To view the system log, use the journalctl tool.
Run without any arguments, it shows the entire system log, ordered from oldest to newest.
[root@vm1 ~]# journalctl
-- Logs begin at Fri 2023-07-14 05:12:22 CST, end at Thu 2023-07-13 21:20:01 CST. --
Jul 14 05:12:22 vm1 systemd-journal[96]: Runtime journal is using 8.0M (max allowed 90.9M, trying to leave 136.4M free of 901.
Jul 14 05:12:22 vm1 kernel: Initializing cgroup subsys cpuset
Jul 14 05:12:22 vm1 kernel: Initializing cgroup subsys cpu
Jul 14 05:12:22 vm1 kernel: Initializing cgroup subsys cpuacct
Jul 14 05:12:22 vm1 kernel: Linux version 3.10.0-1160.88.1.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5
Jul 14 05:12:22 vm1 kernel: Command line: BOOT_IMAGE=/vmlinuz-3.10.0-1160.88.1.el7.x86_64 root=UUID=5989d617-8a54-4457-88ea-07
Jul 14 05:12:22 vm1 kernel: e820: BIOS-provided physical RAM map:
journalctl -r shows the system log from newest to oldest.
[root@vm1 ~]# journalctl -r
-- Logs begin at Fri 2023-07-14 05:12:22 CST, end at Thu 2023-07-13 21:19:30 CST. --
Jul 13 21:19:30 vm1 useradd[7697]: new user: name=test, UID=1003, GID=1003, home=/home/test, shell=/bin/bash
Jul 13 21:19:30 vm1 useradd[7697]: new group: name=test, GID=1003
Jul 13 21:18:07 vm1 systemd[1]: Time has been changed
Jul 14 05:15:54 vm1 systemd-logind[548]: New session 3 of user root.
Jul 14 05:15:54 vm1 sshd[5368]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 14 05:15:54 vm1 systemd[1]: Started Session 3 of user root.
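I used the ntpdate command to synchronize the time, and it shows up in the system log as "Time has been changed". I then also added a test user, which appears in the log as well: the top two lines show that the test group was created first, and then the new user test was created.
Use journalctl -f to follow the log and read the newest entries as they arrive.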
[root@vm1 ~]# journalctl -f
-- Logs begin at Fri 2023-07-14 05:12:22 CST. --
Jul 13 21:29:17 vm1 sshd[15812]: Accepted password for root from 192.168.17.1 port 7437 ssh2
Jul 13 21:29:17 vm1 systemd[1]: Started Session 7 of user root.
Jul 13 21:29:17 vm1 systemd-logind[548]: New session 7 of user root.
Jul 13 21:29:17 vm1 sshd[15812]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 13 21:29:22 vm1 sshd[15957]: Accepted password for root from 192.168.17.1 port 7449 ssh2
Jul 13 21:29:22 vm1 systemd-logind[548]: New session 8 of user root.
Jul 13 21:29:22 vm1 systemd[1]: Started Session 8 of user root.
Jul 13 21:29:22 vm1 sshd[15957]: pam_unix(sshd:session): session opened for user root by (uid=0)
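The latest log entries from my ssh logins to the server start showing up in real time. This works somewhat like tail -f, continuously displaying the contents of the journal (quite useful for real-time monitoring).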
[root@vm1 ~]# journalctl _SYSTEMD_UNIT=sshd.service
-- Logs begin at Fri 2023-07-14 05:12:22 CST, end at Thu 2023-07-13 21:30:01 CST. --
Jul 14 05:12:29 vm1 sshd[865]: Server listening on 0.0.0.0 port 22.
Jul 14 05:12:29 vm1 sshd[865]: Server listening on :: port 22.
Jul 14 05:15:49 vm1 sshd[4077]: Accepted password for root from 192.168.17.1 port 5688 ssh2
Jul 14 05:15:54 vm1 sshd[5368]: Accepted password for root from 192.168.17.1 port 6084 ssh2
Jul 13 21:29:17 vm1 sshd[15812]: Accepted password for root from 192.168.17.1 port 7437 ssh2
Jul 13 21:29:22 vm1 sshd[15957]: Accepted password for root from 192.168.17.1 port 7449 ssh2
[root@vm1 ~]#
[root@vm1 ~]# journalctl -u sshd.service
-- Logs begin at Fri 2023-07-14 05:12:22 CST, end at Thu 2023-07-13 21:30:01 CST. --
Jul 14 05:12:29 vm1 systemd[1]: Starting OpenSSH server daemon...
Jul 14 05:12:29 vm1 sshd[865]: Server listening on 0.0.0.0 port 22.
Jul 14 05:12:29 vm1 systemd[1]: Started OpenSSH server daemon.
Jul 14 05:12:29 vm1 sshd[865]: Server listening on :: port 22.
Jul 14 05:15:49 vm1 sshd[4077]: Accepted password for root from 192.168.17.1 port 5688 ssh2
Jul 14 05:15:54 vm1 sshd[5368]: Accepted password for root from 192.168.17.1 port 6084 ssh2
Jul 13 21:29:17 vm1 sshd[15812]: Accepted password for root from 192.168.17.1 port 7437 ssh2
Jul 13 21:29:22 vm1 sshd[15957]: Accepted password for root from 192.168.17.1 port 7449 ssh2
[root@vm1 ~]#
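The two commands above show only the logs generated by the sshd.service unit.
In this output, each log line has four parts:
Part one is the date and time;
Part two is the host name (local or remote host);
Part three is the application or service name;
Part four is the log message itself.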
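The four-part layout described above can be split mechanically, which is the first step of any login review. The script below is an added example, not part of the original post; the function names sample_log, split_fields and accepted_logins are chosen here for illustration, and the sample lines are copied from the output shown on this page.

```shell
#!/bin/sh
# Sample lines copied from the journalctl output shown on this page.
sample_log() {
cat <<'EOF'
-- Logs begin at Fri 2023-07-14 05:12:22 CST, end at Thu 2023-07-13 21:30:01 CST. --
Jul 14 05:12:22 vm1 kernel: Initializing cgroup subsys cpuset
Jul 14 05:12:29 vm1 sshd[865]: Server listening on 0.0.0.0 port 22.
Jul 14 05:15:49 vm1 sshd[4077]: Accepted password for root from 192.168.17.1 port 5688 ssh2
Jul 13 21:29:17 vm1 sshd[15812]: Accepted password for root from 192.168.17.1 port 7437 ssh2
Jul 13 21:45:01 vm1 postfix/qmgr[1168]: 1A62C1CE819B: removed
EOF
}

# Emit one tab-separated record per log entry:
#   timestamp, host, program, pid ("-" when absent), message
split_fields() {
    awk '
    /^-- / { next }                        # skip the "-- Logs begin" header
    NF >= 5 && $5 ~ /:$/ {
        ts  = $1 " " $2 " " $3             # part 1: date and time
        msg = substr($0, index($0, $5) + length($5) + 1)   # part 4
        tag = $5; sub(/:$/, "", tag)       # part 3: "sshd[865]:" -> "sshd[865]"
        pid = "-"
        if (match(tag, /\[[0-9]+\]$/)) {   # the PID is optional (kernel has none)
            pid = substr(tag, RSTART + 1, RLENGTH - 2)
            tag = substr(tag, 1, RSTART - 1)
        }
        printf "%s\t%s\t%s\t%s\t%s\n", ts, $4, tag, pid, msg   # $4 is part 2
    }'
}

# Count accepted SSH password logins per user@source-address.
accepted_logins() {
    split_fields | awk -F '\t' '
    $3 == "sshd" && $5 ~ /^Accepted password for / {
        split($5, w, " ")                  # w[4] = user, w[6] = source address
        n[w[4] "@" w[6]]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# On a live system: journalctl -u sshd.service | accepted_logins
sample_log | accepted_logins
```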
The journalctl -p command:
Find log entries with priority error (err); given a single level, -p also shows all more severe levels:
[root@vm1 ~]# journalctl -p err
-- Logs begin at Fri 2023-07-14 05:12:22 CST, end at Thu 2023-07-13 21:35:02 CST. --
Jul 14 05:12:22 vm1 kernel: Detected CPU family 6 model 140 stepping 1
Jul 14 05:12:22 vm1 kernel: Warning: Intel Processor - this hardware has not undergone upstream testing. Please consult http:/
Jul 14 05:12:23 vm1 kernel: sd 0:0:0:0: [sda] Assuming drive cache: write through
Jul 14 05:12:26 vm1 kernel: piix4_smbus 0000:00:07.3: SMBus Host Controller not enabled!
Jul 14 05:12:29 vm1 systemd[1]: Failed to start Vsftpd ftp daemon.
journalctl -n 10
Limits the output to 10 log lines.
The number of lines to show can be set with -n or --lines=.
[root@vm1 log]# journalctl -n 10
-- Logs begin at Fri 2023-07-14 05:12:22 CST, end at Thu 2023-07-13 21:45:01 CST. --
Jul 13 21:40:01 vm1 postfix/qmgr[1168]: 101891CE819B: removed
Jul 13 21:45:01 vm1 systemd[1]: Created slice User Slice of chang.
Jul 13 21:45:01 vm1 systemd[1]: Started Session 12 of user chang.
Jul 13 21:45:01 vm1 CROND[29431]: (chang) CMD (echo 123 |passwd --stdin chang)
Jul 13 21:45:01 vm1 systemd[1]: Removed slice User Slice of chang.
Jul 13 21:45:01 vm1 postfix/pickup[29436]: 1A62C1CE819B: uid=1002 from=<chang>
Jul 13 21:45:01 vm1 postfix/cleanup[29438]: 1A62C1CE819B: message-id=<20230713134501.1A62C1CE819B@vm1.localdomain>
Jul 13 21:45:01 vm1 postfix/qmgr[1168]: 1A62C1CE819B: from=<chang@vm1.localdomain>, size=729, nrcpt=1 (queue active)
Jul 13 21:45:01 vm1 postfix/local[29440]: 1A62C1CE819B: to=<chang@vm1.localdomain>, orig_to=<chang>, relay=local, delay=0.04,
Jul 13 21:45:01 vm1 postfix/qmgr[1168]: 1A62C1CE819B: removed
journalctl -b -1
[root@vm1 ~]# journalctl -b -1
Specifying boot ID has no effect, no persistent journal was found
[root@vm1 ~]#
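Shows the logs from the previous boot (-b -1 selects the boot before the current one). These logs help when looking for the cause of a system crash. Collecting them requires a persistent storage location to be configured (/var/log/journal).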
journalctl --since "2023-07-11 00:00:00" --until "2023-07-12 00:00:00"
Shows the logs from 2023-07-11 00:00:00 to 2023-07-12 00:00:00; this requires a persistent storage location to be configured (/var/log/journal).
[root@vm1 ~]# journalctl --since "2023-07-11 00:00:00" --until "2023-07-12 00:00:00"
-- Logs begin at Fri 2023-07-14 05:12:22 CST, end at Thu 2023-07-13 21:40:01 CST. --
[root@vm1 ~]#
For this period, my virtual machine has no matching entries.
[root@vm1 ~]# journalctl -o verbose
-- Logs begin at Fri 2023-07-14 05:12:22 CST, end at Thu 2023-07-13 21:40:01 CST. --
Fri 2023-07-14 05:12:22.588603 CST [s=9f3c5b56ae48403f883b59f2443c0f59;i=1;b=8bfc3c08f847474791a50e6b5728fcd9;m=19224a;t=60064
PRIORITY=6
_TRANSPORT=driver
MESSAGE=Runtime journal is using 8.0M (max allowed 90.9M, trying to leave 136.4M free of 901.5M available → current limit
MESSAGE_ID=ec387f577b844b8fa948f33cad9a75e6
_PID=96
_UID=0
_GID=0
_COMM=systemd-journal
_EXE=/usr/lib/systemd/systemd-journald
_CMDLINE=/usr/lib/systemd/systemd-journald
_CAP_EFFECTIVE=5402800cf
_SYSTEMD_CGROUP=/system.slice/systemd-journald.service
_SYSTEMD_UNIT=systemd-journald.service
_SYSTEMD_SLICE=system.slice
_BOOT_ID=8bfc3c08f847474791a50e6b5728fcd9
_MACHINE_ID=3ea61b0fa82c45c89e622a5853eb248d
_HOSTNAME=vm1
Fri 2023-07-14 05:12:22.588704 CST [s=9f3c5b56ae48403f883b59f2443c0f59;i=2;b=8bfc3c08f847474791a50e6b5728fcd9;m=1922af;t=60064
PRIORITY=6
_BOOT_ID=8bfc3c08f847474791a50e6b5728fcd9
_MACHINE_ID=3ea61b0fa82c45c89e622a5853eb248d
_HOSTNAME=vm1
_SOURCE_MONOTONIC_TIMESTAMP=0
_TRANSPORT=kernel
SYSLOG_FACILITY=0
SYSLOG_IDENTIFIER=kernel
MESSAGE=Initializing cgroup subsys cpuset
Fri 2023-07-14 05:12:22.588727 CST [s=9f3c5b56ae48403f883b59f2443c0f59;i=3;b=8bfc3c08f847474791a50e6b5728fcd9;m=1922c6;t=60064
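Displays the system log in verbose form, with all fields of each entry.
The commands "journalctl -k" and "journalctl --dmesg" display the kernel log messages.
Create the persistent storage directory: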
mkdir /var/log/journal
chown root:systemd-journal /var/log/journal
chmod 2755 /var/log/journal
systemctl restart systemd-journald
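The leading 2 in 2755 is the setgid bit: files created under the directory inherit its systemd-journal group.
In the book 鸟哥的私房菜, the author puts it this way:
Since we still have rsyslog.service and logrotate, the log files produced by systemd-journal.service are best kept in memory under /run/log, to speed up access.
rsyslog.service can store our log files, so there seems to be no need to keep another copy as journal log files.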