「systemd-journald」- 日志服务

认识

该笔记将学习在 CenOS 7 中如何使用 Journald 服务以及 journalctl 命令进行日志管理。

文档

组成

配置文件:/etc/systemd/journald.conf

应用

存储方式

日志数据保存在带有索引的结构化二进制文件中,还包含与日志事件相关的额外信息(原始设备、优先级等等);

默认日志存储机制

在默认情况下,日志文件保持在 /run/log/journal/ 目录,在系统重启后会丢失,因为 RHEL 7 认为自上次启动以来的日志足够了,无需持久化存储日志;

需要修改 /etc/systemd/journald.conf 配置文件中 [Journal] 部分的 Storage 属性。

在 CentOS Linux release 7.4.1708 (Core)中,默认 Storage=auto 配置。还可以配置为:

“volatile”,将日志存储在内存中,即 /run/log/journal 目录,如果有必要会自动创建。

“persistent”,日志将保存在磁盘中,即 /var/log/journal 目录,如果有必要会自动创建。但是,如果在启动期间磁盘不可写,比如无法成功创建 /var/log/journal 目录,那依旧会写入 /run/log/journal 目录,如果有必要会自动创建。

“auto”,类似于”persistent”属性,但是不会自动创建 /var/log/journal 目录,因此目录 /var/log/journal 的存在与否,决定了日志的写入位置。

“none”,关闭所有的存储,接收到的所有日志数据将被丢弃。将被转发到其他的目标,比如控制台、内核日志缓冲,syslog 服务等等。

持久存储日志的方法

既然”auto”是默认值。所以,想要持久化日志,执行如下命令即可: 

# 创建目录
mkdir /var/log/journal

# 使用 systemd 中定义的指令进行初始化
systemd-tmpfiles --create --prefix /var/log/journal

# 重启以生效
systemctl restart systemd-journald

但是,如果 /var/log/journal/ 存在,则日志将写入其中,这样可查看历史日志。所以,持久化保存日志的方法为“创建 /var/log/journal/ 目录”: 

# --------------------------------------------------------- # 创建目录,并设置用户组

mkdir -pv  /var/log/journal/
chown root:systemd-journal /var/log/journal
chmod 2755 /var/log/journal

# --------------------------------------------------------- # 通知 systemd-journald 进程

killall -USR1 systemd-journald

# --------------------------------------------------------- # 检查日志是否已经写入 /var/log/journal/ 目录

ls -l /var/log/journal/

默认的日志轮转

但是 systemd-journal 具有日志轮转机制,通过 /etc/systemd/journald.conf 配置调整;

清理日志

Clear systemd journal

可以使用 –vacuum-size= 选项与 –vacuum-time= 选项清理日志,但是这只能用于清理归档的日志: 

# 查看日志使用空间,包括归档与活跃的日志
journalctl --disk-usage

# 根据时间及大小清理日志
journalctl --vacuum-time=10d
journalctl --vacuum-size=2G

配置空间占用

Setting journalctl limits

调整 /etc/systemd/journald.conf 配置

  • SystemMaxUse= and RuntimeMaxUse= control how much disk space the journal may use up at most.

重启 systemctl restart systemd-journald.service 服务

查 | 查看日志

在日志中,包含的字段:systemd.journal-fields(7)
https://man7.org/linux/man-pages/man7/systemd.journal-fields.7.html48

启动日志

How do I display log messages from previous boots under CentOS 7? 

# journalctl -b

# journalctl -b -1                                                              # 显示上次系统启动日志

内核日志

systemd – How to get kernel boot log with journalctl? – Unix & Linux Stack Exchange 

journalctl -k # 仅显示启动日志

journalctl -t kernel # 显示内核的历史日志

应用日志

journalctl -f -u ‘xxx.service’

journalctl /usr/bin/gnome-shell # 通过程序路径来过滤日志

https://man7.org/linux/man-pages/man1/journalctl.1.html

It is also possible to filter the entries by specifying an absolute file path as an argument. The file path may be a file or a symbolic link and the file must exist at the time of the query. If a file path refers to an executable binary, an “_EXE=” match for the canonicalized binary path is added to the query. If a file path refers to an executable script, a “_COMM=” match for the script name is added to the query. If a file path refers to a device node, “_KERNEL_DEVICE=” matches for the kernel name of the device and for each of its ancestor devices is added to the query. Symbolic links are dereferenced, kernel names are synthesized, and parent devices are identified from the environment at the time of the query. In general, a device node is the best proxy for an actual device, as log entries do not usually contain fields that identify an actual device. For the resulting log entries to be correct for the actual device, the relevant parts of the environment at the time the entry was logged, in particular the actual device corresponding to the device node, must have been the same as those at the time of the query. Because device nodes generally change their corresponding devices across reboots, specifying a device node path causes the resulting entries to be restricted to those from the current boot.

Filed under: K4NZDROID - @ 12:00 AM