Overview
This note covers how to use the Journald service and the journalctl command to manage logs on CentOS 7.
Documentation
- systemd-journald(1)
- manpath.be/journald.conf
- Using journalctl – The Ultimate Guide To Logging
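Components
Configuration file: /etc/systemd/journald.conf
Usage
Storage format
Log data is stored in indexed, structured binary files, which also hold extra information related to each log event (originating device, priority, and so on).
Default log storage
By default, journal files are kept in the /run/log/journal/ directory and are lost when the system reboots, because RHEL 7 considers the logs since the last boot sufficient and sees no need to store them persistently.
To change this, the Storage setting in the [Journal] section of /etc/systemd/journald.conf must be modified.
On CentOS Linux release 7.4.1708 (Core), the default is Storage=auto. It can also be set to:
How to store logs persistently
Since "auto" is the default, running the following commands is enough to make the logs persistent: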
```bash
# Create the directory
mkdir /var/log/journal
# Initialize it using the directives defined by systemd
systemd-tmpfiles --create --prefix /var/log/journal
# Restart the service to apply the change
systemctl restart systemd-journald
```
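However, if /var/log/journal/ exists, logs are written to it, so historical logs can be viewed. The way to keep logs persistently is therefore to "create the /var/log/journal/ directory":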
```bash
# ---------------------------------------------------------
# Create the directory and set its group
mkdir -pv /var/log/journal/
chown root:systemd-journal /var/log/journal
chmod 2755 /var/log/journal
# ---------------------------------------------------------
# Notify the systemd-journald process
killall -USR1 systemd-journald
# ---------------------------------------------------------
# Check that logs are now being written to /var/log/journal/
ls -l /var/log/journal/
```
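Whether a host keeps its journal across reboots matters for incident response, so it is worth auditing. The script below is an added example, not part of the original note: the function name `effective_storage` is hypothetical, the values `persistent`, `volatile` and `none` are the other Storage= settings from journald.conf(5), and it assumes only the main configuration file is in use (no drop-in files).

```shell
#!/bin/sh
# Added example: report where journald will store logs, applying the
# Storage= rule described above (auto + existing /var/log/journal => persistent).

# effective_storage CONF_FILE PERSIST_DIR
# Prints one of: persistent | volatile | none | unknown:<value>
effective_storage() {
    conf=$1
    dir=$2
    storage=""
    if [ -r "$conf" ]; then
        # Take the last Storage= assignment inside the [Journal] section,
        # skipping comment lines and tolerating spaces around "=".
        storage=$(awk '
            /^[ \t]*[#;]/ { next }
            /^[ \t]*\[/   { sect = $0; gsub(/[ \t]/, "", sect); next }
            sect == "[Journal]" && /^[ \t]*Storage[ \t]*=/ {
                v = $0
                sub(/^[^=]*=/, "", v)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                val = v
            }
            END { print val }' "$conf")
    fi
    # A missing file, a missing key or an empty value all mean the default.
    case ${storage:-auto} in
        auto)
            if [ -d "$dir" ]; then echo persistent; else echo volatile; fi ;;
        persistent) echo persistent ;;
        volatile)   echo volatile ;;
        none)       echo none ;;
        *)          echo "unknown:$storage" ;;
    esac
}

# Audit the local host using the paths from this note.
echo "journal storage: $(effective_storage /etc/systemd/journald.conf /var/log/journal)"
```

A result of `volatile` or `none` means the journal will not survive a reboot.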
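Default log rotation
However, systemd-journal has a log rotation mechanism, which is adjusted through the /etc/systemd/journald.conf configuration.
Cleaning up logs
Logs can be cleaned up with the --vacuum-size= and --vacuum-time= options, but these can only remove archived logs: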
```bash
# Show the disk space used by the journal, both archived and active files
journalctl --disk-usage
# Clean up logs by age and by size
journalctl --vacuum-time=10d
journalctl --vacuum-size=2G
```
Configuring disk usage
Adjust the /etc/systemd/journald.conf configuration
- SystemMaxUse= and RuntimeMaxUse= control how much disk space the journal may use up at most.
Restart the service: systemctl restart systemd-journald.service
Query | Viewing logs
Fields contained in journal entries: systemd.journal-fields(7)
https://man7.org/linux/man-pages/man7/systemd.journal-fields.7.html
Boot logs
How do I display log messages from previous boots under CentOS 7?
```bash
journalctl -b
journalctl -b -1    # show the log of the previous boot
```
Kernel logs
systemd – How to get kernel boot log with journalctl? – Unix & Linux Stack Exchange
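```bash
journalctl -k          # show kernel messages from the current boot only
journalctl -t kernel   # show the kernel's historical logs
```
Application logs
```bash
journalctl -f -u 'xxx.service'
journalctl /usr/bin/gnome-shell   # filter logs by program path
```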
It is also possible to filter the entries by specifying an absolute file path as an argument. The file path may be a file or a symbolic link and the file must exist at the time of the query. If a file path refers to an executable binary, an “_EXE=” match for the canonicalized binary path is added to the query. If a file path refers to an executable script, a “_COMM=” match for the script name is added to the query. If a file path refers to a device node, “_KERNEL_DEVICE=” matches for the kernel name of the device and for each of its ancestor devices is added to the query. Symbolic links are dereferenced, kernel names are synthesized, and parent devices are identified from the environment at the time of the query. In general, a device node is the best proxy for an actual device, as log entries do not usually contain fields that identify an actual device. For the resulting log entries to be correct for the actual device, the relevant parts of the environment at the time the entry was logged, in particular the actual device corresponding to the device node, must have been the same as those at the time of the query. Because device nodes generally change their corresponding devices across reboots, specifying a device node path causes the resulting entries to be restricted to those from the current boot.