systemd/Journal
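For the main article, see systemd.
systemd has its own logging system, called the journal. With the systemd journal there is no need to install a separate syslog service. Use the journalctl(1) command to read the journal.
In Arch Linux, the /var/log/journal/ directory is part of the systemd package. By default, Storage= in /etc/systemd/journald.conf is set to auto, and systemd writes journal records to /var/log/journal. If that directory is deleted, systemd does not recreate it automatically and instead writes the journal to /run/log/journal, whose contents are lost on reboot. If Storage=persistent is set in journald.conf, /var/log/journal/ is recreated when systemd-journald.service is restarted or the system is rebooted.
The systemd journal classifies messages by #Priority level and #Facility, in accordance with the syslog protocol (RFC 5424).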
Priority level
Journal entries carry a syslog priority code that marks the importance of the message; see RFC 5424 6.2.1.
Value | Priority | Keyword | Description | Examples |
---|---|---|---|---|
0 | Emergency | emerg | System is unusable | Severe Kernel BUG, systemd dumped core. This level should not be used by applications. |
1 | Alert | alert | Should be corrected immediately | Vital subsystem goes out of work. Data loss. kernel: BUG: unable to handle kernel paging request at ffffc90403238ffc. |
2 | Critical | crit | Critical conditions | Crashes, coredumps. Like familiar flash: systemd-coredump[25319]: Process 25310 (plugin-containe) of user 1000 dumped core. Failure in the system primary application, like X11. |
3 | Error | err | Error conditions | Not fatal error reported: kernel: usb 1-3: 3:1: cannot get freq at ep 0x84, systemd[1]: Failed unmounting /var., libvirtd[1720]: internal error: Failed to initialize a valid firewall backend. |
4 | Warning | warning | May indicate that an error will occur if action is not taken. | A non-root file system has only 1GB free. org.freedesktop.Notifications[1860]: (process:5999): Gtk-WARNING **: Locale not supported by C library. Using the fallback 'C' locale. |
5 | Notice | notice | Events that are unusual, but not error conditions. | systemd[1]: var.mount: Directory /var to mount over is not empty, mounting anyway. gcr-prompter[4997]: Gtk: GtkDialog mapped without a transient parent. This is discouraged. |
6 | Informational | info | Normal operational messages that require no action. | lvm[585]: 7 logical volume(s) in volume group "archvg" now active. |
7 | Debug | debug | Messages which may need to be enabled first, only useful for debugging | kdeinit5[1900]: powerdevil: Scheduling inhibition from ":1.14" "firefox" with cookie 13 and reason "screen" |
These rules are recommendations, and the priority level of a given error is at the application developer's discretion. It is always possible that the error will be at a higher or lower level than expected.
Examples:
- Info message:
pulseaudio[2047]: W: [pulseaudio] alsa-mixer.c: Volume element Master has 8 channels. That's too much! I can't handle that!
It is a warning or error by definition.
- Plaguing alert message:
sudo[21711]: user : a password is required ; TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=list /usr/bin/pacman --color auto -Sy
The reason: the user was manually added to the sudoers file, not to the wheel group, which is arguably a normal action, but sudo produced an alert on every occasion.
Facility
Journal entries also carry a syslog facility code that marks the type of program that logged the message; see RFC 5424 6.2.1.
Facility code | Keyword | Description | Info |
---|---|---|---|
0 | kern | kernel messages | |
1 | user | user-level messages | |
2 | mail | mail system | Archaic POSIX still supported and sometimes used system (for more, see mail(1)) |
3 | daemon | system daemons | All daemons, including systemd and its subsystems |
4 | auth | security/authorization messages | Also watch for different facility 10 |
5 | syslog | messages generated internally by syslogd | As it is standardized for syslogd, not used by systemd (see facility 3) |
6 | lpr | line printer subsystem (archaic subsystem) | |
7 | news | network news subsystem (archaic subsystem) | |
8 | uucp | UUCP subsystem (archaic subsystem) | |
9 | - | clock daemon | systemd-timesyncd |
10 | authpriv | security/authorization messages | Also watch for different facility 4 |
11 | ftp | FTP daemon | |
12 | - | NTP subsystem | |
13 | - | log audit | |
14 | - | log alert | |
15 | cron | scheduling daemon | |
16 | local0 | local use 0 (local0) | |
17 | local1 | local use 1 (local1) | |
18 | local2 | local use 2 (local2) | |
19 | local3 | local use 3 (local3) | |
20 | local4 | local use 4 (local4) | |
21 | local5 | local use 5 (local5) | |
22 | local6 | local use 6 (local6) | |
23 | local7 | local use 7 (local7) | |
So, useful facilities to watch: 0,1,3,4,9,10,15.
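The two tables combine into a simple triage filter. The following is an added example, not part of the original page: it applies the priority threshold and the facility watch list to records in the shape produced by journalctl -o json. The names level, triage and SAMPLE are hypothetical and the sample records are constructed from messages quoted on this page; the field names come from systemd.journal-fields(7).

```python
import json

# Keywords from the priority table; the list index is the numeric value.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
WATCHED = {0, 1, 3, 4, 9, 10, 15}  # facilities the page suggests watching
AUTH = {4, 10}                     # auth and authpriv

def level(spec):
    """Accept a keyword or a number, like the argument of journalctl -p."""
    spec = str(spec)
    return int(spec) if spec.isdigit() else PRIORITIES.index(spec)

def triage(lines, max_priority="err", facilities=WATCHED):
    """Keep records at max_priority or more severe (numerically lower),
    as `journalctl -p err` does, restricted to the given facilities."""
    threshold = level(max_priority)
    hits = []
    for line in lines:
        rec = json.loads(line)
        try:
            # journalctl -o json emits field values as strings
            prio, fac = int(rec["PRIORITY"]), int(rec["SYSLOG_FACILITY"])
            name = PRIORITIES[prio]
        except (KeyError, TypeError, ValueError, IndexError):
            continue  # no usable priority or facility: skip, do not guess
        if prio <= threshold and fac in facilities:
            hits.append((name, fac, rec.get("SYSLOG_IDENTIFIER", "?"),
                         rec.get("MESSAGE", "")))
    return hits

# Constructed sample records in `journalctl -o json` shape, one per line.
SAMPLE = [
    '{"PRIORITY":"1","SYSLOG_FACILITY":"10","SYSLOG_IDENTIFIER":"sudo",'
    '"MESSAGE":"user : a password is required ; TTY=pts/0"}',
    '{"PRIORITY":"3","SYSLOG_FACILITY":"0","SYSLOG_IDENTIFIER":"kernel",'
    '"MESSAGE":"usb 1-3: 3:1: cannot get freq at ep 0x84"}',
    '{"PRIORITY":"6","SYSLOG_FACILITY":"3","SYSLOG_IDENTIFIER":"lvm",'
    '"MESSAGE":"7 logical volume(s) in volume group archvg now active"}',
    '{"PRIORITY":"3","SYSLOG_FACILITY":"16","SYSLOG_IDENTIFIER":"backup-job",'
    '"MESSAGE":"constructed local0 error"}',
    '{"PRIORITY":"3","SYSLOG_IDENTIFIER":"native-app","MESSAGE":"no facility"}',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(*hit, sep=" | ")
```

Records without a SYSLOG_FACILITY field are skipped here, so a facility-based view can miss entries that never carried a syslog facility.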
Filtering output
journalctl can filter its output by specific fields. If many fields are being filtered, it may take a long time for the output to appear.
Examples:
- Show all messages matching PATTERN:
# journalctl --grep=PATTERN
- Show all messages from this boot:
# journalctl -b
journalctl -b -0 shows messages from the current boot, journalctl -b -1 from the previous boot, and journalctl -b -2 from the boot before that.
- Show only messages of error, critical and alert priority:
# journalctl -p err..alert
Numbers can also be used, journalctl -p 3..1. If a single number/keyword is used, journalctl -p 3, all higher priority levels are also included.
- Include descriptions of the log message types:
# journalctl -x
Note that this option should not be used when reporting bugs or asking for help, because it produces a large amount of output. Use journalctl --list-catalog to see all the available descriptions.
- Show messages starting from a specific date (or time):
# journalctl --since="2012-10-30 18:17:16"
- Show messages starting from a relative time (for example, 20 minutes ago):
# journalctl --since "20 min ago"
- Follow new messages:
# journalctl -f
- Show all messages by a specific executable:
# journalctl /usr/lib/systemd/systemd
- Show all messages by a specific process:
# journalctl _PID=1
- Show all messages by a specific unit:
# journalctl -u man-db.service
- Show all messages from user services by a specific unit:
$ journalctl --user -u dbus
- Show kernel ring buffer messages:
# journalctl -k
- Show auth.log equivalent by filtering on syslog facility:
# journalctl -f -l SYSLOG_FACILITY=10
- If your journal directory (by default located under /var/log/journal) contains a huge amount of log data, then journalctl can take several minutes to filter the output. You can speed it up significantly by using the --file option to force journalctl to look only into the most recent journal:
# journalctl --file /var/log/journal/*/system.journal -f
For details, see journalctl(1), systemd.journal-fields(7), and Lennart's blog post.
- By default, journalctl truncates lines longer than screen width, but in some cases, it may be better to enable wrapping instead of truncating. This can be controlled by the SYSTEMD_LESS environment variable, which contains options passed to less (the default pager) and defaults to FRSXMK (see less(1) and journalctl(1) for details).
- By omitting the S option, the output will be wrapped instead of truncated. For example, start journalctl as follows:
$ SYSTEMD_LESS=FRXMK journalctl
- To set this behaviour as default, export the variable from ~/.bashrc or ~/.zshrc.
- While the journal is stored in a binary format, the content of stored messages is not modified. This means it is viewable with strings, for example for recovery in an environment which does not have systemd installed, e.g.:
$ strings /mnt/arch/var/log/journal/af4967d77fba44c6b093d0e9862f6ddd/system.journal | grep -i message
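Journal size limit
If the journal is kept persistently as described above, its default maximum size is 10% of the capacity of the file system it resides on. For example, with /var/log/journal stored on a 50 GiB root partition, the journal holds at most 5 GiB of data. The current settings can be seen in the systemd-journald log:
# journalctl -b -u systemd-journald
The maximum size can be changed in the configuration file. For example, to limit the journal to 50 MiB:
/etc/systemd/journald.conf
SystemMaxUse=50M
The limit can also be set with a configuration snippet (drop-in) instead of the global configuration file:
/etc/systemd/journald.conf.d/00-journal-size.conf
[Journal]
SystemMaxUse=50M
For the change to take effect immediately, restart systemd-journald.service.
See journald.conf(5) for details.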
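An added example, not part of the original page: a small audit that merges journald.conf with its drop-in snippets and reports where the journal is stored and whether it survives a reboot, following the Storage= behaviour described at the top of this page. The function names are hypothetical; it assumes that only the given /etc/systemd tree is read (systemd also consults other configuration directories), and the Storage= values volatile and none come from journald.conf(5), not from this page.

```python
import configparser
from pathlib import Path

def effective_settings(etc_dir):
    """Merge [Journal] keys: journald.conf first, then drop-ins in name order."""
    etc = Path(etc_dir)
    files = [etc / "journald.conf"]
    files += sorted((etc / "journald.conf.d").glob("*.conf"))
    merged = {}
    for path in files:
        if not path.is_file():
            continue
        cp = configparser.ConfigParser(strict=False, interpolation=None)
        cp.optionxform = str           # journald keys are case-sensitive
        cp.read(path)
        if not cp.has_section("Journal"):
            continue
        for key, value in cp["Journal"].items():
            if value:
                merged[key] = value    # later files override earlier ones
            else:
                merged.pop(key, None)  # empty assignment resets to the default
    return merged

def journal_storage(settings, var_dir="/var/log/journal"):
    """Return (directory, survives_reboot) for the merged settings."""
    mode = settings.get("Storage", "auto")
    if mode == "persistent":
        return str(var_dir), True      # journald recreates the directory
    if mode == "auto" and Path(var_dir).is_dir():
        return str(var_dir), True
    if mode == "none":
        return None, False             # nothing is stored at all
    # auto without the directory, or volatile: contents are lost on reboot
    return "/run/log/journal", False

if __name__ == "__main__":
    cfg = effective_settings("/etc/systemd")
    print("SystemMaxUse:", cfg.get("SystemMaxUse", "(default)"))
    print("storage:", journal_storage(cfg))
```

A result of ("/run/log/journal", False) on a host that is expected to retain logs means the journal will not be available after the next reboot.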
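Journald in conjunction with syslog
systemd provides the socket /run/systemd/journal/syslog for compatibility with traditional syslog services. All system messages are passed to it. For a traditional syslog service to work, it must connect to this socket instead of /dev/log (official announcement). The syslog-ng package in the Arch repositories already includes the necessary configuration.
By default, journald.conf sets forwarding to the socket to no. To use syslog-ng together with journald, set ForwardToSyslog=yes in /etc/systemd/journald.conf. See Syslog-ng#Overview for more details.
If you choose to use rsyslog (AUR) instead, changing this option is not necessary, because rsyslog pulls messages directly from the journal.
To start syslog-ng at boot:
# systemctl enable syslog-ng
A good journalctl guide is available here.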
Per unit size limit by a journal namespace
Edit the unit file for the service you wish to configure (for example sshd) and add LogNamespace=ssh in the [Service] section.
Then create /etc/systemd/journald@ssh.conf by copying /etc/systemd/journald.conf. After that, edit journald@ssh.conf and adjust SystemMaxUse to your liking.
Restarting the service should automatically start the new journal service systemd-journald@ssh.service. The logs from the namespaced service can be viewed with journalctl --namespace ssh.
See systemd-journald.service(8) § JOURNAL NAMESPACES for details about journal namespaces.
Clean journal files manually
Journal files are stored in /var/log/journal, so rm should work. Alternatively, use journalctl, for example:
- Clean up the journal until its total size is below 100M:
# journalctl --vacuum-size=100M
- Remove journal entries older than two weeks:
# journalctl --vacuum-time=2weeks
Journal files must have been rotated out and made inactive before they can be trimmed by vacuum commands. Rotation of journal files can be done by running journalctl --rotate. The --rotate argument can also be provided alongside one or more vacuum criteria arguments to perform rotation and then trim files in a single command.
See journalctl(1) for more information.
Forward journald to /dev/tty12
Create a drop-in directory /etc/systemd/journald.conf.d and create a fw-tty12.conf file in it:
/etc/systemd/journald.conf.d/fw-tty12.conf
[Journal]
ForwardToConsole=yes
TTYPath=/dev/tty12
MaxLevelConsole=info
Then restart systemd-journald.
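Specify a different journal to view
Sometimes you may want to view the journal of another system, for example when repairing an existing system from a live environment.
In that case, mount the target system (e.g. under /mnt) and specify the journal directory with the -D/--directory option, like so:
# journalctl -D /mnt/var/log/journal -xe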
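Journal access as user
In the default configuration, a regular user can only access their own journal. To let a regular user read the system journal, add the user to the systemd-journal group. Members of the adm and wheel groups can also read the journal.
For more information, see journalctl(1) § DESCRIPTION and Users and groups#Group management.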