systemd/Journal

来自 Arch Linux 中文维基

主文档请参考 systemd

systemd 提供了自己的日志系统(logging system),称为 journal。使用 systemd 日志,无需额外安装日志服务(syslog)。使用 journalctl(1) 命令读取日志。

Arch Linux 中, /var/log/journal/ 目录是 systemd 软件包的一部分。默认情况下 /etc/systemd/journald.conf 中的Storage=auto,systemd 会将日志记录写入 /var/log/journal。若被删除,systemd 不会自动创建此目录,而是将日志写入 /run/log/journal,重启时内容会消失。如果 journald.conf 中的 Storage=persistentsystemd-journald.service 重启或系统重启时会重新创建 /var/log/journal/

Systemd 日志可以按照#优先级#功能标记日志,符合 syslog 协议 (RFC 5424) 标准。

提示:如果 /var/log/journal/ 位于 btrfs 文件系统,应该考虑对这个目录禁用写入时复制,方法参阅 Btrfs#Copy-on-Write (CoW)

优先级[编辑 | 编辑源代码]

日志会带 syslog 优先级代码,标记消息的重要性,参考 RFC 5424 6.2.1

数值 优先级 关键字 描述 示例
0 Emergency emerg System is unusable Severe Kernel BUG, systemd dumped core.
This level should not be used by applications.
1 Alert alert Should be corrected immediately Vital subsystem goes out of work. Data loss.
kernel: BUG: unable to handle kernel paging request at ffffc90403238ffc.
2 Critical crit Critical conditions Crashes, coredumps. Like familiar flash:
systemd-coredump[25319]: Process 25310 (plugin-containe) of user 1000 dumped core
Failure in the system primary application, like X11.
3 Error err Error conditions Not fatal error reported:
kernel: usb 1-3: 3:1: cannot get freq at ep 0x84,
systemd[1]: Failed unmounting /var.,
libvirtd[1720]: internal error: Failed to initialize a valid firewall backend).
4 Warning warning May indicate that an error will occur if action is not taken. A non-root file system has only 1GB free.
org.freedesktop. Notifications[1860]: (process:5999): Gtk-WARNING **: Locale not supported by C library. Using the fallback 'C' locale.
5 Notice notice Events that are unusual, but not error conditions. systemd[1]: var.mount: Directory /var to mount over is not empty, mounting anyway. gcr-prompter[4997]: Gtk: GtkDialog mapped without a transient parent. This is discouraged.
6 Informational info Normal operational messages that require no action. lvm[585]: 7 logical volume(s) in volume group "archvg" now active.
7 Debug debug Messages which may need to be enabled first, only useful for debugging kdeinit5[1900]: powerdevil: Scheduling inhibition from ":1.14" "firefox" with cookie 13 and reason "screen"

These rules are recommendations, and the priority level of a given error is at the application developer's discretion. It is always possible that the error will be at a higher or lower level than expected.

Examples:

  • Info message:
    pulseaudio[2047]: W: [pulseaudio] alsa-mixer.c: Volume element Master has 8 channels. That's too much! I can't handle that!
    It is an warning or error by definition.
  • Plaguing alert message:
    sudo[21711]:     user : a password is required ; TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=list /usr/bin/pacman --color auto -Sy
    The reason - user was manually added to sudoers file, not to wheel group, which is arguably normal action, but sudo produced an alert on every occasion.

功能[编辑 | 编辑源代码]

日志文件会带上 syslog 功能码,标记发出日志的程序类型 RFC 5424 6.2.1

功能码 关键字 描述 信息
0 kern kernel messages
1 user user-level messages
2 mail mail system Archaic POSIX still supported and sometimes used system, for more mail(1))
3 daemon system daemons All daemons, including systemd and its subsystems
4 auth security/authorization messages Also watch for different facility 10
5 syslog messages generated internally by syslogd As it standartized for syslogd, not used by systemd (see facility 3)
6 lpr line printer subsystem (archaic subsystem)
7 news network news subsystem (archaic subsystem)
8 uucp UUCP subsystem (archaic subsystem)
9 clock daemon systemd-timesyncd
10 authpriv security/authorization messages Also watch for different facility 4
11 ftp FTP daemon
12 - NTP subsystem
13 - log audit
14 - log alert
15 cron scheduling daemon
16 local0 local use 0 (local0)
17 local1 local use 1 (local1)
18 local2 local use 2 (local2)
19 local3 local use 3 (local3)
20 local4 local use 4 (local4)
21 local5 local use 5 (local5)
22 local6 local use 6 (local6)
23 local7 local use 7 (local7)

So, useful facilities to watch: 0,1,3,4,9,10,15.

过滤输出[编辑 | 编辑源代码]

journalctl可以根据特定字段过滤输出。如果过滤的字段比较多,需要较长时间才能显示出来。

示例:

  • 显示 PATTERN 模式的日志:
    # journalctl --grep=PATTERN
  • 显示本次启动后的所有日志:
    # journalctl -b
  • journalctl -b -0 显示本次启动的信息
  • journalctl -b -1 显示上次启动的信息
  • journalctl -b -2 显示上上次启动的信息 journalctl -b -2
  • 只显示错误、冲突和重要告警信息
    # journalctl -p err..alert
    也可以使用数字, journalctl -p 3..1。If single number/keyword used, journalctl -p 3 - all higher priority levels also included.
  • 包含日志消息类型的描述:
    # journalctl -x
    注意在报告 bug 和寻求帮助时不要使用此命令,因为这个命令会产生大量的输出。用 journalctl --list-catalog 可以查看所有类型的描述。
  • 显示从某个日期 ( 或时间 ) 开始的消息:
    # journalctl --since="2012-10-30 18:17:16"
  • 显示从某个时间 ( 例如 20分钟前 ) 的消息:
    # journalctl --since "20 min ago"
  • 显示最新信息
    # journalctl -f
  • 显示特定程序的所有消息:
    # journalctl /usr/lib/systemd/systemd
  • 显示特定进程的所有消息:
    # journalctl _PID=1
  • 显示指定单元的所有消息:
    # journalctl -u man-db.service
  • Show all messages from user services by a specific unit:
    $ journalctl --user -u dbus
  • 显示内核环缓存消息r:
    # journalctl -k
  • Show auth.log equivalent by filtering on syslog facility:
    # journalctl -f -l SYSLOG_FACILITY=10
  • If your journal directory (by default located under /var/log/journal) contains huge amount of log data then journalctl can take several minutes in filtering output. You can speed it up significantly by using --file option to force journalctl to look only into most recent journal:
    # journalctl --file /var/log/journal/*/system.journal -f

详情参阅journalctl(1)systemd.journal-fields(7),以及 Lennert 的这篇博文

  • By default, journalctl truncates lines longer than screen width, but in some cases, it may be better to enable wrapping instead of truncating. This can be controlled by the SYSTEMD_LESS environment variable, which contains options passed to less (the default pager) and defaults to FRSXMK (see less(1) and journalctl(1) for details).
By omitting the S option, the output will be wrapped instead of truncated. For example, start journalctl as follows:
$ SYSTEMD_LESS=FRXMK journalctl
To set this behaviour as default, export the variable from ~/.bashrc or ~/.zshrc.
  • While the journal is stored in a binary format, the content of stored messages is not modified. This means it is viewable with strings, for example for recovery in an environment which does not have systemd installed, e.g.:{{bc|$ strings /mnt/arch/var/log/journal/af4967d77fba44c6b093d0e9862f6ddd/system.journal | grep -i message

日志大小限制[编辑 | 编辑源代码]

如果按上面的操作保留日志的话,默认日志最大限制为所在文件系统容量的 10%,即:如果 /var/log/journal 储存在 50GiB 的根分区中,那么日志最多存储 5GiB 数据。用 systemd-journald 日志查看当前设置:

# journalctl -b -u systemd-journald

可以修改配置文件指定最大限制。如限制日志最大 50MiB:

/etc/systemd/journald.conf
SystemMaxUse=50M

还可以通过配置片段而不是全局配置文件进行设置:

/etc/systemd/journald.conf.d/00-journal-size.conf
[Journal]
SystemMaxUse=50M

修改配置后要立即生效,请重启 systemd-journald.service 服务。

详情参见 journald.conf(5).

配合 syslog 使用[编辑 | 编辑源代码]

systemd 提供了 socket /run/systemd/journal/syslog,以兼容传统日志服务。所有系统信息都会被传入。要使传统日志服务工作,需要让服务链接该 socket,而非 /dev/log官方说明)。Arch 软件仓库中的 syslog-ng 已经包含了需要的配置。

journald.conf 使用 no 转发socket . 为了使 syslog-ng 配合 journald , 你需要在 /etc/systemd/journald.conf 中设置 ForwardToSyslog=yes . 参阅 Syslog-ng#Overview 了解更多细节.

如果你选择使用 rsyslogAUR , 因为 rsyslog 从日志中直接传出消息,所以不再必要改变那个选项..

设置开机启动 syslog-ng:

 # systemctl enable syslog-ng

这里有一份很不错的 journalctl 指南。

Per unit size limit by a journal namespace[编辑 | 编辑源代码]

Edit the unit file for the service you wish to configure (for example sshd) and add LogNamespace=ssh in the [Service] section.

Then create /etc/systemd/journald@ssh.conf by copying /etc/systemd/journald.conf. After that, edit journald@ssh.conf and adjust SystemMaxUse to your liking.

Restarting the service should automatically start the new journal service systemd-journald@ssh.service. The logs from the namespaced service can be viewed with journalctl --namespace ssh.

See systemd-journald.service(8) § JOURNAL NAMESPACES for details about journal namespaces.

手动清理日志[编辑 | 编辑源代码]

/var/log/journal 存放着日志, rm 应该能工作. 或者使用journalctl,

例如:

  • 清理日志使总大小小于 100M:
    # journalctl --vacuum-size=100M
  • 清理最早两周前的日志.
    # journalctl --vacuum-time=2weeks

Journal files must have been rotated out and made inactive before they can be trimmed by vacuum commands. Rotation of journal files can be done by running journalctl --rotate. The --rotate argument can also be provided alongside one or more vacuum criteria arguments to perform rotation and then trim files in a single command.

参阅 journalctl(1) 获得更多信息.

转发 journald 到 /dev/tty12[编辑 | 编辑源代码]

建立一个 Systemd#替换单元文件|drop-in directory]] /etc/systemd/journald.conf.d 然后在其中建立 fw-tty12.conf :

/etc/systemd/journald.conf.d/fw-tty12.conf
[Journal]
ForwardToConsole=yes
TTYPath=/dev/tty12
MaxLevelConsole=info

然后重新启动 systemd-journald.

查看特定位置的日志[编辑 | 编辑源代码]

有时你希望查看另一个系统上的日志.例如从 Live 环境修复现存的系统.

这种情况下你可以挂载目标系统 ( 例如挂载到 /mnt ),然后用 -D/--directory 参数指定目录,像这样:

# journalctl -D /mnt/var/log/journal -xe

普通用户访问日志[编辑 | 编辑源代码]

在默认的配置中,普通用户仅能访问自己的日志,要让普通用户访问系统日志,可以将用户加入 systemd-journal 用户组admwheel 组中的用户也可以读取日志。

更多信息请参考 journalctl(1) § DESCRIPTION用户和用户组#用户组管理