systemd/Journal

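From the Arch Linux Chinese wiki

For the main article, see systemd.

systemd provides its own logging system, called the journal. With the systemd journal there is no need to install a separate syslog service. Use the journalctl(1) command to read the logs.

On Arch Linux, the /var/log/journal/ directory is part of the systemd package. By default Storage=auto is set in /etc/systemd/journald.conf, and systemd writes the journal to /var/log/journal. If the directory is deleted, systemd does not recreate it automatically and instead writes the journal to /run/log/journal, whose contents are lost on reboot. If Storage=persistent is set in journald.conf, /var/log/journal/ is recreated when systemd-journald.service is restarted or the system is rebooted.

The systemd journal classifies messages by priority level (see #Priority level) and facility (see #Facility), conforming to the syslog protocol standard (RFC 5424).

Tip: If /var/log/journal/ resides on a btrfs file system, consider disabling copy-on-write for the directory; see Btrfs#Copy-on-Write (CoW).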

Priority level

Journal entries carry a syslog priority code that marks the importance of the message; see RFC 5424 section 6.2.1.

| Value | Priority | Keyword | Description | Examples |
|---|---|---|---|---|
| 0 | Emergency | emerg | System is unusable | Severe Kernel BUG, systemd dumped core. This level should not be used by applications. |
| 1 | Alert | alert | Should be corrected immediately | Vital subsystem goes out of work. Data loss. kernel: BUG: unable to handle kernel paging request at ffffc90403238ffc. |
| 2 | Critical | crit | Critical conditions | Crashes, coredumps. Like familiar flash: systemd-coredump[25319]: Process 25310 (plugin-containe) of user 1000 dumped core. Failure in the system primary application, like X11. |
| 3 | Error | err | Error conditions | Non-fatal error reported: kernel: usb 1-3: 3:1: cannot get freq at ep 0x84, systemd[1]: Failed unmounting /var., libvirtd[1720]: internal error: Failed to initialize a valid firewall backend. |
| 4 | Warning | warning | May indicate that an error will occur if action is not taken. | A non-root file system has only 1GB free. org.freedesktop.Notifications[1860]: (process:5999): Gtk-WARNING **: Locale not supported by C library. Using the fallback 'C' locale. |
| 5 | Notice | notice | Events that are unusual, but not error conditions. | systemd[1]: var.mount: Directory /var to mount over is not empty, mounting anyway. gcr-prompter[4997]: Gtk: GtkDialog mapped without a transient parent. This is discouraged. |
| 6 | Informational | info | Normal operational messages that require no action. | lvm[585]: 7 logical volume(s) in volume group "archvg" now active. |
| 7 | Debug | debug | Messages which may need to be enabled first, only useful for debugging | kdeinit5[1900]: powerdevil: Scheduling inhibition from ":1.14" "firefox" with cookie 13 and reason "screen" |

These rules are recommendations, and the priority level of a given error is at the application developer's discretion. It is always possible that the error will be at a higher or lower level than expected.

Examples:

  • Info message:
    pulseaudio[2047]: W: [pulseaudio] alsa-mixer.c: Volume element Master has 8 channels. That's too much! I can't handle that!
    It is a warning or error by definition.
  • Plaguing alert message:
    sudo[21711]:     user : a password is required ; TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=list /usr/bin/pacman --color auto -Sy
    The reason: the user was manually added to the sudoers file rather than to the wheel group, which is arguably a normal action, but sudo produced an alert on every occasion.

Facility

Journal entries carry a syslog facility code that marks the type of program that logged the message; see RFC 5424 section 6.2.1.

| Facility code | Keyword | Description | Info |
|---|---|---|---|
| 0 | kern | kernel messages | |
| 1 | user | user-level messages | |
| 2 | mail | mail system | Archaic POSIX system, still supported and sometimes used (for more, see mail(1)) |
| 3 | daemon | system daemons | All daemons, including systemd and its subsystems |
| 4 | auth | security/authorization messages | Also watch for different facility 10 |
| 5 | syslog | messages generated internally by syslogd | As it is standardized for syslogd, it is not used by systemd (see facility 3) |
| 6 | lpr | line printer subsystem (archaic subsystem) | |
| 7 | news | network news subsystem (archaic subsystem) | |
| 8 | uucp | UUCP subsystem (archaic subsystem) | |
| 9 | | clock daemon | systemd-timesyncd |
| 10 | authpriv | security/authorization messages | Also watch for different facility 4 |
| 11 | ftp | FTP daemon | |
| 12 | - | NTP subsystem | |
| 13 | - | log audit | |
| 14 | - | log alert | |
| 15 | cron | scheduling daemon | |
| 16 | local0 | local use 0 (local0) | |
| 17 | local1 | local use 1 (local1) | |
| 18 | local2 | local use 2 (local2) | |
| 19 | local3 | local use 3 (local3) | |
| 20 | local4 | local use 4 (local4) | |
| 21 | local5 | local use 5 (local5) | |
| 22 | local6 | local use 6 (local6) | |
| 23 | local7 | local use 7 (local7) | |

So, useful facilities to watch: 0,1,3,4,9,10,15.

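Filtering output

journalctl can filter its output by specific fields. If many fields are filtered on, it can take a long time for the output to be displayed.

Examples:

  • Show messages matching PATTERN:
    # journalctl --grep=PATTERN
  • Show all messages from the current boot:
    # journalctl -b
  • journalctl -b -0 shows messages from the current boot
  • journalctl -b -1 shows messages from the previous boot
  • journalctl -b -2 shows messages from the boot before the previous one
  • Show only error, critical and alert priority messages:
    # journalctl -p err..alert
    Numbers can also be used: journalctl -p 3..1. If a single number or keyword is used, as in journalctl -p 3, all higher priority levels are also included.
  • Include descriptions of the log message types:
    # journalctl -x
    Note: do not use this option when reporting bugs or asking for help, because it produces a large amount of output. Use journalctl --list-catalog to see the descriptions of all message types.
  • Show messages starting from a given date (or time):
    # journalctl --since="2012-10-30 18:17:16"
  • Show messages since a relative time (for example, 20 minutes ago):
    # journalctl --since "20 min ago"
  • Show the latest messages:
    # journalctl -f
  • Show all messages from a specific executable:
    # journalctl /usr/lib/systemd/systemd
  • Show all messages from a specific process:
    # journalctl _PID=1
  • Show all messages from a specific unit:
    # journalctl -u man-db.service
  • Show all messages from user services by a specific unit:
    $ journalctl --user -u dbus
  • Show kernel ring buffer messages:
    # journalctl -k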
  • Show auth.log equivalent by filtering on syslog facility:
    # journalctl -f -l SYSLOG_FACILITY=10
  • If your journal directory (by default located under /var/log/journal) contains a huge amount of log data, journalctl can take several minutes to filter the output. You can speed it up significantly by using the --file option to force journalctl to look only at the most recent journal:
    # journalctl --file /var/log/journal/*/system.journal -f

For details see journalctl(1), systemd.journal-fields(7), and this blog post by Lennart.
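
The priority and facility filters above (-p and SYSLOG_FACILITY=) can also be applied offline to saved `journalctl -o json` output, for example when reviewing authentication events on another machine. This is an added example, not part of the original wiki page; the sample records and the function names triage and message_text are constructed for illustration.

```python
import json

# Keywords from the priority table (syslog severity 0-7).
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
AUTH_FACILITIES = {4, 10}  # auth and authpriv, per the facility table


def message_text(value):
    """journalctl -o json emits non-UTF-8 MESSAGE data as a list of byte values."""
    if isinstance(value, list):
        return bytes(value).decode("utf-8", errors="replace")
    return "" if value is None else str(value)


def triage(lines, max_priority="warning", facilities=AUTH_FACILITIES):
    """Return (priority keyword, identifier, message) for matching entries.
    As with `journalctl -p LEVEL`, more severe (numerically lower) levels match too."""
    threshold = PRIORITIES.index(max_priority)
    hits = []
    for line in lines:
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
            prio = int(entry["PRIORITY"])
            facility = int(entry["SYSLOG_FACILITY"])
        except (ValueError, KeyError, TypeError):
            continue  # truncated line, or entry without syslog metadata
        if facility in facilities and 0 <= prio <= threshold:
            ident = entry.get("SYSLOG_IDENTIFIER", "?")
            hits.append((PRIORITIES[prio], ident, message_text(entry.get("MESSAGE"))))
    return hits


# Constructed sample records in the shape of `journalctl -o json` output.
SAMPLE = [
    '{"PRIORITY":"1","SYSLOG_FACILITY":"10","SYSLOG_IDENTIFIER":"sudo","MESSAGE":"user : a password is required ; TTY=pts/0"}',
    '{"PRIORITY":"6","SYSLOG_FACILITY":"10","SYSLOG_IDENTIFIER":"sshd","MESSAGE":"session opened"}',
    '{"PRIORITY":"3","SYSLOG_FACILITY":"3","SYSLOG_IDENTIFIER":"libvirtd","MESSAGE":"internal error"}',
    '{"PRIORITY":"4","SYSLOG_FACILITY":"4","SYSLOG_IDENTIFIER":"login","MESSAGE":[98,97,100,32,255]}',
    '{"SYSLOG_IDENTIFIER":"app","MESSAGE":"no syslog fields"}',
]

if __name__ == "__main__":
    for prio, ident, msg in triage(SAMPLE):
        print(f"{prio:<8}{ident}: {msg}")
```

Entries that carry no PRIORITY or SYSLOG_FACILITY field are skipped rather than treated as matches, so review those separately if a service logs without syslog metadata.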

  • By default, journalctl truncates lines longer than screen width, but in some cases, it may be better to enable wrapping instead of truncating. This can be controlled by the SYSTEMD_LESS environment variable, which contains options passed to less (the default pager) and defaults to FRSXMK (see less(1) and journalctl(1) for details).
    By omitting the S option, the output will be wrapped instead of truncated. For example, start journalctl as follows:
    $ SYSTEMD_LESS=FRXMK journalctl
    To set this behaviour as default, export the variable from ~/.bashrc or ~/.zshrc.
  • While the journal is stored in a binary format, the content of stored messages is not modified. This means it is viewable with strings, for example for recovery in an environment which does not have systemd installed, e.g.:
    $ strings /mnt/arch/var/log/journal/af4967d77fba44c6b093d0e9862f6ddd/system.journal | grep -i message

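Journal size limit

If the journal is kept persistent as described above, its size limit defaults to 10% of the size of the underlying file system. For example, with /var/log/journal stored on a 50 GiB root partition, the journal holds at most 5 GiB of data. The current settings can be seen in the systemd-journald log:

# journalctl -b -u systemd-journald

The maximum size can be set in the configuration file. For example, to limit the journal to 50 MiB:

/etc/systemd/journald.conf
SystemMaxUse=50M

The limit can also be set with a configuration snippet instead of the global configuration file:

/etc/systemd/journald.conf.d/00-journal-size.conf
[Journal]
SystemMaxUse=50M

To apply the change immediately, restart systemd-journald.service.

See journald.conf(5) for details.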

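Using the journal with syslog

systemd provides the socket /run/systemd/journal/syslog for compatibility with traditional syslog daemons. All system messages are passed to it. For a traditional syslog daemon to work, it must be bound to this socket rather than to /dev/log (official announcement). The syslog-ng package in the Arch repositories already includes the necessary configuration.

In journald.conf, forwarding to the socket is set to no. To make syslog-ng work with journald, set ForwardToSyslog=yes in /etc/systemd/journald.conf. See Syslog-ng#Overview for more details.

If you choose to use rsyslog (AUR), changing this option is not necessary, because rsyslog pulls messages directly from the journal.

Enable syslog-ng at boot:

 # systemctl enable syslog-ng

Here is a good journalctl guide.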

Per unit size limit by a journal namespace

Edit the unit file for the service you wish to configure (for example sshd) and add LogNamespace=ssh in the [Service] section.

Then create /etc/systemd/journald@ssh.conf by copying /etc/systemd/journald.conf. After that, edit journald@ssh.conf and adjust SystemMaxUse to your liking.

Restarting the service should automatically start the new journal service systemd-journald@ssh.service. The logs from the namespaced service can be viewed with journalctl --namespace ssh.

See systemd-journald.service(8) § JOURNAL NAMESPACES for details about journal namespaces.

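Clean journal files manually

Journal files are stored in /var/log/journal, and removing them with rm should work. Alternatively, use journalctl.

Examples:

  • Remove journal files until the total size is below 100M:
    # journalctl --vacuum-size=100M
  • Remove journal entries older than two weeks:
    # journalctl --vacuum-time=2weeks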

Journal files must have been rotated out and made inactive before they can be trimmed by vacuum commands. Rotation of journal files can be done by running journalctl --rotate. The --rotate argument can also be provided alongside one or more vacuum criteria arguments to perform rotation and then trim files in a single command.

See journalctl(1) for more information.

Forward journald to /dev/tty12

Create a drop-in directory /etc/systemd/journald.conf.d (see Systemd#Replacement unit files) and create fw-tty12.conf in it:

/etc/systemd/journald.conf.d/fw-tty12.conf
[Journal]
ForwardToConsole=yes
TTYPath=/dev/tty12
MaxLevelConsole=info

Then restart systemd-journald.

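Specify a different journal to view

Sometimes you want to inspect the journal of another system, for example when repairing an existing installation from a live environment.

In that case, mount the target system (for example on /mnt) and specify the journal directory with the -D/--directory option, like so: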

# journalctl -D /mnt/var/log/journal -xe

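Journal access as a regular user

In the default configuration, regular users can only access their own journal. To let a regular user read the system journal, add the user to the systemd-journal group. Members of the adm and wheel groups can also read the journal.

For more information, see journalctl(1) § DESCRIPTION and Users and groups#Group management.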