systemd/Journal

出自 Arch Linux 中文维基

主文檔請參考 systemd

systemd 提供了自己的日誌系統(logging system),稱為 journal。使用 systemd 日誌,無需額外安裝日誌服務(syslog)。使用 journalctl(1) 命令讀取日誌。

Arch Linux 中, /var/log/journal/ 目錄是 systemd 軟體包的一部分。默認情況下 /etc/systemd/journald.conf 中的Storage=auto,systemd 會將日誌記錄寫入 /var/log/journal。若被刪除,systemd 不會自動創建此目錄,而是將日誌寫入 /run/log/journal,重啟時內容會消失。如果 journald.conf 中的 Storage=persistentsystemd-journald.service 重啟 或系統重啟時會重新創建 /var/log/journal/

Systemd 日誌可以按照#優先級#功能標記日誌,符合 syslog 協議 (RFC 5424) 標準。

提示:如果 /var/log/journal/ 位於 btrfs 文件系統,應該考慮對這個目錄禁用寫入時複製,方法參閱 Btrfs#Copy-on-Write (CoW)

優先級[編輯 | 編輯原始碼]

日誌會帶 syslog 優先級代碼,標記消息的重要性,參考 RFC 5424 6.2.1

數值 優先級 關鍵字 描述 示例
0 Emergency emerg System is unusable Severe Kernel BUG, systemd dumped core.
This level should not be used by applications.
1 Alert alert Should be corrected immediately Vital subsystem goes out of work. Data loss.
kernel: BUG: unable to handle kernel paging request at ffffc90403238ffc.
2 Critical crit Critical conditions Crashes, coredumps. Like familiar flash:
systemd-coredump[25319]: Process 25310 (plugin-containe) of user 1000 dumped core
Failure in the system primary application, like X11.
3 Error err Error conditions Not fatal error reported:
kernel: usb 1-3: 3:1: cannot get freq at ep 0x84,
systemd[1]: Failed unmounting /var.,
libvirtd[1720]: internal error: Failed to initialize a valid firewall backend).
4 Warning warning May indicate that an error will occur if action is not taken. A non-root file system has only 1GB free.
org.freedesktop. Notifications[1860]: (process:5999): Gtk-WARNING **: Locale not supported by C library. Using the fallback 'C' locale.
5 Notice notice Events that are unusual, but not error conditions. systemd[1]: var.mount: Directory /var to mount over is not empty, mounting anyway. gcr-prompter[4997]: Gtk: GtkDialog mapped without a transient parent. This is discouraged.
6 Informational info Normal operational messages that require no action. lvm[585]: 7 logical volume(s) in volume group "archvg" now active.
7 Debug debug Messages which may need to be enabled first, only useful for debugging kdeinit5[1900]: powerdevil: Scheduling inhibition from ":1.14" "firefox" with cookie 13 and reason "screen"

These rules are recommendations, and the priority level of a given error is at the application developer's discretion. It is always possible that the error will be at a higher or lower level than expected.

Examples:

  • Info message:
    pulseaudio[2047]: W: [pulseaudio] alsa-mixer.c: Volume element Master has 8 channels. That's too much! I can't handle that!
    It is an warning or error by definition.
  • Plaguing alert message:
    sudo[21711]:     user : a password is required ; TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=list /usr/bin/pacman --color auto -Sy
    The reason - user was manually added to sudoers file, not to wheel group, which is arguably normal action, but sudo produced an alert on every occasion.

功能[編輯 | 編輯原始碼]

日誌文件會帶上 syslog 功能碼,標記發出日誌的程序類型 RFC 5424 6.2.1

功能碼 關鍵字 描述 信息
0 kern kernel messages
1 user user-level messages
2 mail mail system Archaic POSIX still supported and sometimes used system, for more mail(1))
3 daemon system daemons All daemons, including systemd and its subsystems
4 auth security/authorization messages Also watch for different facility 10
5 syslog messages generated internally by syslogd As it standartized for syslogd, not used by systemd (see facility 3)
6 lpr line printer subsystem (archaic subsystem)
7 news network news subsystem (archaic subsystem)
8 uucp UUCP subsystem (archaic subsystem)
9 clock daemon systemd-timesyncd
10 authpriv security/authorization messages Also watch for different facility 4
11 ftp FTP daemon
12 - NTP subsystem
13 - log audit
14 - log alert
15 cron scheduling daemon
16 local0 local use 0 (local0)
17 local1 local use 1 (local1)
18 local2 local use 2 (local2)
19 local3 local use 3 (local3)
20 local4 local use 4 (local4)
21 local5 local use 5 (local5)
22 local6 local use 6 (local6)
23 local7 local use 7 (local7)

So, useful facilities to watch: 0,1,3,4,9,10,15.

過濾輸出[編輯 | 編輯原始碼]

journalctl可以根據特定欄位過濾輸出。如果過濾的欄位比較多,需要較長時間才能顯示出來。

示例:

  • 顯示 PATTERN 模式的日誌:
    # journalctl --grep=PATTERN
  • 顯示本次啟動後的所有日誌:
    # journalctl -b
  • journalctl -b -0 顯示本次啟動的信息
  • journalctl -b -1 顯示上次啟動的信息
  • journalctl -b -2 顯示上上次啟動的信息 journalctl -b -2
  • 只顯示錯誤、衝突和重要告警信息
    # journalctl -p err..alert
    也可以使用數字, journalctl -p 3..1。If single number/keyword used, journalctl -p 3 - all higher priority levels also included.
  • 包含日誌消息類型的描述:
    # journalctl -x
    注意在報告 bug 和尋求幫助時不要使用此命令,因為這個命令會產生大量的輸出。用 journalctl --list-catalog 可以查看所有類型的描述。
  • 顯示從某個日期 ( 或時間 ) 開始的消息:
    # journalctl --since="2012-10-30 18:17:16"
  • 顯示從某個時間 ( 例如 20分鐘前 ) 的消息:
    # journalctl --since "20 min ago"
  • 顯示最新信息
    # journalctl -f
  • 顯示特定程序的所有消息:
    # journalctl /usr/lib/systemd/systemd
  • 顯示特定進程的所有消息:
    # journalctl _PID=1
  • 顯示指定單元的所有消息:
    # journalctl -u man-db.service
  • Show all messages from user services by a specific unit:
    $ journalctl --user -u dbus
  • 顯示內核環緩存消息r:
    # journalctl -k
  • Show auth.log equivalent by filtering on syslog facility:
    # journalctl -f -l SYSLOG_FACILITY=10
  • If your journal directory (by default located under /var/log/journal) contains huge amount of log data then journalctl can take several minutes in filtering output. You can speed it up significantly by using --file option to force journalctl to look only into most recent journal:
    # journalctl --file /var/log/journal/*/system.journal -f

詳情參閱journalctl(1)systemd.journal-fields(7),以及 Lennert 的這篇博文

  • By default, journalctl truncates lines longer than screen width, but in some cases, it may be better to enable wrapping instead of truncating. This can be controlled by the SYSTEMD_LESS environment variable, which contains options passed to less (the default pager) and defaults to FRSXMK (see less(1) and journalctl(1) for details).
By omitting the S option, the output will be wrapped instead of truncated. For example, start journalctl as follows:
$ SYSTEMD_LESS=FRXMK journalctl
To set this behaviour as default, export the variable from ~/.bashrc or ~/.zshrc.
  • While the journal is stored in a binary format, the content of stored messages is not modified. This means it is viewable with strings, for example for recovery in an environment which does not have systemd installed, e.g.:{{bc|$ strings /mnt/arch/var/log/journal/af4967d77fba44c6b093d0e9862f6ddd/system.journal | grep -i message

日誌大小限制[編輯 | 編輯原始碼]

如果按上面的操作保留日誌的話,默認日誌最大限制為所在文件系統容量的 10%,即:如果 /var/log/journal 儲存在 50GiB 的根分區中,那麼日誌最多存儲 5GiB 數據。用 systemd-journald 日誌查看當前設置:

# journalctl -b -u systemd-journald

可以修改配置文件指定最大限制。如限制日誌最大 50MiB:

/etc/systemd/journald.conf
SystemMaxUse=50M

還可以通過配置片段而不是全局配置文件進行設置:

/etc/systemd/journald.conf.d/00-journal-size.conf
[Journal]
SystemMaxUse=50M

修改配置後要立即生效,請重啟 systemd-journald.service 服務。

詳情參見 journald.conf(5).

配合 syslog 使用[編輯 | 編輯原始碼]

systemd 提供了 socket /run/systemd/journal/syslog,以兼容傳統日誌服務。所有系統信息都會被傳入。要使傳統日誌服務工作,需要讓服務連結該 socket,而非 /dev/log官方說明)。Arch 軟體倉庫中的 syslog-ng 已經包含了需要的配置。

journald.conf 使用 no 轉發socket . 為了使 syslog-ng 配合 journald , 你需要在 /etc/systemd/journald.conf 中設置 ForwardToSyslog=yes . 參閱 Syslog-ng#Overview 了解更多細節.

如果你選擇使用 rsyslogAUR , 因為 rsyslog 從日誌中直接傳出消息,所以不再必要改變那個選項..

設置開機啟動 syslog-ng:

 # systemctl enable syslog-ng

這裡有一份很不錯的 journalctl 指南。

Per unit size limit by a journal namespace[編輯 | 編輯原始碼]

Edit the unit file for the service you wish to configure (for example sshd) and add LogNamespace=ssh in the [Service] section.

Then create /etc/systemd/journald@ssh.conf by copying /etc/systemd/journald.conf. After that, edit journald@ssh.conf and adjust SystemMaxUse to your liking.

Restarting the service should automatically start the new journal service systemd-journald@ssh.service. The logs from the namespaced service can be viewed with journalctl --namespace ssh.

See systemd-journald.service(8) § JOURNAL NAMESPACES for details about journal namespaces.

手動清理日誌[編輯 | 編輯原始碼]

/var/log/journal 存放著日誌, rm 應該能工作. 或者使用journalctl,

例如:

  • 清理日誌使總大小小於 100M:
    # journalctl --vacuum-size=100M
  • 清理最早兩周前的日誌.
    # journalctl --vacuum-time=2weeks

Journal files must have been rotated out and made inactive before they can be trimmed by vacuum commands. Rotation of journal files can be done by running journalctl --rotate. The --rotate argument can also be provided alongside one or more vacuum criteria arguments to perform rotation and then trim files in a single command.

參閱 journalctl(1) 獲得更多信息.

轉發 journald 到 /dev/tty12[編輯 | 編輯原始碼]

建立一個 Systemd#替換單元文件|drop-in directory]] /etc/systemd/journald.conf.d 然後在其中建立 fw-tty12.conf :

/etc/systemd/journald.conf.d/fw-tty12.conf
[Journal]
ForwardToConsole=yes
TTYPath=/dev/tty12
MaxLevelConsole=info

然後重新啟動 systemd-journald.

查看特定位置的日誌[編輯 | 編輯原始碼]

有時你希望查看另一個系統上的日誌.例如從 Live 環境修復現存的系統.

這種情況下你可以掛載目標系統 ( 例如掛載到 /mnt ),然後用 -D/--directory 參數指定目錄,像這樣:

# journalctl -D /mnt/var/log/journal -xe

普通用戶訪問日誌[編輯 | 編輯原始碼]

在默認的配置中,普通用戶僅能訪問自己的日誌,要讓普通用戶訪問系統日誌,可以將用戶加入 systemd-journal 用戶組admwheel 組中的用戶也可以讀取日誌。

更多信息請參考 journalctl(1) § DESCRIPTION用戶和用戶組#用戶組管理