journalctl工具是在centos7之后出现的工具。
在Systemd出现之前,Linux系统及各应用的日志都是分别管理的,Systemd开始统一管理了所有Unit的启动日志,这样带来的好处就是可以只用一个 journalctl命令,查看所有日志(内核日志和 应用日志)。
日志的配置文件/etc/systemd/journald.conf
参数:
-b 查看本次启动的所有日志 或者什么也不加,journalctl
[root@vrgv ~]# journalctl -b -- Logs begin at Thu 2021-02-18 10:37:48 CST, end at Mon 2021-03-01 12:46:08 CST. -- Feb 18 10:37:48 vrgv systemd-journal[197]: Runtime journal is using 8.0M (max allowed 799.4M, trying to leave 1.1G free Feb 18 10:37:48 vrgv kernel: Linux version 5.4.91-1.el7.elrepo.x86_64 (mockbuild@Build64R7) (gcc version 9.3.1 20200408 Feb 18 10:37:48 vrgv kernel: Command line: BOOT_IMAGE=/vmlinuz-5.4.91-1.el7.elrepo.x86_64 root=/dev/mapper/centos-root Feb 18 10:37:48 vrgv kernel: Disabled fast string operations Feb 18 10:37:48 vrgv kernel: x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers' Feb 18 10:37:48 vrgv kernel: x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers'
-k 查看内核日志
[root@vrgv ~]# journalctl -k -- Logs begin at Thu 2021-02-18 10:37:48 CST, end at Mon 2021-03-01 12:46:08 CST. -- Feb 18 10:37:48 vrgv kernel: Linux version 5.4.91-1.el7.elrepo.x86_64 (mockbuild@Build64R7) (gcc version 9.3.1 20200408 Feb 18 10:37:48 vrgv kernel: Command line: BOOT_IMAGE=/vmlinuz-5.4.91-1.el7.elrepo.x86_64 root=/dev/mapper/centos-root Feb 18 10:37:48 vrgv kernel: Disabled fast string operations Feb 18 10:37:48 vrgv kernel: x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers' Feb 18 10:37:48 vrgv kernel: x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers' Feb 18 10:37:48 vrgv kernel: x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers'
-u 根据类型查询,如查看docker服务日志journalctl -u docker
[root@vrgv ~]# journalctl -u docker.service -- Logs begin at Thu 2021-02-18 10:37:48 CST, end at Mon 2021-03-01 12:46:08 CST. -- Feb 18 10:37:59 vrgv systemd[1]: Starting Docker Application Container Engine... Feb 18 10:37:59 vrgv dockerd[10179]: time="2021-02-18T10:37:59.798907622+08:00" level=info msg="libcontainerd: started Feb 18 10:37:59 vrgv dockerd[10179]: time="2021-02-18T10:37:59.801937970+08:00" level=info msg="parsed scheme: \"unix\" Feb 18 10:37:59 vrgv dockerd[10179]: time="2021-02-18T10:37:59.802051497+08:00" level=info msg="scheme \"unix\" not reg Feb 18 10:37:59 vrgv dockerd[10179]: time="2021-02-18T10:37:59.806551815+08:00" level=info msg="ccResolverWrapper: send Feb 18 10:37:59 vrgv dockerd[10179]: time="2021-02-18T10:37:59.806638857+08:00" level=info msg="ClientConn switching ba Feb 18 10:37:59 vrgv dockerd[10179]: time="2021-02-18T10:37:59.808453873+08:00" l
–since “2017-01-10” --until “2017-01-11 03:00” 查看2017.1.10到2017.1.11 3点的日志,也可简写成-S和-U
[root@vrgv ~]# journalctl -S "2021-03-01 11:00" -U "2021-03-01 12:00" -- Logs begin at Thu 2021-02-18 10:37:48 CST, end at Mon 2021-03-01 12:46:08 CST. -- Mar 01 11:00:13 vrgv systemd[1]: Starting Cleanup of Temporary Directories... Mar 01 11:00:13 vrgv systemd[1]: Started Cleanup of Temporary Directories. Mar 01 11:01:01 vrgv systemd[1]: Started Session 307 of user root. Mar 01 11:01:01 vrgv CROND[129463]: (root) CMD (run-parts /etc/cron.hourly) Mar 01 11:01:01 vrgv run-parts(/etc/cron.hourly)[129466]: starting 0anacron
_UID 查看某个用户的日志,如查看postgres用户日志journalctl _UID=1000 (1000是根据命令id -u postgres得到的)
[root@vrgv ~]# id -u postgres 1000 [root@vrgv ~]# journalctl _UID=1000 -- Logs begin at Thu 2021-02-18 10:37:48 CST, end at Mon 2021-03-01 12:46:08 CST. -- Feb 18 10:37:59 vrgv pg_ctl[10180]: 2021-02-17 21:37:59.254 EST [10206] LOG: listening on IPv4 address "0.0.0.0", port Feb 18 10:37:59 vrgv pg_ctl[10180]: 2021-02-17 21:37:59.254 EST [10206] LOG: listening on IPv6 address "::", port 5432 Feb 18 10:37:59 vrgv pg_ctl[10180]: 2021-02-17 21:37:59.264 EST [10206] LOG: listening on Unix socket "/tmp/.s.PGSQL.5 Feb 18 10:38:00 vrgv pg_ctl[10180]: 2021-02-17 21:38:00.083 EST [10206] LOG: redirecting log output to l
-p 显示特定优先级的信息,从而过滤掉优先级较低的信息
0: emerg 紧急 1: alert 警惕 2: crit 警示 3: err 错误 4: warning 警告 5: notice 注意,通告 6: info 信息 7: debug 调试 [root@vrgv ~]# journalctl -p 3 -b -- Logs begin at Thu 2021-02-18 10:37:48 CST, end at Mon 2021-03-01 12:46:08 CST. -- Feb 18 10:37:50 vrgv kernel: sd 2:0:0:0: [sda] Assuming drive cache: write through Feb 18 10:37:50 vrgv kernel: sd 2:0:1:0: [sdb] Assuming drive cache: write through Feb 18 10:37:50 vrgv kernel: sd 2:0:2:0: [sdc] Assuming drive cache: write through Feb 18 10:37:51 vrgv systemd-udevd[5107]: unknown key 'PHYSDEVBUS' in /etc/udev/rules.d/80-hasp.rules:9 Feb 18 10:37:51 vrgv systemd-udevd[5107]: invalid rule '/etc/udev/rules.d/80-hasp.rules:9' Feb 18 10:37:51 vrgv systemd-udevd[5107]: unknown key 'PHYSDEVBUS' in /etc/udev/rules.d/80-hasp.rules:10 Feb 18 10:37:51 vrgv systemd-udevd[5107]: invalid rule '/etc/udev/rules.d/80-hasp.rules:10' Feb 18 10:37:52 vrgv kernel: piix4_smbus 0000:00:07.3: SMBus Host Controller not enabled!
-a 与-p相反,-a代表全部显示
[root@vrgv ~]# journalctl -a -- Logs begin at Thu 2021-02-18 10:37:48 CST, end at Mon 2021-03-01 13:01:01 CST. -- Feb 18 10:37:48 vrgv systemd-journal[197]: Runtime journal is using 8.0M (max allowed 799.4M, trying to leave 1.1G free Feb 18 10:37:48 vrgv kernel: Linux version 5.4.91-1.el7.elrepo.x86_64 (mockbuild@Build64R7) (gcc version 9.3.1 20200408 Feb 18 10:37:48 vrgv kernel: Command line: BOOT_IMAGE=/vmlinuz-5.4.91-1.el7.elrepo.x86_64 root=/dev/mapper/centos-root Feb 18 10:37:48 vrgv kernel: Disabled fast string operations Feb 18 10:37:48 vrgv kernel: x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers' Feb 18 10:37:48 vrgv kernel: x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers' Feb 18 10:37:48 vrgv kernel: x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers'
-o 指定日志输出格式,最为常见的格式:-o json-pretty
cat: 只显示信息字段本身。 export: 适合传输或备份的二进制格式。 json: 标准JSON,每行一个条目。 json-pretty: JSON格式,适合人类阅读习惯。 json-sse: JSON格式,经过打包以兼容server-sent事件。 short: 默认syslog类输出格式。 short-iso: 默认格式,强调显示ISO 8601挂钟时间戳。 short-monotonic: 默认格式,提供普通时间戳。 short-precise: 默认格式,提供微秒级精度。 verbose: 显示该条目的全部可用journal字段,包括通常被内部隐藏的字段。 [root@vrgv ~]# journalctl -o json-pretty -b { "__CURSOR" : "s=fb03d2b00f8e4804ae90d1272f9ac3f2;i=1;b=66afbb5671e04f30b082eed2c2ff5402;m=23a7fc;t=5bb9338a8743e;x=acbe13f9 "__REALTIME_TIMESTAMP" : "1613615868703806", "__MONOTONIC_TIMESTAMP" : "2336764", "_BOOT_ID" : "66afbb5671e04f30b082eed2c2ff5402", "PRIORITY" : "6", "_TRANSPORT" : "driver", "MESSAGE" : "Runtime journal is using 8.0M (max allowed 799.4M, trying to leave 1.1G free of 7.7G available \uffffffe2\ufff "MESSAGE_ID" : "ec387f577b844b8fa948f33cad9a75e6", "_PID" : "197", "_UID" : "0", "_GID" : "0", "_COMM" : "systemd-journal", "_EXE" : "/usr/lib/systemd/systemd-journald", "_CMDLINE" : "/usr/lib/systemd/systemd-journald", "_CAP_EFFECTIVE" : "25402800cf", "_SYSTEMD_CGROUP" : "/system.slice/systemd-journald.service", "_SYSTEMD_UNIT" : "systemd-journald.service", "_SYSTEMD_SLICE" : "system.slice", "_MACHINE_ID" : "92dcecad2935477796367be725a6735b", "_HOSTNAME" : "vrgv" }
-f 持续实时输入日志
[root@vrgv ~]# journalctl -fu docker.service -- Logs begin at Thu 2021-02-18 10:37:48 CST. -- Feb 18 10:38:00 vrgv dockerd[10179]: time="2021-02-18T10:38:00.241741884+08:00" level=info msg="Loading containers: start." Feb 18 10:38:01 vrgv dockerd[10179]: time="2021-02-18T10:38:01.610646278+08:00" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address" Feb 18 10:38:02 vrgv dockerd[10179]: time="2021-02-18T10:38:02.143827293+08:00" level=info msg="Loading containers: done." Feb 18 10:38:02 vrgv dockerd[10179]: time="2021-02-18T10:38:02.250503801+08:00" level=info msg="Docker daemon" commit=481bc77 graphdriver(s)=overlay2 version=18.09.6 Feb 18 10:38:02 vrgv dockerd[10179]: time="2021-02-18T10:38:02.250847585+08:00" level=info msg="Daemon has completed initialization" Feb 18 10:38:02 vrgv dockerd[10179]: time="2021-02-18T10:38:02.277582884+08:00" level=info msg="API listen on /var/run/docker.sock" Feb 18 10:38:02 vrgv systemd[1]: Started Docker Application Container Engine.
另外几种查看信息的
查看日志占用磁盘空间大小
[root@k8s-node1 ~]# journalctl --disk-usage Archived and active journals take up 87.6M on disk.
设置日志占用磁盘空间
[root@k8s-node1 ~]# journalctl --vacuum-size=500M Vacuuming done, freed 0B of archived journals on disk.
设置日志最长保留时间
month/years
[root@k8s-node1 ~]# journalctl --vacuum-time=1month Vacuuming done, freed 0B of archived journals on disk.
最后看一下配置文件
[root@k8s-node1 ~]# vim /etc/systemd/journald.conf # This file is part of systemd. # # systemd is free software; you can redistribute it and/or modify it # under the terms of the GNU Lesser General Public License as published by # the Free Software Foundation; either version 2.1 of the License, or # (at your option) any later version. # # Entries in this file show the compile time defaults. # You can change settings by editing this file. # Defaults can be restored by simply deleting this file. # # See journald.conf(5) for details. [Journal] #Storage=auto #Compress=yes #Seal=yes #SplitMode=uid #SyncIntervalSec=5m #RateLimitInterval=30s #RateLimitBurst=1000 #SystemMaxUse= #SystemKeepFree= #SystemMaxFileSize= #RuntimeMaxUse= #RuntimeKeepFree= #RuntimeMaxFileSize= #MaxRetentionSec= #MaxFileSec=1month #ForwardToSyslog=yes #ForwardToKMsg=no #ForwardToConsole=no #ForwardToWall=yes #TTYPath=/dev/console #MaxLevelStore=debug #MaxLevelSyslog=debug #MaxLevelKMsg=notice #MaxLevelConsole=info #MaxLevelWall=emerg #LineMax=48K
