Viewing Linux system logs with journalctl


Author: CodingCode | Published 2020-04-17 05:45 | Read 0 times


    Distributions that run systemd record system logs in the systemd journal. The journal is stored in a binary format, so its contents cannot be read with a text editor; journalctl is the tool for querying it.

    1. Basic usage
    $ sudo journalctl
    
    • Show only kernel messages:
    $ sudo journalctl -k
    

    -k restricts the output to kernel messages (the match _TRANSPORT=kernel); without it, messages from every source are shown. Note that -k also implies -b, so only the current boot's kernel messages are displayed.

    • Tail and follow mode:
    $ sudo journalctl -n 20
    $ sudo journalctl -f
    

    -n 20 prints the last 20 entries; -f keeps the command running and prints new entries as they arrive, like tail -f. The two can be combined (-n 20 -f).

    • Show only messages since the most recent boot:
    $ sudo journalctl -b
    

    Without -b, every locally stored entry is shown, including those written before earlier reboots. This only holds when journald keeps the journal persistently (Storage=persistent in /etc/systemd/journald.conf, or Storage=auto with an existing /var/log/journal directory); with volatile storage under /run/log/journal nothing survives a reboot, which matters when reconstructing events after a crash. Earlier boots are selected with -b -1, -b -2 and so on, and listed with --list-boots.

    2. Filter by time
    $ sudo journalctl --since "2015-01-10" --until "2015-01-11 03:00"
    
    3. Filter by unit
    $ sudo journalctl -u docker.service
    $ sudo journalctl -u docker
    

    The argument is the name of a systemd unit (docker.service; journalctl appends .service when no suffix is given). The units present on a system can be listed with systemctl list-units --type=service. /etc/systemd/system/ only holds unit files added or overridden locally; those shipped by packages live in /usr/lib/systemd/system/ (or /lib/systemd/system/ on older Debian-based systems).

    Show the journal daemon's own (systemd-journald) messages:

    $ sudo journalctl -u systemd-journald
    

    Show rsyslog's own messages:

    $ sudo journalctl -u rsyslog
    
    4. Filter by PID, UID or GID
    $ sudo journalctl _PID=8088
    $ sudo journalctl _UID=1000
    $ sudo journalctl _GID=102
    

    These FIELD=VALUE arguments are journal match expressions. Fields whose names start with an underscore are trusted fields that journald records from the sending process's socket credentials; the logging process cannot set them, which is what makes them reliable for attributing a message to a process or user.
    
    5. Filter by executable path
    $ sudo journalctl /usr/bin/bash
    $ sudo journalctl /usr/lib/systemd/systemd
    

    A path to an executable given as an argument is shorthand for the match _EXE=/path, another trusted field recorded by journald.

    6. Filter by syslog facility
    $ sudo journalctl SYSLOG_FACILITY=10
    

    The facility codes (as defined by RFC 5424 and Linux <syslog.h>) are:

    Code  Keyword   Description                                Notes
    0     kern      Kernel messages
    1     user      User-level messages
    2     mail      Mail system                                Archaic; POSIX still supports it and it is sometimes used (see mail(1))
    3     daemon    System daemons                             All daemons, including systemd and its subsystems
    4     auth      Security/authorization messages            See also facility 10
    5     syslog    Messages generated internally by syslogd   For syslogd implementations (not used by systemd, see facility 3)
    6     lpr       Line printer subsystem                     Archaic subsystem
    7     news      Network news subsystem                     Archaic subsystem
    8     uucp      UUCP subsystem                             Archaic subsystem
    9     cron      Clock daemon                               LOG_CRON in Linux <syslog.h>; cron daemons log here
    10    authpriv  Security/authorization messages            See also facility 4
    11    ftp       FTP daemon
    12    -         NTP subsystem
    13    -         Log audit
    14    -         Log alert
    15    -         Scheduling daemon                          Solaris cron; not the facility used by Linux cron
    16    local0    Local use 0
    17    local1    Local use 1
    18    local2    Local use 2
    19    local3    Local use 3
    20    local4    Local use 4
    21    local5    Local use 5
    22    local6    Local use 6
    23    local7    Local use 7

    On Linux, interactive authentication (sshd, sudo, PAM) is logged under auth (4) or authpriv (10), so SYSLOG_FACILITY=4 and SYSLOG_FACILITY=10 are the first matches to try when investigating logins.

    7. Filter by priority
    $ sudo journalctl -p err
    

    The priorities, from most to least severe, are: emerg, alert, crit, err, warning, notice, info, debug (numeric 0 to 7). A single value selects that priority and everything more severe, so -p err shows emerg, alert, crit and err; a range such as -p warning..err selects only the levels within it.

    8. Output format

    Print everything without a pager:

    $ sudo journalctl --no-pager
    

    Choose the output format:

    $ sudo journalctl -b -u docker -o json
    

    Commonly used formats are:

    • cat: Displays only the message field itself.
    • export: A binary serialisation suitable for transferring or backing up journal data.
    • json: Standard JSON with one entry per line.
    • json-pretty: JSON formatted for better human readability.
    • json-sse: JSON output wrapped so that it is compatible with server-sent events.
    • short: The default syslog-style output.
    • short-iso: The default format with ISO 8601 wall-clock timestamps.
    • short-monotonic: The default format with monotonic timestamps.
    • short-precise: The default format with microsecond-precision timestamps.
    • verbose: Shows every journal field available for the entry, including those usually hidden internally.

    The json format is particularly useful: the unit name, executable path and facility that the filters above match on can all be read directly from the JSON fields. For example:

    $ sudo journalctl -u docker.service -n 1 -o json-pretty
    {
            "__CURSOR" : "s=4e0c207c0bdc4a94b40f7334c31b266e;i=9afc3;b=d81e4e0ff04c4b20a0808c387c164b29;m=1609a889e5;t=5a36f387ffeff;x=50ff018ae5e983c2",
            "__REALTIME_TIMESTAMP" : "1587072968163071",
            "__MONOTONIC_TIMESTAMP" : "94651320805",
            "_BOOT_ID" : "d81e4e0ff04c4b20a0808c387c164b29",
            "_UID" : "0",
            "_GID" : "0",
            "_CAP_EFFECTIVE" : "3fffffffff",
            "_SYSTEMD_SLICE" : "system.slice",
            "_MACHINE_ID" : "28e03ba83cee410dacc7a88d75f7321a",
            "_HOSTNAME" : "<hostname>",
            "_TRANSPORT" : "syslog",
            "PRIORITY" : "3",
            "SYSLOG_FACILITY" : "22",
            "SYSLOG_IDENTIFIER" : "nginx",
            "SYSLOG_PID" : "2838",
            "_PID" : "2838",
            "_COMM" : "dockerd",
            "_EXE" : "/usr/bin/dockerd",
            "_CMDLINE" : "/usr/bin/dockerd -H tcp://0.0.0.0:2376 -H unix://var/run/docker.sock --no-new-privileges=true --tlsverify --tlscacert=/etc/docker/ssl/rootCA.crt --tlscert=/etc/docker/ssl/doma
            "_SYSTEMD_CGROUP" : "/system.slice/docker.service",
            "_SYSTEMD_UNIT" : "docker.service",
            "MESSAGE" : "<...>",
            "_SOURCE_REALTIME_TIMESTAMP" : "1587072968159167"
    }
    

    This is a message from an nginx container that was passed through the docker daemon; every attribute of the entry is visible, which makes the filters above easier to understand. Note the difference between the two kinds of fields: those starting with an underscore (_PID, _UID, _EXE, _COMM, _SYSTEMD_UNIT and so on) are recorded by journald from the sender's credentials and cannot be set by the logging process, while SYSLOG_IDENTIFIER, SYSLOG_PID and MESSAGE come from the message itself. Here the identifier claims nginx, but _COMM and _EXE show that dockerd actually wrote the entry, so when attributing a suspicious message, trust the underscore fields over the syslog ones.


          Original link: https://www.haomeiwen.com/subject/cajsvhtx.html