journalctl工具是在centos7之后出现的工具。
在Systemd出现之前,Linux系统及各应用的日志都是分别管理的,Systemd开始统一管理了所有Unit的启动日志,这样带来的好处就是可以只用一个 journalctl命令,查看所有日志(内核日志和 应用日志)。
日志的配置文件`/etc/systemd/journald.conf`
参数:
-b 查看本次启动的所有日志 或者什么也不加,journalctl
[root@vrgv ~]# journalctl -b
-- Logs begin at Thu 2021-02-18 10:37:48 CST, end at Mon 2021-03-01 12:46:08 CST. --
Feb 18 10:37:48 vrgv systemd-journal[197]: Runtime journal is using 8.0M (max allowed 799.4M, trying to leave 1.1G free
Feb 18 10:37:48 vrgv kernel: Linux version 5.4.91-1.el7.elrepo.x86_64 (mockbuild@Build64R7) (gcc version 9.3.1 20200408
Feb 18 10:37:48 vrgv kernel: Command line: BOOT_IMAGE=/vmlinuz-5.4.91-1.el7.elrepo.x86_64 root=/dev/mapper/centos-root
Feb 18 10:37:48 vrgv kernel: Disabled fast string operations
Feb 18 10:37:48 vrgv kernel: x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'
Feb 18 10:37:48 vrgv kernel: x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers'
-k 查看内核日志
[root@vrgv ~]# journalctl -k
-- Logs begin at Thu 2021-02-18 10:37:48 CST, end at Mon 2021-03-01 12:46:08 CST. --
Feb 18 10:37:48 vrgv kernel: Linux version 5.4.91-1.el7.elrepo.x86_64 (mockbuild@Build64R7) (gcc version 9.3.1 20200408
Feb 18 10:37:48 vrgv kernel: Command line: BOOT_IMAGE=/vmlinuz-5.4.91-1.el7.elrepo.x86_64 root=/dev/mapper/centos-root
Feb 18 10:37:48 vrgv kernel: Disabled fast string operations
Feb 18 10:37:48 vrgv kernel: x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'
Feb 18 10:37:48 vrgv kernel: x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers'
Feb 18 10:37:48 vrgv kernel: x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers'
-u 根据类型查询,如查看docker服务日志journalctl -u docker
[root@vrgv ~]# journalctl -u docker.service
-- Logs begin at Thu 2021-02-18 10:37:48 CST, end at Mon 2021-03-01 12:46:08 CST. --
Feb 18 10:37:59 vrgv systemd[1]: Starting Docker Application Container Engine...
Feb 18 10:37:59 vrgv dockerd[10179]: time="2021-02-18T10:37:59.798907622+08:00" level=info msg="libcontainerd: started
Feb 18 10:37:59 vrgv dockerd[10179]: time="2021-02-18T10:37:59.801937970+08:00" level=info msg="parsed scheme: \"unix\"
Feb 18 10:37:59 vrgv dockerd[10179]: time="2021-02-18T10:37:59.802051497+08:00" level=info msg="scheme \"unix\" not reg
Feb 18 10:37:59 vrgv dockerd[10179]: time="2021-02-18T10:37:59.806551815+08:00" level=info msg="ccResolverWrapper: send
Feb 18 10:37:59 vrgv dockerd[10179]: time="2021-02-18T10:37:59.806638857+08:00" level=info msg="ClientConn switching ba
Feb 18 10:37:59 vrgv dockerd[10179]: time="2021-02-18T10:37:59.808453873+08:00" l
--since "2017-01-10" --until "2017-01-11 03:00" 查看2017.1.10到2017.1.11 3点的日志,也可简写成-S和-U
[root@vrgv ~]# journalctl -S "2021-03-01 11:00" -U "2021-03-01 12:00"
-- Logs begin at Thu 2021-02-18 10:37:48 CST, end at Mon 2021-03-01 12:46:08 CST. --
Mar 01 11:00:13 vrgv systemd[1]: Starting Cleanup of Temporary Directories...
Mar 01 11:00:13 vrgv systemd[1]: Started Cleanup of Temporary Directories.
Mar 01 11:01:01 vrgv systemd[1]: Started Session 307 of user root.
Mar 01 11:01:01 vrgv CROND[129463]: (root) CMD (run-parts /etc/cron.hourly)
Mar 01 11:01:01 vrgv run-parts(/etc/cron.hourly)[129466]: starting 0anacron
_UID 查看某个用户的日志,如查看postgres用户日志journalctl _UID=1000 (1000是根据命令id -u postgres得到的)
[root@vrgv ~]# id -u postgres
1000
[root@vrgv ~]# journalctl _UID=1000
-- Logs begin at Thu 2021-02-18 10:37:48 CST, end at Mon 2021-03-01 12:46:08 CST. --
Feb 18 10:37:59 vrgv pg_ctl[10180]: 2021-02-17 21:37:59.254 EST [10206] LOG: listening on IPv4 address "0.0.0.0", port
Feb 18 10:37:59 vrgv pg_ctl[10180]: 2021-02-17 21:37:59.254 EST [10206] LOG: listening on IPv6 address "::", port 5432
Feb 18 10:37:59 vrgv pg_ctl[10180]: 2021-02-17 21:37:59.264 EST [10206] LOG: listening on Unix socket "/tmp/.s.PGSQL.5
Feb 18 10:38:00 vrgv pg_ctl[10180]: 2021-02-17 21:38:00.083 EST [10206] LOG: redirecting log output to l
-p 显示特定优先级的信息,从而过滤掉优先级较低的信息
0: emerg 紧急
1: alert 警惕
2: crit 警示
3: err 错误
4: warning 警告
5: notice 注意,通告
6: info 信息
7: debug 调试
[root@vrgv ~]# journalctl -p 3 -b
-- Logs begin at Thu 2021-02-18 10:37:48 CST, end at Mon 2021-03-01 12:46:08 CST. --
Feb 18 10:37:50 vrgv kernel: sd 2:0:0:0: [sda] Assuming drive cache: write through
Feb 18 10:37:50 vrgv kernel: sd 2:0:1:0: [sdb] Assuming drive cache: write through
Feb 18 10:37:50 vrgv kernel: sd 2:0:2:0: [sdc] Assuming drive cache: write through
Feb 18 10:37:51 vrgv systemd-udevd[5107]: unknown key 'PHYSDEVBUS' in /etc/udev/rules.d/80-hasp.rules:9
Feb 18 10:37:51 vrgv systemd-udevd[5107]: invalid rule '/etc/udev/rules.d/80-hasp.rules:9'
Feb 18 10:37:51 vrgv systemd-udevd[5107]: unknown key 'PHYSDEVBUS' in /etc/udev/rules.d/80-hasp.rules:10
Feb 18 10:37:51 vrgv systemd-udevd[5107]: invalid rule '/etc/udev/rules.d/80-hasp.rules:10'
Feb 18 10:37:52 vrgv kernel: piix4_smbus 0000:00:07.3: SMBus Host Controller not enabled!
-a 与-p相反,-a代表全部显示
[root@vrgv ~]# journalctl -a
-- Logs begin at Thu 2021-02-18 10:37:48 CST, end at Mon 2021-03-01 13:01:01 CST. --
Feb 18 10:37:48 vrgv systemd-journal[197]: Runtime journal is using 8.0M (max allowed 799.4M, trying to leave 1.1G free
Feb 18 10:37:48 vrgv kernel: Linux version 5.4.91-1.el7.elrepo.x86_64 (mockbuild@Build64R7) (gcc version 9.3.1 20200408
Feb 18 10:37:48 vrgv kernel: Command line: BOOT_IMAGE=/vmlinuz-5.4.91-1.el7.elrepo.x86_64 root=/dev/mapper/centos-root
Feb 18 10:37:48 vrgv kernel: Disabled fast string operations
Feb 18 10:37:48 vrgv kernel: x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'
Feb 18 10:37:48 vrgv kernel: x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers'
Feb 18 10:37:48 vrgv kernel: x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers'
-o 指定日志输出格式,最为常见的格式:-o json-pretty
cat: 只显示信息字段本身。
export: 适合传输或备份的二进制格式。
json: 标准JSON,每行一个条目。
json-pretty: JSON格式,适合人类阅读习惯。
json-sse: JSON格式,经过打包以兼容server-sent事件。
short: 默认syslog类输出格式。
short-iso: 默认格式,强调显示ISO 8601挂钟时间戳。
short-monotonic: 默认格式,提供普通时间戳。
short-precise: 默认格式,提供微秒级精度。
verbose: 显示该条目的全部可用journal字段,包括通常被内部隐藏的字段。
[root@vrgv ~]# journalctl -o json-pretty -b
{
"__CURSOR" : "s=fb03d2b00f8e4804ae90d1272f9ac3f2;i=1;b=66afbb5671e04f30b082eed2c2ff5402;m=23a7fc;t=5bb9338a8743e;x=acbe13f9
"__REALTIME_TIMESTAMP" : "1613615868703806",
"__MONOTONIC_TIMESTAMP" : "2336764",
"_BOOT_ID" : "66afbb5671e04f30b082eed2c2ff5402",
"PRIORITY" : "6",
"_TRANSPORT" : "driver",
"MESSAGE" : "Runtime journal is using 8.0M (max allowed 799.4M, trying to leave 1.1G free of 7.7G available \uffffffe2\ufff
"MESSAGE_ID" : "ec387f577b844b8fa948f33cad9a75e6",
"_PID" : "197",
"_UID" : "0",
"_GID" : "0",
"_COMM" : "systemd-journal",
"_EXE" : "/usr/lib/systemd/systemd-journald",
"_CMDLINE" : "/usr/lib/systemd/systemd-journald",
"_CAP_EFFECTIVE" : "25402800cf",
"_SYSTEMD_CGROUP" : "/system.slice/systemd-journald.service",
"_SYSTEMD_UNIT" : "systemd-journald.service",
"_SYSTEMD_SLICE" : "system.slice",
"_MACHINE_ID" : "92dcecad2935477796367be725a6735b",
"_HOSTNAME" : "vrgv"
}
-f 持续实时输入日志
[root@vrgv ~]# journalctl -fu docker.service
-- Logs begin at Thu 2021-02-18 10:37:48 CST. --
Feb 18 10:38:00 vrgv dockerd[10179]: time="2021-02-18T10:38:00.241741884+08:00" level=info msg="Loading containers: start."
Feb 18 10:38:01 vrgv dockerd[10179]: time="2021-02-18T10:38:01.610646278+08:00" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address"
Feb 18 10:38:02 vrgv dockerd[10179]: time="2021-02-18T10:38:02.143827293+08:00" level=info msg="Loading containers: done."
Feb 18 10:38:02 vrgv dockerd[10179]: time="2021-02-18T10:38:02.250503801+08:00" level=info msg="Docker daemon" commit=481bc77 graphdriver(s)=overlay2 version=18.09.6
Feb 18 10:38:02 vrgv dockerd[10179]: time="2021-02-18T10:38:02.250847585+08:00" level=info msg="Daemon has completed initialization"
Feb 18 10:38:02 vrgv dockerd[10179]: time="2021-02-18T10:38:02.277582884+08:00" level=info msg="API listen on /var/run/docker.sock"
Feb 18 10:38:02 vrgv systemd[1]: Started Docker Application Container Engine.
另外几种查看信息的
查看日志占用磁盘空间大小
[root@k8s-node1 ~]# journalctl --disk-usage
Archived and active journals take up 87.6M on disk.
设置日志占用磁盘空间
[root@k8s-node1 ~]# journalctl --vacuum-size=500M
Vacuuming done, freed 0B of archived journals on disk.
设置日志最长保留时间
month/years
[root@k8s-node1 ~]# journalctl --vacuum-time=1month
Vacuuming done, freed 0B of archived journals on disk.
最后看一下配置文件
[root@k8s-node1 ~]# vim /etc/systemd/journald.conf
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
#
# Entries in this file show the compile time defaults.
# You can change settings by editing this file.
# Defaults can be restored by simply deleting this file.
#
# See journald.conf(5) for details.
[Journal]
#Storage=auto
#Compress=yes
#Seal=yes
#SplitMode=uid
#SyncIntervalSec=5m
#RateLimitInterval=30s
#RateLimitBurst=1000
#SystemMaxUse=
#SystemKeepFree=
#SystemMaxFileSize=
#RuntimeMaxUse=
#RuntimeKeepFree=
#RuntimeMaxFileSize=
#MaxRetentionSec=
#MaxFileSec=1month
#ForwardToSyslog=yes
#ForwardToKMsg=no
#ForwardToConsole=no
#ForwardToWall=yes
#TTYPath=/dev/console
#MaxLevelStore=debug
#MaxLevelSyslog=debug
#MaxLevelKMsg=notice
#MaxLevelConsole=info
#MaxLevelWall=emerg
#LineMax=48K