Linux log management system: rsyslog


  1. What a log is

  What is a log? A log is a record of historical events. An event has a time, a place, a who and a what; that is the everyday sense of the word and it is easy to grasp. Linux has a service that does the same job: it records the system's history, noting at what time which service or process (with its PID) did what. By reading those records we can reconstruct what happened on the system over a given period, which is what makes logs indispensable for troubleshooting and for investigating incidents.

  Every log event in Linux carries a severity level that expresses how critical it is. Some events are mere warnings: they draw our attention and can be dealt with later, or not at all. Others are urgent: they are not just informational, and an event of that kind in one second may mean the system is down the next. On CentOS 5 and earlier the logging system was called syslog (the sysklogd package) and consisted of two daemons: syslogd, which recorded application messages, and klogd, which recorded the Linux kernel's messages. A logged event normally has the format: date time  host  process[pid]: message. The logging system is not limited to recording local events; it can also forward messages to another host over TCP or UDP, so one machine can keep the logs of others. A host that takes that role is called a log server, and from a security standpoint it is the important case: a copy of the logs on a separate, hardened host survives an attacker deleting the local ones.

  2. Introduction to rsyslog

  On CentOS 6 and CentOS 7, rsyslog has the following features:

  1) multi-threaded (the original syslogd was single-threaded)

  2) supports UDP, TCP, SSL/TLS and RELP as transports

  3) can write logs over the network into MySQL, PostgreSQL, Oracle and other databases

  4) a powerful filter engine that can match on any part of a log message

  5) customisable log output formats

  Important rsyslog terminology

  facility: classifies messages by the subsystem or program that produced them. The common facilities on Linux are auth (authentication), authpriv (privileged authentication messages such as those of sshd and su), cron (scheduled jobs), daemon (system services), ftp (the FTP service), kern (the kernel), lpr (printing), mail (the mail system), news (Usenet news), security (an old synonym for auth), user (ordinary user processes; the default when a program does not choose one), uucp (Unix-to-Unix copy), and local0 to local7 (reserved for local, site-defined use).

  priority: the severity level, from lowest to highest: debug, info (informational), notice, warning (warn), err (error), crit (critical), alert (action must be taken immediately), emerg (panic: the system is unusable).

  Program environment:

    package: rsyslog

    main program: /usr/sbin/rsyslogd

    main configuration files: /etc/rsyslog.conf, /etc/rsyslog.d/*.conf

    library files: /lib64/rsyslog/*.so (on CentOS 7 this is /usr/lib64/rsyslog, to which /lib64 is a symlink)

    service control:

      CentOS 6: service rsyslog {start|stop|restart|status}

      CentOS 7: /usr/lib/systemd/system/rsyslog.service (systemctl {start|stop|restart|status} rsyslog)

    Configuration file layout: three parts

      MODULES: module configuration

      GLOBAL DIRECTIVES: global settings

      RULES: the rules that decide where log messages are recorded

    RULES format: facility.priority;facility.priority;...  target

      facility:

        *: all facilities

        facility1,facility2,facility3,...: the listed facilities

      priority:

        *: all levels

        none: no level at all (used to carve an exception out of an earlier selector on the same line, e.g. authpriv.none after *.info)

        priority: this level and every level above it

        =priority: exactly this level

      target:

        file path: usually under /var/log; a "-" in front of the path tells rsyslog not to sync the file after every write (faster, but the last messages can be lost if the machine crashes)

        user: deliver the event to the named user by writing it to every terminal that user is logged in on; * means all logged-in users (the modern spelling is :omusrmsg:user, which is what rsyslog asks for in the warning shown in the journalctl output later on)

        log server: @host forwards the message to a remote log server over UDP, @@host over TCP; host is the server's address, and the server listens on port 514 (UDP or TCP) by default. Plain UDP/TCP syslog is neither authenticated nor encrypted, so across an untrusted network use TLS or RELP

        pipe: |command, hands the message to another command for processing
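To make the selector semantics concrete, here is an added example (not part of the original article, and not rsyslog's own code) that implements the matching rules described above in Python: it parses rule lines in the same facility.priority;... target form and reports which targets a message of a given facility and priority would reach. The rule set embedded in it is constructed, modelled on the CentOS 7 default file plus a local3 rule; Rule, targets_for and load_rules are this example's own names.

```python
"""Evaluate rsyslog-style selectors: facility.priority;facility.priority;...  target.

Added example, not rsyslog's code. The rule set and lookups are constructed to
show which rule(s) a message hits before you restart the daemon.
"""
import re

# Severity from least to most urgent. (The numeric syslog codes run the other
# way, emerg = 0 ... debug = 7; only the ordering matters for "this level and up".)
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
PRIORITY_ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + ["local%d" % i for i in range(8)]
FACILITY_ALIASES = {"security": "auth"}   # 'security' is the deprecated name for auth


def _prio_rank(name):
    name = PRIORITY_ALIASES.get(name, name)
    if name not in PRIORITIES:
        raise ValueError("unknown priority: %s" % name)
    return PRIORITIES.index(name)


def _facility(name):
    name = FACILITY_ALIASES.get(name, name)
    if name not in FACILITIES:
        raise ValueError("unknown facility: %s" % name)
    return name


class Rule:
    """One rule line, e.g. '*.info;mail.none;authpriv.none  /var/log/messages'."""

    def __init__(self, line):
        selectors, self.target = re.split(r"\s+", line.strip(), maxsplit=1)
        # Per facility: ("min", rank) = that level and above, ("eq", rank) = exactly
        # that level, None = nothing. Later selectors override earlier ones, which
        # is what lets 'mail.none' carve an exception out of '*.info'.
        self.accept = {}
        for sel in selectors.split(";"):
            facs, prio = sel.rsplit(".", 1)
            fac_list = FACILITIES if facs == "*" else [_facility(f) for f in facs.split(",")]
            if prio == "none":
                spec = None
            elif prio == "*":
                spec = ("min", 0)
            elif prio.startswith("="):
                spec = ("eq", _prio_rank(prio[1:]))
            else:
                spec = ("min", _prio_rank(prio))
            for f in fac_list:
                self.accept[f] = spec

    def matches(self, facility, priority):
        spec = self.accept.get(_facility(facility))
        if spec is None:
            return False
        kind, rank = spec
        r = _prio_rank(priority)
        return r == rank if kind == "eq" else r >= rank


def targets_for(rules, facility, priority):
    """Targets, in config order, that a message would be written to.

    Every matching rule fires (there is no 'stop' action here), which is exactly
    why one message can land in several files at once.
    """
    return [r.target for r in rules if r.matches(facility, priority)]


# Constructed rule set modelled on the CentOS 7 default plus the sshd -> local3
# rule added later in this article.
SAMPLE_CONF = """
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
local3.*                                                /var/log/sshd.log
"""


def load_rules(text):
    return [Rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]


if __name__ == "__main__":
    rules = load_rules(SAMPLE_CONF)
    for fac, prio in [("authpriv", "info"), ("local3", "info"), ("mail", "debug"),
                      ("kern", "emerg"), ("news", "err")]:
        print("%s.%s -> %s" % (fac, prio, targets_for(rules, fac, prio)))
```

The local3.info case shows a point that is easy to miss: because *.info excludes only mail, authpriv and cron, a local3 message is written to both /var/log/messages and the local3 file. To check a real configuration without restarting anything, rsyslogd -N1 parses /etc/rsyslog.conf and reports syntax problems.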

    Other logs:

      /var/log/wtmp: successful logins on this system; a binary file, read it with the last command

      /var/log/btmp: failed login attempts on this system; a binary file, read it with the lastb command

      /var/log/dmesg: messages from the boot process; the dmesg command shows the kernel ring buffer as well

      lastlog: shows the most recent login of every user on the system

  3. Experiment: split sshd's log out into /var/log/sshd.log

  sshd is the service used to log in to Linux remotely; it listens on port 22 by default. Normally its messages are recorded in /var/log/secure. Before, we did not know why they went to that particular file; having learned how rsyslog works, we can now explain it.

  First, look at sshd's configuration file:

[root@test ~]#grep "log" /etc/ssh/sshd_config
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
[root@test ~]#

  Note: sshd's configuration explicitly sets SyslogFacility AUTHPRIV, and from the overview above we know that authpriv is one of rsyslog's facilities. Next, look at rsyslog's configuration:

[root@test ~]#grep "authpriv" /etc/rsyslog.conf
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
[root@test ~]#

  Note: put together with the rsyslog background above, this output makes it obvious why sshd's log ends up in /var/log/secure: rsyslog's configuration says that messages from the authpriv facility at any level are written to /var/log/secure. The comment above the rule points out that this file has restricted access, for good reason: authentication messages contain usernames and, when someone types a password into the login prompt by mistake, the password itself.

  Change sshd's configuration so that it logs to the custom facility local3:

[root@test ~]#grep "log" /etc/ssh/sshd_config
#SyslogFacility AUTH
#SyslogFacility AUTHPRIV
SyslogFacility local3
[root@test ~]#

  In the rsyslog configuration, direct local3 messages of any level to /var/log/sshd.log:

[root@test ~]#grep "local" /etc/rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
local7.*                                                /var/log/boot.log
local3.*                                                /var/log/sshd.log
[root@test ~]#

  Restart rsyslogd and sshd:

[root@test ~]#systemctl restart rsyslog sshd

  Check /var/log/sshd.log:

[root@test ~]#ll /var/log/sshd.log
-rw-------. 1 root root 207 12月 24 19:23 /var/log/sshd.log
[root@test ~]#cat /var/log/sshd.log
Dec 24 19:23:33 test sshd[4532]: Received signal 15; terminating.
Dec 24 19:23:33 test sshd[4575]: Server listening on 0.0.0.0 port 41319.
Dec 24 19:23:33 test sshd[4575]: Server listening on :: port 41319.
[root@test ~]#

  Note: rsyslog can only manage an application's logs if the application emits them through the syslog interface (the syslog(3) call, i.e. the /dev/log socket). A program that writes its own log files bypasses rsyslog entirely; such files have to be picked up with the imfile input module instead. Two caveats on this setup. First, the *.info rule that feeds /var/log/messages excludes authpriv but not local3, so after the change sshd messages at info and above are also copied into /var/log/messages; add local3.none to that line if you want them only in sshd.log. Second, keep the permissions of /var/log/sshd.log as tight as those of /var/log/secure, since it now holds the same authentication data.
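As an added example (not from the original article), the following Python script parses the date/time/host/process[pid]/message line format that rsyslog writes into /var/log/secure or /var/log/sshd.log, and runs the two checks an analyst usually wants on those files: counting failed SSH passwords per source address and listing su-to-root events. The lines in SAMPLE_SECURE are constructed: the Accepted-password, su and signal lines copy the article's own output, while the Failed-password lines and the address 203.0.113.7 are made up to show a brute-force pattern; parse_line, analyse and the threshold are this example's own names.

```python
"""Parse syslog lines as written by rsyslog and flag the authentication events
a defender cares about. Added example, not from the original article."""
import re
from collections import Counter
from datetime import datetime

# date time host process[pid]: message  (the format described in section 1;
# BSD syslog lines carry no year, so the caller supplies one)
SYSLOG_LINE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
SU = re.compile(r"\(to (?P<target>\S+)\) (?P<user>\S+) on (?P<tty>\S+)")

# Constructed sample: the Accepted/su/signal lines copy the article's output; the
# Failed-password lines and 203.0.113.7 (a documentation address) are invented.
SAMPLE_SECURE = """\
Dec 24 13:16:24 test sshd[2635]: Accepted password for qiuhom from 192.168.0.232 port 2097 ssh2
Dec 24 13:16:25 test sshd[2635]: pam_unix(sshd:session): session opened for user qiuhom by (uid=0)
Dec 24 13:16:28 test su[2673]: (to root) qiuhom on pts/0
Dec 24 19:23:33 test sshd[4532]: Received signal 15; terminating.
Dec 24 19:30:01 test sshd[4601]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Dec 24 19:30:03 test sshd[4603]: Failed password for root from 203.0.113.7 port 51014 ssh2
Dec 24 19:30:05 test sshd[4605]: Failed password for root from 203.0.113.7 port 51016 ssh2
Dec 24 19:30:09 test sshd[4607]: Accepted password for root from 203.0.113.7 port 51020 ssh2
Dec 24 19:42:49 test qiuhom: this is test log
"""


def parse_line(line, year):
    """Split one syslog line into its fields; None if the line is not syslog-shaped."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%s %s %s %s" % (year, m["month"], m["day"], m["time"]),
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"],
            "pid": int(m["pid"]) if m["pid"] else None, "msg": m["msg"]}


def analyse(lines, year, threshold=3):
    """Return (failed logins per source IP, accepted logins, su events, and
    logins that succeeded from an IP with >= threshold earlier failures)."""
    failed = Counter()
    accepted, su_events, suspicious = [], [], []
    for line in lines:
        ev = parse_line(line, year)
        if ev is None:
            continue
        if ev["prog"] == "sshd":
            f = FAILED.search(ev["msg"])
            if f:
                failed[f["ip"]] += 1
                continue
            a = ACCEPTED.search(ev["msg"])
            if a:
                accepted.append((ev["ts"], a["user"], a["ip"], a["method"]))
                if failed[a["ip"]] >= threshold:   # success right after a burst of failures
                    suspicious.append((a["ip"], a["user"], failed[a["ip"]]))
        elif ev["prog"] == "su":
            s = SU.search(ev["msg"])
            if s:
                su_events.append((ev["ts"], s["user"], s["target"], s["tty"]))
    return failed, accepted, su_events, suspicious


if __name__ == "__main__":
    failed, accepted, su_events, suspicious = analyse(SAMPLE_SECURE.splitlines(), 2019)
    print("failed per IP:", dict(failed))
    print("su events:", su_events)
    print("suspicious logins:", suspicious)
```

On a real host the script would read /var/log/secure (or /var/log/sshd.log after the change above); note that it must run as root, since those files are mode 0600.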

  4. Small log-management tools

  logger: this small tool generates log messages; its main use is checking that the logging setup we configured really records them.

[root@test ~]#logger  --help

Usage:
 logger [options] [message]

Options:
 -T, --tcp             use TCP only
 -d, --udp             use UDP only
 -i, --id              log the process ID too
 -f, --file <file>     log the contents of this file
 -h, --help            display this help and exit
 -S, --size <num>      maximum size for a single message (default 1024)
 -n, --server <name>   write to this remote syslog server
 -P, --port <port>     use this port for UDP or TCP connection
 -p, --priority <prio> mark given message with this priority
 -s, --stderr          output message to standard error as well
 -t, --tag <tag>       mark every line with this tag
 -u, --socket <socket> write to this Unix socket
 -V, --version         output version information and exit

[root@test ~]#

  Send one message at level info to the local3 facility:

[root@test ~]#logger -p "local3.info" "this is test log" 
[root@test ~]#tail /var/log/sshd.log 
Dec 24 19:23:33 test sshd[4532]: Received signal 15; terminating.
Dec 24 19:23:33 test sshd[4575]: Server listening on 0.0.0.0 port 41319.
Dec 24 19:23:33 test sshd[4575]: Server listening on :: port 41319.
Dec 24 19:42:49 test qiuhom: this is test log
[root@test ~]#

  Note: with this tool we can easily test whether the logging system is recording as intended.

  Configure local4 so that messages of every level are displayed on the terminals of all logged-in users. The bare * target still works, but rsyslog warns at startup that it should be written :omusrmsg:* (the warning is visible in the journalctl output further down):

[root@test ~]#grep "local" /etc/rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
local7.*                                                /var/log/boot.log
local3.*                                                /var/log/sshd.log
local4.*                                                *
[root@test ~]#systemctl restart rsyslog
[root@test ~]#who 
root     tty1         2019-12-24 19:50
qiuhom   pts/0        2019-12-24 19:03 (192.168.0.232)
qiuhom   pts/1        2019-12-24 19:50 (192.168.0.232)
[root@test ~]#logger -p "local4.info" "this is test log"

Message from syslogd@test at Dec 24 19:53:02 ...
 qiuhom:this is test log
[root@test ~]#

  journalctl: the log-management tool of CentOS 7. systemd-journald collects the startup and runtime output of every unit in one place, so a single journalctl command can search all logs (kernel and application) together. Its configuration file is /etc/systemd/journald.conf.

  1) View all logs (by default CentOS 7 keeps the journal in /run/log/journal, so only the current boot's entries survive; create /var/log/journal, or set Storage=persistent in journald.conf, to keep it across reboots)

[root@test ~]#journalctl 
-- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 20:01:01 CST. --
12月 23 12:42:48 docker systemd-journal[105]: Runtime journal is using 8.0M (max allowed 91.3M, trying to leave 136.9
12月 23 12:42:48 docker kernel: Initializing cgroup subsys cpuset
12月 23 12:42:48 docker kernel: Initializing cgroup subsys cpu
12月 23 12:42:48 docker kernel: Initializing cgroup subsys cpuacct
12月 23 12:42:48 docker kernel: Linux version 3.10.0-957.27.2.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc ve
12月 23 12:42:48 docker kernel: Command line: BOOT_IMAGE=/vmlinuz-3.10.0-957.27.2.el7.x86_64 root=/dev/mapper/centos-
12月 23 12:42:48 docker kernel: Disabled fast string operations
12月 23 12:42:48 docker kernel: e820: Bios-provided physical RAM map:
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009ffff] usable
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000000a0000-0x00000000000fffff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x0000000000100000-0x000000007f045fff] usable
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f046000-0x000000007f0ccfff] ACPI NVS
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f0cd000-0x000000007f0cefff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f0cf000-0x000000007f0d6fff] ACPI data
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f0d7000-0x000000007f103fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f104000-0x000000007f104fff] usable
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f105000-0x000000007f105fff] ACPI NVS
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f106000-0x000000007f125fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f126000-0x000000007f130fff] ACPI NVS
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f131000-0x000000007f158fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f159000-0x000000007f19bfff] ACPI NVS
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f19c000-0x000000007f586fff] usable
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f587000-0x000000007f6e3fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f6e4000-0x000000007f6effff] usable
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f6f0000-0x000000007fffffff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000e0000000-0x00000000efffffff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fec00000-0x00000000fec00fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fed00000-0x00000000fed00fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fed1c000-0x00000000fed8ffff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fee00000-0x00000000fee00fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000ffe00000-0x00000000ffffffff] reserved
12月 23 12:42:48 docker kernel: NX (Execute Disable) protection: active
12月 23 12:42:48 docker kernel: e820: update [mem 0x0b91c018-0x0b92c057] usable ==> usable
12月 23 12:42:48 docker kernel: e820: update [mem 0x0b92d018-0x0b93d057] usable ==> usable
12月 23 12:42:48 docker kernel: extended physical RAM map:
12月 23 12:42:48 docker kernel: reserve setup_data: [mem 0x0000000000000000-0x000000000009ffff] usable
12月 23 12:42:48 docker kernel: reserve setup_data: [mem 0x00000000000a0000-0x00000000000fffff] reserved
12月 23 12:42:48 docker kernel: reserve setup_data: [mem 0x0000000000100000-0x000000000b91c017] usable
lines 1-39

  2) View kernel messages only (application logs are not shown)

[root@test ~]#journalctl -k
-- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 20:01:01 CST. --
12月 23 12:42:48 docker kernel: Initializing cgroup subsys cpuset
12月 23 12:42:48 docker kernel: Initializing cgroup subsys cpu
12月 23 12:42:48 docker kernel: Initializing cgroup subsys cpuacct
12月 23 12:42:48 docker kernel: Linux version 3.10.0-957.27.2.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc ve
12月 23 12:42:48 docker kernel: Command line: BOOT_IMAGE=/vmlinuz-3.10.0-957.27.2.el7.x86_64 root=/dev/mapper/centos-
12月 23 12:42:48 docker kernel: Disabled fast string operations
12月 23 12:42:48 docker kernel: e820: BIOS-provided physical RAM map:
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009ffff] usable
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000000a0000-0x00000000000fffff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x0000000000100000-0x000000007f045fff] usable
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f046000-0x000000007f0ccfff] ACPI NVS
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f0cd000-0x000000007f0cefff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f0cf000-0x000000007f0d6fff] ACPI data
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f0d7000-0x000000007f103fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f104000-0x000000007f104fff] usable
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f105000-0x000000007f105fff] ACPI NVS
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f106000-0x000000007f125fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f126000-0x000000007f130fff] ACPI NVS
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f131000-0x000000007f158fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f159000-0x000000007f19bfff] ACPI NVS
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f19c000-0x000000007f586fff] usable
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f587000-0x000000007f6e3fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f6e4000-0x000000007f6effff] usable
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f6f0000-0x000000007fffffff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000e0000000-0x00000000efffffff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fec00000-0x00000000fec00fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fed00000-0x00000000fed00fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fed1c000-0x00000000fed8ffff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fee00000-0x00000000fee00fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000ffe00000-0x00000000ffffffff] reserved
12月 23 12:42:48 docker kernel: NX (Execute Disable) protection: active
12月 23 12:42:48 docker kernel: e820: update [mem 0x0b91c018-0x0b92c057] usable ==> usable
12月 23 12:42:48 docker kernel: e820: update [mem 0x0b92d018-0x0b93d057] usable ==> usable
12月 23 12:42:48 docker kernel: extended physical RAM map:
12月 23 12:42:48 docker kernel: reserve setup_data: [mem 0x0000000000000000-0x000000000009ffff] usable
12月 23 12:42:48 docker kernel: reserve setup_data: [mem 0x00000000000a0000-0x00000000000fffff] reserved
12月 23 12:42:48 docker kernel: reserve setup_data: [mem 0x0000000000100000-0x000000000b91c017] usable
12月 23 12:42:48 docker kernel: reserve setup_data: [mem 0x000000000b91c018-0x000000000b92c057] usable
lines 1-39

  3) View the logs of the current boot

[root@test ~]#journalctl -b 0
-- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 20:01:01 CST. --
12月 23 12:42:48 docker systemd-journal[105]: Runtime journal is using 8.0M (max allowed 91.3M, trying to leave 136.9
12月 23 12:42:48 docker kernel: Initializing cgroup subsys cpuset
12月 23 12:42:48 docker kernel: Initializing cgroup subsys cpu
12月 23 12:42:48 docker kernel: Initializing cgroup subsys cpuacct
12月 23 12:42:48 docker kernel: Linux version 3.10.0-957.27.2.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc ve
12月 23 12:42:48 docker kernel: Command line: BOOT_IMAGE=/vmlinuz-3.10.0-957.27.2.el7.x86_64 root=/dev/mapper/centos-
12月 23 12:42:48 docker kernel: Disabled fast string operations
12月 23 12:42:48 docker kernel: e820: BIOS-provided physical RAM map:
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009ffff] usable
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000000a0000-0x00000000000fffff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x0000000000100000-0x000000007f045fff] usable
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f046000-0x000000007f0ccfff] ACPI NVS
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f0cd000-0x000000007f0cefff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f0cf000-0x000000007f0d6fff] ACPI data
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f0d7000-0x000000007f103fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f104000-0x000000007f104fff] usable
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f105000-0x000000007f105fff] ACPI NVS
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f106000-0x000000007f125fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f126000-0x000000007f130fff] ACPI NVS
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f131000-0x000000007f158fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f159000-0x000000007f19bfff] ACPI NVS
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f19c000-0x000000007f586fff] usable
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f587000-0x000000007f6e3fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f6e4000-0x000000007f6effff] usable
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f6f0000-0x000000007fffffff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000e0000000-0x00000000efffffff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fec00000-0x00000000fec00fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fed00000-0x00000000fed00fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fed1c000-0x00000000fed8ffff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fee00000-0x00000000fee00fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000ffe00000-0x00000000ffffffff] reserved
12月 23 12:42:48 docker kernel: NX (Execute Disable) protection: active
12月 23 12:42:48 docker kernel: e820: update [mem 0x0b91c018-0x0b92c057] usable ==> usable
12月 23 12:42:48 docker kernel: e820: update [mem 0x0b92d018-0x0b93d057] usable ==> usable
12月 23 12:42:48 docker kernel: extended physical RAM map:
12月 23 12:42:48 docker kernel: reserve setup_data: [mem 0x0000000000000000-0x000000000009ffff] usable
12月 23 12:42:48 docker kernel: reserve setup_data: [mem 0x00000000000a0000-0x00000000000fffff] reserved
12月 23 12:42:48 docker kernel: reserve setup_data: [mem 0x0000000000100000-0x000000000b91c017] usable
lines 1-39

  4) View the logs of a given time range

journalctl --since="2017-10-30 18:10:30"
journalctl --since "20 min ago"
journalctl --since yesterday
journalctl --since "2017-01-10" --until "2017-01-11 03:00"
journalctl --since 09:00 --until "1 hour ago"
[root@test ~]#journalctl --since 09:00 --until "1 hour ago"
-- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 20:01:01 CST. --
12月 24 09:01:01 test systemd[1]: Created slice User Slice of root.
12月 24 09:01:01 test systemd[1]: Started Session 22 of user root.
12月 24 09:01:01 test CROND[2543]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 09:01:01 test run-parts(/etc/cron.hourly)[2546]: starting 0anacron
12月 24 09:01:01 test run-parts(/etc/cron.hourly)[2552]: finished 0anacron
12月 24 09:01:02 test systemd[1]: Removed slice User Slice of root.
12月 24 10:01:01 test systemd[1]: Created slice User Slice of root.
12月 24 10:01:01 test systemd[1]: Started Session 23 of user root.
12月 24 10:01:01 test CROND[2561]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 10:01:01 test run-parts(/etc/cron.hourly)[2564]: starting 0anacron
12月 24 10:01:01 test run-parts(/etc/cron.hourly)[2570]: finished 0anacron
12月 24 10:01:01 test systemd[1]: Removed slice User Slice of root.
12月 24 11:01:01 test systemd[1]: Created slice User Slice of root.
12月 24 11:01:01 test systemd[1]: Started Session 24 of user root.
12月 24 11:01:01 test CROND[2579]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 11:01:01 test run-parts(/etc/cron.hourly)[2582]: starting 0anacron
12月 24 11:01:01 test run-parts(/etc/cron.hourly)[2588]: finished 0anacron
12月 24 11:01:01 test systemd[1]: Removed slice User Slice of root.
12月 24 12:01:01 test systemd[1]: Created slice User Slice of root.
12月 24 12:01:01 test systemd[1]: Started Session 25 of user root.
12月 24 12:01:01 test CROND[2597]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 12:01:01 test run-parts(/etc/cron.hourly)[2600]: starting 0anacron
12月 24 12:01:01 test run-parts(/etc/cron.hourly)[2606]: finished 0anacron
12月 24 12:01:01 test systemd[1]: Removed slice User Slice of root.
12月 24 12:58:31 test systemd[1]: Starting Cleanup of Temporary Directories...
12月 24 12:58:32 test systemd[1]: Started Cleanup of Temporary Directories.
12月 24 13:01:01 test systemd[1]: Created slice User Slice of root.
12月 24 13:01:01 test systemd[1]: Started Session 26 of user root.
12月 24 13:01:01 test CROND[2619]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 13:01:01 test run-parts(/etc/cron.hourly)[2622]: starting 0anacron
12月 24 13:01:01 test run-parts(/etc/cron.hourly)[2628]: finished 0anacron
12月 24 13:01:01 test systemd[1]: Removed slice User Slice of root.
12月 24 13:16:24 test sshd[2635]: Accepted password for qiuhom from 192.168.0.232 port 2097 ssh2
12月 24 13:16:25 test systemd[1]: Created slice User Slice of qiuhom.
12月 24 13:16:25 test systemd-logind[773]: New session 27 of user qiuhom.
12月 24 13:16:25 test systemd[1]: Started Session 27 of user qiuhom.
12月 24 13:16:25 test sshd[2635]: pam_unix(sshd:session): session opened for user qiuhom by (uid=0)
12月 24 13:16:28 test su[2673]: (to root) qiuhom on pts/0
lines 1-39

  Note: the journal can only show what it has retained; a --since earlier than the oldest entry simply starts at the beginning of the journal.

  5) Show the newest entries; the default is the last 10 lines

[root@test ~]#journalctl -n
-- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 20:01:01 CST. --
12月 24 19:52:16 test rsyslogd[6118]: error during parsing file /etc/rsyslog.conf, on or before line 75: warnings occ
12月 24 19:52:16 test polkitd[752]: Unregistered Authentication Agent for unix-process:6111:11217058 (system bus name
12月 24 19:53:02 test qiuhom[6222]: this is test log
12月 24 19:53:47 test su[6256]: (to root) qiuhom on pts/1
12月 24 19:53:47 test su[6256]: pam_unix(su-l:session): session opened for user root by qiuhom(uid=1000)
12月 24 19:53:54 test qiuhom[6466]: this is test log
12月 24 20:01:01 test systemd[1]: Started Session 37 of user root.
12月 24 20:01:01 test CROND[6791]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 20:01:01 test run-parts(/etc/cron.hourly)[6794]: starting 0anacron
12月 24 20:01:01 test run-parts(/etc/cron.hourly)[6800]: finished 0anacron
[root@test ~]#journalctl -n 15
-- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 20:01:01 CST. --
12月 24 19:52:16 test systemd[1]: Stopped System Logging Service.
12月 24 19:52:16 test systemd[1]: Starting System Logging Service...
12月 24 19:52:16 test rsyslogd[6118]:  [origin software="rsyslogd" swVersion="8.24.0-34.el7" x-pid="6118" x-info="htt
12月 24 19:52:16 test rsyslogd[6118]: action '*' treated as ':omusrmsg:*' - please use ':omusrmsg:*' syntax instead, 
12月 24 19:52:16 test systemd[1]: Started System Logging Service.
12月 24 19:52:16 test rsyslogd[6118]: error during parsing file /etc/rsyslog.conf, on or before line 75: warnings occ
12月 24 19:52:16 test polkitd[752]: Unregistered Authentication Agent for unix-process:6111:11217058 (system bus name
12月 24 19:53:02 test qiuhom[6222]: this is test log
12月 24 19:53:47 test su[6256]: (to root) qiuhom on pts/1
12月 24 19:53:47 test su[6256]: pam_unix(su-l:session): session opened for user root by qiuhom(uid=1000)
12月 24 19:53:54 test qiuhom[6466]: this is test log
12月 24 20:01:01 test systemd[1]: Started Session 37 of user root.
12月 24 20:01:01 test CROND[6791]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 20:01:01 test run-parts(/etc/cron.hourly)[6794]: starting 0anacron
12月 24 20:01:01 test run-parts(/etc/cron.hourly)[6800]: finished 0anacron
[root@test ~]#

  6) Follow the journal in real time

[root@test ~]#journalctl -f
-- Logs begin at 一 2019-12-23 12:42:48 CST. --
12月 24 19:52:16 test rsyslogd[6118]: error during parsing file /etc/rsyslog.conf, on or before line 75: warnings occured in file '/etc/rsyslog.conf' around line 75 [v8.24.0-34.el7 try http://www.rsyslog.com/e/2207 ]
12月 24 19:52:16 test polkitd[752]: Unregistered Authentication Agent for unix-process:6111:11217058 (system bus name :1.95, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8) (disconnected from bus)
12月 24 19:53:02 test qiuhom[6222]: this is test log
12月 24 19:53:47 test su[6256]: (to root) qiuhom on pts/1
12月 24 19:53:47 test su[6256]: pam_unix(su-l:session): session opened for user root by qiuhom(uid=1000)
12月 24 19:53:54 test qiuhom[6466]: this is test log
12月 24 20:01:01 test systemd[1]: Started Session 37 of user root.
12月 24 20:01:01 test CROND[6791]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 20:01:01 test run-parts(/etc/cron.hourly)[6794]: starting 0anacron
12月 24 20:01:01 test run-parts(/etc/cron.hourly)[6800]: finished 0anacron
12月 24 20:51:28 test qiuhom[8356]: this is a test log

  Note: this option works like tail -f

  7) View the logs of a given program by the path of its executable (journalctl turns a path argument into an _EXE= match)

[root@test ~]#journalctl /sbin/nginx
-- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 20:51:28 CST. --
12月 23 12:43:07 test nginx[1050]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
12月 23 12:43:07 test nginx[1050]: nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@test ~]#journalctl /usr/lib/systemd/systemd
-- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 20:51:28 CST. --
12月 23 12:42:49 docker systemd[1]: Started Setup Virtual Console.
12月 23 12:42:49 docker systemd[1]: Started dracut cmdline hook.
12月 23 12:42:49 docker systemd[1]: Starting dracut pre-udev hook...
12月 23 12:42:49 docker systemd[1]: Started dracut pre-udev hook.
12月 23 12:42:49 docker systemd[1]: Starting udev Kernel Device Manager...
12月 23 12:42:49 docker systemd[1]: Started udev Kernel Device Manager.
12月 23 12:42:49 docker systemd[1]: Starting udev Coldplug all Devices...
12月 23 12:42:49 docker systemd[1]: Mounting Configuration File System...
12月 23 12:42:49 docker systemd[1]: Mounted Configuration File System.
12月 23 12:42:49 docker systemd[1]: Started udev Coldplug all Devices.
12月 23 12:42:49 docker systemd[1]: Reached target System Initialization.
12月 23 12:42:49 docker systemd[1]: Starting Show Plymouth Boot Screen...
12月 23 12:42:49 docker systemd[1]: Starting dracut initqueue hook...
12月 23 12:42:49 docker systemd[1]: Started Show Plymouth Boot Screen.
12月 23 12:42:49 docker systemd[1]: Started Forward Password Requests to Plymouth Directory Watch.
12月 23 12:42:49 docker systemd[1]: Reached target Paths.
12月 23 12:42:49 docker systemd[1]: Reached target Basic System.
12月 23 12:42:51 docker systemd[1]: Found device /dev/mapper/centos-root.
12月 23 12:42:51 docker systemd[1]: Starting File System Check on /dev/mapper/centos-root...
12月 23 12:42:51 docker systemd[1]: Started File System Check on /dev/mapper/centos-root.
12月 23 12:42:51 docker systemd[1]: Started dracut initqueue hook.
12月 23 12:42:51 docker systemd[1]: Reached target Remote File Systems (Pre).
12月 23 12:42:51 docker systemd[1]: Reached target Remote File Systems.
12月 23 12:42:51 docker systemd[1]: Mounting /sysroot...
12月 23 12:42:52 docker systemd[1]: Mounted /sysroot.
12月 23 12:42:52 docker systemd[1]: Reached target Initrd Root File System.
12月 23 12:42:52 docker systemd[1]: Starting Reload Configuration from the Real Root...
12月 23 12:42:52 docker systemd[1]: Reloading.
12月 23 12:42:52 docker systemd[1]: Started Reload Configuration from the Real Root.
12月 23 12:42:52 docker systemd[1]: Reached target Initrd File Systems.
12月 23 12:42:52 docker systemd[1]: Reached target Initrd Default Target.
12月 23 12:42:52 docker systemd[1]: Starting dracut pre-pivot and cleanup hook...
12月 23 12:42:52 docker systemd[1]: Started dracut pre-pivot and cleanup hook.
12月 23 12:42:52 docker systemd[1]: Starting Cleaning Up and Shutting Down Daemons...
12月 23 12:42:52 docker systemd[1]: Stopped target Timers.
12月 23 12:42:52 docker systemd[1]: Starting Plymouth switch root service...
12月 23 12:42:52 docker systemd[1]: Stopped Cleaning Up and Shutting Down Daemons.
12月 23 12:42:52 docker systemd[1]: Stopped dracut pre-pivot and cleanup hook.
lines 1-39

  8) View the logs of a given process ID

[root@test ~]#journalctl _PID=757
-- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 21:08:23 CST. --
12月 23 12:42:56 test chronyd[757]: chronyd version 3.4 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SI
12月 23 12:42:56 test chronyd[757]: Frequency -5.019 +/- 0.085 ppm read from /var/lib/chrony/drift
12月 23 12:43:07 test chronyd[757]: Selected source 84.16.67.12
[root@test ~]#journalctl _PID=10781
-- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 21:08:23 CST. --
12月 24 21:08:08 test setroubleshoot[10781]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:08:08 test python[10781]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tcp_socket
                                      
                                      *****  Plugin connect_ports (85.9 confidence) suggests   *********************
                                      
                                      If you want to allow /usr/sbin/nginx to connect to network port 8888
                                      Then you need to modify the port type.
                                      Do
                                      # semanage port -a -t PORT_TYPE -p tcp 8888
                                          where PORT_TYPE is one of the following: dns_port_t, dnssec_port_t, http_po
                                      
                                      *****  Plugin catchall_boolean (7.33 confidence) suggests   ******************
                                      
                                      If you want to allow httpd to can network connect
                                      Then you must tell SELinux about this by enabling the 'httpd_can_network_connec
                                      
                                      Do
                                      setsebool -P httpd_can_network_connect 1
                                      
                                      *****  Plugin catchall_boolean (7.33 confidence) suggests   ******************
                                      
                                      If you want to allow nis to enabled
                                      Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
                                      
                                      Do
                                      setsebool -P nis_enabled 1
                                      
                                      *****  Plugin catchall (1.35 confidence) suggests   **************************
                                      
                                      If you believe that nginx should be allowed name_connect access on the port 888
                                      Then you should report this as a bug.
                                      You can generate a local policy module to allow this access.
                                      Do
                                      allow this access for now by executing:
                                      # ausearch -c 'nginx' --raw | audit2allow -M my-nginx
                                      # semodule -i my-nginx.pp
                                      
lines 1-38/38 (END)

  9) View the logs of scripts run by a given interpreter (here every process whose executable was /usr/bin/bash)

[root@test ~]#journalctl /usr/bin/bash
-- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 21:08:23 CST. --
12月 23 12:42:56 test augenrules[730]: /sbin/augenrules: No change
12月 23 12:42:56 test augenrules[730]: No rules
12月 23 12:43:06 test network[883]: Bringing up loopback interface: [  OK  ]
12月 23 12:43:06 test network[883]: Bringing up interface enp2s0: [  OK  ]
12月 23 13:01:01 test CROND[1515]: (root) CMD (run-parts /etc/cron.hourly)
12月 23 14:01:01 test CROND[2160]: (root) CMD (run-parts /etc/cron.hourly)
12月 23 15:01:01 test CROND[2185]: (root) CMD (run-parts /etc/cron.hourly)
12月 23 16:01:01 test CROND[2203]: (root) CMD (run-parts /etc/cron.hourly)
12月 23 17:01:01 test CROND[2221]: (root) CMD (run-parts /etc/cron.hourly)
12月 23 18:01:01 test CROND[2239]: (root) CMD (run-parts /etc/cron.hourly)
12月 23 19:01:02 test CROND[2256]: (root) CMD (run-parts /etc/cron.hourly)
12月 23 20:01:01 test CROND[2275]: (root) CMD (run-parts /etc/cron.hourly)
12月 23 21:01:01 test CROND[2291]: (root) CMD (run-parts /etc/cron.hourly)
12月 23 22:01:01 test CROND[2309]: (root) CMD (run-parts /etc/cron.hourly)
12月 23 23:01:01 test CROND[2328]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 01:01:01 test CROND[2368]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 02:01:01 test CROND[2388]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 03:01:01 test CROND[2408]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 04:01:01 test CROND[2455]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 07:01:01 test CROND[2507]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 08:01:01 test CROND[2525]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 09:01:01 test CROND[2543]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 10:01:01 test CROND[2561]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 11:01:01 test CROND[2579]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 12:01:01 test CROND[2597]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 13:01:01 test CROND[2619]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 14:01:01 test CROND[3415]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 16:01:01 test CROND[3454]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 17:01:01 test CROND[3472]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 18:01:01 test CROND[3490]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 19:01:01 test CROND[3509]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 20:01:01 test CROND[6791]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 21:01:01 test CROND[9711]: (root) CMD (run-parts /etc/cron.hourly)
[root@test ~]#

  10) View the logs of a given user

[root@test ~]#id qiuhom
uid=1000(qiuhom) gid=1000(qiuhom) 组=1000(qiuhom)
[root@test ~]#journalctl _UID=1000
-- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 21:08:23 CST. --
12月 23 13:23:58 test su[1912]: (to root) qiuhom on pts/0
12月 23 13:23:58 test su[1912]: pam_unix(su-l:session): session opened for user root by qiuhom(uid=1000)
12月 23 14:07:46 test su[1912]: pam_unix(su-l:session): session closed for user root
12月 24 13:16:28 test su[2673]: (to root) qiuhom on pts/0
12月 24 13:16:28 test su[2673]: pam_unix(su-l:session): session opened for user root by qiuhom(uid=1000)
12月 24 14:02:19 test su[2673]: pam_unix(su-l:session): session closed for user root
12月 24 19:03:55 test su[3562]: (to root) qiuhom on pts/0
12月 24 19:03:55 test su[3562]: pam_unix(su-l:session): session opened for user root by qiuhom(uid=1000)
12月 24 19:53:47 test su[6256]: (to root) qiuhom on pts/1
12月 24 19:53:47 test su[6256]: pam_unix(su-l:session): session opened for user root by qiuhom(uid=1000)
[root@test ~]#

  11) View the logs of a given unit

[root@test ~]#journalctl -u nginx.service
-- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 21:08:23 CST. --
12月 23 12:43:07 test systemd[1]: Starting The nginx HTTP and reverse proxy server...
12月 23 12:43:07 test nginx[1050]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
12月 23 12:43:07 test nginx[1050]: nginx: configuration file /etc/nginx/nginx.conf test is successful
12月 23 12:43:08 test systemd[1]: Started The nginx HTTP and reverse proxy server.
[root@test ~]#journalctl -u nginx.service --since today
-- No entries --
[root@test ~]#systemctl restart nginx
[root@test ~]#journalctl -u nginx.service --since today
-- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 21:14:31 CST. --
12月 24 21:14:31 test systemd[1]: Stopping The nginx HTTP and reverse proxy server...
12月 24 21:14:31 test systemd[1]: Stopped The nginx HTTP and reverse proxy server.
12月 24 21:14:31 test systemd[1]: Starting The nginx HTTP and reverse proxy server...
12月 24 21:14:31 test nginx[11296]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
12月 24 21:14:31 test nginx[11296]: nginx: configuration file /etc/nginx/nginx.conf test is successful
12月 24 21:14:31 test systemd[1]: Started The nginx HTTP and reverse proxy server.
[root@test ~]#

  Note: several units can be given at once, each with its own -u; --since limits the time range, and -f follows the latest entries of a unit.

  12) View logs of a given priority (and every more severe level); there are 8 levels

    0: emerg
    1: alert
    2: crit
    3: err
    4: warning
    5: notice
    6: info
    7: debug

[root@test ~]#journalctl -p err
-- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 21:14:31 CST. --
12月 23 12:42:50 docker kernel: gma500 0000:00:02.0: GPU: power management timed out.
12月 24 19:47:41 test rsyslogd[5521]: error during parsing file /etc/rsyslog.conf, on or before line 75: warnings occ
12月 24 19:52:16 test rsyslogd[6118]: error during parsing file /etc/rsyslog.conf, on or before line 75: warnings occ
12月 24 21:07:45 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:07:48 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:07:49 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:07:50 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:07:50 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:07:51 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:07:52 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:07:53 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:07:53 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:07:54 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:07:55 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:07:56 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:07:56 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:07:57 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:07:58 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:07:58 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:07:59 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:08:00 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:08:01 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:08:01 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:08:02 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:08:03 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:08:08 test setroubleshoot[10781]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:08:23 test setroubleshoot[10826]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
[root@test ~]#

  13) Output is paged by default; --no-pager switches to plain standard output

...part of the output omitted
12月 24 21:14:31 test polkitd[752]: Registered Authentication Agent for unix-process:11283:11710498 (system bus name :1.105 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8)
12月 24 21:14:31 test systemd[1]: Stopping The nginx HTTP and reverse proxy server...
12月 24 21:14:31 test systemd[1]: Stopped The nginx HTTP and reverse proxy server.
12月 24 21:14:31 test systemd[1]: Starting The nginx HTTP and reverse proxy server...
12月 24 21:14:31 test nginx[11296]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
12月 24 21:14:31 test nginx[11296]: nginx: configuration file /etc/nginx/nginx.conf test is successful
12月 24 21:14:31 test systemd[1]: Started The nginx HTTP and reverse proxy server.
12月 24 21:14:31 test polkitd[752]: Unregistered Authentication Agent for unix-process:11283:11710498 (system bus name :1.105, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8) (disconnected from bus)
[root@test ~]#

  14) Output in JSON format (one record per line)

[root@test ~]#journalctl -b -u nginx.service -o json
{ "__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=4fe;b=e3110b5a73e44bebb9ac87b21fad016d;m=1401ea7;t=59a57a9eb3d4c
{ "__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=50a;b=e3110b5a73e44bebb9ac87b21fad016d;m=1488bea;t=59a57a9f3aa8f
{ "__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=50b;b=e3110b5a73e44bebb9ac87b21fad016d;m=1489f61;t=59a57a9f3be06
{ "__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=50d;b=e3110b5a73e44bebb9ac87b21fad016d;m=14d1bc8;t=59a57a9f83a6e
{ "__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=6b9;b=e3110b5a73e44bebb9ac87b21fad016d;m=1b44014f22;t=59a72ecac6
{ "__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=6ba;b=e3110b5a73e44bebb9ac87b21fad016d;m=1b44020532;t=59a72ecad2
{ "__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=6bb;b=e3110b5a73e44bebb9ac87b21fad016d;m=1b44024a99;t=59a72ecad6
{ "__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=6bc;b=e3110b5a73e44bebb9ac87b21fad016d;m=1b44046779;t=59a72ecaf8
{ "__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=6bd;b=e3110b5a73e44bebb9ac87b21fad016d;m=1b44046be4;t=59a72ecaf8
{ "__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=6be;b=e3110b5a73e44bebb9ac87b21fad016d;m=1b440637c3;t=59a72ecb15
[root@test ~]#

  Multi-line output, which is easier to read

[root@test ~]#journalctl -b -u nginx.service -o json-pretty
{
        "__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=4fe;b=e3110b5a73e44bebb9ac87b21fad016d;m=1401ea7;t=59a57a9
        "__REALTIME_TIMESTAMP" : "1577076187151692",
        "__MONOTONIC_TIMESTAMP" : "20979367",
        "_BOOT_ID" : "e3110b5a73e44bebb9ac87b21fad016d",
        "PRIORITY" : "6",
        "_UID" : "0",
        "_GID" : "0",
        "_MACHINE_ID" : "931bcb70deb1435eaea1d542d13878cc",
        "SYSLOG_FACILITY" : "3",
        "SYSLOG_IDENTIFIER" : "systemd",
        "_TRANSPORT" : "journal",
        "_PID" : "1",
        "_COMM" : "systemd",
        "_EXE" : "/usr/lib/systemd/systemd",
        "_CAP_EFFECTIVE" : "1fffffffff",
        "_SYSTEMD_CGROUP" : "/",
        "CODE_FILE" : "src/core/unit.c",
        "CODE_FUNCTION" : "unit_status_log_starting_stopping_reloading",
        "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5",
        "_HOSTNAME" : "test",
        "_CMDLINE" : "/usr/lib/systemd/systemd --switched-root --system --deserialize 22",
        "_SELINUX_CONTEXT" : "system_u:system_r:init_t:s0",
        "CODE_LINE" : "1395",
        "UNIT" : "nginx.service",
        "MESSAGE" : "Starting The nginx HTTP and reverse proxy server...",
        "_SOURCE_REALTIME_TIMESTAMP" : "1577076187143557"
}
{
        "__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=50a;b=e3110b5a73e44bebb9ac87b21fad016d;m=1488bea;t=59a57a9
        "__REALTIME_TIMESTAMP" : "1577076187703951",
        "__MONOTONIC_TIMESTAMP" : "21531626",
        "_BOOT_ID" : "e3110b5a73e44bebb9ac87b21fad016d",
        "PRIORITY" : "6",
        "_UID" : "0",
        "_GID" : "0",
        "_SYSTEMD_SLICE" : "system.slice",
        "_MACHINE_ID" : "931bcb70deb1435eaea1d542d13878cc",
        "SYSLOG_FACILITY" : "3",
[root@test ~]#
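As an added example (not code from the original post or from systemd), the following Python script reads the one-record-per-line JSON export shown in 14) and applies the same filters that 9) through 12) apply on the command line, using the exported field names _EXE, _UID, UNIT/_SYSTEMD_UNIT and PRIORITY. The sample records it parses are constructed for this example (the field names are real, the values are not), and the collapsing of repeated errors at the end is this example's own addition for triaging bursts like the setroubleshoot entries in 12).

```python
"""Triage records exported with `journalctl -o json`.

Added example for this post, not code from the original article or from
systemd. It reads the one-object-per-line export shown in section 14 and
applies the filters that sections 9-12 apply on the command line:
executable path (_EXE), user (_UID), unit (UNIT or _SYSTEMD_UNIT) and
priority (PRIORITY, 0 = emerg ... 7 = debug; lower is more severe).
The sample records below are constructed; only the field names are real.
"""
import json
from collections import Counter

# Priority names in numeric order, as listed in section 12 (index == level).
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample export (values invented; field names as in `journalctl -o json`).
# The last line is deliberately cut off, like a capture truncated by the terminal.
SAMPLE_JSON_LINES = "\n".join(json.dumps(r, separators=(",", ":")) for r in [
    {"PRIORITY": "6", "_UID": "0", "_EXE": "/usr/lib/systemd/systemd", "UNIT": "nginx.service",
     "SYSLOG_IDENTIFIER": "systemd", "MESSAGE": "Starting The nginx HTTP and reverse proxy server..."},
    {"PRIORITY": "3", "_UID": "0", "_EXE": "/usr/sbin/setroubleshootd",
     "SYSLOG_IDENTIFIER": "setroubleshoot", "MESSAGE": "SELinux is preventing /usr/sbin/nginx from name_connect access"},
    {"PRIORITY": "3", "_UID": "0", "_EXE": "/usr/sbin/setroubleshootd",
     "SYSLOG_IDENTIFIER": "setroubleshoot", "MESSAGE": "SELinux is preventing /usr/sbin/nginx from name_connect access"},
    {"PRIORITY": "6", "_UID": "1000", "_EXE": "/usr/bin/su", "SYSLOG_IDENTIFIER": "su",
     "MESSAGE": "(to root) qiuhom on pts/0"},
    {"PRIORITY": "7", "_UID": "1000", "_EXE": "/usr/bin/bash", "SYSLOG_IDENTIFIER": "bash",
     "MESSAGE": "debug chatter"},
]) + '\n{ "__CURSOR" : "s=constructed;i=4fe'


def parse_export(text):
    """Parse the one-object-per-line export, skipping blank or truncated lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a cut-off line at the end of a capture
    return records


def priority_level(record):
    """Numeric PRIORITY of a record; records without one count as debug (7) here."""
    try:
        return int(record.get("PRIORITY", 7))
    except ValueError:
        return 7


def filter_records(records, max_priority=None, uid=None, exe=None, unit=None):
    """Mimic `journalctl -p LEVEL`, `journalctl _UID=N`, `journalctl /path` and
    `journalctl -u UNIT`. max_priority is a number or a name from PRIORITIES and,
    like -p, keeps that level and everything more severe (numerically lower)."""
    if isinstance(max_priority, str):
        max_priority = PRIORITIES.index(max_priority)
    kept = []
    for r in records:
        if max_priority is not None and priority_level(r) > max_priority:
            continue
        if uid is not None and r.get("_UID") != str(uid):
            continue
        if exe is not None and r.get("_EXE") != exe:
            continue
        if unit is not None and unit not in (r.get("UNIT"), r.get("_SYSTEMD_UNIT")):
            continue
        kept.append(r)
    return kept


def repeated_errors(records, min_count=2):
    """Collapse err-or-worse records with the same identifier and message (the
    SELinux denial burst in section 12 is the motivating case); returns
    {(identifier, message): count} for bursts of at least min_count."""
    counts = Counter(
        (r.get("SYSLOG_IDENTIFIER", "?"), r.get("MESSAGE", ""))
        for r in filter_records(records, max_priority="err")
    )
    return {key: n for key, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    recs = parse_export(SAMPLE_JSON_LINES)
    print(f"{len(recs)} records parsed")
    print("err and above :", len(filter_records(recs, max_priority="err")))
    print("uid 1000      :", len(filter_records(recs, uid=1000)))
    for (ident, msg), n in repeated_errors(recs).items():
        print(f"{n}x {ident}: {msg}")
```

On a live system, feed the output of `journalctl -o json` to parse_export instead of the constructed sample. The json-pretty format from 14) is meant for reading, not for line-by-line parsing, and each record in it spans many lines.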

  15) Show the disk space used by the journal

[root@test ~]#journalctl --disk-usage
Archived and active journals take up 8.0M on disk.
[root@test ~]#

  Cap the space the journal files may occupy

[root@test ~]#journalctl --vacuum-size=1G
Vacuuming done, freed 0B of archived journals on disk.
[root@test ~]#

  Cap how long journal files are kept

[root@test ~]#journalctl --vacuum-time=1years
Vacuuming done, freed 0B of archived journals on disk.
[root@test ~]#

  logrotate: this program is a log file management tool. It removes old log files and creates new ones; this process is called log rotation (or rolling). It can rotate based on the size of a log file or on its age, and it is usually run from a scheduled cron job.

  The configuration file is /etc/logrotate.conf

  The main parameters are:

    compress: compress rotated logs with gzip

    nocompress: use this when no compression is wanted

    copytruncate: for log files that are still open, copy the current log to the backup and then truncate it in place

    nocopytruncate: back up the log file but do not truncate it

    create mode owner group: after rotating, create the new log file with the given mode, owner and group

    nocreate: do not create a new log file

    delaycompress: used together with compress; the rotated log is compressed only at the next rotation

    nodelaycompress: overrides the delaycompress option; rotate and compress immediately

    errors address: send error messages raised during rotation to the given email address

    ifempty: rotate the log even if it is empty; this is the default

    notifempty: do not rotate the log if it is empty

    mail address: send rotated log files to the given email address

    nomail: do not mail log files on rotation

    olddir directory: put rotated log files into the given directory, which must be on the same file system as the current log file

    noolddir: keep rotated log files in the same directory as the current log file

    sharedscripts: run the postrotate script once after all logs have been rotated. Without it, the script runs once per rotated log

    prerotate/endscript: commands to run before rotation go between these two keywords, each of which must be on a line by itself

    postrotate/endscript: commands to run after rotation go between these two keywords, each of which must be on a line by itself

    dateext: use the current date as the suffix of the rotated file name

    dateformat: used with dateext, on the line right after it; defines the name of the rotated file. It requires dateext and supports only the four specifiers %Y %m %d %s

    daily: rotate every day

    weekly: rotate every week

    monthly: rotate every month

    size: rotate the log when it grows beyond the given size

    rotate count: how many rotations to keep before a log is deleted; 0 means no backups, 5 means keep 5 backups

    missingok: if the log does not exist, report an error

    nomissingok: if the log does not exist, continue with the next log without reporting an error

  Default configuration file

[root@test ~]#cat /etc/logrotate.conf 
# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# use date as a suffix of the rotated file
dateext

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
        minsize 1M
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
}

# system-specific logs may be also be configured here.
[root@test ~]#

  Note: from the configuration above we can see that /var/log/wtmp is rotated once a month and a new log file is created with mode 0664, owner root and group utmp; the log is rotated once it exceeds 1M, and one backup is kept. This file defines the rotation rules for the system's log files, and the line include /etc/logrotate.d imports every rule under the /etc/logrotate.d directory into the configuration. Each application can therefore keep its rules in its own file, which makes managing rotation rules convenient.

[root@test ~]#ll /etc/logrotate.d/
总用量 40
-rw-r--r--. 1 root root  91 4月  11 2018 bootlog
-rw-r--r--. 1 root root 160 9月  19 2018 chrony
-rw-r--r--. 1 root root 194 8月   6 21:44 httpd
-rw-r--r--. 1 root root 893 8月   8 19:49 mariadb
-rw-r--r--. 1 root root 243 5月  10 2019 nginx
-rw-r--r--. 1 root root 136 6月  10 2014 ppp
-rw-r--r--. 1 root root 115 8月   9 22:39 samba
-rw-r--r--. 1 root root 224 10月 18 23:48 syslog
-rw-r--r--. 1 root root 100 10月 31 2018 wpa_supplicant
-rw-r--r--. 1 root root 103 11月  5 2018 yum
[root@test ~]#cat /etc/logrotate.d/chrony 
/var/log/chrony/*.log {
    missingok
    nocreate
    sharedscripts
    postrotate
        /usr/bin/chronyc cyclelogs > /dev/null 2>&1 || true
    endscript
}
[root@test ~]#cat /etc/logrotate.d/nginx 
/var/log/nginx/*log {
    create 0644 nginx nginx
    daily
    rotate 10
    missingok
    notifempty
    compress
    sharedscripts
    postrotate
        /bin/kill -USR1 `cat /run/nginx.pid 2>/dev/null` 2>/dev/null || true
    endscript
}

[root@test ~]#cat /etc/logrotate.d/syslog 
/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
    missingok
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
[root@test ~]#cat /etc/logrotate.d/yum
/var/log/yum.log {
    missingok
    notifempty
    maxsize 30k
    yearly
    create 0600 root root
}
[root@test ~]#

  Note: /etc/logrotate.d/ is the directory that holds the log rotation rules of the various applications

  logrotate runs from cron; its script is /etc/cron.daily/logrotate, so log rotation is done automatically by the system. Running logrotate reads the configuration file /etc/logrotate.conf, and per-application rotation rules defined under /etc/logrotate.d override logrotate's defaults. When testing a rotation rule of our own we can run logrotate -f /etc/logrotate.d/xxx, which forces logrotate to read /etc/logrotate.d/xxx and rotate the log files. The usage of the logrotate command is shown below

[root@test ~]#logrotate --help
用法: logrotate [OPTION...] <configfile>
  -d, --debug               Don't do anything, just test (implies -v)
  -f, --force               Force file rotation
  -m, --mail=command        Command to send mail (instead of `/bin/mail')
  -s, --state=statefile     Path of state file
  -v, --verbose             Display messages during rotation
  -l, --log=STRING          Log file
  --version                 Display version information

Help options:
  -?, --help                Show this help message
  --usage                   Display brief usage message
[root@test ~]#

  Note: -d means --debug, a debug mode that checks the configuration file for errors; -f means --force, forcing rotation of the log files; -m specifies where the compressed log files are mailed; -s means use the given state file; -v shows the rotation process. With this tool, managing log files is easy: we only need to define the rotation rules for the log files.

  五、Enable the network logging service: run rsyslog over TCP or UDP and configure it as a log server

    1) Configure rsyslog to listen on port 514 over TCP or UDP

[root@test ~]#grep -i "tcp" /etc/rsyslog.conf    
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
# Remote Logging (we use TCP for reliable delivery)
[root@test ~]#grep -i "udp" /etc/rsyslog.conf   
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
[root@test ~]#

  Note: the configuration above makes rsyslog listen on UDP port 514. After editing the configuration file and restarting the service, this machine becomes an rsyslog log server that can record logs on behalf of other hosts.

    2) Restart the rsyslog service, then configure rsyslog on the client so that its logs are sent to the rsyslog server

[root@test ~]#systemctl restart rsyslog
[root@test ~]#ss -ntul
Netid State      Recv-Q Send-Q           Local Address:Port                          Peer Address:Port              
udp   UNCONN     0      0                            *:123                                      *:*                  
udp   UNCONN     0      0                    127.0.0.1:323                                      *:*                  
udp   UNCONN     0      0                            *:514                                      *:*                  
udp   UNCONN     0      0                          ::1:323                                     :::*                  
udp   UNCONN     0      0                           :::514                                     :::*                  
tcp   LISTEN     0      100                  127.0.0.1:25                                       *:*                  
tcp   LISTEN     0      25                           *:514                                      *:*                  
tcp   LISTEN     0      128                          *:41319                                    *:*                  
tcp   LISTEN     0      50                           *:3306                                     *:*                  
tcp   LISTEN     0      100                        ::1:25                                      :::*                  
tcp   LISTEN     0      25                          :::514                                     :::*                  
tcp   LISTEN     0      128                         :::41319                                   :::*                  
tcp   LISTEN     0      128                         :::80                                      :::*                  
[root@test ~]#

  Note: after the restart, port 514 is listening. Next, configure rsyslog on the client so that it sends its logs over the network to the log server

[root@test-node1 ~]#grep "192.168.0.99" /etc/rsyslog.conf
*.info;mail.none;authpriv.none;cron.none                @192.168.0.99
[root@test-node1 ~]#

  Note: this configuration sends logs of level info and above from every facility except mail, authpriv and cron to 192.168.0.99. Note that a single “@” means the server is reached over UDP and the logs are transported over UDP, while a double “@@” means the connection and the log transfer use TCP
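To make the selector semantics above concrete, here is an added Python example (not code from the original post or from the rsyslog project) that parses a classic RULES line into per-facility decisions and reports whether a message with a given facility and priority would be selected, and over which transport it would be sent. SAMPLE_RULE is the client rule shown above; the facility and priority codes are the standard syslog values; negated selectors such as `*.!err` and rsyslog's property-based filters are deliberately left out.

```python
"""Evaluate classic rsyslog selector lines such as

    *.info;mail.none;authpriv.none;cron.none    @192.168.0.99

Added example for this post, not code from the original article or from the
rsyslog project. It implements the selector semantics the post describes:
facility.priority keeps that priority and everything more severe,
facility.=priority keeps exactly that level, facility.none drops the
facility, '*' stands for every facility or every level, later fields
override earlier ones for the facilities they name, '@host' forwards over
UDP and '@@host' over TCP (port 514 unless one is given).
"""

# Standard syslog facility codes; 'security' is a deprecated alias of auth.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}
FACILITY_ALIASES = {"security": "auth"}

# Severity codes; a lower number is more severe. Legacy spellings included.
PRIORITIES = {"emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
              "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7}

# The client rule from the post (the target is the post's log server address).
SAMPLE_RULE = "*.info;mail.none;authpriv.none;cron.none                @192.168.0.99"


def _facility(name):
    name = FACILITY_ALIASES.get(name, name)
    if name not in FACILITIES:
        raise ValueError(f"unknown facility: {name}")
    return name


def parse_rule(line):
    """Split a RULES line into (decisions, target).

    decisions maps facility -> (level, exact): level None means the facility is
    dropped ('none'); exact True means only that level matches ('=priority').
    """
    try:
        selector, target = line.split(None, 1)
    except ValueError:
        raise ValueError(f"rule needs a selector and a target: {line!r}") from None
    decisions = {}
    for field in selector.split(";"):
        fac_part, sep, pri_part = field.partition(".")
        if not sep or not pri_part:
            raise ValueError(f"malformed selector field: {field!r}")
        if pri_part.startswith("!"):
            raise ValueError(f"negated selectors are not supported here: {field!r}")
        exact = pri_part.startswith("=")
        pri_name = pri_part.lstrip("=")
        if pri_name == "none":
            level = None
        elif pri_name == "*":
            level = PRIORITIES["debug"]  # every level
        elif pri_name in PRIORITIES:
            level = PRIORITIES[pri_name]
        else:
            raise ValueError(f"unknown priority: {pri_name!r}")
        facilities = list(FACILITIES) if fac_part == "*" else [_facility(f) for f in fac_part.split(",")]
        for fac in facilities:
            decisions[fac] = (level, exact)  # later fields win: *.info;mail.none drops mail
    return decisions, target.strip()


def selected(decisions, facility, priority):
    """True if a message with this facility/priority matches the parsed selector."""
    facility = _facility(facility)
    if facility not in decisions:
        return False
    level, exact = decisions[facility]
    if level is None:
        return False
    code = PRIORITIES[priority] if isinstance(priority, str) else int(priority)
    return code == level if exact else code <= level


def target_transport(target):
    """Classify a rule target: ('udp'|'tcp', host, port) for @ / @@ targets,
    ('file', path, async) for a path (leading '-' means asynchronous write),
    ('user', name) otherwise. Bracketed IPv6 literals are not handled."""
    if target.startswith("@@"):
        proto, rest = "tcp", target[2:]
    elif target.startswith("@"):
        proto, rest = "udp", target[1:]
    elif target.startswith("/") or target.startswith("-/"):
        return ("file", target.lstrip("-"), target.startswith("-"))
    else:
        return ("user", target)
    host, _, port = rest.partition(":")
    return (proto, host, int(port) if port else 514)


def forwarded_to(line, facility, priority):
    """The transport tuple if the rule selects this message, else None."""
    decisions, target = parse_rule(line)
    if not selected(decisions, facility, priority):
        return None
    return target_transport(target)


if __name__ == "__main__":
    for fac, pri in [("daemon", "info"), ("daemon", "debug"), ("mail", "emerg"), ("kern", "crit")]:
        print(f"{fac}.{pri:<6} -> {forwarded_to(SAMPLE_RULE, fac, pri)}")
```

Each RULES line is evaluated independently by rsyslog, so a message can match both a local file rule and a forwarding rule; the function above evaluates one line at a time. A single-@ target is plain UDP, which gives neither delivery guarantees nor confidentiality, so the transport reported by target_transport is worth checking when a rule is meant to carry authentication or audit events off the host.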

    3) Restart rsyslog on the client and view the client's logs on the server

[root@test-node1 ~]#/etc/init.d/rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
[root@test-node1 ~]#logger "i am test-node1"
[root@test-node1 ~]#tail /var/log/messages
Dec 24 23:06:17 test kernel: cfg80211:   (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 0 mBm), (N/A)
Dec 24 23:06:17 test kernel: EXT4-fs (sda1): mounted filesystem with ordered data mode. Opts: 
Dec 24 23:06:17 test kernel: EXT4-fs (dm-2): mounted filesystem with ordered data mode. Opts: 
Dec 24 23:06:17 test kernel: Adding 4128764k swap on /dev/mapper/VolGroup-lv_swap.  Priority:-1 extents:1 across:4128764k 
Dec 24 23:06:17 test kernel: sky2 eth0: enabling interface
Dec 24 23:06:17 test kernel: ADDRCONF(NETDEV_UP): eth0: link is not ready
Dec 24 23:06:17 test kernel: sky2 eth0: Link is up at 1000 Mbps, full duplex, flow control both
Dec 24 23:06:17 test kernel: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
Dec 24 23:23:06 test kernel: Kernel logging (proc) stopped.
Dec 24 23:23:06 test rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1471" x-info="http://www.rsyslog.com"] exiting on signal 15.
[root@test-node1 ~]#

  Note: as you can see, the client no longer records the logs locally

[root@test ~]#tail /var/log/messages
Dec 24 21:43:07 test systemd: Started System Logging Service.
Dec 24 23:26:04 test systemd: Stopping System Logging Service...
Dec 24 23:26:04 test rsyslogd: [origin software="rsyslogd" swVersion="8.24.0-41.el7_7.2" x-pid="16136" x-info="http://www.rsyslog.com"] exiting on signal 15.
Dec 24 23:26:04 test systemd: Stopped System Logging Service.
Dec 24 23:26:04 test systemd: Starting System Logging Service...
Dec 24 23:26:04
