
Linux log management system: rsyslog

  I. The concept of a log

  What is a log? A log is a record of historical events. A historical event consists of a time, a place, a person and what happened; that is what "log" means in everyday life and it is easy to understand. Linux has a similar service whose main job is to record the system's historical events: at what time which service, program or pid produced some event. By recording these events, we can inspect the logs to learn what happened on the Linux system over a past period of time, which helps us solve problems.

  In Linux, log events have levels, that is, a degree of importance. Some events are only warnings that we should take note of; they serve as a reminder, and we may deal with them later or not at all. Other events are urgent: they are more than a hint, and it may well be that the event happens this second and the Linux system goes down the next. So the severity of an event matters a great deal on a Linux system. Before CentOS 5 the logging system was called syslog and consisted of two services: syslogd (system application), which mainly recorded application logs, and klogd (Linux kernel), which mainly recorded kernel logs. The usual record format is: date and time, host, program[pid], event content. The Linux logging system can do more than record the local machine's logs: it can also transmit logs over TCP or UDP and thereby record logs on behalf of other hosts; a server used in this way is called a log server.

  II. Introduction to rsyslog

  On CentOS 6 and CentOS 7, rsyslog has the following features:

  1) Multi-process

  2) Supports UDP, TCP, SSL, TLS, RELP and other protocols

  3) Can store logs over the network in MySQL, PGSQL, Oracle and other databases

  4) Powerful filters that can match any part of a log record

  5) Custom log output formats

  Important rsyslog log collector terminology

  facility: literally "facility"; a classification of logs by function or program. Common facilities in Linux are auth (authentication logs), authpriv (authorization logs), cron (scheduled-task logs), daemon (system service logs), ftp (ftp service logs), kern (kernel logs), lpr (printing logs), mail (mail logs), news (news logs), security (security logs), user (user logs), uucp (file copy logs), and local0-local7 (custom logs).

  priority: the priority level, ordered from low to high: debug (debugging), info (informational), notice (noteworthy), warn (warning), err (error), crit (critical), alert (action must be taken immediately), emerg (panic; kernel crash, kernel panic and other critical conditions).

  Program environment:

    Package: rsyslog

    Main program: /usr/sbin/rsyslogd

    Main configuration files: /etc/rsyslog.conf, /etc/rsyslog.d/*.conf

    Library files: /lib64/rsyslog/*.so

    Service scripts:

      CentOS 6: service rsyslog {start|stop|restart|status}

      CentOS 7: /usr/lib/systemd/system/rsyslog.service

    Configuration file format: made up of three parts

      MODULES: module configuration

      GLOBAL DIRECTIVES: global configuration

      RULES: rules for recording logs

    RULES format: facility.priority;facility.priority;……  target

      facility:

        *: all facilities

        facility1,facility2,facility3,…: the listed facilities

      priority:

        *: all levels

        none: no level

        priority: this level and every level above it

        =priority: only this level

      target:

        File path: usually under /var/log/; a "-" before the path means asynchronous writes

        User: notify the given users of the log event by writing the message to the terminals of those users who are logged in; * means all logged-in users

        Log server: @host sends the log to the given remote server for recording; host is the log server's address, which by default listens on port 514 over TCP or UDP

        Pipe: |command, forward to another command for processing

    Other logs:

      /var/log/wtmp: successful logins on this system; view with the last command

      /var/log/btmp: failed login attempts on this system; view with the lastb command

      /var/log/dmesg: messages from the boot process; can also be viewed with the dmesg command

      lastlog: shows the most recent login time of every user on the system

  III. Experiment: separate sshd's log into /var/log/sshd.log

  sshd is the service used to log into a Linux system remotely. It works on port 22 by default, and normally its log is recorded in /var/log/secure. Before, we did not know why it was recorded in that file; having studied rsyslog, we now understand.

  First let's look at sshd's configuration file

[root@test ~]#grep "log" /etc/ssh/sshd_config
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
[root@test ~]#

  Note: sshd's configuration file explicitly defines SyslogFacility AUTHPRIV. From the introduction above we know that rsyslog's facilities include authpriv. Next let's look at rsyslog's configuration file

[root@test ~]#grep "authpriv" /etc/rsyslog.conf
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
[root@test ~]#

  Note: with this result and the rsyslog introduction above, it is clear why sshd's log is recorded in /var/log/secure: rsyslog's configuration explicitly states that every level of the authpriv facility is recorded in /var/log/secure.

  Change sshd's configuration file so that its log facility becomes the custom facility local3
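How rsyslog decides which of the two rules above a message hits, as an added example that is not part of the original post: a small POSIX sh function that evaluates a classic `facility.priority;...` selector against a message's facility and priority, using the severity order from section II (emerg=0 ... debug=7, lower number is more severe). The function names and the probes are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a syslog message
# is selected by a classic rsyslog rule selector such as
# '*.info;mail.none;authpriv.none;cron.none'. Only the facility.priority
# selector syntax described in section II is handled; severities follow the
# usual syslog numbering (emerg=0 ... debug=7), lower number = more severe.

# prio_num NAME: print the numeric severity of a priority name.
prio_num() {
    case "$1" in
        emerg|panic)  echo 0 ;;
        alert)        echo 1 ;;
        crit)         echo 2 ;;
        err|error)    echo 3 ;;
        warn|warning) echo 4 ;;
        notice)       echo 5 ;;
        info)         echo 6 ;;
        debug)        echo 7 ;;
        *) echo "unknown priority: $1" >&2; return 1 ;;
    esac
}

# facility_in_list LIST FACILITY: true if LIST is '*' or a comma-separated
# list (e.g. 'auth,authpriv') that contains FACILITY.
facility_in_list() {
    [ "$1" = '*' ] && return 0
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# selector_matches SELECTOR FACILITY PRIORITY: print yes or no.
# The ';'-separated parts are evaluated left to right and the last part whose
# facility list covers the message wins, which is why 'authpriv.none' placed
# after '*.info' keeps authpriv messages out of /var/log/messages.
selector_matches() {
    selector=$1; fac=$2
    mprio=$(prio_num "$3") || return 1
    decision=no
    rest="$selector;"
    while [ -n "$rest" ]; do
        part=${rest%%;*}
        rest=${rest#*;}
        [ -n "$part" ] || continue
        flist=${part%%.*}
        pspec=${part#*.}
        facility_in_list "$flist" "$fac" || continue
        case "$pspec" in
            none) decision=no ;;
            '*')  decision=yes ;;
            =*)   sprio=$(prio_num "${pspec#=}") || return 1
                  [ "$mprio" -eq "$sprio" ] && decision=yes || decision=no ;;
            *)    sprio=$(prio_num "$pspec") || return 1
                  # a bare priority means this level and every more severe one
                  [ "$mprio" -le "$sprio" ] && decision=yes || decision=no ;;
        esac
    done
    echo "$decision"
}

# The two rules from /etc/rsyslog.conf shown above, checked against an sshd
# message (facility authpriv, priority info) and two kernel messages.
messages_rule='*.info;mail.none;authpriv.none;cron.none'
secure_rule='authpriv.*'
for probe in "authpriv info" "kern warning" "kern debug"; do
    set -- $probe
    printf '%s.%s -> /var/log/messages: %s, /var/log/secure: %s\n' \
        "$1" "$2" "$(selector_matches "$messages_rule" "$1" "$2")" \
        "$(selector_matches "$secure_rule" "$1" "$2")"
done
```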

[root@test ~]#grep "log" /etc/ssh/sshd_config
#SyslogFacility AUTH
#SyslogFacility AUTHPRIV
SyslogFacility local3
[root@test ~]#

  In the rsyslog configuration file, set the target file for every level of the local3 facility to /var/log/sshd.log

[root@test ~]#grep "local" /etc/rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
local7.*                                                /var/log/boot.log
local3.*                                                /var/log/sshd.log
[root@test ~]#

  Restart the rsyslogd and sshd services

[root@test ~]#systemctl restart rsyslog sshd

  Check /var/log/sshd.log

[root@test ~]#ll /var/log/sshd.log
-rw-------. 1 root root 207 12月 24 19:23 /var/log/sshd.log
[root@test ~]#cat /var/log/sshd.log
Dec 24 19:23:33 test sshd[4532]: Received signal 15; terminating.
Dec 24 19:23:33 test sshd[4575]: Server listening on 0.0.0.0 port 41319.
Dec 24 19:23:33 test sshd[4575]: Server listening on :: port 41319.
[root@test ~]#

  Note: to manage an application's log with rsyslog, the application must implement rsyslog's logging interface internally; otherwise its log cannot be managed through rsyslog.

  IV. Small log management tools

  logger: this small tool generates log messages; it is mainly used to check whether the logging system we configured records logs correctly

[root@test ~]#logger  --help

用法:
 logger [選項] [訊息]

選項:
 -T, --tcp             只使用 TCP
 -d, --udp             只使用 UDP
 -i, --id              同時記錄程序 ID
 -f, --file <檔案>     記錄此檔案的內容
 -h, --help            顯示此幫助並退出
 -S, --size <num>      maximum size for a single message (default 1024)
 -n, --server <name>   write to this remote syslog server
 -P, --port <port>     use this port for UDP or TCP connection
 -p, --priority <prio> mark given message with this priority
 -s, --stderr          output message to standard error as well
 -t, --tag <標誌>      用此標誌標記每一行
 -u, --socket <套接字> 寫入此 Unix 套接字
 -V, --version         輸出版本資訊並退出

[root@test ~]#

  Send an info-level message to local3

[root@test ~]#logger -p "local3.info" "this is test log" 
[root@test ~]#tail /var/log/sshd.log 
Dec 24 19:23:33 test sshd[4532]: Received signal 15; terminating.
Dec 24 19:23:33 test sshd[4575]: Server listening on 0.0.0.0 port 41319.
Dec 24 19:23:33 test sshd[4575]: Server listening on :: port 41319.
Dec 24 19:42:49 test qiuhom: this is test log
[root@test ~]#

  Note: with this tool we can easily test whether the logging system is recording logs properly

  Configure all levels of local4 to be sent to the terminals of all users logged into the system

[root@test ~]#grep "local" /etc/rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
local7.*                                                /var/log/boot.log
local3.*                                                /var/log/sshd.log
local4.*                                                *
[root@test ~]#systemctl restart rsyslog
[root@test ~]#syst^C
[root@test ~]#who 
root     tty1         2019-12-24 19:50
qiuhom   pts/0        2019-12-24 19:03 (192.168.0.232)
qiuhom   pts/1        2019-12-24 19:50 (192.168.0.232)
[root@test ~]#logger -p "local4.info" "this is test log"

Message from syslogd@test at Dec 24 19:53:02 ...
 qiuhom:this is test log
[root@test ~]#

  journalctl: this is a log management tool on CentOS 7. systemd manages the startup logs of all units centrally; the benefit is that a single journalctl command can view all logs (kernel and application). Its configuration file is /etc/systemd/journald.conf

  1) View all logs (by default only the logs of the current boot are kept)

[root@test ~]#journalctl 
-- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 20:01:01 CST. --
12月 23 12:42:48 docker systemd-journal[105]: Runtime journal is using 8.0M (max allowed 91.3M, trying to leave 136.9
12月 23 12:42:48 docker kernel: Initializing cgroup subsys cpuset
12月 23 12:42:48 docker kernel: Initializing cgroup subsys cpu
12月 23 12:42:48 docker kernel: Initializing cgroup subsys cpuacct
12月 23 12:42:48 docker kernel: Linux version 3.10.0-957.27.2.el7.x86_64 ([email protected]) (gcc ve
12月 23 12:42:48 docker kernel: Command line: BOOT_IMAGE=/vmlinuz-3.10.0-957.27.2.el7.x86_64 root=/dev/mapper/centos-
12月 23 12:42:48 docker kernel: Disabled fast string operations
12月 23 12:42:48 docker kernel: e820: BIOS-provided physical RAM map:
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009ffff] usable
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000000a0000-0x00000000000fffff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x0000000000100000-0x000000007f045fff] usable
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f046000-0x000000007f0ccfff] ACPI NVS
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f0cd000-0x000000007f0cefff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f0cf000-0x000000007f0d6fff] ACPI data
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f0d7000-0x000000007f103fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f104000-0x000000007f104fff] usable
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f105000-0x000000007f105fff] ACPI NVS
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f106000-0x000000007f125fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f126000-0x000000007f130fff] ACPI NVS
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f131000-0x000000007f158fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f159000-0x000000007f19bfff] ACPI NVS
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f19c000-0x000000007f586fff] usable
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f587000-0x000000007f6e3fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f6e4000-0x000000007f6effff] usable
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f6f0000-0x000000007fffffff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000e0000000-0x00000000efffffff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fec00000-0x00000000fec00fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fed00000-0x00000000fed00fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fed1c000-0x00000000fed8ffff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fee00000-0x00000000fee00fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000ffe00000-0x00000000ffffffff] reserved
12月 23 12:42:48 docker kernel: NX (Execute Disable) protection: active
12月 23 12:42:48 docker kernel: e820: update [mem 0x0b91c018-0x0b92c057] usable ==> usable
12月 23 12:42:48 docker kernel: e820: update [mem 0x0b92d018-0x0b93d057] usable ==> usable
12月 23 12:42:48 docker kernel: extended physical RAM map:
12月 23 12:42:48 docker kernel: reserve setup_data: [mem 0x0000000000000000-0x000000000009ffff] usable
12月 23 12:42:48 docker kernel: reserve setup_data: [mem 0x00000000000a0000-0x00000000000fffff] reserved
12月 23 12:42:48 docker kernel: reserve setup_data: [mem 0x0000000000100000-0x000000000b91c017] usable
lines 1-39

  2) View kernel logs (application logs are not shown)

[root@test ~]#journalctl -k
-- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 20:01:01 CST. --
12月 23 12:42:48 docker kernel: Initializing cgroup subsys cpuset
12月 23 12:42:48 docker kernel: Initializing cgroup subsys cpu
12月 23 12:42:48 docker kernel: Initializing cgroup subsys cpuacct
12月 23 12:42:48 docker kernel: Linux version 3.10.0-957.27.2.el7.x86_64 ([email protected]) (gcc ve
12月 23 12:42:48 docker kernel: Command line: BOOT_IMAGE=/vmlinuz-3.10.0-957.27.2.el7.x86_64 root=/dev/mapper/centos-
12月 23 12:42:48 docker kernel: Disabled fast string operations
12月 23 12:42:48 docker kernel: e820: BIOS-provided physical RAM map:
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009ffff] usable
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000000a0000-0x00000000000fffff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x0000000000100000-0x000000007f045fff] usable
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f046000-0x000000007f0ccfff] ACPI NVS
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f0cd000-0x000000007f0cefff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f0cf000-0x000000007f0d6fff] ACPI data
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f0d7000-0x000000007f103fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f104000-0x000000007f104fff] usable
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f105000-0x000000007f105fff] ACPI NVS
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f106000-0x000000007f125fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f126000-0x000000007f130fff] ACPI NVS
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f131000-0x000000007f158fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f159000-0x000000007f19bfff] ACPI NVS
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f19c000-0x000000007f586fff] usable
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f587000-0x000000007f6e3fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f6e4000-0x000000007f6effff] usable
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f6f0000-0x000000007fffffff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000e0000000-0x00000000efffffff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fec00000-0x00000000fec00fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fed00000-0x00000000fed00fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fed1c000-0x00000000fed8ffff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fee00000-0x00000000fee00fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000ffe00000-0x00000000ffffffff] reserved
12月 23 12:42:48 docker kernel: NX (Execute Disable) protection: active
12月 23 12:42:48 docker kernel: e820: update [mem 0x0b91c018-0x0b92c057] usable ==> usable
12月 23 12:42:48 docker kernel: e820: update [mem 0x0b92d018-0x0b93d057] usable ==> usable
12月 23 12:42:48 docker kernel: extended physical RAM map:
12月 23 12:42:48 docker kernel: reserve setup_data: [mem 0x0000000000000000-0x000000000009ffff] usable
12月 23 12:42:48 docker kernel: reserve setup_data: [mem 0x00000000000a0000-0x00000000000fffff] reserved
12月 23 12:42:48 docker kernel: reserve setup_data: [mem 0x0000000000100000-0x000000000b91c017] usable
12月 23 12:42:48 docker kernel: reserve setup_data: [mem 0x000000000b91c018-0x000000000b92c057] usable
lines 1-39

  3) View the logs of the current boot

[root@test ~]#journalctl -b 0
-- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 20:01:01 CST. --
12月 23 12:42:48 docker systemd-journal[105]: Runtime journal is using 8.0M (max allowed 91.3M, trying to leave 136.9
12月 23 12:42:48 docker kernel: Initializing cgroup subsys cpuset
12月 23 12:42:48 docker kernel: Initializing cgroup subsys cpu
12月 23 12:42:48 docker kernel: Initializing cgroup subsys cpuacct
12月 23 12:42:48 docker kernel: Linux version 3.10.0-957.27.2.el7.x86_64 ([email protected]) (gcc ve
12月 23 12:42:48 docker kernel: Command line: BOOT_IMAGE=/vmlinuz-3.10.0-957.27.2.el7.x86_64 root=/dev/mapper/centos-
12月 23 12:42:48 docker kernel: Disabled fast string operations
12月 23 12:42:48 docker kernel: e820: BIOS-provided physical RAM map:
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009ffff] usable
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000000a0000-0x00000000000fffff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x0000000000100000-0x000000007f045fff] usable
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f046000-0x000000007f0ccfff] ACPI NVS
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f0cd000-0x000000007f0cefff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f0cf000-0x000000007f0d6fff] ACPI data
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f0d7000-0x000000007f103fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f104000-0x000000007f104fff] usable
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f105000-0x000000007f105fff] ACPI NVS
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f106000-0x000000007f125fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f126000-0x000000007f130fff] ACPI NVS
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f131000-0x000000007f158fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f159000-0x000000007f19bfff] ACPI NVS
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f19c000-0x000000007f586fff] usable
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f587000-0x000000007f6e3fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f6e4000-0x000000007f6effff] usable
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f6f0000-0x000000007fffffff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000e0000000-0x00000000efffffff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fec00000-0x00000000fec00fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fed00000-0x00000000fed00fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fed1c000-0x00000000fed8ffff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fee00000-0x00000000fee00fff] reserved
12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000ffe00000-0x00000000ffffffff] reserved
12月 23 12:42:48 docker kernel: NX (Execute Disable) protection: active
12月 23 12:42:48 docker kernel: e820: update [mem 0x0b91c018-0x0b92c057] usable ==> usable
12月 23 12:42:48 docker kernel: e820: update [mem 0x0b92d018-0x0b93d057] usable ==> usable
12月 23 12:42:48 docker kernel: extended physical RAM map:
12月 23 12:42:48 docker kernel: reserve setup_data: [mem 0x0000000000000000-0x000000000009ffff] usable
12月 23 12:42:48 docker kernel: reserve setup_data: [mem 0x00000000000a0000-0x00000000000fffff] reserved
12月 23 12:42:48 docker kernel: reserve setup_data: [mem 0x0000000000100000-0x000000000b91c017] usable
lines 1-39

  4) View logs for a given time range

journalctl --since="2017-10-30 18:10:30"
journalctl --since "20 min ago"
journalctl --since yesterday
journalctl --since "2017-01-10" --until "2017-01-11 03:00"
journalctl --since 09:00 --until "1 hour ago"
[root@test ~]#journalctl --since 09:00 --until "1 hour ago"
-- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 20:01:01 CST. --
12月 24 09:01:01 test systemd[1]: Created slice User Slice of root.
12月 24 09:01:01 test systemd[1]: Started Session 22 of user root.
12月 24 09:01:01 test CROND[2543]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 09:01:01 test run-parts(/etc/cron.hourly)[2546]: starting 0anacron
12月 24 09:01:01 test run-parts(/etc/cron.hourly)[2552]: finished 0anacron
12月 24 09:01:02 test systemd[1]: Removed slice User Slice of root.
12月 24 10:01:01 test systemd[1]: Created slice User Slice of root.
12月 24 10:01:01 test systemd[1]: Started Session 23 of user root.
12月 24 10:01:01 test CROND[2561]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 10:01:01 test run-parts(/etc/cron.hourly)[2564]: starting 0anacron
12月 24 10:01:01 test run-parts(/etc/cron.hourly)[2570]: finished 0anacron
12月 24 10:01:01 test systemd[1]: Removed slice User Slice of root.
12月 24 11:01:01 test systemd[1]: Created slice User Slice of root.
12月 24 11:01:01 test systemd[1]: Started Session 24 of user root.
12月 24 11:01:01 test CROND[2579]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 11:01:01 test run-parts(/etc/cron.hourly)[2582]: starting 0anacron
12月 24 11:01:01 test run-parts(/etc/cron.hourly)[2588]: finished 0anacron
12月 24 11:01:01 test systemd[1]: Removed slice User Slice of root.
12月 24 12:01:01 test systemd[1]: Created slice User Slice of root.
12月 24 12:01:01 test systemd[1]: Started Session 25 of user root.
12月 24 12:01:01 test CROND[2597]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 12:01:01 test run-parts(/etc/cron.hourly)[2600]: starting 0anacron
12月 24 12:01:01 test run-parts(/etc/cron.hourly)[2606]: finished 0anacron
12月 24 12:01:01 test systemd[1]: Removed slice User Slice of root.
12月 24 12:58:31 test systemd[1]: Starting Cleanup of Temporary Directories...
12月 24 12:58:32 test systemd[1]: Started Cleanup of Temporary Directories.
12月 24 13:01:01 test systemd[1]: Created slice User Slice of root.
12月 24 13:01:01 test systemd[1]: Started Session 26 of user root.
12月 24 13:01:01 test CROND[2619]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 13:01:01 test run-parts(/etc/cron.hourly)[2622]: starting 0anacron
12月 24 13:01:01 test run-parts(/etc/cron.hourly)[2628]: finished 0anacron
12月 24 13:01:01 test systemd[1]: Removed slice User Slice of root.
12月 24 13:16:24 test sshd[2635]: Accepted password for qiuhom from 192.168.0.232 port 2097 ssh2
12月 24 13:16:25 test systemd[1]: Created slice User Slice of qiuhom.
12月 24 13:16:25 test systemd-logind[773]: New session 27 of user qiuhom.
12月 24 13:16:25 test systemd[1]: Started Session 27 of user qiuhom.
12月 24 13:16:25 test sshd[2635]: pam_unix(sshd:session): session opened for user qiuhom by (uid=0)
12月 24 13:16:28 test su[2673]: (to root) qiuhom on pts/0
lines 1-39

  Note: the given time cannot be earlier than the earliest recorded time

  5) Show the newest entries at the tail; the default is 10 lines

[root@test ~]#journalctl -n
-- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 20:01:01 CST. --
12月 24 19:52:16 test rsyslogd[6118]: error during parsing file /etc/rsyslog.conf, on or before line 75: warnings occ
12月 24 19:52:16 test polkitd[752]: Unregistered Authentication Agent for unix-process:6111:11217058 (system bus name
12月 24 19:53:02 test qiuhom[6222]: this is test log
12月 24 19:53:47 test su[6256]: (to root) qiuhom on pts/1
12月 24 19:53:47 test su[6256]: pam_unix(su-l:session): session opened for user root by qiuhom(uid=1000)
12月 24 19:53:54 test qiuhom[6466]: this is test log
12月 24 20:01:01 test systemd[1]: Started Session 37 of user root.
12月 24 20:01:01 test CROND[6791]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 20:01:01 test run-parts(/etc/cron.hourly)[6794]: starting 0anacron
12月 24 20:01:01 test run-parts(/etc/cron.hourly)[6800]: finished 0anacron
[root@test ~]#journalctl -n 15
-- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 20:01:01 CST. --
12月 24 19:52:16 test systemd[1]: Stopped System Logging Service.
12月 24 19:52:16 test systemd[1]: Starting System Logging Service...
12月 24 19:52:16 test rsyslogd[6118]:  [origin software="rsyslogd" swVersion="8.24.0-34.el7" x-pid="6118" x-info="htt
12月 24 19:52:16 test rsyslogd[6118]: action '*' treated as ':omusrmsg:*' - please use ':omusrmsg:*' syntax instead, 
12月 24 19:52:16 test systemd[1]: Started System Logging Service.
12月 24 19:52:16 test rsyslogd[6118]: error during parsing file /etc/rsyslog.conf, on or before line 75: warnings occ
12月 24 19:52:16 test polkitd[752]: Unregistered Authentication Agent for unix-process:6111:11217058 (system bus name
12月 24 19:53:02 test qiuhom[6222]: this is test log
12月 24 19:53:47 test su[6256]: (to root) qiuhom on pts/1
12月 24 19:53:47 test su[6256]: pam_unix(su-l:session): session opened for user root by qiuhom(uid=1000)
12月 24 19:53:54 test qiuhom[6466]: this is test log
12月 24 20:01:01 test systemd[1]: Started Session 37 of user root.
12月 24 20:01:01 test CROND[6791]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 20:01:01 test run-parts(/etc/cron.hourly)[6794]: starting 0anacron
12月 24 20:01:01 test run-parts(/etc/cron.hourly)[6800]: finished 0anacron
[root@test ~]#

  6) Follow the newest log entries in real time

[root@test ~]#journalctl -f
-- Logs begin at 一 2019-12-23 12:42:48 CST. --
12月 24 19:52:16 test rsyslogd[6118]: error during parsing file /etc/rsyslog.conf, on or before line 75: warnings occured in file '/etc/rsyslog.conf' around line 75 [v8.24.0-34.el7 try http://www.rsyslog.com/e/2207 ]
12月 24 19:52:16 test polkitd[752]: Unregistered Authentication Agent for unix-process:6111:11217058 (system bus name :1.95, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8) (disconnected from bus)
12月 24 19:53:02 test qiuhom[6222]: this is test log
12月 24 19:53:47 test su[6256]: (to root) qiuhom on pts/1
12月 24 19:53:47 test su[6256]: pam_unix(su-l:session): session opened for user root by qiuhom(uid=1000)
12月 24 19:53:54 test qiuhom[6466]: this is test log
12月 24 20:01:01 test systemd[1]: Started Session 37 of user root.
12月 24 20:01:01 test CROND[6791]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 20:01:01 test run-parts(/etc/cron.hourly)[6794]: starting 0anacron
12月 24 20:01:01 test run-parts(/etc/cron.hourly)[6800]: finished 0anacron
12月 24 20:51:28 test qiuhom[8356]: this is a test log

  Note: this option is similar to tail -f

  7) View the logs of a given service

[root@test ~]#journalctl /sbin/nginx
-- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 20:51:28 CST. --
12月 23 12:43:07 test nginx[1050]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
12月 23 12:43:07 test nginx[1050]: nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@test ~]#journalctl /usr/lib/systemd/systemd
-- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 20:51:28 CST. --
12月 23 12:42:49 docker systemd[1]: Started Setup Virtual Console.
12月 23 12:42:49 docker systemd[1]: Started dracut cmdline hook.
12月 23 12:42:49 docker systemd[1]: Starting dracut pre-udev hook...
12月 23 12:42:49 docker systemd[1]: Started dracut pre-udev hook.
12月 23 12:42:49 docker systemd[1]: Starting udev Kernel Device Manager...
12月 23 12:42:49 docker systemd[1]: Started udev Kernel Device Manager.
12月 23 12:42:49 docker systemd[1]: Starting udev Coldplug all Devices...
12月 23 12:42:49 docker systemd[1]: Mounting Configuration File System...
12月 23 12:42:49 docker systemd[1]: Mounted Configuration File System.
12月 23 12:42:49 docker systemd[1]: Started udev Coldplug all Devices.
12月 23 12:42:49 docker systemd[1]: Reached target System Initialization.
12月 23 12:42:49 docker systemd[1]: Starting Show Plymouth Boot Screen...
12月 23 12:42:49 docker systemd[1]: Starting dracut initqueue hook...
12月 23 12:42:49 docker systemd[1]: Started Show Plymouth Boot Screen.
12月 23 12:42:49 docker systemd[1]: Started Forward Password Requests to Plymouth Directory Watch.
12月 23 12:42:49 docker systemd[1]: Reached target Paths.
12月 23 12:42:49 docker systemd[1]: Reached target Basic System.
12月 23 12:42:51 docker systemd[1]: Found device /dev/mapper/centos-root.
12月 23 12:42:51 docker systemd[1]: Starting File System Check on /dev/mapper/centos-root...
12月 23 12:42:51 docker systemd[1]: Started File System Check on /dev/mapper/centos-root.
12月 23 12:42:51 docker systemd[1]: Started dracut initqueue hook.
12月 23 12:42:51 docker systemd[1]: Reached target Remote File Systems (Pre).
12月 23 12:42:51 docker systemd[1]: Reached target Remote File Systems.
12月 23 12:42:51 docker systemd[1]: Mounting /sysroot...
12月 23 12:42:52 docker systemd[1]: Mounted /sysroot.
12月 23 12:42:52 docker systemd[1]: Reached target Initrd Root File System.
12月 23 12:42:52 docker systemd[1]: Starting Reload Configuration from the Real Root...
12月 23 12:42:52 docker systemd[1]: Reloading.
12月 23 12:42:52 docker systemd[1]: Started Reload Configuration from the Real Root.
12月 23 12:42:52 docker systemd[1]: Reached target Initrd File Systems.
12月 23 12:42:52 docker systemd[1]: Reached target Initrd Default Target.
12月 23 12:42:52 docker systemd[1]: Starting dracut pre-pivot and cleanup hook...
12月 23 12:42:52 docker systemd[1]: Started dracut pre-pivot and cleanup hook.
12月 23 12:42:52 docker systemd[1]: Starting Cleaning Up and Shutting Down Daemons...
12月 23 12:42:52 docker systemd[1]: Stopped target Timers.
12月 23 12:42:52 docker systemd[1]: Starting Plymouth switch root service...
12月 23 12:42:52 docker systemd[1]: Stopped Cleaning Up and Shutting Down Daemons.
12月 23 12:42:52 docker systemd[1]: Stopped dracut pre-pivot and cleanup hook.
lines 1-39

  8) View the logs of a given process

[root@test ~]#journalctl _PID=757
-- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 21:08:23 CST. --
12月 23 12:42:56 test chronyd[757]: chronyd version 3.4 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SI
12月 23 12:42:56 test chronyd[757]: Frequency -5.019 +/- 0.085 ppm read from /var/lib/chrony/drift
12月 23 12:43:07 test chronyd[757]: Selected source 84.16.67.12
[root@test ~]#journalctl _PID=10781
-- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 21:08:23 CST. --
12月 24 21:08:08 test setroubleshoot[10781]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:08:08 test python[10781]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tcp_socket
                                      
                                      *****  Plugin connect_ports (85.9 confidence) suggests   *********************
                                      
                                      If you want to allow /usr/sbin/nginx to connect to network port 8888
                                      Then you need to modify the port type.
                                      Do
                                      # semanage port -a -t PORT_TYPE -p tcp 8888
                                          where PORT_TYPE is one of the following: dns_port_t, dnssec_port_t, http_po
                                      
                                      *****  Plugin catchall_boolean (7.33 confidence) suggests   ******************
                                      
                                      If you want to allow httpd to can network connect
                                      Then you must tell SELinux about this by enabling the 'httpd_can_network_connec
                                      
                                      Do
                                      setsebool -P httpd_can_network_connect 1
                                      
                                      *****  Plugin catchall_boolean (7.33 confidence) suggests   ******************
                                      
                                      If you want to allow nis to enabled
                                      Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
                                      
                                      Do
                                      setsebool -P nis_enabled 1
                                      
                                      *****  Plugin catchall (1.35 confidence) suggests   **************************
                                      
                                      If you believe that nginx should be allowed name_connect access on the port 888
                                      Then you should report this as a bug.
                                      You can generate a local policy module to allow this access.
                                      Do
                                      allow this access for now by executing:
                                      # ausearch -c 'nginx' --raw | audit2allow -M my-nginx
                                      # semodule -i my-nginx.pp
                                      
lines 1-38/38 (END)

  9) View the logs of scripts run from a given path

[root@test ~]#journalctl /usr/bin/bash
-- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 21:08:23 CST. --
12月 23 12:42:56 test augenrules[730]: /sbin/augenrules: No change
12月 23 12:42:56 test augenrules[730]: No rules
12月 23 12:43:06 test network[883]: 正在開啟環回介面: [  確定  ]
12月 23 12:43:06 test network[883]: 正在開啟介面 enp2s0: [  確定  ]
12月 23 13:01:01 test CROND[1515]: (root) CMD (run-parts /etc/cron.hourly)
12月 23 14:01:01 test CROND[2160]: (root) CMD (run-parts /etc/cron.hourly)
12月 23 15:01:01 test CROND[2185]: (root) CMD (run-parts /etc/cron.hourly)
12月 23 16:01:01 test CROND[2203]: (root) CMD (run-parts /etc/cron.hourly)
12月 23 17:01:01 test CROND[2221]: (root) CMD (run-parts /etc/cron.hourly)
12月 23 18:01:01 test CROND[2239]: (root) CMD (run-parts /etc/cron.hourly)
12月 23 19:01:02 test CROND[2256]: (root) CMD (run-parts /etc/cron.hourly)
12月 23 20:01:01 test CROND[2275]: (root) CMD (run-parts /etc/cron.hourly)
12月 23 21:01:01 test CROND[2291]: (root) CMD (run-parts /etc/cron.hourly)
12月 23 22:01:01 test CROND[2309]: (root) CMD (run-parts /etc/cron.hourly)
12月 23 23:01:01 test CROND[2328]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 01:01:01 test CROND[2368]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 02:01:01 test CROND[2388]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 03:01:01 test CROND[2408]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 04:01:01 test CROND[2455]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 07:01:01 test CROND[2507]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 08:01:01 test CROND[2525]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 09:01:01 test CROND[2543]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 10:01:01 test CROND[2561]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 11:01:01 test CROND[2579]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 12:01:01 test CROND[2597]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 13:01:01 test CROND[2619]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 14:01:01 test CROND[3415]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 16:01:01 test CROND[3454]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 17:01:01 test CROND[3472]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 18:01:01 test CROND[3490]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 19:01:01 test CROND[3509]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 20:01:01 test CROND[6791]: (root) CMD (run-parts /etc/cron.hourly)
12月 24 21:01:01 test CROND[9711]: (root) CMD (run-parts /etc/cron.hourly)
[root@test ~]#

  10) View the logs of a given user

[root@test ~]#id qiuhom
uid=1000(qiuhom) gid=1000(qiuhom) 組=1000(qiuhom)
[root@test ~]#journalctl _UID=1000
-- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 21:08:23 CST. --
12月 23 13:23:58 test su[1912]: (to root) qiuhom on pts/0
12月 23 13:23:58 test su[1912]: pam_unix(su-l:session): session opened for user root by qiuhom(uid=1000)
12月 23 14:07:46 test su[1912]: pam_unix(su-l:session): session closed for user root
12月 24 13:16:28 test su[2673]: (to root) qiuhom on pts/0
12月 24 13:16:28 test su[2673]: pam_unix(su-l:session): session opened for user root by qiuhom(uid=1000)
12月 24 14:02:19 test su[2673]: pam_unix(su-l:session): session closed for user root
12月 24 19:03:55 test su[3562]: (to root) qiuhom on pts/0
12月 24 19:03:55 test su[3562]: pam_unix(su-l:session): session opened for user root by qiuhom(uid=1000)
12月 24 19:53:47 test su[6256]: (to root) qiuhom on pts/1
12月 24 19:53:47 test su[6256]: pam_unix(su-l:session): session opened for user root by qiuhom(uid=1000)
[root@test ~]#

  11) View the logs of a given unit

[root@test ~]#journalctl -u nginx.service
-- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 21:08:23 CST. --
12月 23 12:43:07 test systemd[1]: Starting The nginx HTTP and reverse proxy server...
12月 23 12:43:07 test nginx[1050]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
12月 23 12:43:07 test nginx[1050]: nginx: configuration file /etc/nginx/nginx.conf test is successful
12月 23 12:43:08 test systemd[1]: Started The nginx HTTP and reverse proxy server.
[root@test ~]#journalctl -u nginx.service --since today
-- No entries --
[root@test ~]#systemctl restart nginx
[root@test ~]#journalctl -u nginx.service --since today
-- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 21:14:31 CST. --
12月 24 21:14:31 test systemd[1]: Stopping The nginx HTTP and reverse proxy server...
12月 24 21:14:31 test systemd[1]: Stopped The nginx HTTP and reverse proxy server.
12月 24 21:14:31 test systemd[1]: Starting The nginx HTTP and reverse proxy server...
12月 24 21:14:31 test nginx[11296]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
12月 24 21:14:31 test nginx[11296]: nginx: configuration file /etc/nginx/nginx.conf test is successful
12月 24 21:14:31 test systemd[1]: Started The nginx HTTP and reverse proxy server.
[root@test ~]#

  Note: several units can be given at once, each with its own -u; --since restricts the time range, and -f follows the latest log entries of a unit.

  12) View logs of a given priority (and all higher priorities); there are 8 levels

    0: emerg
    1: alert
    2: crit
    3: err
    4: warning
    5: notice
    6: info
    7: debug

[root@test ~]#journalctl -p err
-- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 21:14:31 CST. --
12月 23 12:42:50 docker kernel: gma500 0000:00:02.0: GPU: power management timed out.
12月 24 19:47:41 test rsyslogd[5521]: error during parsing file /etc/rsyslog.conf, on or before line 75: warnings occ
12月 24 19:52:16 test rsyslogd[6118]: error during parsing file /etc/rsyslog.conf, on or before line 75: warnings occ
12月 24 21:07:45 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:07:48 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:07:49 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:07:50 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:07:50 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:07:51 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:07:52 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:07:53 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:07:53 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:07:54 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:07:55 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:07:56 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:07:56 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:07:57 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:07:58 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:07:58 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:07:59 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:08:00 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:08:01 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:08:01 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:08:02 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:08:03 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:08:08 test setroubleshoot[10781]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:08:23 test setroubleshoot[10826]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
[root@test ~]#

  13) Output is paged by default; --no-pager switches to plain standard output

…… part of the output omitted
12月 24 21:14:31 test polkitd[752]: Registered Authentication Agent for unix-process:11283:11710498 (system bus name :1.105 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8)
12月 24 21:14:31 test systemd[1]: Stopping The nginx HTTP and reverse proxy server...
12月 24 21:14:31 test systemd[1]: Stopped The nginx HTTP and reverse proxy server.
12月 24 21:14:31 test systemd[1]: Starting The nginx HTTP and reverse proxy server...
12月 24 21:14:31 test nginx[11296]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
12月 24 21:14:31 test nginx[11296]: nginx: configuration file /etc/nginx/nginx.conf test is successful
12月 24 21:14:31 test systemd[1]: Started The nginx HTTP and reverse proxy server.
12月 24 21:14:31 test polkitd[752]: Unregistered Authentication Agent for unix-process:11283:11710498 (system bus name :1.105, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8) (disconnected from bus)
[root@test ~]#

  14) Output in JSON format (one entry per line)

[root@test ~]#journalctl -b -u nginx.service -o json
{ "__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=4fe;b=e3110b5a73e44bebb9ac87b21fad016d;m=1401ea7;t=59a57a9eb3d4c
{ "__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=50a;b=e3110b5a73e44bebb9ac87b21fad016d;m=1488bea;t=59a57a9f3aa8f
{ "__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=50b;b=e3110b5a73e44bebb9ac87b21fad016d;m=1489f61;t=59a57a9f3be06
{ "__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=50d;b=e3110b5a73e44bebb9ac87b21fad016d;m=14d1bc8;t=59a57a9f83a6e
{ "__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=6b9;b=e3110b5a73e44bebb9ac87b21fad016d;m=1b44014f22;t=59a72ecac6
{ "__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=6ba;b=e3110b5a73e44bebb9ac87b21fad016d;m=1b44020532;t=59a72ecad2
{ "__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=6bb;b=e3110b5a73e44bebb9ac87b21fad016d;m=1b44024a99;t=59a72ecad6
{ "__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=6bc;b=e3110b5a73e44bebb9ac87b21fad016d;m=1b44046779;t=59a72ecaf8
{ "__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=6bd;b=e3110b5a73e44bebb9ac87b21fad016d;m=1b44046be4;t=59a72ecaf8
{ "__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=6be;b=e3110b5a73e44bebb9ac87b21fad016d;m=1b440637c3;t=59a72ecb15
[root@test ~]#

  Multi-line output, which is easier to read

[root@test ~]#journalctl -b -u nginx.service -o json-pretty
{
        "__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=4fe;b=e3110b5a73e44bebb9ac87b21fad016d;m=1401ea7;t=59a57a9
        "__REALTIME_TIMESTAMP" : "1577076187151692",
        "__MONOTONIC_TIMESTAMP" : "20979367",
        "_BOOT_ID" : "e3110b5a73e44bebb9ac87b21fad016d",
        "PRIORITY" : "6",
        "_UID" : "0",
        "_GID" : "0",
        "_MACHINE_ID" : "931bcb70deb1435eaea1d542d13878cc",
        "SYSLOG_FACILITY" : "3",
        "SYSLOG_IDENTIFIER" : "systemd",
        "_TRANSPORT" : "journal",
        "_PID" : "1",
        "_COMM" : "systemd",
        "_EXE" : "/usr/lib/systemd/systemd",
        "_CAP_EFFECTIVE" : "1fffffffff",
        "_SYSTEMD_CGROUP" : "/",
        "CODE_FILE" : "src/core/unit.c",
        "CODE_FUNCTION" : "unit_status_log_starting_stopping_reloading",
        "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5",
        "_HOSTNAME" : "test",
        "_CMDLINE" : "/usr/lib/systemd/systemd --switched-root --system --deserialize 22",
        "_SELINUX_CONTEXT" : "system_u:system_r:init_t:s0",
        "CODE_LINE" : "1395",
        "UNIT" : "nginx.service",
        "MESSAGE" : "Starting The nginx HTTP and reverse proxy server...",
        "_SOURCE_REALTIME_TIMESTAMP" : "1577076187143557"
}
{
        "__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=50a;b=e3110b5a73e44bebb9ac87b21fad016d;m=1488bea;t=59a57a9
        "__REALTIME_TIMESTAMP" : "1577076187703951",
        "__MONOTONIC_TIMESTAMP" : "21531626",
        "_BOOT_ID" : "e3110b5a73e44bebb9ac87b21fad016d",
        "PRIORITY" : "6",
        "_UID" : "0",
        "_GID" : "0",
        "_SYSTEMD_SLICE" : "system.slice",
        "_MACHINE_ID" : "931bcb70deb1435eaea1d542d13878cc",
        "SYSLOG_FACILITY" : "3",
[root@test ~]#

  15) Show the disk space used by the journal

[root@test ~]#journalctl --disk-usage
Archived and active journals take up 8.0M on disk.
[root@test ~]#

  Limit the maximum disk space used by journal files

[root@test ~]#journalctl --vacuum-size=1G
Vacuuming done, freed 0B of archived journals on disk.
[root@test ~]#

  Limit how long journal files are retained

[root@test ~]#journalctl --vacuum-time=1years
Vacuuming done, freed 0B of archived journals on disk.
[root@test ~]#

  五、Start the network logging service: run rsyslog over TCP or UDP and configure it as a log server

    1) Configure rsyslog to listen on port 514 over TCP or UDP

[root@test ~]#grep -i "tcp" /etc/rsyslog.conf    
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
# Remote Logging (we use TCP for reliable delivery)
[root@test ~]#grep -i "udp" /etc/rsyslog.conf   
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
[root@test ~]#

  Note: the configuration above makes rsyslog listen on UDP port 514 (the TCP input is enabled the same way). Once the configuration file is edited and the service restarted, this host becomes an rsyslog log server and can record logs on behalf of other servers.

    2) Restart the rsyslog service, then configure rsyslog on the client so that it sends its logs to the rsyslog server for recording

[root@test ~]#systemctl restart rsyslog
[root@test ~]#ss -ntul
Netid State      Recv-Q Send-Q           Local Address:Port                          Peer Address:Port              
udp   UNCONN     0      0                            *:123                                      *:*                  
udp   UNCONN     0      0                    127.0.0.1:323                                      *:*                  
udp   UNCONN     0      0                            *:514                                      *:*                  
udp   UNCONN     0      0                          ::1:323                                     :::*                  
udp   UNCONN     0      0                           :::514                                     :::*                  
tcp   LISTEN     0      100                  127.0.0.1:25                                       *:*                  
tcp   LISTEN     0      25                           *:514                                      *:*                  
tcp   LISTEN     0      128                          *:41319                                    *:*                  
tcp   LISTEN     0      50                           *:3306                                     *:*                  
tcp   LISTEN     0      100                        ::1:25                                      :::*                  
tcp   LISTEN     0      25                          :::514                                     :::*                  
tcp   LISTEN     0      128                         :::41319                                   :::*                  
tcp   LISTEN     0      128                         :::80                                      :::*                  
[root@test ~]#

  Note: after the restart, port 514 is listening. Next, configure rsyslog on the client so that it sends its logs over the network to the log server.

[root@test-node1 ~]#grep "192.168.0.99" /etc/rsyslog.conf
*.info;mail.none;authpriv.none;cron.none                @192.168.0.99
[root@test-node1 ~]#

  Note: the rule above sends the info-and-above messages of every facility except mail, authpriv and cron to 192.168.0.99 for recording. One point to watch: a single "@" means the connection to the server is made over UDP and the logs are sent over UDP; a double "@@" means the connection is made over TCP and the logs are sent over TCP.

    3) Restart rsyslog on the client and view the client's logs on the server

[root@test-node1 ~]#/etc/init.d/rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
[root@test-node1 ~]#logger "i am test-node1"
[root@test-node1 ~]#tail /var/log/messages
Dec 24 23:06:17 test kernel: cfg80211:   (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 0 mBm), (N/A)
Dec 24 23:06:17 test kernel: EXT4-fs (sda1): mounted filesystem with ordered data mode. Opts: 
Dec 24 23:06:17 test kernel: EXT4-fs (dm-2): mounted filesystem with ordered data mode. Opts: 
Dec 24 23:06:17 test kernel: Adding 4128764k swap on /dev/mapper/VolGroup-lv_swap.  Priority:-1 extents:1 across:4128764k 
Dec 24 23:06:17 test kernel: sky2 eth0: enabling interface
Dec 24 23:06:17 test kernel: ADDRCONF(NETDEV_UP): eth0: link is not ready
Dec 24 23:06:17 test kernel: sky2 eth0: Link is up at 1000 Mbps, full duplex, flow control both
Dec 24 23:06:17 test kernel: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
Dec 24 23:23:06 test kernel: Kernel logging (proc) stopped.
Dec 24 23:23:06 test rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1471" x-info="http://www.rsyslog.com"] exiting on signal 15.
[root@test-node1 ~]#

  Note: as you can see, the client no longer records the log message locally

[root@test ~]#tail /var/log/messages
Dec 24 21:43:07 test systemd: Started System Logging Service.
Dec 24 23:26:04 test systemd: Stopping System Logging Service...
Dec 24 23:26:04 test rsyslogd: [origin software="rsyslogd" swVersion="8.24.0-41.el7_7.2" x-pid="16136" x-info="http://www.rsyslog.com"] exiting on signal 15.
Dec 24 23:26:04 test systemd: Stopped System Logging Service.
Dec 24 23:26:04 test systemd: Starting System Logging Service...
Dec 24 23:26:04 test rsyslogd: [origin software="rsyslogd" swVersion="8.24.0-41.el7_7.2" x-pid="16359" x-info="http://www.rsyslog.com"] start
Dec 24 23:26:04 test rsyslogd: action '*' treated as ':omusrmsg:*' - please use ':omusrmsg:*' syntax instead, '*' will not be supported in the future [v8.24.0-41.el7_7.2 try http://www.rsyslog.com/e/2184 ]
Dec 24 23:26:04 test systemd: Started System Logging Service.
Dec 24 23:26:04 test rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 76: warnings occured in file '/etc/rsyslog.conf' around line 76 [v8.24.0-41.el7_7.2 try http://www.rsyslog.com/e/2207 ]
Dec 24 23:26:13 test-node1 qiuhom: i am test-node1
[root@test ~]#

  Note: on the log server we can see the test message we just sent. One thing to point out: the client sends its logs to the server over the network, but how the server stores them depends entirely on the server's configuration; it can store them in a database or in a file.
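  As an added example (not part of the original post), the following server-side and client-side fragments build on the "@"/"@@" rule above, using the same legacy directive syntax as the page. They assume the log server is 192.168.0.99 as above, that each host includes /etc/rsyslog.d/*.conf, and that /var/log/remote/ and the template name RemoteHostLog are our own choices.

```conf
#### Server side (192.168.0.99): /etc/rsyslog.d/remote-server.conf (assumed path)
# Receive on TCP 514 only; unlike UDP, a TCP sender address cannot be trivially forged.
# Plain TCP still carries logs unencrypted (rsyslog's gtls driver adds TLS; not shown here).
$ModLoad imtcp
$InputTCPServerRun 514

# One file per sender, keyed on the sender's IP (FROMHOST-IP) rather than on the
# hostname the sender claims in the message header. secpath-replace turns any "/"
# in PROGRAMNAME into "_", so a crafted tag cannot steer the path out of /var/log/remote/.
$template RemoteHostLog,"/var/log/remote/%FROMHOST-IP%/%PROGRAMNAME:::secpath-replace%.log"
$DirCreateMode 0750
$FileCreateMode 0640

# Messages that did not originate on this host go to their per-sender file and stop
# there, so they no longer mix into the server's own /var/log/messages, as the
# "test-node1" line did in the tail output above. (On rsyslog 5 use "& ~" instead of "& stop".)
:fromhost-ip, !isequal, "127.0.0.1" ?RemoteHostLog
& stop

#### Client side (test-node1): /etc/rsyslog.d/remote-client.conf (assumed path)
# Disk-assisted queue: while the server is unreachable, messages are spooled under
# $WorkDirectory and retried indefinitely instead of being dropped.
$WorkDirectory /var/lib/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName srvfwd
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on

# Same selector as on the page, but "@@" (TCP) instead of "@" (UDP), with the port
# written explicitly. Keep the original /var/log/messages rule in rsyslog.conf if a
# local copy is still wanted.
*.info;mail.none;authpriv.none;cron.none    @@192.168.0.99:514
```

  Check each file with `rsyslogd -N1` before restarting rsyslog on both hosts.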

  六、Recording rsyslog logs in MySQL

  1) Prepare the MySQL server

[root@test ~]#yum install mariadb
已載入外掛:fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
base                                                                                          | 3.6 kB  00:00:00     
dockerrepo                                                                                    | 2.9 kB  00:00:00     
epel                                                                                          | 5.3 kB  00:00:00     
extras                                                                                        | 2.9 kB  00:00:00     
updates                                                                                       | 2.9 kB  00:00:00     
軟體包 1:mariadb-5.5.64-1.el7.x86_64 已安裝並且是最新版本
無須任何處理
[root@test ~]#systemctl status mariadb
● mariadb.service - MariaDB database server
   Loaded: loaded (/usr/lib/systemd/system/mariadb.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
[root@test ~]#systemctl start mariadb 
[root@test ~]#mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 5.5.64-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> 

  Note: MariaDB is equivalent to MySQL here; install mariadb with yum and start the service.

  2) On the MySQL server, grant rsyslog permission to connect to the database server

MariaDB [(none)]> select user,host,password from mysql.user
    -> ;
+------+-----------+----------+
| user | host      | password |
+------+-----------+----------+
| root | localhost |          |
+------+-----------+----------+
1 row in set (0.00 sec)

MariaDB [(none)]> grant all on Syslog.* to 'rsyslog'@'%' identified by 'rsyslogpass';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> select user,host,password from mysql.user;
+---------+-----------+-------------------------------------------+
| user    | host      | password                                  |
+---------+-----------+-------------------------------------------+
| root    | localhost |                                           |
| rsyslog | %         | *3AABCFD2E87DD4D86B283A77A7B21E449FBA9AFA |
+---------+-----------+-------------------------------------------+
2 rows in set (0.00 sec)

MariaDB [(none)]> 

  3) Install the MySQL module package on the rsyslog server

[root@test ~]#yum install rsyslog-mysql
已載入外掛:fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
正在解決依賴關係
--> 正在檢查事務
---> 軟體包 rsyslog-mysql.x86_64.0.8.24.0-41.el7_7.2 將被 安裝
--> 正在處理依賴關係 rsyslog = 8.24.0-41.el7_7.2,它被軟體包 rsyslog-mysql-8.24.0-41.el7_7.2.x86_64 需要
--> 正在檢查事務
---> 軟體包 rsyslog.x86_64.0.8.24.0-34.el7 將被 升級
---> 軟體包 rsyslog.x86_64.0.8.24.0-41.el7_7.2 將被 更新
--> 解決依賴關係完成

依賴關係解決

=====================================================================================================================
 Package                      架構                  版本                                源                      大小
=====================================================================================================================
正在安裝:
 rsyslog-mysql                x86_64                8.24.0-41.el7_7.2                   updates                 42 k
為依賴而更新:
 rsyslog                      x86_64                8.24.0-41.el7_7.2                   updates                616 k

事務概要
=====================================================================================================================
安裝  1 軟體包
升級           ( 1 依賴軟體包)

總下載量:659 k
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/2): rsyslog-mysql-8.24.0-41.el7_7.2.x86_64.rpm                                             |  42 kB  00:00:00     
(2/2): rsyslog-8.24.0-41.el7_7.2.x86_64.rpm                                                   | 616 kB  00:00:00     
---------------------------------------------------------------------------------------------------------------------
總計                                                                                 858 kB/s | 659 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  正在更新    : rsyslog-8.24.0-41.el7_7.2.x86_64                                                                 1/3 
  正在安裝    : rsyslog-mysql-8.24.0-41.el7_7.2.x86_64                                                           2/3 
  清理        : rsyslog-8.24.0-34.el7.x86_64                                                                     3/3 
  驗證中      : rsyslog-8.24.0-41.el7_7.2.x86_64                                                                 1/3 
  驗證中      : rsyslog-mysql-8.24.0-41.el7_7.2.x86_64                                                           2/3 
  驗證中      : rsyslog-8.24.0-34.el7.x86_64                                                                     3/3 

已安裝:
  rsyslog-mysql.x86_64 0:8.24.0-41.el7_7.2                                                                           

作為依賴被升級:
  rsyslog.x86_64 0:8.24.0-41.el7_7.2                                                                                 

完畢!
[root@test ~]#

  Note: this plugin must be installed on the rsyslog server; that is, install it on whichever log server whose logs you intend to record into the database.

  4) Create the database and tables for rsyslog

[root@test ~]#rpm -ql rsyslog-mysql
/usr/lib64/rsyslog/ommysql.so
/usr/share/doc/rsyslog-8.24.0/mysql-createDB.sql
[root@test ~]#mysql < /usr/share/doc/rsyslog-8.24.0/mysql-createDB.sql
[root@test ~]#mysql 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 5.5.64-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| Syslog             |
| mysql              |
| performance_schema |
| test               |
+--------------------+
5 rows in set (0.00 sec)

MariaDB [(none)]> use Syslog
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [Syslog]> show tables;
+----------------