How to use journalctl to view and analyze systemd logs (with examples)

Introduction

Many people say that systemd is not good and that it has a great impact on the system. This is also a controversial topic. But you can't deny that it provides a complete set of tools to manage and troubleshoot your system. Imagine when you come across a broken system with no GUI, you could mess up booting and GRUB. In this case, you can boot from a live system, mount your Linux partition, and browse the systemd logs to find the problem.

systemd has three basic components, as follows:

• ​​systemd​​: The system and service manager of the Linux operating system.
• ​​systemctl​​: This command is used to review and control the status of the systemd system and service manager.
• ​​systemd-analyze​​: This command provides performance statistics on system startup and retrieves additional status and tracing information from the System and Service Manager.

In addition to these three services, systemd also provides other services, such as journald, logind, networkd, etc. In this guide, we will discuss systemd’s journald service.

journald - systemd log service

By design, systemd provides a centralized way to handle all operating system logs from processes, applications, etc. All these log events are handled by systemd's journald daemon. The journald daemon collects all logs from all over the Linux operating system and stores them as binary data in files.

There are many benefits of centrally recording events and system problems in binary data. For example, because system logs are stored in binary rather than text form, you can translate them in text, JSON objects, and more to meet various needs. In addition, since the logs are stored sequentially, it is super easy to track individual events through date/time operations on the logs.

Please remember that the log files collected by journald have thousands of lines and are constantly updated with every boot and every event. Therefore, if you have a long-running Linux operating system, the log size should be in GB. Since there are thousands of logs, it's best to filter them with basic commands to learn more about system issues.

journald configuration file

journald’s configuration file exists in the following path. It contains various flags on how logging should be done. You can take a look at this file and make the necessary changes. But I recommend not modifying this file unless you know what you are doing.

/etc/systemd/journald.conf

journald Where binary log files are stored

journald stores logs in binary format. They are saved in a directory under this path:

/var/log/journal

For example, in the following path, there is a directory that contains all system logs so far.

journalctl log file path

Do not use the ​​cat​​ command, and do not use ​​nano​​ or ​​vi​​ to open these files. They (being binary) cannot be displayed normally.

Use journalctl to view and analyze systemd logs

journald basic commands

The basic command to view journald logs is:

journalctl

journalctl

该命令提供了所有应用程序和进程的日志条目，包括错误、警告等。它显示的列表中，最旧的日志在顶部，当前的日志在底部。你需要不断按回车键来逐行滚动浏览。你也可以使用 ​​PAGE UP​​ 和 ​​PAGE DOWN​​ 键来滚动。按 ​​q​​ 键可以退出这个视图。

如何以不同时区的时间查看日志条目

默认情况下，​​journalctl​​ 以当前系统时区显示日志的时间。然而，你可以很容易地在命令中提供时区，将同一日志转换为不同的时区。例如，要以 UTC 查看日志，请使用以下命令：

journalctl --utc

journalctl --utc

如何在日志中只查看错误、警告等信息

系统产生的日志有不同的优先级。有些日志可能是可以忽略的警告，有些可能是重要的错误。你可能想只看错误，不看警告。这也可以用下面的命令来实现。

要查看紧急系统信息，请使用：

journalctl -p 0

journalctl -p 0

错误代码：

0: 紧急情况
1: 警报
2: 危急
3: 错误
4: 警告
5: 通知
6: 信息
7：调试

当你指定错误代码时，它显示该等级及更高的所有信息。例如，如果你指定下面的命令，它会显示所有优先级为 2、1 和 0 的信息：

journalctl -p 2

如何查看特定启动的日志

当你运行 ​​journalctl​​ 命令时，它会显示当前启动的信息，即你正在运行的会话中的信息。但也可以查看过去的启动信息。

在每次重启时，日志都会持续更新。journald 会记录不同启动时的日志。要查看不同启动时的日志，请使用以下命令。

journalctl --list-boots

journalctl list-boots

• 第一个数字显示的是 journald 的唯一的启动跟踪号码，你可以在下一个命令中使用它来分析该特定的启动。
• 第二个数字是启动 ID，你也可以在命令中指定。
• 接下来的两个日期、时间组合是存储在相应文件中的日志的时间。如果你想找出某个特定日期、时间的日志或错误，这就非常方便了。

要查看一个特定的启动号码，你可以选择第一个启动跟踪号码或启动 ID，如下所示。

journalctl -b -45

journalctl -b 8bab42c7e82440f886a3f041a7c95b98

journalctl -b 45

你也可以使用 ​​-x​​ 选项，在显示屏上添加 systemd 错误信息的解释。在某些情况下，这是个救命稻草。

journalctl -xb -p 3

journalctl -xb

如何查看某一特定时间、日期的日志记录

​​journalctl​​ 功能强大，可以在命令中提供类似英语的参数，用于时间和日期操作。

你可以使用 ​​--since​​ 选项与 ​​yesterday​​、​​today​​、​​tomorrow​​ 或 ​​now​​ 组合。

下面是一些不同命令的例子。你可以根据你的需要修改它们。它们是不言自明的。以下命令中的日期、时间格式为 ​​"YYYY-MM-DD HH:MM:SS"​​

journalctl --since "2020-12-04 06:00:00"

journalctl --since "2020-12-03" --until "2020-12-05 03:00:00"

journalctl --since yesterday

journalctl --since 09:00 --until "1 hour ago"

journalctl --since 09:00 --until

你也可以将上述内容与错误级别开关结合起来。

如何查看内核特定的日志记录

Linux 内核信息也可以从日志中提取出来。要查看当前启动时的内核信息，请使用以下命令：

journalctl -k

如何查看某个服务、PID 的日志

你可以从 journald 日志中过滤出某个 systemd 服务单元的特定日志。例如，如果要查看 NetworkManager 服务的日志，请使用下面的命令。

journalctl -u NetworkManager.service

journalctl NetworkManager service

如果你不知道服务名称，可以使用下面的命令来列出系统中的 systemd 服务。

systemctl list-units --type=service

如何查看用户、组的日志

如果你正在分析服务器日志，在多个用户登录的情况下，这个命令很有帮助。你可以先用下面的命令从用户名中找出用户的 ID。例如，要找出用户 ​​debugpoint​​ 的 ID：

id -u debugpoint

然后使用 ​​_UID​​ 选项指定该 ID 与来查看该用户产生的日志。

journalctl _UID=1000 --since today

journalctl _UID

同样地，使用 ​​_GID​​ 选项也可以查到用户组的情况。

如何查看一个可执行文件的日志

你也可以查看某个特定程序或可执行文件的日志。例如，如果你想找出 ​​gnome-shell​​ 的信息，你可以运行以下命令。

journalctl /usr/bin/gnome-shell --since today

journalctl gnome-shell

Conclusion

Hope this guide can help you use ​​journalctl​​ to view and analyze systemd logs on your Linux desktop or server and troubleshoot. If you know how to use these commands, systemd log management is very powerful and can make your life easier when debugging. All major Linux distributions now use systemd. Ubuntu, Debian, Fedora, and Arch all use systemd as their default operating system component. If you want to know about Linux distributions that do not use systemd, you may want to look at ​​MX-Linux​​, Gentoo, Slackware, Void Linux.

The above is the detailed content of How to use journalctl to view and analyze systemd logs (with examples). For more information, please follow other related articles on the PHP Chinese website!