Home > Article > Operation and Maintenance > How to use journalctl to view and analyze systemd logs (with examples)
Many people say that systemd is not good and that it has a great impact on the system. This is also a controversial topic. But you can't deny that it provides a complete set of tools to manage and troubleshoot your system. Imagine when you come across a broken system with no GUI, you could mess up booting and GRUB. In this case, you can boot from a live system, mount your Linux partition, and browse the systemd logs to find the problem.
systemd has three basic components, as follows:
systemd
: The system and service manager of the Linux operating system. systemctl
: This command is used to review and control the status of the systemd system and service manager. systemd-analyze
: This command provides performance statistics on system startup and retrieves additional status and tracing information from the System and Service Manager. In addition to these three services, systemd also provides other services, such as journald, logind, networkd, etc. In this guide, we will discuss systemd’s journald service.
By design, systemd provides a centralized way to handle all operating system logs from processes, applications, etc. All these log events are handled by systemd's journald daemon. The journald daemon collects all logs from all over the Linux operating system and stores them as binary data in files.
There are many benefits of centrally recording events and system problems in binary data. For example, because system logs are stored in binary rather than text form, you can translate them in text, JSON objects, and more to meet various needs. In addition, since the logs are stored sequentially, it is super easy to track individual events through date/time operations on the logs.
Please remember that the log files collected by journald have thousands of lines and are constantly updated with every boot and every event. Therefore, if you have a long-running Linux operating system, the log size should be in GB. Since there are thousands of logs, it's best to filter them with basic commands to learn more about system issues.
journald’s configuration file exists in the following path. It contains various flags on how logging should be done. You can take a look at this file and make the necessary changes. But I recommend not modifying this file unless you know what you are doing.
/etc/systemd/journald.conf
journald stores logs in binary format. They are saved in a directory under this path:
/var/log/journal
For example, in the following path, there is a directory that contains all system logs so far.
journalctl log file path
Do not use the cat
command, and do not use nano
or vi
to open these files. They (being binary) cannot be displayed normally.
The basic command to view journald logs is:
journalctl
journalctl
该命令提供了所有应用程序和进程的日志条目,包括错误、警告等。它显示的列表中,最旧的日志在顶部,当前的日志在底部。你需要不断按回车键来逐行滚动浏览。你也可以使用 PAGE UP
和 PAGE DOWN
键来滚动。按 q
键可以退出这个视图。
默认情况下,journalctl
以当前系统时区显示日志的时间。然而,你可以很容易地在命令中提供时区,将同一日志转换为不同的时区。例如,要以 UTC 查看日志,请使用以下命令:
journalctl --utc
journalctl --utc
系统产生的日志有不同的优先级。有些日志可能是可以忽略的警告,有些可能是重要的错误。你可能想只看错误,不看警告。这也可以用下面的命令来实现。
要查看紧急系统信息,请使用:
journalctl -p 0
journalctl -p 0
错误代码:
0: 紧急情况 1: 警报 2: 危急 3: 错误 4: 警告 5: 通知 6: 信息 7:调试
当你指定错误代码时,它显示该等级及更高的所有信息。例如,如果你指定下面的命令,它会显示所有优先级为 2、1 和 0 的信息:
journalctl -p 2
当你运行 journalctl
命令时,它会显示当前启动的信息,即你正在运行的会话中的信息。但也可以查看过去的启动信息。
在每次重启时,日志都会持续更新。journald 会记录不同启动时的日志。要查看不同启动时的日志,请使用以下命令。
journalctl --list-boots
journalctl list-boots
要查看一个特定的启动号码,你可以选择第一个启动跟踪号码或启动 ID,如下所示。
journalctl -b -45
journalctl -b 8bab42c7e82440f886a3f041a7c95b98
journalctl -b 45
你也可以使用 -x
选项,在显示屏上添加 systemd 错误信息的解释。在某些情况下,这是个救命稻草。
journalctl -xb -p 3
journalctl -xb
journalctl
功能强大,可以在命令中提供类似英语的参数,用于时间和日期操作。
你可以使用 --since
选项与 yesterday
、today
、tomorrow
或 now
组合。
下面是一些不同命令的例子。你可以根据你的需要修改它们。它们是不言自明的。以下命令中的日期、时间格式为 "YYYY-MM-DD HH:MM:SS"
journalctl --since "2020-12-04 06:00:00"
journalctl --since "2020-12-03" --until "2020-12-05 03:00:00"
journalctl --since yesterday
journalctl --since 09:00 --until "1 hour ago"
journalctl --since 09:00 --until
你也可以将上述内容与错误级别开关结合起来。
Linux 内核信息也可以从日志中提取出来。要查看当前启动时的内核信息,请使用以下命令:
journalctl -k
你可以从 journald 日志中过滤出某个 systemd 服务单元的特定日志。例如,如果要查看 NetworkManager 服务的日志,请使用下面的命令。
journalctl -u NetworkManager.service
journalctl NetworkManager service
如果你不知道服务名称,可以使用下面的命令来列出系统中的 systemd 服务。
systemctl list-units --type=service
如果你正在分析服务器日志,在多个用户登录的情况下,这个命令很有帮助。你可以先用下面的命令从用户名中找出用户的 ID。例如,要找出用户 debugpoint
的 ID:
id -u debugpoint
然后使用 _UID
选项指定该 ID 与来查看该用户产生的日志。
journalctl _UID=1000 --since today
journalctl _UID
同样地,使用 _GID
选项也可以查到用户组的情况。
你也可以查看某个特定程序或可执行文件的日志。例如,如果你想找出 gnome-shell
的信息,你可以运行以下命令。
journalctl /usr/bin/gnome-shell --since today
journalctl gnome-shell
Hope this guide can help you use journalctl
to view and analyze systemd logs on your Linux desktop or server and troubleshoot. If you know how to use these commands, systemd log management is very powerful and can make your life easier when debugging. All major Linux distributions now use systemd. Ubuntu, Debian, Fedora, and Arch all use systemd as their default operating system component. If you want to know about Linux distributions that do not use systemd, you may want to look at MX-Linux, Gentoo, Slackware, Void Linux.
The above is the detailed content of How to use journalctl to view and analyze systemd logs (with examples). For more information, please follow other related articles on the PHP Chinese website!