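Introduction

journalctl is a command-line tool for viewing system logs; it accesses and manages the log data collected by the systemd-journald service. systemd-journald is part of the systemd system management daemon and is responsible for collecting, storing and retrieving system logs. With the single journalctl command you can view all logs (kernel logs and application logs).
journalctl requires administrator privileges to run.

  • Some commonly used options:
    • --since: start time; show log entries from the given time onward.
    • --until: end time; show log entries up to the given time.
    • --identifier: filter log entries by the given identifier (such as a process name or unit name).
    • --unit: filter log entries by the given unit (service, socket, device, etc.).
    • --priority or -p: filter log entries by the given log level.
    • --grep: show only log entries that contain the given keyword.
    • --boot: filter log entries by the given boot ID.
    • --system or --user: select the system journal or the user journal.
    • --output: set the output format, such as short, short-iso, json, etc.
    • --follow or -f: follow the log in real time, similar to tail -f.
  • For the full list of options, see man journalctl

Examples of selected options

View all logs. This is rarely used as-is, because the output is too long to read comfortably.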

[root@localhost ~]# journalctl
Oct 21 21:19:30 localhost kernel: microcode: microcode updated early to revision 0xf4, date = 2023-02-23
Oct 21 21:19:30 localhost kernel: Linux version 6.1.0-13-amd64 (debian-kernel@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 SMP PREE>
Oct 21 21:19:30 localhost kernel: Command line: BOOT_IMAGE=/vmlinuz-6.1.0-13-amd64 root=/dev/mapper/localhost--vg-root ro quiet
Oct 21 21:19:30 localhost kernel: BIOS-provided physical RAM map:
Oct 21 21:19:30 localhost kernel: BIOS-e820: [mem 0x0000000000000000-0x0000000000000fff] reserved
Oct 21 21:19:30 localhost kernel: BIOS-e820: [mem 0x0000000000001000-0x000000000008ffff] usable
Oct 21 21:19:30 localhost kernel: BIOS-e820: [mem 0x0000000000090000-0x0000000000090fff] type 20
Oct 21 21:19:30 localhost kernel: BIOS-e820: [mem 0x0000000000091000-0x000000000009efff] usable
Oct 21 21:19:30 localhost kernel: BIOS-e820: [mem 0x000000000009f000-0x00000000000fffff] reserved
Oct 21 21:19:30 localhost kernel: BIOS-e820: [mem 0x0000000000100000-0x000000007d8fcfff] usable
..........

View kernel logs only, without application logs

[root@localhost ~]# journalctl  -k
Oct 28 00:55:30 localhost kernel: microcode: updated early: 0xd6 -> 0xf4, date = 2023-02-23
Oct 28 00:55:30 localhost kernel: Linux version 6.4.0-0.deb12.2-amd64 (debian-kernel@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 S>
Oct 28 00:55:30 localhost kernel: Command line: BOOT_IMAGE=/vmlinuz-6.4.0-0.deb12.2-amd64 root=/dev/mapper/localhost--vg-root ro reboot=bios quiet
Oct 28 00:55:30 localhost kernel: BIOS-provided physical RAM map:
Oct 28 00:55:30 localhost kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000005efff] usable
Oct 28 00:55:30 localhost kernel: BIOS-e820: [mem 0x000000000005f000-0x000000000005ffff] reserved
Oct 28 00:55:30 localhost kernel: BIOS-e820: [mem 0x0000000000060000-0x000000000009ffff] usable
Oct 28 00:55:30 localhost kernel: BIOS-e820: [mem 0x00000000000a0000-0x00000000000fffff] reserved
Oct 28 00:55:30 localhost kernel: BIOS-e820: [mem 0x0000000000100000-0x000000007d553fff] usable
Oct 28 00:55:30 localhost kernel: BIOS-e820: [mem 0x000000007d554000-0x000000007eda2fff] reserved
Oct 28 00:55:30 localhost kernel: BIOS-e820: [mem 0x000000007eda3000-0x000000007ef7dfff] ACPI data

View logs from the current boot

[root@localhost ~]# journalctl -b
Oct 28 00:55:30 localhost kernel: microcode: updated early: 0xd6 -> 0xf4, date = 2023-02-23
Oct 28 00:55:30 localhost kernel: Linux version 6.4.0-0.deb12.2-amd64 (debian-kernel@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 S>
Oct 28 00:55:30 localhost kernel: Command line: BOOT_IMAGE=/vmlinuz-6.4.0-0.deb12.2-amd64 root=/dev/mapper/localhost--vg-root ro reboot=bios quiet
Oct 28 00:55:30 localhost kernel: BIOS-provided physical RAM map:
Oct 28 00:55:30 localhost kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000005efff] usable
Oct 28 00:55:30 localhost kernel: BIOS-e820: [mem 0x000000000005f000-0x000000000005ffff] reserved
Oct 28 00:55:30 localhost kernel: BIOS-e820: [mem 0x0000000000060000-0x000000000009ffff] usable
Oct 28 00:55:30 localhost kernel: BIOS-e820: [mem 0x00000000000a0000-0x00000000000fffff] reserved
Oct 28 00:55:30 localhost kernel: BIOS-e820: [mem 0x0000000000100000-0x000000007d553fff] usable
Oct 28 00:55:30 localhost kernel: BIOS-e820: [mem 0x000000007d554000-0x000000007eda2fff] reserved

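View logs from the previous boot

# -1 means the previous boot. The value selects the Nth most recent boot, counting from 0. For example, -0 is the 0th most recent boot, i.e. the current boot; -10 is the 10th most recent boot.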
[root@localhost ~]# journalctl -b -1
Oct 28 00:53:39 localhost kernel: microcode: updated early: 0xd6 -> 0xf4, date = 2023-02-23
Oct 28 00:53:39 localhost kernel: Linux version 6.4.0-0.deb12.2-amd64 (debian-kernel@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 S>
Oct 28 00:53:39 localhost kernel: Command line: BOOT_IMAGE=/vmlinuz-6.4.0-0.deb12.2-amd64 root=/dev/mapper/localhost--vg-root ro reboot=bios quiet
Oct 28 00:53:39 localhost kernel: BIOS-provided physical RAM map:
Oct 28 00:53:39 localhost kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000005efff] usable
Oct 28 00:53:39 localhost kernel: BIOS-e820: [mem 0x000000000005f000-0x000000000005ffff] reserved
Oct 28 00:53:39 localhost kernel: BIOS-e820: [mem 0x0000000000060000-0x000000000009ffff] usable
Oct 28 00:53:39 localhost kernel: BIOS-e820: [mem 0x00000000000a0000-0x00000000000fffff] reserved
Oct 28 00:53:39 localhost kernel: BIOS-e820: [mem 0x0000000000100000-0x000000007d553fff] usable
Oct 28 00:53:39 localhost kernel: BIOS-e820: [mem 0x000000007d554000-0x000000007eda2fff] reserved
Oct 28 00:53:39 localhost kernel: BIOS-e820: [mem 0x000000007eda3000-0x000000007ef7dfff] ACPI data
Oct 28 00:53:39 localhost kernel: BIOS-e820: [mem 0x000000007ef7e000-0x000000007f42dfff] ACPI NVS
Oct 28 00:53:39 localhost kernel: BIOS-e820: [mem 0x000000007f42e000-0x000000007fc4afff] reserved

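Filter by log level

*  Use the -p option to filter by log level. Accepted values:
  * 0 or emerg: emergency
  * 1 or alert: alert
  * 2 or crit: critical
  * 3 or err: error
  * 4 or warning: warning
  * 5 or notice: notice
  * 6 or info: informational
  * 7 or debug: debug messages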

[root@localhost ~]# journalctl -b -0 -p err
Oct 28 16:00:59 localhost sshd[94464]: error: kex_exchange_identification: banner line contains invalid characters
Oct 29 01:19:02 localhost sshd[150735]: error: kex_exchange_identification: Connection closed by remote host
Oct 29 01:19:25 localhost sshd[768]: error: beginning MaxStartups throttling
Oct 29 06:04:01 localhost sshd[196313]: error: kex_exchange_identification: banner line contains invalid characters
Oct 29 21:04:29 localhost sshd[277023]: error: kex_exchange_identification: banner line contains invalid characters
Oct 29 21:26:26 localhost sshd[278774]: error: kex_exchange_identification: banner line contains invalid characters
Oct 30 07:37:47 localhost sshd[307251]: error: kex_exchange_identification: Connection closed by remote host
Oct 30 07:43:33 localhost sshd[768]: error: beginning MaxStartups throttling

View logs for a given time range

* Examples of values accepted by `--since`:
	* --since="2023-10-16 14:22:02"
	* --since "30 min ago"
	* --since yesterday
	* --since "2021-01-01" --until "2021-09-16 13:40"
	* --since 07:30 --until "2 hour ago"
* Run `man 7 systemd.time` to see the other supported time formats

[root@localhost ~]# journalctl --since="2023-10-30 14:22:02" --until "2023-10-31 13:40"
Oct 30 14:25:23 localhost kernel: [UFW BLOCK] IN=eno1 OUT= MAC=d4:5d:64:49:2e:3b:3c:06:a7:45:be:16:08:00 SRC=114.247.113.183 DST=192.168.1.80 LEN=70 TOS=0x00 PREC=0x00 TTL=116 ID=35>
Oct 30 14:25:38 localhost smartd[716]: Device: /dev/sdc [SAT], SMART Usage Attribute: 194 Temperature_Celsius changed from 112 to 113
Oct 30 14:25:44 localhost kernel: [UFW BLOCK] IN=eno1 OUT= MAC=d4:5d:64:49:2e:3b:3c:06:a7:45:be:16:08:00 SRC=222.129.130.135 DST=192.168.1.80 LEN=69 TOS=0x00 PREC=0x00 TTL=119 ID=26>
Oct 30 14:26:04 localhost kernel: [UFW BLOCK] IN=eno1 OUT= MAC=d4:5d:64:49:2e:3b:3c:06:a7:45:be:16:08:00 SRC=222.129.130.135 DST=192.168.1.80 LEN=66 TOS=0x00 PREC=0x00 TTL=119 ID=26>
Oct 30 14:29:51 localhost sshd[337868]: Received disconnect from 58.247.31.242 port 50136:11: disconnected by user
Oct 30 14:29:51 localhost sshd[337868]: Disconnected from user root 58.247.31.242 port 50136

Show the last n lines of the log

* The `-n` option sets how many lines to show (counted from the end).

[root@localhost ~]# journalctl -n 15
Oct 30 21:13:23 localhost kernel: [UFW BLOCK] IN=eno1 OUT= MAC=d4:5d:64:49:2e:3b:3c:06:a7:45:be:16:08:00 SRC=101.80.50.91 DST=192.168.1.80 LEN=59 TOS=0x00 PREC=0x00 TTL=54 ID=61000 >
Oct 30 21:13:43 localhost kernel: [UFW BLOCK] IN=eno1 OUT= MAC=d4:5d:64:49:2e:3b:3c:06:a7:45:be:16:08:00 SRC=157.0.138.53 DST=192.168.1.80 LEN=58 TOS=0x00 PREC=0x00 TTL=57 ID=50602 >
Oct 30 21:14:11 localhost kernel: [UFW BLOCK] IN=eno1 OUT= MAC=d4:5d:64:49:2e:3b:3c:06:a7:45:be:16:08:00 SRC=117.65.234.127 DST=192.168.1.80 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2188>
Oct 30 21:14:25 localhost kernel: [UFW BLOCK] IN=eno1 OUT= MAC=d4:5d:64:49:2e:3b:3c:06:a7:45:be:16:08:00 SRC=123.160.221.48 DST=192.168.1.80 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=2210>
Oct 30 21:14:44 localhost kernel: [UFW BLOCK] IN=eno1 OUT= MAC=d4:5d:64:49:2e:3b:3c:06:a7:45:be:16:08:00 SRC=124.79.246.214 DST=192.168.1.80 LEN=60 TOS=0x08 PREC=0x00 TTL=117 ID=142>
Oct 30 21:15:17 localhost kernel: [UFW BLOCK] IN=eno1 OUT= MAC=d4:5d:64:49:2e:3b:3c:06:a7:45:be:16:08:00 SRC=185.216.140.186 DST=192.168.1.80 LEN=44 TOS=0x00 PREC=0x00 TTL=243 ID=19>
Oct 30 21:15:24 localhost kernel: [UFW BLOCK] IN=eno1 OUT= MAC=d4:5d:64:49:2e:3b:3c:06:a7:45:be:16:08:00 SRC=183.211.128.84 DST=192.168.1.80 LEN=60 TOS=0x04 PREC=0x00 TTL=53 ID=1029>
Oct 30 21:15:43 localhost kernel: [UFW BLOCK] IN=eno1 OUT= MAC=d4:5d:64:49:2e:3b:3c:06:a7:45:be:16:08:00 SRC=172.105.80.248 DST=192.168.1.80 LEN=44 TOS=0x00 PREC=0x00 TTL=240 ID=219>
Oct 30 21:16:08 localhost kernel: [UFW BLOCK] IN=eno1 OUT= MAC=d4:5d:64:49:2e:3b:3c:06:a7:45:be:16:08:00 SRC=172.104.244.253 DST=192.168.1.80 LEN=44 TOS=0x00 PREC=0x00 TTL=242 ID=17>
Oct 30 21:16:26 localhost kernel: [UFW BLOCK] IN=eno1 OUT= MAC=d4:5d:64:49:2e:3b:3c:06:a7:45:be:16:08:00 SRC=172.232.218.227 DST=192.168.1.80 LEN=44 TOS=0x00 PREC=0x00 TTL=238 ID=12>
Oct 30 21:16:46 localhost kernel: [UFW BLOCK] IN=eno1 OUT= MAC=d4:5d:64:49:2e:3b:3c:06:a7:45:be:16:08:00 SRC=118.193.103.142 DST=192.168.1.80 LEN=44 TOS=0x00 PREC=0x00 TTL=239 ID=50>
Oct 30 21:17:01 localhost CRON[564547]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Oct 30 21:17:01 localhost CRON[564548]: (root) CMD (cd / && run-parts --report /etc/cron.hourly)
Oct 30 21:17:01 localhost CRON[564547]: pam_unix(cron:session): session closed for user root
Oct 30 21:17:03 localhost kernel: [UFW BLOCK] IN=eno1 OUT= MAC=d4:5d:64:49:2e:3b:3c:06:a7:45:be:16:08:00 SRC=77.90.185.110 DST=192.168.1.80 LEN=44 TOS=0x00 PREC=0x00 TTL=243 ID=4999>
lines 1-15/15 (END)

Follow the newest log entries as they arrive; press Ctrl+C to stop. Similar to tail -f

[root@localhost ~]# journalctl -f
Oct 30 21:16:26 localhost kernel: [UFW BLOCK] IN=eno1 OUT= MAC=d4:5d:64:49:2e:3b:3c:06:a7:45:be:16:08:00 SRC=172.232.218.227 DST=192.168.1.80 LEN=44 TOS=0x00 PREC=0x00 TTL=238 ID=12741 PROTO=TCP SPT=60000 DPT=39285 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 30 21:16:46 localhost kernel: [UFW BLOCK] IN=eno1 OUT= MAC=d4:5d:64:49:2e:3b:3c:06:a7:45:be:16:08:00 SRC=118.193.103.142 DST=192.168.1.80 LEN=44 TOS=0x00 PREC=0x00 TTL=239 ID=50572 PROTO=TCP SPT=65488 DPT=45054 WINDOW=512 RES=0x00 SYN URGP=0
Oct 30 21:17:01 localhost CRON[564547]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Oct 30 21:17:01 localhost CRON[564548]: (root) CMD (cd / && run-parts --report /etc/cron.hourly)
Oct 30 21:17:01 localhost CRON[564547]: pam_unix(cron:session): session closed for user root
Oct 30 21:17:03 localhost kernel: [UFW BLOCK] IN=eno1 OUT= MAC=d4:5d:64:49:2e:3b:3c:06:a7:45:be:16:08:00 SRC=77.90.185.110 DST=192.168.1.80 LEN=44 TOS=0x00 PREC=0x00 TTL=243 ID=4999 PROTO=TCP SPT=49406 DPT=389 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 30 21:17:24 localhost kernel: [UFW BLOCK] IN=eno1 OUT= MAC=d4:5d:64:49:2e:3b:3c:06:a7:45:be:16:08:00 SRC=89.248.165.234 DST=192.168.1.80 LEN=44 TOS=0x00 PREC=0x00 TTL=243 ID=62693 PROTO=TCP SPT=49800 DPT=9674 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 30 21:17:44 localhost kernel: [UFW BLOCK] IN=eno1 OUT= MAC=d4:5d:64:49:2e:3b:3c:06:a7:45:be:16:08:00 SRC=222.70.57.0 DST=192.168.1.80 LEN=58 TOS=0x00 PREC=0x00 TTL=117 ID=20304 PROTO=UDP SPT=26316 DPT=54090 LEN=38
Oct 30 21:18:05 localhost kernel: [UFW BLOCK] IN=eno1 OUT= MAC=d4:5d:64:49:2e:3b:3c:06:a7:45:be:16:08:00 SRC=143.42.205.133 DST=192.168.1.80 LEN=44 TOS=0x00 PREC=0x00 TTL=242 ID=65209 PROTO=TCP SPT=60000 DPT=800 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 30 21:18:29 localhost kernel: [UFW BLOCK] IN=eno1 OUT= MAC=d4:5d:64:49:2e:3b:3c:06:a7:45:be:16:08:00 SRC=89.248.165.234 DST=192.168.1.80 LEN=44 TOS=0x00 PREC=0x00 TTL=243 ID=25611 PROTO=TCP SPT=49800 DPT=9651 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 30 21:18:44 localhost kernel: [UFW BLOCK] IN=eno1 OUT= MAC=d4:5d:64:49:2e:3b:3c:06:a7:45:be:16:08:00 SRC=117.65.234.127 DST=192.168.1.80 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=19596 DF PROTO=TCP SPT=43899 DPT=38891 WINDOW=7300 RES=0x00 SYN URGP=0
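
Most of the kernel lines above are UFW block records. As an added example (not part of the original page), the script below tallies such records per source address, protocol and destination port; the function names and the sample lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: summarise [UFW BLOCK] records from journalctl short-format output.

# ufw_block_summary (hypothetical helper name):
# reads journal lines on stdin and prints "count src proto dport",
# highest count first.
ufw_block_summary() {
    awk '
        /\[UFW BLOCK\]/ {
            src = proto = dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            # Skip records with no source address at all.
            if (src == "") next
            # Lines copied from the pager are cut at the terminal width
            # (they end in ">") and may lack PROTO/DPT; mark those as "?".
            if (proto == "") proto = "?"
            if (dpt == "")   dpt   = "?"
            count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample input (documentation address ranges, not real traffic).
sample_journal() {
    cat <<'EOF'
Oct 30 21:16:26 localhost kernel: [UFW BLOCK] IN=eno1 OUT= MAC=00:00:5e:00:53:01 SRC=203.0.113.7 DST=192.0.2.80 LEN=44 TOS=0x00 PREC=0x00 TTL=238 ID=101 PROTO=TCP SPT=60000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 30 21:16:46 localhost kernel: [UFW BLOCK] IN=eno1 OUT= MAC=00:00:5e:00:53:01 SRC=203.0.113.7 DST=192.0.2.80 LEN=44 TOS=0x00 PREC=0x00 TTL=238 ID=102 PROTO=TCP SPT=60001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 30 21:17:01 localhost CRON[564548]: (root) CMD (cd / && run-parts --report /etc/cron.hourly)
Oct 30 21:17:44 localhost kernel: [UFW BLOCK] IN=eno1 OUT= MAC=00:00:5e:00:53:01 SRC=198.51.100.9 DST=192.0.2.80 LEN=58 TOS=0x00 PREC=0x00 TTL=117 ID=103 PROTO=UDP SPT=26316 DPT=54090 LEN=38
Oct 30 21:18:05 localhost kernel: [UFW BLOCK] IN=eno1 OUT= MAC=00:00:5e:00:53:01 SRC=203.0.113.7 DST=192.0.2.80 LEN=44 TOS=0x00 PREC=0x00 TTL=238 ID=104 PROTO=TCP SPT=60002 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 30 21:18:29 localhost kernel: [UFW BLOCK] IN=eno1 OUT= MAC=00:00:5e:00:53:01 SRC=198.51.100.9 DST=192.0.2.80 LEN=44 TOS=0x00 PREC=0x00 TTL=243 ID=105>
EOF
}

# Stand-alone run on the constructed sample.
sample_journal | ufw_block_summary
```

On a live host, pipe `journalctl -k --since today` into `ufw_block_summary`; when the output is piped, journalctl does not start the pager, so lines are not cut at the terminal width.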

View logs of a given service

* Files in the `/usr/lib/systemd` directory whose names start with `systemd-` are services.

[root@localhost ~]# journalctl /usr/lib/systemd/systemd-logind
Oct 21 21:19:34 localhost systemd-logind[659]: New seat seat0.
Oct 21 21:19:34 localhost systemd-logind[659]: Watching system buttons on /dev/input/event2 (Power Button)
Oct 21 21:19:34 localhost systemd-logind[659]: Watching system buttons on /dev/input/event1 (Power Button)
Oct 21 21:19:34 localhost systemd-logind[659]: Watching system buttons on /dev/input/event0 (Sleep Button)
Oct 21 21:19:34 localhost systemd-logind[659]: Watching system buttons on /dev/input/event8 (Logitech G903 LIGHTSPEED Wireless Gaming Mouse w/ HERO)
Oct 21 21:19:34 localhost systemd-logind[659]: Watching system buttons on /dev/input/event3 (Usb KeyBoard Usb KeyBoard)
Oct 21 21:19:34 localhost systemd-logind[659]: Watching system buttons on /dev/input/event4 (Usb KeyBoard Usb KeyBoard Consumer Control)
Oct 21 21:19:34 localhost systemd-logind[659]: Watching system buttons on /dev/input/event5 (Usb KeyBoard Usb KeyBoard System Control)

View logs of a given process

[root@localhost ~]# ps -ef | grep docker
root      294013       1  0 Oct29 ?        00:13:02 /usr/sbin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock

[root@localhost ~]# journalctl _PID=294013
Oct 29 23:25:45 localhost dockerd[294013]: time="2023-10-29T23:25:45.604753087+08:00" level=info msg="Starting up"
Oct 29 23:25:45 localhost dockerd[294013]: time="2023-10-29T23:25:45.605832952+08:00" level=info msg="[core] parsed scheme: \"unix\"" module=grpc
Oct 29 23:25:45 localhost dockerd[294013]: time="2023-10-29T23:25:45.605848372+08:00" level=info msg="[core] scheme \"unix\" not registered, fallback to default scheme" module=grpc
Oct 29 23:25:45 localhost dockerd[294013]: time="2023-10-29T23:25:45.605871997+08:00" level=info msg="[core] ccResolverWrapper: sending update to cc: {[{unix:///run/containerd/conta>
Oct 29 23:25:45 localhost dockerd[294013]: time="2023-10-29T23:25:45.605883916+08:00" level=info msg="[core] ClientConn switching balancer to \"pick_first\"" module=grpc
Oct 29 23:25:45 localhost dockerd[294013]: time="2023-10-29T23:25:45.605891932+08:00" level=info msg="[core] Channel switches to new LB policy \"pick_first\"" module=grpc
Oct 29 23:25:45 localhost dockerd[294013]: time="2023-10-29T23:25:45.605916666+08:00" level=info msg="[core] Subchannel Connectivity change to CONNECTING" module=grpc
Oct 29 23:25:45 localhost dockerd[294013]: time="2023-10-29T23:25:45.605940619+08:00" level=info msg="[core] Subchannel picks a new address \"unix:///run/containerd/containerd.sock\>
Oct 29 23:25:45 localhost dockerd[294013]: time="2023-10-29T23:25:45.605963159+08:00" level=info msg="[core] Channel Connectivity change to CONNECTING" module=grpc

### View logs of a script at a given path

[root@localhost ~]# journalctl /usr/bin/bash
Oct 21 21:55:44 localhost blkdeactivate[5593]: Deactivating block devices:
Oct 21 21:55:44 localhost blkdeactivate[5593]: [SKIP]: unmount of localhost--vg-swap_1 (dm-1) mounted on [SWAP]
Oct 21 21:55:44 localhost blkdeactivate[5593]: [SKIP]: unmount of localhost--vg-root (dm-0) mounted on /
-- Boot f664eb6353aa45f98e0347f376ef54b7 --
Oct 21 22:00:55 localhost blkdeactivate[2057]: Deactivating block devices:
Oct 21 22:00:55 localhost blkdeactivate[2057]: [SKIP]: unmount of localhost--vg-swap_1 (dm-1) mounted on [SWAP]
Oct 21 22:00:55 localhost blkdeactivate[2057]: [SKIP]: unmount of localhost--vg-root (dm-0) mounted on /
-- Boot bf42901cdb8f465e8b366916c10f1fbb --


### View logs for a specific user

[root@localhost ~]# journalctl _UID=1000 --since today

### View logs for a unit

[root@localhost ~]# journalctl -u nginx.service
Oct 21 22:42:01 localhost systemd[1]: Starting nginx.service - A high performance web server and a reverse proxy server...
Oct 21 22:42:01 localhost systemd[1]: Started nginx.service - A high performance web server and a reverse proxy server.
Oct 21 23:30:55 localhost systemd[1]: Stopping nginx.service - A high performance web server and a reverse proxy server...
Oct 21 23:30:55 localhost systemd[1]: nginx.service: Deactivated successfully.
Oct 21 23:30:55 localhost systemd[1]: Stopped nginx.service - A high performance web server and a reverse proxy server.




### Print logs directly to standard output (paged output is the default)

[root@localhost ~]# journalctl --no-pager --since today -n 200
Oct 30 00:00:03 localhost systemd[1]: Starting dpkg-db-backup.service - Daily dpkg database backup service...
Oct 30 00:00:03 localhost systemd[1]: Starting logrotate.service - Rotate log files...
Oct 30 00:00:03 localhost systemd[1]: dpkg-db-backup.service: Deactivated successfully.
Oct 30 00:00:03 localhost systemd[1]: Finished dpkg-db-backup.service - Daily dpkg database backup service.
Oct 30 00:00:03 localhost systemd[1]: Stopping cups-browsed.service - Make remote CUPS printers available locally...
Oct 30 00:00:03 localhost systemd[1]: cups-browsed.service: Deactivated successfully.
Oct 30 00:00:03 localhost systemd[1]: Stopped cups-browsed.service - Make remote CUPS printers available locally.
Oct 30 00:00:03 localhost systemd[1]: Stopping cups.service - CUPS Scheduler...




### Output in JSON format



[root@localhost ~]# journalctl -b -u nginx.service -o json
{"__MONOTONIC_TIMESTAMP":"19240849","CODE_LINE":"581","_COMM":"systemd","TID":"1","_MACHINE_ID":"488a14197f1f48aaaaf23e5d2e2332f1","_SYSTEMD_CGROUP":"/init.scope","__REALTIME_TIMESTA>
{"_EXE":"/usr/lib/systemd/systemd","_SYSTEMD_CGROUP":"/init.scope","_UID":"0","_CAP_EFFECTIVE":"1ffffffffff","TID":"1","__MONOTONIC_TIMESTAMP":"19333651","CODE_LINE":"768","__REALTIM>

Multi-line output, for better readability

[root@localhost ~]# journalctl -b -u nginx.service -o json-pretty
{
    "_UID" : "0",
    "INVOCATION_ID" : "393219bc05da474d95c080b5cfc27f4d",
    "_SELINUX_CONTEXT" : "unconfined\n",
    "PRIORITY" : "6",
    "_RUNTIME_SCOPE" : "system",
    "_SYSTEMD_SLICE" : "-.slice",
    "_MACHINE_ID" : "488a14197f1f48aaaaf23e5d2e2332f1",
    "_SYSTEMD_CGROUP" : "/init.scope",
    "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5",
    "_HOSTNAME" : "localhost",
    "__MONOTONIC_TIMESTAMP" : "19240849",
.......
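
An added example (not part of the original page) showing how a script can consume `journalctl -o json` output safely: it converts `__REALTIME_TIMESTAMP`, filters on `PRIORITY`, reads the user from the journald-set `_UID` rather than a client-supplied `UID` field, and handles fields that arrive as byte arrays or `null`. The sample entries, `field_text` and `parse_journal` are constructed for illustration, and the default priority of 6 for malformed values is an assumption.

```python
import json
from datetime import datetime, timezone

# Constructed sample of `journalctl -o json` output: one JSON object per line.
SAMPLE = "\n".join(json.dumps(e) for e in [
    {"__REALTIME_TIMESTAMP": "1698423585000000", "PRIORITY": "6", "_UID": "0",
     "_COMM": "systemd", "MESSAGE": "Stopped nginx.service"},
    # A client-supplied UID field that disagrees with the trusted _UID.
    {"__REALTIME_TIMESTAMP": "1698423586000000", "PRIORITY": "4", "_UID": "1000",
     "UID": "0", "_COMM": "logger", "MESSAGE": [98, 97, 100, 27, 91, 50, 74]},
    # An oversized field: journalctl writes null unless --all is given.
    {"__REALTIME_TIMESTAMP": "1698423587000000", "PRIORITY": "7", "_UID": "33",
     "_COMM": "nginx", "MESSAGE": None},
])


def field_text(value):
    """Turn one JSON field value into display-safe text (None if elided)."""
    if value is None:
        return None
    if isinstance(value, list):
        if all(isinstance(b, int) for b in value):  # raw bytes of a binary field
            value = bytes(value).decode("utf-8", "replace")
        else:  # the same field name occurred several times in one entry
            value = " | ".join(field_text(v) or "" for v in value)
    # Escape control characters so log content cannot drive the terminal.
    return "".join(c if c.isprintable() else f"\\x{ord(c):02x}" for c in str(value))


def parse_journal(text, max_priority=6):
    """Return (utc_time, trusted_uid, comm, message) rows with PRIORITY <= max_priority."""
    rows = []
    for line in filter(str.strip, text.splitlines()):
        entry = json.loads(line)
        try:
            priority = int(field_text(entry.get("PRIORITY")) or 6)
        except ValueError:
            priority = 6  # assumption: treat a malformed PRIORITY as "info"
        if priority > max_priority:
            continue
        micros = int(entry["__REALTIME_TIMESTAMP"])  # microseconds since the epoch
        when = datetime.fromtimestamp(micros / 1_000_000, tz=timezone.utc)
        # Underscore-prefixed fields are added by journald; a bare "UID" is not used.
        rows.append((when.isoformat(), entry.get("_UID"), entry.get("_COMM"),
                     field_text(entry.get("MESSAGE"))))
    return rows

if __name__ == "__main__":
    print(*parse_journal(SAMPLE), sep="\n")
```

On a live system the same function can be fed the text produced by `journalctl -o json --no-pager`.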

### View the disk space used by the logs

[root@localhost ~]# journalctl --disk-usage
Archived and active journals take up 235.8M in the file system.

### Specify the maximum size of the log files

[root@localhost ~]# journalctl --vacuum-size=10G
Vacuuming done, freed 0B of archived journals from /var/log/journal.
Vacuuming done, freed 0B of archived journals from /run/log/journal.
Vacuuming done, freed 0B of archived journals from /var/log/journal/488a14197f1f48aaaaf23e5d2e2332f1.

### Specify how long log files are kept

[root@localhost ~]# journalctl --vacuum-time=1years
Vacuuming done, freed 0B of archived journals from /var/log/journal.
Vacuuming done, freed 0B of archived journals from /var/log/journal/488a14197f1f48aaaaf23e5d2e2332f1.
Vacuuming done, freed 0B of archived journals from /run/log/journal.

Key point!!

All of the options above can be combined.

Example:

[root@localhost ~]# journalctl --since "2023-10-28" --until "2023-10-30" -u nginx.service -p info _COMM=systemd  --no-pager --output short-iso
2023-10-28T00:19:45+0800 localhost systemd[1]: Stopping nginx.service - A high performance web server and a reverse proxy server...
2023-10-28T00:19:45+0800 localhost systemd[1]: nginx.service: Deactivated successfully.
2023-10-28T00:19:45+0800 localhost systemd[1]: Stopped nginx.service - A high performance web server and a reverse proxy server.