Background
- What is it?
  - Linux journal is a systemd component used to capture and store system log information.
  - Linux journal is the part of the systemd ecosystem responsible for log management; it is handled by the journald service.
- What problem does it solve?
  - journal was designed to address a number of limitations and problems of traditional logging systems.
  - Because system logs are stored in binary form, parsing and consuming them becomes more flexible; for example, they can be exported as text, JSON and other formats to meet different needs.
  - journal stores events in chronological order, which makes tracing an individual event easy.
  - journald also provides rich filtering and search options, helping system administrators locate and resolve problems quickly.
- How is it used?
  - The journalctl command is the main tool for interacting with the journal; it lets administrators view and manipulate this log information.
Differences from rsyslog
journalctl and syslog are both tools for handling and viewing system logs on Linux. The differences between the two are compared below from several angles:
- Storage:
  - syslog stores log information in text files that can be viewed with a text editor, usually under /var/log/syslog or /var/log/message
  - journalctl uses the systemd-journald service to store log files in a binary format, usually under /run/log/journal/ or /var/log/journal/
- Log content:
  - syslog uses a text format recorded in text files. The log information includes a timestamp, hostname, application name and so on
  - journalctl uses a binary format that can store more metadata, such as process ID, user ID, SELinux context and so on. This makes the logs more structured and supports more advanced querying and filtering
- Querying and filtering:
  - syslog querying and filtering is usually done with command-line tools (such as grep) or dedicated tools (such as logrotate)
  - journalctl provides richer and more powerful querying and filtering, with filters on time, service unit, log level and several other conditions. This makes finding and analysing a specific event more convenient
- Real-time viewing:
  - syslog usually uses the tail command to follow the end of a log file in real time
  - journalctl can use the -f or --follow option to view the latest logs in real time
- Services and dependencies:
  - syslog is a general-purpose logging service that can be implemented by several logging daemons (such as rsyslog, syslog-ng)
  - journalctl is part of the systemd system and depends on the systemd-journald service
- Configuration file paths:
  - the syslog configuration file is /etc/rsyslog.conf
  - the journalctl configuration file is /etc/systemd/journald.conf
- Overall, journalctl is part of systemd and provides more modern, structured and powerful log management, but this does not mean syslog is obsolete. On some systems both coexist, and some tools and services may still use traditional syslog. Which one to use depends on the system's requirements and the administrator's preferences.
Common commands
List started services
systemctl list-units --type=service --state=active
UNIT                               LOAD   ACTIVE SUB     DESCRIPTION
aegis.service                      loaded active running Aegis Service
aliyun.service                     loaded active running Aliyun Assist
AssistDaemon.service               loaded active running AssistDaemon
atd.service                        loaded active running Job spooling tools
auditd.service                     loaded active running Security Auditing Service
chronyd.service                    loaded active running NTP client/server
cloud-config.service               loaded active exited  Apply the settings specified in cloud-config
cloud-final.service                loaded active exited  Execute cloud user/final scripts
cloud-init-local.service           loaded active exited  Initial cloud-init job (pre-networking)
cloud-init.service                 loaded active exited  Initial cloud-init job (metadata service crawler)
crond.service                      loaded active running Command Scheduler
dbus.service                       loaded active running D-Bus System Message Bus
getty@tty1.service                 loaded active running Getty on tty1
getty@tty2.service                 loaded active running Getty on tty2
gssproxy.service                   loaded active running GSSAPI Proxy Daemon
kmod-static-nodes.service          loaded active exited  Create list of required static device nodes for the current kernel
network.service                    loaded active running LSB: Bring up/down networking
polkit.service                     loaded active running Authorization Manager
postfix.service                    loaded active running Postfix Mail Transport Agent
rhel-dmesg.service                 loaded active exited  Dump dmesg to /var/log/dmesg
rhel-domainname.service            loaded active exited  Read and set NIS domainname from /etc/sysconfig/network
rhel-import-state.service          loaded active exited  Import network configuration from initramfs
rhel-readonly.service              loaded active exited  Configure read-only root support
rpcbind.service                    loaded active running RPC bind service
rsyslog.service                    loaded active running System Logging Service
serial-getty@ttyS0.service         loaded active running Serial Getty on ttyS0
sshd.service                       loaded active running OpenSSH server daemon
sysstat.service                    loaded active exited  Resets System Activity Logs
systemd-fsck-root.service          loaded active exited  File System Check on Root Device
systemd-journal-flush.service      loaded active exited  Flush Journal to Persistent Storage
systemd-journald.service           loaded active running Journal Service
systemd-logind.service             loaded active running Login Service
systemd-random-seed.service        loaded active exited  Load/Save Random Seed
systemd-remount-fs.service         loaded active exited  Remount Root and Kernel File Systems
systemd-sysctl.service             loaded active exited  Apply Kernel Variables
systemd-tmpfiles-setup-dev.service loaded active exited  Create Static Device Nodes in /dev
systemd-tmpfiles-setup.service     loaded active exited  Create Volatile Files and Directories
systemd-udev-trigger.service       loaded active exited  udev Coldplug all Devices
systemd-udevd.service              loaded active running udev Kernel Device Manager
systemd-update-utmp.service        loaded active exited  Update UTMP about System Boot/Shutdown
systemd-user-sessions.service      loaded active exited  Permit User Sessions
systemd-vconsole-setup.service     loaded active exited  Setup Virtual Console
tuned.service                      loaded active running Dynamic System Tuning Daemon
LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.
43 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
Query a service: latest logs
[root@iZwz93v6r4t2hixjvy9acoZ ~]# journalctl -u sshd -f
-- Logs begin at Tue 2024-04-09 10:35:44 CST. --
May 15 15:54:41 iZwz93v6r4t2hixjvy9acoZ sshd[7892]: Failed password for admin from 120.76.138.179 port 35866 ssh2
May 15 15:54:41 iZwz93v6r4t2hixjvy9acoZ sshd[7892]: Received disconnect from 120.76.138.179 port 35866:11: Bye Bye [preauth]
May 15 15:54:41 iZwz93v6r4t2hixjvy9acoZ sshd[7892]: Disconnected from 120.76.138.179 port 35866 [preauth]
May 15 18:14:21 iZwz93v6r4t2hixjvy9acoZ sshd[952]: Bad protocol version identification 'MGLNDD_112.74.62.175_22' from 52.160.38.231 port 36412
May 15 18:21:49 iZwz93v6r4t2hixjvy9acoZ sshd[2473]: Bad protocol version identification '\026\003\001' from 106.75.117.86 port 17348
May 15 18:21:50 iZwz93v6r4t2hixjvy9acoZ sshd[2474]: Bad protocol version identification 'GET / HTTP/1.1' from 106.75.117.86 port 17396
May 15 19:20:23 iZwz93v6r4t2hixjvy9acoZ sshd[13066]: Connection reset by 198.235.24.182 port 57536 [preauth]
May 15 20:15:57 iZwz93v6r4t2hixjvy9acoZ sshd[23226]: Accepted password for root from 36.111.36.149 port 13826 ssh2
May 15 20:20:33 iZwz93v6r4t2hixjvy9acoZ sshd[24091]: Did not receive identification string from 87.236.176.86 port 38419
May 15 20:20:34 iZwz93v6r4t2hixjvy9acoZ sshd[24092]: Connection closed by 87.236.176.86 port 51943 [preauth]
- -u sshd
  - u is short for Unit: query the logs of the sshd service
- -f
  - Like tail -f, shows log entries in real time, i.e. the display keeps updating as new entries are produced
Query a service: logs after a point in time, filtered by keyword
journalctl -u sshd --since "2024-05-15" | grep Connection
or
journalctl -u sshd --since today | grep Connection
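As an added example (not part of the original notes), the same sshd query as above but read through journalctl's JSON output instead of piping text to grep, so the structured fields can be used: it counts failed-password and bad-protocol events per source address and lists sources that exceed a threshold. The regexes, the threshold, the unit filter and the sample records are my own assumptions; the field names MESSAGE and _SYSTEMD_UNIT are real journal fields.

```python
import json
import re
import subprocess
from collections import Counter

# Message shapes seen in the sshd journal output above (regexes are my own assumptions).
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
BAD_PROTO_RE = re.compile(r"Bad protocol version identification .* from (\S+) port \d+")

def parse_journal_json(text):
    """Parse `journalctl -o json` output: one JSON object per line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def summarize(entries):
    """Count failed-password and bad-protocol events per source address; only sshd.service
    records count, selected on the structured _SYSTEMD_UNIT field instead of grepping text."""
    failed, bad_proto = Counter(), Counter()
    for e in entries:
        if e.get("_SYSTEMD_UNIT") != "sshd.service":
            continue
        msg = e.get("MESSAGE", "")
        if m := FAILED_RE.search(msg):
            failed[m.group(2)] += 1
        elif m := BAD_PROTO_RE.search(msg):
            bad_proto[m.group(1)] += 1
    return failed, bad_proto

def noisy_sources(counter, threshold=3):
    """Addresses with at least `threshold` events, most frequent first (threshold is assumed)."""
    return [addr for addr, n in counter.most_common() if n >= threshold]

def read_live_journal(since="today"):
    """Same query as `journalctl -u sshd --since today`, as JSON (needs journalctl on the host)."""
    cmd = ["journalctl", "-u", "sshd", "--since", since, "-o", "json", "--no-pager"]
    return parse_journal_json(subprocess.run(cmd, capture_output=True, text=True, check=True).stdout)

# Constructed sample records in `journalctl -o json` shape (not real captured data).
SAMPLE = "\n".join(json.dumps(r) for r in [
    {"_SYSTEMD_UNIT": "sshd.service", "MESSAGE": "Failed password for admin from 192.0.2.10 port 35866 ssh2"},
    {"_SYSTEMD_UNIT": "sshd.service", "MESSAGE": "Failed password for admin from 192.0.2.10 port 35868 ssh2"},
    {"_SYSTEMD_UNIT": "sshd.service", "MESSAGE": "Failed password for invalid user test from 192.0.2.10 port 35870 ssh2"},
    {"_SYSTEMD_UNIT": "sshd.service", "MESSAGE": "Bad protocol version identification 'GET / HTTP/1.1' from 198.51.100.7 port 17396"},
    {"_SYSTEMD_UNIT": "sshd.service", "MESSAGE": "Accepted password for root from 203.0.113.5 port 13826 ssh2"},
    {"_SYSTEMD_UNIT": "crond.service", "MESSAGE": "Failed password for root from 203.0.113.9 port 1 ssh2"},
])

if __name__ == "__main__":
    failed, bad_proto = summarize(parse_journal_json(SAMPLE))
    print("failed:", dict(failed), "bad protocol:", dict(bad_proto), "noisy:", noisy_sources(failed))
```

Replace `parse_journal_json(SAMPLE)` with `read_live_journal()` to run it against the host's own journal.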
View kernel logs (application logs are not shown)
journalctl -k -f
- -k, --dmesg
  - Show kernel message log from the current boot

View logs from the current boot of the system
journalctl -b -f