{{tag>SystemD}}
= Systemd journalctl journal logs
See https://www.digitalocean.com/community/tutorials/how-to-use-journalctl-to-view-and-manipulate-systemd-logs
== Querying the logs: search and find
Find logs between two dates
See [[find_entre_deux_dates]]
journalctl --since "2016-10-18 06:50" --until "2016-10-18 09:00"
journalctl --since yesterday -p err
By service and/or by PID
journalctl -u pacemaker.service --since "2017-02-24 16:00" -p warning
journalctl _SYSTEMD_UNIT=avahi-daemon.service _PID=28097 + _SYSTEMD_UNIT=dbus.service
See also
ps -f -p 28097
systemctl status 28097
# By PPID
ps -f --ppid 1
Errors at boot
journalctl -b -p err
Follow the logs (tailf)
# dmesg -l warn
journalctl -f -p warning
Open a specific file
journalctl --file /tmp/plop.journal
Filter JSON logs
journalctl -u nginx -o json-pretty | jq '. | select(.SYSLOG_IDENTIFIER=="plop")'
sudo commands
# journalctl -b -t sudo -p 5 -u 'session-*.scope'
Sep 12 08:19:01 vmdeb01 sudo[601]: admin : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/bash
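Added example, not part of the original page: a parser that turns the sudo records shown above, exported with ''-o json'', into structured events and flags successful root shells. The message layout in the regex, the shell watch list and every sample record except the ''admin'' one are assumptions or constructed values.

```python
import json
import re
import sys

# Assumed sudo layout: "<invoker> : [<failure> ;] TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
SUDO_RE = re.compile(
    r"^\s*(?P<invoker>\S+) : (?:(?P<failure>[^=;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.*?) ; USER=(?P<user>\S+) ; "
    r"(?:\S+=.*? ; )*COMMAND=(?P<command>.*)$"
)
SHELLS = {"sh", "bash", "dash", "zsh", "su"}  # hypothetical watch list

def message_text(entry):
    """journalctl -o json emits MESSAGE as a byte array when it contains e.g. a \\r."""
    msg = entry.get("MESSAGE", "")
    if isinstance(msg, list):
        msg = bytes(msg).decode("utf-8", "replace")
    return msg.rstrip("\r\n")

def parse_sudo_events(lines):
    """Yield one dict per sudo command record; PAM session lines are skipped.
    root_shell is True for a successful run, as root, of a binary in SHELLS."""
    for line in lines:
        if not line.strip():
            continue
        entry = json.loads(line)
        m = SUDO_RE.match(message_text(entry))
        if not m:
            continue
        ev = m.groupdict()
        ev["host"], ev["pid"] = entry.get("_HOSTNAME"), entry.get("_PID")
        binary = (ev["command"].split() or [""])[0].rsplit("/", 1)[-1]
        ev["root_shell"] = ev["failure"] is None and ev["user"] == "root" and binary in SHELLS
        yield ev

# Constructed sample records, shaped like `journalctl -t sudo -o json` output lines.
SAMPLE = [json.dumps(e) for e in (
    {"_HOSTNAME": "vmdeb01", "_PID": "601",
     "MESSAGE": "   admin : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/bash"},
    {"MESSAGE": "pam_unix(sudo:session): session opened for user root by admin(uid=0)"},
    {"_HOSTNAME": "vmdeb01", "_PID": "733",
     "MESSAGE": "     bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -"},
    {"_HOSTNAME": "vmdeb01", "_PID": "802",  # trailing \r, so MESSAGE arrives as a byte array
     "MESSAGE": list(b"  deploy : TTY=pts/2 ; PWD=/srv ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx\r")},
)]

if __name__ == "__main__":
    for ev in parse_sudo_events(SAMPLE if sys.stdin.isatty() else sys.stdin):
        print(ev)
```

To run it on real data, pipe ''journalctl -b -t sudo -o json'' into the script; without piped input it prints the events from the constructed sample.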
=== Display options
Arguments:
  * ''--no-pager''
  * ''-f'': follow, like tail -f
== Configuration
=== Making the journal persistent
Source: https://geekeries.de-labrusse.fr/?p=3189
By default, journalctl shows only the logs from the last boot
# journalctl --boot=-1
Failed to look up boot -1: Cannot assign requested address
To make the logs persistent:
''/etc/systemd/journald.conf''
[Journal]
#Storage=auto
Storage=persistent
Compress=yes
#SystemMaxUse=
SystemMaxUse=250M
#ForwardToSyslog=yes
mkdir /var/log/journal
systemd-tmpfiles --create --prefix /var/log/journal
systemctl restart systemd-journald
== Journalctl and containers
Source: https://docs.docker.com/engine/logging/drivers/journald/
|CONTAINER_ID | The container ID truncated to 12 characters. |
|CONTAINER_ID_FULL | The full 64-character container ID. |
|CONTAINER_NAME | The container name at the time it was started. If you use docker rename to rename a container, the new name isn't reflected in the journal entries. |
|CONTAINER_TAG,\\ SYSLOG_IDENTIFIER| The container tag (log tag option documentation). |
|CONTAINER_PARTIAL_MESSAGE | A field that flags log integrity. Improve logging of long log lines. |
|IMAGE_NAME | The name of the container image. |
=== Retrieve log messages with journalctl
Use the journalctl command to retrieve log messages. You can apply filter expressions to limit the retrieved messages to those associated with a specific container:
sudo journalctl CONTAINER_NAME=webserver
You can use additional filters to further limit the messages retrieved. The ''-b'' flag only retrieves messages generated since the last system boot:
sudo journalctl -b CONTAINER_NAME=webserver
The ''-o'' flag specifies the format for the retrieved log messages. Use ''-o json'' to return the log messages in JSON format.
sudo journalctl -o json CONTAINER_NAME=webserver
View logs for a container with a TTY enabled
If TTY is enabled on a container you may see [10B blob data] in the output when retrieving log messages. The reason for that is that \r is appended to the end of the line and journalctl doesn't strip it automatically unless ''--all'' is set:
sudo journalctl -b CONTAINER_NAME=webserver --all
==== Journalctl, containers and Python
Retrieve log messages with the journal API
This example uses the systemd Python module to retrieve container logs:
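import systemd.journal

reader = systemd.journal.Reader()
# Keep only the entries logged by the container named "web"
reader.add_match('CONTAINER_NAME=web')

for msg in reader:
    # Each entry is a dict of journal fields
    print('{CONTAINER_ID_FULL}: {MESSAGE}'.format(**msg))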
=== Other
''/etc/systemd/journald.conf''
[Journal]
RateLimitInterval=10s
RateLimitBurst=6000
== Problems
=== Problem: no more logs in journalctl or in /var/log/messages
''/var/log/messages'' empty?
# journalctl
No journal files were found.
-- No entries --
Solution
systemctl restart systemd-journald
systemctl restart rsyslog.service