Find logs between two dates
journalctl --since "2016-10-18 06:50" --until "2016-10-18 09:00"
journalctl --since yesterday -p err
By service and/or by PID
journalctl -u pacemaker.service --since "2017-02-24 16:00" -p warning
journalctl _SYSTEMD_UNIT=avahi-daemon.service _PID=28097 + _SYSTEMD_UNIT=dbus.service
See also
ps -f -p 28097
systemctl status 28097
# By PPID
ps -f --ppid 1
Errors at boot
journalctl -b -p err
tailf
# dmesg -l warn
journalctl -f -p warning
Open a specific file
journalctl --file /tmp/plop.journal
Filter JSON logs
journalctl -u nginx -o json-pretty | jq '. | select(.SYSLOG_IDENTIFIER=="plop")'
sudo commands
# journalctl -b -t sudo -p 5 -u session-*.scope
Sep 12 08:19:01 vmdeb01 sudo[601]: admin : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/bash
Arguments:
--no-pager
-f : tail -f
Source: https://geekeries.de-labrusse.fr/?p=3189
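An added example (not from the original page or its sources): turning the output of the sudo query above, run with -o json, into structured records so that refused attempts and root shells stand out. The sample lines, the SHELLS list and the function names are constructed for illustration.

```python
import json

# Constructed sample of `journalctl -b -t sudo -o json` output (one JSON object per line).
SAMPLE = "\n".join(json.dumps(e) for e in [
    {"_HOSTNAME": "vmdeb01", "MESSAGE":
        "   admin : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/bash"},
    # journalctl's JSON output encodes non-printable values (here a trailing \r) as byte arrays.
    {"_HOSTNAME": "vmdeb01", "MESSAGE": list(
        b"   bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ;"
        b" COMMAND=/usr/bin/less /var/log/auth.log\r")},
    {"_HOSTNAME": "vmdeb01", "MESSAGE":
        "pam_unix(sudo:session): session opened for user root(uid=0) by admin(uid=1000)"},
    {"_HOSTNAME": "vmdeb01", "MESSAGE": None},  # oversized field, emitted as null without --all
])

# Assumption: local list of interpreters worth flagging when run as root.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/sh", "/usr/bin/bash", "/usr/bin/zsh"}

def message_text(entry):
    """Return MESSAGE as a stripped str, decoding the byte-array form; None if absent."""
    msg = entry.get("MESSAGE")
    if isinstance(msg, list):
        msg = bytes(msg).decode("utf-8", errors="replace")
    return msg.strip() if isinstance(msg, str) else None

def parse_sudo(msg):
    """Parse 'invoker : [note ;] TTY=.. ; PWD=.. ; USER=.. ; COMMAND=..', else None."""
    invoker, sep, rest = msg.partition(" : ")
    head, cmd_sep, command = rest.partition("COMMAND=")
    if not sep or not cmd_sep:
        return None  # PAM session lines and other records without a command
    event = {"invoker": invoker.strip(), "command": command, "note": None}
    for part in filter(None, (p.strip() for p in head.split(";"))):
        key, eq, value = part.partition("=")
        if eq:
            event[key.lower()] = value   # tty, pwd, user (the target account)
        else:
            event["note"] = part         # refusal reason, e.g. "user NOT in sudoers"
    return event

def sudo_events(text):
    events = []
    for line in text.splitlines():
        entry = json.loads(line)
        msg = message_text(entry)
        event = parse_sudo(msg) if msg else None
        if event:
            binary = (event["command"].split() or [""])[0]
            event["host"] = entry.get("_HOSTNAME")
            event["root_shell"] = event.get("user") == "root" and binary in SHELLS
            event["denied"] = event["note"] is not None
            events.append(event)
    return events
```

On a live host the same function can be fed the text returned by the journalctl query instead of SAMPLE.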
By default, journalctl shows only the logs from the last boot
# journalctl --boot=-1
Failed to look up boot -1: Cannot assign requested address
To get persistent logs:
/etc/systemd/journald.conf
[Journal]
#Storage=auto
Storage=persistent
Compress=yes
#SystemMaxUse=
SystemMaxUse=250M
#ForwardToSyslog=yes
mkdir /var/log/journal
systemd-tmpfiles --create --prefix /var/log/journal
systemctl restart systemd-journald
Source : https://docs.docker.com/engine/logging/drivers/journald/
| Field | Description |
| --- | --- |
| CONTAINER_ID | The container ID truncated to 12 characters. |
| CONTAINER_ID_FULL | The full 64-character container ID. |
| CONTAINER_NAME | The container name at the time it was started. If you use docker rename to rename a container, the new name isn't reflected in the journal entries. |
| CONTAINER_TAG, SYSLOG_IDENTIFIER | The container tag (log tag option documentation). |
| CONTAINER_PARTIAL_MESSAGE | A field that flags log integrity. Improve logging of long log lines. |
| IMAGE_NAME | The name of the container image. |
Use the journalctl command to retrieve log messages. You can apply filter expressions to limit the retrieved messages to those associated with a specific container:
sudo journalctl CONTAINER_NAME=webserver
You can use additional filters to further limit the messages retrieved. The -b flag only retrieves messages generated since the last system boot:
sudo journalctl -b CONTAINER_NAME=webserver
The -o flag specifies the format for the retrieved log messages. Use -o json to return the log messages in JSON format.
sudo journalctl -o json CONTAINER_NAME=webserver
View logs for a container with a TTY enabled
If TTY is enabled on a container you may see [10B blob data] in the output when retrieving log messages. The reason for that is that \r is appended to the end of the line and journalctl doesn't strip it automatically unless --all is set:
sudo journalctl -b CONTAINER_NAME=webserver --all
Retrieve log messages with the journal API
This example uses the systemd Python module to retrieve container logs:
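import systemd.journal
# Open the local journal and keep only entries from the container named "web"
reader = systemd.journal.Reader()
reader.add_match('CONTAINER_NAME=web')
# Each entry is a dict of journal fields
for msg in reader:
    print('{CONTAINER_ID_FULL}: {MESSAGE}'.format(**msg))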
/etc/systemd/journald.conf
[Journal]
RateLimitInterval=10s
RateLimitBurst=6000
/var/log/message empty?
# journalctl
No journal files were found.
-- No entries --
Solution
systemctl restart systemd-journald
systemctl restart rsyslog.service