This document by Feng Ge (风哥) introduces systemd log management: the concept of journalctl, the differences between journalctl and rsyslog, the structure of journal entries, log management planning for production environments, best practices, security configuration recommendations, basic journalctl operations, advanced journalctl techniques, journald configuration, hands-on log query and log analysis cases, and troubleshooting of log management problems. It is based on the official Red Hat Enterprise Linux 10 documentation and is intended for Linux operations staff to use in learning and test environments; verify everything yourself before applying it in production.
Part01 - Basic Concepts and Theory
1.1 What journalctl is
journalctl is systemd's log viewing tool, used to query and manage the logs collected by the systemd-journald service. systemd-journald is systemd's logging service and is responsible for collecting and storing system logs. journalctl provides powerful query capabilities and can filter logs by time, service, priority and many other conditions.
- Unified log management
- Structured log storage
- Powerful query capabilities
- Binary (indexed) storage
- Log forwarding
1.2 Differences between journalctl and rsyslog
Differences between journalctl and rsyslog:
- Storage format: the journal is stored in an indexed binary format; rsyslog writes plain text files
- Query capabilities: journalctl offers much richer filtering (time ranges, units, priorities, arbitrary fields)
- Log structure: the journal stores structured key=value fields with every entry
- Compatibility: journald can coexist with rsyslog (see ForwardToSyslog in 3.3.1)
- Performance: journalctl queries are generally faster because the journal is indexed
1.3 Structure of a journal entry
Each journal entry consists of fields such as:
- MESSAGE: the log message text
- __REALTIME_TIMESTAMP: the timestamp
- _HOSTNAME: the host name
- SYSLOG_FACILITY: the syslog facility
- SYSLOG_IDENTIFIER: the syslog identifier (program name)
- _PID: the process ID
- _UID/_GID: the user/group ID
- _SYSTEMD_UNIT: the systemd unit
Part02 - Production Planning and Recommendations
2.1 Planning log management for production
Key points when planning log management for production:
- Configure a log storage strategy
- Configure the log retention period
- Configure log size limits
- Configure log forwarding
- Clean up old logs regularly
Log management considerations:
- Make sure there is enough storage space for logs
- Configure log rotation
- Configure log backups
- Configure log monitoring
- Configure log alerting
2.2 Log management best practices
Log management best practices:
- Storage strategy: configure a sensible log storage strategy
- Retention period: configure a sensible log retention period
- Size limits: configure log size limits
- Log forwarding: forward logs to a remote server, so that a copy survives if the host's disk fills up or the host itself is compromised
- Regular cleanup: clean up expired logs regularly
2.3 Security configuration recommendations for log management
Security configuration recommendations for log management:
- Access control: restrict who can read the logs
- Log encryption: store sensitive logs encrypted
- Audit logging: enable audit logging
- Log integrity: make sure logs cannot be altered without detection
- Log backup: back up logs regularly
Part03 - Production Implementation
3.1 journalctl basics
3.1.1 View all logs
# journalctl
-- Logs begin at Thu 2026-03-31 09:00:00 CST. --
Mar 31 09:00:00 localhost kernel: Linux version 5.14.0-362.8.1.el9_3.x86_64 (mockbuild@x86-01-vm.build.eng.bos.redhat.com) (gcc (GCC) 11.3.1 20221121 (Red Hat 11.3.1-4), GNU ld version 2.35.2-37.el9) #1 SMP PREEMPT_DYNAMIC Wed Nov 8 11:1
Mar 31 09:00:00 localhost kernel: Command line: BOOT_IMAGE=(hd0,msdos1)/vmlinuz-5.14.0-362.8.1.el9_3.x86_64 root=/dev/mapper/rhel-root ro crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet
Mar 31 09:00:00 localhost kernel: x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'
Mar 31 09:00:00 localhost kernel: x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers'
Mar 31 09:00:00 localhost kernel: x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers'
Mar 31 09:00:00 localhost kernel: x86/fpu: xstate_offset[2]: 576, xstate_sizes[2]: 256
Mar 31 09:00:00 localhost kernel: x86/fpu: Enabled xstate features 0x7, context size is 832 bytes, using 'compacted' format.
Mar 31 09:00:00 localhost kernel: signal: max sigframe size: 1776
Mar 31 09:00:00 localhost kernel: BIOS-provided physical RAM map:
...
# View logs in reverse order (newest first)
# journalctl -r
-- Logs begin at Thu 2026-03-31 09:00:00 CST. --
Mar 31 10:30:00 localhost sshd[1234]: Accepted password for root from 192.168.1.100 port 54321 ssh2
Mar 31 10:29:55 localhost sshd[1234]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Mar 31 10:29:50 localhost systemd[1]: Started OpenSSH server daemon.
...
# View the last 10 entries without the pager (-n limits the number of entries)
# journalctl -n 10 --no-pager
Mar 31 10:30:00 localhost sshd[1234]: Accepted password for root from 192.168.1.100 port 54321 ssh2
Mar 31 10:29:55 localhost sshd[1234]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Mar 31 10:29:50 localhost systemd[1]: Started OpenSSH server daemon.
Mar 31 10:29:45 localhost nginx[5678]: 192.168.1.100 - - [31/Mar/2026:10:29:45 +0800] "GET / HTTP/1.1" 200 612
Mar 31 10:29:40 localhost crond[9012]: (root) CMD (/usr/local/bin/backup.sh)
Mar 31 10:29:35 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:c0:00:08:00:50:56:c0:00:01:08:00 SRC=192.168.1.200 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=54321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 31 10:29:30 localhost systemd[1]: Starting Daily apt download activities...
Mar 31 10:29:25 localhost NetworkManager[3456]:
Mar 31 10:29:20 localhost dbus-daemon[7890]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service' requested by ':1.234' (uid=0 pid=3456 comm="/usr/sbin/NetworkManager --no-daemon" label="system_u:system_r:NetworkManager_t:s0")
Mar 31 10:29:15 localhost audit[1111]: USER_LOGIN pid=1111 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.1.100 addr=192.168.1.100 terminal=/dev/pts/0 res=success'
3.1.2 Filter logs by time
# journalctl -n 10
# View today's logs
# journalctl --since today
# View yesterday's logs
# journalctl --since yesterday --until today
# View logs in a specific time range
# journalctl --since "2026-03-31 10:00:00" --until "2026-03-31 11:00:00"
# View the last hour of logs
# journalctl --since "1 hour ago"
# View the last 30 minutes of logs
# journalctl --since "30 minutes ago"
# View the logs of a specific date
# journalctl --since "2026-03-31" --until "2026-04-01"
3.1.3 Filter logs by service
# journalctl -u nginx
-- Logs begin at Thu 2026-03-31 09:00:00 CST. --
Mar 31 10:00:00 localhost systemd[1]: Starting nginx - high performance web server...
Mar 31 10:00:00 localhost nginx[1234]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Mar 31 10:00:00 localhost systemd[1]: Started nginx - high performance web server.
Mar 31 10:05:00 localhost nginx[1234]: 192.168.1.100 - - [31/Mar/2026:10:05:00 +0800] "GET / HTTP/1.1" 200 612
Mar 31 10:10:00 localhost nginx[1234]: 192.168.1.101 - - [31/Mar/2026:10:10:00 +0800] "GET /index.html HTTP/1.1" 200 612
# View the logs of the sshd service
# journalctl -u sshd
-- Logs begin at Thu 2026-03-31 09:00:00 CST. --
Mar 31 09:00:00 localhost systemd[1]: Starting OpenSSH server daemon...
Mar 31 09:00:00 localhost sshd[1234]: Server listening on 0.0.0.0 port 22.
Mar 31 09:00:00 localhost sshd[1234]: Server listening on :: port 22.
Mar 31 09:30:00 localhost sshd[5678]: Accepted password for root from 192.168.1.100 port 54321 ssh2
Mar 31 09:30:00 localhost sshd[5678]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
# View the logs of several services at once
# journalctl -u nginx -u php-fpm
# Follow a service's logs in real time
# journalctl -u nginx -f
-- Logs begin at Thu 2026-03-31 10:00:00 CST. --
Mar 31 10:30:00 localhost nginx[1234]: 192.168.1.100 - - [31/Mar/2026:10:30:00 +0800] "GET /api/data HTTP/1.1" 200 1024
Mar 31 10:30:05 localhost nginx[1234]: 192.168.1.101 - - [31/Mar/2026:10:30:05 +0800] "POST /api/submit HTTP/1.1" 201 256
3.1.4 Filter logs by priority
# journalctl -p err
# View logs at warning level and more severe
# journalctl -p warning
# View logs at info level and more severe
# journalctl -p info
# Priority levels (0 is the most severe, 7 the least severe):
# 0: emerg (emergency)
# 1: alert
# 2: crit (critical)
# 3: err (error)
# 4: warning
# 5: notice
# 6: info (informational)
# 7: debug
# View only emergency-level logs
# journalctl -p 0
# View error and warning level logs (a FROM..TO range; a single -p value means that level and everything more severe)
# journalctl -p err..warning
3.2 Advanced journalctl techniques
3.2.1 Filter logs by field
# journalctl _PID=1234
# Filter by executable path
# journalctl _EXE=/usr/sbin/nginx
# Filter by command line (field matches are exact: the value must equal the whole field)
# journalctl _CMDLINE=/usr/sbin/nginx
# Filter by user ID
# journalctl _UID=0
# Filter by group ID
# journalctl _GID=0
# Filter by host name
# journalctl _HOSTNAME=localhost
# Filter by systemd unit
# journalctl _SYSTEMD_UNIT=nginx.service
# Filter by systemd user unit
# journalctl _SYSTEMD_USER_UNIT=myapp.service
3.2.2 Log output formats
# journalctl -o json
{ "__CURSOR" : "s=1234567890abcdef1234567890abcdef;i=123456;b=1234567890abcdef1234567890abcdef;m=1234567890abcdef;t=1234567890abcdef;x=1234567890abcdef", "__REALTIME_TIMESTAMP" : "1711852200000000", "__MONOTONIC_TIMESTAMP" : "1234567890", "_BOOT_ID" : "1234567890abcdef1234567890abcdef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_EXE" : "/usr/sbin/nginx", "_CAP_EFFECTIVE" : "1ffffffffff", "_SELINUX_CONTEXT" : "system_u:system_r:httpd_t:s0", "_AUDIT_LOGINUID" : "0", "_SYSTEMD_CGROUP" : "/system.slice/nginx.service", "_SYSTEMD_UNIT" : "nginx.service", "_HOSTNAME" : "localhost", "MESSAGE" : "192.168.1.100 - - [31/Mar/2026:10:30:00 +0800] \"GET / HTTP/1.1\" 200 612", "_PID" : "1234" }
# Output logs in the short (default, syslog-like) format
# journalctl -o short
Mar 31 10:30:00 localhost nginx[1234]: 192.168.1.100 - - [31/Mar/2026:10:30:00 +0800] "GET / HTTP/1.1" 200 612
# Output logs in verbose format (all fields of each entry)
# journalctl -o verbose
Thu 2026-03-31 10:30:00.123456 CST [s=1234567890abcdef1234567890abcdef;i=123456;b=1234567890abcdef1234567890abcdef;m=1234567890abcdef;t=1234567890abcdef;x=1234567890abcdef]
PRIORITY=6
_UID=0
_GID=0
_SYSTEMD_SLICE=system.slice
_TRANSPORT=journal
_EXE=/usr/sbin/nginx
_CAP_EFFECTIVE=1ffffffffff
_SELINUX_CONTEXT=system_u:system_r:httpd_t:s0
_AUDIT_LOGINUID=0
_SYSTEMD_CGROUP=/system.slice/nginx.service
_SYSTEMD_UNIT=nginx.service
_HOSTNAME=localhost
MESSAGE=192.168.1.100 - - [31/Mar/2026:10:30:00 +0800] "GET / HTTP/1.1" 200 612
_PID=1234
3.2.3 Log maintenance operations
# journalctl --disk-usage
Archived and active journals take up 500.0M in the file system.
# Keep only the last 1 day of logs
# journalctl --vacuum-time=1d
Vacuuming done, freed 200.0M of archived journals from /var/log/journal.
# Reduce archived journals to at most 100MB
# journalctl --vacuum-size=100M
Vacuuming done, freed 400.0M of archived journals from /var/log/journal.
# Keep only the 10 most recent journal files (this counts files, not boots)
# journalctl --vacuum-files=10
Vacuuming done, freed 100.0M of archived journals from /var/log/journal.
# List all recorded boots
# journalctl --list-boots
0 Thu 2026-03-31 09:00:00 CST—Thu 2026-03-31 10:30:00 CST
-1 Wed 2026-03-30 09:00:00 CST—Wed 2026-03-30 18:00:00 CST
-2 Tue 2026-03-29 09:00:00 CST—Tue 2026-03-29 20:00:00 CST
# View the logs of the previous boot
# journalctl -b -1
# View the logs of a specific boot (0 is the current boot)
# journalctl -b 0
3.3 journald configuration
3.3.1 The journald configuration file
# cat /etc/systemd/journald.conf
[Journal]
Storage=auto
Compress=yes
SystemMaxUse=500M
SystemMaxFileSize=100M
MaxRetentionSec=1week
ForwardToSyslog=yes
ForwardToKMsg=no
ForwardToConsole=no
ForwardToWall=yes
TTYPath=/dev/console
MaxLevelStore=debug
MaxLevelSyslog=debug
MaxLevelKMsg=notice
MaxLevelConsole=info
MaxLevelWall=emerg
# Option reference:
# Storage: storage mode (volatile, persistent, auto; auto is persistent only if /var/log/journal exists)
# Compress: whether to compress log data
# SystemMaxUse: maximum disk space the persistent journal may use
# SystemMaxFileSize: maximum size of a single journal file
# MaxRetentionSec: maximum time to retain entries
# ForwardToSyslog: whether to forward to syslog
# ForwardToKMsg: whether to forward to the kernel log buffer
# ForwardToConsole: whether to forward to the console
# ForwardToWall: whether to forward to all logged-in users (wall messages)
# MaxLevel*: the highest (least severe) priority stored or forwarded to each target
3.3.2 Configuring persistent storage
# 1. Create the journal directory
# mkdir -p /var/log/journal
# 2. Set the directory ownership and permissions
# systemd-tmpfiles --create --prefix /var/log/journal
# 3. Modify the journald configuration (this overwrites the file; a drop-in under /etc/systemd/journald.conf.d/ is an alternative that leaves the distribution file untouched)
# cat > /etc/systemd/journald.conf << 'EOF'
[Journal]
Storage=persistent
Compress=yes
SystemMaxUse=1G
SystemMaxFileSize=100M
MaxRetentionSec=1month
ForwardToSyslog=yes
EOF
# 4. Restart the journald service
# systemctl restart systemd-journald
# 5. Verify the configuration
# journalctl --disk-usage
Archived and active journals take up 50.0M in the file system.
# 6. Inspect the journal files
# ls -la /var/log/journal/
total 12
drwxr-sr-x. 3 root systemd-journal 4096 Mar 31 10:00 .
drwxr-xr-x. 10 root root 4096 Mar 31 09:00 ..
drwxr-sr-x. 2 root systemd-journal 4096 Mar 31 10:00 1234567890abcdef1234567890abcdef
# ls -la /var/log/journal/1234567890abcdef1234567890abcdef/
total 102400
-rw-r-----+ 1 root systemd-journal 8388608 Mar 31 10:00 system.journal
-rw-r-----+ 1 root systemd-journal 8388608 Mar 31 09:00 system@1234567890abcdef-1234567890abcdef.journal
Part04 - Production Cases and Hands-on Explanations
4.1 Log query cases
4.1.1 Troubleshooting a service that fails to start
# 1. Check the service's recent logs
# journalctl -u nginx -n 20
-- Logs begin at Thu 2026-03-31 09:00:00 CST. --
Mar 31 10:00:00 localhost systemd[1]: Starting nginx - high performance web server...
Mar 31 10:00:00 localhost nginx[1234]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Mar 31 10:00:00 localhost nginx[1234]: nginx: configuration file /etc/nginx/nginx.conf test failed
Mar 31 10:00:00 localhost systemd[1]: nginx.service: Control process exited, code=exited status=1
Mar 31 10:00:00 localhost systemd[1]: nginx.service: Failed with result 'exit-code'.
Mar 31 10:00:00 localhost systemd[1]: Failed to start nginx - high performance web server.
# 2. Check which process holds the port
# ss -tlnp | grep :80
LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("httpd",pid=5678,fd=4))
# 3. Stop the httpd service
# systemctl stop httpd
# 4. Start nginx again
# systemctl start nginx
# 5. Verify that the service started
# journalctl -u nginx -n 5
Mar 31 10:05:00 localhost systemd[1]: Starting nginx - high performance web server...
Mar 31 10:05:00 localhost nginx[1234]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Mar 31 10:05:00 localhost systemd[1]: Started nginx - high performance web server.
4.2 Log analysis cases
4.2.1 Analysing failed SSH logins
# 1. List failed password attempts in the last hour
# journalctl -u sshd --since "1 hour ago" | grep "Failed password"
Mar 31 10:00:00 localhost sshd[1234]: Failed password for root from 192.168.1.200 port 54321 ssh2
Mar 31 10:05:00 localhost sshd[1235]: Failed password for root from 192.168.1.200 port 54322 ssh2
Mar 31 10:10:00 localhost sshd[1236]: Failed password for admin from 192.168.1.200 port 54323 ssh2
Mar 31 10:15:00 localhost sshd[1237]: Failed password for root from 192.168.1.200 port 54324 ssh2
Mar 31 10:20:00 localhost sshd[1238]: Failed password for root from 192.168.1.200 port 54325 ssh2
# 2. Count the failed logins
# journalctl -u sshd --since "1 hour ago" | grep "Failed password" | wc -l
5
# 3. Count failed logins per source IP address
# journalctl -u sshd --since "1 hour ago" | grep "Failed password" | awk '{print $11}' | sort | uniq -c
4 192.168.1.200
1 192.168.1.201
# 4. Count failed logins per user name
# journalctl -u sshd --since "1 hour ago" | grep "Failed password" | awk '{print $9}' | sort | uniq -c
4 root
1 admin
# 5. View the login attempts from a specific IP
# journalctl -u sshd --since "1 hour ago" | grep "192.168.1.200"
Mar 31 10:00:00 localhost sshd[1234]: Failed password for root from 192.168.1.200 port 54321 ssh2
Mar 31 10:05:00 localhost sshd[1235]: Failed password for root from 192.168.1.200 port 54322 ssh2
Mar 31 10:15:00 localhost sshd[1237]: Failed password for root from 192.168.1.200 port 54324 ssh2
Mar 31 10:20:00 localhost sshd[1238]: Failed password for root from 192.168.1.200 port 54325 ssh2
# 6. Block the offending IP in the firewall
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.200" reject'
# firewall-cmd --reload
# 7. Review the firewall rules
# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.1.200" reject
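The per-IP and per-user counts above rely on fixed awk columns ($11 and $9), which break on "Failed password for invalid user X from IP" lines. The following shell functions are an added example, not part of the original tutorial, that key on the words "for" and "from" instead and add a threshold to pick out brute-force sources; the sample log lines are constructed.

```shell
# Added example (not from the original tutorial): count sshd "Failed password"
# events per source IP and per user name from journalctl short-format output.
# Instead of the fixed $9/$11 columns used above, it keys on the words "for"
# and "from", so lines of the form "Failed password for invalid user X from IP"
# (which shift every column) are counted correctly too.

# Constructed sample of `journalctl -u sshd` output (not real log data).
SAMPLE_SSHD_LOG='Mar 31 10:00:00 localhost sshd[1234]: Failed password for root from 192.168.1.200 port 54321 ssh2
Mar 31 10:05:00 localhost sshd[1235]: Failed password for root from 192.168.1.200 port 54322 ssh2
Mar 31 10:10:00 localhost sshd[1236]: Failed password for admin from 192.168.1.200 port 54323 ssh2
Mar 31 10:12:00 localhost sshd[1239]: Failed password for invalid user oracle from 192.168.1.201 port 54330 ssh2
Mar 31 10:15:00 localhost sshd[1240]: Accepted password for root from 192.168.1.100 port 54324 ssh2'

# failed_by_ip: read log lines on stdin, print "<count> <ip>", most frequent first.
failed_by_ip() {
    grep 'Failed password' | awk '{
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
        n[ip]++
    } END { for (k in n) print n[k], k }' | sort -rn
}

# failed_by_user: same, keyed on the user name; unwraps "invalid user <name>".
failed_by_user() {
    grep 'Failed password' | awk '{
        for (i = 1; i <= NF; i++) if ($i == "for") {
            u = ($(i + 1) == "invalid" && $(i + 2) == "user") ? $(i + 3) : $(i + 1)
            break
        }
        n[u]++
    } END { for (k in n) print n[k], k }' | sort -rn
}

# offending_ips THRESHOLD: IPs with at least THRESHOLD failures, i.e. the
# brute-force candidates that step 6 above would block.
offending_ips() {
    failed_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Offline: printf '%s\n' "$SAMPLE_SSHD_LOG" | failed_by_ip
# Live:    journalctl -u sshd --since "1 hour ago" | offending_ips 5
```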
4.3 Troubleshooting log management problems
4.3.1 Running out of log storage space
# Analysis steps:
# 1. Check how much space the journal uses
# journalctl --disk-usage
Archived and active journals take up 2.0G in the file system.
# 2. Check free disk space
# df -h /var/log/journal/
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 10G 9.5G 500M 95% /
# 3. Remove expired logs
# journalctl --vacuum-time=7d
Vacuuming done, freed 1.5G of archived journals from /var/log/journal.
# 4. Limit the journal size
# cat > /etc/systemd/journald.conf << 'EOF'
[Journal]
Storage=persistent
Compress=yes
SystemMaxUse=500M
SystemMaxFileSize=50M
MaxRetentionSec=1week
EOF
# 5. Restart the journald service
# systemctl restart systemd-journald
# 6. Verify the configuration
# journalctl --disk-usage
Archived and active journals take up 200.0M in the file system.
# 7. Preventive measures
# - Clean up expired logs regularly
# - Configure sensible log size limits
# - Monitor disk space
# - Configure log rotation
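Both 3.3.2 and 4.3.1 write a journald.conf by hand, and a mis-sized SystemMaxUse is exactly what leads to the full disk above. The following shell functions are an added example, not part of the original tutorial, that parse such a file and flag the settings a production review would question; the sample configuration is constructed and the available-space figure is passed in as a parameter so the check runs offline.

```shell
# Added example (not from the original tutorial): sanity-check the journald
# settings written in 3.3.2 and 4.3.1. Reads a journald.conf-style file,
# converts the size caps to bytes and flags: non-persistent storage, no size
# cap, a cap larger than the free space, or a per-file cap above the total cap.

# Constructed sample configuration (assumed content, not from a real host).
SAMPLE_JOURNALD_CONF='[Journal]
Storage=persistent
Compress=yes
SystemMaxUse=500M
SystemMaxFileSize=50M
MaxRetentionSec=1week'

# conf_get FILE KEY: value of KEY inside the [Journal] section, or empty.
conf_get() {
    awk -F= -v key="$2" '
        /^\[/ { in_journal = ($0 == "[Journal]"); next }
        in_journal && $1 == key { print $2; exit }' "$1"
}
# to_bytes SIZE: journald size syntax (K/M/G/T suffix or plain bytes) to bytes.
to_bytes() {
    case "$1" in
        *K) echo $(( ${1%K} * 1024 )) ;;
        *M) echo $(( ${1%M} * 1024 * 1024 )) ;;
        *G) echo $(( ${1%G} * 1024 * 1024 * 1024 )) ;;
        *T) echo $(( ${1%T} * 1024 * 1024 * 1024 * 1024 )) ;;
        *)  echo "$1" ;;
    esac
}
# check_journald_conf FILE AVAIL_BYTES: print one finding per line, return 1
# if any. AVAIL_BYTES is a parameter so the check runs offline; on a live
# host pass: df --output=avail -B1 /var/log/journal | tail -n 1
check_journald_conf() {
    file=$1; avail=$2; rc=0
    storage=$(conf_get "$file" Storage)
    max_use=$(conf_get "$file" SystemMaxUse)
    max_file=$(conf_get "$file" SystemMaxFileSize)
    [ "$storage" = persistent ] || { echo "Storage=${storage:-unset}: set Storage=persistent so logs survive a reboot"; rc=1; }
    if [ -z "$max_use" ]; then
        echo "SystemMaxUse unset: journald defaults to 10% of the filesystem, capped at 4G"; rc=1
    else
        use_b=$(to_bytes "$max_use")
        [ "$use_b" -le "$avail" ] || { echo "SystemMaxUse=$max_use exceeds the available space"; rc=1; }
        [ -z "$max_file" ] || [ "$(to_bytes "$max_file")" -le "$use_b" ] \
            || { echo "SystemMaxFileSize=$max_file is larger than SystemMaxUse"; rc=1; }
    fi
    return $rc
}
```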
Part05 - Feng Ge's Experience and Lessons Learned
5.1 Log management lessons
Log management lessons:
- Storage strategy: configure a sensible log storage strategy
- Retention period: configure a sensible log retention period
- Size limits: configure log size limits
- Log forwarding: forward logs to a remote server
- Regular cleanup: clean up expired logs regularly
5.2 Log management checklist
Log management checklist:
- Before configuring: plan the log storage strategy
- While configuring: check the configuration syntax
- After configuring: verify that logs are being recorded
- In operation: review the logs regularly
- During maintenance: clean up expired logs regularly
- When troubleshooting: read the logs and analyse the cause
5.3 Recommended log management tools
Recommended log management tools:
- journalctl: systemd's log viewing tool
- rsyslog: the traditional syslog service
- logrotate: log rotation tool
- grep/awk/sed: log analysis tools
- ELK Stack: log collection and analysis platform
This document was compiled and published by 风哥教程 (Feng Ge Tutorials) for learning and testing purposes only; when reposting, credit the source: http://www.fgedu.net.cn/10327.html
