journald / rsyslog / syslog

Published 2023-06-18 00:09:51, author: lightsong


https://linuxconfig.org/advanced-logging-and-auditing-on-linux

journald is the most popular.

journald is now ubiquitous across Linux systems because of its integration with systemd. Of course, not all Linux distros use systemd, but the vast majority do. rsyslog and syslog are also viable logging tools, but we have grouped them together in this section with journald because we feel that journald has largely replaced rsyslog and syslog in many situations.


On older sysvinit systems, use rsyslog or syslog-ng.

NOTE
journald is not available on systems with a different init system, such as SysV init. In these situations, installing rsyslog or syslog-ng would be recommended for a general purpose logging tool that collects everything in a centralized location.


Advantages:

  • Indexed log files
  • Access control
  • Log filtering

Some of journald’s advantages include:

  • Indexed log files: looking up specific events is much faster and easier than in the plain text files of syslog
  • Access control on log files: users can only view pertinent log files, and root can see all of them
  • Log filtering: easy to find events based on time or level (critical vs warning, etc)


Every log collected by systemd can be viewed.

The journalctl command can be used to view all of the logs collected by systemd. This includes logs related to the system’s kernel, initrd, various services and applications, as well as systemd itself. The journalctl command makes querying all of these logs pretty painless, since systemd gathers and stores all these various logs in a central location for administrators to view.


Use journalctl to view the logs.

You will also find that other security tools like SELinux and AppArmor work hand in hand with journald, as it will store logs that are generated by these other tools. Mastering journald and some of the journalctl Linux command syntax will also help you in becoming more proficient with these other security tools and being able to quickly identify relevant log entries.


  1. Journald can and will log millions of entries in very little time, so it is not generally recommended to run the journalctl command by itself. Instead, the --since and --until options can be used to help you isolate relevant logs that were logged during a certain timeframe. For example, to see all of the logs since yesterday:
    $ journalctl --since yesterday
    
  2. You can also use the options in conjunction with each other.
    $ journalctl --since yesterday --until "2 hours ago"
    
  3. To see entries that have been logged for a particular system service, use the -u flag. For example, to see all entries logged by Apache:
    $ journalctl -u apache2.service
    
  4. To see only kernel related messages, use the -k option.
    $ journalctl -k
    
  5. Since there are so many log entries, it can be helpful to only see those of a certain priority. The highest priority is level 0, and the lowest is level 7. The log levels are as follows:
    0: emergency
    1: alert
    2: critical
    3: error
    4: warning
    5: notice
    6: info
    7: debug
    

    Use the -p option to see logs of a certain level, plus any above it in priority. In this example, we will go with level 3, which is any entry marked as an error, critical, alert, or emergency.
    $ journalctl -p 3
    
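The five steps above all describe selections journalctl applies to journal records. The script below, an added example that is not part of the original post or of the linuxconfig article, reproduces those selections (--since, --until, -u, -k and -p) over a handful of constructed records shaped like the output of `journalctl -o json`, so the priority semantics (`-p 3` keeps level 3 and every more severe level, i.e. PRIORITY numerically 0 to 3) and the "yesterday" / "N hours ago" time specs can be checked offline. The field names MESSAGE, PRIORITY, _SYSTEMD_UNIT, _TRANSPORT and __REALTIME_TIMESTAMP are real journal fields; the record contents, the fixed clock and the helper names (`resolve_time`, `parse_journal_json`, `filter_records`) are this example's own.

```python
"""Apply journalctl-style selections to constructed journald JSON records."""
import json
from datetime import datetime, timedelta, timezone

# Priority levels as listed in the post: 0 is most severe, 7 least severe.
PRIORITY_NAMES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notice", 6: "info", 7: "debug"}

# Fixed clock (an assumption of this example) so "yesterday" and "2 hours ago"
# resolve to the same instants on every run.
NOW = datetime(2023, 6, 18, 12, 0, tzinfo=timezone.utc)


def micros_ago(hours):
    """Microseconds since the epoch, the unit journald uses for __REALTIME_TIMESTAMP."""
    return str(int((NOW - timedelta(hours=hours)).timestamp() * 1_000_000))


# Constructed sample export (one JSON object per line), not data from a real host.
SAMPLE_JSON_LINES = "\n".join(json.dumps(r) for r in [
    {"MESSAGE": "Started The Apache HTTP Server.", "PRIORITY": "6",
     "_SYSTEMD_UNIT": "apache2.service", "_TRANSPORT": "journal", "__REALTIME_TIMESTAMP": micros_ago(40)},
    {"MESSAGE": "AH00558: Could not reliably determine the server's FQDN", "PRIORITY": "4",
     "_SYSTEMD_UNIT": "apache2.service", "_TRANSPORT": "stdout", "__REALTIME_TIMESTAMP": micros_ago(20)},
    {"MESSAGE": "Out of memory: Killed process 4242 (httpd)", "PRIORITY": "3",
     "_TRANSPORT": "kernel", "__REALTIME_TIMESTAMP": micros_ago(5)},
    {"MESSAGE": "Failed to start The Apache HTTP Server.", "PRIORITY": "2",
     "_SYSTEMD_UNIT": "apache2.service", "_TRANSPORT": "journal", "__REALTIME_TIMESTAMP": micros_ago(3)},
    {"MESSAGE": "Accepted publickey for admin from 10.0.0.5 port 50000 ssh2", "PRIORITY": "6",
     "_SYSTEMD_UNIT": "ssh.service", "_TRANSPORT": "syslog", "__REALTIME_TIMESTAMP": micros_ago(1)},
])


def resolve_time(spec, now=NOW):
    """Resolve the subset of journalctl time specs used in the post: "now", "today",
    "yesterday" (start of the previous day), "N minutes/hours/days ago", or an
    absolute "YYYY-MM-DD HH:MM:SS" (treated as UTC in this example)."""
    spec = spec.strip()
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    if spec == "now":
        return now
    if spec == "today":
        return midnight
    if spec == "yesterday":
        return midnight - timedelta(days=1)
    parts = spec.split()
    if len(parts) == 3 and parts[2] == "ago":
        unit = parts[1].rstrip("s")  # "hours" -> "hour"
        if unit in ("minute", "hour", "day"):
            return now - timedelta(**{unit + "s": int(parts[0])})
    return datetime.strptime(spec, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_journal_json(text):
    """Parse `journalctl -o json` style output into dicts with a parsed timestamp
    (_ts) and integer priority (_prio); entries without PRIORITY default to info."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["_ts"] = datetime.fromtimestamp(int(rec["__REALTIME_TIMESTAMP"]) / 1_000_000, tz=timezone.utc)
        rec["_prio"] = int(rec.get("PRIORITY", 6))
        records.append(rec)
    return records


def filter_records(records, since=None, until=None, unit=None, kernel_only=False, priority=None):
    """Select records the way --since/--until, -u, -k and -p do.
    priority=N keeps level N and every more severe level (PRIORITY <= N)."""
    out = []
    for rec in records:
        if since is not None and rec["_ts"] < since:
            continue
        if until is not None and rec["_ts"] > until:
            continue
        if unit is not None and rec.get("_SYSTEMD_UNIT") != unit:
            continue
        if kernel_only and rec.get("_TRANSPORT") != "kernel":
            continue
        if priority is not None and rec["_prio"] > priority:
            continue
        out.append(rec)
    return out


def format_record(rec):
    """Render one record roughly like journalctl's default short output."""
    source = rec.get("_SYSTEMD_UNIT", "kernel")
    return f"{rec['_ts']:%b %d %H:%M:%S} {source} [{PRIORITY_NAMES[rec['_prio']]}]: {rec['MESSAGE']}"


if __name__ == "__main__":
    recs = parse_journal_json(SAMPLE_JSON_LINES)
    # Equivalent of: journalctl -u apache2.service -p 3 --since yesterday
    for rec in filter_records(recs, since=resolve_time("yesterday"), unit="apache2.service", priority=3):
        print(format_record(rec))
```

Running the block prints only the critical "Failed to start" entry, the one Apache record from yesterday onward at error level or more severe; the OOM kernel line is level 3 but carries no `_SYSTEMD_UNIT`, so it only shows up through `kernel_only=True` (the `-k` case).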

More info: Introduction to the Systemd journal