我试图查看“午夜之前”(也就是昨天的最后一刻)到之后之间记录在我的系统上的内容。
~ # journalctl --since "2019-09-09 23:59" --until "2019-09-10 00:10"
-- Logs begin at Mon 2019-08-05 09:48:15 CEST, end at Tue 2019-09-10 17:04:00 CEST. --
~ #
输出为空,我被告知从一个月前到现在都有可用的日志。为什么没有显示它们?
光秃秃的journalctl显示出大量的日志(从八月开始,现在结束)
~ # journalctl | tail -5
Sep 10 17:10:53 srv synapse[1111]: 2019-09-10 17:10:53,792 synapse.access.http.8008 (...)
Sep 10 17:11:00 srv caddy[1111]: (...)
Sep 10 17:11:02 srv mqtt[1111]: 1568128262: New (...)
Sep 10 17:11:02 srv mqtt[1111]: 1568128262: New(...)
Sep 10 17:11:02 srv mqtt[1111]: 1568128262: Client (...)
~ # journalctl | head -5 root@srv
-- Logs begin at Mon 2019-08-05 09:48:15 CEST, end at Tue 2019-09-10 17:13:23 CEST. --
Aug 05 09:48:15 srv systemd[15247]: Stopped target Default.
Aug 05 09:48:15 srv systemd[15247]: Stopped target Basic System.
Aug 05 09:48:15 srv systemd[15247]: Stopped target Paths.
Aug 05 09:48:15 srv systemd[15247]: Stopped target Timers.
编辑 1:该时间范围内有事件:
~ # less /var/log/syslog.1
(...)
Sep 10 00:07:41 srv systemd[1]: Started Session 109446 of user root.
(...)
编辑2:有趣的是,对于另一个时间范围,我收到事件,但不是来自该时间范围:
~ # journalctl --since "2019-09-09 18:00" --until "2019-09-10 19:00"
-- Logs begin at Mon 2019-08-05 09:48:15 CEST, end at Tue 2019-09-10 19:21:44 CEST. --
Sep 10 15:51:26 srv systemd[468]: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Sep 10 15:51:26 srv audit[468]: USER_START pid=468 uid=0 auid=0 ses=146446 msg='op=PAM:session_open acct="root" exe="/lib/systemd/systemd" hostname=? addr=? t
Sep 10 15:51:26 srv systemd[468]: Reached target Paths.
答案1
这是因为journald存储了定义的日志大小,您可以使用以下命令查看当前大小
journalctl --disk-usage
配置此行为并添加许多其他行为
/etc/systemd/journald.conf
/etc/systemd/journald.conf.d/*.conf
/run/systemd/journald.conf.d/*.conf
/usr/lib/systemd/journald.conf.d/*.conf
您的默认磁盘大小可能太小,无法容纳 24 小时日志