在 systemd 日志中提取特定日志的日志消息?

在 systemd 日志中提取特定日志的日志消息?

我想知道是否可以使用 systemd 的日志记录来提取特定日志的日志消息。例如,当我在 C 中用 `openlog('slog', LOG_CONS | LOG_PID, LOG_LOCAL1)` 打开日志时,能否仅提取记录在“slog”或 LOCAL1 下的消息?

当我执行 `journalctl -u slog` 或 `journalctl -u LOG_LOCAL1` 之类的操作时,它只是告诉我日志何时开始和结束,而不是实际的日志消息。

答案1

是的,这是可能的,但是您传递给 journalctl 的开关是错误的。

根据 journalctl(1) 手册页:

  • 要读取具有给定系统日志标识符(例如“foo”)的消息,请运行 `journalctl -t foo` 或 `journalctl SYSLOG_IDENTIFIER=foo`

  • 要读取具有给定系统日志设施(facility)的消息,请运行 `journalctl SYSLOG_FACILITY=1`(请注意,设施是以其数值来存储和匹配的)。

更一般地,系统日志标识符和设施作为单独的字段(SYSLOG_IDENTIFIER 和 SYSLOG_FACILITY)存储在日志中。如果您需要通过 C API 等方式访问日志,则必须直接在这些字段上添加匹配项。

`journalctl -u` 开关用于在生成消息的进程所属的 systemd 单元名称上添加匹配项,所以在这里使用该开关是错误的。

答案2

是的,可以做到。不妨围绕 journalctl 写一个脚本。

#!/bin/bash

# Provide a simple command-line interface for systemd "journalctl"
# See /usr/include/sys/syslog.h for syslog integer ids
# Example usage: "./syslog/bin/syslogga.sh --local0 --tail" to tail local0

set -o nounset

# Accumulated from the command line by processOptions:
#   OPTIONS - journalctl switches (e.g. --follow)
#   MATCHES - journal field matches (e.g. SYSLOG_FACILITY=16)
# Both start out empty.
declare -a OPTIONS=()
declare -a MATCHES=()

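#######################################
# Map one command-line parameter to its numeric syslog facility id
# (the numbers are the LOG_* facility codes from sys/syslog.h, shifted >> 3).
# Arguments: $1 - one command-line parameter
# Outputs:   the facility number on stdout when $1 selects a facility
# Returns:   0 if $1 selected a facility, 1 otherwise
#######################################
function facilityNumber {
   case "$1" in
      --kernel|--kern|-0)   echo 0 ;;
      --user|-1)            echo 1 ;;
      --mail|-2)            echo 2 ;;
      --daemon|-3)          echo 3 ;;
      --auth|--selinux|-4)  echo 4 ;;
      --syslog|-5)          echo 5 ;;
      --lpr|-6)             echo 6 ;;
      --news|-7)            echo 7 ;;
      --uucp|-8)            echo 8 ;;
      --cron|-9)            echo 9 ;;
      --authpriv|-10)       echo 10 ;;
      --ftp|-11)            echo 11 ;;
      --local0|-16)         echo 16 ;;
      --local1|-17)         echo 17 ;;
      # In our system, local2 is sshd log
      --local2|--ssh|-18)   echo 18 ;;
      # In our system, local3 is pdns-recursor log
      --local3|--dns|-19)   echo 19 ;;
      --local4|-20)         echo 20 ;;
      --local5|-21)         echo 21 ;;
      --local6|-22)         echo 22 ;;
      --local7|-23)         echo 23 ;;
      *) return 1 ;;
   esac
}

#######################################
# Parse the script's command line into journalctl arguments.
# Globals:   OPTIONS (appended: journalctl switches)
#            MATCHES (appended: SYSLOG_FACILITY=<n> matches)
# Arguments: the script's positional parameters
# Outputs:   diagnostics and the usage text on stderr
# Returns:   0 on success; exits 1 on --help, unknown parameters or
#            more than one selected facility
#
# All parameters are matched exactly (no prefix/substring matching), so
# e.g. "--newsx" or "-tail" are reported as unknown instead of being
# silently accepted.
#######################################
function processOptions {

   local UNKNOWN=
   local HELP=
   local SYSLOGSEL=0
   local P FACILITY

   for P in "$@"; do

      # Facility selection: at most one is allowed; stop parsing as soon
      # as a second one shows up (reported after the loop).
      if FACILITY=$(facilityNumber "$P"); then
         (( SYSLOGSEL += 1 ))
         if (( SYSLOGSEL > 1 )); then break; fi
         MATCHES+=("SYSLOG_FACILITY=${FACILITY}")
         continue
      fi

      # Additional options
      case "$P" in
         --tail|-t|--follow|-f)
            OPTIONS+=("--follow") # yup, "journalctl" uses "follow" instead of "tail"
            continue ;;
         --pager-end|-e|--bottom|--btm|--end)
            OPTIONS+=("--pager-end")
            continue ;;
         --help|-h)
            HELP=1
            break ;;
      esac

      # if we are here, we encountered something unknown in P;
      # collect it, comma-separated, for the final diagnostic
      UNKNOWN="${UNKNOWN:+${UNKNOWN},}${P}"

   done

   if (( SYSLOGSEL > 1 )); then
       echo "More than one facility selected" >&2
       HELP=1
   fi

   if [[ -n $UNKNOWN ]]; then
      printf "Unknown parameters '%s'\n" "$UNKNOWN" >&2
      HELP=1
   fi

   if [[ -n $HELP ]]; then
      # Only in our setup: site-specific hook, run only when it is defined
      # so the generic script does not fail with "command not found"
      if declare -F SPECIAL_16 >/dev/null; then
         SPECIAL_16
      fi
      cat >&2 <<HERE
Facilities:
--kern[el] , -0
--user     , -1
--mail     , -2
--daemon   , -3
--auth     , -4 , --selinux
--syslog   , -5
--lpr      , -6
--news     , -7
--uucp     , -8
--cron     , -9
--authpriv , -10
--ftp      , -11
--local0   , -16
--local1   , -17
--local2   , -18 , --ssh
--local3   , -19 , --dns
--local4   , -20
--local5   , -21
--local6   , -22
--local7   , -23
Options:
--tail , --follow , -t , -f
--pager-end, --btm, --bottom, --end, -e
HERE
      exit 1
   fi

}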

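processOptions "$@"

# Final argument vector for journalctl: switches first, then field matches.
declare -a ALL

ALL=()

# ${#arr[@]} is safe under "nounset" even for an empty array; the
# expansions are quoted so no element is ever word-split or globbed.
if (( ${#OPTIONS[@]} > 0 )); then
   ALL+=("${OPTIONS[@]}")
fi

if (( ${#MATCHES[@]} > 0 )); then
   ALL+=("${MATCHES[@]}")
fi

if (( ${#ALL[@]} > 0 )); then

   # Show the exact arguments being passed before delegating to journalctl
   printf 'Running journalctl %s\n' "${ALL[*]}" >&2

   journalctl "${ALL[@]}"

else

   echo "Nothing set"

fi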
