Saturday, January 2, 2016

RHEL 7 - Finding Events with journalctl

Outcomes:
Students will practise displaying systemd journal output matching different criteria.

1. Output only the systemd journal messages that originate from the systemd process, which always runs with process ID 1, on serverX.
[root@server1 /]# journalctl _PID=1
-- Logs begin at Fri 2016-01-01 10:21:47 CET, end at Sat 2016-01-02 03:50:22 CET. --
Jan 01 10:21:47 rhelserver1.example.com systemd[1]: Starting udev Kernel Socket.
Jan 01 10:21:47 rhelserver1.example.com systemd[1]: Listening on udev Kernel Socket.
Jan 01 10:21:47 rhelserver1.example.com systemd[1]: Starting udev Control Socket.
Jan 01 10:21:47 rhelserver1.example.com systemd[1]: Listening on udev Control Socket.
Jan 01 10:21:47 rhelserver1.example.com systemd[1]: Starting Sockets.

2. Display all systemd journal messages that originate from a system service started with user ID 81 on serverX.
[root@server1 /]# journalctl _UID=81
-- Logs begin at Fri 2016-01-01 10:21:47 CET, end at Sat 2016-01-02 03:50:22 CET. --
Jan 01 10:22:40 server1.example.com dbus[887]: [system] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkit.servi
Jan 01 10:22:42 server1.example.com dbus[887]: [system] Successfully activated service 'org.freedesktop.PolicyKit1'
Jan 01 10:22:51 server1.example.com dbus[887]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.
Jan 01 10:22:52 server1.example.com dbus[887]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Jan 01 10:23:36 server1.example.com dbus[887]: [system] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkit.servi
Jan 01 10:23:36 server1.example.com dbus[887]: [system] Successfully activated service 'org.freedesktop.PolicyKit1'

3. Output the journal messages with priority warning and above on serverX.
[root@server1 /]# journalctl -p warning
-- Logs begin at Fri 2016-01-01 10:21:47 CET, end at Sat 2016-01-02 03:50:22 CET. --
Jan 01 10:21:47 rhelserver1.example.com kernel: ACPI: RSDP 00000000000f6a10 00024 (v02 PTLTD )
Jan 01 10:21:47 rhelserver1.example.com kernel: ACPI: XSDT 00000000bfeea633 0005C (v01 INTEL  440BX    06040000 VMW  01324272)
Jan 01 10:21:47 rhelserver1.example.com kernel:   node   0: [mem 0x00100000-0xbfedffff]
Jan 01 10:21:47 rhelserver1.example.com kernel:   node   0: [mem 0xbff00000-0xbfffffff]
Jan 01 10:21:47 rhelserver1.example.com kernel: Detected CPU family 6 model 61
Jan 01 10:21:47 rhelserver1.example.com kernel: Warning: Intel CPU model - this hardware has not undergone testing by Red Hat and might not
Jan 01 10:21:47 rhelserver1.example.com kernel: Built 1 zonelists in Node order, mobility grouping on.  Total pages: 773992
Jan 01 10:21:47 rhelserver1.example.com kernel: Policy zone: DMA32

4. Create a journalctl query to show all log events recorded in the previous 10 minutes on serverX. The command assumes the current time is 03:55:14 CET 2016.
[root@server1 /]# journalctl --since="03:45:00" --until="03:55:00"
-- Logs begin at Fri 2016-01-01 10:21:47 CET, end at Sat 2016-01-02 04:01:02 CET. --
Jan 02 03:45:01 server1.example.com systemd[1]: Created slice user-0.slice.
Jan 02 03:45:01 server1.example.com nslcd[1580]: [f600e6] <group/member="lisa"> ldap_start_tls_s() failed (uri=ldap://ipa.example.com): Can'
Jan 02 03:45:01 server1.example.com nslcd[1580]: [f600e6] <group/member="lisa"> failed to bind to LDAP server ldap://ipa.example.com: Can't
Jan 02 03:45:01 server1.example.com nslcd[1580]: [f600e6] <group/member="lisa"> no available LDAP server found: Can't contact LDAP server: T
Jan 02 03:45:01 server1.example.com nslcd[1580]: [f600e6] <group/member="lisa"> no available LDAP server found: Server is unavailable: Trans
Jan 02 03:45:01 server1.example.com systemd[1]: Starting Session 99 of user root.
Jan 02 03:45:01 server1.example.com systemd[1]: Started Session 99 of user root.

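5. Display only the events originating from the sshd service with the system unit file sshd.service recorded since 03:45:00 this morning on serverX. In the session below, the query with --since prints only the header because sshd.service logged nothing after 03:45:00; the same match without --since shows its earlier messages.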
[root@server1 /]# journalctl --since="03:45:00" --until="03:55:00"^C
[root@server1 /]# journalctl --since="03:45:00" _SYSTEMD_UNIT="sshd.service"
-- Logs begin at Fri 2016-01-01 10:21:47 CET, end at Sat 2016-01-02 04:05:02 CET. --
[root@server1 /]# journalctl _SYSTEMD_UNIT=sshd.service
-- Logs begin at Fri 2016-01-01 10:21:47 CET, end at Sat 2016-01-02 04:05:02 CET. --
Jan 01 10:22:49 server1.example.com sshd[1582]: Server listening on 0.0.0.0 port 2022.
Jan 01 10:22:49 server1.example.com sshd[1582]: Server listening on :: port 2022.
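The five queries above can be reproduced offline against `journalctl -o json` output, which makes the matching rules explicit: field matches are exact string comparisons, different fields are ANDed, and `-p warning` means numeric PRIORITY 4 or lower. This is an added example, not part of the original post; the `query` helper and the sample entries are constructed for illustration and modelled on the output shown above.

```python
import json
from datetime import datetime, timedelta, timezone

CET = timezone(timedelta(hours=1))
SINCE = datetime(2016, 1, 2, 3, 45, tzinfo=CET)   # --since="03:45:00" on Jan 02

# Constructed sample shaped like `journalctl -o json`: one object per line,
# all values are strings, __REALTIME_TIMESTAMP is microseconds since the epoch.
SAMPLE = """\
{"__REALTIME_TIMESTAMP":"1451640107000000","PRIORITY":"4","_TRANSPORT":"kernel","MESSAGE":"Detected CPU family 6 model 61"}
{"__REALTIME_TIMESTAMP":"1451640162000000","PRIORITY":"5","_PID":"887","_UID":"81","_SYSTEMD_UNIT":"dbus.service","MESSAGE":"[system] Successfully activated service 'org.freedesktop.PolicyKit1'"}
{"__REALTIME_TIMESTAMP":"1451640169000000","PRIORITY":"6","_PID":"1582","_UID":"0","_SYSTEMD_UNIT":"sshd.service","MESSAGE":"Server listening on 0.0.0.0 port 2022."}
{"__REALTIME_TIMESTAMP":"1451702701000000","PRIORITY":"6","_PID":"1","_UID":"0","MESSAGE":"Created slice user-0.slice."}
{"__REALTIME_TIMESTAMP":"1451702701000000","PRIORITY":"4","_PID":"1580","_UID":"65","_SYSTEMD_UNIT":"nslcd.service","MESSAGE":"no available LDAP server found"}
"""

def query(lines, since=None, until=None, max_priority=None, **matches):
    """Hypothetical helper mirroring journalctl's FIELD=value, -p and --since/--until."""
    hits = []
    for line in lines.splitlines():
        entry = json.loads(line)
        ts = datetime.fromtimestamp(int(entry["__REALTIME_TIMESTAMP"]) / 1e6, timezone.utc)
        if since and ts < since:
            continue
        if until and ts > until:
            continue
        # -p warning == PRIORITY 0..4; an entry without PRIORITY never matches.
        if max_priority is not None and int(entry.get("PRIORITY", 8)) > max_priority:
            continue
        # Different fields are ANDed; a missing field (e.g. no _PID on kernel
        # messages) is simply a non-match.
        if any(entry.get(field) != str(value) for field, value in matches.items()):
            continue
        hits.append(entry["MESSAGE"])
    return hits

if __name__ == "__main__":
    print(query(SAMPLE, _PID=1))                                   # step 1
    print(query(SAMPLE, _UID=81))                                  # step 2
    print(query(SAMPLE, max_priority=4))                           # step 3
    print(query(SAMPLE, since=SINCE, _SYSTEMD_UNIT="sshd.service"))  # step 5, empty
    print(query(SAMPLE, _SYSTEMD_UNIT="sshd.service"))             # step 5, no --since
```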

Thank you for reading.
For other articles, visit https://sites.google.com/site/unixwikis/
