通过journalctl查看日志

# 查看UID为1000的用户今天以来的日志
sudo journalctl _UID=1000 --since today

# 查看1分钟以前的日志
cqq@snort-ids  ~  sudo journalctl --since "1 min ago" [13:18:26]
-- Logs begin at Fri 2016-11-04 01:16:43 CST, end at Mon 2017-04-24 13:18:57 CST. --
4月 24 13:18:19 snort-ids sudo[12664]: cqq : TTY=pts/0 ; PWD=/home/cqq ; USER=root ; COMMAND=/usr/bin/vi /home/cqq/.zshrc
4月 24 13:18:19 snort-ids sudo[12664]: pam_unix(sudo:session): session opened for user root by cqq(uid=0)
4月 24 13:18:26 snort-ids sudo[12664]: pam_unix(sudo:session): session closed for user root
4月 24 13:18:50 snort-ids sshd[12696]: Accepted password for cqq from 192.168.10.247 port 63715 ssh2
4月 24 13:18:50 snort-ids sshd[12696]: pam_unix(sshd:session): session opened for user cqq by (uid=0)
4月 24 13:18:50 snort-ids systemd[1]: Started Session c12 of user cqq.
4月 24 13:18:50 snort-ids systemd-logind[246]: New session c12 of user cqq.
4月 24 13:18:57 snort-ids sudo[12743]: cqq : TTY=pts/0 ; PWD=/home/cqq ; USER=root ; COMMAND=/bin/journalctl --since 1 min ago
4月 24 13:18:57 snort-ids sudo[12743]: pam_unix(sudo:session): session opened for user root by cqq(uid=0)

# 查看某个单元/服务的日志
cqq@snort-ids  ~  sudo journalctl -u ssh.service --since today [13:37:48]
-- Logs begin at Fri 2016-11-04 01:16:43 CST, end at Mon 2017-04-24 13:37:58 CST. --
4月 24 13:06:43 snort-ids sshd[12157]: Accepted password for cqq from 192.168.10.247 port 52067 ssh2
4月 24 13:06:43 snort-ids sshd[12157]: pam_unix(sshd:session): session opened for user cqq by (uid=0)
4月 24 13:18:50 snort-ids sshd[12696]: Accepted password for cqq from 192.168.10.247 port 63715 ssh2
4月 24 13:18:50 snort-ids sshd[12696]: pam_unix(sshd:session): session opened for user cqq by (uid=0)
4月 24 13:28:10 snort-ids sshd[13096]: Accepted password for cqq from 192.168.10.247 port 56326 ssh2
4月 24 13:28:10 snort-ids sshd[13096]: pam_unix(sshd:session): session opened for user cqq by (uid=0)
cqq@snort-ids  ~  sudo journalctl -u apache2 --since "2015-01-10" [13:38:49]
-- Logs begin at Fri 2016-11-04 01:16:43 CST, end at Mon 2017-04-24 13:41:03 CST. --
4月 21 18:55:57 snort-ids systemd[1]: Starting The Apache HTTP Server...
4月 21 18:55:59 snort-ids systemd[1]: Started The Apache HTTP Server.
4月 22 01:59:04 snort-ids systemd[1]: Stopping The Apache HTTP Server...
4月 22 01:59:04 snort-ids systemd[1]: Stopped The Apache HTTP Server.
4月 22 01:59:04 snort-ids systemd[1]: Starting The Apache HTTP Server...
4月 22 01:59:05 snort-ids systemd[1]: Started The Apache HTTP Server.
4月 22 06:25:52 snort-ids systemd[1]: Reloading The Apache HTTP Server.
4月 22 06:25:52 snort-ids systemd[1]: Reloaded The Apache HTTP Server.
4月 23 06:25:34 snort-ids systemd[1]: Reloading The Apache HTTP Server.
4月 23 06:25:34 snort-ids systemd[1]: Reloaded The Apache HTTP Server.
4月 24 06:25:34 snort-ids systemd[1]: Reloading The Apache HTTP Server.
4月 24 06:25:35 snort-ids systemd[1]: Reloaded The Apache HTTP Server.

# 查看实时日志
cqq@snort-ids  ~  sudo journalctl -f [13:18:51]
[sudo] cqq 的密码：
-- Logs begin at Fri 2016-11-04 01:16:43 CST. --
4月 24 13:23:27 snort-ids sudo[12888]: pam_unix(sudo:session): session opened for user root by cqq(uid=0)
4月 24 13:25:01 snort-ids CRON[12935]: pam_unix(cron:session): session opened for user root by (uid=0)
4月 24 13:25:01 snort-ids CRON[12942]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
4月 24 13:25:01 snort-ids CRON[12935]: pam_unix(cron:session): session closed for user root
4月 24 13:25:10 snort-ids sudo[12888]: pam_unix(sudo:session): session closed for user root
4月 24 13:25:57 snort-ids sudo[12990]: cqq : TTY=pts/0 ; PWD=/home/cqq ; USER=root ; COMMAND=/bin/journalctl -f
4月 24 13:25:57 snort-ids sudo[12990]: pam_unix(sudo:session): session opened for user root by cqq(uid=0)
4月 24 13:26:06 snort-ids sudo[12990]: pam_unix(sudo:session): session closed for user root
4月 24 13:26:15 snort-ids sudo[13017]: cqq : TTY=pts/1 ; PWD=/home/cqq ; USER=root ; COMMAND=/bin/journalctl -f
4月 24 13:26:15 snort-ids sudo[13017]: pam_unix(sudo:session): session opened for user root by cqq(uid=0)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
举个栗子。
先查看某个unit/service的状态，发现它failed，然后输出该unit/service的内容(到底写的是什么，错误在哪里)，发现错误是因为按照别人教程上写的，没把ruby的路径搞对，然后查看一下这个unit/service的日志，果然是有错的。