I would like to view only log messages created within a specified time range (08:00 - 11:00) for ALL days.
If I use:
journalctl --since 08:00 --until 11:00
It displays logs from current day only.
Any ideas?
First of all - where is your journalctl log file? Default journalctl collect logs since the launch of the system.
By default, the log file is in /var/log/journal. If this dir isn't exist set Storage=persistent in /etc/systemd/journald.conf and run systemctl restart systemd-journald.
And when journalctl saves all messages/events on all the days or when the system collects logs from a few days of the save settings day You can draw some interesting informations from journalctl in this way:
# Define year
year="2016"
# Defines the month in which you want to search
months=(08 09 10)
for i in "${months[#]}" ; do
# To set a range of days: 14 - 20
for j in `seq 14 20` ; do
journalctl --since "${year}-${i}-${j} 08:00:00" --until "${year}-${i}-${j} 11:00:00" >> /tmp/journal.${year}-${i}-${j}.log
done
done
If you want to check days from 1 to 9 will probably need to add a mechanism for adding 0 (01, 02, 03, ..., 09).
This is an example so you have to adjust it to your needs.
Related
Hi I have a bash script called by a systemd service that needs to run until the start of the next hour. Currently I have been using:
currentTime=$(date +"%s")
nextHour=$(date -d "$(date -d 'next hour' '+%H:00:00')" '+%s')
duration=$(((nextHour-currentTime)*1000))
Which works except for trying to calculate the difference between 11pm and midnight were as far as I can tell it gets the current days midnight from 23 hours previous.
Oct 13 23:00:05 host bash[2019]: 1665698405
Oct 13 23:00:05 host bash[2019]: 1665615600
Oct 13 23:00:05 host bash[2019]: -82805000
I figure I could put a conditional check with a different calculation if needed or perhaps look at a systemd timer for triggering the service but as the service needs to always activate on boot/reboot as well as running hour to hour this setup seemed more appropriate.
Would appreciate any advice on why this is happening and advice on most streamlined steps to avoid it.
This isn't really a question about bash, but seems to be more about date. Given that date has multiple different implementations, it seems wiser to choose a different tool to do the calculation. I suspect perl is more standardized and (almost) as available as date, so you might try to get the difference with:
perl -MTime::Seconds -MTime::Piece -E '
my $t = localtime; my $m = ($t + ONE_HOUR)->truncate(to => "hour"); say $m - $t'
In GNU/Linux on xorg session, what I want to do is to get how many seconds have passed since I stopped working with the computer (i.e. no keys pressed and/or cursor moved).
Running in the background, the script below will display secs in the status bar.
But the question is what THE_COMMAND will be.
While true; do
last_touched="$(THE_COMMAND)"
now="$(date +%s)"
secs=$((now - last_touched))
echo "${secs} seconds ago"
sleep 3
done
I remember asking the same question a while back.
Here is what I found,
last -aiF -n 1 userName
command can give you the current session.
When combined with awk you can get the result as follows
$ last -aiF -n2 username
username :1 Wed Apr 21 13:09:00 2021 still logged in 0.0.0.0
username :1 Wed Apr 21 07:28:47 2021 - down (05:39) 0.0.0.0
$ last -aiF -n 2 ogulcan | awk '{print $10}'
in
(05:39)
the lines here are the session times.
These times are counted as now - first boot login
But I believe these does not work best for you.
So here is the 8 year old question that may be helpful to you.
User Idle time in Linux
Using python you can calculate the idle time passed. Maybe this way, you can simply get what you want with python.
I want to look at last 1 hour of docker container log using docker logs --since option. Which value I should provide for --since parameter?
as the help says
--since string Show logs since timestamp (e.g. 2013-01-02T13:23:37) or relative (e.g. 42m for 42 minutes
I would do
docker logs mycontainer_or_id --since 60m
This syntax is correct according to my active container
Please refer to the Docker docs.
docker logs --since 1h
The --since option shows only the container logs generated after a given date. You can specify the date as an RFC 3339 date, a UNIX timestamp, or a Go duration string (e.g. 1m30s, 3h). Besides RFC3339 date format you may also use RFC3339Nano, 2006-01-02T15:04:05, 2006-01-02T15:04:05.999999999, 2006-01-02Z07:00, and 2006-01-02.
You may want logs from a specific date, but docker might not like your date's format.
In such cases, check whether the UNIX date command parse it:
$ date -d "your date here"
Wed Oct 5 12:46:17 GMT 2022
If date's output looks right, then you can use date -I to produce a format that docker understands.
$ docker logs my_container --since "$(date -I -d "your date here")" | less -RX
My date command -
May 19 20:28:00
Crontab file -
ubuntu#ip:/etc/cron.daily$ crontab -l
24 20 19 5 1 /opt/sw/p3/scratch/test.py > /opt/sw/p3/scratch/test1.txt
Based on the above command and date, My job should have run at 20:24 on May 19 but I dont see any output in my test1.txt
test.py just prints a statement -
print "I will be run soon"
Why my crontab job did not run at that time?
If you are running this cron job on a remote server, please verify whether the server's timezone is same as your's. If not you can change the server default timezone and try setting the cron job again to a different date/time.
Is there anyway we can change the date format in a particular log file being logged to by syslog? I don't want to change the way all logs are being logged, but just by log file.
EDIT: I'm using syslogd (in FreeBSD)
This is how my file looks like now:
Dec 5 07:52:10 Log data 1
Dec 5 07:52:10 Log data 2
Dec 5 07:52:10 Log data 3
This is how I want it to look like:
20131205 07:52:10 Log data 1
20131205 07:52:10 Log data 2
20131205 07:52:10 Log data 3
My syslog.conf looks like this, where /var/log/my_log.log is my logfile:
+#
*.notice;local0.none;local1.none;local2.none;authpriv.none;kern.debug;mail.crit;news.err /var/log/messages
security.* /var/log/security
auth.info;authpriv.info /var/log/auth.log
mail.info /var/log/maillog
ftp.info /var/log/xferlog
cron.* /var/log/cron
*.=debug /var/log/debug.log
console.info /var/log/console.log
local1.info /var/log/my_log.log
Even if you found a different solution, I give an answer for others.
Edit your syslog configuration file (On Debian for example: /etc/syslog-ng/syslog-ng.conf).
Then declare a new template like this :
template template_date_format {
template("${YEAR}-${MONTH}-${DAY} ${HOUR}:${MIN}:${SEC} ${HOST} ${MSGHDR}${MSG}\n");
template_escape(no);
};
This is an example but you can use different macros according to syslog documentation linked in user9645's answer.
After that, find in this configuration file, all the files you want to change the output format and apply this template to them.
For example, I want to change /var/log/auth.log output format, then I change :
destination d_auth { file("/var/log/auth.log"); };
to :
destination d_auth { file("/var/log/auth.log" template(template_date_format)); };
Then restart syslog (service syslog-ng restart) and try a login to see the changes in your auth.log.
There are always a new options for the date problem, adding just a couple of lines.
My solution comes adding a file to /etc/rsyslog.d/, for example myrsyslog.conf, then add the format of your choice, mine is:
$template myformat,"%TIMESTAMP:1:10:date-rfc3339% %TIMESTAMP:19:12:date-rfc3339% %syslogtag%%msg%\n"
$ActionFileDefaultTemplate myformat
this will apply the new format to your logs making it easy to parse.
before
Sep 3 12:52:37 whs dhcpcd[477]: wlan0: expired address ...
Sep 3 12:52:37 whs dhcpcd[477]: wlan0: part of Router Advertisement expired
Sep 3 12:52:37 whs dhcpcd[477]: wlan0: deleting route to ...
after
2020-09-03 13:00:49 systemd[1]: rsyslog.service: Succeeded.
2020-09-03 13:00:49 systemd[1]: Stopped System Logging Service.
2020-09-03 13:00:49 systemd[1]: Starting System Logging Service...
I had the same issue using FreeBSD 9.2 and Zabbix system monitor GUI which cannot handle things like 'Jan' or 'Feb' in the date stamp (!) on the system log messages.
What I did was install the sysutils/syslog-ng port, and use the convert-syslogconf.awk script to migrate my /etc/syslog.conf to /usr/local/etc/syslog-ng.conf (which thankfully seemed to work well with even a fairly complex config) and added this custom formatting template to all the file() destinations:
template t_msgfmt {
template("${ISODATE} ${HOST} ${FACILITY} ${LEVEL} ${MSGHDR}${MSG}\n");
template_escape(no);
};
You can find (lots) more formatting info in the syslog-ng manual section 11.1. It is working good for me (so far) hope it helps you!
I ended up using an awk script to run through the log file and replace the date field
awk '{getDate="date -j -f \"%b %d %H:%M:%S\" \""$1" "$2" "$3"\" \"+%Y%m%d %H:%M:%S\""
while ( ( getDate | getline date ) > 0 ) { }
close(getDate);
print date,$2,$3,$4,$5}' Temp1 > Temp2
Many years later rsyslog has replaced syslogd and this has gotten super easy:
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
Comment out that one line and done.