通过journalctl查看日志

# 查看UID为1000的用户今天以来的日志
sudo journalctl _UID=1000 --since today

# 查看1分钟以前的日志
 cqq@snort-ids  ~  sudo journalctl --since "1 min ago"                                                                          [13:18:26]
-- Logs begin at Fri 2016-11-04 01:16:43 CST, end at Mon 2017-04-24 13:18:57 CST. --
4月 24 13:18:19 snort-ids sudo[12664]:      cqq : TTY=pts/0 ; PWD=/home/cqq ; USER=root ; COMMAND=/usr/bin/vi /home/cqq/.zshrc
4月 24 13:18:19 snort-ids sudo[12664]: pam_unix(sudo:session): session opened for user root by cqq(uid=0)
4月 24 13:18:26 snort-ids sudo[12664]: pam_unix(sudo:session): session closed for user root
4月 24 13:18:50 snort-ids sshd[12696]: Accepted password for cqq from 192.168.10.247 port 63715 ssh2
4月 24 13:18:50 snort-ids sshd[12696]: pam_unix(sshd:session): session opened for user cqq by (uid=0)
4月 24 13:18:50 snort-ids systemd[1]: Started Session c12 of user cqq.
4月 24 13:18:50 snort-ids systemd-logind[246]: New session c12 of user cqq.
4月 24 13:18:57 snort-ids sudo[12743]:      cqq : TTY=pts/0 ; PWD=/home/cqq ; USER=root ; COMMAND=/bin/journalctl --since 1 min ago
4月 24 13:18:57 snort-ids sudo[12743]: pam_unix(sudo:session): session opened for user root by cqq(uid=0)

# 查看某个单元/服务的日志
 cqq@snort-ids  ~  sudo journalctl -u ssh.service --since today                                                                 [13:37:48]
-- Logs begin at Fri 2016-11-04 01:16:43 CST, end at Mon 2017-04-24 13:37:58 CST. --
4月 24 13:06:43 snort-ids sshd[12157]: Accepted password for cqq from 192.168.10.247 port 52067 ssh2
4月 24 13:06:43 snort-ids sshd[12157]: pam_unix(sshd:session): session opened for user cqq by (uid=0)
4月 24 13:18:50 snort-ids sshd[12696]: Accepted password for cqq from 192.168.10.247 port 63715 ssh2
4月 24 13:18:50 snort-ids sshd[12696]: pam_unix(sshd:session): session opened for user cqq by (uid=0)
4月 24 13:28:10 snort-ids sshd[13096]: Accepted password for cqq from 192.168.10.247 port 56326 ssh2
4月 24 13:28:10 snort-ids sshd[13096]: pam_unix(sshd:session): session opened for user cqq by (uid=0)
 cqq@snort-ids  ~  sudo journalctl -u apache2 --since "2015-01-10"                                                              [13:38:49]
-- Logs begin at Fri 2016-11-04 01:16:43 CST, end at Mon 2017-04-24 13:41:03 CST. --
4月 21 18:55:57 snort-ids systemd[1]: Starting The Apache HTTP Server...
4月 21 18:55:59 snort-ids systemd[1]: Started The Apache HTTP Server.
4月 22 01:59:04 snort-ids systemd[1]: Stopping The Apache HTTP Server...
4月 22 01:59:04 snort-ids systemd[1]: Stopped The Apache HTTP Server.
4月 22 01:59:04 snort-ids systemd[1]: Starting The Apache HTTP Server...
4月 22 01:59:05 snort-ids systemd[1]: Started The Apache HTTP Server.
4月 22 06:25:52 snort-ids systemd[1]: Reloading The Apache HTTP Server.
4月 22 06:25:52 snort-ids systemd[1]: Reloaded The Apache HTTP Server.
4月 23 06:25:34 snort-ids systemd[1]: Reloading The Apache HTTP Server.
4月 23 06:25:34 snort-ids systemd[1]: Reloaded The Apache HTTP Server.
4月 24 06:25:34 snort-ids systemd[1]: Reloading The Apache HTTP Server.
4月 24 06:25:35 snort-ids systemd[1]: Reloaded The Apache HTTP Server.

# 查看实时日志
 cqq@snort-ids  ~  sudo journalctl -f                                                                                           [13:18:51]
[sudo] cqq 的密码：
-- Logs begin at Fri 2016-11-04 01:16:43 CST. --
4月 24 13:23:27 snort-ids sudo[12888]: pam_unix(sudo:session): session opened for user root by cqq(uid=0)
4月 24 13:25:01 snort-ids CRON[12935]: pam_unix(cron:session): session opened for user root by (uid=0)
4月 24 13:25:01 snort-ids CRON[12942]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
4月 24 13:25:01 snort-ids CRON[12935]: pam_unix(cron:session): session closed for user root
4月 24 13:25:10 snort-ids sudo[12888]: pam_unix(sudo:session): session closed for user root
4月 24 13:25:57 snort-ids sudo[12990]:      cqq : TTY=pts/0 ; PWD=/home/cqq ; USER=root ; COMMAND=/bin/journalctl -f
4月 24 13:25:57 snort-ids sudo[12990]: pam_unix(sudo:session): session opened for user root by cqq(uid=0)
4月 24 13:26:06 snort-ids sudo[12990]: pam_unix(sudo:session): session closed for user root
4月 24 13:26:15 snort-ids sudo[13017]:      cqq : TTY=pts/1 ; PWD=/home/cqq ; USER=root ; COMMAND=/bin/journalctl -f
4月 24 13:26:15 snort-ids sudo[13017]: pam_unix(sudo:session): session opened for user root by cqq(uid=0)

举个栗子。
先查看某个unit/service的状态，发现它failed，然后输出该unit/service的内容(到底写的是什么，错误在哪里)，发现错误是因为按照别人教程上写的，没把ruby的路径搞对，然后查看一下这个unit/service的日志，果然是有错的。