13th Chapter Linux Log Management

Source: Internet
Author: User
Tags apache log rsyslog dmesg

1. Log Management

(1) Introduction

In CentOS 6.x, the log service has replaced the original SYSLOGD service via RSYSLOGD . RSYSLOGD Log service More advanced, more features. However, regardless of the use of the service, or the format of the log file is actually compatible with the SYSLOGD.

(2) new features of RSYSLOGD

① transferring log information based on TCP network protocol

② more secure Network transmission mode

③ a timely analysis framework with log messages

④ Background Database

Simple logical judgments can be written in the ⑤ configuration file.

⑥ compatible with SYSLOGD configuration files

(3) To see if the RSYSLOGD service is started:

  ① #ps aux | grep rsyslogd // whether to start

  ② #chkconfig--list | grep rsyslog // whether self-booting

(4) Function of common log

Log file

Description

/var/log/cron

Logs related to system timing tasks are logged

/var/log/cups/

Logs of printed information are logged

/var/log/dmesg

The kernel self-test information is recorded when the system is powered on . You can also use the DMESG command to view kernel self-test information directly.

/var/log/btmp

logs logging of incorrect logins . This file is a binary file, can not be viewed directly with VI, and to use the LASTB command to view, the command is as follows: #lastb

/var/log/lastlog

Logs that record the last logon time for all users in the system . This file is also a binary file, not directly VI, but to use the Lastlog command to view .

/var/log/mailog

Record message information

/var/log/message

Log records of important system information. Most of the important information in the Linux system is recorded in this log file. If there is a problem with the system, the first thing to check is this log file.

/var/log/secure

Record authentication and authorization information as long as the program that involves the account and password is recorded. For example, system login, SSH login, su switch user, sudo authorization, even add user and modify user password, etc. will be recorded in this log file.

/var/log/wtmp

record all users ' logon and logoff information , and record the system startup, restart and shutdown events. The same file is also a binary file, not directly vi, and need to use the last command to view

/var/run/utmp

Records user information that is currently logged in . This file will change as the user logs on and off, logging only the information of the currently logged-on user. The same file can not be directly VI, but to use W, who, users and other commands to query.

(5) In addition to the system default log, the system service installed in RPM will also be logged in the/var/log/directory (the source package installed service log is in the source package specified directory ). However, these logs are not recorded and managed by the RSYSLOGD service, but each service uses its own log management documents to log itself.

Log file

Description

/var/log/httpd/

Default log directory for the Apache service installed by RPM package

/var/log/mail/

Additional log directory for RPM package-installed mail Service

/var/log/samba/

The log directory of the Samba service installed by RPM package

/var/log/sssd

Daemon Security Service Directory

2. Rsyslogd Log service

(1) Log file format (with 4 columns)

 ① the time the event was generated

② host name of the server where the event occurred

③ the service name or program name that generated the event

Specific information about the ④ event

(2)/etc/rsyslog.conf configuration file

① File Contents:

    server name [connection symbol] Log level log record location

    authpriv.*/var/log/secure //"." is a connection symbol that represents a level greater than or equal to the specified later. "*" denotes all levels, which means that all logs related to the service of authentication are recorded in the/var/log/secure file.

② Service Name

Service Name

Description

Auth

Security and certification-related messages (deprecated Authpriv overrides)

Authpriv

Security and authentication-related messages (private)

Cron

System timed tasks Cront and at-generated logs

Daemon

Logs related to each daemon

Ftp

Log generated by the FTP daemon

Kern

Log generated by the kernel (not generated by user processes)

Local0-local7

Services reserved for local use

Lpr

Print the resulting log

Mail

Send and receive messages

News

News server-related logs

Syslog

Log information generated by the SYSLOGD service (although the service name has been RSYSLOGD, but many configurations are still in use syslogd, there is no modification of the service name)

User

Log information for the user level category

Uucp

UUCP subsystem log information, UUCP is the early Linux system for data Transfer Protocol, and later also used in the newsgroup service.

③ Connection Symbols

Connection symbols

Description

*

(not actually a connector)

Represents all log levels, such as "authpriv.*" on behalf of the log generated by the AUTHPRIV certification Information service, all log levels are recorded

“.”

The representation is recorded as long as the log (including this level) is higher than the subsequent level . For example: "Conf.info" represents the log generated by the Cron service, as long as the log level is greater than or equal to the info level.

". ="

The delegate logs only the required levels, and no other levels are recorded . For example: "*.=emerg" represents the log generated by the user and log service, as long as the rank is Emerg level. This usage is rare.

“.!”

The representation is not equal to, that is, Other level logs are recorded except for the level of the log .

④ Log Level

Rank name

Description

Debug

General level of debug information

Info

Basic notification Information

Notice

General information, but it is of some importance

Warning

Warning message, but it does not affect the operation of the service or system

Err

Error message, information that generally reaches the err level may have affected the operation of the service or system.

Crit

Critical state information, more severe than the ERR level

Alert

Warning status information, more serious than crit, must take immediate action

Emerg

Pain level information, the system has been unable to use

⑤ Log Record Location:

A.  Absolute path: such as "/var/log/secure"

B. system device files: such as "/dev/lp0"

C. forward to a remote host, such as "@192.168.0.210:514"

D. user name, such as "root"

E. ignore or discard logs, such as "~"

3. Log Rotation

(1) Command rules for log files

① If you have the "dateext" parameter in the configuration file, the log will use the date as the suffix of the log file. such as "secure-20170107". In this case, the log file name will not overlap, so you do not need to rename the log files, only need to save the specified number of logs, delete the extra log files.

② if the "dateexte" parameter is not in the configuration file, the log file needs to be renamed . When the 1th log rotation occurs, the current "secure" log is automatically renamed "Secure.1" and a new "secure" log is used to save the new log. When the 2nd time the journal rotation, "Secure.1" will be automatically renamed to SECURE.2, the current "secure" log is automatically renamed "Secure.1", and then the new "secure" log is used to save the new log, and so on.

(2) Logrotate configuration file (/etc/logrotate.conf)

Parameters

Description

Daily

The rotation cycle of the log is daily

Weekly

The rotation cycle of the journal is weekly

Monthly

The rotation cycle of the log is monthly

Rotate Digital

The number of log files that are retained. 0 means no backup

Compress

Log rotation, old logs are compressed

Create Mode owner Group

Create a new log, specifying the permissions of the new log with the owner and the owning group. such as create 0600 root utmp

(3) Add Apache log to rotation (General source package installation of the program only need to manually join the journal rotation, RPM package installed automatically added)

#VI /etc/logrotate.conf/usr/local/apache2/logs/access_log{  // use absolute path to specify the log to join the rotation      daily    create    

(4) Logrotate command: #logrotate [options] configuration file

Options

Description

-V

displays the log rotation process . Adding the-v option will show the process of log rotation

-F

force a log rotation . Forces all the logs in the configuration file to be replaced, regardless of whether the journal rotation condition has been met.

Note

If this command does not have an option, the log rotation is followed by the criteria in the configuration file

#logrotate –f/etc/logrotate.conf//force log rotation

13th Chapter Linux Log Management

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.