Introduction to Unix system logs and centralized collection

Source: Internet
Author: User
Tags: syslog

1. Log functions

1. Running status
Reflects the current running status of the system and the actions that take place in it.
2. Fault warning
Forecasts possible or existing faults so that they can be handled in time.
3. Troubleshooting
Helps analyze the causes of faults and the procedures for handling them.
4. Security and audit
Records system logons and command execution.
2. Common Unix system log files
1. Solaris
/var/adm/
/var/adm/messages

2. HP-UX
/var/adm/syslog.log

3. SCO Unix
/etc/log directory

4. Red Hat
/var/log directory

3. HP-UX log maintenance
1. Common log files
/etc/rc.log: startup (rc) log, a plain text file
/var/adm/syslog.log: the general system log; note the prompt messages recorded here when analyzing problems
/var/adm/sw/*.log: software installation logs, used to analyze installation problems
/var/adm/wtmp: user logon records, viewed with the last command
/var/adm/btmp: failed logon records, viewed with the lastb command
/var/sam/log/samlog: SAM log
/var/spool/mqueue/syslog: sendmail log
/etc/shutdownlog: shutdown information
/usr/adm/diag/logxxx: logs viewed with the diagnostic tools
/var/adm/nettl.log*: network trace logs, handled by HP engineers
/var/adm/crash: core dump files, the responsibility of HP engineers
2. Log file maintenance
(1) Log file cleanup
Run either of the following commands to empty a log file:
# > filename
# cat /dev/null > filename
Note: if these files are deleted rather than emptied, the logon record function is disabled.
(2) Regular log file cleaning
wtmp and btmp grow without limit, so check these two files regularly and delete useless information to keep them from becoming too large. wtmp and btmp are not re-created by the programs that maintain them, so if these files are deleted the logon record function stops working.
(3) Security considerations for log files
Some users type their password, or part of it, at the login prompt. Such logon failures are recorded in the btmp file, which exposes the password or part of it. If the security policy requires that a user's previous sessions cannot be viewed by other users, also modify the file protection settings of /var/adm/wtmp. For these reasons, set file protection on these files so that only an administrator can read them:
# chmod 400 /var/adm/btmp

3. HP-UX common online detection tools
(1) STM
Support Tools Manager, the diagnostic and support toolkit that ships with HP-UX. STM includes tools for hardware testing and log viewing and is often used in routine maintenance.
Location of the generated log files: /var/stm/logs/os
Supported by the background processes diagmond and diaglogd.

(2) EMS
Event Monitoring Service, the HP-UX event alert service. You set alarm thresholds manually, and the running condition of the system is then monitored automatically against those thresholds.
Configuration tool: /etc/opt/resmon/lbin/monconfig
Location of the generated log file: /var/opt/resmon/log/event.log
Supported by emsagent and p_client.
4. Log file generation process of the HP-UX operating system
1. The syslogd process
syslogd is a background process that records system messages.
Its startup script is /sbin/rc2.d/S220syslogd.
If ps -ef | grep syslog shows no matching record, use the script above to start the syslog process.
2. The configuration file syslog.conf
By modifying the configuration file, messages can be:
(1) recorded to the system log files;
(2) written to the system console;
(3) forwarded to specified users;
(4) forwarded by syslogd to other hosts.
3. syslog.conf syntax introduction
Example:
nvbrg2#[/] cat /etc/syslog.conf
# @(#)B.11.11_LR
#
# syslogd configuration file.
#
# See syslogd(1M) for information about the format of this file.
#
mail.debug                          /var/adm/syslog/mail.log
*.info;mail.none                    /var/adm/syslog.log
*.alert                             root
*.alert                             /dev/console
*.emerg                             *
*.info;mail.debug;*.alert;*.emerg   @133.191.3.252
nvbrg2#[/]
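To make the selector syntax concrete, here is an added example (not HP's syslogd code and not from the original article) that parses the configuration listed above and reports which actions would receive a message of a given facility and priority. It implements the classic BSD selector rule as an assumption: pairs in one selector are applied left to right, and the last pair that names a facility (including a "*" pair) sets that facility's threshold. The hosts and the sample configuration text are the ones shown above.

```python
"""Resolve where syslogd would deliver a message under a given syslog.conf.

Added example for this article; it is not HP's syslogd code. Assumed
selector semantics (classic BSD syslogd): each non-comment line is
"selector <whitespace> action"; a selector is facility.level pairs joined
by ';'; '*' as the facility matches every facility; the level 'none'
switches a facility off; any other level matches that severity and every
more urgent one; within one selector the last pair naming a facility wins.
The action is a file or device path, a comma-separated user list, '*' for
all logged-in users, or '@host' to forward.
"""

# Severities from most to least urgent, as ordered in syslog.h.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Copy of the configuration listed in the article (constructed text, tab separated).
SAMPLE_CONF = """\
# @(#)B.11.11_LR
#
# syslogd configuration file.
#
mail.debug\t/var/adm/syslog/mail.log
*.info;mail.none\t/var/adm/syslog.log
*.alert\troot
*.alert\t/dev/console
*.emerg\t*
*.info;mail.debug;*.alert;*.emerg\t@133.191.3.252
"""


def parse_conf(text):
    """Return a list of (selector, action) pairs, skipping blank and comment lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed syslog.conf line: {raw!r}")
        rules.append((parts[0], parts[1].strip()))
    return rules


def selector_matches(selector, facility, severity):
    """Evaluate one selector left to right; a later pair for the facility overrides an earlier one."""
    sev_rank = SEVERITIES.index(severity)
    matched = False
    for pair in selector.split(";"):
        fac, _, level = pair.partition(".")
        if fac != "*" and fac != facility:
            continue                       # pair does not name this facility
        if level == "none":
            matched = False                # facility switched off
        elif level == "*" or sev_rank <= SEVERITIES.index(level):
            matched = True                 # at or above the threshold
        else:
            matched = False                # threshold raised above this message
    return matched


def route(rules, facility, severity):
    """Return the actions, in configuration order, that receive a facility.severity message."""
    return [action for selector, action in rules if selector_matches(selector, facility, severity)]


if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    for fac, sev in [("mail", "debug"), ("auth", "alert"), ("daemon", "debug"), ("kern", "emerg")]:
        print(f"{fac}.{sev:<8} -> {route(rules, fac, sev)}")
```

Under this rule the last line of the sample configuration ends with "*.emerg", which resets every facility to emerg, so only emergency messages reach 133.191.3.252 and an auth.alert message is written locally but never forwarded. If the intent is to send everything at info and above to the log server, a selector such as "*.info" on its own line expresses that unambiguously. Whether a particular syslogd applies "last pair wins" or merges the pairs is implementation specific, so confirm the behaviour against syslogd(1M) on the host before relying on it.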
4. Configuration parameters in syslog.conf on HP-UX
syslog messages use a standard format that includes an optional priority and facility. The priority indicates the urgency of the message; the facility indicates the subsystem that issued it. The priorities and facilities defined in /usr/include/syslog.h are listed below.
syslog priorities
LOG_EMERG: system panic condition, usually broadcast to all users.
LOG_ALERT: a condition that should be corrected immediately, such as a corrupted system database.
LOG_CRIT: critical condition, such as a hardware error.
LOG_ERR: general error.
LOG_WARNING: warning message.
LOG_NOTICE: not an error, but a condition that may require special attention.
LOG_INFO: informational message.
LOG_DEBUG: message containing information normally used only when debugging a program.
syslog facilities
LOG_KERN: messages generated by the kernel. No user process can generate these messages.
LOG_USER: messages generated by an arbitrary user process; this is the default facility if none is specified.
LOG_MAIL: messages from the mail system.
LOG_DAEMON: messages from system daemons such as inetd and ftpd.
LOG_AUTH: messages from the authorization system, such as login, su, and getty.
LOG_SYSLOG: messages generated internally by the syslogd daemon.
LOG_LPR: messages from the line printer spooling system, such as lp and lpsched.
LOG_NEWS: messages from the news system.
LOG_UUCP: messages from the UUCP system.
LOG_CRON: messages from the cron daemon.
LOG_LOCAL0 through LOG_LOCAL7: reserved for local use.

5. Unfavorable factors in system maintenance of the current basic system group
(1) Insufficient personnel.
(2) Monitoring cannot be automated and relies entirely on manpower.
(3) Low system maintenance efficiency.
How to collect logs from Unix systems in a centralized manner

1. Log collection methods
(1) Modify the log configuration file of each system so that log information is saved locally and also forwarded to the log server.
(2) Use a script to periodically import log files into the centralized log server with the logger tool.
On the log server side, import the log information into a MySQL database split into fields, and create a query page so that log messages can be queried as needed.
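The server-side step of splitting received messages into fields and loading them into a database, as an added example that is not the article's own program. It assumes the classic BSD line format that syslogd emits when forwarding ("<PRI>Mon dd hh:mm:ss host tag[pid]: message"), decodes the <PRI> value into the facility and priority names from the syslog.h table above, and uses SQLite in place of the MySQL server the article describes; the sample lines, hosts, users and addresses are constructed.

```python
"""Split forwarded syslog lines into fields and load them into a SQL table.

Added example for this article, not code from the original page. It assumes
the classic BSD wire format "<PRI>Mon dd hh:mm:ss host tag[pid]: message"
that syslogd emits for the @host action; lines copied straight out of
/var/adm/syslog.log carry no <PRI> prefix and are accepted with unknown
facility and severity. SQLite stands in for the MySQL server the article
describes; the INSERT shape is the same.
"""
import re
import sqlite3

# Severity codes 0-7 and facility codes 0-23 as numbered in syslog.h / RFC 3164.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                        # optional <PRI>
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "   # e.g. "Oct 11 22:14:15"
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"      # program name and optional pid
    r"(?P<msg>.*)$"
)

# Constructed sample input; the hosts, users and addresses are invented.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 nvbrg2 su: 'su root' failed for user1 on /dev/pts/1",
    "<38>Oct 11 22:14:20 nvbrg2 login[2201]: root login on pts/1 from 10.0.0.5",
    "Oct 12 03:00:01 nvbrg2 cron[1234]: (root) CMD (/usr/sbin/sa1)",
    "<30>Oct 12 03:05:09 hpux2 inetd[310]: ftp/tcp: connection from 10.0.0.9",
    "this line is not syslog",
]


def parse_line(line):
    """Return a dict of fields for one syslog line, or None if it does not parse."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    facility = severity = None
    if m.group("pri") is not None:
        code = int(m.group("pri"))
        if code > 191:                      # 23*8 + 7 is the largest legal PRI
            return None
        facility = FACILITIES[code >> 3]    # high bits are the facility
        severity = SEVERITIES[code & 7]     # low three bits are the severity
    return {
        "facility": facility,
        "severity": severity,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "message": m.group("msg"),
    }


def load_events(lines):
    """Parse lines into an in-memory events table; return (connection, skipped_count)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events (id INTEGER PRIMARY KEY, facility TEXT, severity TEXT, "
        "timestamp TEXT, host TEXT, tag TEXT, pid INTEGER, message TEXT)"
    )
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1                    # count rejects so lost lines are visible
            continue
        conn.execute(
            "INSERT INTO events (facility, severity, timestamp, host, tag, pid, message) "
            "VALUES (:facility, :severity, :timestamp, :host, :tag, :pid, :message)",
            rec,
        )
    conn.commit()
    return conn, skipped


def auth_failures(conn):
    """Query-page logic: auth-facility events at err or more urgent, oldest first."""
    return conn.execute(
        "SELECT host, message FROM events WHERE facility = 'auth' "
        "AND severity IN ('emerg', 'alert', 'crit', 'err') ORDER BY id"
    ).fetchall()


if __name__ == "__main__":
    db, bad = load_events(SAMPLE_LINES)
    print(f"loaded {len(SAMPLE_LINES) - bad} events, skipped {bad}")
    for row in auth_failures(db):
        print("auth failure:", row)
```

Keeping facility and severity as separate columns is what makes the query page useful: the same table answers "all auth failures across hosts" or "everything at crit or above in the last hour" without re-parsing message text. The skipped counter matters for the same reason the article gives for UDP forwarding: a collector that silently drops what it cannot parse hides gaps in the record.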
2. Advantages of centralized log collection
(1) Easier log file analysis: centralized logs let administrators view and analyze the logs of the various systems on one server, improving efficiency.
(2) Enhanced security: log files are recorded both locally and on the centralized log server, improving the reliability of log storage.
(3) Simplified log archiving: system logs can be archived with MySQL statements on the centralized log server, simplifying complicated and troublesome work.
3. Disadvantages
syslogd only supports UDP forwarding. UDP is a connectionless protocol that provides no flow control and does not guarantee delivery, so forwarded log messages may be lost.
syslogd currently only carries system-level log messages, whose fields are split automatically by content and imported into the database. Alarms generated by the databases and application systems of the various hosts can also be collected, but they cannot yet be split into database fields by content; this needs to be improved in the next step.
6. Thoughts on the next step
1. The log system is only one tool for monitoring how the system runs. Analyzing and handling a specific fault still requires studying the specific problem, and the final solution depends on improving our own maintenance skills. In the future we need to learn more, think more, and summarize more.

2. The centralized log program must be improved to further optimize the centralized collection of database and application system event logs, to facilitate maintenance.

3. In the long run, not only system logs but also the running performance indicators of the various hosts need to be centralized to improve maintenance efficiency.

 
