Linux Log System Composition

Source: Internet
Author: User
Tags syslog rsyslog

The Linux log system consists of three parts:

1. Which tools record the logs generated by the system?
Two processes managed by the syslog service script, syslogd and klogd, record the logs generated by the system.
The klogd process is dedicated to logging the information generated by the kernel.
The syslogd process logs the information generated by application services (everything except the kernel).
An application can have syslogd record its log information only by calling the logger interface.

2. As long as system services are running, log information is generated, and a dedicated tool records it to disk. To keep log analysis manageable, log files must not grow too large, and log files from long ago should be deleted. Who accomplishes these tasks?
The logrotate command rotates the log files recorded by syslog.


3. Automated management, to free people from busy work: rotation, backup, and compression of log files.
Two loyal workers (processes), crond and anacron, complete all of the above work.

Let's take a look at how each of them works:
1. syslog
syslog is only a service script used to manage syslogd and klogd. Their configuration is stored in /etc/syslog.conf.

[root@node2 logs]# cat /etc/syslog.conf

# Log anything (except mail) of level info or higher.

# Don't log private authentication messages!

*.info;mail.none;authpriv.none;cron.none    /var/log/messages

# The asterisk (*) before the dot stands for all facilities.

# *.info means record logs by priority, starting at info. Note that this is not only info-level logs: all logs with a level higher than info are recorded as well, for example notice, warn, err, ..., panic.

# *.info;mail.none;authpriv.none;cron.none means everything matched by the asterisk (*), except mail, authpriv, and cron.

# That is, log information from the mail, authpriv, and cron subsystems is not recorded in /var/log/messages.

# Log all the mail messages in one place.

mail.*    -/var/log/maillog

# The asterisk (*) means all priorities.

# mail.* means record log information of all levels generated by the mail system.

# -/var/log/maillog: the hyphen (-) means the log information generated by the mail system is written to disk asynchronously. It is first held in the page cache, then flushed to disk in one go according to a certain policy. The trade-off is that the most recent messages can be lost if the system crashes before the flush.

# Mail is a very busy system and generates a large amount of log information. Writing every entry to disk immediately would be very inefficient, because disk I/O is slow. By default the system starts two threads that write back dirty pages. You can check this through the /proc interface: [root@node2 ~]# cat /proc/sys/vm/nr_pdflush_threads. Linux starts more dirty-page writeback threads depending on how busy the system is.

# Of course, this kernel parameter can also be adjusted, but it should be sized according to the number of hardware CPUs.

# Everybody gets emergency messages

*.emerg    *

# *.emerg * means that all emerg-level logs in the system are sent to all users.

# Save boot messages also to boot.log

local7.*    /var/log/boot.log

# This entry records log information of all levels from the system boot process.


Configuration file format:
facility.priority    /path/file_name
facility defines who generates the log information: the software or subsystem that produces it while running.
priority defines which levels of log information are recorded: whether all information generated by the application is recorded in the log file, or only the application's error information.
/path/file_name defines where the log information is written.

View the common facilities and priorities:

[root@node2 ~]# man syslog.conf

# Common facilities

The facility is one of the following keywords: auth, authpriv, cron,
daemon, kern, lpr, mail, mark, news, security (same as auth), syslog,
user, uucp and local0 through local7.

# Common priorities

The priority is one of the following keywords, in ascending order:
debug, info, notice, warning, warn (same as warning), err, error (same
as err), crit, alert, emerg, panic (same as emerg).
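The selector rules above decide which file each message lands in, including whether authentication messages stay out of /var/log/messages. The following is an added example, not code from the original page or from syslogd itself: a simplified Python model of the facility.priority matching (no "=" or "!" modifiers) applied to the four rules in the excerpt. The function names are hypothetical.

```python
# Added example: a simplified model of classic syslog.conf selector matching.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

# The four rules from the /etc/syslog.conf excerpt on this page.
RULES = [
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("mail.*", "-/var/log/maillog"),
    ("*.emerg", "*"),
    ("local7.*", "/var/log/boot.log"),
]


def level(name):
    """Numeric rank of a priority keyword, resolving warn/error/panic aliases."""
    return PRIORITIES.index(ALIASES.get(name, name))


def selector_matches(selector, facility, priority):
    """Evaluate the ';'-separated parts left to right for one message."""
    matched = False
    for part in selector.split(";"):
        facilities, _, prio = part.strip().rpartition(".")
        names = facilities.split(",")
        if "*" not in names and facility not in names:
            continue                      # part is about other facilities
        if prio == "none":
            matched = False               # explicit exclusion overrides earlier parts
        elif prio == "*" or level(priority) >= level(prio):
            matched = True                # "prio" means prio or anything higher
    return matched


def destinations(facility, priority):
    """Return the targets (in file order) that would receive this message."""
    return [dest for sel, dest in RULES if selector_matches(sel, facility, priority)]


if __name__ == "__main__":
    for fac, prio in [("daemon", "debug"), ("daemon", "warn"), ("authpriv", "info"),
                      ("mail", "err"), ("kern", "panic"), ("local7", "info")]:
        print(f"{fac}.{prio:<6} -> {destinations(fac, prio) or 'dropped'}")
```

With only the rules shown in the excerpt, authpriv.info matches nothing, so authentication messages stay out of /var/log/messages as the comment in the file intends.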


Syslog uses a uniform log file format that is easy for administrators to read.
Standard format of Linux system log files:
the time the event occurred, the host that produced the log, the subsystem that generated the log information, and the event itself.
Fields are separated by spaces.

[root@node2 ~]# tail /var/log/cron

Jun 12 10:00:01 node2 crond[5487]: (root) CMD (/usr/lib/sa/sa1 1)
Jun 12 10:01:01 node2 crond[5490]: (root) CMD (run-parts /etc/cron.hourly)


Note:
Event time: Jun 12 10:01:01
Host that produced the log: node2
Subsystem that generated the log information: crond[5490]
Event: CMD (run-parts /etc/cron.hourly)

[root@node2 ~]# tail -2 /var/log/messages

Jun 11 22:13:54 node2 syslogd 1.4.1: restart.

Jun 11 22:13:54 node2 kernel: klogd 1.4.1, log source = /proc/kmsg started.
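The sample lines above show two things a log parser has to cope with: the [pid] is optional, and the program field can contain a space ("syslogd 1.4.1"). The following is an added example, not part of the original page: a Python parser for this line format that keeps unparseable lines visible instead of dropping them. The function names are hypothetical, and the year 2013 used in testing is an assumption, because the format records no year.

```python
import re
from datetime import datetime

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# The log lines quoted on this page, embedded so the example runs offline.
SAMPLE = """\
Jun 12 10:01:01 node2 crond[5490]: (root) CMD (run-parts /etc/cron.hourly)
Jun 11 22:13:54 node2 syslogd 1.4.1: restart.
Jun 11 22:13:54 node2 kernel: klogd 1.4.1, log source = /proc/kmsg started.
"""

LINE = re.compile(
    r"^(?P<mon>" + "|".join(MONTHS) + r") +(?P<day>\d{1,2}) "
    r"(?P<clock>\d\d:\d\d:\d\d) "                  # event time (the format has no year)
    r"(?P<host>\S+) "                              # host that produced the log
    r"(?P<tag>[^:\[]+?)(?:\[(?P<pid>\d+)\])?: "    # program, optional [pid]
    r"(?P<msg>.*)$"                                # the event itself
)


def parse_line(line, year):
    """Split one line into its fields; return None if it does not fit the format.

    `year` is an assumption supplied by the caller, since the line carries none.
    """
    m = LINE.match(line)
    if m is None:
        return None
    hh, mm, ss = (int(x) for x in m["clock"].split(":"))
    try:
        when = datetime(year, MONTHS.index(m["mon"]) + 1, int(m["day"]), hh, mm, ss)
    except ValueError:                             # e.g. "Feb 31" or hour 25
        return None
    return {"time": when, "host": m["host"], "program": m["tag"],
            "pid": int(m["pid"]) if m["pid"] else None, "message": m["msg"]}


def parse_log(text, year):
    """Parse every line, keeping unparseable ones visible as (lineno, raw) pairs."""
    good, bad = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        rec = parse_line(raw, year)
        (good if rec else bad).append(rec if rec else (n, raw))
    return good, bad
```

Because the timestamp has no year or time zone, anything that correlates these records across hosts or across a year boundary has to take both from another source, such as the rotated file's modification time.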
