"Brother Bird's Linux private dish" reading notes: log files and their analysis

Source: Internet
Author: User
Tags syslog
Introduction to log files

The log file records the system's activity information; by analyzing it we can resolve system errors and network problems. Log files are generally kept in the /var/log/ directory, and the messages file usually records the most information.

How log files are generated:
  • The software developer defines the log file and its format.
  • The Linux system provides a log file management service for unified management.

Services and programs needed to manage log files:
  • syslogd (records system and network service information) and klogd (records information generated by the kernel).
  • logrotate: when a log file grows very large, access slows down, so logrotate is needed to automate handling of log file size and log file replacement.

syslogd

syslogd is responsible for Linux log files and generates the log information for each service. The format of a log entry:
  • the time the event occurred
  • the host name where the event occurred
  • the name of the service and function that started the event
  • the actual data content of the message

The syslog configuration file: /etc/syslog.conf

It specifies the service name, the information level, and the location where the information is logged.

There are seven major levels of information: info, notice, warn (warning), err (error), crit (critical), alert, emerg (panic). There are two additional special levels, debug and none, for error detection.

Link symbols [. .= .!]: "." means the level that follows and every level greater than or equal to it, ".=" means only the level that follows, and ".!" means all levels other than the one that follows.

Example:
mail.info /var/log/maillog # write mail messages of level info and above to the file that follows
*.*;news,cron,mail.none /var/log/messages # all messages except cron, mail and news are recorded in the file that follows

Note 1: Put "-" in front of the file path so that messages are held in memory first and written to the file only once enough data has accumulated. This improves log file access performance, but an abnormal power-off (abnormal shutdown) can lose messages that had not yet been written. It is typically used for mail service logs.

Note 2: The SuSE distribution replaces syslog with syslog-ng, which is more flexible than syslog and allows more detailed message filtering conditions. The syslog-ng main configuration file is /etc/syslog-ng/syslog-ng.conf. Its syntax is very different from syslog.conf: a log statement has the form "sources-filters-destinations". You first write the three blocks (sources, filters, destinations) and the log statement then ties them together: by defining multiple message sources, the messages that match the filters are directed to the specified destination, forming a message path. Please refer to the syslog-ng documentation for details.
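
The selector syntax above, worked through in code: this added example (not part of the original notes) compiles syslog.conf selectors and reports which rules receive a given facility.level message. It reads "!" the way sysklogd's syslog.conf(5) documents it (".!" removes the named level and above, ".!=" only that level); the kern-crit and mail-other file names are made up for the sample.

```python
# Added example: decide which syslog.conf rules accept a facility.level message.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail",
              "news", "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]

# Constructed sample: the two rules quoted in the notes plus one each for ".=" and ".!".
SAMPLE_CONF = """\
mail.info                  /var/log/maillog
*.*;news,cron,mail.none    /var/log/messages
kern.=crit                 /var/log/kern-crit     # hypothetical file name
mail.*;mail.!=info         -/var/log/mail-other   # hypothetical file name
"""

def compile_selector(selector):
    """Turn one selector field into {facility: set of accepted levels}."""
    accepted = {f: set() for f in FACILITIES}
    for part in selector.split(";"):              # later parts refine earlier ones
        facs, _, prio = part.strip().partition(".")
        negate = prio.startswith("!")             # "!" removes levels instead of adding
        exact = prio.lstrip("!").startswith("=")  # "=" means this level only
        prio = prio.lstrip("!=")
        prio = ALIASES.get(prio, prio)
        if prio in ("*", "none"):                 # "none" clears the facility
            chosen, negate = set(LEVELS), negate or prio == "none"
        elif prio not in LEVELS:
            raise ValueError(f"unknown level in {part!r}")
        elif exact:
            chosen = {prio}
        else:                                     # "." means this level and more severe
            chosen = set(LEVELS[:LEVELS.index(prio) + 1])
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            accepted[fac] = accepted[fac] - chosen if negate else accepted[fac] | chosen
    return accepted

def parse_rules(conf_text):
    """Return [(accepted-levels map, action)] for every non-comment line."""
    rules = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            selector, action = line.split(None, 1)
            rules.append((compile_selector(selector), action))
    return rules

def destinations(rules, facility, level):
    """List the actions that would receive a message of facility.level."""
    level = ALIASES.get(level, level)
    return [action for accepted, action in rules if level in accepted[facility]]
```

Calling `destinations(parse_rules(SAMPLE_CONF), "mail", "info")` shows that the mail.none exclusion keeps mail traffic out of /var/log/messages while mail.info still reaches /var/log/maillog.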

Security settings for log files: using the chattr command with the +a option, a log file can be set so that content can only be appended to it; it cannot be deleted or overwritten. If you view a log file with vi and leave with the :wq command, the file can no longer record log entries; in that case the syslog service must be restarted.

Log file server settings:
  • Server: modify the syslogd startup configuration file, usually under /etc/sysconfig/. Run vi /etc/sysconfig/syslog, change SYSLOGD_OPTIONS="-m 0" to SYSLOGD_OPTIONS="-m 0 -r", then restart the syslog service.
  • Client: run vim /etc/syslog.conf, add the line *.* @<host IP address>, then restart syslog.

logrotate

This program runs daily; the specific rule is recorded in /etc/cron.daily/logrotate. The logrotate configuration files:
  • /etc/logrotate.conf: the main parameter file. It provides the detailed settings and the defaults for rotation: mainly the rotation cycle, the number of log files kept, whether to compress the log files, and other parameters.
  • /etc/logrotate.d/: the files in this directory are read into /etc/logrotate.conf. These files can include scripts to execute, which must be placed between sharedscripts and endscript:

sharedscripts
prerotate: commands run before logrotate starts, such as modifying the attributes of a log file;
postrotate: commands run after logrotate finishes, such as restarting a service with kill -1;
both are important when handling files with special attributes.
endscript
Log file analysis

Logwatch is the default log file analysis software on CentOS. On Linux distributions where it is not installed you can install it yourself, or write your own scripts to analyze the log files according to your actual requirements.
