13th Chapter Linux Log Management

Source: Internet
Author: User
Tags: apache, log, rsyslog, dmesg

1. Log Management

(1) Introduction

In CentOS 6.x the log service rsyslogd has replaced the original syslogd. rsyslogd is more advanced and has more features, but whichever of the two is in use, the log file format is the same and remains compatible with syslogd.

(2) New features of rsyslogd

① transports log messages over TCP as well as UDP

② more secure network transmission modes

③ a real-time analysis framework for log messages

④ can write logs to a backend database

⑤ simple logical conditions (filters) can be written in the configuration file

⑥ compatible with syslogd configuration files

(3) To check whether the rsyslogd service is running:

  ① #ps aux | grep rsyslogd    // is the daemon running?

  ② #chkconfig --list | grep rsyslog    // does it start at boot?

(4) Function of the common log files

Log file            Description

/var/log/cron       Logs of the system's scheduled tasks (crond).

/var/log/cups/      Printing logs.

/var/log/dmesg      Kernel messages recorded while the system boots (the kernel self-test). The dmesg command shows the same kernel ring-buffer information directly.

/var/log/btmp       Failed login attempts. This is a binary file: it cannot be read with vi; use the lastb command instead: #lastb

/var/log/lastlog    The last login time of every user on the system. Also a binary file: read it with the lastlog command rather than vi.

/var/log/maillog    Mail system messages.

/var/log/messages   General system messages. Most important system information in Linux is recorded here; when the system misbehaves, this is the first file to check.

/var/log/secure     Authentication and authorization messages. Anything that involves accounts and passwords is recorded here: console logins, SSH logins, su to another user, sudo authorization, even adding a user or changing a password.

/var/log/wtmp       Every user login and logout, plus system boot, reboot and shutdown events. Also a binary file: read it with the last command, not vi.

/var/run/utmp       The users currently logged in. The file changes as users log in and out and only holds the current sessions. It cannot be read with vi either; query it with w, who, users and similar commands.

(5) Besides the system default logs, services installed from RPM packages also write their logs under /var/log/ (a service installed from a source package writes to whatever directory was chosen at build time). These logs are not written or managed by rsyslogd; each service keeps its own log files with its own logging code.

Log file            Description

/var/log/httpd/     Default log directory of the Apache service installed from the RPM package

/var/log/mail/      Additional log directory of the mail service installed from the RPM package

/var/log/samba/     Log directory of the Samba service installed from the RPM package

/var/log/sssd/      Log directory of the System Security Services Daemon (sssd)

2. Rsyslogd Log service

(1) Log file format (4 columns)

 ① the time the event was generated

 ② the host name of the server where the event occurred

 ③ the name of the service or program that generated the event

 ④ the message describing the event
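The four columns above are what any tool that reads rsyslog output has to split on. As an added example that is not part of the original page, the Python below parses constructed /var/log/secure-style lines (sample data invented for this example, not real logs) and then runs the checks a responder typically makes on that file: failed SSH passwords per source address, successful logins, and sudo commands. It assumes the traditional rsyslog timestamp format shown in the sample and the message wording of OpenSSH and sudo; both are assumptions, not taken from the page.

```python
import re
from collections import Counter

# Constructed sample in the style of /var/log/secure (made up for this example, not real log data).
SAMPLE_SECURE = """\
Jan  7 10:15:02 web01 sshd[2311]: Failed password for invalid user admin from 203.0.113.5 port 51321 ssh2
Jan  7 10:15:04 web01 sshd[2311]: Failed password for invalid user admin from 203.0.113.5 port 51322 ssh2
Jan  7 10:15:07 web01 sshd[2314]: Failed password for root from 203.0.113.5 port 51330 ssh2
Jan  7 10:16:40 web01 sshd[2320]: Accepted publickey for deploy from 198.51.100.7 port 40122 ssh2
Jan  7 10:17:01 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jan  7 10:17:30 web01 su: pam_unix(su-l:session): session opened for user root by deploy(uid=1000)
"""

# The four columns of a traditional rsyslog line: timestamp, host, program[pid], message.
# Assumes the default "Mon DD HH:MM:SS" timestamp; a day below 10 is padded with a space.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s*"
    r"(?P<msg>.*)$"
)
# Message patterns as written by OpenSSH sshd and sudo (assumed wording).
FAILED_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse_line(line):
    """Split one line into its four columns; return None if it is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


def parse_log(text):
    """Parse a whole file, skipping blank or malformed lines instead of failing on them."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def failed_logins_by_ip(records):
    """Count sshd 'Failed password' events per source address."""
    counts = Counter()
    for r in records:
        if r["prog"] != "sshd":
            continue
        m = FAILED_RE.match(r["msg"])
        if m:
            counts[m.group("ip")] += 1
    return counts


def brute_force_sources(records, threshold=3):
    """Source addresses with at least `threshold` failed passwords, most active first."""
    return [ip for ip, n in failed_logins_by_ip(records).most_common() if n >= threshold]


def accepted_logins(records):
    """(user, source address, auth method) for every successful sshd login."""
    out = []
    for r in records:
        if r["prog"] != "sshd":
            continue
        m = ACCEPTED_RE.match(r["msg"])
        if m:
            out.append((m.group("user"), m.group("ip"), m.group("method")))
    return out


def sudo_commands(records):
    """(invoking user, target user, command) for every sudo entry."""
    out = []
    for r in records:
        if r["prog"] != "sudo":
            continue
        m = SUDO_RE.match(r["msg"])
        if m:
            out.append((m.group("user"), m.group("target"), m.group("cmd")))
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_SECURE)
    print("brute-force sources:", brute_force_sources(recs))
    print("accepted logins:", accepted_logins(recs))
    print("sudo commands:", sudo_commands(recs))
```

Note that the sudo line carries no PID and has several spaces after the program name, and that the su line's message itself contains a colon; a parser that splits naively on the first colon or on single spaces mis-reads both, which is why the program/PID part is matched explicitly before the message.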

(2) /etc/rsyslog.conf configuration file

① Line format:

    service name[connection symbol]log level    log record location

    authpriv.*    /var/log/secure    // "." is the connection symbol meaning "this level or higher"; "*" stands for all levels, so every log produced by the authpriv (authentication) service is written to /var/log/secure

(In rsyslog's own terms the "service name" is the facility and the "log level" is the priority; this page keeps the simpler names.)

② Service name

Service name    Description

auth            Security and authentication messages (the older facility; authpriv is used for most of these today)

authpriv        Security and authentication messages (private)

cron            Logs generated by the scheduled-task services cron and at

daemon          Logs of the various daemons

ftp             Logs generated by the FTP daemon

kern            Logs generated by the kernel (not by user processes)

local0-local7   Facilities reserved for local use

lpr             Logs generated by printing

mail            Sending and receiving mail

news            Logs of the news server

syslog          Messages generated internally by the log service (the daemon is now rsyslogd, but many configurations still use the facility name syslog, which was never renamed)

user            Log messages from user-level programs

uucp            Log messages of the UUCP subsystem. UUCP is an early Unix data transfer protocol that was later also used by the newsgroup service.

③ Connection symbols

Connection symbol    Description

*                    (not strictly a connection symbol) Stands for all log levels. For example "authpriv.*" records every level of log produced by the authpriv authentication service.

"."                  Records the given level and every higher (more severe) level. For example "cron.info" records the logs generated by the cron service as long as their level is info or above.

".="                 Records only exactly the given level and no other. For example "*.=emerg" records emerg-level messages from every service ("*" before the dot stands for all services). This usage is rare.

".!"                 Excludes the given level and every higher level, keeping only the lower levels. ".!=" excludes exactly the given level. Because these forms subtract, they only make sense after an earlier selector on the same line has enabled levels, as in "*.*;auth.!err".

④ Log level (lowest to highest)

Level name    Description

debug         Debugging information

info          Ordinary informational messages

notice        Normal but somewhat significant conditions

warning       Warnings that do not yet affect the operation of the service or system

err           Errors; a message at err level generally means the service or system is already affected

crit          Critical conditions, more severe than err

alert         Action must be taken immediately; more severe than crit

emerg         Panic level: the system is unusable

⑤ Log record location:

A. an absolute path to a log file, such as "/var/log/secure" (a leading "-", as in "-/var/log/maillog", lets rsyslog buffer writes to that file)

B. a system device file, such as "/dev/lp0"

C. forward to a remote host, such as "@192.168.0.210:514" (one "@" sends over UDP; "@@192.168.0.210:514" sends over TCP)

D. a user name, such as "root": the message is written to that user's terminal if logged in ("*" means every logged-in user)

E. discard the message: "~"
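To make the connection symbols and the left-to-right order of selectors concrete, here is an added example (not from the original page) that models rsyslog's selector matching in Python: a selector line is compiled into the set of levels each facility matches, and a rule list modelled on the default CentOS 6 /etc/rsyslog.conf (the rule pairs are my reconstruction of those defaults, and are an assumption) is used to show where a given message lands. The point worth checking is that because of "authpriv.none" on the /var/log/messages line, authentication events never reach that file, so a reviewer who only reads messages will not see them.

```python
# Priorities in ascending severity, as rsyslog orders them; "cron.info" means info or higher.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + ["local%d" % i for i in range(8)]


def _normalize(level):
    level = ALIASES.get(level, level)
    if level not in PRIORITIES:
        raise ValueError("unknown priority: %r" % level)
    return level


def compile_selector(selector):
    """Turn 'fac[,fac].pri;fac.pri;...' into {facility: set of priorities it matches}.

    Selectors are applied left to right, so 'mail.none' after '*.info' removes mail
    again, and '.!level' / '.!=level' subtract from what earlier selectors added.
    """
    mask = {f: set() for f in FACILITIES}
    for part in selector.split(";"):
        part = part.strip()
        if not part:
            continue
        facs, dot, pri = part.rpartition(".")
        if not dot or not facs or not pri:
            raise ValueError("bad selector: %r" % part)
        fac_list = FACILITIES if facs == "*" else [f.strip() for f in facs.split(",")]
        for f in fac_list:
            if f not in mask:
                raise ValueError("unknown facility: %r" % f)
        ignore = pri.startswith("!")          # ".!" form: subtract instead of add
        if ignore:
            pri = pri[1:]
        single = pri.startswith("=")          # ".=" form: exactly this level only
        if single:
            pri = pri[1:]
        for f in fac_list:
            if pri == "none":
                mask[f] = set()               # drop this facility entirely
            elif pri == "*":
                mask[f] = set() if ignore else set(PRIORITIES)
            else:
                level = _normalize(pri)
                levels = {level} if single else set(PRIORITIES[PRIORITIES.index(level):])
                if ignore:
                    mask[f] -= levels
                else:
                    mask[f] |= levels
    return mask


def matches(selector, facility, priority):
    """Does a message with this facility and priority match the selector?"""
    if facility not in FACILITIES:
        raise ValueError("unknown facility: %r" % facility)
    return _normalize(priority) in compile_selector(selector)[facility]


def route(rules, facility, priority):
    """Actions, in configuration order, that a message with this facility/priority reaches."""
    return [action for sel, action in rules if matches(sel, facility, priority)]


# Constructed (selector, action) pairs mirroring the default CentOS 6 /etc/rsyslog.conf; an assumption.
CENTOS6_RULES = [
    ("kern.*", "/dev/console"),
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("mail.*", "-/var/log/maillog"),
    ("cron.*", "/var/log/cron"),
    ("*.emerg", "*"),
    ("uucp,news.crit", "/var/log/spooler"),
    ("local7.*", "/var/log/boot.log"),
]


if __name__ == "__main__":
    for fac, pri in [("authpriv", "info"), ("kern", "emerg"), ("daemon", "debug")]:
        print("%s.%s -> %s" % (fac, pri, route(CENTOS6_RULES, fac, pri)))
```

The model only covers the classic selector syntax described on this page; rsyslog's property-based and expression-based filters are a separate mechanism.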

3. Log Rotation

(1) Naming rules for rotated log files

① If the configuration file contains the "dateext" parameter, rotated logs get the date as a suffix, such as "secure-20170107". Names then never collide, so the old logs do not need to be renamed: logrotate only keeps the configured number of files and deletes the surplus.

② If "dateext" is not set, the logs have to be renamed. At the first rotation the current "secure" log is renamed "secure.1" and a new "secure" file receives new entries. At the second rotation "secure.1" is renamed "secure.2", the current "secure" becomes "secure.1", a new "secure" is created, and so on.

(2) logrotate configuration file (/etc/logrotate.conf)

Parameter                 Description

daily                     Rotate the log every day

weekly                    Rotate the log every week

monthly                   Rotate the log every month

rotate N                  Number of rotated log files to keep; 0 means old logs are deleted rather than kept

compress                  Compress the old log when it is rotated

create mode owner group   Create a new, empty log after rotation with the given permissions, owner and group, such as create 0600 root utmp

(3) Add the Apache log to the rotation (in general a program installed from a source package has to be added to the log rotation by hand; packages installed from RPM add themselves, through a file under /etc/logrotate.d/)

#vi /etc/logrotate.conf
/usr/local/apache2/logs/access_log {    // specify the log to rotate by its absolute path
    daily
    create
}
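A fuller stanza for the same log, added here as an example rather than taken from the page; the Apache install path and the location of apachectl are assumptions. It can go in /etc/logrotate.conf as above or, as the RPM-installed packages do, in its own file under /etc/logrotate.d/.

```conf
# Added example; paths are assumed. Rotates the source-installed Apache access and error logs.
/usr/local/apache2/logs/access_log /usr/local/apache2/logs/error_log {
    daily
    rotate 30
    missingok          # do not fail if a log is absent
    notifempty         # skip rotation of an empty log
    compress
    delaycompress      # compress on the next cycle, not while httpd may still be writing
    create 0640 root root
    sharedscripts      # run postrotate once for both files, not once per file
    postrotate
        /usr/local/apache2/bin/apachectl graceful > /dev/null 2>&1 || true
    endscript
}
```

The "create" directive only makes a new file; httpd keeps its descriptor on the renamed one and keeps writing there until it reopens its logs, which is why the postrotate reload is needed and why delaycompress waits one cycle before compressing. Check a new stanza with "logrotate -d /etc/logrotate.conf", which prints what would be done without touching any file.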

(4) The logrotate command: #logrotate [options] configuration file

Option    Description

-v        Verbose: show the rotation process as it runs

-f        Force: rotate every log in the configuration file whether or not its rotation condition has been met

Note

Without options, logs are rotated only according to the conditions in the configuration file (this is what the daily cron job does).

#logrotate -f /etc/logrotate.conf    // force a log rotation

