1. Log Management
(1) Introduction
In CentOS 6.x the log service is rsyslogd, which replaced the original syslogd service. rsyslogd is more advanced and has more features. However, regardless of which service is used, the format of the log files is compatible with syslogd.
(2) New features of rsyslogd
① transfers log information over the TCP network protocol
② more secure network transmission mode
③ a framework for timely analysis of log messages
④ database backend
⑤ simple logical judgments can be written in the configuration file
⑥ compatible with syslogd configuration files
(3) To check whether the rsyslogd service is running:
① #ps aux | grep rsyslogd // whether it is started
② #chkconfig --list | grep rsyslog // whether it starts at boot
(4) Function of common logs
| Log file | Description |
| --- | --- |
| /var/log/cron | Logs related to system scheduled tasks |
| /var/log/cups/ | Logs of printing information |
| /var/log/dmesg | Records the kernel self-test information when the system is powered on. You can also use the dmesg command to view the kernel self-test information directly. |
| /var/log/btmp | Records failed login attempts. This file is binary and cannot be viewed directly with vi; use the lastb command to view it: #lastb |
| /var/log/lastlog | Records the last login time of every user on the system. This file is also binary and cannot be viewed with vi; use the lastlog command to view it. |
| /var/log/maillog | Records mail information |
| /var/log/messages | Records important system information. Most of the important information in a Linux system is recorded in this log file. If there is a problem with the system, the first thing to check is this log file. |
| /var/log/secure | Records authentication and authorization information; any program that involves an account and password is recorded here. For example, system login, SSH login, su user switching, sudo authorization, and even adding users and changing user passwords are all recorded in this log file. |
| /var/log/wtmp | Records all users' login and logout information, as well as system startup, restart and shutdown events. This file is also binary and cannot be viewed with vi; use the last command to view it. |
| /var/run/utmp | Records the users currently logged in. This file changes as users log in and out and only holds information about currently logged-in users. It also cannot be viewed directly with vi; query it with commands such as w, who and users. |
(5) In addition to the default system logs, services installed from RPM packages also write their logs under the /var/log/ directory (a service installed from a source package writes its logs to the directory specified by the source package). However, these logs are not recorded and managed by the rsyslogd service; each service uses its own log management to record its log.
| Log file | Description |
| --- | --- |
| /var/log/httpd/ | Default log directory for the Apache service installed from an RPM package |
| /var/log/mail/ | Additional log directory for the mail service installed from an RPM package |
| /var/log/samba/ | Log directory for the Samba service installed from an RPM package |
| /var/log/sssd | Log directory of the System Security Services Daemon (sssd) |
2. rsyslogd log service
(1) Log file format (4 columns)
① the time the event occurred
② the host name of the server on which the event occurred
③ the name of the service or program that generated the event
④ the specific content of the event
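As an added example (not part of the original notes), the following Python splits lines in this four-column format into time, host, program and message, then counts failed SSH password attempts per source address, the kind of check a defender runs over /var/log/secure. The sample lines are constructed and use RFC 5737 test addresses.

```python
import re
from collections import Counter

# Added example: parse the classic rsyslogd line format
#   <time> <host> <program>[<pid>]: <message>
LINE_RE = re.compile(
    r"^(?P<time>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)
# sshd's failed-password message as written to /var/log/secure
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse_line(line):
    """Return the four columns (plus pid, if present) as a dict, or None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def failed_logins_by_ip(lines):
    """Count sshd 'Failed password' events per source IP address."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["prog"] != "sshd":
            continue
        f = FAILED_RE.search(rec["msg"])
        if f:
            counts[f.group("ip")] += 1
    return counts

# Constructed sample lines in /var/log/secure format (not real log data).
SAMPLE = """\
Jan  7 10:15:02 web1 sshd[2231]: Failed password for invalid user admin from 192.0.2.10 port 52211 ssh2
Jan  7 10:15:04 web1 sshd[2231]: Failed password for invalid user admin from 192.0.2.10 port 52213 ssh2
Jan  7 10:15:09 web1 sshd[2240]: Accepted publickey for deploy from 198.51.100.7 port 40122 ssh2
Jan  7 10:16:30 web1 sshd[2255]: Failed password for root from 203.0.113.5 port 60001 ssh2
Jan  7 10:17:01 web1 CROND[2260]: (root) CMD (run-parts /etc/cron.hourly)
Jan  7 10:17:05 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /var/log/secure
""".splitlines()

if __name__ == "__main__":
    for ip, n in failed_logins_by_ip(SAMPLE).most_common():
        print(f"{ip}: {n} failed password attempts")
```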
(2) /etc/rsyslog.conf configuration file
① File contents:
service name [connection symbol] log level    log record location
authpriv.*    /var/log/secure
// "." is a connection symbol meaning the level given after it and above; "*" means all levels, so this line records all logs of the authentication service in the /var/log/secure file.
② Service name
| Service name | Description |
| --- | --- |
| auth | Security and authentication related messages (deprecated; authpriv supersedes it) |
| authpriv | Security and authentication related messages (private) |
| cron | Logs generated by the system scheduled task services crond and at |
| daemon | Logs related to the various daemons |
| ftp | Logs generated by the FTP daemon |
| kern | Logs generated by the kernel (not by user processes) |
| local0-local7 | Reserved for local use |
| lpr | Logs generated by printing |
| mail | Sending and receiving mail |
| news | News server related logs |
| syslog | Log information generated by the syslogd service (although the service is now called rsyslogd, many configurations still use the name syslogd, which has not been changed) |
| user | Log information of the user level category |
| uucp | UUCP subsystem log information. UUCP was an early data transfer protocol on Linux systems and was later also used by the newsgroup service. |
③ Connection symbols
| Connection symbol | Description |
| --- | --- |
| * (not actually a connection symbol) | Represents all log levels. For example, "authpriv.*" means the logs generated by the authpriv authentication service are recorded at all levels. |
| "." | Records logs whose level is at or above the level that follows (including that level). For example, "cron.info" means the logs generated by the cron service are recorded as long as the level is info or higher. |
| ".=" | Records only the specified level; no other level is recorded. For example, "*.=emerg" means the logs of all services are recorded only at the emerg level. This usage is rare. |
| ".!" | Means "not equal to": logs of all other levels are recorded except the specified level. |
④ Log level
| Level name | Description |
| --- | --- |
| debug | General debugging information |
| info | Basic notification information |
| notice | General information of some importance |
| warning | Warning message, but it does not affect the operation of the service or system |
| err | Error message; information at the err level has generally affected the operation of the service or system |
| crit | Critical condition, more severe than the err level |
| alert | Alert condition, more serious than crit; action must be taken immediately |
| emerg | Panic condition; the system is no longer usable |
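To make the connection symbols and levels above concrete, here is an added Python example (not from the original notes) that evaluates the selector part of an /etc/rsyslog.conf rule, such as "*.info;mail.none;authpriv.none;cron.none", and reports which levels of each service it records. It follows the standard syslog.conf rules: "level" selects that level and above, "=level" exactly that level, "none" drops the service, and "!" subtracts what it names (that level and above, or exactly that level with "!=") from the levels already selected on the same line, so it is normally written after a broader selector, as in "cron.*;cron.!err".

```python
# Added example: evaluate rsyslog.conf selectors (facility.level[;facility.level...])
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
FACILITIES = ["auth", "authpriv", "cron", "daemon", "ftp", "kern", "lpr", "mail",
              "news", "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]

def levels_at_or_above(level):
    """All levels from `level` up to emerg (what the "." connector selects)."""
    return set(LEVELS[LEVELS.index(level):])

def rule_levels(rule):
    """Map each facility to the set of levels the rule records.
    Selectors are applied left to right, so a later one can override an
    earlier one for the same facility (e.g. "*.info;authpriv.none")."""
    mask = {f: set() for f in FACILITIES}
    for selector in rule.split(";"):
        fac_part, spec = selector.strip().split(".", 1)
        facilities = FACILITIES if fac_part == "*" else fac_part.split(",")
        negate = spec.startswith("!")        # "!err" or "!=err"
        spec = spec.lstrip("!")
        exact = spec.startswith("=")         # "=emerg"
        spec = spec.lstrip("=")
        for f in facilities:
            if spec == "none":               # "mail.none": drop the facility entirely
                mask[f] = set()
            elif spec == "*":                # "authpriv.*": every level
                mask[f] = set(LEVELS)
            elif negate:                     # subtract from what is selected so far
                mask[f] -= {spec} if exact else levels_at_or_above(spec)
            elif exact:                      # ".=emerg": only that level
                mask[f] |= {spec}
            else:                            # ".info": that level and above
                mask[f] |= levels_at_or_above(spec)
    return mask

def rule_matches(rule, facility, level):
    """True if a message with this facility and level is written by the rule."""
    return level in rule_levels(rule)[facility]

if __name__ == "__main__":
    # Constructed input: the default /var/log/messages selector on CentOS 6,
    # which deliberately excludes authpriv (those lines go to /var/log/secure).
    rule = "*.info;mail.none;authpriv.none;cron.none"
    print("authpriv.info recorded:", rule_matches(rule, "authpriv", "info"))
    print("kern.warning recorded: ", rule_matches(rule, "kern", "warning"))
```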
⑤ Log record location:
A. absolute path, such as "/var/log/secure"
B. system device file, such as "/dev/lp0"
C. forward to a remote host, such as "@192.168.0.210:514"
D. user name, such as "root"
E. ignore or discard the log, such as "~"
3. Log Rotation
(1) Naming rules for rotated log files
① If the configuration file contains the "dateext" parameter, the log uses the date as the suffix of the log file name, such as "secure-20170107". In this case the log file names never overlap, so the log files do not need to be renamed; only the specified number of logs is kept and the extra log files are deleted.
② If the "dateext" parameter is not in the configuration file, the log files need to be renamed. When the first rotation occurs, the current "secure" log is renamed "secure.1" and a new "secure" log is created to hold new entries. At the second rotation, "secure.1" is renamed "secure.2", the current "secure" log is renamed "secure.1", and a new "secure" log is created to hold new entries, and so on.
(2) logrotate configuration file (/etc/logrotate.conf)
| Parameter | Description |
| --- | --- |
| daily | The log is rotated daily |
| weekly | The log is rotated weekly |
| monthly | The log is rotated monthly |
| rotate number | The number of rotated log files to keep; 0 means no backup is kept |
| compress | Old logs are compressed when rotated |
| create mode owner group | Create a new log file after rotation, specifying its permissions, owner and group, such as create 0600 root utmp |
(3) Adding the Apache log to rotation (a program installed from a source package generally needs to be added to log rotation manually; one installed from an RPM package is added automatically)
#vi /etc/logrotate.conf
/usr/local/apache2/logs/access_log {    // use an absolute path to specify the log to add to the rotation
    daily
    create
}
(4) logrotate command: #logrotate [options] configuration file
| Option | Description |
| --- | --- |
| -v | Display the log rotation process. Adding the -v option shows the progress of the rotation. |
| -f | Force a log rotation. Forces all logs in the configuration file to be rotated, regardless of whether the rotation condition has been met. |
| Note | If the command is run without options, the logs are rotated according to the conditions in the configuration file. #logrotate -f /etc/logrotate.conf // force log rotation |
Chapter 13: Linux Log Management