Agenda
Understanding the syslog system
Becoming familiar with the syslogd configuration file and its syntax
Learning to view system logs
Understanding the necessity and implementation of log rotation
Syslog
What is Syslog
Logs are used mainly for system auditing, for detecting and tracing problems, and for analysis and statistics.
To keep a Linux system running normally and to solve the various problems that arise accurately, reading the log files carefully is an important task for the administrator.
The Linux kernel consists of many subsystems, including networking, file access, and memory management. Subsystems need to send messages to users, together with the source and the importance of each message. All subsystems send their messages to a shared message area that can be maintained centrally; this is what syslog provides.
Syslog is a comprehensive logging system. Its main functions are to make log management easier and to store logs by category. Syslog frees program designers from the heavy, mechanical work of writing their own log-file code. Without it, every program has its own logging policy, and the administrator has no control over what information is stored or where it is stored.
Syslogd configuration file
The syslogd configuration file, /etc/syslog.conf, specifies which events in the system are monitored and where the corresponding logs are stored.
# cat /etc/syslog.conf
Syslogd level field
The level field specifies the level, or priority, associated with each facility:
emerg - the system is unusable because of an emergency.
alert - a situation that requires immediate attention.
crit - a critical condition.
err - error conditions other than emerg, alert, and crit.
warning - warning messages.
notice - a condition that deserves attention.
info - informational messages worth reporting.
debug - messages produced by programs running in debug mode.
none - disables all messages of the facility.
* - all levels except none.
Syslogd action field
The action field describes what is done with the messages selected by the facility and level:
file - the absolute path of a log file in which the messages are recorded.
username - send the message to the named user; * means all users.
device - send the message to a device, such as /dev/ls.
@hostname - send the message to the remote host hostname (which must resolve by name); that host must be running syslogd and be able to recognise the syslog configuration file.
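The following shell script is an added example, not code from the original page: it writes a constructed syslog.conf and evaluates its selectors with awk, so that one can ask which actions a message of a given facility and level reaches. It assumes classic syslog.conf semantics: a level selects messages at that level and higher, none removes a facility, selectors on one line are separated by ";" and facilities within a selector by ",", and the last selector on a line that mentions a facility decides (the sysklogd "=" and "!" level modifiers are not handled). The host name loghost.example.com and the file paths are illustrative.

```shell
#!/bin/sh
# Added example (not from the original page): a constructed syslog.conf and a
# function that answers "which actions receive a message of facility F, level L?"

SYSLOG_CONF=$(mktemp)
trap 'rm -f "$SYSLOG_CONF"' EXIT

# Constructed configuration; the remote host and file paths are illustrative.
# Classic syslogd wants a tab between selector and action; spaces are used here
# because the awk parser below splits on any whitespace.
cat > "$SYSLOG_CONF" <<'EOF'
# facility.level               action
*.info;mail.none;authpriv.none   /var/log/messages
authpriv.*                       /var/log/secure
mail.*                           -/var/log/maillog
*.emerg                          *
kern.crit                        /dev/console
*.err                            @loghost.example.com
EOF

# syslog_actions FACILITY LEVEL -> prints every matching action, one per line
syslog_actions() {
    awk -v fac="$1" -v lvl="$2" '
        BEGIN {
            n = split("debug info notice warning err crit alert emerg", L, " ")
            for (i = 1; i <= n; i++) rank[L[i]] = i   # emerg ranks highest
        }
        /^[ \t]*(#|$)/ { next }                       # comments and blank lines
        {
            nsel = split($1, sel, ";")
            matched = 0
            for (i = 1; i <= nsel; i++) {
                split(sel[i], part, "[.]")            # facility(s) . level
                nfac = split(part[1], facs, ",")
                for (j = 1; j <= nfac; j++) {
                    if (facs[j] != "*" && facs[j] != fac) continue
                    if (part[2] == "none")      matched = 0
                    else if (part[2] == "*")    matched = 1
                    else                        matched = (rank[lvl] >= rank[part[2]])
                }
            }
            if (matched) print $2
        }' "$SYSLOG_CONF"
}

# Where does an authpriv.err message go? And a kernel emergency?
syslog_actions authpriv err     # /var/log/secure and @loghost.example.com
syslog_actions kern emerg       # /var/log/messages, *, /dev/console, loghost
```

The authpriv.err case shows why the none selectors matter: the message is kept out of /var/log/messages, lands in /var/log/secure, and is also forwarded because *.err covers it. A kernel emergency reaches four destinations, including every logged-in user's terminal.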
View log files
Common log files
Log files are usually kept in the /var/log directory. In addition to the logs written by syslogd, this directory also holds the logs of the applications in use.
Viewing the contents of a log file requires root permission. The information in log files is very important, so only the superuser is allowed to access them.
Files and directories in /var/log:
cups/ - log records of the CUPS printing system.
httpd/ - directory for the Apache access and error logs.
mail/ - directory for the mail logs.
news/ - directory for the logs of the INN news system.
boot.log - the system startup log.
dmesg - the kernel message log from system startup.
maillog - the mail system logs.
messages - messages at level info or higher recorded by syslogd.
secure - authentication logs recorded by syslogd.
wtmp - a permanent record of each user's login and logout times.
View text log files
Most log files are plain text, with one message per line, so any tool that processes plain text on Linux can be used to view them: cat, tac, more, less, tail, and grep, for example.
Each line of the file is one message, made up of four fixed fields:
Timestamp: the date and time at which the message was sent.
Host name: the name of the computer that generated the message.
Subsystem name: the name of the subsystem that generated the message. This is either "kernel", meaning the message came from the kernel, or the name of the process (the program) that sent the message, followed by its PID in square brackets.
Message: the content of the message.
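The following shell script is an added example, not code from the original page. It splits lines of the four-field format described above into their fields with cut, awk and sed, and then runs one practical check over the file: counting failed SSH logins per source address, the kind of question an administrator asks of /var/log/secure. The log lines, host name and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): parsing syslog text lines with
# standard text tools and summarising failed logins from a constructed
# /var/log/secure-style file.

SECURE_LOG=$(mktemp)
trap 'rm -f "$SECURE_LOG"' EXIT

# Constructed sample; host name and addresses are illustrative.
cat > "$SECURE_LOG" <<'EOF'
Mar  3 10:15:01 host1 kernel: usb 1-1: new high-speed USB device number 2
Mar  3 10:15:07 host1 sshd[2210]: Accepted password for alice from 192.0.2.10 port 50210 ssh2
Mar  3 10:15:31 host1 sshd[2214]: Failed password for invalid user admin from 203.0.113.5 port 4321 ssh2
Mar  3 10:15:33 host1 sshd[2214]: Failed password for invalid user admin from 203.0.113.5 port 4322 ssh2
Mar  3 10:16:02 host1 sshd[2219]: Failed password for root from 203.0.113.5 port 4330 ssh2
Mar  3 10:16:40 host1 cron[2250]: (root) CMD (run-parts /etc/cron.hourly)
EOF

# log_field FIELD LINE -> prints one of: ts host prog pid msg
# The timestamp is the fixed 15-character "Mon dd hh:mm:ss" prefix; the program
# name is followed by an optional "[pid]" and a colon. Kernel messages carry
# no PID, so "pid" prints nothing for them.
log_field() {
    case "$1" in
        ts)   printf '%s\n' "$2" | cut -c1-15 ;;
        host) printf '%s\n' "$2" | awk '{ print $4 }' ;;
        prog) printf '%s\n' "$2" | sed -E 's/^.{15} [^ ]+ ([^ :[]+)(\[[0-9]+\])?:.*$/\1/' ;;
        pid)  printf '%s\n' "$2" | sed -nE 's/^.{15} [^ ]+ [^ :[]+\[([0-9]+)\]:.*$/\1/p' ;;
        msg)  printf '%s\n' "$2" | sed -E 's/^.{15} [^ ]+ [^:]+: //' ;;
    esac
}

# failed_logins_by_source -> "ADDRESS COUNT" per source, most frequent first.
# Matching on the program field first keeps unrelated messages that happen to
# contain "Failed password" out of the count.
failed_logins_by_source() {
    grep 'sshd\[[0-9]*\]: Failed password' "$SECURE_LOG" \
        | sed -E 's/.* from ([^ ]+) port .*/\1/' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $2, $1 }'
}

line=$(sed -n 3p "$SECURE_LOG")
echo "ts=$(log_field ts "$line") host=$(log_field host "$line") prog=$(log_field prog "$line") pid=$(log_field pid "$line")"
echo "msg=$(log_field msg "$line")"
failed_logins_by_source     # 203.0.113.5 3
```

The same pipeline works on a live file by replacing "$SECURE_LOG" with /var/log/secure (as root), or on its tail with tail -f piped into grep.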
# strings wtmp
# ls
# strings btmp
View non-text log files
Some log files are binary files and must be read with the corresponding commands.
# lastlog | more
The lastlog command reports the last login time of a specific user; it formats and prints the last-login log /var/log/lastlog.
last
The last command searches back through /var/log/wtmp and displays the users who have logged in since the file was created.
lastb
The lastb command searches /var/log/btmp and displays information about unsuccessful login attempts.
# last -f btmp
who
The who command queries the wtmp file and reports each user currently logged in. By default its output includes the user name, terminal type, login date, and remote host.
w
w displays more detailed information.
Log rotation
Why use log rotation?
All log files grow over time, so they must be cleaned up regularly to avoid wasting disk space unnecessarily. Rotation also shortens the time an administrator spends viewing logs, because opening a small file is far faster than opening a large one.
logrotate
Command format: logrotate [option] <configfile>
-d: shows the execution of the instructions in detail, to aid troubleshooting or understanding of the program's state.
-f: forces the file maintenance operation to start, even if logrotate decides it is not needed.
-m command: specifies the mail-sending program. The default is /usr/bin/mail.
-v: shows detailed information while the logs are rotated.
The default main configuration file of logrotate is /etc/logrotate.conf.
The files in the /etc/logrotate.d directory are included into the main configuration file /etc/logrotate.conf.
The basic format of each file is the same.
# cat /etc/logrotate.d/syslog
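The listing of /etc/logrotate.d/syslog is not reproduced above, so the following is an added example, not the page's or any distribution's file: it writes a constructed configuration in the same per-file format, then performs the rotation it describes by hand in a shell function, so the effect of "rotate 3", "compress" and "delaycompress" can be seen without a running syslogd or logrotate. The directory, file name, "create 0600 root root" mode and the postrotate command are illustrative; the directives themselves are standard logrotate directives.

```shell
#!/bin/sh
# Added example (not from the original page): a constructed logrotate.d-style
# configuration and a hand-rolled rotation with the same semantics.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir "$WORK/log"
LOG="$WORK/log/syslog"
CONF="$WORK/logrotate.conf"

# Constructed configuration; the path points at the temporary directory.
# "create 0600 root root" keeps the new log readable by root only, matching
# the permission rule for /var/log above.
cat > "$CONF" <<EOF
$LOG {
    weekly
    rotate 3
    compress
    delaycompress
    missingok
    notifempty
    create 0600 root root
    postrotate
        /bin/kill -HUP \$(cat /var/run/syslogd.pid 2>/dev/null) 2>/dev/null || true
    endscript
}
EOF

# rotate_count CONF -> the number after the "rotate" directive
rotate_count() {
    awk '$1 == "rotate" { print $2 }' "$1"
}

# rotate_log FILE COUNT -> shift FILE.1 .. FILE.COUNT along by one, compress
# the generation that just became .2 (delaycompress leaves .1 uncompressed so a
# daemon still writing to it loses nothing), move FILE to FILE.1 and create a
# new empty FILE. The oldest generation beyond COUNT is deleted.
rotate_log() {
    f=$1; n=$2
    rm -f "$f.$n" "$f.$n.gz"            # the oldest generation falls off
    i=$n
    while [ "$i" -gt 1 ]; do
        p=$((i - 1))
        if [ -f "$f.$p.gz" ]; then mv "$f.$p.gz" "$f.$i.gz"; fi
        if [ -f "$f.$p" ]; then mv "$f.$p" "$f.$i"; fi
        i=$p
    done
    if [ -f "$f.2" ]; then gzip -f "$f.2"; fi   # compress, one rotation late
    if [ -f "$f" ]; then mv "$f" "$f.1"; fi
    : > "$f"                            # "create": a fresh, empty current log
}

# generations DIR -> the files present, space separated, in name order
generations() {
    ls "$1" | sort | tr '\n' ' ' | sed 's/ $//'
}

# Simulate four rotation periods, each with one period's worth of messages.
for day in a b c d; do
    echo "messages from day $day" >> "$LOG"
    rotate_log "$LOG" "$(rotate_count "$CONF")"
done
generations "$WORK/log"         # syslog syslog.1 syslog.2.gz syslog.3.gz
gzip -dc "$LOG.3.gz"            # messages from day b
```

After four rotations with rotate 3, day a has been discarded, day b is the oldest surviving generation (compressed), and syslog.1 is still plain text, which is why logrotate -d on a real configuration reports the same three generations and nothing older.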