RHCE series (V): How to manage system logs (configuration, rotation, and import to a database) in RHEL 7


To ensure the security of your RHEL 7 system, you need to view log files to monitor all activities in the system. In this way, you can detect any abnormal or potentially damaging activities and troubleshoot system faults or perform other appropriate operations.

RHCE test-Part 5: Use Rsyslog and Logrotate to manage system logs

In RHEL 7, the rsyslogd daemon is responsible for system logging. It reads its configuration from /etc/rsyslog.conf (which specifies the default locations of all system logs) and from any files in /etc/rsyslog.d.

 

Rsyslogd Configuration

A quick look at rsyslog.conf is a good start. This file is divided into three main parts: modules (rsyslog is modular), global directives (which set global properties of the rsyslogd daemon), and rules. As you may guess, the last part specifies what gets logged and where it is saved (also known as selectors), and it is the focus of this article.

A typical line in rsyslog.conf looks as follows:

[Figure: Rsyslogd Configuration]

In the preceding figure, we can see that a selector consists of one or more "facility.priority" pairs separated by semicolons. The facility describes the type of message source (see section 4.1.1 of RFC 3164 for the complete list of facilities available to rsyslog), and the priority indicates its severity, which may be one of the following:

  • Debug
  • Info
  • Notice
  • Warning
  • Err
  • Crit
  • Alert
  • Emerg

The keyword none is not a priority; it means that no messages from the specified facility are to be logged at all.

Note: Specifying a priority means that messages of that priority and above are logged. Therefore, the line in the preceding example tells the rsyslogd daemon to record all messages of priority info and above (regardless of facility) to /var/log/messages, except messages belonging to the mail, authpriv, and cron facilities (messages from these facilities are ignored).

You can also use commas to group several facilities together and apply the same priority to all facilities in the group. For example, the following line:

  *.info;mail.none;authpriv.none;cron.none /var/log/messages

can also be written as:

  *.info;mail,authpriv,cron.none /var/log/messages

In other words, mail, authpriv, and cron are grouped together, with the keyword none applied to all three.

 

Create a custom log file

To record all messages from the daemon facility to /var/log/tecmint.log, add the following line to /etc/rsyslog.conf or, for easier management, to a separate file in the /etc/rsyslog.d directory:

  daemon.*    /var/log/tecmint.log

Then restart the daemon (note that the service name does not end with d):

  # systemctl restart rsyslog

Compare the contents of the custom log file before and after restarting two daemons:

[Figure: Create a custom log file]

As a self-learning exercise, I suggest you focus on devices and priorities, add additional messages to existing log files, or create a new log file as above.
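As an added example (not part of the original article), the following Python script simulates how rsyslog evaluates the facility.priority selectors discussed above, using the /var/log/messages line and the custom daemon.* line as a constructed rule set; the "=" and "!" priority modifiers that rsyslog also accepts are deliberately not handled.

```python
# Added example, not from the original article: a small simulator of
# rsyslog-style "facility.priority  target" rules (plain selectors only).
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
LEVEL = {name: n for n, name in enumerate(PRIORITIES)}


def parse_rule(line):
    """Split 'selector  target' into [(facilities, priority), ...] and the target.
    A priority of '*' selects everything, i.e. debug and above."""
    selector, target = line.split()
    pairs = []
    for part in selector.split(";"):
        facilities, priority = part.rsplit(".", 1)
        priority = "debug" if priority == "*" else priority.lower()
        pairs.append((facilities.split(","), priority))
    return pairs, target


def rule_matches(pairs, facility, priority):
    """Entries are applied left to right and the last one naming the facility
    wins, which is why 'mail.none' after '*.info' silences mail messages."""
    threshold = None
    for facilities, pri in pairs:
        if "*" in facilities or facility in facilities:
            threshold = pri
    if threshold is None or threshold == "none":
        return False
    # A priority selects that level and everything more severe.
    return LEVEL[priority] >= LEVEL[threshold]


def route(rules, facility, priority):
    """Return the targets that would receive a message of this facility/priority."""
    targets = []
    for line in rules:
        pairs, target = parse_rule(line)
        if rule_matches(pairs, facility, priority):
            targets.append(target)
    return targets


# Constructed rule set: the article's /var/log/messages line (comma-grouped
# form) plus the custom daemon.* line from this section.
RULES = [
    "*.info;mail,authpriv,cron.none  /var/log/messages",
    "daemon.*                        /var/log/tecmint.log",
]

if __name__ == "__main__":
    for fac, pri in [("daemon", "err"), ("daemon", "debug"), ("mail", "crit"), ("kern", "info")]:
        print(f"{fac}.{pri:8} -> {route(RULES, fac, pri) or 'dropped'}")
```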

 

Use Logrotate to rotate logs

To prevent log files from growing without limit, the logrotate tool is used to rotate, compress, remove, or mail logs. This makes it easier to administer systems that generate a large number of log files. (Note: rotation is the automated process in system administration by which the log files generated each day are archived.)

Logrotate runs daily as a cron job (/etc/cron.daily/logrotate) and reads its configuration from /etc/logrotate.conf and the files in /etc/logrotate.d.

As with rsyslog, although you could include the settings for each service in the master file, creating a separate configuration file per service keeps the settings better organized.

Let's look at a typical logrotate.conf:

[Figure: Logrotate Configuration]

In the preceding example, logrotate performs the following operations for /var/log/wtmp: it attempts to rotate the file once a month, but only if the file is larger than 1 MB, and it creates a new log file with permissions 0664, owner root, and group utmp. Next, only one archived log is kept, as specified by the rotate directive:

[Figure: Monthly Logrotate log]

Let's take a look at another example, in /etc/logrotate.d/httpd:

[Figure: Rotate Apache Log Files]

You can read more about its settings in the logrotate man pages (man logrotate and man logrotate.conf). For convenience, this article also provides both in PDF format.

As a system engineer, it will most likely be up to you to decide how long logs are kept, depending on whether /var is on a separate partition or logical volume. Otherwise, you really need to consider deleting old logs to save storage space. On the other hand, your company's and customers' internal policies may require you to keep logs for future security audits.

 

Save logs to the database

Of course, checking logs can be a very tedious task (even with the help of tools such as grep and regular expressions). For this reason, rsyslog allows us to export them to a database (the relational database management systems supported out of the box include MySQL, MariaDB, PostgreSQL, and Oracle).

This part of the Guide assumes that you have installed the MariaDB server and client on RHEL 7 for log management:

  # yum update && yum install mariadb mariadb-server mariadb-client rsyslog-mysql
  # systemctl enable mariadb && systemctl start mariadb

Then use the mysql_secure_installation tool to set a password for the root user and take care of other security settings:

[Figure: Ensure MySQL database security]

Note: If you do not want to use the MariaDB root user to insert log messages into the database, you can configure another user account. Explaining how to do so is beyond the scope of this article, but the MariaDB Knowledge Base covers it in detail. In this guide, we will use the root account.

Next, download the createDB.sql script from GitHub and import it into your database server:

  # mysql -u root -p < createDB.sql

[Figure: Save server logs to the database]

Finally, add the following lines to /etc/rsyslog.conf:

  $ModLoad ommysql
  $ActionOmmysqlServerPort 3306
  *.*:ommysql:localhost,Syslog,root,YourPasswordHere

Restart rsyslog and the database server:

  # systemctl restart rsyslog
  # systemctl restart mariadb

 

Query logs using SQL syntax

Now execute some operations that will change the log (such as stopping and starting the service), then log on to your database server and use standard SQL commands to display and query logs:

  USE Syslog;
  SELECT ReceivedAt, Message FROM SystemEvents;

[Figure: Query logs in the database]

 

Summary

This article describes how to set system logs, rotate logs, and redirect messages to the database to simplify queries. We hope these skills will help you prepare for the RHCE examination and daily work.

As usual, we welcome your feedback. Contact us using the form below.

Via: http://www.tecmint.com/manage-linux-system-logs-using-rsyslogd-and-logrotate/

Author: Gabriel Cánepa Translator: ictlyh Proofreader: wxy

This article was originally translated by LCTT and proudly presented by Linux China.

This article's permanent link: http://www.linuxidc.com/Linux/2015-11/124867.htm
