We all know that the operating system generates logs to help the administrator troubleshoot every part of the system. By default, however, the daily system logs are not classified, which makes it inconvenient to sort through them when troubleshooting. So I spent some time learning about syslog, and what follows is a summary of how to configure log classification.
Syslog configuration in Linux
1. syslog.conf configuration instructions
A configuration record in the /etc/syslog.conf file consists of a "selector" and an "action", separated by tabs. The selector is made up of one or more fields in the format "type.level"; multiple fields are separated by semicolons.
The "type" in the reserved field indicates the source of information generation, which can be:
Kern information generated by the kernel;
Information generated by user processes. For information generated by programs or tools not listed here, the default type is "user ";
Information generated by the mail system;
Daemon system daemon information, such as in. ftpd and telnetd; auth information generated during identity authentication by login, su, and getty; s
Yslog information generated by syslogd itself;
The lpr line prints the spooling system information;
News USENET information of the network news system;
Uucp UUCP system information;
Cron and at tool information;
The local0-7 is reserved for local use;
Timestamp information generated inside mark syslogd;
* All types except mark (this symbol cannot represent all levels ).
The "level" in the reserved field indicates the importance of the information, which can be:
Emerg is in the Panic status. Generally, it should be broadcast to all users;
Alert. The current status must be corrected immediately. For example, the system database crashes;
Crit critical status warning. For example, hardware faults;
Other err errors;
Warning;
Notice Note: Non-error reports, but should be specially handled;
Info notification information; debugging program information;
None is usually used for program debugging, indicating that information generated with the none level does not need to be sent.
For example, *. debug; mail. none indicates that all information except the mail information is sent during debugging.
The "action" field indicates the destination of the message and can be one of:
/filename: a log file, given as an absolute path. The file must exist beforehand;
@host: a remote host;
user1,user2: the named users; if a named user is logged in, that user receives the message;
*: all users; every logged-in user receives the message.
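To see how the selector rules above combine, here is an added example (not from the original page) that implements the classic syslog.conf selector semantics: a bare level selects that level and everything more severe, "=level" selects exactly that level, "!level" and "none" remove levels, and ";"-separated fields are applied left to right, with "*" as a type covering every facility except mark.

```python
# Added example (not from the original page): a matcher for the classic
# syslog.conf selector syntax described above.  A bare level means that level
# and everything more severe, "=lvl" means exactly that level, "!lvl" and
# "none" remove levels, and ";"-separated fields are applied left to right.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "mark"] + [f"local{i}" for i in range(8)]
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def selector_mask(selector):
    """Return {facility: set of levels} that the selector delivers."""
    mask = {f: set() for f in FACILITIES}
    for field in selector.split(";"):
        facs, _, lvl = field.strip().rpartition(".")
        if not facs or not lvl:
            raise ValueError(f"bad selector field: {field!r}")
        negate, exact = lvl.startswith("!"), "=" in lvl
        lvl = lvl.lstrip("!=")
        if lvl == "none":              # e.g. mail.none: drop this facility entirely
            affected, negate = set(LEVELS), True
        elif lvl == "*":
            affected = set(LEVELS)
        elif lvl in LEVELS:
            affected = {lvl} if exact else set(LEVELS[:LEVELS.index(lvl) + 1])
        else:
            raise ValueError(f"unknown level: {lvl!r}")
        # "*" as a type covers every facility except mark, as noted above
        targets = [f for f in FACILITIES if f != "mark"] if facs == "*" else facs.split(",")
        for fac in targets:
            if fac not in mask:
                raise ValueError(f"unknown facility: {fac!r}")
            if negate:
                mask[fac] -= affected
            else:
                mask[fac] |= affected
    return mask

def matches(selector, facility, level):
    """True if a message tagged facility.level is captured by the selector."""
    return level in selector_mask(selector)[facility]
```

Calling matches("*.debug;mail.none", "mail", "emerg") returns False while the same selector captures kern messages at every level, which is the behaviour the page's example describes.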
2. Starting or stopping the syslog service
The syslogd process is started by /etc/rc2.d/S74syslog at system boot. To start or stop syslogd manually, run the following commands:
(Solaris/Linux platform)
Start: # /etc/init.d/syslog start
Stop:  # /etc/init.d/syslog stop
(HP-UX platform)
Start: # /sbin/init.d/syslog start
Stop:  # /sbin/init.d/syslog stop
(AIX platform)
Start: # startsrc -s syslogd
(CentOS 6)
Start: # /etc/init.d/rsyslog start
Stop:  # /etc/init.d/rsyslog stop
3. Log dumping
Sections 1 and 2 described how to configure log classification. What is the most critical part, the log dump function? Simply put, we do not want our logs to grow without limit, so we split them on a schedule we set; this lets us classify logs by time and makes retrieval easier.
Logrotate
The logrotate program is a log file management tool: it removes old log files and creates new ones, a process we call a "dump" (more commonly, rotation). Logs can be dumped based on the file size or on a number of days. The process is normally run by cron.
logrotate can also compress log files and mail them to a specified address.
The logrotate configuration file is /etc/logrotate.conf. The main parameters are as follows:
Parameter: Function
compress: compress the dumped log with gzip
nocompress: do not compress the dumped log
copytruncate: back up and then truncate the current log file, for logs that are still held open
nocopytruncate: back up the log file but do not truncate it
create mode owner group: after dumping, create a new log file with the given mode, owner and group
nocreate: do not create a new log file
delaycompress: when used together with compress, the dumped log file is compressed only at the next dump
nodelaycompress: overrides delaycompress; the log is compressed at the time of the dump
errors address: send error messages to the given email address
ifempty: dump even if the log file is empty (this is the logrotate default)
notifempty: do not dump if the log file is empty
mail address: send the dumped log file to the given email address
nomail: do not mail the dumped log file
olddir directory: place dumped log files in the given directory, which must be on the same file system as the current log
noolddir: place dumped log files in the same directory as the current log
prerotate/endscript: commands placed between this pair are run before the dump; each keyword must be on its own line
postrotate/endscript: commands placed between this pair are run after the dump; each keyword must be on its own line
daily: dump daily
weekly: dump weekly
monthly: dump monthly
rotate count: number of dumps kept before the log file is deleted; 0 means no backups, 5 means five backups are kept
tabooext [+] list: prevent logrotate from dumping files with the given extensions; the default list is .rpmorig, .rpmsave, ,v and ~
size: dump the log file only when it reaches the given size; size may be given in bytes (default), kilobytes (k) or megabytes (M)
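The parameters above are easy to combine in ways that quietly do nothing, for instance delaycompress without compress, or create next to copytruncate. The following added example (not from the original page) parses the logrotate configuration format, including prerotate/postrotate bodies and the global-then-per-file override order, and reports those two combinations; the sample configuration and its file paths are constructed for this example.

```python
# Added example (not from the original page): a parser for the logrotate config
# format in the table above, plus a lint for two ineffective combinations.
SAMPLE_CONFIG = """\
create
/var/log/mail.log /var/log/auth.log {
    compress
    delaycompress
    postrotate
        /etc/init.d/syslog restart
    endscript
}
/var/log/cron.log {
    size 10M
    delaycompress
    copytruncate
}
"""

def parse_logrotate(text):
    """Return (global_opts, blocks); a block is (paths, directives), bodies as (keyword, [lines])."""
    global_opts, blocks, current, script = [], [], None, None
    for line in (l for l in map(str.strip, text.splitlines()) if l and not l.startswith("#")):
        if script is not None:                # inside a pre/postrotate body
            if line != "endscript":
                script[1].append(line)
            else:
                current[1].append(script); script = None
        elif line.endswith("{"):
            current = (line[:-1].split(), [])
        elif line == "}":
            blocks.append(current); current = None
        elif line in ("prerotate", "postrotate"):
            script = (line, [])
        else:
            kw, _, arg = line.partition(" ")
            (current[1] if current else global_opts).append((kw, arg.strip()))
    return global_opts, blocks

def lint(text):
    """Block settings override globals; the last compress/nocompress wins."""
    global_opts, blocks = parse_logrotate(text)
    problems = []
    for paths, directives in blocks:
        kws = [k for k, _ in global_opts + directives]
        mode = next((k for k in reversed(kws) if k in ("compress", "nocompress")), None)
        if "delaycompress" in kws and mode != "compress":
            problems.append(f"{paths[0]}: delaycompress has no effect without compress")
        if "copytruncate" in kws and "create" in kws:
            problems.append(f"{paths[0]}: create has no effect with copytruncate")
    return problems
```

On the sample, lint(SAMPLE_CONFIG) flags only the /var/log/cron.log block, because the global create is inherited there and no compress is in effect.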