Tags: linux, system, system log
1. System log default classification
/var/log/messages ## System services and logs, including service information, errors, etc.
/var/log/secure ## System authentication information log
/var/log/maillog ## System mail service information
/var/log/cron ## System scheduled task information
/var/log/boot.log ## System boot information
2. Log management service rsyslog
rsyslog is responsible for collecting logs and storing them by category.
vim /etc/rsyslog.conf ## Main configuration file
Configuration content:
<service>.<log level> <storage file>
*.* /var/log/westos
systemctl restart rsyslog
3. Log synchronization
(1) systemctl stop firewalld ## Stop the firewall on both hosts
(2) vim /etc/rsyslog.conf ## Main configuration file
Configure the log sender:
*.* @172.25.0.11 ## Send all logs to host .11 over UDP
## @ = udp, @@ = tcp
Configure the log receiver:
15 $ModLoad imudp ## Log receiving module
16 $UDPServerRun 514 ## Port the receiving module listens on
(3) systemctl restart rsyslog
(4) netstat -anulpe | grep rsyslog (on the log receiver)
(5) Test
> /var/log/messages ## Truncate the log on both sides
logger test ## On the log sender
tail -f /var/log/messages ## On the log receiver
4. Log collection format
$template WESTOS,"%timegenerated% %FROMHOST-IP% %syslogtag% %msg%\n"
%timegenerated% ## Time the log was generated
%FROMHOST-IP% ## IP address of the sending host
%syslogtag% ## Logging tag (the program that produced the message)
%msg% ## Log content
\n ## Newline
*.info;mail.none;authpriv.none;cron.none /var/log/messages;WESTOS
5. Log analysis tool journalctl
(1) systemd-journald ## Process name
journalctl ## Run directly to browse the system log
-n 3 ## Show the latest 3 entries
-p err ## Show entries of priority err and above
-f ## Follow the log as new entries arrive (like tail -f)
--since --until ## --since "[YYYY-MM-DD] [hh:mm:ss]" logs from when to when
-o verbose ## Show every field of each entry in full; these fields can be used as journalctl filters
(2) Management of systemd-journald
## By default the journal is kept in memory only and is discarded on reboot; to keep it persistently:
mkdir /var/log/journal
chown root:systemd-journal /var/log/journal
chmod 2755 /var/log/journal
killall -1 systemd-journald
ls /var/log/journal/4513ad59a3b442ffa4b7ea88343fa55f
system.journal user-1000.journal
6. Time synchronization
(1) Server
yum install chrony -y ## Install the service
vim /etc/chrony.conf ## Main configuration file
21 # Allow NTP client access from local network.
22 allow 172.25.0.0/24 ## Which clients are allowed to sync time from me
27 # Serve time even if not synchronized to any NTP server.
28 local stratum 10 ## Serve the local clock without syncing to anyone; stratum level of this time server
systemctl restart chronyd
systemctl stop firewalld
(2) Client
vim /etc/chrony.conf
3 server 0.rhel.pool.ntp.org iburst
4 server 1.rhel.pool.ntp.org iburst ====> replace these with: server <ntp server ip> iburst
5 server 2.rhel.pool.ntp.org iburst
6 server 3.rhel.pool.ntp.org iburst
systemctl restart chronyd
Test:
[[email protected] ~]# chronyc sources -v
210 Number of sources = 1
  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current synced, '+' = combined, '-' = not combined,
| /   '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||                                                 |  xxxx = adjusted offset,
||      Log2(Polling interval) --.                 |  yyyy = measured offset,
||                                \                |  zzzz = estimated error.
||                                 |               |
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 172.25.0.11                  10   6   377    41   +170us[ +201us] +/-  191us
7. timedatectl command
timedatectl status ## Show current time information
timedatectl set-time ## Set the current time
timedatectl set-timezone ## Set the current time zone
timedatectl set-local-rtc 0|1 ## Set whether the hardware clock uses local time (1) or UTC (0)
8. rsyslog log classification
vim /etc/rsyslog.conf ## Main configuration file
Configuration content:
<service>.<log level> <storage file>
*.* /var/log/westos
systemctl restart rsyslog
### Format ###
Log device (type) . (connector) Log level    Log handling method (action)
#### Log device (can be understood as the log type) ####
auth ## Logs generated by PAM
authpriv ## Authentication information of ssh, ftp and other logins
cron ## Scheduled task related
kern ## Kernel
lpr ## Printing
mail ## Mail
mark (syslog)/rsyslog ## Internal service information, time marks
news ## Newsgroups
user ## Information generated by user programs
uucp ## unix to unix copy, communication between unix hosts
local1 ~ local7 ## Custom log devices
#### Log level ####
----------------------------------------------------------------------
debug ## Includes debug information; the most verbose
info ## General information; the most commonly used level
notice ## Important general information
warning ## Warning level
err ## Error level: something prevents a function or module from working properly
crit ## Critical level: something prevents the whole system or the whole program from working properly
alert ## Information that requires immediate action
emerg ## Kernel crash and other fatal conditions
none ## Record nothing
## Note: from top to bottom the levels go from low to high, and less and less information is recorded
## See the manual for details: man 3 syslog
#### Connector ####
----------------------------------------------------------------------
.xxx: information of level xxx and higher
.=xxx: information of exactly level xxx
.!xxx: information of levels other than xxx (negation)
#### Examples ####
1. Record to an ordinary file or a device file:
*.* /var/log/file.log # absolute path
*.* /dev/pts/0
Test: logger -p local3.info 'KadeFor is testing the rsyslog and logger' ## The logger command is used to generate log messages
2. Send to users' terminals (the user must be logged in to receive it)
*.* root
*.* root,kadefor,up01 # Separate multiple users with commas
*.* * # * means all logged-in users
3. Ignore and discard
local3.* ~ # discard local3 logs of all levels
4. Execute a script:
local3.* ^/tmp/a.sh # ^ followed by the absolute path of an executable script or program
# The log content is passed to the script as its first parameter.
# Can be used to trigger an alarm
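To check what the selector syntax above actually lets through (for example why the `*.info;mail.none;authpriv.none;cron.none` line in section 4 does not put mail messages in /var/log/messages), here is an added example, not code from the original post, that evaluates a classic rsyslog/sysklogd selector list against one message. It assumes sysklogd semantics: selectors apply left to right, a later selector overrides earlier ones for the facilities it names, `.x` means x and above, `.=x` exactly x, `.!x` everything below x, and `.!=x` everything except x.

```shell
#!/bin/sh
# Added example (not from the original post): evaluate a classic rsyslog/sysklogd
# selector list such as "*.info;mail.none;authpriv.none;cron.none" against one
# message's facility and priority, printing yes/no for whether the rule catches it.

# Numeric rank of a priority keyword; higher is more severe, empty if unknown.
prio_rank() {
    case "$1" in
        debug) echo 0 ;;     info) echo 1 ;;  notice) echo 2 ;; warning|warn) echo 3 ;;
        err|error) echo 4 ;; crit) echo 5 ;;  alert) echo 6 ;;  emerg|panic) echo 7 ;;
        *) echo "" ;;
    esac
}

# selector_matches SELECTOR_LIST FACILITY PRIORITY  -> prints yes or no
selector_matches() {
    sel_list=$1; fac=$2; msg_rank=$(prio_rank "$3"); result=no
    [ -n "$msg_rank" ] || { echo no; return; }
    set -f; old_ifs=$IFS; IFS=';'                   # noglob: '*' is a literal here
    set -- $(printf '%s' "$sel_list" | tr -d ' '); IFS=$old_ifs   # one positional per selector
    for sel in "$@"; do
        facs=${sel%.*}; level=${sel##*.}; hit=no
        IFS=','
        for f in $facs; do                          # facility list, e.g. "auth,authpriv"
            [ "$f" = '*' ] || [ "$f" = "$fac" ] && hit=yes
        done; IFS=$old_ifs
        [ "$hit" = yes ] || continue                # this selector does not name our facility
        case "$level" in
            none) result=no;  continue ;;           # e.g. mail.none drops mail again
            '*')  result=yes; continue ;;
        esac
        op=${level%%[a-z]*}                         # "", "=", "!" or "!=" before the keyword
        lvl=$(prio_rank "${level#"$op"}")
        [ -n "$lvl" ] || { result=no; continue; }   # unknown priority keyword
        case "$op" in
            '')   [ "$msg_rank" -ge "$lvl" ] ;;
            '=')  [ "$msg_rank" -eq "$lvl" ] ;;
            '!')  [ "$msg_rank" -lt "$lvl" ] ;;
            '!=') [ "$msg_rank" -ne "$lvl" ] ;;
            *)    false ;;
        esac && result=yes || result=no             # later selectors override earlier ones
    done
    set +f; echo "$result"
}

# Demo: the rule line from the post that feeds /var/log/messages.
rule='*.info;mail.none;authpriv.none;cron.none'
for pair in kern.warning mail.err authpriv.info user.debug; do
    printf '%-14s -> %s\n' "$pair" "$(selector_matches "$rule" "${pair%.*}" "${pair#*.}")"
done
```

The demo prints yes only for kern.warning: mail and authpriv are removed by their `.none` selectors, and user.debug sits below the info threshold.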