14th. Log Management

14.1 Log Management - Introduction

1. The log service

In CentOS 6.x the log service has changed: rsyslogd has replaced the original syslogd service. rsyslogd is more advanced and has more features. Whichever service is used, however, the format of the log files is compatible with syslogd, so the basics learned here apply to the syslogd service as well.

New features of rsyslogd:
- transfers log messages over the TCP network protocol;
- a more secure method of network transmission;
- a framework for analysing log messages in real time;
- backend database support;
- the configuration file can contain simple logical conditions;
- compatible with syslog configuration files.

Confirm that the service is running:

  # ps aux | grep rsyslogd            # check whether the service is running
  # chkconfig --list | grep rsyslog   # check whether it starts at boot (note: no trailing "d" here); enabled by default, like crond

2. Common logs

Log file: description
/var/log/cron: records logs related to the system's scheduled tasks.
/var/log/cups/: records printing information.
/var/log/dmesg: records the kernel's self-test information at boot time. The dmesg command can also be used to view the kernel self-test information directly.
/var/log/btmp: records failed logins. This is a binary file that cannot be viewed with vi; use the lastb command instead:

  # lastb
  root     tty1     Tue Jun  4 22:38 - 22:38  (00:00)   # someone failed to log in as root on local terminal 1 at 22:38 on 4 June

/var/log/lastlog: records the last login time of every user in the system. Also a binary file; view it with the lastlog command rather than vi.
/var/log/maillog: records mail information.
/var/log/messages: records important system information. Most of the important messages of the Linux system go to this file; when the system has a problem, this is the first log to check.
/var/log/secure: records authentication and authorization information; any program that asks for an account and password is logged here. For example, system logins, ssh logins, su user switches, sudo authorizations, and even adding a user or changing a user's password are recorded in this file.
/var/log/wtmp: records the login and logout of all users, as well as system startup, restart and shutdown events. Also a binary file that cannot be viewed with vi; use the last command.
/var/run/utmp: records the users currently logged in. This file changes as users log in and out and only holds the currently logged-in users. Likewise it cannot be viewed with vi; query it with commands such as w, who and users.

Besides the system's default logs, services installed from RPM packages also log under the /var/log/ directory by default (a service installed from a source package logs to the directory the source package specifies). These logs, however, are not written or managed by the rsyslogd service: each service manages its own log files.

Log file: description
/var/log/httpd/: default log directory of the Apache service installed from an RPM package
/var/log/mail/: additional log directory of the mail service installed from an RPM package
/var/log/samba/: log directory of the Samba service installed from an RPM package
/var/log/sssd/: log directory of the System Security Services Daemon (sssd)

14.2 Log Management - The rsyslogd Service

1. Log file format

The basic log format has the following four columns:
- the time the event occurred;
- the hostname of the server on which the event occurred;
- the name of the service or program that generated the event;
- the specific message of the event.

2. The /etc/rsyslog.conf configuration file

  authpriv.*    /var/log/secure
  # service name.[connector]log level    log location
  # authentication-related services; all log levels are recorded in /var/log/secure
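As an added example (not code from the original page), the following script splits constructed /var/log/secure lines into the four columns described above and counts failed ssh password attempts per account, the kind of check an administrator runs on this file; the sample lines, hostname and addresses are made up.

```shell
#!/bin/sh
# Added example, not from the original page: parse the four-column rsyslog format
# (time, host, program, message) and summarise failed ssh logins from /var/log/secure.

# Constructed sample of /var/log/secure content (hostname and addresses are made up).
SAMPLE_SECURE=$(cat <<'EOF'
Jun  4 22:38:01 localhost sshd[1234]: Failed password for root from 192.0.2.10 port 5555 ssh2
Jun  4 22:38:05 localhost sshd[1234]: Failed password for root from 192.0.2.10 port 5556 ssh2
Jun  4 22:39:10 localhost sshd[1240]: Accepted password for alice from 192.0.2.20 port 5600 ssh2
Jun  4 22:40:00 localhost su: pam_unix(su:session): session opened for user root by alice(uid=500)
Jun  4 22:41:12 localhost sshd[1250]: Failed password for invalid user admin from 192.0.2.30 port 5700 ssh2
EOF
)

# parse_log_line LINE: print "time|host|program|message". The program column has
# its "[pid]:" decoration removed. Runs in a subshell so "set -f" stays local.
parse_log_line() (
    set -f                      # no globbing while the line is word-split
    set -- $1                   # $1..$3 time, $4 host, $5 program, rest message
    time="$1 $2 $3"; host=$4
    prog=${5%%:*}; prog=${prog%%\[*}
    shift 5
    printf '%s|%s|%s|%s\n' "$time" "$host" "$prog" "$*"
)

# failed_logins LOGTEXT: count sshd "Failed password" events per target account,
# printed as "user=count" pairs sorted by user name.
failed_logins() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        parsed=$(parse_log_line "$line")
        case "$parsed" in
            *"|sshd|Failed password for "*)
                user=${parsed#*"|sshd|Failed password for "}
                user=${user#invalid user }     # sshd marks unknown accounts this way
                printf '%s\n' "${user%% *}"
                ;;
        esac
    done | sort | uniq -c | awk '{ printf "%s%s=%s", sep, $2, $1; sep = " " } END { print "" }'
}
```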
Service names:
auth: security and authentication related messages (not recommended; use authpriv instead)
authpriv: security and authentication related messages (private)
cron: logs generated by the system scheduled-task services cron and at
daemon: logs related to the various daemons
ftp: logs generated by the FTP daemon
kern: logs generated by the kernel (not by user processes)
local0-local7: reserved for locally used services
lpr: logs generated by printing
mail: mail information
news: news server related logs
syslog: log messages generated by the syslogd service itself (although the service has been renamed rsyslogd, much of the configuration still uses syslogd, so the name is not changed here)
user: user-level log messages
uucp: log messages of the UUCP subsystem; UUCP is the protocol used for data transfer on early Linux systems and is often used by newsgroup services

Connectors:
The connector can be one of the following:
- "*" stands for all log levels. For example, "authpriv.*" records logs of all levels generated by the authpriv authentication service.
- "." records logs at the given level and above (the level itself included). For example, "cron.info" records logs generated by the cron service whose level is info or higher.
- ".=" records only logs of exactly the given level and none of the others. For example, "*.=emerg" records logs generated by any service only if their level is emerg. This usage is rare; it is enough to understand it.
- ".!" means "not equal": logs of every level except the given one are recorded.
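As an added example, not from the original page, this function applies the connectors described above to decide whether a message with a given facility and level is selected, ranking the eight standard levels from debug (lowest) to emerg (highest). Note that syslog.conf(5) spells the not-equal form as "!=" and treats a bare "!" as excluding the named level and everything above it, so both spellings are handled.

```shell
#!/bin/sh
# Added example, not from the original page: evaluate an rsyslog selector such as
# "authpriv.*", "cron.info", "*.=emerg" or "mail.!=info" against one message.

# level_rank NAME: numeric rank of a log level, debug=0 .. emerg=7, -1 if unknown.
level_rank() {
    case "$1" in
        debug) echo 0 ;;     info) echo 1 ;;  notice) echo 2 ;; warning|warn) echo 3 ;;
        err|error) echo 4 ;; crit) echo 5 ;;  alert) echo 6 ;;  emerg|panic) echo 7 ;;
        *) printf '%s\n' -1 ;;
    esac
}

# selector_matches SELECTOR FACILITY LEVEL: exit 0 when a rule with SELECTOR
# would record a message of that facility and level, 1 otherwise.
selector_matches() {
    sel=$1; fac=$2; lvl=$3
    case "$sel" in *.*) ;; *) return 1 ;; esac   # a selector is always facility.level
    sel_fac=${sel%%.*}      # part before the first "."
    sel_lvl=${sel#*.}       # part after it, possibly prefixed with "=", "!=" or "!"
    # Facility: "*" is every facility, otherwise the name must match exactly.
    [ "$sel_fac" = "*" ] || [ "$sel_fac" = "$fac" ] || return 1
    msg_rank=$(level_rank "$lvl")
    [ "$msg_rank" -ge 0 ] || return 1
    case "$sel_lvl" in
        '*')  return 0 ;;                                              # every level
        =*)   [ "$msg_rank" -eq "$(level_rank "${sel_lvl#?}")" ] ;;    # exactly this level
        !=*)  [ "$msg_rank" -ne "$(level_rank "${sel_lvl#??}")" ] ;;   # every level but this one
        !*)   [ "$msg_rank" -lt "$(level_rank "${sel_lvl#?}")" ] ;;    # below this level (syslog.conf(5) "!")
        *)    [ "$msg_rank" -ge "$(level_rank "$sel_lvl")" ] ;;        # this level and above
    esac
}
```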
Log levels:
debug: general debugging information
info: basic notification information
notice: general information that nevertheless has a certain importance
warning: warning information, but the service or system continues to operate
err: error messages; at the err level the operation of the service or system can be affected
crit: critical condition, more severe than err
alert: alert condition, more severe than crit; action must be taken immediately
emerg: panic level; the system is no longer usable

Log locations:
- the absolute path of a log file, such as "/var/log/secure"
- a system device file, such as "/dev/lp0"
- forwarding to a remote host, such as "@192.168.0.210:514"
- a username, such as "root" ("*" sends to every logged-in user)
- ignore or discard the log, written as "~"

14.3 Log Management - Log Rotation

Software installed from an RPM package is automatically added to the logrotate configuration, so its logs are rotated. Software installed from a source package must be added by hand; Apache in particular must have log rotation, otherwise its log files grow very large.

1. Naming rules for log files
- If the configuration file contains the "dateext" parameter, the log uses the date as its suffix, such as "secure-20130605". The log file names then never overlap, so there is no need to rename them: just keep the specified number of logs and delete the extra ones.
- If the "dateext" parameter is not in the configuration file, the log files have to be renamed. On the first rotation the current "secure" log is renamed "secure.1" and a new "secure" log is created to hold new entries. On the second rotation "secure.1" is renamed "secure.2", the current "secure" is renamed "secure.1", and a new "secure" log is created again, and so on.
2. logrotate configuration parameters
daily: the log is rotated daily
weekly: the log is rotated weekly
monthly: the log is rotated monthly
rotate number: the number of rotated log files to keep; 0 means no backup
compress: old logs are compressed when the log is rotated
create mode owner group: create the new log with the given permissions, owner and group, such as "create 0600 root utmp"
mail address: when the log is rotated, the output is mailed to the given address, such as "mail <address>"
missingok: if the log does not exist, ignore the warning about it
notifempty: if the log is an empty file, do not rotate it
minsize size: the minimum size for rotation; the log must reach this size before it is rotated, even if the time condition is met
size size: rotate only when the log exceeds the given size, regardless of time, such as "size 100k"
dateext: use the date as the suffix of the rotated file, such as "secure-20130605"

3. Adding Apache logs to the rotation

  # vi /etc/logrotate.conf
  /usr/local/apache2/logs/access_log {
      daily
      create
      rotate 30     # keep 30 rotated logs (the count on this page was lost in extraction; 30 is an assumed value)
  }

4. The logrotate command

  # logrotate [options] configfile
  Options:
    (none): rotate the logs according to the conditions in the configuration file
    -v: display the rotation process
    -f: force a rotation of all logs in the configuration file, whether or not the rotation conditions have been met
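The following is an added example, not from the original page: it reproduces the two naming schemes described under "Naming rules for log files" on throw-away files, so the effect of "rotate N" with and without "dateext" can be checked without touching /var/log; the directory, log name, count and date are supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original page: simulate logrotate's numbered and
# dateext naming on files in a scratch directory.

# rotate_numbered DIR NAME COUNT: NAME.COUNT is dropped, NAME.1 .. NAME.(COUNT-1)
# move up by one, NAME becomes NAME.1 and an empty NAME is created ("create").
rotate_numbered() {
    dir=$1; name=$2; count=$3
    rm -f "$dir/$name.$count"
    i=$count
    while [ "$i" -gt 1 ]; do            # shift the oldest first so nothing is overwritten
        prev=$((i - 1))
        if [ -f "$dir/$name.$prev" ]; then mv "$dir/$name.$prev" "$dir/$name.$i"; fi
        i=$prev
    done
    if [ -f "$dir/$name" ]; then mv "$dir/$name" "$dir/$name.1"; fi
    : > "$dir/$name"
}

# rotate_dateext DIR NAME COUNT DATE: NAME becomes NAME-DATE (DATE as YYYYMMDD);
# no renaming chain is needed, only dated copies beyond COUNT are removed, oldest first.
rotate_dateext() {
    dir=$1; name=$2; count=$3; date=$4
    if [ -f "$dir/$name" ]; then mv "$dir/$name" "$dir/$name-$date"; fi
    : > "$dir/$name"
    dated=$(ls "$dir" | grep "^$name-[0-9]\{8\}$" | sort)   # YYYYMMDD names sort oldest first
    total=$(printf '%s\n' "$dated" | grep -c . || true)
    surplus=$((total - count))
    if [ "$surplus" -gt 0 ]; then
        printf '%s\n' "$dated" | head -n "$surplus" | while IFS= read -r old; do
            rm -f "$dir/$old"
        done
    fi
}

# list_logs DIR: the directory contents on one line, for checking results.
list_logs() { ls "$1" | sort | awk '{ printf "%s%s", sep, $0; sep = " " } END { print "" }'; }
```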
Linux Learning 14th Log Management