In the management system, often encounter a variety of errors and anomalies. To find these errors and exceptions, you need a variety of logs to help locate the problem. Linux logs are stored in the/var/log folder below, the common log file has the following several;
/var/log/cron: Record whether the crontab schedule is running properly
/VAR/LOG/DMESG: The information generated during the kernel detection process at the beginning of the recording
/var/log/lastlog: You can record information about the last login system for all accounts on the system. This file cannot be read with the Cat command, but the Lastlog command can read the file
/var/log/maillog: Record mail-related information
/var/log/messages: Almost all system error messages are recorded in this file. This file is a must-see when the system has an inexplicable error
/var/log/secure: As long as it involves the software that needs to enter the account password, log in will be recorded in this file. such as the ssh,telnet of network online and other programs
/var/log/wtmp: Log The account information of the correct login system and the account information used in the login error
Here we use Lastlog to look at the format of the log: you can see the login user name, the use of the terminal has been logged on the date.
[Email protected]:/var/log# lastlog | grep root
Root tty1 Wed Jul 26 12:27:16 +0800 2017
So what is the level of service and who is it that needs to be recorded? This will use the Syslog configuration file. Some Linux systems are recorded in/etc/syslog.conf. But the config file in Ubuntun is in/etc/rsyslog.conf. Rsyslog.conf is used in the following format:
Format::
Log device (type). (connection symbol) log-level log processing mode (action)
Log device (can be understood as log type):
———————————————————————-
Log generated by Auth–pam
Verification information for login information such as Authpriv ssh,ftp
cron– Time Task related
kern– kernel
lpr– Printing
mail– Mail
Mark (syslog) –rsyslog service internal information, time identification
news– News Group
user– related information generated by the user program
Uucp–unix to UNIX copy, related communication between UNIX hosts
Local 1~7– custom log device
Log level:
———————————————————————-
debug– with modal information, most log information
info– General Information log, most commonly used
notice– information on the most important general conditions
warning– Warning Level
err– error level, information that prevents a feature or module from working correctly
crit– critical level that prevents the entire system or the entire software from working properly information
alert– information that needs to be modified immediately
emerg– critical information such as kernel crashes
None – don't record anything.
Let's take a few examples:
1 if I want to write mail-related data to/var/log/maillog. Then the following should be added in rsyslog.conf
Mail.info/var/log/maillog
2 If I want to write news and cron information to a file called/var/log/cronnews, but two program warning messages are recorded in/var/log/cronnews.warn, you should add the following:
News.*;cron.*/var/log/cronnews
News.=warn;cron.=warn/var/log/cronnews.warn
The. = Represents the required level is the next level, the others do not
.! Represents not equal to, and is recorded in addition to the rank of the class
One thing to note is that for log files, if you open it with vim and leave but execute: Wq parameters, then the file will not continue to log operations in the future unless you restart Rsyslog. /etc/init.d/rsyslog restart
We often see the following files in the/var/log file. Dpkg.log.1,dpkg.log.2. These are due to logrotate reasons. Because the log keeps on recording and the file gets bigger and larger, it can affect the system's operation, so the logrorate is to change the old log file name and create a new empty log file. Then the old record is saved for a period of time and deleted. This saves you a lot of hard disk space.
-rw-r--r--1 root root 0 Sep 3 14:04 dpkg.log
-rw-r--r--1 root root 161993 15:14 dpkg.log.1
-rw-r--r--1 root root 98629 Nov dpkg.log.10.gz
-rw-r--r--1 root root 177381 Jul 15:26 dpkg.log.2.gz
-rw-r--r--1 root root 23074 Jul 10:16 dpkg.log.3.gz
-rw-r--r--1 root root 224 Oct 9 dpkg.log.4.gz
-rw-r--r--1 root root 2861 Sep dpkg.log.5.gz
-rw-r--r--1 root root 335 June dpkg.log.6.gz
-rw-r--r--1 root root 1011 dpkg.log.7.gz
-rw-r--r--1 root root 221 May 7 dpkg.log.8.gz
-rw-r--r--1 root root 2206 Dec 1 dpkg.log.9.gz
So how is Logrotate's work mechanism defined, and these are recorded in the/etc/logrotate.conf?
# Rotate log files weekly rotate the log once a week
Weekly
# Use the Syslog group by default, since the owning group
# Of/var/log/syslog.
Su Root syslog
# Keep 4 weeks worth of backlogs keep only 4 log files
Rotate 4
# Create new (empty) log files after rotating old ones
Create log file is renamed, so create a new one to continue storage
# Uncomment this if you want your log files compressed modified logs need to be compressed
#compress
For example, for/var/log/wtmp files, set the following
/var/log/wtmp {
Missingok
Monthly
Create 0664 Root utmp
Rotate 1
}
But the reality is that we have a lot of services on the system, each service needs to modify the/etc/logrotate.conf file is also quite complicated. So you need to separate out a directory, each service is a separate file, and placed in the/ETC/LOGROTATE.D.
[Email protected]:/etc/logrotate.d# ls-al
Total 64
Drwxr-xr-x 2 root root 4096 21 11:32.
Drwxr-xr-x 147 root root 12288 Sep 21 21:55..
-rw-r--r--1 root root 126 may Apport
-rw-r--r--1 root root 173 Apr apt
-rw-r--r--1 root root 181 Feb Cups-daemon
-rw-r--r--1 root root 232 Mar 7 dpkg
-rw-r--r--1, root root, 1 LIGHTDM
-rw-r--r--1 root root 157 Jul pm-utils
-rw-r--r--1 root root 94 April PPP
-rw-r--r--1 root root 515 Feb 3 Rsyslog
-rw-r--r--1 root root 513 Feb speech-dispatcher
-rw-r--r--1 root root 178 7 UFW
-rw-r--r--1 root root 235 Feb unattended-upgrades
-rw-r--r--1 root root 122 Apr upstart
For example, look at the Rsyslog settings.
[Email protected]:/etc/logrotate.d# cat Rsyslog
/var/log/syslog
{
Rotate 7
Daily
Missingok
Notifempty
Delaycompress
Compress
Postrotate
Invoke-rc.d Rsyslog rotate >/dev/null
Endscript
}
where postrotate represents the command that is initiated after the logrotate has been done. Prerotate represents the order before the logrotate.
For example, if we want to set the/var/log/syslog file after rotate to only the added property. Can write like this
Postrotate
/usr/bin/chattr +a/var/log/syslog
Endscript
If the configuration files are OK, you can use the Logrotate command to test whether the settings are feasible.
LOGRORATE-VF logfile
-V: Start display mode, which shows the process of logrotate running
-F: Forces each file to be rotate regardless of whether it conforms to the profile's data
Learn Linux: Log files