Linux Beginner-System log (ii)
Part (i) introduced the methods for synchronizing logs between different hosts, so that one host can view the logs of another. Some additional information about the system log is described here.
1. Log collection format
In log collection, as the screenshot showed, the default arrangement of the collected lines makes analysis harder, especially when logs from several hosts are synchronized to one receiver, so it is sometimes necessary to define an explicit collection format (an rsyslog template).
The collection format is defined in "/etc/rsyslog.conf"; if you want to change the format of the synchronized logs, configure it on the receiving host. Edit as shown; the template text must be placed above all the rules that write collected messages to files, otherwise it will not take effect.
In the edited text, "WE" is the template name, which you can choose yourself. "%timegenerated%" is the time the message was received, "%fromhost-ip%" is the IP address of the sending host, "%syslogtag%" is the tag of the program that produced the message, "%msg%" is the message content, and "\n" is a newline. The order and content of the fields can be arranged as you wish.
After editing, append ";WE" to the log file path in the rule whose output format you want to change (for example "/var/log/messages;WE"), save and exit, then run "systemctl restart rsyslog.service" for the change to take effect.
If the format should apply to all collected log files, instead change the value after "$ActionFileDefaultTemplate" to "WE".
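The template from the section above, written out as an added example (it is not code from the original post): the first function emits the "WE" template together with the two ways of applying it, and the second checks the ordering rule the post states, namely that the template definition must come before any rule that uses it. The fragment path is a parameter and the log file path is an assumption; on a real receiver the fragment would go into /etc/rsyslog.d/ or the top of /etc/rsyslog.conf.

```shell
#!/bin/sh
# Added example, not from the original post: write the rsyslog template "WE"
# into a config fragment and verify it is defined before the rule that uses it.
# The output path is a parameter; /var/log/messages is an assumed destination.

# Emit the template, a rule that applies it to one file, and the default-template
# directive that applies it to every file action.
write_we_template() {
    out="$1"
    cat > "$out" <<'EOF'
# The template must appear before any rule that references it.
$template WE,"%timegenerated% %fromhost-ip% %syslogtag% %msg%\n"
# Apply WE to one destination file ...
*.info;mail.none;authpriv.none;cron.none    /var/log/messages;WE
# ... or make it the default for every file action:
$ActionFileDefaultTemplate WE
EOF
}

# Check that the $template line precedes every line that uses ";WE" or names
# WE as the default template. Prints "ok" (exit 0) or "bad" (exit 1).
check_template_order() {
    cfg="$1"
    awk '
        /^\$template WE,/ { def = NR; next }
        /;WE([[:space:]]|$)/ || /^\$ActionFileDefaultTemplate[[:space:]]+WE/ {
            if (!def) bad = 1
        }
        END { if (bad || !def) { print "bad"; exit 1 } print "ok" }
    ' "$cfg"
}
```

After dropping the fragment into place, `rsyslogd -N1` parses the configuration without starting the daemon, which catches a misplaced template before the `systemctl restart rsyslog.service` step.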
2. Time synchronization
During log synchronization, if the clocks of the two hosts disagree, viewing and analysing the logs becomes troublesome and even confusing, so the two hosts also need to be synchronized in time. In time synchronization the server's clock is left unchanged and the client synchronizes to the server. The steps are as follows.
Before synchronizing, if the time service is not yet installed, first run "yum install chrony -y". Also run "systemctl stop firewalld" to turn off the firewall.
Server side: run "vim /etc/chrony.conf", comment out the "server" entries on lines 3-6 with "#", remove the leading "#" on lines 22 and 28, and change the IP range on line 22 (the "allow" directive) to "0.0.0.0/0". After saving and exiting, run "systemctl restart chronyd" to restart the service.
Client side: run "vim /etc/chrony.conf", delete the "server" entries on lines 4-6, and change "server 0.rhel.pool.ntp.org iburst" on line 3 to "server <server IP> iburst", where the IP address is that of the time server. Save, exit and restart the service.
To test, run "chronyc sources -v" on the client; if a line such as "^* 172.24.254.202 ..." appears below the dashed header line, time synchronization was successful.
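The server-side and client-side edits above, applied with sed and awk to a copy of the file instead of by hand, as an added example that is not part of the original post. The sample chrony.conf is constructed to resemble the top of a stock RHEL/CentOS 7 file, so the "server" lines are matched by content rather than by the line numbers the post uses; the file path and the server IP are parameters.

```shell
#!/bin/sh
# Added example, not from the original post: apply the chrony.conf edits from
# section 2 to a file and verify the result. The sample config is constructed;
# on a real host the path would be /etc/chrony.conf.

# Constructed sample resembling the top of a stock RHEL/CentOS 7 chrony.conf.
write_sample_conf() {
    cat > "$1" <<'EOF'
# Use public servers from the pool.ntp.org project.
server 0.rhel.pool.ntp.org iburst
server 1.rhel.pool.ntp.org iburst
server 2.rhel.pool.ntp.org iburst
server 3.rhel.pool.ntp.org iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
# Allow NTP client access from local network.
#allow 192.168.0.0/16
# Serve time even if not synchronized to a time source.
#local stratum 10
EOF
}

# Server side: comment out the pool servers, accept clients from anywhere, and
# keep serving time even without an upstream source (local stratum 10).
configure_server() {
    sed -e 's/^server /#server /' \
        -e 's|^#allow .*|allow 0.0.0.0/0|' \
        -e 's/^#local stratum 10/local stratum 10/' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Client side: keep exactly one "server" line, pointing at the time server.
configure_client() {
    awk -v ip="$2" '
        /^server / { if (!done) { print "server " ip " iburst"; done = 1 } next }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print "<active server lines> <allow-all lines> <local stratum lines>" so the
# edit can be checked before restarting chronyd.
summarize() {
    printf '%s %s %s\n' \
        "$(grep -c '^server ' "$1")" \
        "$(grep -c '^allow 0.0.0.0/0$' "$1")" \
        "$(grep -c '^local stratum 10$' "$1")"
}
```

After `systemctl restart chronyd` on both sides, `chronyc sources -v` on the client should list the server with `^*` in front of it; `^` marks a server and `*` marks the source chrony is currently synchronized to.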
3. Time Information
As shown, "timedatectl" or "timedatectl status" displays the current time information, such as the time, the time zone and whether the clock is synchronized.
"timedatectl set-time" sets the current time; the time is given in the format "2017-1-1 12:30:30".
"timedatectl set-timezone" sets the local time zone; the available zones can be listed with "timedatectl list-timezones". As shown, the current time zone is set to "Asia/Shanghai".
"timedatectl set-local-rtc 0|1" sets whether the hardware clock is kept in UTC (0) or local time (1), as shown.
4. Log Analysis tool
4.1 journalctl
The log analysis tool is "journalctl"; running "journalctl" on its own displays the log.
Adding "-n" shows the most recent entries; for example, the latest 5 entries are shown with "journalctl -n 5".
Adding "-p err" shows only error-level messages, as shown.
Adding "-f" follows the log and prints new entries as they arrive.
To see the log after a certain point in time, add "--since"; for example, "journalctl --since "2017-7-26 14:50:00"" shows the entries after that time.
Similarly, to see the log before a certain time, use "--until", as shown. "--since" and "--until" can be combined to view the log for a period of time.
Adding "-o verbose" shows every field of each entry in detail, which is useful for closer analysis.
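The flags from this subsection combined into one scripted query, as an added example that is not part of the original post: a priority filter plus a "--since"/"--until" window, with the priority validated the way journalctl accepts it (a level name or 0-7) and "--no-pager" added so the output is usable from a script. The function names and the sample timestamps are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: build and run a journalctl query
# for a priority level and a time window. Function names are constructed.

# Validate a priority in the form journalctl accepts: a level name or 0-7.
valid_priority() {
    case "$1" in
        emerg|alert|crit|err|warning|notice|info|debug|[0-7]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the command line for one query without running it, e.g.
#   build_journal_query err "2017-7-26 14:50:00" "2017-7-26 15:00:00"
# The third argument (end of the window) may be empty.
build_journal_query() {
    prio="$1"; from="$2"; to="$3"
    valid_priority "$prio" || { echo "bad priority: $prio" >&2; return 1; }
    # --no-pager keeps the output usable in scripts and cron jobs.
    printf 'journalctl --no-pager -p %s --since "%s"' "$prio" "$from"
    if [ -n "$to" ]; then
        printf ' --until "%s"' "$to"
    fi
    printf '\n'
}

# Run the query if this host has journalctl; otherwise explain and return 2.
run_journal_query() {
    if ! command -v journalctl >/dev/null 2>&1; then
        echo "journalctl not available on this host" >&2
        return 2
    fi
    valid_priority "$1" || return 1
    if [ -n "$3" ]; then
        journalctl --no-pager -p "$1" --since "$2" --until "$3"
    else
        journalctl --no-pager -p "$1" --since "$2"
    fi
}
```

Appending `-o verbose` to the same command shows the full field set of each entry; the hidden fields such as `_PID`, `_UID` and `_EXE` are what make a journal entry more attributable than a plain text log line.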
4.2. Journal Management
As the comparison screenshots below show, journalctl by default discards the log from before a reboot, so the earlier entries are no longer visible after the system restarts.
To keep the log from before a reboot, the following needs to be done, as shown.
After this, the "ls" command shows a "system.journal" file, and the "file" command shows that it is a data file. After a reboot the system no longer discards the pre-reboot log.
Note that after this the system only keeps the log from the moment the "system.journal" file was created; entries from before the operation cannot be preserved. Also, if the created "journal" directory is deleted, "journalctl" will show no log; the directory reappears after a reboot, but the log does not.
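The screenshot for this subsection is not reproduced on the page, so the steps below are an added example rather than the post's own: they make the journal persistent the documented way, by creating /var/log/journal and setting "Storage=persistent" in a journald drop-in. The ROOT variable is an assumption introduced so the functions can be exercised on a scratch directory; on a live host run them as root with ROOT unset.

```shell
#!/bin/sh
# Added example, not from the original post: make the systemd journal persist
# across reboots. ROOT is an assumed prefix so the functions can be tried on a
# scratch directory; leave it empty on a real host.

ROOT="${ROOT:-}"

# Create the persistent journal directory and a journald drop-in.
enable_persistent_journal() {
    dir="$ROOT/var/log/journal"
    dropin_dir="$ROOT/etc/systemd/journald.conf.d"
    mkdir -p "$dir" "$dropin_dir"
    # Ownership and mode that systemd-tmpfiles applies to this directory
    # (root:systemd-journal, 2755); chown needs root, so failure is tolerated.
    chown root:systemd-journal "$dir" 2>/dev/null || true
    chmod 2755 "$dir"
    printf '[Journal]\nStorage=persistent\n' > "$dropin_dir/persistent.conf"
}

# Report whether persistence is configured: prints "persistent" or "volatile".
journal_storage_mode() {
    if [ -d "$ROOT/var/log/journal" ] && \
       grep -qs '^Storage=persistent' "$ROOT/etc/systemd/journald.conf.d/persistent.conf"; then
        echo persistent
    else
        echo volatile
    fi
}
```

On a real host, finish with `systemd-tmpfiles --create --prefix /var/log/journal` (which fixes the ownership if the script was not run as root) and `systemctl restart systemd-journald`; from then on `journalctl --list-boots` lists more than one boot after a restart, and `journalctl -b -1` shows the previous boot. The default `Storage=auto` already persists when /var/log/journal exists, which is why the directory alone is enough in the post; the drop-in simply makes the intent explicit.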
Parts (i) and (ii) of this series have briefly described some of the essentials of log management on Linux systems.