Linux Learning Notes (+) Linux log Management

Source: Internet
Author: User
Tags: rsyslog dmesg

1. Introduction

(1) Log service

In CentOS 6.x the log service rsyslogd has replaced the original syslogd. rsyslogd is more advanced and has more features, but whichever service is used, the log file format is compatible with syslogd, so the basics to learn are the same as for syslogd.

New features of RSYSLOGD:

Log messages can be transmitted over TCP (a more reliable transport than UDP for network logging), log messages can be analysed as they arrive, a database can be used as a back end, simple logical conditions can be written in the configuration file, and the syslogd configuration file format is still accepted.

1) Check that the service is running

    ps aux | grep rsyslogd           # is the service running?
    chkconfig --list | grep rsyslog  # does it start at boot?

2) Common logs and their purpose

Log file: description

/var/log/cron
    Logs of the system's scheduled tasks (cron).
/var/log/cups
    Printing (CUPS) logs.
/var/log/dmesg
    Kernel self-test messages from boot; the dmesg command shows the same information directly.
/var/log/btmp
    Failed login attempts. The file is binary and cannot be read with vi; use the lastb command.
/var/log/lastlog
    Last login time of every user on the system. Also binary; view it with the lastlog command.
/var/log/maillog
    Mail service messages.
/var/log/messages
    Important system messages. Most of the important information about the Linux system ends up here; when the system has a problem, this is the first log to check.
/var/log/secure
    Authentication and authorization messages. Any program that involves accounts and passwords logs here: system login, SSH login, su, sudo, even adding a user or changing a password.
/var/log/wtmp
    All user logins and logouts, plus system boot, reboot and shutdown events. Also binary; view it with the last command.
/var/run/utmp
    Users currently logged in. The file changes as users log in and out and holds only current sessions. Also binary; query it with w, who, users and similar commands.

Besides the default system logs, services installed from RPM packages write their logs under /var/log/ by default (services installed from source write to the directory chosen at build time). These logs are not recorded or managed by rsyslogd; each service keeps its own log files with its own log management. Common ones are:

Log file: description

/var/log/httpd/
    Default log directory of the Apache service installed from the RPM package.
/var/log/mail/
    Additional log directory of the mail service installed from the RPM package.
/var/log/samba/
    Log directory of the Samba service installed from the RPM package.
/var/log/sssd/
    Log directory of the System Security Services Daemon (sssd).

2. RSYSLOGD Log Service

(1) Log file format

The basic log format has four columns: the time the event occurred, the hostname of the server on which it occurred, the name of the service or program that generated it, and the details of the event.
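As an added example (not part of the original notes), the shell functions below split lines in this four-column format into their fields and then count failed SSH logins per source address, the kind of triage a defender does on /var/log/secure. The sample lines, the hostname web01 and the addresses are constructed for the example.

```shell
# Constructed sample lines in the classic four-column syslog format
# (timestamp, host, program[pid], message); not from a real system.
SAMPLE_SECURE='Jun  3 10:15:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jun  3 10:15:03 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jun  3 10:15:09 web01 sshd[2210]: Accepted publickey for deploy from 198.51.100.4 port 40110 ssh2
Jun  3 10:16:30 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl status httpd
Jun  3 10:17:45 web01 sshd[2230]: Failed password for root from 198.51.100.9 port 50122 ssh2'

# Split each stdin line into the four columns, separated by "|":
# timestamp | host | program | message
split_columns() {
    awk '{
        ts = $1 " " $2 " " $3
        host = $4
        prog = $5
        sub(/\[[0-9]+\]:$/, "", prog)   # drop a "[pid]:" suffix (sshd[2201]: -> sshd)
        sub(/:$/, "", prog)             # or a bare trailing colon (sudo: -> sudo)
        msg = ""
        for (i = 6; i <= NF; i++) msg = msg (i > 6 ? " " : "") $i
        printf "%s|%s|%s|%s\n", ts, host, prog, msg
    }'
}

# Count "Failed password" events per source address, most frequent first.
failed_logins_by_source() {
    awk '/Failed password for/ {
        for (i = 1; i <= NF; i++) if ($i == "from") count[$(i + 1)]++
    }
    END { for (ip in count) printf "%s %d\n", ip, count[ip] }' | sort -k2,2nr -k1,1
}

# How many stdin lines were written by the given program (third column).
count_program() {
    split_columns | awk -F'|' -v p="$1" '$3 == p' | wc -l | tr -d ' '
}

# Demonstration on the constructed sample
printf '%s\n' "$SAMPLE_SECURE" | split_columns
printf '%s\n' "$SAMPLE_SECURE" | failed_logins_by_source
```

The same functions work on a real file with `split_columns < /var/log/secure`; the per-source count is the first thing to look at when /var/log/secure grows unexpectedly.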

(2)/etc/rsyslog.conf configuration file

    authpriv.*                                  /var/log/secure
    # service name[.connector]log level         logging location
    # authentication services: all log levels are written to /var/log/secure

Service name: description

auth
    Security and authentication messages (deprecated; superseded by authpriv).
authpriv
    Security and authentication messages (private).
cron
    Logs generated by the scheduled-task services cron and at.
daemon
    Logs of the various daemons.
ftp
    Logs generated by the FTP daemon.
kern
    Logs generated by the kernel (not by user processes).
local0-local7
    Reserved for local use.
lpr
    Printing logs.
mail
    Mail sending and receiving.
news
    News server logs.
syslog
    Messages generated by the syslogd service itself (although the service is now called rsyslogd, much of the configuration still follows syslogd, and this service name was not changed).
user
    User-level log messages.
uucp
    UUCP subsystem messages; UUCP is an early Linux data transfer protocol, later also used by the news group service.

(3) Connection symbol

The connection symbols are interpreted as follows:

"*" means all log levels. For example, "authpriv.*" records logs of every level generated by the authpriv authentication service.

"." means that a log is recorded as long as its level is at least the level that follows (that level included). For example, "cron.info" records logs generated by the cron service whose level is info or higher.

".=" means that only logs of exactly the given level are recorded; no other level is logged. For example, "*.=emerg" records the logs of every service, but only those at emerg level. This usage is rarely seen; it is enough to understand it.

".!" means not equal: logs of every level except the one named are recorded.

(4) Log level

Level name: description

debug
    General debugging information.
info
    Basic notification information.
notice
    General information, but of some importance.
warning
    Warning message; does not affect the operation of the service or system.
err
    Error message; errors at this level can affect the operation of the service or system.
crit
    Critical condition, more severe than err.
alert
    Alert condition, more severe than crit; action must be taken immediately.
emerg
    Panic condition; the system is unusable.

(5) Log record location

The absolute path of a log file, such as "/var/log/secure";

A device file, such as "/dev/lp0";

Forwarding to a remote host, such as "@192.168.0.210:514";

A user name, such as "root";

Ignoring or discarding the log, written as "~".
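The selector and action syntax of sections (3) to (5), replayed as an added shell example that is not part of the original notes and is not rsyslogd's own matching code: given a constructed rule set written in /etc/rsyslog.conf syntax, it reports which actions would receive a message of a given facility and level. The rule set is an assumption for the example; the forwarding target 192.168.0.210:514 reuses the address from the text, and the not-equal form is accepted here as ".!=level".

```shell
# Severity as a number, in the order of the level table above:
# lower number = more severe (emerg is the most severe, debug the least).
level_num() {
    case "$1" in
        emerg) echo 0 ;;   alert) echo 1 ;;  crit) echo 2 ;; err) echo 3 ;;
        warning) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
        *) echo 99 ;;      # an unknown message level never matches a ".level" selector
    esac
}

# selector_matches SELECTOR FACILITY LEVEL
# Returns 0 when a message of FACILITY.LEVEL is caught by SELECTOR, which may be
# facility.level (this level and more severe), facility.=level (exactly this level),
# facility.!=level (every level except this one) or facility.* (all levels);
# the facility part may itself be "*".
selector_matches() {
    sel_fac=${1%%.*}
    sel_lvl=${1#*.}
    if [ "$sel_fac" != "*" ] && [ "$sel_fac" != "$2" ]; then
        return 1
    fi
    case "$sel_lvl" in
        '*')   return 0 ;;
        '!='*) [ "${sel_lvl#??}" != "$3" ] ;;     # strip the two-character "!=" prefix
        '='*)  [ "${sel_lvl#=}" = "$3" ] ;;
        *)     [ "$(level_num "$3")" -le "$(level_num "$sel_lvl")" ] ;;
    esac
}

# Constructed rule set in /etc/rsyslog.conf syntax ("selector  action" per line);
# an assumption for this example, not a recommended configuration.
RULES='authpriv.*     /var/log/secure
cron.info      /var/log/cron
*.=emerg       @192.168.0.210:514
mail.!=debug   /var/log/maillog
kern.crit      root'

# route FACILITY LEVEL: print the action of every rule that catches the message,
# in configuration order (every matching rule fires, not only the first).
route() {
    printf '%s\n' "$RULES" | while read -r selector action; do
        [ -n "$selector" ] || continue
        if selector_matches "$selector" "$1" "$2"; then
            printf '%s\n' "$action"
        fi
    done
}

# Demonstration: where does a message of each facility.level end up?
show() { printf '%s.%s -> %s\n' "$1" "$2" "$(route "$1" "$2" | tr '\n' ' ')"; }
show authpriv notice
show cron debug
show cron warning
show kern emerg
show mail info
```

Running it shows, for instance, that a kern.emerg message is both forwarded to the remote host and written to the root user, while cron.debug matches nothing because debug is below the info threshold of "cron.info".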

3. Log rotation

(1) Naming rules for log files

First: if the configuration file contains the "dateext" parameter, the date is used as the suffix of the rotated log file, for example "secure-20130603". File names then never collide, so no renaming is needed; only the specified number of logs is kept and the surplus files are deleted.

Second: if the configuration file does not contain "dateext", the log files must be renamed. At the first rotation the current "secure" log is renamed "secure.1" and a new "secure" log is created for new entries. At the second rotation "secure.1" is renamed "secure.2", the current "secure" is renamed "secure.1", and again a new "secure" log is created, and so on.
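The two naming schemes above, replayed as an added shell example that is not part of the original notes and is not logrotate's own code: rotate_numbered performs the rename chain used without "dateext", rotate_dateext the date-suffix scheme, and both honour the retention count of "rotate N" (see the parameter table below). The work is done in a temporary directory on constructed one-line logs; the file name "secure" and the dates are taken from the examples in the text.

```shell
# rotate_numbered DIR NAME KEEP
# Rotation without "dateext": NAME.(KEEP-1) -> NAME.KEEP, ..., NAME -> NAME.1, then a
# fresh NAME. KEEP is the "rotate N" count: the copy that would become NAME.(KEEP+1)
# is deleted, and "rotate 0" keeps no backup at all.
rotate_numbered() {
    dir=$1; name=$2; keep=$3
    if [ "$keep" -eq 0 ]; then
        rm -f "$dir/$name"
        : > "$dir/$name"
        return 0
    fi
    rm -f "$dir/$name.$keep"                    # the oldest backup falls off the end
    i=$keep
    while [ "$i" -gt 1 ]; do
        prev=$((i - 1))
        if [ -f "$dir/$name.$prev" ]; then
            mv "$dir/$name.$prev" "$dir/$name.$i"
        fi
        i=$prev
    done
    if [ -f "$dir/$name" ]; then
        mv "$dir/$name" "$dir/$name.1"
    fi
    : > "$dir/$name"                            # "create": start a new empty log
}

# rotate_dateext DIR NAME KEEP DATE
# Rotation with "dateext": the current log becomes NAME-DATE; older files are not
# renamed, only the surplus beyond KEEP is deleted (date suffixes sort oldest first).
rotate_dateext() {
    dir=$1; name=$2; keep=$3; suffix=$4
    mv "$dir/$name" "$dir/$name-$suffix"
    : > "$dir/$name"
    ls "$dir"/"$name"-* | sort |
        awk -v k="$keep" '{ f[NR] = $0 } END { for (i = 1; i <= NR - k; i++) print f[i] }' |
        while read -r old; do rm -f "$old"; done
}

# Four daily rotations with "rotate 3" under the numbered scheme; reports the surviving
# file names and the content of the oldest backup (the very first day is gone).
demo_numbered() {
    d=$(mktemp -d)
    : > "$d/secure"
    for day in 1 2 3 4; do
        echo "log $day" >> "$d/secure"          # constructed one-line log content
        rotate_numbered "$d" secure 3
    done
    printf '%s | oldest=%s\n' "$(ls "$d" | sort | tr '\n' ' ' | sed 's/ $//')" "$(cat "$d/secure.3")"
    rm -rf "$d"
}

# The same four rotations with "dateext": no renaming, the oldest date is deleted.
demo_dateext() {
    d=$(mktemp -d)
    : > "$d/secure"
    for day in 20130601 20130602 20130603 20130604; do
        echo "log $day" >> "$d/secure"
        rotate_dateext "$d" secure 3 "$day"
    done
    printf '%s\n' "$(ls "$d" | sort | tr '\n' ' ' | sed 's/ $//')"
    rm -rf "$d"
}

demo_numbered
demo_dateext
```

The numbered run ends with secure, secure.1, secure.2 and secure.3, where secure.3 holds the second day's entries because the first day's copy was pushed off the end; the dateext run ends with secure-20130602 to secure-20130604, the 20130601 file having been deleted as surplus.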

(2) logrotate configuration file

The configuration file is /etc/logrotate.conf.

Parameter: description

daily
    The rotation period is one day.
weekly
    The rotation period is one week.
monthly
    The rotation period is one month.
rotate N
    Number of rotated log files to keep; 0 means no backup is kept.
compress
    Old logs are compressed when rotated.
create mode owner group
    Create a new log file after rotation with the given permissions, owner and group, for example "create 0600 root utmp".
mail address
    Send the rotated log to the given e-mail address.
missingok
    If the log file does not exist, continue without a warning.
notifempty
    Do not rotate the log if it is empty.
minsize size
    Minimum size for rotation: the log is rotated only once it has reached this size, even if the time condition is already met.
size size
    Rotate only when the log exceeds the given size, regardless of time.
dateext
    Use the date as the suffix of the rotated file.

Note: settings outside curly braces are global. If the same setting appears inside a log's curly braces, the value in the braces takes precedence for that log; otherwise the global setting applies.

(3) Adding Apache logs to rotation

If a service was installed from an RPM package, rotation is supported by default and nothing needs to be done. Only services installed from source need rotation configured by hand.

The access_log and error_log in /usr/local/apache2/logs/ are not rotated and need to be added:

    vi /etc/logrotate.conf

    /usr/local/apache2/logs/access_log {
        daily
        create
        rotate 30
    }

(4) Logrotate command

The format is: logrotate [options] configuration-file

Without options, rotation follows the conditions in the configuration file. The -v option displays the rotation process, and the -f option forces rotation: every log in the configuration file is rotated, whether or not its rotation conditions have been met.

Example: after adding the Apache rotation configuration, verify it with "logrotate -v /etc/logrotate.conf".
