1. Introduction
(1) Log service
In CentOS 6.x the original syslogd service has been replaced by rsyslogd. rsyslogd is more capable and has more features, but whichever service is in use, the format of the log files is compatible with syslogd, so the basics learned here apply to syslogd as well.
New features of rsyslogd:
log messages can be transmitted over TCP, which is more reliable than the traditional UDP transport (rsyslog can also encrypt this transport with TLS); there is a framework for analysing log messages as they arrive; messages can be written to a database backend; simple logical conditions can be expressed in the configuration file; and the syslogd configuration file format is still accepted.
1) Check whether the service is running
ps aux | grep rsyslogd            # check whether the service is running (service rsyslog status also works)
chkconfig --list | grep rsyslog   # check whether it is started at boot
2) Common logs and what they contain
| Log file | Description |
| --- | --- |
| /var/log/cron | Messages from the system's scheduled tasks (crond, at) |
| /var/log/cups | Printing messages |
| /var/log/dmesg | Kernel messages recorded while the system boots; the dmesg command shows the same kernel ring buffer directly |
| /var/log/btmp | Failed login attempts. This is a binary file and cannot be read with vi; use the lastb command to view it |
| /var/log/lastlog | Last login time of every user on the system. Also a binary file; view it with the lastlog command |
| /var/log/maillog | Mail server messages |
| /var/log/messages | General system messages. Most important messages from the Linux system end up here, so when something goes wrong this is the first log file to check |
| /var/log/secure | Authentication and authorization messages. Any program that deals with accounts and passwords writes here: system login, SSH login, switching users with su, sudo authorization, even adding users and changing passwords |
| /var/log/wtmp | Every user's login and logout, plus system boot, reboot and shutdown events. Also a binary file; view it with the last command |
| /var/run/utmp | The users currently logged in. The file changes as users log in and out and only holds current sessions; it is binary and cannot be read with vi, so query it with w, who, users and similar commands |
Besides the system's default logs, services installed from RPM packages write their logs under /var/log/ by default (services built from source log to the directory chosen at build time). These logs are not written or managed by rsyslogd; each service manages its own log files. Common examples:
| Log directory | Description |
| --- | --- |
| /var/log/httpd/ | Default log directory of the Apache service installed from the RPM package |
| /var/log/mail/ | Additional log directory of the RPM-installed mail service |
| /var/log/samba/ | Log directory of the Samba service installed from the RPM package |
| /var/log/sssd/ | Log directory of the System Security Services Daemon (sssd) |
2. RSYSLOGD Log Service
(1) Log file format
The basic log format has four columns: the time the event was generated, the hostname of the server on which the event occurred, the service or program name that produced it (usually followed by its PID in square brackets), and the details of the event.
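As an added example (not part of the original notes), the following Python script parses lines in this four-column format and then runs a simple check over a /var/log/secure-style sample: it counts sshd "Failed password" events per source address and the user names tried, which is the first thing to look at when the secure log is reviewed after a suspected password-guessing attempt. The log lines are constructed for the example; the regular expressions and the threshold of three attempts are choices made here, not something the notes prescribe.

```python
import re
from collections import Counter, defaultdict

# Classic syslogd/rsyslogd line layout (the CentOS 6 default template):
#   <month> <day> <HH:MM:SS> <hostname> <program>[<pid>]: <message>
SYSLOG_LINE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)

# sshd's own wording for a rejected password (optionally for a non-existent account)
FAILED_PASSWORD = re.compile(
    r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_line(line):
    """Split one syslog line into its four columns; return None if it does not match."""
    m = SYSLOG_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec

def failed_ssh_logins(lines):
    """Count sshd 'Failed password' events per source IP and collect the user names tried."""
    per_ip = Counter()
    users = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["program"] != "sshd":
            continue
        m = FAILED_PASSWORD.match(rec["message"])
        if m:
            per_ip[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
    return per_ip, users

def suspicious_sources(lines, threshold=3):
    """Source IPs with at least `threshold` failed attempts, most active first."""
    per_ip, users = failed_ssh_logins(lines)
    return [(ip, n, sorted(users[ip])) for ip, n in per_ip.most_common() if n >= threshold]

# Constructed sample in /var/log/secure format (not taken from a real host).
SAMPLE_SECURE = """\
Jun  3 10:15:22 web1 sshd[2231]: Failed password for root from 192.168.0.10 port 51001 ssh2
Jun  3 10:15:24 web1 sshd[2231]: Failed password for root from 192.168.0.10 port 51001 ssh2
Jun  3 10:15:27 web1 sshd[2235]: Failed password for invalid user admin from 192.168.0.10 port 51003 ssh2
Jun  3 10:16:01 web1 sshd[2240]: Accepted password for alice from 192.168.0.25 port 51010 ssh2
Jun  3 10:16:40 web1 sshd[2244]: Failed password for alice from 192.168.0.25 port 51012 ssh2
Jun  3 10:17:02 web1 su: pam_unix(su-l:session): session opened for user root by alice(uid=500)
Jun  3 10:17:30 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
""".splitlines()

if __name__ == "__main__":
    for ip, count, names in suspicious_sources(SAMPLE_SECURE):
        print(f"{ip}: {count} failed attempts, users tried: {', '.join(names)}")
```

The su and sudo lines parse with the same expression (no PID in brackets), which is why the check filters on the program column rather than on the message text alone; real secure logs mix all of these sources in one file.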
(2)/etc/rsyslog.conf configuration file
authpriv.*    /var/log/secure
# service name (facility) [connection symbol] log level    log destination
# here: the authentication-related facility, at every log level, is written to /var/log/secure
| Service name (facility) | Description |
| --- | --- |
| auth | Security and authentication messages (authpriv is now generally used instead) |
| authpriv | Security and authentication messages (private, not readable by ordinary users) |
| cron | Messages from the scheduled-task services crond and at |
| daemon | Messages from the various system daemons |
| ftp | Messages from the FTP daemon |
| kern | Messages generated by the kernel (not by user processes) |
| local0-local7 | Reserved for local use |
| lpr | Messages from the printing subsystem |
| mail | Mail sending and receiving |
| news | News server messages |
| syslog | Messages generated by the log service itself (the service is now called rsyslogd, but many configurations still follow syslogd and the facility name was not changed) |
| user | User-level messages |
| uucp | UUCP subsystem messages; UUCP (Unix-to-Unix Copy) is an early Unix data-transfer protocol that was later also used by the newsgroup service |
(3) Connection symbol
The connection symbol sits between the facility and the log level and is interpreted as follows:
"*" stands for all log levels. For example, "authpriv.*" means every message from the authpriv authentication facility is recorded, whatever its level;
"." followed by a plain level means messages at that level and higher are recorded. For example, "cron.info" records messages from the cron facility whose level is info or above;
".=" records only messages at exactly the given level and nothing else. For example, "*.=emerg" matches messages from every facility at level emerg only. This form is rarely used; it is enough to know it exists;
".!" excludes the given level and everything above it, so "mail.!err" records mail messages below err. To exclude exactly one level, combine the two forms: "mail.!=err" records mail messages at every level except err;
"none" (for example "mail.none") excludes every level of that facility; it is normally used to take one facility out of a wildcard selector, as in "*.info;mail.none".
(4) Log levels
| Level | Description |
| --- | --- |
| debug | Debugging messages |
| info | General informational messages |
| notice | Normal but significant condition |
| warning | Warning; the service or system still operates normally |
| err | Error; at this level the operation of the service or system is generally affected |
| crit | Critical condition, more severe than err |
| alert | Action must be taken immediately, more severe than crit |
| emerg | Emergency: the system is no longer usable |
(5) Log destination
The absolute path of a log file, such as "/var/log/secure" (a leading "-", as in "-/var/log/maillog", lets rsyslogd buffer writes instead of syncing after every message);
A device file, such as "/dev/lp0";
Forwarding to a remote host, such as "@192.168.0.210:514" (UDP; write "@@192.168.0.210:514" to forward over TCP);
A user name, such as "root", which writes the message to that user's terminal ("*" means every logged-in user);
"~", which discards the message.
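To make the selector rules and destination forms concrete, here is an added Python model (example code written for these notes, not rsyslog's own logic). It parses rule lines of the form "selector destination", evaluates the connection symbols described above ("*", a plain level, "=", "!", "!=" and "none"), applies rsyslog's rule that a later selector on the same line overrides an earlier one for the same facility, and classifies the destination. The sample rules are modelled on the CentOS 6 default /etc/rsyslog.conf; the facility/level pairs fed through them are constructed.

```python
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}   # legacy spellings rsyslog accepts
FACILITIES = ["auth", "authpriv", "cron", "daemon", "ftp", "kern", "lpr", "mail",
              "news", "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]

def _rank(prio):
    return PRIORITIES.index(ALIASES.get(prio, prio))

def priority_matcher(spec):
    """Predicate for the level part of a selector.
    '*'  -> every level            'none' -> no level at all
    'p'  -> p and higher           '=p'   -> exactly p
    '!p' -> everything below p     '!=p'  -> everything except p"""
    if spec == "*":
        return lambda p: True
    if spec == "none":
        return lambda p: False
    if spec.startswith("!="):
        r = _rank(spec[2:])
        return lambda p: _rank(p) != r
    if spec.startswith("!"):
        r = _rank(spec[1:])
        return lambda p: _rank(p) < r
    if spec.startswith("="):
        r = _rank(spec[1:])
        return lambda p: _rank(p) == r
    r = _rank(spec)
    return lambda p: _rank(p) >= r

def parse_rule(line):
    """'sel1;sel2 destination' -> ([(facility set, predicate), ...], destination).
    The facility part may be '*' or a comma-separated list such as 'uucp,news'."""
    selector, destination = line.split(None, 1)
    parts = []
    for sel in selector.split(";"):
        fac, prio = sel.rsplit(".", 1)
        facs = set(FACILITIES) if fac == "*" else set(fac.split(","))
        parts.append((facs, priority_matcher(prio)))
    return parts, destination.strip()

def route(rules, facility, priority):
    """Destinations one message reaches. Within a rule line, a later selector that
    names the same facility overrides an earlier one; that is how
    '*.info;mail.none' keeps mail out of /var/log/messages."""
    hits = []
    for parts, destination in rules:
        verdict = False
        for facs, pred in parts:
            if facility in facs:
                verdict = pred(priority)
        if verdict:
            hits.append(destination)
    return hits

def destination_kind(destination):
    """Classify the destination forms listed in the notes."""
    if destination == "~":
        return "discard"
    if destination == "*":
        return "all logged-in users"
    if destination.startswith("@@"):
        return "remote host (TCP)"
    if destination.startswith("@"):
        return "remote host (UDP)"
    path = destination.lstrip("-")          # leading '-' means buffered writes, still a file
    if path.startswith("/dev/"):
        return "device file"
    if path.startswith("/"):
        return "file"
    return "user terminal"

# Rule lines modelled on the CentOS 6 default /etc/rsyslog.conf (constructed for this example).
SAMPLE_RULES = [
    "*.info;mail.none;authpriv.none;cron.none   /var/log/messages",
    "authpriv.*                                 /var/log/secure",
    "mail.*                                     -/var/log/maillog",
    "cron.*                                     /var/log/cron",
    "*.emerg                                    *",
    "uucp,news.crit                             /var/log/spooler",
    "local7.*                                   /var/log/boot.log",
]
RULES = [parse_rule(line) for line in SAMPLE_RULES]

if __name__ == "__main__":
    for fac, prio in [("authpriv", "info"), ("mail", "err"), ("kern", "emerg"), ("user", "debug")]:
        dests = route(RULES, fac, prio)
        print(f"{fac}.{prio:<6} -> {[(d, destination_kind(d)) for d in dests]}")
```

Two results are worth noticing: a kern.emerg message reaches both /var/log/messages and every logged-in terminal, and a user.debug message reaches nothing at all, because no default rule goes below info.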
3. Log rotation
(1) Naming rules for log files
First: if the configuration contains the "dateext" parameter, the date is appended to the rotated file's name, for example "secure-20130603". File names never collide under this scheme, so rotated logs do not have to be renamed; logrotate simply keeps the configured number of files and deletes the extra ones.
Second: without "dateext", the rotated files are renamed. At the first rotation the current "secure" log is renamed "secure.1" and a new "secure" is created for new messages. At the second rotation "secure.1" is renamed "secure.2", the current "secure" is renamed "secure.1", a new "secure" is created again, and so on.
(2) logrotate configuration file
The configuration file is /etc/logrotate.conf
| Parameter | Description |
| --- | --- |
| daily | Rotate the log every day |
| weekly | Rotate the log every week |
| monthly | Rotate the log every month |
| rotate <number> | Number of rotated copies to keep; 0 means no old copies are kept |
| compress | Compress old logs after rotation |
| create <mode> <owner> <group> | After rotation create a new log with the given permissions, owner and group, for example create 0600 root utmp |
| mail <address> | When a rotated copy is about to be deleted, mail it to the given address instead of silently removing it |
| missingok | If the log file does not exist, continue without an error message |
| notifempty | Do not rotate the log if it is empty |
| minsize <size> | Rotate only when the log has reached this size; if it has not, it is not rotated even when the time period has elapsed |
| size <size> | Rotate as soon as the log exceeds this size, regardless of the time period |
| dateext | Use the date as the suffix of rotated files |
Note: settings outside any curly braces are global. If the same setting also appears inside a log's curly braces, the value in the braces is used for that log; otherwise the global value applies.
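The two naming schemes from section (1) and the rotate count from the table above can be tried out with this added Python simulation (example code written for these notes; it is not logrotate itself and does not read its configuration). It performs the renames on real files in a temporary directory: rotate_numeric implements the secure -> secure.1 -> secure.2 chain and drops the copy beyond the rotate count, rotate_dateext appends the date and prunes the oldest copies, and create_fresh stands in for the create directive. The log name, dates and rotate count are constructed for the example.

```python
import os
import shutil
import tempfile
from datetime import date

def rotate_numeric(path, keep):
    """Classic scheme (no dateext): secure -> secure.1, secure.1 -> secure.2, ...
    The copy numbered `keep` is removed first, so at most `keep` old copies survive."""
    if keep == 0:                      # rotate 0: no backups, the old log is simply removed
        if os.path.exists(path):
            os.remove(path)
        return
    oldest = f"{path}.{keep}"
    if os.path.exists(oldest):
        os.remove(oldest)
    for n in range(keep - 1, 0, -1):   # shift secure.n -> secure.(n+1), highest number first
        src = f"{path}.{n}"
        if os.path.exists(src):
            os.rename(src, f"{path}.{n + 1}")
    if os.path.exists(path):
        os.rename(path, f"{path}.1")

def rotate_dateext(path, keep, today):
    """dateext scheme: secure -> secure-YYYYMMDD; names never collide, so the only
    housekeeping is pruning the oldest copies beyond `keep`."""
    if os.path.exists(path):
        os.rename(path, f"{path}-{today.strftime('%Y%m%d')}")
    d = os.path.dirname(path)
    base = os.path.basename(path) + "-"
    archived = sorted(f for f in os.listdir(d)
                      if f.startswith(base) and f[len(base):].isdigit())
    for f in archived[:max(0, len(archived) - keep)]:
        os.remove(os.path.join(d, f))

def create_fresh(path, mode=0o600):
    """The `create` directive: start a new, empty log with the given permissions."""
    with open(path, "w"):
        pass
    os.chmod(path, mode)

def simulate(scheme, rounds, keep=3, start=date(2013, 6, 1)):
    """Run `rounds` daily rotations of a log named 'secure' in a scratch directory
    and return the sorted file names left behind (the directory is removed afterwards)."""
    d = tempfile.mkdtemp()
    try:
        path = os.path.join(d, "secure")
        for i in range(rounds):
            with open(path, "a") as f:           # the day's messages
                f.write(f"day {i}\n")
            if scheme == "dateext":
                rotate_dateext(path, keep, date.fromordinal(start.toordinal() + i))
            else:
                rotate_numeric(path, keep)
            create_fresh(path)
        return sorted(os.listdir(d))
    finally:
        shutil.rmtree(d)

if __name__ == "__main__":
    print("numeric, 5 days, rotate 3:", simulate("numeric", 5, keep=3))
    print("dateext, 5 days, rotate 3:", simulate("dateext", 5, keep=3))
```

Both runs end with the current log plus three old copies; the difference is only in which file holds which day, and that under the numeric scheme every existing copy is renamed at each rotation, while under dateext nothing is renamed after the first move.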
(3) Adding Apache logs to rotation
Services installed from RPM packages already support rotation (the package drops a definition into /etc/logrotate.d/, which /etc/logrotate.conf includes) and need no further work. Only services installed from source need rotation configured by hand.
The access_log and error_log files in /usr/local/apache2/logs/ are not rotated by default, so a definition for them has to be added.
vi /etc/logrotate.conf
/usr/local/apache2/logs/access_log /usr/local/apache2/logs/error_log {
    daily
    create
    rotate 30
    sharedscripts
    postrotate
        /usr/local/apache2/bin/apachectl graceful
    endscript
}
The postrotate block matters for a source-built Apache: httpd keeps the old file open after it is renamed, so without a graceful restart it goes on writing to access_log.1 and the new access_log stays empty. A file under /etc/logrotate.d/ works just as well as editing /etc/logrotate.conf directly.
(4) The logrotate command
Format: logrotate [options] configuration-file
Without options, logs are rotated according to the conditions in the configuration file. The -v option shows the rotation process in detail, and -f forces rotation of every log in the configuration file whether or not its rotation condition has been met. The -d option runs in debug mode: it prints what would be done without touching any file, which is the safest way to test a new definition.
Example: after adding the Apache definition, check it with
logrotate -d /etc/logrotate.conf
and, once the output looks right, force the first rotation with logrotate -v -f /etc/logrotate.conf.
Linux Learning Notes: Linux log management