Analyze and store logs (i)
1. System logging architecture
Permanent logs: processes and the operating system kernel need to be able to log the events that occur, for use in system audits and troubleshooting. These logs are stored permanently under the /var/log directory and are maintained and managed by the rsyslog service.
Temporary logs: the systemd-journald daemon provides an improved log management service that collects messages from the kernel, from the boot process, and from daemon errors and writes them to a structured event log which, by default, is not retained across a reboot. systemd-journald can also forward syslog messages to rsyslog for further processing.
Introduction to system log files
/var/log/messages   most system log messages
/var/log/secure     security and authentication-related messages
/var/log/maillog    mail server messages
/var/log/cron       scheduled task (cron) messages
/var/log/boot.log   system startup messages
/var/log/dmesg      hardware detection log (view with the dmesg command)
/var/log/yum.log    yum installation log
/var/log/wtmp       login records (binary file; view with the last command)
2. Viewing system log files
The rsyslogd service uses the facility and priority of a log message to decide how to handle it. This is configured in /etc/rsyslog.conf and in the *.conf files under /etc/rsyslog.d. Administrators can place custom files with a .conf suffix into the /etc/rsyslog.d directory, which changes the rsyslogd configuration without the change being overwritten by rsyslog package updates.
The #### RULES #### section of /etc/rsyslog.conf contains the directives that define where log messages are saved. The left side of each line is the facility and severity that a log message must match; the right side is the file the matching messages are written to.
Examples:
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
cron.*                                      /var/log/cron
Format: facility.priority    target-file-path
List of log priority levels
Code  Priority  Severity
0     emerg     system is unusable
1     alert     action must be taken immediately
2     crit      critical condition
3     err       error condition
4     warning   warning condition
5     notice    normal but significant event
6     info      informational message
7     debug     debug-level message
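The two rule examples and the priority table above are easiest to understand together: a selector such as *.info matches messages at priority info and at every more severe priority (a lower code), and a later .none entry excludes a facility that an earlier selector would have matched. The following POSIX shell script, an added example that is not part of the original notes, implements that matching for the basic facility.priority selector form shown on the page (it does not handle rsyslog's "=" and "!" modifiers) and routes a constructed message through a small set of rules modelled on the default /etc/rsyslog.conf. The rule set and the functions prio_num, selector_matches and route are this example's own.

```shell
#!/bin/sh
# Added example, not from the original notes: evaluate rsyslog-style
# selectors ("facility.priority") the way rsyslogd decides which rule's
# target receives a message. Semantics assumed here follow rsyslog.conf(5):
# "facility.level" matches that facility at the named level and every more
# severe level (lower code); "none" excludes the facility; "*" matches all;
# later selectors in a ';' list override earlier ones for the same facility.

# Map a priority keyword to its numeric code (the table above).
prio_num() {
    case "$1" in
        emerg|panic)  echo 0 ;;
        alert)        echo 1 ;;
        crit)         echo 2 ;;
        err|error)    echo 3 ;;
        warning|warn) echo 4 ;;
        notice)       echo 5 ;;
        info)         echo 6 ;;
        debug)        echo 7 ;;
        *)            echo 99 ;;   # unknown keyword never matches
    esac
}

# selector_matches SELECTORS FACILITY PRIORITY -> prints yes or no
# SELECTORS is the left-hand side of a rule, e.g. "*.info;mail.none".
selector_matches() {
    fac=$2; pri=$3
    pnum=$(prio_num "$pri")
    # Split on ';' with tr rather than an unquoted expansion, so that a
    # selector such as "*.info" is never subjected to pathname globbing.
    printf '%s\n' "$1" | tr ';' '\n' | {
        result=no
        while read -r sel; do
            sfac=${sel%%.*}      # part before the first '.'
            slev=${sel#*.}       # part after the first '.'
            # facility part must be "*" or equal to the message facility
            [ "$sfac" = "*" ] || [ "$sfac" = "$fac" ] || continue
            if [ "$slev" = "none" ]; then
                result=no        # explicit exclusion overrides an earlier match
            elif [ "$slev" = "*" ]; then
                result=yes
            elif [ "$pnum" -le "$(prio_num "$slev")" ]; then
                result=yes       # message is at least as severe as the selector level
            else
                result=no
            fi
        done
        echo "$result"
    }
}

# Constructed rule set (assumption: modelled on a default rsyslog.conf).
RULES='*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* /var/log/maillog
cron.* /var/log/cron'

# route FACILITY PRIORITY -> prints the target file of every rule that matches
route() {
    fac=$1; pri=$2
    printf '%s\n' "$RULES" | while read -r sel target; do
        [ "$(selector_matches "$sel" "$fac" "$pri")" = yes ] && echo "$target"
    done
}

# Usage: a cron.info message is excluded from /var/log/messages by
# cron.none and lands only in /var/log/cron; kern.debug matches nothing,
# because debug (7) is less severe than the info (6) threshold.
route cron info
route kern warning
route kern debug
route authpriv info
```

Running the script prints /var/log/cron, /var/log/messages, nothing, and /var/log/secure in that order, which is exactly the routing the two example rules from the notes describe. The same functions can be pointed at the selectors from a real rsyslog.conf to check where a given facility and priority would end up before changing the configuration.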
Log file rotation
Logs are rotated by the logrotate utility to prevent them from filling up the file system that contains /var/log. When a log file is rotated, it is renamed with a name extension that indicates the rotation date. After the original log file has been rotated, a new log file is created and the service that writes to it is notified so that it continues writing to the new file.
After several rotations (usually after four weeks) the oldest log file is discarded to free up disk space; most log files are rotated once a week.
Configuration files: /etc/logrotate.conf and /etc/logrotate.d/
Analyzing system log entries
In the system logs written by rsyslog, the oldest message is at the beginning of the file and the most recent message is at the end. Every entry in a log file managed by rsyslog is recorded in a standard format.
Example:
Jan 8 14:31:25 localhost sshd[7447]: input_userauth_request: invalid user james [preauth]
The fields are: the time the entry was recorded, the host, the program or process (with its PID) that sent it, and the actual message.
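Because every rsyslog entry follows the format just described, the fields can be split apart mechanically and then used for a simple check. The following POSIX shell script, an added example that is not part of the original notes, parses lines in that format with awk and counts, per source address, the "Invalid user" attempts that sshd records in /var/log/secure. The sample log is constructed for this example (the addresses are from the documentation ranges); the parse and invalid_user_sources functions and the alert threshold are this example's own, not anything from the notes.

```shell
#!/bin/sh
# Added example, not from the original notes: split rsyslog's standard line
# format into its fields and use them for a repeated-failure check over
# /var/log/secure-style entries.

# Constructed sample log (assumption: typical OpenSSH messages; the fifth
# line mirrors the entry format shown in the notes).
SAMPLE_LOG='Jan  8 14:31:20 localhost sshd[7441]: Invalid user admin from 192.0.2.10 port 50212
Jan  8 14:31:22 localhost sshd[7443]: Invalid user test from 192.0.2.10 port 50214
Jan  8 14:31:23 localhost sshd[7445]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Jan  8 14:31:24 localhost sshd[7446]: Invalid user oracle from 203.0.113.5 port 33001
Jan  8 14:31:25 localhost sshd[7447]: input_userauth_request: invalid user james [preauth]
Jan  8 14:31:26 localhost sshd[7447]: Invalid user james from 192.0.2.10 port 50220'

# parse LOG -> one "timestamp|host|program|pid|message" line per input line.
# The timestamp is the first three whitespace-separated words (month, day,
# time); the program field may or may not carry a [pid] suffix.
parse() {
    printf '%s\n' "$1" | awk '{
        ts = $1 " " $2 " " $3
        host = $4
        prog = $5
        sub(/:$/, "", prog)                      # drop the trailing colon
        pid = ""
        if (match(prog, /\[[0-9]+\]$/)) {        # "sshd[7447]" -> sshd, 7447
            pid  = substr(prog, RSTART + 1, RLENGTH - 2)
            prog = substr(prog, 1, RSTART - 1)
        }
        # the message is everything after the program field
        msg = substr($0, index($0, $5) + length($5))
        sub(/^ +/, "", msg)
        print ts "|" host "|" prog "|" pid "|" msg
    }'
}

# invalid_user_sources LOG MIN -> "count ip" for every source address with
# at least MIN "Invalid user ... from IP" lines from sshd, most frequent first.
invalid_user_sources() {
    parse "$1" | awk -F'|' -v min="$2" '
        $3 == "sshd" && $5 ~ /^Invalid user / {
            n = split($5, w, " ")
            for (i = 1; i < n; i++) if (w[i] == "from") count[w[i + 1]]++
        }
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
    ' | sort -rn
}

# Usage: show the parsed fields, then report sources with 2 or more attempts.
parse "$SAMPLE_LOG"
echo "--- sources with at least 2 invalid-user attempts ---"
invalid_user_sources "$SAMPLE_LOG" 2
```

On the sample data the report lists 192.0.2.10 with 3 attempts; 203.0.113.5 has only one and stays below the threshold, and the "[preauth]" variant of the message carries no source address, so it is parsed but not counted. Feeding real data is a matter of replacing the sample with the contents of /var/log/secure, for instance via `invalid_user_sources "$(cat /var/log/secure)" 5`.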
Using tail to monitor log files
tail -f /var/log/secure    prints the last 10 lines of the secure log and then keeps printing new lines as they are written
Sending system log messages using logger
The logger command sends a message to the rsyslog service. By default it sends the message with facility user and severity notice unless another facility.priority is given with the -p option. This is particularly useful for testing changes to the rsyslog configuration.
Example:
logger -p user.info "Debug Message Test"
Linux Learning notes----4