Linux Log Management

Source: Internet
Author: User
Tags: syslog, rsyslog, dmesg

1 Common system logs

/var/log/messages    records important system information; the most important general-purpose log

/var/log/cron    records the scheduled (cron) task log

/var/log/cups    records the printing log

/var/log/dmesg    kernel self-test information from system boot; the dmesg command shows the same information directly

/var/log/btmp    failed login attempts; a binary file, view it with the lastb command

/var/log/lastlog    the last login time of every user on the system; a binary file, view it with the lastlog command

/var/log/maillog    records mail messages

/var/log/secure    records authentication and authorization information; anything that involves an account and password is logged here, such as system logins, SSH logins, su switches, sudo authorizations, even adding a user or changing a user's password

/var/log/wtmp    permanent record of all user logins and logouts, as well as system boot, reboot and shutdown events; a binary file, view it with the last command

/var/log/utmp    records the users who are currently logged in; the file changes as users log in and out and only holds current sessions; view it with w, who, users and similar commands

2 Viewing the log service and whether it starts at boot

[root@host log]# ps aux | grep rsyslogd

[root@host log]# chkconfig --list | grep rsyslog

3 General format of log file content

Date and time the event occurred

Hostname of the server on which the event occurred

Name of the service or program that generated the event

Details of the event

For example, the /var/log/messages log:

[root@host log]# cat messages

Nov 11:34:05 Darren rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1282" x-info="http://www.rsyslog.com"] rsyslogd was HUPed

Nov 11:36:04 Darren dhclient[1178]: DHCPREQUEST on eth0 to 192.168.91.254 port (xid=0x483caad7)

Nov 11:36:04 Darren dhclient[1178]: DHCPACK from 192.168.91.254 (xid=0x483caad7)
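As an added example (not code from the original article), a small Python parser for the four-field line format just described: date and time, host, program with an optional [pid], and the message. The sample lines are constructed after the article's excerpt, with the day-of-month that the article's copy lost put back; counting by host is the same check you would run on the central log server later in the article.

```python
import re
from collections import Counter

# Classic BSD-style line as written to /var/log/messages on CentOS 6:
# "Mon DD HH:MM:SS host program[pid]: message"; the [pid] part is optional.
LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<program>[^\[:]+)(?:\[(?P<pid>\d+)\])?: ?(?P<message>.*)$")


def parse_line(line):
    """Split one line into its fields; returns None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


def count_by(lines, field):
    """Number of parsable messages per value of one field, e.g. "program" or "host"."""
    return Counter(r[field] for r in map(parse_line, lines) if r)


# Constructed sample modelled on the article's excerpt (not real captured output);
# the day-of-month and the DHCP server port are filled in here.
SAMPLE = """\
Nov 15 11:34:05 Darren rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1282" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
Nov 15 11:36:04 Darren dhclient[1178]: DHCPREQUEST on eth0 to 192.168.91.254 port 67 (xid=0x483caad7)
Nov 15 11:36:04 Darren dhclient[1178]: DHCPACK from 192.168.91.254 (xid=0x483caad7)
Nov 15 17:39:20 Darren root: Hello word!
this line is not syslog formatted
""".splitlines()
```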

4 Log configuration file /etc/rsyslog.conf

[root@host log]# cat /etc/rsyslog.conf | grep -v '#'

# record all messages, but ignore those from mail, authpriv and cron

*.info;mail.none;authpriv.none;cron.none    /var/log/messages

authpriv.*    /var/log/secure

# mail produces a lot of log output; the leading - means buffer in memory first and flush to disk in batches

mail.*    -/var/log/maillog

cron.*    /var/log/cron

# when the severity is emerg, broadcast the message to all logged-in users

*.emerg    *

uucp,news.crit    /var/log/spooler

local7.*    /var/log/boot.log

Format of the rules in /etc/rsyslog.conf:

service name, connection symbol, log level, log record location; written as facility.level followed by the destination, e.g. mail.info    /var/log/maillog

(1) Service name (facility)

authpriv    authentication-related mechanisms that require an account and password, such as login, ssh and su

cron    logs produced by the scheduled-task services cron and at

daemon    logs of the various daemons

kern    messages produced by the kernel

lpr    logs produced by printing

mail    mail sending and receiving

news    news server logs

user    log messages of user-level programs

syslog    messages produced by the rsyslogd service itself

local0-local7    reserved for local use

uucp    log messages of the UUCP subsystem

(2) Connection symbol

*    stands for every log level

mail.info    mail messages at info level or higher

.=info    only messages exactly at info level

.!=info    messages that are not at info level (the bare form .!info excludes info and every level above it)

(3) Log level

none    ignore the messages of this service

debug    general debugging information

info    basic notification information

warning    warning messages

err    error messages, which may affect the operation of the service or system

crit    critical conditions, more severe than err

alert    alert conditions, more severe than crit

emerg    panic level, the system is no longer usable

(4) Log record location

The file the log is written to
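As an added example (not code from the original article), the selector semantics of (1) to (3) in Python: comma-separated facilities, level thresholds, the = and != forms, none and *, applied left to right the way rsyslog builds its legacy selector rules, so you can check which file a message of a given facility and level would reach. The sample configuration is constructed from the article's excerpt; notice, which the level list above omits, is part of the standard set.

```python
# Least to most severe; the article's level list omits "notice" (between info and warning).
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "news",
              "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]

def _apply_selector(masks, selector):
    """Update the per-facility sets of matching levels for one 'fac[,fac].level' selector."""
    facs, _, prio = selector.rpartition(".")
    for fac in (FACILITIES if facs == "*" else facs.split(",")):
        cur = masks.setdefault(fac, set())
        if prio == "none":             # drop this facility from the rule
            cur.clear()
        elif prio.startswith("!="):    # exclude exactly this level
            cur.discard(prio[2:])
        elif prio.startswith("!"):     # exclude this level and everything above it
            cur.difference_update(PRIORITIES[PRIORITIES.index(prio[1:]):])
        elif prio.startswith("="):     # exactly this level
            cur.add(prio[1:])
        else:                          # this level (any level for "*") and everything above
            start = 0 if prio == "*" else PRIORITIES.index(prio)
            cur.update(PRIORITIES[start:])

def parse_rules(conf_text):
    """Return [(masks, target)] per 'selectors  target' line; comments and $-directives skipped."""
    rules = []
    for line in map(str.strip, conf_text.splitlines()):
        if not line or line[0] in "#$":
            continue
        selectors, target = line.split(None, 1)
        masks = {}
        for sel in selectors.split(";"):
            _apply_selector(masks, sel)
        rules.append((masks, target))
    return rules

def targets_for(rules, facility, priority):
    """All targets a message with this facility and level is written to, in rule order."""
    return [t for masks, t in rules if priority in masks.get(facility, set())]

# Constructed config mirroring the article's /etc/rsyslog.conf excerpt.
SAMPLE_CONF = """
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                 /var/log/secure
mail.*                                     -/var/log/maillog
cron.*                                     /var/log/cron
*.emerg                                    *
uucp,news.crit                             /var/log/spooler
"""
```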

Setting chattr +a makes a log append-only: data can only be added to it and existing content cannot be modified or deleted, which protects the log against mistaken operations, even by root

[root@host log]# chattr +a cron

[root@host log]# lsattr cron

-----a-------e- cron

Example: a custom log for the cron service

[root@host log]# vim /etc/rsyslog.conf

cron.*    /var/log/test.log    -- send all logs of the cron service to the file /var/log/test.log

[root@host log]# /etc/init.d/rsyslog restart    -- restart the rsyslog service

Create a scheduled task to test it; the log file is then generated:

[root@host log]# crontab -e

*/2 * * * * echo "This is test!" >> /tmp/root.txt

[root@host log]# ll /var/log/test.log

-rw------- 1 root root 2395 Nov 10:17 /var/log/test.log

5 Building a log server

(1) Environment

CentOS release 6.8 (Final)

client: 192.168.91.5

server: 192.168.91.3

The firewalls on the client and the server are shut down, and the two hosts must be able to ping each other

[root@host log]# /etc/init.d/iptables stop    -- run on both the client and the server

(2) Client configuration

Edit the client's /etc/rsyslog.conf and specify the IP of the host the logs are written to:

[root@host log]# vim /etc/rsyslog.conf

Add:

*.* @@192.168.91.3:514    -- all facilities at all levels; @@ means TCP (a single @ would be UDP)

Restart the rsyslog service:

[root@host log]# /etc/init.d/rsyslog restart

(3) Server configuration

Edit the server's /etc/rsyslog.conf to load the TCP input module and open the port (plain TCP on 514 carries the logs unencrypted and unauthenticated, so this setup belongs on a trusted network):

[root@host log]# vim /etc/rsyslog.conf

$ModLoad imtcp

$InputTCPServerRun 514

Restart the rsyslog service:

[root@host log]# /etc/init.d/rsyslog restart

Check port 514:

[root@host log]# netstat -nltup | grep 514

tcp    0    0 0.0.0.0:514    0.0.0.0:*    LISTEN    13721/rsyslogd

tcp    0    0 :::514    :::*    LISTEN    13721/rsyslogd


(4) Test

Client

Generate a log message on the client:

[root@host log]# logger 'Hello word!'

[root@host log]# cat /var/log/messages | grep 'Hello word!'

Nov 17:39:20 Zhishutang root: Hello word!

Server

The client's log is written to the log server successfully:

[root@host log]# cat /var/log/messages | grep 'Hello word!'

Nov 17:39:20 Zhishutang root: Hello word!



6 Rotating log files with logrotate

(1) Configuration files

/etc/logrotate.conf

/etc/logrotate.d/

[root@host log]# cat /etc/logrotate.conf

weekly    -- rotate weekly by default

rotate 4    -- keep four rotated log files by default

create    -- create a new empty log file after rotating

dateext    -- use the date as the suffix of rotated files

#compress    -- compress old logs; commented out, so not compressed by default

# settings inside braces override the defaults for the named file:

/var/log/wtmp {    -- the log file these settings apply to

monthly    -- rotate monthly

create 0664 root utmp    -- permissions 0664, owner root, group utmp

minsize 1M    -- do not rotate until the file is larger than 1M

rotate 1    -- keep one old log file

}

/var/log/btmp {

missingok

monthly

create 0600 root utmp

rotate 1

}

/usr/local/apache2/logs/access_log {

daily

create

rotate 30

}


Files in the directory:

[root@host logrotate.d]# ll /etc/logrotate.d/

-rw-rw-r-- 1 root root 135 January ConsoleKit

-rw-r--r-- 1 root root 71 May cups

-rw-r--r-- 1 root root 139 May dracut

-rw-r--r-- 1 root root 185 July 19:00 httpd

-rw-r--r-- 1 root root 329 July psacct

-rw-r--r-- 1 root root 210 December syslog

-rw-r--r-- 1 root root 87 July 00:45 yum

[root@host logrotate.d]# cat /etc/logrotate.d/syslog

/var/log/cron

/var/log/maillog

/var/log/messages

/var/log/secure

/var/log/spooler

{

sharedscripts

postrotate

/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true

endscript

}



(2) The logrotate command

-v    show the rotation process

-f    force rotation

[root@host /]# logrotate -v /etc/logrotate.conf    -- show the rotation process

[root@host /]# logrotate -vf /etc/logrotate.conf    -- force rotation

# check what changed in the log directory:

[root@host log]# ls

anaconda.ifcfg.log    btmp-20161115    dmesg.old    maillog-20161114    samba    spooler-20161115

anaconda.log    cluster    dracut.log    maillog-20161115    secure    tallylog

anaconda.program.log    ConsoleKit    dracut.log-20160920.gz    messages    secure-20161101    wtmp

anaconda.storage.log    cron    dracut.log-20161114    messages-20161101    secure-20161107    wtmp-20161115

anaconda.syslog    cron-20161101    httpd    messages-20161107    secure-20161114    yum.log

anaconda.xlog    cron-20161107    lastlog    messages-20161114    secure-20161115    yum.log-20160920

anaconda.yum.log    cron-20161114    mail    messages-20161115    spooler    yum.log-20161114

audit    cron-20161115    maillog    ntpstats    spooler-20161101

boot.log    cups    maillog-20161101    prelink    spooler-20161107

btmp    dmesg    maillog-20161107    sa    spooler-20161114

You can see that these five logs

/var/log/cron

/var/log/maillog

/var/log/messages

/var/log/secure

/var/log/spooler

were configured for weekly rotation, but the forced run rotated them immediately.


This article is from the "10979687" blog, please be sure to keep this source http://10989687.blog.51cto.com/10979687/1872929
