Linux (Red Hat) Basic Learning - System Log Management

Source: Internet
Author: User
Tags: syslog, system log, rsyslog, chrony

System Log Management

1. System log

The system log records information about hardware, software and system problems, and also tracks the events that happen on the system. It is what you consult to find out why an error occurred, or to look for the traces an intruder left behind after an attack. System logs cover the system log proper, application logs and the security log.
2. Default classification of system logs

/var/log/messages     logs of system services: service information, errors and so on
/var/log/secure       login and authentication logs
/var/log/maillog      mail service logs
/var/log/cron         scheduled-task (cron) logs
/var/log/boot.log     boot logs
3. Collecting system logs

1. The log management service: rsyslog

rsyslog collects logs and stores them sorted by classification; it does not generate logs itself.

2. The configuration file for log collection

vim /etc/rsyslog.conf   ------------>  main configuration file

    *.*                              /var/log/westos
    facility.priority                destination file

Format of a configuration rule

    facility.priority        action

For example, *.* matches every message from every facility at every priority.

(1) Facility (log device / type)

    auth          logs generated by PAM
    authpriv      authentication information for logins such as ssh and ftp
    cron          scheduled tasks
    kern          kernel
    lpr           printing
    mail          mail
    mark          (syslog) messages generated internally by the rsyslog service
    news          news group
    user          information generated by user programs
    uucp          UNIX-to-UNIX copy, communication between UNIX hosts
    local0~local7 custom log facilities

(2) Connector

    .xxx          messages at level xxx and above (xxx and everything more severe)
    .=xxx         messages at exactly level xxx
    .!xxx         messages at levels other than xxx and above (only those below xxx)
    .none         no messages from this facility

(3) Priority (log level)

    debug         debugging information; the most verbose
    info          general information; the most commonly used
    notice        normal but significant information
    warning       warning level
    err           error level; a feature or module has stopped working properly
    crit          critical level; the whole system or the whole program has stopped working properly
    alert         information that must be acted on immediately
    emerg         kernel crashes and other fatal conditions
    none          record nothing

ps: from top to bottom the levels go from low to high, and the higher the level named in a selector, the less is recorded.

Details are in the manual: man 3 syslog for the facilities and levels, man 5 rsyslog.conf for the selector syntax.
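The three connector forms are easy to misread, so here is the matching rule written out as a small shell function and run over constructed messages. This is an added example, not code from the original page or from rsyslog itself; it handles a single "facility[,facility].priority" selector (the "sel1;sel2" chain form is out of scope), and the priority numbers are the syslog(3) values, where emerg is 0 and debug is 7.

```shell
#!/bin/sh
# Added example: reproduces how rsyslog decides whether a classic
# "facility.priority" selector matches a message, so the connector forms
# .xxx / .=xxx / .!xxx / .none can be tried without editing /etc/rsyslog.conf.

# syslog(3) numeric priority: emerg is the most severe (0), debug the least (7).
prio_num() {
    case "$1" in
        emerg|panic)  echo 0 ;;
        alert)        echo 1 ;;
        crit)         echo 2 ;;
        err|error)    echo 3 ;;
        warning|warn) echo 4 ;;
        notice)       echo 5 ;;
        info)         echo 6 ;;
        debug)        echo 7 ;;
        *)            return 1 ;;   # unknown level name
    esac
}

# Usage: selector_matches 'facility[,facility].priority' <msg_facility> <msg_priority>
# Returns 0 when a message with that facility/priority would be written by the rule,
# 1 when it would not, 2 on an unknown level name.
selector_matches() {
    sel=$1; mfac=$2; mprio=$3
    facs=${sel%.*}    # text before the last dot: "*" or a comma separated facility list
    pri=${sel##*.}    # text after the last dot: the priority with its connector

    if [ "$facs" != "*" ]; then
        case ",$facs," in
            *",$mfac,"*) ;;          # message facility is in the list
            *) return 1 ;;
        esac
    fi

    m=$(prio_num "$mprio") || return 2
    case "$pri" in
        '*')  return 0 ;;                                          # every level
        none) return 1 ;;                                          # nothing from this facility
        =*)   t=$(prio_num "${pri#=}") || return 2; [ "$m" -eq "$t" ] ;;   # exactly this level
        '!'*) t=$(prio_num "${pri#!}") || return 2; [ "$m" -gt "$t" ] ;;   # strictly below this level
        *)    t=$(prio_num "$pri")     || return 2; [ "$m" -le "$t" ] ;;   # this level and more severe
    esac
}

# Runs a handful of rules over constructed messages and prints a match table.
demo() {
    for rule in '*.*' 'authpriv.*' '*.err' 'mail.=info' 'kern.!crit' 'cron.none' 'auth,authpriv.warning'; do
        for msg in 'authpriv info' 'kern err' 'mail info' 'cron debug' 'kern crit'; do
            set -- $msg      # constructed message: facility then priority
            if selector_matches "$rule" "$1" "$2"; then r=match; else r=skip; fi
            printf '%-22s %-9s %-6s %s\n' "$rule" "$1" "$2" "$r"
        done
    done
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as "sh selectors.sh demo" to see the table. Before restarting rsyslog with a new rule set, rsyslogd -N1 parses the configuration and reports syntax errors without starting the daemon, which is the check worth running first.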
3. Storage directory for collected logs

The directory can be customized, but logs are normally placed under /var/log/.

4. Customizing the format of each collected log

Edit the file on the log receiver: vim /etc/rsyslog.conf

After the line "#### RULES ####" (line 46 of the file) add a new line:

    $template LOGFMT,"%timegenerated% %FROMHOST-IP% %syslogtag% %msg%\n"

    $template               declares a format
    LOGFMT                  the name of the format, followed by a comma
    "..."                   the format itself
    %timegenerated%         time the message was received
    %FROMHOST-IP%           IP address of the host that sent it
    %syslogtag%             the tag (program name) of the message
    %msg%                   the message text
    \n                      newline

Then refer to the template from a rule, after a semicolon, for example:

    *.*              /var/log/westos;LOGFMT

Restart the service after the configuration is complete:

systemctl restart rsyslog
2. Forwarding logs to a remote host

1. Open the firewall between the log sender and receiver

systemctl stop firewalld            stop the firewall on both hosts
systemctl disable firewalld         keep it from starting at boot

This is the lab shortcut. On a real system leave firewalld running and open only the receiving port (514/udp or 514/tcp) on the receiver; the sender makes an outbound connection and needs no inbound rule.

2. Configure the log sender

Edit the file: vim /etc/rsyslog.conf

*.*             @172.25.254.157 ---------->  send all logs to host 157 over UDP

ps: a single @ sends over UDP; a double @@ sends over TCP

systemctl restart rsyslog           restart the log service

Neither plain UDP nor plain TCP forwarding authenticates or encrypts the stream, and UDP drops messages silently under load. A receiver that listens on port 514 for anyone will also accept forged entries from any host that can reach it, so restrict the allowed senders (firewall rule or rsyslog's $AllowedSender directive) and prefer TCP with TLS where the logs matter.


3. Configure the log receiver

Edit the file: vim /etc/rsyslog.conf, and uncomment lines 15 and 16:

$ModLoad imudp            load the UDP log-receiving module (plugin)
$UDPServerRun 514         start the receiver on port 514

(For TCP the equivalent pair is $ModLoad imtcp and $InputTCPServerRun 514.)

Restart the log service: systemctl restart rsyslog


4. Testing

> /var/log/messages              empty the log file on both hosts
logger test message              generate a test log on the sender (logger followed by a string is the usual way to test whether a message gets recorded)
tail -f /var/log/messages        on the receiver, follow the last 10 lines of messages and check that the test message just sent has arrived

Truncating /var/log/messages is fine in a lab but destroys history on a real host; sending a unique string with logger and searching for it is the non-destructive version of the same test.
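The forwarding setup and its test, scripted. This is an added example and not code from the original page: it writes the sender and receiver configuration lines the page describes, opens only the syslog port in firewalld instead of stopping it, sends a marker through logger and polls the receiver's log for it with a timeout. The receiver IP and log path are the page's values (172.25.254.157, /var/log/messages) and are placeholders for your own hosts; the marker text and the sample log line in the test are constructed.

```shell
#!/bin/sh
# Added example: remote rsyslog forwarding, configured and verified without
# disabling the firewall. Run the *_sender functions on the sending host and
# the *_receiver functions on the receiving host, as root.

RECEIVER_IP=${RECEIVER_IP:-172.25.254.157}       # placeholder from the page
RECEIVER_LOG=${RECEIVER_LOG:-/var/log/messages}

# Rule line for the sender's /etc/rsyslog.conf: "@" = UDP, "@@" = TCP.
forward_rule() {   # forward_rule <ip> <udp|tcp> [port]
    case "$2" in
        udp) printf '*.* @%s:%s\n'  "$1" "${3:-514}" ;;
        tcp) printf '*.* @@%s:%s\n' "$1" "${3:-514}" ;;
        *)   echo "forward_rule: protocol must be udp or tcp" >&2; return 2 ;;
    esac
}

# Module/input lines for the receiver's /etc/rsyslog.conf.
receiver_input() {   # receiver_input <udp|tcp> [port]
    case "$1" in
        udp) printf '$ModLoad imudp\n$UDPServerRun %s\n' "${2:-514}" ;;
        tcp) printf '$ModLoad imtcp\n$InputTCPServerRun %s\n' "${2:-514}" ;;
        *)   echo "receiver_input: protocol must be udp or tcp" >&2; return 2 ;;
    esac
}

# On the receiver: open the port in firewalld rather than stopping the firewall.
open_syslog_port() {   # open_syslog_port <udp|tcp> [port]
    firewall-cmd --permanent --add-port="${2:-514}/$1" && firewall-cmd --reload
}

# Apply the forwarding rule on the sender and restart rsyslog.
configure_sender() {   # configure_sender <udp|tcp>
    forward_rule "$RECEIVER_IP" "$1" >> /etc/rsyslog.conf
    rsyslogd -N1 && systemctl restart rsyslog
}

# Send a message carrying a marker unique to this host, pid and second.
send_test_message() {
    marker="rsyslog-fwd-test-$(uname -n)-$$-$(date +%s)"
    logger -t fwdtest "$marker"
    echo "$marker"
}

# Wait up to $3 seconds (default 10) for $2 to appear in log file $1.
wait_for_marker() {   # wait_for_marker <logfile> <marker> [timeout_s]
    i=0
    while [ "$i" -lt "${3:-10}" ]; do
        grep -q -- "$2" "$1" 2>/dev/null && return 0
        sleep 1
        i=$((i + 1))
    done
    echo "marker '$2' not found in $1 after ${3:-10}s" >&2
    return 1
}
```

On the receiver: receiver_input udp >> /etc/rsyslog.conf, open_syslog_port udp, restart rsyslog. On the sender: configure_sender udp, then marker=$(send_test_message) and copy the printed marker to the receiver, where wait_for_marker "$RECEIVER_LOG" "$marker" 10 exits 0 only if the message actually arrived. Nothing here truncates /var/log/messages.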
3. Time synchronization service

Service name: chronyd

Log timestamps from several hosts can only be correlated when their clocks agree, so time synchronization belongs with log management.

1. Server side (the host whose time the other hosts synchronize to)

yum install chrony -y   install the service (it is installed with the system; run this only if it is missing)

Time synchronization requires the firewall to be opened: systemctl stop firewalld (on a real system open only NTP, 123/udp, instead)

Edit the file: vim /etc/chrony.conf, around lines 21~30:

# Allow NTP client access from local network.
allow 172.25.254.0/24    ------------>  who may synchronize from me (here: hosts whose first three octets match)

# Serve time even if not synchronized to any NTP server.
local stratum 10             ------------>  this host does not synchronize from anyone and serves as the time source

Restart the service: systemctl restart chronyd

timedatectl set-timezone Asia/Shanghai        change the time zone (no change needed if the zone is already consistent)

2. Client

Open the firewall: systemctl stop firewalld (the client only sends outbound queries, so this is not actually required)

Edit the file: vim /etc/chrony.conf, and following the format of lines 3~8, write the IP of the host to synchronize time from:

    server 0.rhel.pool.ntp.org iburst
    server 1.rhel.pool.ntp.org iburst
    server 2.rhel.pool.ntp.org iburst
    server 3.rhel.pool.ntp.org iburst

For example, replace them with:

    server 172.25.250.200 iburst ---------->  this host synchronizes its time from the host at this IP

Restart the service: systemctl restart chronyd

timedatectl set-timezone Asia/Shanghai        change the time zone (no change needed if the zone is already consistent)

3. Testing

chronyc sources -v              ---------->  list the time sources and the state of each (this shows the synchronization state; it does not trigger synchronization)

"^": the source is a server
"*": the source chronyd is currently synchronized to
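Reading the "^*" marker by eye does not scale to many hosts, so here the check is scripted: parse the chronyc sources table, find the selected source, and confirm its reach register is 377 (the last eight polls all answered). This is an added example, not code from the page or from chrony; the sample table is constructed for it, with the server IP taken from the client configuration above.

```shell
#!/bin/sh
# Added example: health check over "chronyc sources" output.
# Column layout of the table: MS  Name/IP  Stratum  Poll  Reach  LastRx  Last sample
# First character of MS: ^ server, = peer, # local clock.
# Second character:      * selected source, + combined, - not combined,
#                        ? unreachable, x falseticker, ~ too variable.

# Constructed sample output, as "chronyc sources" would print it on the client.
SAMPLE_SOURCES='210 Number of sources = 2
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 172.25.250.200                3   6   377    25   +112us[ +143us] +/-   18ms
^- 0.rhel.pool.ntp.org           2   6     0     -     +0ns[   +0ns] +/-    0ns'

# Print "name stratum reach" of the source marked '*' (the one chronyd is
# synchronised to). Reads chronyc output on stdin. Returns 1 if none is selected.
selected_source() {
    awk '$1 ~ /^[=#^]\*$/ { print $2, $3, $5; found = 1 }
         END { exit found ? 0 : 1 }'
}

# Returns 0 when a selected source exists and its reach register is 377.
# Reads chronyc output on stdin; prints a one-line summary on success.
sync_healthy() {
    sel=$(selected_source) || { echo "no selected source (no '*' line)" >&2; return 1; }
    set -- $sel      # name stratum reach
    if [ "$3" != "377" ]; then
        echo "selected source $1 reach=$3, not 377 (recent polls failed)" >&2
        return 1
    fi
    echo "synchronised to $1 (stratum $2, reach $3)"
}
```

On a real client run chronyc sources | sync_healthy; a non-zero exit means the host is not synchronized and its log timestamps cannot be trusted. Replace the sample with the live output; chronyc tracking then gives the current offset from the selected source.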

4. journal

journalctl                                       show all system logs
    -n 3                                         show the last three entries
    -p err                                       show entries at priority err and above
    -o verbose                                   show every field of each entry
    --since "start time" --until "end time"      restrict to a time range

How systemd-journald saves the system log

By default this program writes the log to memory (/run/log/journal) and not to disk, so after a reboot the previous boot's log can no longer be viewed; rsyslog is what collects the logs on disk.

1. create the directory:                                   mkdir /var/log/journal
2. change the group:                                       chgrp systemd-journal /var/log/journal
3. make new files inherit the group systemd-journal:       chmod g+s /var/log/journal
4. restart systemd-journald:                               killall -1 systemd-journald

(kill takes a PID, so "kill -1 systemd-journald" as sometimes written fails; killall -1 sends SIGHUP by process name, and systemctl restart systemd-journald also works.)

A directory named after the machine ID, such as 946cb0e817...8c4fc817, is then generated under /var/log/journal. The files inside are binary and cannot be read directly; view them with journalctl.

5. The timedatectl command

timedatectl status                                show current time information
timedatectl set-time "xxxx-xx-xx xx:xx:xx"        set the current time
timedatectl set-timezone <zone>                   set the current time zone
timedatectl set-local-rtc 0|1                     whether the hardware clock keeps UTC (0) or local time (1)
timedatectl set-timezone Asia/Shanghai            set the time zone to CST (China Standard Time)

ps: set-time is refused while automatic synchronization (chronyd) is enabled; either disable it first or let chronyd set the clock.
