System log default classification
/var/log/messages    system and service messages: service status, errors, etc.
/var/log/secure      system authentication log (logins, PAM, sudo)
/var/log/maillog     system mail service log
/var/log/cron        cron (scheduled task) log
/var/log/boot.log    system boot log
Log management service: rsyslog
1. rsyslog collects log messages and stores them, classified by facility and priority
2. rsyslog log classification
vim /etc/rsyslog.conf        main configuration file
facility.priority  /storage/file      one rule per line
*.*  /var/log/westos                  e.g. write every message of every facility to /var/log/westos
systemctl restart rsyslog    restart the log service so the new rule takes effect
Format
facility.(connector)priority   action
The facility (can be understood as the log type):
auth           messages generated by PAM
authpriv       authentication messages for logins such as ssh, ftp
cron           scheduled task (cron, at) related
kern           kernel
lpr            printing
mail           mail
mark (syslog)  rsyslog's own internal messages and periodic time marks
news           newsgroups
user           messages generated by user programs (the default facility of logger)
uucp           Unix-to-Unix copy, communication between UNIX hosts
local0~7       custom facilities for local use
Priority (log level)
----------------------------------------------------------------
debug    debugging information, the most verbose level
info     informational messages, the most commonly used level
notice   normal but significant condition
warning  warning level
err      error: a feature or module cannot work correctly
crit     critical: the whole system or the whole program cannot work properly
alert    action must be taken immediately
emerg    the system is unusable, e.g. a kernel panic
none     log nothing for this facility (used to exclude a facility, e.g. mail.none)
Note: from top to bottom the levels go from low to high and the amount of information logged decreases; selecting a level matches that level and everything more severe.
Details: man 3 syslog
Connectors
----------------------------------------------------------------
.XXX     messages at level XXX and higher (more severe)
.=XXX    messages at exactly level XXX
.!XXX    messages except level XXX and higher, i.e. only the levels below XXX (.!=XXX excludes exactly XXX)
Examples
1. Record to a regular file or a device file:
*.*  /var/log/file.log      absolute path of the file
*.*  /dev/pts/0             a terminal device
2. Send to a user (the user must be logged in to receive it)
*.*  root
*.*  root,kadefor,up01      separate multiple users with commas
*.*  *                      all logged-in users
3. Ignore / discard
local3.*  ~                 discard messages of every level from facility local3; a discarded message is not seen by later rules, so put this rule before the ones it should shield (newer rsyslog spells this action "stop")
4. Execute a script:
local3.*  ^/tmp/a.sh        a caret followed by the absolute path of an executable script or program
The log message is passed to the script as its first argument ($1).
Can be used to trigger alerts. Caveat: that argument is attacker-influenced (anyone who can run logger locally or reach the UDP listener can craft it), so the script must quote "$1" and must never pass it to eval or an unquoted shell command.
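To make the selector rules above concrete (facility.priority, the ';'-joined selector lists, the = and ! connectors, none, and the ~ discard action), here is an added example, not code from the original notes: a small Python evaluator that builds the per-facility priority mask the way sysklogd/rsyslog do and routes a message through a rule list in configuration order. The rule set is constructed for this example; file names follow the notes.

```python
# Added example (not from the original notes): evaluator for legacy
# rsyslog/sysklogd selector lines. SAMPLE_RULES is a constructed config.

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}
# Numeric priorities: lower number = more severe (emerg=0 ... debug=7).
PRIORITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
ALL_PRI = frozenset(PRIORITIES.values())


def parse_selector(selector):
    """Map each facility to the set of numeric priorities the selector matches.

    Mirrors how sysklogd/rsyslog build their per-facility priority mask: the
    ';'-separated parts are applied left to right, a plain level ORs in that
    level and everything more severe, '=' ORs in exactly one level, '!'
    removes instead of adding, and 'none' clears the facility entirely.
    """
    allowed = {name: set() for name in FACILITIES}
    for part in selector.split(";"):
        facs, pri = part.rsplit(".", 1)
        targets = list(FACILITIES) if facs == "*" else facs.split(",")
        negate = pri.startswith("!")
        if negate:
            pri = pri[1:]
        exact = pri.startswith("=")
        if exact:
            pri = pri[1:]
        if pri == "none":
            for fac in targets:
                allowed[fac] = set()
            continue
        if pri == "*":
            wanted = set(ALL_PRI)
        else:
            level = PRIORITIES[pri]
            wanted = {level} if exact else {p for p in ALL_PRI if p <= level}
        for fac in targets:
            if negate:
                allowed[fac] -= wanted
            else:
                allowed[fac] |= wanted
    return allowed


def parse_rule(line):
    """Split one 'selector action' line into (allowed-map, action)."""
    selector, action = line.split(None, 1)
    return parse_selector(selector), action.strip()


def route(rules, facility, priority):
    """Return the actions a message reaches, in configuration order.

    A '~' action discards the message, so no later rule sees it.
    """
    level = PRIORITIES[priority]
    destinations = []
    for allowed, action in rules:
        if level in allowed[facility]:
            if action == "~":
                break
            destinations.append(action)
    return destinations


# Constructed sample configuration in the notes' legacy syntax.
SAMPLE_RULES = [
    "local3.*  ~",
    "*.info;mail.none;authpriv.none;cron.none  /var/log/messages",
    "authpriv.*  /var/log/secure",
    "kern.info;kern.!err  /var/log/kernel-info",
    "*.=debug  /var/log/debug.log",
    "*.emerg  *",
]

if __name__ == "__main__":
    rules = [parse_rule(line) for line in SAMPLE_RULES]
    for fac, pri in [("kern", "info"), ("kern", "err"), ("kern", "debug"),
                     ("mail", "err"), ("authpriv", "info"), ("local3", "crit")]:
        print(f"{fac}.{pri:<8} -> {route(rules, fac, pri)}")
```

Note the two things the rule order changes: the local3 discard only shields the rules after it, and kern.info;kern.!err ends up as warning, notice and info because the ! part subtracts err and above from what kern.info added.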
Log synchronization (remote logging)
systemctl stop firewalld     stops the firewall on both hosts; better: keep firewalld running and open only the listener port on the receiver (firewall-cmd --permanent --add-port=514/udp && firewall-cmd --reload)
Configuring the log sender
*.*  @172.25.0.11            send all logs to host 172.25.0.11 over UDP; @ = UDP, @@ = TCP. UDP syslog is unauthenticated and unencrypted and the source address can be spoofed, so for security-relevant logs prefer @@ (TCP, ideally with TLS) and restrict which senders the receiver accepts.
Configuring the log receiver
$ModLoad imudp               load the UDP receive module
$UDPServerRun 514            port the UDP receiver listens on
netstat -anulpe | grep rsyslog
udp    0  0 0.0.0.0:514   0.0.0.0:*   0  122073  32654/rsyslogd
udp6   0  0 :::514        :::*        0  122074  32654/rsyslogd
Test
> /var/log/messages          truncate the file on both sides
logger test                  on the log sender
tail -f /var/log/messages    on the log receiver
cat /var/log/messages
1. Change the sender configuration and restart the service when done
2. Change the receiver configuration, check the listening port, and restart the service when done
3. Test results
Log capture format (template)
$template westos,"%timegenerated% %fromhost-ip% %syslogtag% %msg%\n"
%timegenerated%    time the message was received by rsyslog
%fromhost-ip%      IP address of the sending host (taken from the socket, not from the message text)
%syslogtag%        tag of the logging program, e.g. sshd[1182]:
%msg%              the log message text
\n                 line break
$ActionFileDefaultTemplate westos     use this template for all file outputs by default
*.info;mail.none;authpriv.none;cron.none  /var/log/messages;westos     or bind the template to a single rule by appending ;templatename to the file action
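The following is an added example, not code from the original notes, covering both the UDP forwarding set up above ("*.* @172.25.0.11" on the sender, "$ModLoad imudp" / "$UDPServerRun 514" on the receiver) and the westos template. It builds the BSD-syslog datagram a sender puts on the wire (<PRI>TIMESTAMP HOST TAG: MSG, with PRI = facility*8 + severity), decodes it on the receiver, and renders the template, taking %fromhost-ip% from the socket and %timegenerated% from the receiver's clock rather than from the untrusted payload. The host names, the allow list and the loopback port are assumptions made for this example.

```python
# Added example (not from the original notes): sender and receiver side of
# UDP syslog forwarding plus the "westos" template. Hosts, addresses and
# ALLOWED_SENDERS are constructed for the example.
import re
import socket
import time

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}
PRIORITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
PRIORITY_NAMES = {v: k for k, v in PRIORITIES.items()}

# The template from the notes; rsyslog turns the literal \n into a newline.
WESTOS_TEMPLATE = r"%timegenerated% %fromhost-ip% %syslogtag% %msg%\n"

# Constructed allow list: the only hosts the receiver should accept from.
ALLOWED_SENDERS = {"172.25.0.10", "127.0.0.1"}

BSD_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:]+): ?"
    r"(?P<msg>.*)$"
)


def encode_pri(facility, priority):
    """PRI value in the <PRI> prefix: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + PRIORITIES[priority]


def decode_pri(pri):
    """Inverse of encode_pri, returning (facility_name, priority_name)."""
    return FACILITY_NAMES[pri // 8], PRIORITY_NAMES[pri % 8]


def build_datagram(facility, priority, hostname, tag, msg, timestamp):
    """Sender side: the BSD-syslog line that the @ action puts on the wire."""
    pri = encode_pri(facility, priority)
    return f"<{pri}>{timestamp} {hostname} {tag}: {msg}".encode()


def parse_datagram(data, from_ip, received_at):
    """Receiver side: decode one datagram into rsyslog-style properties.

    %fromhost-ip% comes from the socket's source address and %timegenerated%
    from the receiver's clock; neither is taken from the (untrusted) payload.
    """
    m = BSD_LINE.match(data.decode("utf-8", errors="replace"))
    if not m:
        raise ValueError("not a BSD syslog line")
    facility, priority = decode_pri(int(m["pri"]))
    return {
        "facility": facility,
        "priority": priority,
        "timereported": m["timestamp"],   # timestamp inside the message
        "timegenerated": received_at,     # time the receiver got it
        "fromhost-ip": from_ip,
        "hostname": m["host"],
        "syslogtag": m["tag"] + ":",      # rsyslog keeps the colon in the tag
        "msg": m["msg"],
    }


def render(template, props):
    """Expand %property% placeholders the way the $template line does."""
    body = re.sub(r"%([\w-]+)%", lambda mm: str(props[mm.group(1)]), template)
    return body.replace("\\n", "\n")


def accept(from_ip):
    """Allow-list check. A UDP source address can be spoofed, so this only
    narrows exposure; for real trust use @@ (TCP) with TLS and a firewall."""
    return from_ip in ALLOWED_SENDERS


def udp_roundtrip(datagram):
    """Send one datagram to a loopback listener and return (data, source_ip)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))            # ephemeral port instead of 514
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.sendto(datagram, server.getsockname())
    data, (source_ip, _) = server.recvfrom(65535)
    client.close()
    server.close()
    return data, source_ip


if __name__ == "__main__":
    # What "logger test" on the sender produces: user.notice from tag root.
    wire = build_datagram("user", "notice", "sender", "root", "test",
                          time.strftime("%b %e %H:%M:%S"))
    data, src = udp_roundtrip(wire)
    if accept(src):
        props = parse_datagram(data, src, time.strftime("%b %e %H:%M:%S"))
        print(render(WESTOS_TEMPLATE, props), end="")
```

Running it prints one line in the same shape the westos template writes to /var/log/messages on the receiver. The allow-list check stands in for the firewall rule a receiver should have; it does not make UDP trustworthy, which is why TCP with TLS is the right transport once the lab setup works.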
Log analysis tool: journal
systemd-journald             process name
journalctl                   run with no arguments to browse the whole system journal
-n 3                         show the latest 3 entries
-p err                       show entries of priority err and higher
-f                           follow the journal (like tail -f)
--since / --until            --since "YYYY-MM-DD HH:MM:SS" --until "YYYY-MM-DD HH:MM:SS": entries between two points in time
-o verbose                   show every field of each entry; those field names can then be used as filters, e.g.:
_SYSTEMD_UNIT=sshd.service   entries from that service
_PID=1182                    entries from that process ID
Management of systemd-journald
By default the journal lives in /run/log/journal and is lost on reboot. To keep it across reboots:
mkdir /var/log/journal
chown root:systemd-journal /var/log/journal
chmod 2755 /var/log/journal
killall -1 systemd-journald                           send SIGHUP to journald (or: systemctl restart systemd-journald); killall -USR1 systemd-journald flushes what is already in /run into the new directory
ls /var/log/journal/4513ad59a3b442ffa4b7ea88343fa55f   one subdirectory per machine-id
system.journal  user-1000.journal
Linux system logs