Log File function details

Source: Internet
Author: User
Tags: syslog, rsyslog, dmesg


Logs exist to record important events so that the server can be managed more easily.


The following describes 20 log files under the /var/log directory. Some of them exist only on specific distributions; for example, dpkg.log is only found on Debian-based systems.

/var/log/messages - contains general system information, including the log written during system startup. In addition, the mail, cron, daemon, kern and auth facilities are also recorded in /var/log/messages.

/var/log/dmesg - contains the kernel ring buffer. When the system starts, a great deal of hardware-related information is printed to the screen; the dmesg command lets you view it afterwards.

/var/log/auth.log - contains system authorization information, including user logins and the permission mechanisms used.

/var/log/boot.log - contains the system startup log.

/var/log/daemon.log - contains the logs of the various background daemons.

/var/log/dpkg.log - records packages installed or removed with the dpkg command.

/var/log/kern.log - contains the logs generated by the kernel, which helps when troubleshooting a customized kernel.

/var/log/lastlog - records the most recent login of every user. This is not an ASCII file, so use the lastlog command to view it.

/var/log/maillog or /var/log/mail.log - contains the log of the mail server running on the system. For example, all sendmail log output goes to this file.

/var/log/user.log - contains messages of all levels from the user facility.

/var/log/Xorg.x.log - log output from X.

/var/log/alternatives.log - changes made by update-alternatives are recorded in this file.

/var/log/btmp - records all failed login attempts. Use the last command to view it, for example: last -f /var/log/btmp | more

/var/log/cups - logs of everything related to printing.

/var/log/anaconda.log - when Linux is installed, all installation messages are stored in this file.

/var/log/yum.log - contains information about packages installed with yum.

/var/log/cron - each time the cron daemon starts a job, the related information is recorded in this file.

/var/log/secure - contains authentication and authorization information. For example, sshd records everything here, including failed logins.

/var/log/wtmp or /var/log/utmp - contain login records. With wtmp you can find out who is logged on to the system; the who command displays this information.

/var/log/faillog - contains records of failed user logins; failed login attempts are recorded here and viewed with the faillog command.

In addition to the log files above, /var/log also contains the following sub-directories for specific applications:

/var/log/httpd/ or /var/log/apache2/ - contains the web server's access_log and error_log.

/var/log/lighttpd/ - contains the access_log and error_log of lighttpd.

/var/log/mail/ - this subdirectory contains additional mail server logs.

/var/log/prelink/ - contains information about the .so files modified by prelink.

/var/log/audit/ - contains the records stored by the Linux audit daemon (auditd).

/var/log/samba/ - contains the logs stored by Samba.

/var/log/sa/ - contains the sar files collected daily by the sysstat package.

/var/log/sssd/ - used by the System Security Services Daemon (sssd).

The syslog facility consists of a daemon, syslogd. It accepts log messages from the system and handles them according to the instructions in the /etc/syslog.conf configuration file. Programs, daemons and the kernel all provide log messages to it, so any program that wants to generate log messages can call the syslog interface to do so.

Generally, syslog receives messages from the various parts of the system. Each message carries a level of importance. The /etc/syslog.conf file tells syslogd how to handle messages according to their facility and importance level.

2) /etc/syslog.conf

The /etc/syslog.conf file uses the following format:

facility.level action

Blank lines and lines starting with # are ignored. The facility.level field is also called the selector. One or more tabs should separate the selector from the action; most Linux systems accept spaces as separators as well. The three elements of /etc/syslog.conf are analyzed below.

The facility specifies the syslog subsystem; the main facilities are:

auth - authentication activity, as reported by pam_pwdb.

authpriv - authentication activity that includes privileged information such as user names.

cron - messages related to cron.

daemon - messages related to the inetd daemon.

kern - kernel messages, which are first passed through klogd.

lpr - messages related to the print service.

mail - mail-related messages.

mark - syslog's internal facility, used to generate timestamps.

news - messages from the news server.

syslog - messages generated by syslog itself.

user - messages generated by user programs.

uucp - messages generated by uucp.

local0 to local7 - for use by custom programs; for example, local5 can be used as the facility for SSH.

* - wildcard representing all facilities except mark.

The priorities (levels) of each facility are arranged in a fixed order: emerg is the highest level, followed by alert, and so on. By default, a level written in /etc/syslog.conf selects that level and all higher levels. If you want to select a definite level, use the two operators ! (not equal) and =. For example:

user.=info

tells syslogd to accept all messages from the user facility at the info level only.

The syslog levels are as follows:

emerg or panic - the system is unusable.

alert - a condition that must be corrected immediately.

crit - a critical condition that prevents certain tools or subsystems from functioning.

err - an error condition that blocks some function of a tool or subsystem.

warning - warning messages.

notice - normal but significant conditions.

info - informational messages.

debug - debugging messages, containing no other information about functional conditions or problems.

none - no importance level; usually used for troubleshooting.

* - all levels except none.

The action field allows a lot of flexibility. In particular, you can use a named pipe to let syslogd hand messages to a post-processing program.

syslog mainly supports the following actions:

file - the absolute path of a file.

terminal or printer - a fully qualified serial or parallel device identifier.

@host - a remote log server.

username - send the message to the specified user with write.

named pipe - the absolute path of a FIFO file created with the mkfifo command.

syslog: the logging system

syslogd: logs related to system processes

klogd: logs related to kernel events
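The selector rules above (a bare level meaning "this level and higher", the = and ! operators, the * wildcard, none, and the ; and , separators) are easy to get wrong when writing /etc/syslog.conf by hand. The following is an added example, not code from the original post: a small Python matcher that reads syslog.conf-style lines and reports which actions a message with a given facility and level would reach. The ! operator is implemented the way the classic sysklogd does it (it removes that level and everything more severe from what earlier selectors picked), and the sample configuration is constructed for the demonstration.

```python
"""Added example (not code from the original post): a matcher for
syslog.conf-style selector lines, 'facility.level<TAB>action'.

Semantics follow the article and the classic sysklogd implementation: a
bare level selects that level and everything more severe; '=level' selects
exactly that level; '!level' removes that level and everything more severe
from what earlier selectors picked; '*' and 'none' select everything and
nothing; selectors are joined with ';' and facilities with ','.
"""

# Priorities from most to least severe, as listed in the article.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}

# Facilities from the article; '*' covers all of them except mark.
FACILITIES = {"auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "mark",
              "news", "syslog", "user", "uucp"} | {f"local{i}" for i in range(8)}


def _rank(level):
    """Severity rank: 0 is emerg (highest), 7 is debug (lowest)."""
    return PRIORITIES.index(ALIASES.get(level, level))


def _apply(spec, msg_level, decision):
    """Apply one level spec to the running yes/no decision for a message."""
    r = _rank(msg_level)
    if spec == "none":
        return False
    if spec == "*":
        return True
    if spec.startswith("!"):
        # '!level': drop this level and all more severe levels.
        return False if r <= _rank(spec[1:]) else decision
    if spec.startswith("="):
        return True if r == _rank(spec[1:]) else decision
    # Bare level: this level and all more severe levels, added to earlier picks.
    return True if r <= _rank(spec) else decision


def selector_matches(selector, facility, level):
    """Evaluate a whole selector field such as '*.info;mail.none;authpriv.none'.
    Sub-selectors apply left to right, so 'mail.none' after '*.info' removes
    mail from the earlier wildcard pick."""
    decision = False
    for part in selector.split(";"):
        facilities, _, spec = part.strip().rpartition(".")
        for fac in facilities.split(","):
            fac = fac.strip()
            if (fac == "*" and facility != "mark") or fac == facility:
                decision = _apply(spec.strip(), level, decision)
    return decision


def parse_conf(text):
    """Parse syslog.conf text into (selector, action) pairs.  Blank lines and
    '#' comments are skipped; selector and action may be separated by tabs or
    spaces.  Unknown facility names raise ValueError so a typo surfaces at
    load time instead of silently matching nothing."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        for part in selector.split(";"):
            for fac in part.rpartition(".")[0].split(","):
                if fac != "*" and fac not in FACILITIES:
                    raise ValueError(f"line {lineno}: unknown facility {fac!r}")
        rules.append((selector, action.strip()))
    return rules


def actions_for(rules, facility, level):
    """Return every action whose selector accepts a (facility, level) message."""
    return [action for selector, action in rules
            if selector_matches(selector, facility, level)]


# Constructed sample configuration in /etc/syslog.conf format (tabs separate
# selector and action, as the article recommends).
SAMPLE_CONF = """
# Everything at info or above, except mail and authpriv.
*.info;mail.none;authpriv.none\t/var/log/messages
authpriv.*\t/var/log/secure
mail.*\t-/var/log/maillog
cron.*\t/var/log/cron
*.emerg\t*
user.=info\t/var/log/user-info.log
kern.*;kern.!warning\t/var/log/kern-noise.log
"""

if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    for fac, lvl in [("authpriv", "info"), ("user", "info"), ("kern", "err"), ("kern", "debug")]:
        print(f"{fac}.{lvl:<8} -> {actions_for(rules, fac, lvl)}")
```

Running it shows, for instance, that an authpriv.info message reaches only /var/log/secure (the authpriv.none sub-selector removes it from /var/log/messages), and that kern.err goes to /var/log/messages while kern.debug goes only to the noise file. Checking a configuration this way before restarting syslogd is a cheap way to confirm that security-relevant facilities such as authpriv are not accidentally dropped.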

3) Invoking the syslogd daemon

The syslog daemon is started by the /etc/rc.d/init.d/syslog script at runlevel 2. By default no options are used, but two options, -r and -h, are useful.

If you want to run a log server, you must start syslogd with -r. By default syslogd does not accept messages from remote systems; with the -r option, syslogd listens for UDP packets on port 514.

If you want the log server to forward log messages, use the -h flag. Without it, syslogd ignores /etc/syslog.conf entries that would send messages received from one remote system on to another.

The above is done by adding the -r -h parameters to SYSLOGD_OPTIONS in /etc/sysconfig/syslog.

4) The klogd daemon

The klogd daemon obtains and records Linux kernel messages. Normally syslogd records everything that klogd sends it. However, if klogd is started with -f filename, klogd writes all messages to filename instead of passing them to syslogd. When another file is specified in this way, klogd writes messages of every level or priority to it. klogd has no configuration file comparable to /etc/syslog.conf. The advantage of using klogd rather than relying on syslogd alone is that a large number of kernel errors can be found; if someone intrudes into the kernel, the errors klogd records can be used to investigate.

Enable the log server function (in /etc/rsyslog.conf):

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
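Once syslogd -r or rsyslog's imudp module is listening on UDP 514, every remote message arrives as one datagram in the classic BSD syslog format "<PRI>TIMESTAMP HOST TAG: MSG", where PRI = facility*8 + severity. The following is an added example, not code from the original post or from the rsyslog project: it encodes and decodes that PRI field, validates an incoming datagram instead of guessing at a malformed one, and exercises the exchange over the loopback interface. Because port 514 needs root, the receiver here binds to an ephemeral port; the client name, tag, timestamp and message text are constructed.

```python
"""Added example (not from the original post): what a syslog receiver on
UDP 514 actually gets from a remote sender, demonstrated on loopback.

PRI = facility * 8 + severity, carried in angle brackets at the start of
the datagram.  Facility codes are the standard syslog numbers; severity
numbers follow the article's level order (emerg = 0 ... debug = 7).
"""
import re
import socket

FACILITY_CODES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}
FACILITY_NAMES = {code: name for name, code in FACILITY_CODES.items()}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_HEADER = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def encode_pri(facility, severity):
    """PRI value for a (facility, severity) pair, e.g. authpriv.info -> 86."""
    return FACILITY_CODES[facility] * 8 + SEVERITIES.index(severity)


def decode_pri(pri):
    """Split a PRI value back into (facility, severity) names; reserved
    facility codes (12-15) raise ValueError rather than being mislabelled."""
    facility_code, severity_code = divmod(pri, 8)
    if facility_code not in FACILITY_NAMES:
        raise ValueError(f"unknown facility code {facility_code}")
    return FACILITY_NAMES[facility_code], SEVERITIES[severity_code]


def parse_datagram(data):
    """Parse one received datagram into a dict.  A missing or out-of-range
    PRI header raises ValueError, which is what a receiver should do with
    malformed input instead of filing it under a default facility."""
    text = data.decode("utf-8", errors="replace")
    m = _HEADER.match(text)
    if not m or int(m.group(1)) > 191:
        raise ValueError(f"malformed syslog datagram: {text[:40]!r}")
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity, "body": m.group(2)}


def build_datagram(facility, severity, host, tag, msg):
    """Assemble a BSD-style datagram (constructed, fixed timestamp)."""
    return f"<{encode_pri(facility, severity)}>Aug 21 10:15:02 {host} {tag}: {msg}".encode()


def loopback_exchange(facility, severity, msg):
    """Send one message to a UDP receiver on 127.0.0.1 and return what the
    receiver parsed.  Stands in for a client sending to a -r server on 514."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))        # ephemeral port, no root needed
    server.settimeout(2)
    port = server.getsockname()[1]
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        client.sendto(build_datagram(facility, severity, "client01", "sshd[4242]", msg),
                      ("127.0.0.1", port))
        data, addr = server.recvfrom(4096)
        parsed = parse_datagram(data)
        parsed["sender"] = addr[0]   # the only origin information UDP gives you
        return parsed
    finally:
        client.close()
        server.close()


if __name__ == "__main__":
    print(loopback_exchange("authpriv", "info", "Accepted publickey for alice"))
```

The sender address recorded in the result is the only origin information a UDP receiver has, and it is not authenticated; that is why a central log server reached over plain UDP 514 should be restricted at the network level to the hosts that are supposed to send to it.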


rsyslog supports storing logs on a MySQL server:

1) install and configure the MySQL database service;

2) install the rsyslog-mysql package;

3) create the database that rsyslog depends on:

# mysql < /usr/share/doc/rsyslog-5.8.10/createDB.sql

4) configure rsyslog to activate the module

In the #### MODULES #### section, enable the module:

$ModLoad ommysql

In the #### RULES #### section, define which log messages are recorded in the database:

facility.priority :ommysql:server_ip,database,username,password

Steps:

[Screenshot: 1408.png]

To enable these two functions, working on UDP and TCP port 514:

service syslog restart

[Screenshot: Capture 123.png]

When we want to save our logs to another reachable (pingable) host:

you can edit /etc/sysctl.conf with vim

[Screenshot: Capture 345.png]

(172.16.249.229 is the IP address of the host that can ping the other machine)

service rsyslog restart

Test again:

For example, run yum install -y bind* on the local machine.

Check your log file with tail /var/log/messages

No records found

Go to the host where the records are saved and check that they have been synchronized to that host.

This article is from the "regular expression and fgrep" blog; please keep this source: http://9025736.blog.51cto.com/9015736/1543638
