Log Management in linux

1: The linux operating system uses logs to record various events of the system, program, and user. The log operation tool in alinux is rsyslog 1. the linux operating system uses logs to record various events of the system, program, and user.
A. The log operation tool in linux is the rsyslog command.
The configuration file of the rsyslog command is/etc/rsyslog. conf.
The specific field meanings are as follows:
*. Info; mail. none; authpriv. none; cron. none/var/log/messages
Mail.info/var/log/maillog
Authpriv. none/var/log/secure
Cron. */var/log/cron
Field description:
Mail. none mail indicates the service or monitoring object. log records are classified into important levels.
Debug, info, warning, error, crit, emerg. None indicates that it does not belong to any of the levels.
*. Info indicates to monitor all systems, programs, and user logs .. Info indicates information including info and warn error.

B. message sending location
Local File: absolute path
Printer: Device file
Remote server: @ IP_ADRESS
*: Send it to all users.
2: to store logs on another server, follow these steps:
Step 1:
Add the log level to be transferred and the service to be recorded in the/etc/rsyslog. conf configuration file.
Cron.info @ 172.1625.28 (use the @ symbol to indicate that the UDP protocol is used, and use the @ symbol to indicate that the TCP protocol is used)
Step 2:
Modify the/etc/rsyslog configuration file in the server where logs are stored to enable the remote log function.
Step 3:
Disable the firewall of the remote server.
Step 4:
Restart log service rsyslog restart.

3: log file introduction
/Var/log/secure ----------- record user logon authentication
/Var/log/cron ------------ record scheduled task operations
/Var/log/maillog -------------- record mail service
/Var/log/boot. log ------------- record boot information
/Var/log/messages ------------ kernel and public logs
/Var/log/dmesg -------------- kernel load driver log
/Var/log/lastlog: -------------- recent user logon event
/Var/log/wtmp -------------- user logon, logout, system startup, shutdown
/Var/log/utmp --------------- details of each user Currently logged on

4. user logon analysis
Last Command to view information of all logged-on users
Lastlog
The accton command is used to monitor commands that have been used during user logon, but is only monitored when enabled. Usage
Step 1: enable user behavior monitoring in accton/vat/account/pacct
Step 2: lastcomm -- user root check the commands used by the root user
Step 3: disable the monitoring service.

5: actively add logs
You can use the logger command to manually add logs to a log file. Script maintenance can be used to mark logs.
Log management must be backed up in a timely manner to control log access permissions and centrally manage logs.

6: log rotation function.
As log files become larger and larger after a period of time, log rotation is required. Log rotation stores logs in one time period to another, the subsequent log records start from the current stage.
Log rotation command: logrotate
The logrotate configuration file is/etc/logrotate. conf.
The important fields are as follows:
Rotate 4 is backed up once after four rotation cycles
The header of the sharedscripts script execution definition
End of the endscripts script execution definition
Postrotate execute script flag after Log rotation starts
Prerotate execute script flag before log rotation
Usage in work: add chattr + a/var/log/mylog to the log, and remove this permission from prerotate before the start of a rotation cycle, chattr-a/var/log/mylog. Add this permission to postrotate.