SYSLOGD & LOGROTATE

Source: Internet
Author: User

1. What is SYSLOGD?

SYSLOGD can simply be described as a daemon that records system activity. For example, it records who did what, when and where, and what has happened to your system, such as when it was rebooted or what hardware or software error occurred. It also records information from the services running on your system.

SYSLOGD logs are generally stored under /var/log/, and they can also be sent to another server. Because the information recorded by SYSLOGD is so important, log security is a concern as well.

General System Log information:

/var/log/secure: records system security information, such as SSH, FTP, and POP3 logins;
/var/log/wtmp: records who has logged on to the system. Because this log is stored in binary form, it can only be viewed with the last command;
/var/log/boot.log: as the name suggests, records information about starting and stopping the system and its services;
/var/log/messages: system errors are recorded in this log;
/var/log/mail: omitted;
/var/log/httpd/: omitted;
/var/log/mysqld.d: the logs of these services are recorded here.

2. SYSLOGD configuration instructions
2.1 start syslogd Service

First, you must determine whether your system is running the service.

service syslog status
ps aux | grep syslog

If your system does not run this service, you can open it. There are many methods.

service syslog start

If you want the system to run syslogd at the next startup, you can enable it under the system services menu of setup. If you know your default runlevel, for example 3, you can also add a symbolic link whose name starts with S under /etc/rc.d/rc3.d. Alternatively, you can use chkconfig --level 2345 syslog on to add it.

2.2 SYSLOGD service configuration file

The configuration file of syslogd is generally /etc/syslog.conf. This file follows the same rules as other configuration files you have seen; for example, a line starting with # is a comment. In it you can see what your syslogd is recording for you. This is part of my syslog.conf:

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                     /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                  /var/log/secure
# Log all the mail messages in one place.
mail.*                                      /var/log/maillog
# Log cron stuff
cron.*                                      /var/log/cron

2.3 SYSLOG. CONF configuration rules

service name.information level    storage or display location

Service name (facility): mail, http, at, cron, kern, and so on.

Information level: 1) info: informational messages; 2) notice: information you need to pay attention to; 3) warn: warning messages; 4) error: error messages, whose cause you need to check carefully; 5) crit: a very serious error that has reached a critical point; 6) alert: a warning that calls to mind "Red Alert"; here, however, it denotes a serious failure; 7) emerg: the system is in a mess, rebuild it.

Storage or display location: 1) the absolute path of a log file, for example under /var/log; 2) one of your users; 3) a host on the network, written as @log.company.com; 4) a printer: /dev/lp0

2.4 application example

mail.info    /var/log/maillog
Mail messages of level info or higher are written to /var/log/maillog.

mail.*;cron.*            /var/log/mailcron
mail.=warn;cron.=warn    /var/log/mailcronwarn
Mail and cron messages of exactly level warn are written to /var/log/mailcronwarn, while the first rule writes all mail and cron messages to /var/log/mailcron.

*.*;mail.none;cron.none    /var/log/messages
Records all messages of all services except mail and cron.
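To make the selector rules of sections 2.2 and 2.4 concrete, here is an added example (not code from the original article) that evaluates a syslog.conf-style rule set and reports which actions a message with a given facility and level would reach. SAMPLE_CONF is constructed from the rules quoted above; the evaluator is a simplification of syslogd's own matching and assumes the common selector forms (level, =level, none, *).

```python
"""Evaluate syslog.conf selectors: which actions receive a given message?"""
# Priorities in ascending severity; aliases map syslogd's alternate spellings,
# and '*' is treated as 'debug or higher', i.e. everything.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg", "*": "debug"}
# Constructed sample config combining the rules quoted in sections 2.2 and 2.4.
SAMPLE_CONF = """
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      /var/log/maillog
mail.=warn;cron.=warn                       /var/log/mailcronwarn
"""

def parse_rule(line):
    """Split 'sel1;sel2    action' into ([(facility, op, level), ...], action)."""
    selector, action = line.split(None, 1)
    parts = []
    for sel in selector.split(";"):
        fac, _, lvl = sel.partition(".")
        op = ""
        if lvl.startswith("="):           # '=' selects exactly this priority
            op, lvl = "=", lvl[1:]
        parts.append((fac, op, ALIASES.get(lvl, lvl)))
    return parts, action.strip()

def route(conf, facility, level):
    """Return the actions whose selector matches a (facility, level) message."""
    # Selectors apply left to right, so a later 'mail.none' cancels '*.info' for mail.
    rank = PRIORITIES.index(ALIASES.get(level, level))
    actions = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts, action = parse_rule(line)
        matched = False
        for fac, op, lvl in parts:
            if fac != "*" and fac != facility:
                continue
            if lvl == "none":
                matched = False
            elif op == "=":
                matched = rank == PRIORITIES.index(lvl)
            else:                         # plain level means level or higher
                matched = rank >= PRIORITIES.index(lvl)
        if matched:
            actions.append(action)
    return actions
```

For example, route(SAMPLE_CONF, "mail", "warn") returns both /var/log/maillog and /var/log/mailcronwarn, which shows that a message goes to every rule it matches, not only the most specific one.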


3 Relationship Between SYSLOGD and logs in service configuration in the system

As mentioned above, syslogd provides the log service for the system. So what is the relationship between the log settings defined in a service's own configuration file and syslog.conf?

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none    /var/log/messages

What does this passage mean? I take it to mean that all system messages except mail, authpriv, and cron are recorded in /var/log/messages, so it should also record my own httpd messages. Is that true? I have installed httpd and pointed its log at another file, /usr/website/log/httpdlog. Although I can see my httpd log information in /usr/website/log/httpdlog,

# cat /var/log/messages | grep http

returns nothing. Syslogd does not record information you did not ask it to record: although the rule above says *.info, that * does not include your own service, which writes its own log file instead of sending messages to syslogd.

4. What is LOGROTATE?

LOGROTATE rotates log files: it renames the current log to log.1 and then lets logging continue into a fresh log. If log.1 already exists, log.1 is first renamed to log.2, then log is renamed to log.1, and so on. This does not go on forever: where the chain ends is defined in the logrotate configuration file. The default on my system is 4. What happens to log.4? It is deleted.


Syslogd runs as a daemon;
logrotate runs on a schedule.


5. LOGROTATE configuration instructions
5.1 location of the logrotate configuration file

1) /etc/logrotate.conf
2) /etc/logrotate.d

/etc/logrotate.conf is the main configuration file; the files in /etc/logrotate.d are read from /etc/logrotate.conf. If a file in /etc/logrotate.d does not specify a particular parameter, that parameter is taken from the main configuration file.

5.2 LOGROTATE configuration rules

The main configuration of logrotate is /etc/logrotate.conf, while the files in /etc/logrotate.d supplement /etc/logrotate.conf. Splitting settings out this way also keeps /etc/logrotate.conf from growing too large.

5.2.1 configuration parameter description

compress: compress rotated logs with gzip;
nocompress: use this when no compression is required;
copytruncate: copy the current log file, which is still open, and then truncate it in place;
nocopytruncate: copy the log file but do not truncate it;
create mode owner group: after rotating, create a new log file with the specified mode, owner and group;
nocreate: do not create new log files;
delaycompress (with compress): the rotated log file is compressed at the next rotation rather than immediately;
nodelaycompress: overrides the delaycompress option and compresses at the time of rotation;
errors address: send error messages that occur during rotation to the specified email address;
ifempty: rotate even empty files. This is the default logrotate option;
notifempty: if the file is empty, do not rotate it;
mail address: send the rotated log file to the specified email address;
nomail: do not send log files by mail during rotation;
olddir directory: place rotated logs in the specified directory, which must be on the same file system as the current log file;
noolddir: rotated logs are placed in the same directory as the current log file;
prerotate/endscript: commands to be executed before rotation go between this pair. The two keywords must each be on their own line;
postrotate/endscript: commands to be executed after rotation go between this pair. The two keywords must each be on their own line;
daily: specifies that the rotation cycle is daily;
weekly: specifies that the rotation cycle is weekly;
monthly: specifies that the rotation cycle is monthly;
rotate count: specifies how many rotations a log file survives before it is deleted. 0 means no backups are kept, and 5 means five backups are retained;
tabooext [+] list: prevents logrotate from rotating files with the specified extensions. The default extensions are .rpm-orig, .rpmsave, v, and ~;
size size: rotate a log file only when it reaches the specified size. The size can be given in bytes (the default), KB (sizek), or MB (sizem);
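The renaming chain of section 4 and the interaction of rotate, create, compress and delaycompress from the list above, as an added simulation (not logrotate's own code and not from the original article). It works on a temporary directory and a constructed log file named messages; the assumed behaviour is the one the text describes: log.N is dropped, the others shift up by one, and with delaycompress the newest copy stays uncompressed for one cycle.

```python
"""Simulate logrotate's renaming chain: log -> log.1 -> ... -> log.N -> deleted."""
import gzip
import os
import shutil
import tempfile

def rotate(path, count, compress=False, delaycompress=False):
    """Rotate `path` once, keep `count` old generations, return names present.

    log.<count> is deleted, each log.i becomes log.i+1, log becomes log.1 and
    a fresh empty log is created ('create'). With compress the old generations
    are gzipped; delaycompress leaves log.1 plain for one cycle so a daemon
    that still has it open can finish writing before it is compressed.
    """
    base, d = os.path.basename(path), os.path.dirname(path) or "."
    if count == 0:                            # 'rotate 0': no backup, just truncate
        open(path, "w").close()
        return [base]
    for name in (f"{path}.{count}", f"{path}.{count}.gz"):
        if os.path.exists(name):              # oldest generation falls off the end
            os.remove(name)
    for i in range(count - 1, 0, -1):         # shift log.i -> log.i+1, newest last
        for suffix in ("", ".gz"):
            if os.path.exists(f"{path}.{i}{suffix}"):
                os.rename(f"{path}.{i}{suffix}", f"{path}.{i + 1}{suffix}")
    if os.path.exists(path):
        os.rename(path, f"{path}.1")
    open(path, "w").close()                   # 'create': new empty log file
    if compress:
        for i in range(2 if delaycompress else 1, count + 1):
            plain = f"{path}.{i}"
            if os.path.exists(plain):
                with open(plain, "rb") as src, gzip.open(plain + ".gz", "wb") as dst:
                    shutil.copyfileobj(src, dst)
                os.remove(plain)
    return sorted(n for n in os.listdir(d) if n.startswith(base))

def demo(cycles=6, count=4, compress=True, delaycompress=True):
    """Write one constructed line per cycle, rotate each time, return the listing."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "messages")
    try:
        for n in range(cycles):
            with open(path, "a") as f:
                f.write(f"cycle {n}\n")       # constructed log content
            names = rotate(path, count, compress, delaycompress)
        return names
    finally:
        shutil.rmtree(d)
```

After six cycles with rotate 4, compress and delaycompress, demo() returns messages, messages.1 (still plain) and messages.2.gz through messages.4.gz; the contents of cycle 0 and 1 are gone, exactly the "what happens to log.4? It is deleted" behaviour from section 4.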


5.2.2 How to Write LOGROTATE

Write the logfile(s) at the front, giving the absolute path of each file. Separate multiple logs with whitespace, or use wildcards;

Use {} to enclose all settings, which generally include:

prerotate: a command executed before rotation starts, for example /usr/bin/chattr -a /var/log/logfile;
postrotate: a command executed after rotation, for example /usr/bin/chattr +a /var/log/logfile;
The actions between prerotate and postrotate are:

1) weekly: run once every week
2) rotate 4: retain four old logs
3) create: create a new log after rotating
4) compress: whether logs are compressed after rotation.
5) include /etc/logrotate.d: include the rotation settings under the /etc/logrotate.d directory.

If you have written your rotation settings under /etc/logrotate.d, you can test them with the command logrotate -f yourfile (note that -f forces a real rotation rather than a dry run; logrotate -d yourfile performs a dry run).

Configure the dump parameters for the specified file:

You often need to configure parameters for a specific file. A common example is rotating /var/log/wtmp every month. The parameter format for a specific file is:

# note
/full/path/to/file
{
    option(s)
}

The following example rotates /var/log/wtmp monthly:
# use logrotate to rotate wtmp
/var/log/wtmp
{
    monthly
    rotate 1
}

5.2.3 other issues due to this concern

Although the opening curly brace may be placed on the same line as other text, the closing brace must be on a line of its own.
Using the prerotate and postrotate options

The following example shows a typical script, /etc/logrotate.d/syslog, which applies only to /var/log/messages.

/var/log/messages
{
    prerotate
        /usr/bin/chattr -a /var/log/messages
    endscript
    postrotate
        /usr/bin/killall -HUP syslogd
        /usr/bin/chattr +a /var/log/messages
    endscript
}

The first line specifies that the script applies to /var/log/messages; prerotate introduces the actions taken before rotation; /usr/bin/chattr -a removes the "append only" attribute from /var/log/messages; endscript closes the prerotate block; postrotate introduces the actions taken after rotation; /usr/bin/killall -HUP syslogd reinitializes the system log daemon syslogd so it reopens the new file;
/usr/bin/chattr +a /var/log/messages sets the "append only" attribute on /var/log/messages again to prevent programs or users from overwriting the file; the final endscript closes the postrotate script;

5.2.4 /var/log/messages:
This is rare, but if you disable port 514/UDP in /etc/services, this file will not be generated.
5.3 LOGROTATE operation steps
LOGROTATE runs in three steps:
1) determine the system log files;
2) create a rotation plan and its parameters;
3) run the following script through cron: Red Hat Linux's default crontab runs logrotate every day.

# /etc/cron.daily/logrotate
#!/bin/sh
/usr/sbin/logrotate /etc/logrotate.conf