Syslog ServiceSYSLOGD: System, responsible for recording non-kernel generated log informationKLOGD: Kernel, specifically responsible for recording the log information generated by the kernelKernel related logs for startupKernel---physical terminal (/dev/console)-- /VAR/LOG/DMESGView related logs for kernel startup#dmesg#cat/VAR/LOG/DMESGLog storage takes a scrolling way (log cut):Messages Messages.1 Messages.2,...Configuration file /etc/logrotate.conf
1. Topology map
For audit purposes, the source address of the syslog must be the actual address of the device, and for other reasons, the Syslog server cannot be placed in the intranet.
2. Interface configuration:
R1:
R1 (config) #int f0/0
R1 (config-if) #ip add 10.1.1.18 255.255.255.0
R1 (config-if) #no sh
R2:
R2 (config) #int f0/0
R2 (config-if) #ip add 10.1.1.28 255.255.255.0
R2 (config-if)
Modifying the mcollective supports syslog output while modifying the default UTC time to local time.Modulemcollectivemodulerpc#anauditplugin thatjustlogstoafile## Youcanconfigurewhichfileitlogstowiththe setting##plugin.rpcaudit.logfile classLogfileThis article is from the "Xiaofeng Moon" blog, make sure to keep this source http://kinda22.blog.51cto.com/2969503/1587623Modify Mcollective's audit support syslog
We use LinuxSyslogTo record the debug log of the product. Call one of the executable files. After the command is executed, view the debug log information, and the logs after a certain log are lost. After multiple attempts, it is found that logs are lost after a fixed log every time. This blog post will let us explore the details.I. Problem Discovery
Before discovering the real problem, I made the following attempts:
(1) Does a process exit some logic after a fixed log? Or will a signal be genera
Use shellSYslog log file write information
ApplicationProgramUse S The log file (in the/var/log directory) That yslog sends messages to the Linux system ). S Ysklogd provides two System Tools : One is System Log Record , The other is kernel information capture. Most programs usually use the C language or S Yslog application or library to send S Yslog message.
1. the logger command is a shell command (interface ). You can use the syslog
Today we recommend a--nxlog
Download Address: http://sourceforge.net/projects/nxlog-ce/files/
installation, because it is in MSI format, so it is not said. A simple configuration is required.
The test platform is Windows 7 64bit, so after installation, the directory and files are as follows:
After installation, you need to configure it, write to the address of the Syslog server, and in the nxlog.conf file in the Conf directory, see:
Module
No logging console; No logs are sent to the console;Logging console 3; Sends only 0,1,2,3 level log warnings to the console;Windows log turned into syslog using Ntsyslog;logging on; open log;Logging buffered 64000; Define save log message buffer to 64K;Cisco defaults to logging console 6;Level 7 for debug logging;The default Cisco does not send logs to vty and requires a command if it is to be displayed: Terminal monitor;Note: The command is executed
PHP Regular parsing | extraction | Filtering standard syslog log file contents
Log content:
Dec 15:10:48 root my:192.168.1.51 Test exit Mail Management system
Dec 15:11:23 root my:192.168.1.51 Stella exit Mail management system
...
Extract useful information by regular row by line and return the array
...
After parsing:
Array
[0]=>array (
[0]=>dec 30 15:10:48,
[1]=>root,
[2]=>my,
[3]=>192.168.1.51,
[4]=>test,
[5]=> Exit Mail Management system
),
[1]=>
The following error often occurs when traffic is high on a iptables Web server that is enabled:Ip_conntrack:table full, dropping packetThe cause of this problem is because the Web server received a large number of connections, in the case of iptables enabled, Iptables will all the connections are linked tracking processing, so that iptables will have a link tracking table, when the table full, the above error will occur.Iptables's Link Tracking table has a maximum capacity of/proc/sys/net/ipv4/i
will leave a record.Security log/var/log/secureScreen tools virtual screens, virtual terminals.Sometimes the script runs for a long time and cannot be interrupted halfway. So in order not to let a task accidentally interrupted, you need to ensure that the network can not make any mistakes.There are two ways to solve it:1, put in the background, there is output to the log.Nohup Execute command Log This will run in the background even if the terminal is disconnected.2,screen put in the background
The company is using Ubuntu server, with cacti to do the monitoring, through the SNMPD protocol monitoring, but when looking at the system log, SNMPD generated a lot of logs, sometimes to turn a lot of screen, to see system information, this to every day to see the System log Administrator, It was a nightmare. The following methods allow you to turn off SNMPD to the system log file so that the system log looks much simpler.
root@ubuntu:~# vim/etc/default/snmp
# This file controls the a
method can greatly reduce the router processing capability occupied. This is also a good way to view debugging output, because it is stored in a file that can be rolled and output to a workbook,And can be sorted or processed in any way you like. And if you need to view the debugging output on multiple routers at the same time, this is the only feasible method. Remind you again, search on I n t e r n e t, if not by chance u n I X, you can find cheap orFree s y s l o g application. Note that you
lines once you have the MIBs downloaded.
ExportMIBS=
# Snmpd control (yes means start daemon ).
SNMPDRUN=Yes
# Snmpd options (use syslog, close stdin/out/err ).
#SNMPDOPTS='-Lsd-Lf/dev/null-u snmp-g snmp-I-smux-p/var/run/snmpd. pid'// Comment out and change it to the following content
SNMPDOPTS='-Ls2d-Lf/dev/null-p/var/run/snmpd. pid-'
After that, run the command to restart the snmpd service. Then, you can view the system logs again, which
One. Configure Server-side
Configuring the Log server
Install Splunk 64-bit free version2. If there is a firewall on the log server, be sure to open udp514 and tcp146 in inbound rulesTwo. Configuring the Client
Cisco switches, routers1 Open Log service Router (config) #logging on2 Define the log server address Router (config) #logging host 192.168.2.1003 Define time timestamp Router (config) #service timestamps log datetime localtime Show-timezone msec3 Define time timestamp Ro
Purpose of audit:Records events at the core layer, reads and writes files, and calls from the system. Permission statusBelongs to the kernelSyslog purpose:Belongs to the application layer and records all application-layer error messages.Audit has three operating toolsThree commands available for audit:=> Auditctl-controls the kernel audit system, which can be used to retrieve, add, or delete rules, and set the watch for a specific case ).=> Ausearch-the tool used to check the Audit audit logs.=>
Turn from: http://blog.c1gstudio.com/archives/1765
Logstash + Elasticsearch + kibana+redis+syslog-ng
Elasticsearch is an open source, distributed, restful search engine built on Lucene. Designed for cloud computing, to achieve real-time search, stable, reliable, fast, easy to install and use. Supports the use of JSON for data indexing over HTTP.
Logstash is a platform for application log, event transmission, processing, management, and search. You can
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.