Linux Log Analysis (updated from time to time)

rsyslog.service

rsyslog.service runs rsyslogd, the system logging daemon on Linux. It receives messages that carry a facility and a priority (from the kernel, from local programs through syslog(3), and on CentOS 7 from systemd-journald through the imjournal module, because $OmitLocalLogging on hands the /dev/log socket to journald) and routes each message to a file or other target according to the rules in its configuration.

Configuration file: /etc/rsyslog.conf

To see the active content of rsyslog.conf without comments and blank lines, run: cat /etc/rsyslog.conf | grep -v "#" | grep -v "^$" (note that grep -v "#" also hides any line that merely contains a # somewhere; anchor the pattern as ^# if you want to keep such lines). On CentOS 7 the output is:

$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
  • *.info: the part before the dot is the facility (what the original text calls the "service"). * means every facility; "mail.*" further down names only the mail facility. Facilities are fixed names defined by syslog(3): kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, authpriv, ftp and local0 through local7.
  • *.info: the part after the dot is the priority (severity). info is one priority; from top to bottom in the table below, the priorities become more severe. The numeric codes come from syslog(3): debug is 7 and emerg is 0, so "more severe" means a smaller number.
  • A leading "-" before a file name, as in -/var/log/maillog, tells rsyslog not to flush the file after every message; it is faster but the last lines can be lost in a crash. The action :omusrmsg:* on the *.emerg rule writes the message to the terminal of every logged-in user instead of to a file.

Priority   Code   Description
debug      7      Data produced while debugging
info       6      Ordinary informational messages
notice     5      Normal but significant conditions; a step above info, worth noticing
warning    4      Warning conditions: something may be wrong, but the daemon keeps running
err        3      Error conditions, for example a configuration value that stops a service from starting normally
crit       2      Critical conditions, more serious than err
alert      1      Action must be taken immediately, more serious than crit
emerg      0      System is unusable; the most serious level, typically a failure that prevents the system from running at all

  • *.info: the dot in the middle is the connector between facility and priority. The full set of connector forms:
.    Record messages at this priority and at every more severe priority (the named priority included)
.=   Record only this exact priority
.!   Exclude this priority and every more severe priority; "*.!err" matches debug through warning only
.!=  Exclude only this exact priority
.none is a pseudo-priority that excludes the facility entirely (see the messages rule below)
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

This rule records, in /var/log/messages, messages from every facility except mail, authpriv and cron, and only those whose priority is info or more severe. In other words, the mail, authpriv and cron facilities, and any message below info (that is, debug), are not written to messages. (none removes a facility from the rule.) The authpriv.* rule then sends everything from the authpriv facility, at every priority, to /var/log/secure; that is where sudo, su, sshd and other PAM-based logins end up, which makes it the first file to read in an incident.

  • ; : a semicolon separates selectors; each selector carries its own facility and priority. The selectors on one line are applied left to right, so a later selector can cancel part of an earlier one, which is how mail.none removes mail from the preceding *.info.
  • , : a comma also separates, but it separates facilities inside one selector; the priority is written once, after the last facility, and applies to all of them.
For example, the following two lines are equivalent:
*.*;news,cron,mail.none			/var/log/messages
*.*;news.none;mail.none;cron.none	/var/log/messages
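The selector rules above are easier to trust once you can evaluate them against a message. The Python script below is an added example, not code from the original post or from rsyslog: it implements the legacy selector grammar the way sysklogd and rsyslog's legacy parser do, where every facility carries a bitmask of priorities and the ;-separated parts of a selector are applied left to right as set or clear operations on that mask, which is exactly why a later mail.none cancels an earlier *.info. Facility and priority names follow syslog(3); the functions parse_selector, matches and logged_priorities are this example's own names.

```python
"""Evaluate legacy syslog/rsyslog selectors against (facility, priority) pairs.

Added example (not from the original post). Mirrors the sysklogd cfline()
semantics that rsyslog's legacy selector parser keeps: each ';'-part is a
mask operation applied in order, so "*.info;mail.none" first enables
emerg..info for every facility, then clears the mask for mail.
"""

# Facility names from syslog(3); order does not matter for the mask logic.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Index == syslog(3) numeric code: 0 = emerg (most severe) .. 7 = debug.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
ALL_PRI = (1 << len(PRIORITIES)) - 1


def _pri_code(name):
    """Numeric code of a priority name, accepting the deprecated aliases."""
    return PRIORITIES.index(ALIASES.get(name, name))


def parse_selector(selector):
    """Return {facility: bitmask}; bit i set means PRIORITIES[i] is logged.

    Grammar handled: fac[,fac]*.[!][=]pri, with '*' for any facility or
    priority, 'none' to drop a facility, and ';' joining several selectors.
    """
    masks = {fac: 0 for fac in FACILITIES}
    for part in selector.split(";"):
        part = part.strip()
        if not part:
            continue
        if "." not in part:
            raise ValueError(f"selector without priority: {part!r}")
        fac_part, pri_part = part.rsplit(".", 1)
        pri_part = pri_part.strip()
        ignore = pri_part.startswith("!")          # "!" negates the selector
        if ignore:
            pri_part = pri_part[1:]
        single = pri_part.startswith("=")          # "=" means this priority only
        if single:
            pri_part = pri_part[1:]
        facs = FACILITIES if fac_part.strip() == "*" else [f.strip() for f in fac_part.split(",")]
        for fac in facs:
            if fac not in masks:
                raise ValueError(f"unknown facility {fac!r}")
            if pri_part == "none":
                masks[fac] = ALL_PRI if ignore else 0
            elif pri_part == "*":
                masks[fac] = 0 if ignore else ALL_PRI
            else:
                code = _pri_code(pri_part)
                # Plain "pri" covers this priority and every more severe one
                # (codes 0..code); "=pri" covers exactly one bit.
                bits = (1 << code) if single else (1 << (code + 1)) - 1
                masks[fac] = (masks[fac] & ~bits) if ignore else (masks[fac] | bits)
    return masks


def matches(selector, facility, priority):
    """True if a message with this facility/priority is caught by the selector."""
    return bool(parse_selector(selector)[facility] & (1 << _pri_code(priority)))


def logged_priorities(selector, facility):
    """Priorities of `facility` that the selector would log, most severe first."""
    mask = parse_selector(selector)[facility]
    return [p for i, p in enumerate(PRIORITIES) if mask & (1 << i)]


if __name__ == "__main__":
    messages_rule = "*.info;mail.none;authpriv.none;cron.none"
    print(matches(messages_rule, "daemon", "info"))    # True
    print(matches(messages_rule, "daemon", "debug"))   # False: below info
    print(matches(messages_rule, "authpriv", "crit"))  # False: authpriv.none wins
    print(parse_selector("*.*;news,cron,mail.none")
          == parse_selector("*.*;news.none;mail.none;cron.none"))  # True
    print(logged_priorities("*.info;*.!err", "kern"))  # ['warning', 'notice', 'info']
```

The last call shows the point the "!" connector is usually misread on: "*.!err" does not mean "everything but err", it clears err and everything more severe, leaving only the less severe priorities that the preceding *.info had enabled.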

Analyzing logs

CentOS 7 provides the logwatch command (package logwatch, installable with yum; its installation is visible in the yum section of the report below) for summarizing logs. Two options matter for a security review: --detail high (level 10) prints much more per service than the default level 0, and --numeric stops logwatch from doing reverse DNS lookups, so the report does not send a PTR query for every attacker address it reports. The relevant part of the man page:

OPTIONS
       --detail level
              This is the detail level of the report.  level can be a positive integer, or high, med, low, which correspond to the integers 10, 5, and 0, respectively.

       --logfile log-file-group
              This will force Logwatch to process only the set of logfiles defined by log-file-group (i.e. messages, xferlog, ...).  Logwatch will therefore process all services that use those logfiles.  This option can be specified more than once to specify multiple logfile-groups.

       --service service-name
              This will force Logwatch to process only the service specified in service-name (i.e. login, pam, identd, ...).  Logwatch will therefore also process any log-file-groups necessary to process these services.  This option can be specified more than once to specify multiple services to process.  A useful service-name is All which will process all services (and logfile-groups) for which you have filters installed.

       --mailto address
              Mail the results to the email address or user specified in address.

       --range range
              You can specify a date-range to process. Common ranges are Yesterday, Today, All, and Help.  Additional options are listed when invoked with the Help parameter.

       --archives
              Each log-file-group has basic logfiles (i.e. /var/log/messages) as well as archives (i.e. /var/log/messages.? or /var/log/messages.?.gz).  When used with "--range all", this option will make Logwatch search through the archives in addition to the regular logfiles.  For other values of --range, Logwatch will search the appropriate archived logs.

       --debug level
              For debugging purposes.  level can range from 0 to 100.  This will really clutter up your output.  You probably don't want to use this.

       --filename file-name
              Save the output to file-name instead of displaying or mailing it.

       --logdir directory
              Look in directory for log subdirectories or log files instead of the default directory.

       --hostlimit host1,host2
              Limit report to hostname - host1, host2.

       --hostname hostname
              Use hostname for the reports instead of this system's hostname.  In addition, if HostLimit is set in the logwatch.conf configuration file (see MORE INFORMATION, below), then only logs from this hostname will be processed (where appropriate).

       --html_wrap num-characters
              Number of characters that html output should be wrapped to. Default is 80.

       --numeric
              Inhibits additional name lookups, displaying IP addresses numerically.

       --no-oldfiles-log
              Suppress the logwatch log, which informs about the old files in logwatch tmpdir.

       --usage
              Displays usage information

       --help same as --usage.

Generate today's report:

sudo logwatch --range today --archives /var/log/messages

The trailing /var/log/messages is not a logwatch option: a log-file group is selected with --logfile messages and a service with --service. As the report shows, this run covered every service logwatch has a filter for, and the pam_unix and Sudo sections were read from /var/log/secure, not from messages.
 ################### Logwatch 7.4.0 (03/01/11) #################### 
        Processing Initiated: Fri Feb  5 21:25:21 2021
        Date Range Processed: today
                              ( 2021-Feb-05 )
                              Period is day.
        Detail Level of Output: 0
        Type of Output/Format: stdout / text
        Logfiles for Host: study.centos7.binwatson
 ################################################################## 
 
 --------------------- pam_unix Begin ------------------------ 

 sudo:
    Sessions Opened:
       binwatson -> root: 5 Time(s)
 ---------------------- pam_unix End ------------------------- 
 
 --------------------- Sudo (secure-log) Begin ------------------------ 
 binwatson => root
 -----------------
 /bin/yum                       -   1 Time(s).
 /sbin/logwatch                 -   4 Time(s).
 ---------------------- Sudo (secure-log) End ------------------------- 
 
 --------------------- yum Begin ------------------------ 
 Packages Installed:
    perl-Date-Manip-6.41-2.el7.noarch
    perl-Sys-MemInfo-0.91-7.el7.x86_64
    logwatch-7.4.0-35.20130522svn140.el7_5.noarch
    perl-Sys-CPU-0.54-4.el7.x86_64
 ---------------------- yum End ------------------------- 
 
 --------------------- Disk Space Begin ------------------------ 
 Filesystem               Size  Used Avail Use% Mounted on
 devtmpfs                 894M     0  894M   0% /dev
 /dev/mapper/centos-root   10G  5.0G  5.1G  50% /
 /dev/sda2                2.0G  239M  1.8G  12% /boot
 /dev/mapper/centos-home  5.0G   83M  5.0G   2% /home
 ---------------------- Disk Space End ------------------------- 
 
 ###################### Logwatch End ######################### 
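The pam_unix and Sudo (secure-log) sections of the report are counts over a few line patterns in /var/log/secure, the file the authpriv.* rule above writes. The Python script below is an added example, not code from the original post or from logwatch: it reproduces those two summaries over a constructed /var/log/secure excerpt and additionally counts sshd failed logins per source address, which is the check a reviewer most often wants from that file. The log lines, host name, user names and addresses (from the documentation ranges 203.0.113.0/24 and 192.0.2.0/24) are constructed for the example; summarize_secure, brute_force_sources and render are this example's own names.

```python
"""Summarize /var/log/secure the way logwatch's pam_unix and Sudo sections do.

Added example (not from the original post or from logwatch). Runs offline on
the constructed excerpt below; point summarize_secure() at the real file's
contents to use it on a host.
"""
import re
from collections import Counter

# Constructed /var/log/secure excerpt (example data, not from a real host).
SAMPLE_SECURE = """\
Feb  5 21:20:01 study sudo: binwatson : TTY=pts/0 ; PWD=/home/binwatson ; USER=root ; COMMAND=/bin/yum install logwatch
Feb  5 21:20:01 study sudo: pam_unix(sudo:session): session opened for user root by binwatson(uid=1000)
Feb  5 21:20:09 study sudo: pam_unix(sudo:session): session closed for user root
Feb  5 21:25:21 study sudo: binwatson : TTY=pts/0 ; PWD=/home/binwatson ; USER=root ; COMMAND=/sbin/logwatch --range today
Feb  5 21:25:21 study sudo: pam_unix(sudo:session): session opened for user root by binwatson(uid=1000)
Feb  5 21:30:02 study sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Feb  5 21:30:05 study sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Feb  5 21:30:09 study sshd[1236]: Failed password for root from 203.0.113.7 port 51140 ssh2
Feb  5 21:31:00 study sshd[1240]: Accepted publickey for binwatson from 192.0.2.10 port 40022 ssh2: RSA SHA256:AbCdEf
Feb  5 21:32:00 study sudo: mallory : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/bash
"""

# Line shapes as written by sudo, pam_unix and OpenSSH on CentOS 7.
PAM_OPEN_RE = re.compile(
    r"pam_unix\((?P<service>[^:]+):session\): session opened for user "
    r"(?P<target>\S+) by (?P<user>[^(\s]+)")
SUDO_RE = re.compile(r" sudo:\s+(?P<user>\S+) : (?P<body>.*)$")
SSH_FAIL_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")
SSH_OK_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def summarize_secure(text):
    """Count the events logwatch reports, keyed the way its sections group them."""
    summary = {
        "pam_sessions": Counter(),   # (pam service, invoking user, target user)
        "sudo_commands": Counter(),  # (invoking user, target user, command binary)
        "sudo_denied": Counter(),    # invoking user that was refused by sudoers
        "ssh_failed": Counter(),     # (source ip, attempted user)
        "ssh_accepted": Counter(),   # (user, source ip, auth method)
    }
    for line in text.splitlines():
        if m := PAM_OPEN_RE.search(line):
            summary["pam_sessions"][(m["service"], m["user"], m["target"])] += 1
        elif m := SUDO_RE.search(line):
            # Body is "k=v ; k=v ; ..."; a refusal carries a free-text reason first.
            fields = dict(kv.split("=", 1) for kv in m["body"].split(" ; ") if "=" in kv)
            if "NOT in sudoers" in m["body"]:
                summary["sudo_denied"][m["user"]] += 1
            elif "COMMAND" in fields:
                binary = fields["COMMAND"].split()[0]  # logwatch lists the binary only
                summary["sudo_commands"][(m["user"], fields.get("USER", "?"), binary)] += 1
        elif m := SSH_FAIL_RE.search(line):
            summary["ssh_failed"][(m["ip"], m["user"])] += 1
        elif m := SSH_OK_RE.search(line):
            summary["ssh_accepted"][(m["user"], m["ip"], m["method"])] += 1
    return summary


def brute_force_sources(summary, threshold=3):
    """Source addresses with at least `threshold` failed sshd logins."""
    per_ip = Counter()
    for (ip, _user), n in summary["ssh_failed"].items():
        per_ip[ip] += n
    return {ip: n for ip, n in per_ip.items() if n >= threshold}


def render(summary):
    """Print in the style of logwatch's pam_unix and Sudo (secure-log) sections."""
    print("--- pam_unix ---")
    for (service, user, target), n in sorted(summary["pam_sessions"].items()):
        print(f" {service}: {user} -> {target}: {n} Time(s)")
    print("--- Sudo (secure-log) ---")
    for (user, target, binary), n in sorted(summary["sudo_commands"].items()):
        print(f" {user} => {target}: {binary:<20} - {n} Time(s).")
    for user, n in summary["sudo_denied"].items():
        print(f" {user}: NOT in sudoers - {n} Time(s).")
    print("--- sshd ---")
    for ip, n in brute_force_sources(summary).items():
        print(f" {ip}: {n} failed logins (possible brute force)")


if __name__ == "__main__":
    render(summarize_secure(SAMPLE_SECURE))
```

The refused sudo attempt by mallory is the line a real report should never bury in a count: logwatch only reports it when the Sudo filter is enabled, whereas the script above surfaces it next to the successful commands.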


Reposted from blog.csdn.net/Bin_Watson/article/details/113703201