Log collection rules in Linux and remote log synchronization

At the start of the lab we restart both virtual machines and configure their IP addresses, then open two shells on the physical host, each connected to one of the two IPs. The two virtual machines are renamed node1 and node2 so they can be told apart while working. In this lesson we study logging.

Commands to rename the hosts:

 hostnamectl set-hostname node1.example.com

 hostnamectl set-hostname node2.example.com


1. Log collection rules:

Work on node1: log messages are held in memory; the job of the rsyslog service is to collect what is in memory and write it to files on disk.

[root@node1 ~]# > /var/log/messages           # empty the log file

[root@node1 ~]# cat /var/log/messages

[root@node1 ~]# systemctl restart sshd.service     # restart sshd

[root@node1 ~]# cat /var/log/messages              # view the file

Apr 13 21:59:19 localhost systemd: Stopping OpenSSH server daemon...

Apr 13 21:59:19 localhost systemd: Starting OpenSSH server daemon...

Apr 13 21:59:19 localhost systemd: Started OpenSSH server daemon.


[root@node1 ~]# systemctl stop rsyslog.service    # stop the log collection service

[root@node1 ~]# > /var/log/messages

[root@node1 ~]# systemctl restart sshd.service

[root@node1 ~]# cat /var/log/messages             # check: nothing was logged

[root@node1 ~]# systemctl start rsyslog.service   # start the log collection service

[root@node1 ~]# cat /var/log/messages

Apr 13 22:00:27 node1 rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="30481" x-info="http://www.rsyslog.com"] start

Apr 13 22:00:27 node1 rsyslogd-2307: warning: ~ action is deprecated, consider using the 'stop' statement instead [try http://www.rsyslog.com/e/2307 ]

Apr 13 21:59:49 node1 systemd: Stopping System Logging Service...

Apr 13 21:59:49 node1 systemd: Stopped System Logging Service.

   

[root@node1 ~]# vim /etc/rsyslog.conf   # edit the configuration file so the messages we want are written to a file of our choosing; add the rule:   *.* /var/log/westos

[root@node1 ~]# ls /var/log/westos

ls: cannot access /var/log/westos: No such file or directory

[root@node1 ~]# systemctl restart sshd.service

[root@node1 ~]# cat /var/log/westos

cat: /var/log/westos: No such file or directory

[root@node1 ~]# systemctl restart rsyslog.service   # restart and check again

[root@node1 ~]# cat /var/log/westos

Apr 13 22:03:25 node1 rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="30596" x-info="http://www.rsyslog.com"] start

Apr 13 22:03:25 node1 rsyslogd-2307: warning: ~ action is deprecated, consider using the 'stop' statement instead [try http://www.rsyslog.com/e/2307 ]

Apr 13 22:03:25 node1 systemd: Stopping System Logging Service...

Apr 13 22:03:25 node1 systemd: Starting System Logging Service...

Apr 13 22:03:25 node1 systemd: Started System Logging Service.


On node2:

[root@node2 ~]# vim 第七天笔记

[root@node2 ~]# ssh [email protected]   # connect to the first host (node1)

[email protected]'s password:

Last login: Fri Apr 13 22:11:07 2018 from 172.25.254.221

[root@node1 ~]# cat /var/log/westos       # view the log file

Apr 13 22:32:39 node1 sshd[31011]: pam_unix(sshd:session): session opened for user root by (uid=0)

The SSH login we just made has been recorded in that file.

Rule syntax:

*.*                      file name

facility.priority        file the messages are written to


Facilities

auth              user login / authentication messages

authpriv          privileged authentication messages (services)

kern              kernel messages

cron              scheduled task (cron) messages

lpr               printer messages

mail              mail messages

news              news (Usenet) messages

user              messages from user-level programs

local 1-7         user-defined facilities

 

Priorities

debug           debugging information

info            routine informational messages

warning         warnings

error           error conditions (lower severity: one function cannot work properly)

crit            critical conditions (higher severity: the whole program or system cannot work properly)

alert           action must be taken immediately

emerg           system unusable (kernel panic)

none            collect no messages at all from that facility

 

vim /etc/rsyslog.conf

auth.debug             /var/log/westos      # auth messages at debug and above, i.e. every auth message

auth.*                 /var/log/westos      # equivalent: every priority of the auth facility

*.*                    /var/log/log.all     # everything from every facility

 

Commonly used system log files:

/var/log/messages       routine messages of all priorities, excluding mail, privileged authentication and cron

/var/log/maillog        mail log

/var/log/secure         authentication log

/var/log/cron           cron job log
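The selector semantics above can be checked without a running rsyslog. The following Python script is an added example (not part of the original notes): it reimplements the classic facility.priority matching, including the rule that a priority means that level and everything more severe, that none excludes a facility, and that later sub-selectors on the same line override earlier ones, which is how the default *.info;mail.none;authpriv.none;cron.none /var/log/messages rule keeps mail, authpriv and cron out of /var/log/messages. The rule set and the sample messages are constructed here; the facility list follows rsyslog's, which defines local0 through local7.

```python
"""Simulation of rsyslog selector matching: facility.priority -> target files.

Added example, not code from the original notes and not rsyslog's own code.
The rule set below is constructed here (the RHEL default messages rule plus
the rules from the notes) and evaluated offline.
"""
import re

# Facilities of the classic selector syntax; rsyslog defines local0-local7.
FACILITIES = [
    "auth", "authpriv", "cron", "daemon", "ftp", "kern", "lpr", "mail",
    "news", "syslog", "user", "uucp",
] + [f"local{i}" for i in range(8)]

# Priorities from least to most severe; the index is the severity rank.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
# Alternative spellings rsyslog accepts.
PRIORITY_ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}


def canonical_priority(name):
    name = name.lower()
    return PRIORITY_ALIASES.get(name, name)


def parse_selector(selector):
    """Turn 'auth.info;mail.none' into {facility: minimum rank or None}.

    None means 'collect nothing from this facility'. Sub-selectors are applied
    left to right, so '*.info;mail.none' ends up excluding mail entirely.
    """
    thresholds = {}
    for part in selector.split(";"):
        facilities, _, priority = part.strip().rpartition(".")
        if not facilities or not priority:
            raise ValueError(f"malformed selector: {part!r}")
        priority = canonical_priority(priority)
        if priority == "*":
            rank = 0                      # every priority, same as .debug
        elif priority == "none":
            rank = None
        elif priority in PRIORITIES:
            rank = PRIORITIES.index(priority)
        else:
            raise ValueError(f"unknown priority: {priority!r}")
        # 'auth,authpriv.info' names several facilities; '*' names all of them.
        targets = FACILITIES if facilities == "*" else facilities.split(",")
        for fac in targets:
            if fac not in FACILITIES:
                raise ValueError(f"unknown facility: {fac!r}")
            thresholds[fac] = rank
    return thresholds


def parse_rules(config_text):
    """Parse 'selector  target' lines from rsyslog.conf-style text."""
    rules = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("$"):
            continue
        selector, target = re.split(r"\s+", line, maxsplit=1)
        rules.append((parse_selector(selector), target))
    return rules


def route(rules, facility, priority):
    """Return the targets (in rule order) that receive a facility.priority message."""
    rank = PRIORITIES.index(canonical_priority(priority))
    hits = []
    for thresholds, target in rules:
        minimum = thresholds.get(facility)
        if minimum is not None and rank >= minimum:
            hits.append(target)
    return hits


# Constructed rule set: default messages/secure/maillog/cron rules plus the notes' rules.
SAMPLE_CONF = """
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                 /var/log/secure
mail.*                                     /var/log/maillog
cron.*                                     /var/log/cron
auth.debug                                 /var/log/westos
*.*                                        /var/log/log.all
"""
RULES = parse_rules(SAMPLE_CONF)

if __name__ == "__main__":
    for fac, prio in [("auth", "info"), ("authpriv", "info"), ("mail", "err"), ("kern", "debug")]:
        print(f"{fac}.{prio:<6} -> {route(RULES, fac, prio)}")
```

Running it shows, for instance, that an authpriv.info message (an SSH login) lands in /var/log/secure and /var/log/log.all but not in /var/log/messages, and that kern.debug reaches only the catch-all file because the messages rule starts at info.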

 

2. Remote log synchronization (lets the operations staff view everyone's logs in one place for easier management)

On the sending side: node1

vim /etc/rsyslog.conf

*.*          @172.25.254.221      (one @ means UDP, two @@ means TCP)

systemctl restart rsyslog.service

Actual steps:

[root@node1 ~]# vim /etc/rsyslog.conf          # enter the receiving host's address

[root@node1 ~]# systemctl restart rsyslog      # restart after editing the configuration file

[root@node1 ~]# systemctl restart sshd.service # generate some messages to see the effect

[root@node1 ~]# systemctl restart sshd.service

[root@node1 ~]# systemctl restart sshd.service

[root@node1 ~]# systemctl restart sshd.service

 

On the receiving side: node2

vim /etc/rsyslog.conf

Uncomment lines 15 and 16 to open the receiving channel

Restart rsyslog

Stop the firewall:

systemctl stop firewalld

systemctl disable firewalld

Actual steps:

[root@node2 ~]# > /var/log/messages     # empty the log file

[root@node2 ~]# cat /var/log/messages

[root@node2 ~]# systemctl stop firewalld   # stop the firewall

[root@node2 ~]# systemctl disable firewalld

[root@node2 ~]# > /var/log/messages

[root@node2 ~]# cat /var/log/messages

[root@node2 ~]# cat /var/log/messages

Apr 14 01:06:51 node1 systemd: Stopping OpenSSH server daemon...

Apr 14 01:06:51 node1 systemd: Starting OpenSSH server daemon...

Apr 14 01:06:51 node1 systemd: Started OpenSSH server daemon.
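What the sender's *.* @172.25.254.221 line actually puts on the wire, as an added example that is not part of the original notes: a receiver thread stands in for node2 with UDP reception enabled, the main thread stands in for node1, and both run on 127.0.0.1 with an ephemeral port instead of 514 so no root and no rsyslog are needed. The message is the classic BSD syslog line <PRI>TIMESTAMP HOST TAG: MSG with PRI = facility * 8 + severity; the sample message is constructed here.

```python
"""Loopback demonstration of a UDP syslog forward ('@host') and its decoding.

Added example, not code from the original notes and not rsyslog's own code.
The receiver decodes the PRI value back into facility and severity, which is
exactly what the receiving rsyslog needs before its own rules can match.
"""
import re
import socket
import threading

FACILITY_CODES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
                  "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11}
FACILITY_CODES.update({f"local{i}": 16 + i for i in range(8)})
SEVERITY_CODES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
                  "notice": 5, "info": 6, "debug": 7}


def encode_pri(facility, severity):
    return FACILITY_CODES[facility] * 8 + SEVERITY_CODES[severity]


def decode_pri(pri):
    facility = {v: k for k, v in FACILITY_CODES.items()}[pri // 8]
    severity = {v: k for k, v in SEVERITY_CODES.items()}[pri % 8]
    return facility, severity


def build_packet(facility, severity, timestamp, host, tag, msg):
    """Sender side: the BSD syslog line rsyslog's legacy forwarding emits."""
    return f"<{encode_pri(facility, severity)}>{timestamp} {host} {tag}: {msg}".encode()


PACKET_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:]+): (.*)$")


def parse_packet(data):
    """Receiver side: split a datagram into the fields a receiving rule would see."""
    m = PACKET_RE.match(data.decode(errors="replace"))
    if not m:
        raise ValueError("not a BSD syslog line")
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity, "timestamp": m.group(2),
            "fromhost": m.group(3), "syslogtag": m.group(4), "msg": m.group(5)}


def exchange(facility, severity, timestamp, host, tag, msg):
    """Send one datagram over 127.0.0.1 and return what the receiver parsed."""
    receiver = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    receiver.bind(("127.0.0.1", 0))          # ephemeral port stands in for 514/udp
    receiver.settimeout(5)
    result = {}

    def serve():
        data, _ = receiver.recvfrom(65535)
        result.update(parse_packet(data))

    worker = threading.Thread(target=serve)
    worker.start()
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender.sendto(build_packet(facility, severity, timestamp, host, tag, msg),
                  receiver.getsockname())
    worker.join()
    sender.close()
    receiver.close()
    return result


if __name__ == "__main__":
    # Constructed message modelled on the sshd restart lines seen in the notes.
    print(exchange("daemon", "info", "Apr 14 01:06:51", "node1", "systemd",
                   "Starting OpenSSH server daemon..."))
```

Note what the datagram does not carry: there is no authentication and no encryption, so the receiver trusts whatever source address and content arrive on the port. That is the reason to prefer opening only the syslog port to the sender (firewall-cmd --permanent --add-port=514/udp followed by firewall-cmd --reload) over disabling firewalld as the notes do, and, on networks that are not trusted, to forward over TCP with TLS, which rsyslog supports.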


3. Defining the log record format (on the receiving side)

vim /etc/rsyslog.conf

$template NAME,"record format"

*.info;mail.none;authpriv.none;cron.none                   /var/log/messages;NAME

(the template is applied by appending a semicolon and its name to the target file)

Edit under the rules section:

$template westos,"%timegenerated% %FROMHOST-IP% %syslogtag% %msg%\n"

%timegenerated%       time the message was generated

%FROMHOST-IP%         IP address of the host the message came from

%syslogtag%           program that generated the message

%msg%                 message text

\n                    newline

 

[root@node2 ~]# vim /etc/rsyslog.conf

[root@node2 ~]# > /var/log/messages

[root@node2 ~]# cat /var/log/messages

Apr 14 01:24:59 node1 systemd: Stopping OpenSSH server daemon...

Apr 14 01:24:59 node1 systemd: Starting OpenSSH server daemon...

Apr 14 01:24:59 node1 systemd: Started OpenSSH server daemon.

On the sending side you only need to restart sshd to see the effect.
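A small renderer for the $template line, added here as an example that is not part of the original notes. It expands %property% references from a constructed message dictionary the way rsyslog fills them from a received message; property names are matched case-insensitively, as rsyslog does; the sender address 192.0.2.10 is a documentation placeholder. It also shows why spelling matters: a misspelled property such as %timegenerate% is reported as unknown instead of quietly expanding to nothing.

```python
"""Renderer for a legacy rsyslog $template line.

Added example, not code from the original notes and not rsyslog's own code.
The message fields are constructed here; in rsyslog they come from the
received message.
"""
import re

PROPERTY_RE = re.compile(r"%([A-Za-z0-9_-]+)%")
ESCAPES = {"\\n": "\n", "\\t": "\t"}   # escape sequences allowed inside the quoted format


def parse_template_line(line):
    """Parse '$template NAME,"FORMAT"' into (name, format)."""
    m = re.match(r'^\$template\s+(\w+)\s*,\s*"(.*)"\s*$', line.strip())
    if not m:
        raise ValueError("not a legacy $template line")
    return m.group(1), m.group(2)


def render(fmt, message):
    """Expand every %property% in fmt from the message fields (names are case-insensitive)."""
    def lookup(match):
        name = match.group(1).lower()
        if name not in message:
            raise KeyError(f"unknown property %{match.group(1)}%")
        return str(message[name])
    text = PROPERTY_RE.sub(lookup, fmt)
    for literal, char in ESCAPES.items():
        text = text.replace(literal, char)
    return text


def is_valid_template(fmt, known):
    """True if every property the format references is one the receiver provides."""
    return all(p.lower() in known for p in PROPERTY_RE.findall(fmt))


# Constructed message: the fields rsyslog would have filled in on node2 for one forwarded line.
MESSAGE = {
    "timegenerated": "Apr 14 01:24:59",
    "fromhost-ip": "192.0.2.10",         # placeholder sender address, not taken from the notes
    "syslogtag": "systemd:",
    "msg": "Stopping OpenSSH server daemon...",
}

TEMPLATE_LINE = r'$template westos,"%timegenerated% %FROMHOST-IP% %syslogtag% %msg%\n"'


def render_westos(message=MESSAGE):
    """Apply the notes' westos template; returns (template name, rendered line)."""
    name, fmt = parse_template_line(TEMPLATE_LINE)
    return name, render(fmt, message)


if __name__ == "__main__":
    name, line = render_westos()
    print(name, repr(line))
    # A misspelled property name is caught before anything is written.
    print(is_valid_template("%timegenerate% %msg%", frozenset(MESSAGE)))
```

The rendered line is the one /var/log/messages on node2 would contain for that event: timestamp, the sender's IP instead of the hostname it claims, program tag and text. Logging the source IP rather than the hostname from inside the message is worth keeping in a format used for remote logs, since the hostname field is supplied by the sender.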

4. Log viewing tools

journalctl         view the in-memory journal directly

journalctl -n 3    show the latest three entries

journalctl -p err  show error messages

journalctl -f      follow in real time; end with Ctrl+C

journalctl --since --until  e.g. journalctl --since 01:30 --until 01:40

journalctl -o verbose   show the full set of fields for each entry

journalctl _PID=1248    show entries from the process with PID 1248

[root@node2 ~]# journalctl -n 3    # show the latest three entries

-- Logs begin at Fri 2018-04-13 20:55:15 EDT, end at Sat 2018-04-14 01:52:18 E

Apr 14 01:52:18 node2.example.com dbus[516]: [system] Activating service name=

Apr 14 01:52:18 node2.example.com dbus-daemon[516]: dbus[516]: [system] Succes

Apr 14 01:52:18 node2.example.com dbus[516]: [system] Successfully activated s

[root@node2 ~]# journalctl -p err  # show errors

-- Logs begin at Fri 2018-04-13 20:55:15 EDT, end at Sat 2018-04-14 01:52:18 E

Apr 13 20:55:15 localhost kernel: Failed to access perfctr msr (MSR c1 is 0)

Apr 13 20:55:16 localhost rpcbind[171]: rpcbind terminating on signal. Restart

[root@node2 ~]# journalctl -f   # follow mode: log in to this host from the other VM and run any command, and the entries appear here

-- Logs begin at Fri 2018-04-13 20:55:15 EDT. --

Apr 14 01:40:01 node2.example.com systemd[1]: Starting Session 38 of user ....

Apr 14 01:40:01 node2.example.com systemd[1]: Started Session 38 of user root.

[root@node2 ~]# journalctl --since 01:30 --until 01:38  # show entries between 01:30 and 01:38

-- Logs begin at Fri 2018-04-13 20:55:15 EDT, end at Sat 2018-04-14 01:54:07 E

Apr 14 01:30:01 node2.example.com systemd[1]: Starting Session 37 of user root

[root@node2 ~]# systemctl status sshd.service       # check the status of sshd

sshd.service - OpenSSH server daemon

   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)

   Active: active (running) since Sat 2018-04-14 01:00:57 EDT; 54min ago

 Main PID: 1972 (sshd)

   CGroup: /system.slice/sshd.service

           └─1972 /usr/sbin/sshd -D

 

Apr 14 01:00:57 node2.example.com systemd[1]: Starting OpenSSH server daem....

[root@node2 ~]# systemctl restart sshd.service       # restart sshd

[root@node2 ~]# systemctl status sshd.service        # check the status of sshd again

sshd.service - OpenSSH server daemon

   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)

   Active: active (running) since Sat 2018-04-14 01:56:06 EDT; 2s ago

  Process: 3216 ExecStartPre=/usr/sbin/sshd-keygen (code=exited, status=0/SUCCESS)

 Main PID: 3217 (sshd)          # the PID changed after the restart

   CGroup: /system.slice/sshd.service

           └─3217 /usr/sbin/sshd -D

 

Apr 14 01:56:06 node2.example.com systemd[1]: Starting OpenSSH server daem....

[root@node2 ~]# journalctl -o verbose     # show the full set of fields for each entry

-- Logs begin at Fri 2018-04-13 20:55:15 EDT, end at Sat 2018-04-14 01:56:06 E

Fri 2018-04-13 20:55:15.713861 EDT [s=f3c65c31d1d04ad3b6ac6a35a742ecac;i=1;b=8

    PRIORITY=6

    _TRANSPORT=driver

[root@node2 ~]# journalctl _PID=3217    # entries from the process with PID 3217

-- Logs begin at Fri 2018-04-13 20:55:15 EDT, end at Sat 2018-04-14 01:58:27 EDT. --

Apr 14 01:56:06 node2.example.com sshd[3217]: Server listening on 0.0.0.0 port 22.

Apr 14 01:56:06 node2.example.com sshd[3217]: Server listening on :: port 22.

Managing systemd-journald

By default this daemon is only responsible for viewing logs; it does not save or collect them persistently.

So after a shutdown and reboot, journalctl can only show entries from after the boot: the earlier entries were kept in memory, were wiped by the shutdown, and cannot be seen with journalctl after the reboot.

How do we make systemd-journald save the journal to disk?

mkdir /var/log/journal

chgrp systemd-journal /var/log/journal

chmod g+s /var/log/journal

killall -1 systemd-journald   # reload (SIGHUP)

journalctl -n 3      # show the latest three entries

date

reboot               # reboot and check the effect

journalctl
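The directory preparation for persistent journal storage, written as a Python script that is an added example and not part of the original notes. prepare_journal_dir() does what mkdir/chgrp/chmod do in the notes (mode 2755: the setgid bit makes new journal files inherit the directory's group, so members of systemd-journal can read them), check_journal_dir() verifies the result, and storage_setting() reads the Storage= value from journald.conf text. The group id is a parameter because the systemd-journal group does not exist on every machine, and the demo runs against a temporary directory; reloading journald is left to the caller.

```python
"""Prepare and verify a persistent journal directory.

Added example, not code from the original notes and not part of systemd.
Paths and group ids are parameters; the demo uses a temporary directory and
the current process's group so it runs without privileges.
"""
import os
import stat
import tempfile

EXPECTED_MODE = 0o2755   # rwxr-sr-x: setgid bit plus world-readable listing


def check_journal_dir(path, gid):
    """Report whether path looks like a usable persistent journal directory."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    return {
        "is_dir": stat.S_ISDIR(st.st_mode),
        "setgid": bool(mode & stat.S_ISGID),
        "mode_ok": mode == EXPECTED_MODE,
        "group_ok": st.st_gid == gid,
        "mode": oct(mode),
    }


def prepare_journal_dir(path, gid):
    """Create path if needed, hand it to gid and set mode 2755 (mkdir + chgrp + chmod)."""
    os.makedirs(path, exist_ok=True)
    os.chown(path, -1, gid)          # -1 leaves the owner unchanged
    os.chmod(path, EXPECTED_MODE)
    return check_journal_dir(path, gid)


def storage_setting(journald_conf_text):
    """Return the effective Storage= value from journald.conf text ('auto' when unset)."""
    value = "auto"
    for line in journald_conf_text.splitlines():
        line = line.strip()
        if line.startswith("Storage="):
            value = line.split("=", 1)[1].strip()
    return value


def demo_in_tempdir():
    """Run the preparation against a throwaway directory and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return prepare_journal_dir(os.path.join(tmp, "journal"), os.getgid())


if __name__ == "__main__":
    print(demo_in_tempdir())
    # Constructed journald.conf fragments: the shipped default and an explicit setting.
    print(storage_setting("[Journal]\n#Storage=auto\n"))
    print(storage_setting("[Journal]\nStorage=persistent\n"))
```

Storage=auto, the default, is what makes the mkdir sufficient: journald writes to /var/log/journal only when that directory exists and otherwise keeps the journal in /run/log/journal, where it is lost at shutdown. Setting Storage=persistent in /etc/systemd/journald.conf makes journald create the directory itself.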

[root@node2 ~]# journalctl -n 3     # show the latest three entries

-- Logs begin at Fri 2018-04-13 20:55:15 EDT, end at Sat 2018-04-14 02:21:02 EDT. --

Apr 14 02:21:02 node2.example.com dbus[516]: [system] Activating service name='org.free

Apr 14 02:21:02 node2.example.com dbus-daemon[516]: dbus[516]: [system] Successfully ac

Apr 14 02:21:02 node2.example.com dbus[516]: [system] Successfully activated service 'o

lines 1-4/4 (END)

[root@node2 ~]# date

Sat Apr 14 02:21:20 EDT 2018

[root@node2 ~]# reboot          # after the reboot, the entries from before the date command are lost

Connection to 172.25.254.221 closed by remote host.

Connection to 172.25.254.221 closed.

[kiosk@foundation21 Desktop]$ ssh [email protected]

[email protected]'s password:

Last login: Sat Apr 14 02:22:25 2018

[root@node2 ~]# journalctl -n 3

-- Logs begin at Sat 2018-04-14 02:21:52 EDT, end at Sat 2018-04-14 02:22:43 EDT. --

Apr 14 02:22:33 node2.example.com gnome-session[1164]: Window manager warning: Log leve

Apr 14 02:22:34 node2.example.com gnome-session[1164]: (tracker-miner-fs:1572): GLib-CR


[root@node2 ~]# mkdir /var/log/journal      # create the directory

[root@node2 ~]# chown root.systemd-journal /var/log/journal/    # change the group

[root@node2 ~]# ls -ld /var/log/journal/                        # check

drwxr-xr-x. 2 root systemd-journal 6 Apr 14 02:25 /var/log/journal/

[root@node2 ~]# chmod 2755 /var/log/journal/                    # set the permissions (setgid bit)

[root@node2 ~]# ls -ld /var/log/journal/                        # check the permissions

drwxr-sr-x. 2 root systemd-journal 6 Apr 14 02:25 /var/log/journal/

[root@node2 ~]# ps aux | grep systemd-journald

root       361  0.0  0.2  40864  2208 ?        Ss   02:21   0:00 /usr/lib/systemd/systemd-journald

root      1781  0.0  0.0 112644   940 pts/0    R+   02:28   0:00 grep --color=auto systemd-journald

[root@node2 ~]# killall -9 systemd-journald                # refresh (systemd restarts journald, which then uses the new directory)

[root@node2 ~]# ls /var/log/journal/

946cb0e817ea4adb916183df8c4fc817

[root@node2 ~]# cd /var/log/journal/946cb0e817ea4adb916183df8c4fc817/

[root@node2 946cb0e817ea4adb916183df8c4fc817]# ls

system.journal

[root@node2 946cb0e817ea4adb916183df8c4fc817]# file system.journal

system.journal: data

[root@node2 946cb0e817ea4adb916183df8c4fc817]# journalctl -n    # view the log

-- Logs begin at Sat 2018-04-14 02:21:52 EDT, end at Sat 2018-04-14 02:30:02 EDT. --

Apr 14 02:26:34 node2.example.com dbus[513]: [system] Successfully activated service 'c

[root@node2 946cb0e817ea4adb916183df8c4fc817]# date

Sat Apr 14 02:31:08 EDT 2018

[root@node2 946cb0e817ea4adb916183df8c4fc817]# reboot     重启

Connection to 172.25.254.221 closed by remote host.

Connection to 172.25.254.221 closed.

[kiosk@foundation21 Desktop]$ ssh [email protected]

[email protected]'s password:

Last login: Sat Apr 14 02:22:30 2018 from 172.25.254.21

[root@node2 ~]# journalctl -n                              # check: the entries from before the shutdown are also kept in the directory

-- Logs begin at Sat 2018-04-14 02:28:45 EDT, end at Sat 2018-04-14 02:32:13 EDT. --

Apr 14 02:31:56 node2.example.com fprintd[1143]: Launching FprintObject






Reposted from blog.csdn.net/aaaaaab_/article/details/79965703