一、journald
Enterprises, the log management is a very important issue general system, are reflected in the log. Logs are generated by the program itself, journald log collection tool that emerged after RHEL7, log generated by the program will be available for review on the disk
Service Name: systemd-journald.service
Log default storage path: /run/log
log viewer: journalctl
Example 1: The journalctlView log
example 2: journalctlView log latest three rows
example 3: a service restart sshd journalctlView log latest three lines
example 4: Specifies the view start time of the log journalctl --since, for example, the current time is 7:48 p.m., the system can be viewed from the start 19:47 log generated in
example 4: Specifies the view log termination time journalctl --until, the current time is 19:52, for example, see start from 19:47 to 19:48 end generated in the system log
example 5: shows the log with classic mode journalctl -o short, i.e. classic mode is the default mode, and with the journalctlresults shown when viewing the log in the same
example 6: all the bytes of the log, all available journalctl -o verbose
example 7: binary format suitable for display and backup outgoing journalctl -o export
example 8: display format js journalctl -o json
example 9: Specifies the level log journalctl -p 参数
log level can be divided into eight categories, listed in descending order in table
| 0 | emerg | Kernel crash |
|---|---|---|
| 1 | alert | You need to be modified immediately |
| 2 | crit | Severity level, to prevent the whole system does not work |
| 3 | err | Error level, prevent a function or a module does not work |
| 4 | warning | Warning Level |
| 5 | notice | General log important information |
| 6 | info | General information |
| 7 | debug | Program debugging information |
For example: the display information warning level journalctl -p warning
Example 10: View controllable log level journalctl -F PRIORITY, the display can be viewed 2-7
Example 11: journalctl -p 数字Check the specified level log
Example 12: journalctl -uview the log specified service
such as: View log service sshd
Example 13: journalctl --disk-usage, View log size
to set the log storage size journalctl --vacuum-size=1Gis set to 1G, this command can be set up at the earliest log memory will fill up empty, complete the rollback log settings to prevent the system disk is filled
set the maximum storage time in the system log in journalctl --vacuum-time=1W
example 14: journalctl -fthe log is monitoring
the establishment of a monitoring command in a shell
restart sshd service in another shell
example 14: journalctl -u sshdView will show a lot of time specified sshd service log service sshd log, when you want to view current or a certain specified can the log sshd service in a journalctl -o verboselookup id specified log view
example 15: You can view the specified logs by specifying the ip designated service manner
example 16: default log in journald stored location / run / log, so use tool journalctl when viewing the log, the log just after the system is turned from a current record
example 17: when the required When the permanent preservation logs, you need to change the storage path system logs
to create the directory / var / log / journal, and change the directory of all the groups and directory permissions, restart the service
to view the service current status
after reboot the system with the journalctllog before to see if is preserved the results showed that after reboot the system, previously saved log down
Two, rsyslog
Service Name: rsyslog.service
Profile: /etc/rsyslog.conf
log storage path is stored in the classification, as well as a common path for the log types in the following table
| / Var / log / messages | Logs record for most systems |
|---|---|
| / Var / log / secure | Security and authentication messages |
| / Var / log / maillog | Log information related to the mail service |
| / Var / log / cron | Associated with the scheduled task log information |
| /var/log/boot.log | And log information about the system starts |
rsyslog journal and in different ways, this embodiment does not provide a log collection log collection tool, but rather is provided directly by changing the acquisition profile
first experiment, custom log acquisition path
to all types of system, all levels are stored in the log / var / log / wang in
the system at all levels in all types of files in addition to authpriv types are stored in / var / log / dan in
the / var / log / content messages are emptied, change the configuration file to restart the service, look in / var / log / wang whether to save the system log
in rsyslog, a common log types are divided
| auth | Pam logs generated |
|---|---|
| authpriv | Log ssh, ftp and other login information generated |
| cron | Time-related tasks |
| kern | Kernel |
| news | Newsgroups |
| user | Information about the user program generated |
Common log level and a very similar journald
| debug | Debugging information, log information |
|---|---|
| info | Log general information, do common |
| notice | Important general information |
| warning | Warning Level |
| err | Error level, prevent a function or module does not work |
| crit | Severity level, prevent the entire system does not work |
| alert | You need to be modified immediately |
| emerg | Kernel crashes |
| none | Nothing Record |
The second experiment, the change log acquisition formats
still need to change the common format is defined in the configuration file
| %timegenerated% | Display log time |
|---|---|
| %FROMHOST-IP% | Show host ip |
| %syslogtag% | Logging goal |
| %msg% | Log content |
| \n | 换行 |
更改配置文件内容如下
定义日志格式WANG为30行所示
在日志存存放路径/var/log/messages后加上;WANG表示存放在此处的日志信息按照WANG的格式采集
默认情况下日志格式如下
更改后日志格式如下
三、远程同步日志
在企业管理过程中,需要查看不同主机上产生的日志,单独每个主机的查看非常不方便,所以需要将多台远程主机的日志同步到一台主机上再进行查看
此次实验需要两台能够通信的主机。我们将rhel7设置为日志接收端,将rhel8设置为日志发送端
接收端:这个功能的实现首先需要关闭接收端的防火墙,然后在配置文件中进行相应的操作
在日志接收端
打开日志同步接受插件并且指定插件使用的接口为514
重启服务并查看插件接口是否打开
发送端:同样需要更改配置文件
在接收端和发送端都清空/var/log/messages文件
在发送端:用日志测试工具logger产生测试日志
在接收端查看日志是否同步
四、timedatectl
示例1:更改当地时间timedatectl set-time 时间
示例2:列出系统中所有的时区
示例3:更改系统的时区
示例3:设置系统时间的计算方式
设定系统计算方式为UTC方式
设定系统时间计算方式为普通方式
五、时间同步服务
Service Name: chronyd.service
Profile: /etc/chrony.conf
In carrying out this function, we also need to be able to host two communications, so rhel7 as a time source, rhel8 to synchronize time 7
closed in rhel7 the firewall, make the following changes in the configuration file: On Time synchronization server function level is set to 10 and
change the configuration file as follows rhel8 the
results are shown in time synchronized to rhel7
