Log management and optimization on Linux systems

Foreword

Log collection is done by each program itself, because every program writes its own information to the log.
journald and rsyslog are the services that collect those logs and save them in a fixed format. Before RHEL 7 there was only rsyslog; from RHEL 7 on, both are present.
journald cannot be turned off.
Any significant change made to the system leaves a log entry.

  • Experimental environment
    rhel7_node1: 172.25.254.10
    rhel8_node1: 172.25.254.11

journald

Service Name: systemd-journald.service

[root@rhel7_node1 ~]# systemctl status systemd-journald.service
● systemd-journald.service - Journal Service
   Loaded: loaded (/usr/lib/systemd/system/systemd-journald.service; static; vendor preset: disabled)
   Active: active (running) since Mon 2020-03-09 19:10:55 CST; 53min ago
     Docs: man:systemd-journald.service(8)
           man:journald.conf(5)
 Main PID: 3353 (systemd-journal)
   Status: "Processing requests..."
    Tasks: 1
   CGroup: /system.slice/systemd-journald.service
           └─3353 /usr/lib/systemd/systemd-journald

Mar 09 19:10:55 rhel7_node1.westos.com systemd-journal[3353]: Runtime journal…).
Mar 09 19:10:55 rhel7_node1.westos.com systemd-journal[3353]: Journal started
Hint: Some lines were ellipsized, use -l to show in full.

The command provided is journalctl.
Default log storage path: /run/log (the log is emptied every time the system reboots)

[root@rhel7_node1 ~]# cd /run/log
[root@rhel7_node1 log]# ls
journal
[root@rhel7_node1 log]# bootctl 
System:
   Machine ID: 4f72081b06bf47e99ea36241be61e2e4   # machine ID; identifies the log of the current machine
      Boot ID: 15a33520fcfe40d48709fc6faa55a7ba

No suitable data is provided by the boot manager. See:
  http://www.freedesktop.org/wiki/Software/systemd/BootLoaderInterface
  http://www.freedesktop.org/wiki/Specifications/BootLoaderSpec
for details.

[root@rhel7_node1 journal]# ls
4f72081b06bf47e99ea36241be61e2e4

Experimental procedure (using the journalctl command)

  • journalctl
    -n 3 (show the latest 3 log entries)

      [root@rhel7_node1 journal]# systemctl restart sshd
      [root@rhel7_node1 journal]# journalctl -n 3
      -- Logs begin at Mon 2020-03-09 19:09:58 CST, end at Mon 2020-03-09 20:12:01 CST. --
      Mar 09 20:12:00 rhel7_node1.westos.com sshd[10817]: Server listening on :: port 22.
      Mar 09 20:12:01 rhel7_node1.westos.com polkitd[7090]: Unregistered Authentication Agent for unix-pr
      Mar 09 20:12:00 rhel7_node1.westos.com systemd[1]: Started OpenSSH server daemon.
    

    --since "2020-02-13 17:00" (show entries written after 17:00)

      [root@rhel7_node1 ~]# journalctl --since "2020-03-10 16:25"
      -- Logs begin at Tue 2020-03-10 16:22:32 CST, end at Tue 2020-03-10 16:30:01 CST. --
      Mar 10 16:25:24 rhel7_node1.westos.com gnome-shell[9919]: JS WARNING: [resource:///org/gnome/shell/
      Mar 10 16:25:24 rhel7_node1.westos.com gnome-shell[9919]: JS WARNING: [resource:///org/gnome/shell/
      Mar 10 16:25:26 rhel7_node1.westos.com dbus[7066]: [system] Activating via systemd: service name='n
      ...
    

    --until "2020-02-13 17:00" (show entries written up to 17:00)

      [root@rhel7_node1 ~]# journalctl --until "2020-03-10 16:22:33"
      -- Logs begin at Tue 2020-03-10 16:22:32 CST, end at Tue 2020-03-10 16:31:28 CST. --
      Mar 10 16:22:32 localhost.localdomain systemd-journal[85]: Runtime journal is using 8.0M (max allow
      Mar 10 16:22:32 localhost.localdomain kernel: Initializing cgroup subsys cpuset
      Mar 10 16:22:32 localhost.localdomain kernel: Initializing cgroup subsys cpu
      Mar 10 16:22:32 localhost.localdomain kernel: Initializing cgroup subsys cpuacct
      ...
    

    -o (output format)
    short (classic one-line display)

      [root@rhel7_node1 ~]# journalctl -o short
      -- Logs begin at Tue 2020-03-10 16:22:32 CST, end at Tue 2020-03-10 16:33:31 CST. --
      Mar 10 16:22:32 localhost.localdomain systemd-journal[85]: Runtime journal is using 8.0M (max allow
      Mar 10 16:22:32 localhost.localdomain kernel: Initializing cgroup subsys cpuset
      Mar 10 16:22:32 localhost.localdomain kernel: Initializing cgroup subsys cpu
      Mar 10 16:22:32 localhost.localdomain kernel: Initializing cgroup subsys cpuacct
    

    verbose (show every field of every entry)

      [root@rhel7_node1 ~]# journalctl -o verbose
      -- Logs begin at Tue 2020-03-10 16:22:32 CST, end at Tue 2020-03-10 16:36:30 CST. --
      Tue 2020-03-10 16:22:32.608315 CST [s=f137873616914c5dae3d6ba6f1bfd010;i=1;b=ea79dda9bc13465f9f8acb
          PRIORITY=6
          _TRANSPORT=driver
          MESSAGE=Runtime journal is using 8.0M (max allowed 90.9M, trying to leave 136.4M free of 901.7M
          MESSAGE_ID=ec387f577b844b8fa948f33cad9a75e6
          _PID=85
          _UID=0
          _GID=0
          _COMM=systemd-journal
          _EXE=/usr/lib/systemd/systemd-journald
          _CMDLINE=/usr/lib/systemd/systemd-journald
          _CAP_EFFECTIVE=5402800cf
          _SYSTEMD_CGROUP=/system.slice/systemd-journald.service
          _SYSTEMD_UNIT=systemd-journald.service
          _SYSTEMD_SLICE=system.slice
          _BOOT_ID=ea79dda9bc13465f9f8acb8ed43f07b1
          _MACHINE_ID=4f72081b06bf47e99ea36241be61e2e4
          _HOSTNAME=localhost.localdomain
      Tue 2020-03-10 16:22:32.608396 CST [s=f137873616914c5dae3d6ba6f1bfd010;i=2;b=ea79dda9bc13465f9f8acb
          PRIORITY=6
          _BOOT_ID=ea79dda9bc13465f9f8acb8ed43f07b1
          _MACHINE_ID=4f72081b06bf47e99ea36241be61e2e4
    

    export (binary-safe format for transfer and backup)

      [root@rhel7_node1 ~]# journalctl -o export
      __CURSOR=s=f137873616914c5dae3d6ba6f1bfd010;i=1;b=ea79dda9bc13465f9f8acb8ed43f07b1;m=170534;t=5a07b
      __REALTIME_TIMESTAMP=1583828552608315
      __MONOTONIC_TIMESTAMP=1508660
      _BOOT_ID=ea79dda9bc13465f9f8acb8ed43f07b1
      PRIORITY=6
      _TRANSPORT=driver
      MESSAGE=Runtime journal is using 8.0M (max allowed 90.9M, trying to leave 136.4M free of 901.7M ava
      MESSAGE_ID=ec387f577b844b8fa948f33cad9a75e6
      _PID=85
      ......
    

    json (JSON output format)

      [root@rhel7_node1 ~]# journalctl -o json
      { "__CURSOR" : "s=f137873616914c5dae3d6ba6f1bfd010;i=1;b=ea79dda9bc13465f9f8acb8ed43f07b1;m=170534;
      { "__CURSOR" : "s=f137873616914c5dae3d6ba6f1bfd010;i=2;b=ea79dda9bc13465f9f8acb8ed43f07b1;m=170585;
      { "__CURSOR" : "s=f137873616914c5dae3d6ba6f1bfd010;i=3;b=ea79dda9bc13465f9f8acb8ed43f07b1;m=17059c;
      { "__CURSOR" : "s=f137873616914c5dae3d6ba6f1bfd010;i=4;b=ea79dda9bc13465f9f8acb8ed43f07b1;m=1705ad;
      { "__CURSOR" : "s=f137873616914c5dae3d6ba6f1bfd010;i=5;b=ea79dda9bc13465f9f8acb8ed43f07b1;m=1705b9;
      { "__CURSOR" : "s=f137873616914c5dae3d6ba6f1bfd010;i=6;b=ea79dda9bc13465f9f8acb8ed43f07b1;m=1705c7;
      { "__CURSOR" : "s=f137873616914c5dae3d6ba6f1bfd010;i=7;b=ea79dda9bc13465f9f8acb8ed43f07b1;m=1705d5;
      { "__CURSOR" : "s=f137873616914c5dae3d6ba6f1bfd010;i=8;b=ea79dda9bc13465f9f8acb8ed43f07b1;m=1705e3;
      { "__CURSOR" : "s=f137873616914c5dae3d6ba6f1bfd010;i=9;b=ea79dda9bc13465f9f8acb8ed43f07b1;m=1705f5;
    

    -p (show entries at the given level or more severe)
    0 emerg (serious system problem)
    1 alert (information that requires immediate action)
    2 crit (critical condition that stops the system from working properly)
    3 err (program error)
    4 warning (program warning)
    5 notice (normal but important information)
    6 info (general information)
    7 debug (program debugging information)

      [root@rhel7_node1 ~]# journalctl -p err
      -- Logs begin at Tue 2020-03-10 16:22:32 CST, end at Tue 2020-03-10 16:41:07 CST. --
      Mar 10 16:22:54 rhel7_node1.westos.com kernel: piix4_smbus 0000:00:07.3: SMBus Host Controller not 
      Mar 10 16:23:14 rhel7_node1.westos.com smartd[7088]: DEVICESCAN failed: glob(3) aborted matching pa
      Mar 10 16:23:14 rhel7_node1.westos.com smartd[7088]: In the system's table of devices NO devices fo
      Mar 10 16:24:10 rhel7_node1.westos.com pulseaudio[10476]: [alsa-source-ES1371/1] alsa-source.c: ALS
      Mar 10 16:24:10 rhel7_node1.westos.com pulseaudio[10476]: [alsa-source-ES1371/1] alsa-source.c: Mos
      Mar 10 16:24:10 rhel7_node1.westos.com pulseaudio[10476]: [alsa-source-ES1371/1] alsa-source.c: We 
      Mar 10 16:24:24 rhel7_node1.westos.com spice-vdagent[11460]: Cannot access vdagent virtio channel /
      ...
    

    -F PRIORITY (list the priority values present in the journal; 2 to 7 are the levels a program can set itself, because 0 and 1 are kernel-level)

      [root@rhel7_node1 ~]# journalctl -F PRIORITY
      2
      3
      4
      7
      5
      6
    

    -u sshd (show entries of the given service)

      [root@rhel7_node1 ~]# journalctl -u sshd
      -- Logs begin at Tue 2020-03-10 16:22:32 CST, end at Tue 2020-03-10 16:47:43 CST. --
      Mar 10 16:23:33 rhel7_node1.westos.com systemd[1]: Starting OpenSSH server daemon...
      Mar 10 16:23:35 rhel7_node1.westos.com sshd[7725]: Server listening on 0.0.0.0 port 22.
      Mar 10 16:23:35 rhel7_node1.westos.com sshd[7725]: Server listening on :: port 22.
      Mar 10 16:23:35 rhel7_node1.westos.com systemd[1]: Started OpenSSH server daemon.
    

    --disk-usage (show the size of the journal)

      [root@rhel7_node1 ~]# journalctl --disk-usage
      Archived and active journals take up 8.0M on disk.
    

    --vacuum-size=1G (cap the journal's size on disk: a one-off operation, not a persistent setting)

      [root@rhel7_node1 ~]# journalctl --vacuum-size=1G
      Vacuuming done, freed 0B of archived journals on disk.
    

    --vacuum-time=1W (discard entries older than the given age: a one-off operation; the unit suffix must be lowercase, such as 1w or 1week, which is why the uppercase 1W below is rejected)

      [root@rhel7_node1 ~]# journalctl --vacuum-time=1W
      Failed to parse vacuum time: 1W
    

    -f (follow the log as it is written)
    Note: to view the log of one service, first find the service's PID and unit name (journalctl -o verbose prints every field of every entry, including _PID and _SYSTEMD_UNIT), then filter on those fields: journalctl _PID=10924 _SYSTEMD_UNIT=sshd.service

      [root@rhel7_node1 ~]# journalctl _PID=19655 _SYSTEMD_UNIT=sshd.service 
      -- Logs begin at Tue 2020-03-10 16:22:32 CST, end at Tue 2020-03-10 17:01:01 CST. --
      Mar 10 16:59:50 rhel7_node1.westos.com sshd[19655]: Server listening on 0.0.0.0 port 22.
      Mar 10 16:59:50 rhel7_node1.westos.com sshd[19655]: Server listening on :: port 22.
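As an added example (not from the original post), the following Python script parses the one-object-per-line output of journalctl -o json shown above and reproduces the -p, -u and -F PRIORITY filters offline, so the level table can be checked against real entries. The journal lines are constructed for this example; the unit names, PIDs, cursors and messages in them are made up.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Numeric syslog priorities, as listed for journalctl -p above.
PRIORITY_NAMES = {0: "emerg", 1: "alert", 2: "crit", 3: "err",
                  4: "warning", 5: "notice", 6: "info", 7: "debug"}
PRIORITY_NUMBERS = {name: num for num, name in PRIORITY_NAMES.items()}

# Constructed sample in the shape of `journalctl -o json` output: one JSON
# object per line, every field a string. Entry 3 carries MESSAGE as an array
# of byte values, which is how journalctl prints non-UTF-8 fields.
SAMPLE_JSON_LINES = """\
{"__CURSOR":"s=example;i=1","__REALTIME_TIMESTAMP":"1583828552608315","PRIORITY":"6","_SYSTEMD_UNIT":"sshd.service","_PID":"7725","MESSAGE":"Server listening on 0.0.0.0 port 22."}
{"__CURSOR":"s=example;i=2","__REALTIME_TIMESTAMP":"1583828600000000","PRIORITY":"3","_SYSTEMD_UNIT":"smartd.service","_PID":"7088","MESSAGE":"DEVICESCAN failed: glob(3) aborted matching pattern"}
{"__CURSOR":"s=example;i=3","__REALTIME_TIMESTAMP":"1583828650000000","PRIORITY":"4","_SYSTEMD_UNIT":"sshd.service","_PID":"7725","MESSAGE":[82,101,99,101,105,118,101,100,32,100,105,115,99,111,110,110,101,99,116]}
{"__CURSOR":"s=example;i=4","__REALTIME_TIMESTAMP":"1583828700000000","PRIORITY":"2","_TRANSPORT":"kernel","MESSAGE":"example critical kernel message"}
"""


def field_text(value):
    """journalctl -o json prints text fields as strings, non-UTF-8 fields as
    arrays of byte values, and fields over 4096 bytes as null; normalise all three."""
    if value is None:
        return ""
    if isinstance(value, list):
        return bytes(value).decode("utf-8", errors="replace")
    return str(value)


def parse_journal_json(text):
    """Parse `journalctl -o json` output (one object per line) into dicts."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        entries.append({
            "cursor": obj.get("__CURSOR"),
            "time_us": int(obj["__REALTIME_TIMESTAMP"]),
            "priority": int(obj["PRIORITY"]),
            # Kernel messages carry _TRANSPORT=kernel instead of a unit name.
            "unit": obj.get("_SYSTEMD_UNIT") or obj.get("_TRANSPORT", "unknown"),
            "pid": obj.get("_PID"),
            "message": field_text(obj.get("MESSAGE")),
        })
    return entries


def filter_entries(entries, max_priority="err", unit=None):
    """Equivalent of `journalctl -p LEVEL [-u UNIT]`: a lower number is more
    severe, so -p err keeps priorities 0..3."""
    limit = (PRIORITY_NUMBERS[max_priority] if isinstance(max_priority, str)
             else int(max_priority))
    return [e for e in entries
            if e["priority"] <= limit and (unit is None or e["unit"] == unit)]


def priority_histogram(entries):
    """Like `journalctl -F PRIORITY`, but counting entries per level name."""
    return Counter(PRIORITY_NAMES[e["priority"]] for e in entries)


def format_short(entry):
    """Render an entry in the style of `-o short` (timestamp shown in UTC)."""
    ts = datetime.fromtimestamp(entry["time_us"] / 1_000_000, tz=timezone.utc)
    pid = f"[{entry['pid']}]" if entry["pid"] else ""
    return f"{ts:%b %d %H:%M:%S} {entry['unit']}{pid}: {entry['message']}"


if __name__ == "__main__":
    entries = parse_journal_json(SAMPLE_JSON_LINES)
    print("levels present:", dict(priority_histogram(entries)))
    for e in filter_entries(entries, "err"):
        print(format_short(e))
```

To run it against a live system, pipe `journalctl -o json` into parse_journal_json; remember that fields larger than 4096 bytes are printed as null unless --all is given, which is why field_text() tolerates None.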
    

Experimental procedure (storing the journald service log permanently)

By default the system writes its log to /run/log/journal, which is cleared after every restart. To keep a complete, permanent log of what happened on the system:

mkdir /var/log/journal
chgrp systemd-journal /var/log/journal
chmod 2775 /var/log/journal
systemctl restart systemd-journald.service

After the service is restarted, the log storage path becomes /var/log/journal

Test:
1. Check the log before carrying out the steps above
2. Restart the system
3. Check the log again
4. The log from before the restart was not kept; only entries written after the restart are visible
5. Carry out the steps above and restart once more: this time the log is preserved
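A check for the result of the mkdir/chgrp/chmod steps above, added here as an example (not part of the original post): it reports whether /var/log/journal exists, carries the systemd-journal group and has mode 2775 (the setgid bit is what makes new journal files inherit the group). demo_in_tempdir() runs the same check against a throwaway directory so it can be tried without root.

```python
import grp
import os
import stat
import tempfile

JOURNAL_GROUP = "systemd-journal"
EXPECTED_MODE = 0o2775   # rwxrwsr-x: setgid so files created inside inherit the group


def journal_dir_problems(path="/var/log/journal", group=JOURNAL_GROUP):
    """Return a list of problems with the persistent journal directory (an empty
    list means it matches the mkdir/chgrp/chmod steps above).
    `group` may be a group name or a numeric gid."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} is missing: journald keeps using the volatile /run/log/journal"]
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append(f"{path} is not a directory")
    mode = stat.S_IMODE(st.st_mode)
    if mode != EXPECTED_MODE:
        problems.append(f"mode is {mode:04o}, expected {EXPECTED_MODE:04o}")
    if isinstance(group, int):
        gid = group
    else:
        try:
            gid = grp.getgrnam(group).gr_gid
        except KeyError:
            problems.append(f"group {group!r} does not exist on this host")
            gid = None
    if gid is not None and st.st_gid != gid:
        problems.append(f"group id is {st.st_gid}, expected {gid} ({group})")
    return problems


def demo_in_tempdir():
    """Exercise the check on a throwaway directory instead of /var/log/journal
    (constructed for this example; no root needed). Returns three results:
    (correctly set up, wrong mode, missing path)."""
    with tempfile.TemporaryDirectory() as base:
        d = os.path.join(base, "journal")
        os.mkdir(d)
        os.chmod(d, EXPECTED_MODE)
        gid = os.stat(d).st_gid          # the group the directory actually got
        good = journal_dir_problems(d, gid)
        os.chmod(d, 0o755)               # drop setgid and group-write
        bad_mode = journal_dir_problems(d, gid)
        missing = journal_dir_problems(os.path.join(base, "nope"), gid)
    return good, bad_mode, missing


if __name__ == "__main__":
    for label, result in zip(("good", "bad mode", "missing"), demo_in_tempdir()):
        print(f"{label}: {result or 'ok'}")
    print("real path:", journal_dir_problems() or "ok")
```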

rsyslog

  • Service name: rsyslog.service
  • Log storage:
    /var/log/messages # system service logs: general information and service errors
    /var/log/secure # system authentication log
    /var/log/maillog # system mail log
    /var/log/cron # scheduled task (cron) log
    /var/log/boot.log # system boot log
  • Configuration file: /etc/rsyslog.conf

Experimental procedure (custom log storage path)

1. Edit the configuration file
vim /etc/rsyslog.conf

Each rule has the form: log type.log level    storage path

*.*                                                     /var/log/westos     # store logs of every type and level in westos

*.*;authpriv.none     							/var/log/westos      # store logs of every type and level in westos, except authpriv, which is not stored in westos

Log types (facilities):
auth # user authentication
authpriv # service authentication
cron # scheduled tasks
kern # kernel messages
mail # mail
news # system updates
user # user-level messages

Log levels (lowest to highest severity):
debug
info
notice
warning
err
crit
alert
emerg
none (exclude this type)

2. Apply the change and test
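The selector syntax above (log type.log level, a ';'-separated list, and none to exclude a type) decides which file a message lands in. The following Python, added here as an example rather than taken from the post or from rsyslog, evaluates such selectors the way the classic syslog.conf rules work (a level matches itself and everything more severe, =level matches exactly one level, none clears a type, and later parts override earlier ones) and routes a message through a rule set. The rule set is constructed for the example from the *.*;authpriv.none rule on this page plus the stock messages/secure/maillog/cron rules.

```python
# Syslog severities in order; a lower index is more severe. Aliases accepted
# by syslog.conf/rsyslog are mapped onto the canonical names.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LEVEL_ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]


def level_index(name):
    name = LEVEL_ALIASES.get(name, name)
    if name not in LEVELS:
        raise ValueError(f"unknown level: {name!r}")
    return LEVELS.index(name)


def parse_selector(selector):
    """Turn a selector field such as '*.info;mail.none;authpriv.none;cron.none'
    into {facility: set of matching level indices}.

    Parts are applied left to right, so a later 'facility.none' removes a
    facility that an earlier '*.level' included."""
    mask = {fac: set() for fac in FACILITIES}
    for part in selector.split(";"):
        part = part.strip()
        if not part:
            continue
        fac_list, dot, pri = part.rpartition(".")
        if not dot or not fac_list:
            raise ValueError(f"malformed selector part: {part!r}")
        facs = FACILITIES if fac_list == "*" else [f.strip() for f in fac_list.split(",")]
        for fac in facs:
            if fac not in mask:
                raise ValueError(f"unknown facility: {fac!r}")
            if pri == "none":
                mask[fac] = set()                          # exclude this facility
            elif pri == "*":
                mask[fac] = set(range(len(LEVELS)))        # every level
            elif pri.startswith("="):
                mask[fac].add(level_index(pri[1:]))        # exactly this level
            else:
                mask[fac].update(range(level_index(pri) + 1))  # this level and more severe
    return mask


def matches(selector, facility, level):
    """Would a message with this facility and level match the selector?"""
    return level_index(level) in parse_selector(selector)[facility]


def route(rules, facility, level):
    """Every destination (in file order) a message would be written to.
    `rules` is a list of (selector, path) pairs like the rsyslog.conf lines above."""
    return [path for sel, path in rules if matches(sel, facility, level)]


# Constructed rule set: the stock RHEL rules plus the custom westos rule from this page.
RULES = [
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("mail.*", "/var/log/maillog"),
    ("cron.*", "/var/log/cron"),
    ("*.*;authpriv.none", "/var/log/westos"),
]

if __name__ == "__main__":
    for fac, lvl in [("authpriv", "info"), ("user", "debug"), ("kern", "crit"), ("cron", "info")]:
        print(f"{fac}.{lvl:<8} -> {route(RULES, fac, lvl)}")
```

The practical point the routing shows: with *.*;authpriv.none the westos file gets everything except authentication records, so /var/log/secure remains the only place those are written, exactly as the second rule on this page intends.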

Experimental procedure (changing the format of collected logs)

1. Define the log format

In the configuration file:
$template WESTOS, "%FROMHOST-IP% %timegenerated% %FROMHOST-IP% %syslogtag% %msg%\n"  # define a format named WESTOS
				# WESTOS: name of the format
				# %FROMHOST-IP%: IP address of the host the log came from
				# %timegenerated%: time the log was generated
				# %syslogtag%: service that generated the log
				# %msg%: log content
				# \n: newline

2. Apply the format when writing a log file
Form: log type.log level    storage path;format name, for example *.*;authpriv.none    /var/log/westos;WESTOS

*.info;mail.none;authpriv.none;cron.none                /var/log/messages;WESTOS   # apply this format to the file that records these logs

3. Clear the original log file

[root@rhel7_node1 log]# > /var/log/messages 

4. Restart log service

[root@rhel7_node1 log]# systemctl restart rsyslog

5. View the new log format

[root@rhel7_node1 log]# cat /var/log/messages 
127.0.0.1 Mar 10 19:45:03 systemd: Stopping System Logging Service...
127.0.0.1 Mar 10 19:45:03 rsyslogd:  [origin software="rsyslogd" swVersion="8.24.0-34.el7" x-pid="23061" x-info="http://www.rsyslog.com"] exiting on signal 15.
127.0.0.1 Mar 10 19:45:03 systemd: Stopped System Logging Service.
127.0.0.1 Mar 10 19:45:03 systemd: Starting System Logging Service...
127.0.0.1 Mar 10 19:45:03 rsyslogd:  [origin software="rsyslogd" swVersion="8.24.0-34.el7" x-pid="23120" x-info="http://www.rsyslog.com"] start
127.0.0.1 Mar 10 19:45:03 systemd: Started System Logging Service.

Experimental procedure (remote log synchronization)

In an enterprise, to make management easier, logs should be viewed centrally rather than host by host, so all logs are stored on a single host.

Experimental environment:
rhel7_node1: 172.25.254.10 # log receiver; every host's logs are stored on this host
rhel8_node1: 172.25.254.11 # sends its logs to host rhel7_node1

1. Configure rhel7 to receive all logs
Turn off the firewall:

systemctl stop firewalld

UDP is chosen for this experiment because of its operating environment: the network is controlled and efficiency is the priority

vim /etc/rsyslog.conf
$ModLoad imudp  ## enable the log reception module
$UDPServerRun  514 ## port the module listens on

Restart the service:

[root@rhel7_node1 ~]# systemctl restart rsyslog

Query Port:

[root@rhel7_node1 ~]# netstat -antlupe | grep rsyslog
udp  0  0 0.0.0.0:514  0.0.0.0:*    0   67600   11115/rsyslogd
udp  0  0 :::514  :::*    0   67601   11115/rsyslogd
The UDP receiving port on RHEL 7 is now open.

2. Configure rhel8 to send its logs to rhel7
Edit the configuration file:

vim /etc/rsyslog.conf
*.*    @172.25.254.10
										#  @  send logs over UDP
										#  @@  send logs over TCP
										#  @172.25.254.11  send this host's logs over UDP to host 172.25.254.11

Restart the service:

systemctl restart rsyslog

Test:

On both rhel7 and rhel8:

> /var/log/messages   # empty the log file so the result is easy to observe

On rhel8:

logger westos test message  # generate a log entry

On rhel7, the entry generated on rhel8 can be seen:

[root@rhel7_node1 log]# cat /var/log/messages
Mar 10 20:41:48 rhel8_node1 root[6352]: westos haha

timedatectl

View the current system time:
[root@rhel7_node1 log]# timedatectl
      Local time: Wed 2020-03-11 00:39:37 CST
  Universal time: Tue 2020-03-10 16:39:37 UTC   # UTC (Greenwich/London time)
        RTC time: Tue 2020-03-10 16:39:38       # hardware clock time
       Time zone: Asia/Shanghai (CST, +0800)
     NTP enabled: no
NTP synchronized: no
 RTC in local TZ: no
      DST active: n/a

Set the system time:

timedatectl set-time "2020-02-13 10:41:55"   

List all time zones known to the system:

timedatectl list-timezones  

Set the system time zone:

timedatectl set-timezone "Asia/Shanghai"

Set how the system computes its time:

timedatectl set-local-rtc 0|1  # 0 means use the UTC method (hardware clock time + time zone)
                               # 1 means treat the hardware clock as local time

Time synchronization service

Reason: when many hosts need their time changed, it is not practical to change them one at a time.
Service name: chronyd.service
Configuration file: /etc/chrony.conf

Experimental procedure (synchronizing time between two hosts)

Requirements: rhel7 acts as the time source;
rhel8 synchronizes its time from rhel7
1. On rhel7

Edit the configuration file:
vim /etc/chrony.conf
allow 192.168.0.0/24   # allow hosts on the 172.25.254.0 network to synchronize time
local stratum 10    # enable the time service and set its stratum to 10
Restart the time synchronization service and turn off the firewall:
systemctl restart chronyd.service
systemctl stop firewalld

2. On rhel8

vim /etc/chrony.conf
pool  172.25.254.11 iburst

Restart the service:

systemctl restart chronyd

Check:
View the time on rhel8:

[root@rhel8_node1 ~]# date
2020年 03月 10日 星期二 17:00:50 CST

Use the chronyc command to check the synchronization result:

[root@rhel8_node1 ~]# chronyc sources -v
210 Number of sources = 1

  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| /   '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||      Reachability register (octal) -.           |  xxxx = adjusted offset,
||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
||                                \     |          |  zzzz = estimated error.
||                                 |    |           \
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^* 192.168.0.10                  3   6   177    56   -862us[ -565us] +/-   23ms    # shows that the time has been synchronized from RHEL 7
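To turn the chronyc sources output into something a monitoring job can assert on, here is a Python parser and check added as an example (it is not from the original post or from chrony). The two outputs it parses are constructed for the example, modelled on the one above; the expected source list is an assumption the caller supplies from its own chrony.conf.

```python
import re

UNIT_SECONDS = {"ns": 1e-9, "us": 1e-6, "ms": 1e-3, "s": 1.0}

# One data row of `chronyc sources`: mode/state flags, name, stratum, poll,
# reach (octal), last-rx, then "offset[ measured] +/- error".
ROW_RE = re.compile(
    r"^(?P<mode>[\^=#])(?P<state>[*+\-?x~ ])\s+(?P<name>\S+)\s+(?P<stratum>\d+)\s+"
    r"(?P<poll>-?\d+)\s+(?P<reach>[0-7]+)\s+(?P<lastrx>\S+)\s+"
    r"(?P<offset>[-+]?[\d.]+[a-z]+)\[\s*(?P<measured>[-+]?[\d.]+[a-z]+)\]\s+"
    r"\+/-\s+(?P<error>[\d.]+[a-z]+)")

# Constructed samples modelled on the chronyc output shown above.
SAMPLE_SYNCED = """\
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 192.168.0.10                  3   6   177    56   -862us[ -565us] +/-   23ms
"""

SAMPLE_UNREACHABLE = """\
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^? 172.25.254.10                 0   6     0     -     +0ns[   +0ns] +/-    0ns
"""


def to_seconds(value):
    """Convert chronyc's '-862us' style values to float seconds."""
    m = re.fullmatch(r"([-+]?[\d.]+)([a-z]+)", value)
    if not m or m.group(2) not in UNIT_SECONDS:
        raise ValueError(f"unparseable time value: {value!r}")
    return float(m.group(1)) * UNIT_SECONDS[m.group(2)]


def parse_sources(text):
    """Parse the rows below the '====' separator of `chronyc sources` output."""
    rows, in_table = [], False
    for line in text.splitlines():
        if line.startswith("==="):
            in_table = True
            continue
        if not in_table:
            continue
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append({
            "mode": m["mode"], "state": m["state"], "name": m["name"],
            "stratum": int(m["stratum"]), "poll": int(m["poll"]),
            "reach": int(m["reach"], 8),     # 377 octal = last 8 polls all answered
            "offset_s": to_seconds(m["offset"]),
            "measured_s": to_seconds(m["measured"]),
            "error_s": to_seconds(m["error"]),
        })
    return rows


def check_sync(text, expected_sources, max_offset_s=0.1, max_stratum=10):
    """Return (ok, reasons): is the host synced to one of the expected sources,
    with a small offset and a sane stratum? `expected_sources` is the set of
    server names/IPs the caller configured in chrony.conf (an assumption)."""
    reasons = []
    rows = parse_sources(text)
    if not rows:
        reasons.append("no sources parsed from chronyc output")
    current = [r for r in rows if r["state"] == "*"]
    if rows and not current:
        reasons.append("no source currently selected ('*' state)")
    for r in current:
        if r["name"] not in expected_sources:
            reasons.append(f"synced to unexpected source {r['name']}")
        if abs(r["offset_s"]) > max_offset_s:
            reasons.append(f"offset {r['offset_s']:+.6f}s exceeds {max_offset_s}s")
        if r["stratum"] > max_stratum:
            reasons.append(f"stratum {r['stratum']} exceeds {max_stratum}")
    for r in rows:
        if r["state"] in "?x":
            reasons.append(f"source {r['name']} is unreachable or suspect ({r['state']})")
    return (not reasons, reasons)


if __name__ == "__main__":
    print(check_sync(SAMPLE_SYNCED, {"192.168.0.10"}))
    print(check_sync(SAMPLE_UNREACHABLE, {"172.25.254.10"}))
```

A check like this matters for the log work earlier on the page: when logs from several hosts are merged on one receiver, an unsynchronized sender produces timestamps that cannot be ordered against the others.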

Postscript

journald responds faster and is more flexible to work with;
rsyslog is more precise.
More experiments on this topic will follow!


Origin blog.csdn.net/Thorne_lu/article/details/104342499