Linux log management
For operations and maintenance staff, whatever system is being managed, monitoring, querying and managing log files is an important part of the job. Troubleshooting a server starts with reading the system (error) logs. This article looks at log management on Linux systems.
Introduction to log management
Introduction to logs
The system log is a file that records various information such as system hardware checks, kernel actions, software startups, and user actions. Through the system log, you can judge the system health status, detect system problems, find evidence of attacks, etc.
Log Service in Linux System
On older systems, logging is handled mainly by the syslog service; newer systems replace syslog with the more powerful rsyslog service, but the two are operated in basically the same way.
To check whether the log service is running, and to start it if it is not, use the systemctl command:

```bash
# check whether the service is running
systemctl list-units | grep rsyslog
# if it is not running, start it
systemctl start rsyslog.service
```
Common logs and their functions
The system logs of Linux are stored mainly in the /var/log directory. The main files and their functions are listed in the following table.
Log file name | Function |
---|---|
cron | Logs related to system scheduled tasks |
cups | Printing log |
dmesg | Kernel self-check information from system boot; view it with the dmesg command |
btmp | Failed login attempts (a binary file that cannot be viewed with vim; use the lastb command) |
wtmp | Login, logout and shutdown records (also binary, cannot be viewed with vim; use the last command) |
lastlog | Last login time of each user; view it with the lastlog command |
maillog | Mail information |
messages | Most of the important system information; check this file first when there is a problem (recorded at the info level, explained below) |
secure | Authentication and authorization information, mainly related to user accounts and permissions |
In addition, some application services installed with the system write their logs to this directory by default, but they are not managed by the rsyslog service; these applications have their own log management. An application installed from a source package writes its logs under its own installation directory.
Log file format
A basic log entry contains four parts:
- Time of the event
- Host name on which the event occurred
- The service or program (or the kernel) in which the event occurred, including the process PID
- Event content
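As an added example (not part of the original article), the following Python splits lines of this format into the four fields and runs two typical checks over constructed sample lines: a count of records per program and, for the secure log, a tally of sshd failed-password records per source address. The regular expressions assume the traditional timestamp layout shown in the samples.

```python
import re

# Constructed sample lines in the traditional syslog layout described above
# (time, host, program[pid], message); they are not from a real system.
SAMPLE_LINES = [
    "Mar  3 10:15:02 web01 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 50022 ssh2",
    "Mar  3 10:15:07 web01 sshd[1240]: Failed password for invalid user admin from 203.0.113.9 port 41022 ssh2",
    "Mar  3 10:16:00 web01 CRON[1301]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar  3 10:16:30 web01 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd",
    "this line is not a syslog record",
]

# The four fields: timestamp, host name, program with optional [PID], message text.
LINE_RE = re.compile(
    r"^(?P<time>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)
# sshd's failed-password message, as it appears in /var/log/secure.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<src>\S+) port")


def parse_line(line):
    """Split one log line into its four fields; return None if it is not a syslog record."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None  # kernel lines carry no PID
    return rec


def count_by_program(lines):
    """Count records per program, skipping lines that do not parse."""
    counts = {}
    for rec in filter(None, map(parse_line, lines)):
        counts[rec["prog"]] = counts.get(rec["prog"], 0) + 1
    return counts


def failed_logins_by_source(lines):
    """Tally sshd 'Failed password' records per source address: the kind of
    check an administrator runs on /var/log/secure to spot brute-force attempts."""
    tally = {}
    for rec in filter(None, map(parse_line, lines)):
        if rec["prog"] != "sshd":
            continue
        m = FAILED_RE.search(rec["msg"])
        if m:
            tally[m.group("src")] = tally.get(m.group("src"), 0) + 1
    return tally
```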
Log management service rsyslog configuration
Configuration format of the log management service
The configuration file of the rsyslog service is /etc/rsyslog.conf.
Each rule has the format: service name[connector]log level  log record location
Where:
- The service name is the name of a service installed in the system. Several service names that share the same level can be separated by commas.
- Two selectors in one rule (mainly used for exclusion) are separated by a semicolon; see the example below.
- The connectors and the log levels are listed in the tables below.
- The logging location is not only an absolute file path; the following forms are possible:
Logging location | Sample | Description |
---|---|---|
Absolute file path | /var/log/messages | Write to a log file |
System device file | /dev/lp0 | Output to the printer |
Forward to a remote host | @192.168.0.2:123 | Send to a remote log server |
User name | root or * | Write to the user's terminal; * means all logged-in users |
Ignore the log (do not record) | ~ | Discard the message |
Main service names for log service management
Service name | Description |
---|---|
auth | User account security and authentication information (different from authpriv) |
authpriv | User account security and authentication information (private) |
cron | System scheduled tasks |
daemon | Various daemons |
ftp | Logs of the ftp daemon |
kern | Logs generated by the kernel |
lpr | Printing log |
mail | Mail sending and receiving log |
news | Logs of the news server |
syslog | Logs generated by the rsyslog service itself |
user | User-level logs |
Log service configuration file connectors
Connector | Description |
---|---|
* | Represents all levels |
. | Records messages at the given level and all higher levels |
.= | Only messages whose level is exactly the given one |
.! | Messages whose level is not the given one (used for exclusion) |
Log level
Log levels increase in severity from top to bottom.
Log level | Description |
---|---|
debug | General debugging information |
info | Basic notification information |
notice | General information that deserves attention |
warning | General warning; no effect on system operation yet, but problems may follow |
err | Error that may affect some system functions |
crit | Critical error, more serious than err |
alert | Alert; if not handled it may cause system damage |
emerg | System unusable |
In addition, .none means that nothing is recorded for that service; it is generally used for exclusion.
Log service configuration example

```bash
# comma-separated: both services at the same level, here all levels
auth,authpriv.*           /var/log/auth.log
# all messages from all services, excluding the two services above
# (the leading "-" means the file is not synced after every write)
*.*;auth,authpriv.none    -/var/log/syslog
```
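The selector rules described above (comma-separated services, semicolon-separated selectors, the `.`, `.=` and `.!` connectors and `none`) can be checked without a running rsyslog. The following Python is an added example, not rsyslog's own code: it evaluates the selector part of a rule against the service names and levels from the tables above. For `!` it follows syslog.conf(5), where `.!level` excludes that level and everything above it and `.!=level` excludes exactly that level, and it applies those forms as subtractions from the mask built by the earlier selectors.

```python
# Priority levels from lowest to highest, as in the level table above.
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
# Service names (facilities) from the table above.
FACILITIES = ["auth", "authpriv", "cron", "daemon", "ftp", "kern", "lpr",
              "mail", "news", "syslog", "user"]


def _check_level(level):
    if level not in LEVELS:
        raise ValueError("unknown level: %r" % level)
    return level


def _at_or_above(level):
    """The given level plus every higher level, which is what a plain '.' selects."""
    return set(LEVELS[LEVELS.index(_check_level(level)):])


def build_mask(selector_field):
    """Evaluate the selector part of a rule, e.g. '*.*;auth,authpriv.none', and
    return {facility: set(levels)} describing which messages the rule accepts.
    Selectors are applied left to right, so a later selector can narrow an earlier one."""
    mask = {f: set() for f in FACILITIES}
    for selector in selector_field.split(";"):
        facs, _, level = selector.strip().rpartition(".")
        if not facs or not level:
            raise ValueError("bad selector: %r" % selector)
        targets = FACILITIES if facs == "*" else [f.strip() for f in facs.split(",")]
        for fac in targets:
            if fac not in mask:
                raise ValueError("unknown facility: %r" % fac)
            if level == "none":              # record nothing for this facility
                mask[fac] = set()
            elif level == "*":               # all levels
                mask[fac] = set(LEVELS)
            elif level.startswith("!="):     # drop exactly this level
                mask[fac] -= {_check_level(level[2:])}
            elif level.startswith("!"):      # drop this level and above
                mask[fac] -= _at_or_above(level[1:])
            elif level.startswith("="):      # exactly this level
                mask[fac] = {_check_level(level[1:])}
            else:                            # this level and above
                mask[fac] = _at_or_above(level)
    return mask


def matches(selector_field, facility, level):
    """True if a message with this facility and level would be written by the rule."""
    return level in build_mask(selector_field).get(facility, set())
```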
Log rotation
If every record from the beginning were kept in one file, reading and writing would become slower, the file would keep growing, and the risk of losing all logs through damage to that single file would increase. To solve this, Linux systems use log rotation: the records from an earlier period are cut out and packed into a separate archive file, and the main log file starts again from empty.
Log file naming (rotation) rules
- If the configuration file contains the dateext parameter, the log uses the date as its file suffix, so log file names never overlap and old files are not renamed.
- Without this parameter, log files are renamed: when a new messages file is started, the old messages is renamed to messages.1, the previous messages.1 becomes messages.2, and so on; older files may be compressed, and the oldest file beyond the maximum serial number is deleted.
The configuration file for log rotation is /etc/logrotate.conf, and settings for individual logs can also be kept in the /etc/logrotate.d directory. See man logrotate for the full list of parameters; the main ones are:
Parameter | Description |
---|---|
daily | Rotate every day |
weekly | Rotate every week |
monthly | Rotate every month |
rotate n | n is a number: how many rotated log files to keep; 0 means no backup |
compress | Compress old logs |
create [mode] [owner] [group] | Create the new log file with the given permission mode, owner and group, for example create 0640 root adm |
The settings for a specific file are written in a special syntax, for example:

```bash
# no packages own wtmp -- we'll rotate it here
/var/log/wtmp {
    missingok
    monthly
    create 0664 root utmp
    minsize 1M
    rotate 1
}
```

The settings enclosed in braces after the file name take effect only for that file.
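To make the rename chain and the effect of rotate n concrete, here is an added Python simulation (not logrotate's own code) of one rotation under both naming schemes from this section: the numbered scheme (messages becomes messages.1, messages.1 becomes messages.2, and so on) and the dateext scheme. It assumes that compressed archives carry a .gz suffix and that rotate 0 keeps no archive.

```python
import re


def _numbered_parts(archive, name):
    """Return (n, compressed) if archive is name.N or name.N.gz, else None."""
    m = re.fullmatch(re.escape(name) + r"\.(\d+)(\.gz)?", archive)
    return (int(m.group(1)), bool(m.group(2))) if m else None


def rotate_once(archives, name, rotate, compress=False, dateext=None):
    """Simulate one logrotate run on `name` and return the resulting archive names.
    archives: archive files that already exist (e.g. ['messages.1', 'messages.2.gz'])
    rotate:   the 'rotate n' value; 0 means keep no archive at all
    compress: whether the new archive gets a .gz suffix (the 'compress' parameter)
    dateext:  a 'YYYYMMDD' string to use the date-suffix scheme, or None for numbers
    """
    if rotate <= 0:
        return []  # 'rotate 0': the old log is removed and nothing is archived
    suffix = ".gz" if compress else ""
    if dateext is not None:
        # Date scheme: existing archives keep their names; only surplus old ones go.
        kept = [a for a in archives if a.startswith(name + "-")]
        kept.append("%s-%s%s" % (name, dateext, suffix))
        kept.sort()  # YYYYMMDD sorts chronologically as text
        return kept[-rotate:]
    # Numbered scheme: name.N becomes name.N+1; anything past `rotate` is deleted.
    shifted = []
    for a in archives:
        parts = _numbered_parts(a, name)
        if parts is None:
            continue  # not one of this log's archives
        n, gz = parts
        if n + 1 <= rotate:
            shifted.append("%s.%d%s" % (name, n + 1, ".gz" if gz else ""))
    shifted.append("%s.1%s" % (name, suffix))  # the log that was just rotated out
    return sorted(shifted, key=lambda a: _numbered_parts(a, name)[0])
```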