Linux log overview
1. Log function
- Used to record various events that occur during the operation of the system and programs
- By reading the log, it is helpful to diagnose and solve system failures
2. The location and record content of common log files
(1) Kernel and public message log:
- /var/log/messages: Record Linux kernel messages and public log information of various applications, including startup, IO errors, network errors, program failures, etc. For applications or services that do not use an independent log file, you can generally obtain related event record information from the log file.
(2) Scheduled task log:
- /var/log/cron: record event information generated by crond scheduled task
(3) System boot log:
- /var/log/dmesg: Record various event information of the Linux system during the boot process
(4) Mail system log:
- /var/log/maillog: Record the email activity entering or sending out the system.
(5) User login log:
- /var/log/secure: Record security event information related to user authentication.
- /var/log/lastlog: Record the latest login events of each user. Binary format
- /var/log/wtmp: Record each user login, logout and system startup and shutdown events. Binary format
- /var/run/btmp: Record failed, wrong login attempts and verification events. Binary format
分析工具
users、 who、w 、last、lastb
last命令用于查询成功登录到系统的用户记录
lastb命令用于查询登录失败的用户记录
Three, the general format of log records
4. Overview of common logs
Most of the log files of the Linux operating system are placed in the directory /var/log/ by default
4.1 Kernel and system log
- Unified management by the system service rsyslog (define log format and level), the log format is basically similar
- Package: rsyslog-7.4.7-16.el7.x86_64
Main program: /sbin/rsyslogd
Configuration file: /etc/rsyslog.co - Location: /var/log/messages
4.1.1 View the rsyslog.conf configuration file
vim /etc/rsyslog.conf
4.1.2 Priority of Linux kernel log messages
The lower the number level, the higher the priority and the more important the message
| Grade number | news | level | Description |
|---|---|---|---|
| 0 | EMERG | urgent | Will cause the host system to be unavailable. |
| 1 | ALERT | caveat | Problems that must be resolved immediately |
| 2 | CRIT | serious | More serious situation |
| 3 | ERR | error | Run error |
| 4 | WARNING | remind | May affect system functions and need to remind users |
| 5 | NOTICE | note | Will not affect normal functions, but events that require attention |
| 6 | INFO | information | General information |
| 7 | DEBUG | debugging | Program or system debugging information, etc. |
4.2 User log
Record system user login and logout information
vim /var/log/secure
4.3 Program log
Independently managed by the corresponding application
- Web service: Nar/log/httpd/
access_log //Record customer access events
error_log //Record error events - Proxy service: /var/log/squid/
access.log, cache.log - analyzing tool
- Text view, grep filter search, view in Webmin management suite
- Text filtering, formatting and editing tools such as awk and sed
- Webalizer, Awstats and other dedicated log analysis tools
Five, log management strategy
(1) Make backups and archives in time
(2) Extend the log retention period
(3) Control log access rights
- Logs may contain various sensitive information, such as accounts, passwords, etc.
(4) Centralized management of logs
- Send the server's log file to the unified log file server
- Facilitate the unified collection, sorting and analysis of log information
- Prevent accidental loss, malicious tampering or deletion of log information