in? Your rsyslog log management manual has arrived, please check

rsyslog log management and logrotate log storage rotation

Foreword:

The system log is a record of how the server system and its software have been running. When the system or a program goes wrong, the log shows what was recorded at the moment the problem occurred, and that record is the starting point for finding a fix.

1. rsyslog system log management system

1. What is the rsyslog system log management system

① Transfers log information over the TCP network protocol.
② A safer method of network transmission.
③ A real-time log analysis framework.
④ Database back-end support.
⑤ Simple logical conditions (filters) can be written in the configuration file.
⑥ Compatible with the syslog configuration file format.

2. How to start the rsyslogd log management system

##### check whether it is running
ps aux | grep "rsyslog"

##### start
systemctl start rsyslog

##### stop
systemctl stop rsyslog

3. Directory where logs are saved

/var/log/messages
Running status and error messages of the system and its services
/var/log/secure
Service authentication and user login information
/var/log/yum.log
yum-related log
/var/log/cron
Scheduled task (cron) related log
/var/log/dmesg
Kernel boot related log
/var/log/maillog
Mail log
/var/log/boot.log
System startup information

Log content analysis, taking the secure authentication log as an example. Each line can be roughly divided into:
Month  Day  HH:MM:SS  server hostname  program (sshd or su)  module  details
In the example shown in the original figure you can see that a user king was created at 14:32 and its password was set; at :33 there was a login to the king user from the terminal 10.8.11.61; at :35 su was used to switch to the root user, and the attempts that entered a wrong password were recorded as well.
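A small parser for the secure-log field layout described above, as an added example that is not part of the original post. The log lines are constructed to reproduce the sequence the post describes (user created, login from 10.8.11.61, su to root with a failed password); the function names and the output layout are my own.

```python
import re

# Constructed sample lines in the layout described above:
# month day time hostname program[pid]: details
SAMPLE_SECURE_LOG = """\
Dec  4 14:32:01 server1 useradd[2101]: new user: name=king, UID=1001, GID=1001, home=/home/king, shell=/bin/bash
Dec  4 14:32:09 server1 passwd: pam_unix(passwd:chauthtok): password changed for king
Dec  4 14:33:12 server1 sshd[2150]: Accepted password for king from 10.8.11.61 port 50322 ssh2
Dec  4 14:35:40 server1 su: pam_unix(su-l:auth): authentication failure; logname=king uid=1001 euid=0 tty=pts/0 ruser=king rhost=  user=root
Dec  4 14:35:41 server1 su: FAILED SU (to root) king on pts/0
Dec  4 14:35:55 server1 su: pam_unix(su-l:session): session opened for user root by king(uid=1001)
"""

# month, day, time, hostname, program (optionally with [pid]), then the message
LINE_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<program>[\w.-]+)(?:\[\d+\])?:\s*(?P<msg>.*)$"
)


def parse_secure_line(line):
    """Split one /var/log/secure line into its fields; None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize_secure_log(text):
    """Walk the log and collect the events a reviewer looks for first."""
    summary = {"users_created": [], "ssh_logins": [], "failed_su": [], "su_to_root": []}
    for line in text.splitlines():
        rec = parse_secure_line(line)
        if rec is None:
            continue  # not in the expected layout, skip it
        prog, msg = rec["program"], rec["msg"]
        if prog == "useradd" and msg.startswith("new user:"):
            summary["users_created"].append(re.search(r"name=(\w+)", msg).group(1))
        elif prog == "sshd" and msg.startswith("Accepted"):
            who, ip = re.search(r"for (\S+) from (\S+)", msg).groups()
            summary["ssh_logins"].append((rec["time"], who, ip))
        elif prog == "su" and msg.startswith("FAILED SU"):
            summary["failed_su"].append((rec["time"], msg))
        elif prog == "su" and "session opened for user root" in msg:
            summary["su_to_root"].append((rec["time"], re.search(r"by (\w+)", msg).group(1)))
    return summary
```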

Besides the system's default logs, software installed from RPM packages also writes its logs under /var/log/, usually in a directory named after the program so that its log files are kept separately. Software installed from a source package does not log there but inside its own installation directory. For example:
/var/log/httpd/
RPM installation: the Apache web server log
/usr/local/httpd/logs/
Source-package installation: the Apache web server log

4. rsyslog configuration
/etc/rsyslog.conf
rsyslogd's main configuration file (the key one). It has three main sections to configure:

MODULES: related module configuration

GLOBAL DIRECTIVES: global configuration

RULES: rule settings for logging

1.) #### MODULES #### Description: remote log server configuration.
This section configures the modules, and here you can choose among several ways of listening for input. For a purely local service, everything here can stay commented out. To receive logs from remote servers, configure the following:

Server: 192.168.1.1 Client: 192.168.1.2

Step 1: On the server, enable TCP reception on port 514 (the imtcp module lines in this section).
Step 2: On the server, add a configuration file under /etc/rsyslog.d/ for each client to be monitored. For example, to monitor 192.168.1.2, create 192.168.1.2.conf in that directory and put the following line in it with vim:
:fromhost-ip, isequal, "192.168.1.2" /var/log/client/192.168.1.2.log
The property being compared can be:
fromhost: the host name the message was sent from
fromhost-ip: the IP address the message was sent from
msg: the message text of the log entry
hostname: the host name contained in the log entry
The comparison operators include the following:
contains: contains
isequal: equals
startswith: begins with ...
Step 3: On the client 192.168.1.2, open /etc/rsyslog.conf and append a line at the end that specifies the log server's IP address and port, *.* @@192.168.1.1:514 (@@ sends over TCP; a single @ would use UDP); save, quit, and restart rsyslog.
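To make the per-client filter from step 2 concrete, here is an added example (my own code, not part of the post or of rsyslog) that parses property-based filter lines of the form `:property, operator, "value" /target` from an rsyslog.d fragment and shows which file each message would be written to. The fragment, the extra rules and the sample messages are constructed; the routing is a simplified model of rsyslog's behaviour, not the real engine.

```python
import re

# :property, operator, "value"   /path/to/logfile
FILTER_RE = re.compile(
    r'^:(?P<prop>[\w-]+),\s*(?P<op>\w+),\s*"(?P<val>[^"]*)"\s+(?P<target>\S+)$'
)

# The three comparison operators listed in the post.
OPERATORS = {
    "contains": lambda actual, wanted: wanted in actual,
    "isequal": lambda actual, wanted: actual == wanted,
    "startswith": lambda actual, wanted: actual.startswith(wanted),
}


def parse_filters(config_text):
    """Parse the filter lines of a rsyslog.d fragment; comments and blank lines are skipped."""
    rules = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FILTER_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised filter line: {line!r}")
        if m["op"] not in OPERATORS:
            raise ValueError(f"unknown comparison operator: {m['op']}")
        rules.append((m["prop"], m["op"], m["val"], m["target"]))
    return rules


def route(message, rules):
    """Return the target files a message (dict of property -> value) matches, in rule order."""
    return [target for prop, op, val, target in rules
            if OPERATORS[op](message.get(prop, ""), val)]


# Constructed fragment: the per-client rule from the walkthrough plus two more for contrast.
CLIENT_CONF = '''
# logs from the monitored client
:fromhost-ip, isequal, "192.168.1.2" /var/log/client/192.168.1.2.log
:hostname, startswith, "web" /var/log/client/webservers.log
:msg, contains, "Failed password" /var/log/client/auth-failures.log
'''


def demo():
    """Route one constructed sshd failure message from the monitored client."""
    rules = parse_filters(CLIENT_CONF)
    msg = {"fromhost-ip": "192.168.1.2", "hostname": "web01",
           "msg": "Failed password for root from 10.0.0.9 port 2222 ssh2"}
    return route(msg, rules)
```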
2.) #### GLOBAL DIRECTIVES #### Description

3.) #### RULES #### Description

A rule consists of facility (the "device carrier") + severity level + log storage location.

Facility:
The facility, or device carrier, is defined by the system; what we can specify is where the logs of a given facility are stored and monitored.
So when we have third-party software that rsyslog does not manage, but we want rsyslog to manage it, how do we do that?
Idea: for third-party software to hand its logs over to rsyslog, we modify the software's own configuration file, for example vim vsftpd.conf. If you do not know which parameter to change, first run man vsftpd.conf and search the help for the keyword rsyslog; following the hints, you can see how to configure the software so that its logs belong to a facility managed by rsyslog, and then where to put the log file once that is set.
For example:
change the facility in the ssh configuration so that its log can be saved to a separate log directory.
Open the ssh configuration file: vim /etc/ssh/sshd_config

SyslogFacility  AUTHPRIV     # by default this facility points into the secure log
###### comment it out and change it to an unused facility, then point that facility at a new log directory
SyslogFacility  local1       # facilities cannot be invented; local1 is a free one, so use it and then specify the target directory in the rules

The remaining parts of a rule (the comparison symbol, the severity level, and the log storage directory) were shown only as figures in the original post.

2. logrotate log storage rotation

1. Why do log rotation

1. Avoid logs growing without limit and taking up too much space under /var/log
2. Make logs easier to view
3. The log rotation program is logrotate
4. logrotate is not a daemon itself; it is run once a day by a crond scheduled task.

2. How to configure log rotation

  1. Open the logrotate configuration file
vim /etc/logrotate.conf
  2. Configure the default rotation conditions
# see "man logrotate" for details
# rotate log files weekly
weekly     # once a week

# keep 4 weeks worth of backlogs
rotate 4   # keep four rotated copies

# create new (empty) log files after rotating old ones
create     # create a new log file after rotating

# use date as a suffix of the rotated file
dateext    # rotated files get a date-stamp suffix

# uncomment this if you want your log files compressed
#compress   # compress rotated logs (they must be decompressed to read)

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d    # load the per-package configuration files from this directory

  3. Configure custom rotation conditions
    In addition to the defaults above, individual log files can be given their own rotation settings
# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
    # the log file these settings apply to
    monthly                  # rotate monthly instead of the weekly default above
    create 0664 root utmp    # new log after rotation: mode 0664, owner root, group utmp
    minsize 1M               # rotate on the monthly run only if the file has reached 1M
    rotate 1                 # keep 1 rotated copy, one per month
}

/var/log/btmp {
    missingok                # do not report an error if the log file is missing
    monthly
    create 0600 root utmp
    rotate 1                 # keep 1 rotated copy
}

All logs could be set here, but the file would become too big to search, so we use sub-configuration files instead: in the custom configuration directory, each program's log gets its own rule file.

For example:
set up a custom rotation for ssh: keep one month of log files, and rotate directly once the log is greater than 15M.
① First create an sshd rotation configuration file in the sub-configuration directory

vim /etc/logrotate.d/sshd

② Edit the following configuration content, save, and restart the service.

/var/log/sshd.log {
    # the log file (directory) these settings apply to
    missingok                    # do not report an error if the log is missing
    monthly                      # rotate every month
    create 0664 root root        # new log: mode 0664, owner root, group root
    minsize 15M                  # rotate on the monthly run only once the file has reached 15M
    rotate 1                     # keep 1 rotated copy
}
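The way logrotate combines a time interval with the size directives is easy to misread, so here is an added example (my own code, not part of the post or of logrotate) that models that decision for one file: `minsize` only rotates on the scheduled run once the file is big enough, `maxsize` rotates early when the file grows too big, and `size` ignores the schedule entirely. Dates, sizes and the rule dicts are constructed; the weekly test is simplified to "7 days elapsed".

```python
from datetime import date

MB = 1024 * 1024


def parse_size(text):
    """Parse a logrotate size value: plain bytes or a k/M/G suffix."""
    units = {"k": 1024, "M": MB, "G": 1024 * MB}
    if text[-1] in units:
        return int(text[:-1]) * units[text[-1]]
    return int(text)


def interval_due(interval, last_rotated, today):
    """Whether the time-based condition (daily/weekly/monthly/yearly) is met."""
    if last_rotated is None:
        return True  # never rotated before
    days = (today - last_rotated).days
    return {
        "daily": days >= 1,
        "weekly": days >= 7,  # simplification of logrotate's weekday rule
        "monthly": (today.year, today.month) != (last_rotated.year, last_rotated.month),
        "yearly": today.year != last_rotated.year,
    }[interval]


def should_rotate(directives, file_size, last_rotated_iso, today_iso):
    """Decide rotation for one file from a dict such as {"interval": "monthly", "minsize": "15M"}."""
    last_rotated = date.fromisoformat(last_rotated_iso) if last_rotated_iso else None
    today = date.fromisoformat(today_iso)
    if "size" in directives:  # size: purely size-driven, the interval is ignored
        return file_size >= parse_size(directives["size"])
    due = interval_due(directives.get("interval", "weekly"), last_rotated, today)
    if "maxsize" in directives and file_size >= parse_size(directives["maxsize"]):
        return True  # maxsize: rotate early when the file grows too big
    if "minsize" in directives and file_size < parse_size(directives["minsize"]):
        return False  # minsize: even on schedule, leave small files alone
    return due


# The sshd rule from the sub-configuration example above, as a directive dict.
SSHD_RULE = {"interval": "monthly", "minsize": "15M"}


def demo_sshd_rule():
    """A 20M sshd.log on the first run in a new month: rotates."""
    return should_rotate(SSHD_RULE, 20 * MB, "2020-11-01", "2020-12-01")
```

With `minsize`, a 20M file in mid-month still waits for the next monthly run; if the intent really is "rotate as soon as it passes 15M", the directive to use is `size 15M` (or `maxsize 15M` to keep the monthly run as well).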

Origin blog.csdn.net/qq_26129413/article/details/110671358