How to effectively manage the Linux file system and log files: practical Linux operation and maintenance examples


Preface

A previous blog post stated that files and file names in the Linux system are stored separately; this post builds on that basic concept.
Logs most directly reflect the operating status of the system and software services, and a lot of relevant information can be learned from them.

1. File storage system

inode and block

In the previous blog, it was said that files and file names are stored separately. File data is composed of meta-information and the actual data.
The most common storage medium for files is the hard disk. The smallest storage unit on a hard disk is the sector, and each sector is 512 bytes.
A block is composed of 8 consecutive sectors, with a size of 4k, and is the smallest unit of file access.
An inode, translated as "index node" and also written i-node, stores file meta-information.
A file must occupy one inode number and at least one block.

The properties and working process of the inode

There are three main time attributes for files in Linux:
ctime, last change time
atime, last access time
mtime, last modification time.
When a file is opened by file name in the Linux system, the system first finds the inode number corresponding to the file name, then gets the inode information from the inode number, then finds the block where the file is located according to the inode information, and reads the data.
There are two ways to view the inode number, ls and stat, as follows:
ls -i file name
stat file name

ls only lists the file name and inode number.
The stat command lists more detailed information.
The inode itself also occupies hard disk space. The size of each inode is generally 128 bytes or 256 bytes. The total number of inodes is determined when the hard disk is partitioned. When partitioning, the hard disk is divided into two areas, one for file data and the other for storing inodes. You can use the df -i command to view the total number of inodes in each hard disk partition and the number of inodes that have been used.
Due to the characteristics of the inode number, the Linux file system has the following characteristics:
1 When a file name contains special characters, the file may not be deletable in the normal way; you can delete the file directly by its inode number.
2 Moving a file or renaming a file only changes the file name and does not affect the inode number.
3 After a file is opened, the system uses the inode number to identify the file instead of the file name.
4 After the file data is modified and saved, a new inode number will be generated.
find ./ -inum <inode number> -exec rm -i {} \;
find ./ -inum 1146878 -delete
Both commands use the inode number to delete files; the latter does not prompt when deleting.

Common malfunctions

inode

As mentioned earlier, inodes also take up space. When the inodes of a partition are exhausted, no more data can be stored even though the disk space is not actually full.
Use a shell script to fill the partition with empty files.
The display then shows that the inodes have been exhausted, but the storage space is not full.
After deleting the empty files, a folder can be created again.
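A check for the failure described above, written for this page as an added example (it is not from the original post). It assumes GNU df with the --output option; the function names and the sample df output are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Sample data below is constructed.

# Constructed stand-in for `df --output=target,ipcent,pcent` (GNU coreutils).
SAMPLE_DF='Mounted on IUse% Use%
/            12%   41%
/data       100%    3%
/boot         1%   20%'

# inode_starved IPCT BPCT: read that df output on stdin and print the mount
# points whose inode use is >= IPCT% while block use is still below BPCT%.
inode_starved() {
    awk -v it="$1" -v bt="$2" 'NR > 1 {
        i = $(NF - 1); b = $NF          # percentages are the last two fields
        sub(/%/, "", i); sub(/%/, "", b)
        # drop the two percentage columns so a mount point with spaces survives
        sub(/[ \t]+[^ \t]+[ \t]+[^ \t]+[ \t]*$/, "")
        if (i != "-" && i + 0 >= it && b + 0 < bt) print
    }'
}

# inode_hogs DIR: print "count path" for each immediate subdirectory of DIR,
# largest first. Every file, directory or symlink found costs one inode
# (hard links to the same file are counted once per name).
inode_hogs() {
    find "$1" -mindepth 1 -maxdepth 1 -xdev -type d | while IFS= read -r d; do
        printf '%s %s\n' "$(( $(find "$d" -xdev | wc -l) ))" "$d"
    done | sort -rn
}

# On a live system: df --output=target,ipcent,pcent | inode_starved 95 90
printf '%s\n' "$SAMPLE_DF" | inode_starved 95 90
```

Once inode_starved names a mount point, running inode_hogs on it shows which directory holds the many small or empty files.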

Recovery of accidentally deleted files

If files are accidentally deleted during work, you need to use a file recovery tool. extundelete is an open source Linux data recovery tool that supports ext3 and ext4 file formats, but ext4 can only be recovered in centos6.
The first step is to view the hard disk. The file format must be ext3 before it can be restored in centos7.
Mount, then decompress the software package.
The environment where the software is installed depends on the packages e2fsprogs-devel and e2fsprogs-libs.
After that, compile and install so that the system recognizes the installed program.
Check the inode number 1-2 of the file to be restored in this partition. The output shows that it has been deleted, so now we need to restore this file.
Recover the files.
A folder is generated in the current directory, containing the recovered files.

2. Log

1. The function and classification of the log

The log records the various events that occur during the operation of the system and programs. The log can help diagnose and solve system faults.
The main categories of logs are kernel log, user log and program log.
The kernel log is a system log managed uniformly by the system service rsyslog, and the log format follows the main configuration file /etc/rsyslog.conf.
The user log records information about system users logging in to and out of the system.
Program logs are log files managed independently by the various applications, and their recording formats differ.
Logs are stored in the /var/log directory by default.
Executed operations are recorded in /var/log/messages.
A log entry is composed of a time stamp, host name, subsystem name, and message field.
System and kernel logs are managed by rsyslog.
The main program is /sbin/rsyslogd and the configuration file is /etc/rsyslog.conf.

2. Log security level

Pay close attention to the first three levels. The lower the level number, the more urgent the situation is. The appearance of any of these three levels indicates that a very serious failure has occurred.

Log analysis

Log analysis is divided into system information and program information.
System information saves information such as user login and logout.

/var/log/lastlog is the latest login information
/var/log/wtmp is the user login and logout and system startup and shutdown record
/var/run/utmp is the detailed information of each user currently logged in
/var/log/secure is the user authentication related security events.

Commonly used analysis tools are users, who, w, last and lastb.
The last command is used to query user records that have successfully logged in to the system.
The lastb command is used to query user records that have failed to log in.
users, who and w can be viewed only after transcoding.
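The text log /var/log/secure can be summarised in the same spirit as lastb. The following is an added example, not from the original post: it splits entries into the four fields described earlier and counts failed sshd password attempts per source address. The sample lines are constructed, and the sshd message wording and the function names are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. The log lines are constructed;
# the sshd "Failed password" wording is an assumption about /var/log/secure.
SAMPLE_SECURE='Feb  9 10:15:01 web01 sshd[2101]: Failed password for root from 192.0.2.10 port 51234 ssh2
Feb  9 10:15:03 web01 sshd[2101]: Failed password for root from 192.0.2.10 port 51234 ssh2
Feb  9 10:15:07 web01 sshd[2104]: Failed password for invalid user admin from 192.0.2.10 port 51240 ssh2
Feb  9 10:16:40 web01 sshd[2110]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
Feb  9 10:17:12 web01 sshd[2115]: Failed password for alice from 203.0.113.5 port 38110 ssh2
Feb  9 10:18:20 web01 sshd[2120]: Failed password for invalid user x from 198.51.100.7 port 22 from 203.0.113.5 port 38112 ssh2
Feb  9 10:19:00 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls'

# split_fields: print "timestamp|host|subsystem|message" for each entry,
# following the four-part layout of the log format.
split_fields() {
    awk '{ ts = $1 " " $2 " " $3; host = $4; tag = $5; sub(/:$/, "", tag)
           msg = $0; sub(/^[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ +/, "", msg)
           print ts "|" host "|" tag "|" msg }'
}

# failed_by_source MIN: print "count address" for every source with at least
# MIN failed sshd password attempts, busiest first. The user name in the
# message is supplied by the remote side and may itself contain "from ...",
# so the address is taken by position from the END of the line.
failed_by_source() {
    awk -v min="$1" '
        $5 ~ /^sshd(\[[0-9]+\])?:$/ && /Failed password for/ &&
        $(NF - 4) == "from" && $(NF - 2) == "port" { n[$(NF - 3)]++ }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' | sort -rn
}

# On a live system (as root): failed_by_source 5 < /var/log/secure
printf '%s\n' "$SAMPLE_SECURE" | failed_by_source 2
```

The sixth sample line is attributed to 203.0.113.5, not to the address embedded in the user name, which is why the parser reads fields from the right.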


Log management standards

Make log backups and archives in a timely manner.
Extend the log retention period (according to the actual situation).
Control log access rights. The log may contain various key information such as passwords and accounts.
Logs need to be centrally managed. The server itself has limited storage, so a single server can be used for logging. The file server facilitates the unified management, collection and analysis of logs and prevents accidental loss, malicious tampering or deletion of log information.

Origin blog.csdn.net/weixin_49172531/article/details/113777150