Log Viewing and Time Management in Linux

1. journald service

(By default the journal is kept in memory-backed storage and is lost on reboot, so only the log of the current boot can be viewed)

  • The service is systemd-journald.service, present on RHEL 7 and later
  • Log viewing command: journalctl
  • Default log storage path: /run/log/journal (a tmpfs that is cleared on reboot)

1) Usage of journalctl command

  • journalctl ##Show the whole journal, oldest entries first (paged through less)

  • journalctl -n 3 ##The latest three entries of the journal

  • journalctl --since "10:30:00" ##Display entries logged after 10:30 today

  • journalctl --since "10:30:00" --until "10:40:00" ##Display entries logged between 10:30 and 10:40

  • journalctl -o <format> ##Specify the output format

    • journalctl -o short ##Classic syslog-style display, one line per entry (the default)

    • journalctl -o verbose ##Display every field of each entry, not just the message

    • journalctl -o export ##Serialized format (NAME=value lines, binary-safe) intended for transferring and backing up journal data

    • journalctl -o json ##One JSON object per entry, convenient for scripts

  • journalctl -p <level> ##Display entries at the given priority and at every more urgent one (-p 3 shows levels 0 to 3); -p 4..6 selects a range

    • journalctl -p 0 ##emerg: system is unusable (normally none)

    • journalctl -p 1 ##alert: action must be taken immediately (normally none)

    • journalctl -p 2 ##crit: critical condition, a component can no longer work

    • journalctl -p 3 ##err: error condition

    • journalctl -p 4 ##warning: warning condition

    • journalctl -p 5 ##notice: normal but significant event

    • journalctl -p 6 ##info: informational message

    • journalctl -p 7 ##debug: debug-level message

  • journalctl -F PRIORITY ##List the values the PRIORITY field takes in this journal (works for any field name)

  • journalctl -u sshd ##Show only entries of the given service unit

  • journalctl --disk-usage ##Show the disk space used by journal files

  • journalctl --vacuum-size=2G ##Delete archived journal files until the total is under 2G (a one-off cleanup; the standing limit is SystemMaxUse= in /etc/systemd/journald.conf)

  • journalctl --vacuum-time=1w ##Delete archived journal files older than one week

  • journalctl -f ##Follow the journal, printing new entries as they arrive

  • journalctl _PID=3603 ##Match on a field: show only entries written by process id 3603

2) Use journald to store logs permanently

  • By default the journal lives in /run/log/journal and is lost on reboot; journald switches to persistent storage as soon as the directory /var/log/journal exists (setting Storage=persistent in /etc/systemd/journald.conf has the same effect and creates the directory for you)

  • Create the on-disk directory for the journal (experiment preparation):
    mkdir /var/log/journal/
    chgrp systemd-journal /var/log/journal/
    chmod 2755 /var/log/journal/ ##setgid so new journal files inherit the systemd-journal group, whose members may read the journal without root
    cd /var/log/journal/

    systemctl restart systemd-journald.service

  • journalctl ##View the log; from now on entries are written to /var/log/journal/<machine-id>/

  • date ##Note the current time so entries from before the reboot can be recognized

  • Reboot

  • journalctl ##Entries from before the reboot are still there; journalctl --list-boots shows both boots and journalctl -b -1 shows only the previous one

  • rm -rf <journal directory name> ##Delete the persistent journal files (the name is the <machine-id> directory under /var/log/journal)

  • systemctl restart systemd-journald.service
  • journalctl ##The entries from before the restart are gone with the files that held them; only the current boot is visible again

2. rsyslog

1. rsyslog system log collection service

Preparation before the experiment:
Create a second virtual machine (westos-vmctl is the lab's VM helper):
westos-vmctl create westos_node2

Give it an IP address and switch its network adapter to bridged mode on the host machine.
When ping 172.25.254.173 succeeds, log in to both virtual machines remotely and give them different hostnames so the two can be told apart.

  • rsyslog.service ##System log collection service

  • Log storage:

    • /var/log/messages ##General system and service messages, service errors
    • /var/log/secure ##Authentication and authorization messages (sshd, sudo, su)
    • /var/log/maillog ##Mail system messages
    • /var/log/cron ##Scheduled task (cron) messages
    • /var/log/boot.log ##System boot messages
  • Configuration file: /etc/rsyslog.conf (plus drop-in files in /etc/rsyslog.d/)

  • systemctl status rsyslog.service ##View service status

  • Experiment 1: Customize the log collection path
    vim /etc/rsyslog.conf

  • Rule format: log type (facility) . log level (priority)   log storage path; a priority means "that level and every more urgent one"

    • *.* /var/log/westos ##Store messages of every facility and every level in /var/log/westos
      1. Edit the configuration file
      2. Clear the log file westos
      3. Restart the logging service
      4. View the westos log file

    • authpriv.* /var/log/westos ##Store only authpriv (authentication) messages in /var/log/westos
      1. Edit the configuration file
      2. Clear the log file westos
      3. Restart the sshd service
      4. Restart the logging service
      5. From node2, attempt a remote login to node1 with a wrong password; the failed login shows up in the westos log file

  • Log type (facility)

    • auth ##User authentication messages
    • authpriv ##Privileged authentication messages (kept out of world-readable logs)
    • cron ##Scheduled tasks
    • kern ##Kernel messages
    • mail ##Mail system
    • news ##Network news (USENET) subsystem
    • user ##Messages from user processes (the default facility)
  • Log level (priority, from least to most urgent)

    • debug ##Debug-level messages
    • info ##Informational messages about normal operation
    • notice ##Normal but significant events
    • warning ##Warning conditions
    • err ##Error conditions
    • crit ##Critical conditions, a component can no longer work
    • alert ##Action must be taken immediately
    • emerg ##System is unusable
    • none ##Do not collect (used to exclude a facility from a rule, e.g. mail.none)

2. Change how logs are collected (forward them to a remote host)

  • Characteristics of each transport:

    • TCP transport is reliable (three-way handshake, retransmission); plain syslog over TCP is still unencrypted, so "safe" here means no silent loss, not confidentiality
    • UDP transport is fast, but datagrams can be dropped and the source address is trivial to forge, so a receiver should accept UDP syslog only from known hosts on a trusted network
    • This experiment uses UDP transport
  • Preparation before the experiment:

    • Receiver settings: in /etc/rsyslog.conf enable the UDP input ($ModLoad imudp and $UDPServerRun 514, or the equivalent module(load="imudp") and input(type="imudp" port="514") lines), then restart rsyslog and make sure 514/udp is reachable
    • Sender settings: in /etc/rsyslog.conf add a forwarding rule such as *.* @<receiver IP>:514 (a single @ means UDP, @@ means TCP), then restart rsyslog

  • The receiver now records the sender's messages; clear the receiver's log file before testing so the forwarded entries are easy to spot

1. Define the log collection format

  • $template WESTOS_FORMAT,"%FROMHOST-IP% %timegenerated% %syslogtag% %msg%\n"
  • meaning:
    • WESTOS_FORMAT ##Template name
    • %FROMHOST-IP% ##IP address of the host the message came from
    • %timegenerated% ##Time the message was received by rsyslog (the receiver's clock, not the sender's)
    • %syslogtag% ##Tag of the program that generated the message, e.g. sshd[3603]:
    • %msg% ##Message body
    • \n ##Line break

2. Apply the log collection format

  • *.* /var/log/westos;WESTOS_FORMAT ##Write the westos log file using the WESTOS_FORMAT template
    1. The receiver edits the configuration file
    2. Both sides clear the log file
    3. The sender produces a new log entry
    4. The receiver checks that the entries are in the new format:
    1) with only %FROMHOST-IP% in the template, each line holds just the sender's IP address
    2) with the full template, each line holds the IP address, timestamp, tag and message content
  • To make WESTOS_FORMAT the default for every file output, add $ActionFileDefaultTemplate WESTOS_FORMAT before the rules; all log files are then written in this format
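Added example (not from the original post, and not rsyslog's own code): a Python script that performs the UDP forwarding and the template rendering described above on the loopback interface. The sender builds BSD-syslog datagrams with the PRI value (facility * 8 + severity) that rsyslog prefixes to every message; the receiver decodes it, applies the facility.priority selector of a rule and renders the matched lines with the WESTOS_FORMAT template. The three messages are constructed sample data, and the receiver listens on an ephemeral port instead of 514 so no privileges are needed.

```python
"""Syslog forwarding over UDP, as between the sender and receiver above: PRI encoding,
selector matching and template rendering. Added example with constructed messages."""
import re
import socket
import time

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
              "authpriv", "ftp", "ntp", "audit", "alert", "clock", "local0", "local1", "local2",
              "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
WESTOS_FORMAT = "%FROMHOST-IP% %timegenerated% %syslogtag% %msg%\n"   # the template from the post

# <PRI>Mmm dd hh:mm:ss hostname tag: message   (BSD syslog, what rsyslog sends by default)
DATAGRAM_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+): ?(.*)$", re.S)


def build_datagram(facility, severity, timestamp, hostname, tag, msg):
    """Sender side: PRI = facility * 8 + severity, e.g. authpriv.info -> <86>."""
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    return f"<{pri}>{timestamp} {hostname} {tag}: {msg}".encode()


def parse_datagram(data):
    """Receiver side: split PRI back into facility and severity and pick out the properties."""
    m = DATAGRAM_RE.match(data.decode(errors="replace"))
    if not m or int(m.group(1)) > 191:
        raise ValueError("not a syslog datagram")
    pri = int(m.group(1))
    return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
            "timestamp": m.group(2), "hostname": m.group(3),
            "syslogtag": m.group(4) + ":", "msg": m.group(5)}


def selector_matches(selector, facility, severity):
    """rsyslog selector semantics: 'facility.priority' means that priority and everything more
    urgent; '*' matches all; 'none' matches nothing; facilities may be comma-separated."""
    fac, _, prio = selector.partition(".")
    if fac != "*" and facility not in fac.split(","):
        return False
    if prio == "*":
        return True
    if prio == "none":
        return False
    return SEVERITIES.index(severity) <= SEVERITIES.index(prio)


def render(template, props):
    for name, value in props.items():
        template = template.replace(f"%{name}%", value)
    return template


def forward_over_udp(datagrams, selector, template=WESTOS_FORMAT):
    """Run sender and receiver on 127.0.0.1 and return the lines the receiver would append to
    its log file for a rule `selector /var/log/westos;WESTOS_FORMAT`. Port 0 = any free port;
    real rsyslog listens on 514/udp."""
    receiver = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    receiver.bind(("127.0.0.1", 0))
    receiver.settimeout(2)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    lines = []
    try:
        for d in datagrams:
            sender.sendto(d, receiver.getsockname())
        for _ in datagrams:
            data, (from_ip, _) = receiver.recvfrom(65535)
            rec = parse_datagram(data)
            if not selector_matches(selector, rec["facility"], rec["severity"]):
                continue
            props = {"FROMHOST-IP": from_ip,                             # from the packet, not the message text
                     "timegenerated": time.strftime("%b %d %H:%M:%S"),  # receiver's clock at arrival
                     "syslogtag": rec["syslogtag"], "msg": rec["msg"]}
            lines.append(render(template, props))
    finally:
        sender.close()
        receiver.close()
    return lines


# Constructed sample messages, as node1 would emit them.
SAMPLE = [
    build_datagram("authpriv", "info", "Feb 12 10:41:55", "node1", "sshd[3603]",
                   "Failed password for root from 172.25.254.173 port 51002 ssh2"),
    build_datagram("cron", "info", "Feb 12 10:42:01", "node1", "CROND[3711]",
                   "(root) CMD (run-parts /etc/cron.hourly)"),
    build_datagram("kern", "warning", "Feb 12 10:42:30", "node1", "kernel",
                   "nf_conntrack: table full, dropping packet"),
]

if __name__ == "__main__":
    for rule in ("*.*", "authpriv.*", "*.warning"):
        print(f"== {rule} /var/log/westos;WESTOS_FORMAT ==")
        print("".join(forward_over_udp(SAMPLE, rule)), end="")
```

Two details worth noticing in the output: %FROMHOST-IP% is taken from the UDP packet's source address, which is exactly the value an attacker can forge on the wire, and %timegenerated% is stamped with the receiver's clock, which is why the time synchronization in section 4 matters for a central log server.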

3. timedatectl

  • (Time zones are offsets from UTC: UTC+8, e.g. Asia/Shanghai, is eight hours ahead of UTC, and UTC-4 is four hours behind it)
  • timedatectl set-time "2020-02-12 10:41:55" ##Set the system time (refused while NTP synchronization is active)
  • timedatectl list-timezones ##List all time zones known to the system
  • timedatectl set-timezone "Asia/Shanghai" ##Set the system time zone (names are case-sensitive)
  • timedatectl set-local-rtc 0|1 ##Choose how the hardware clock (RTC) is interpreted
    ##0 means the RTC is kept in UTC (recommended); 1 means it is kept in local time, which causes trouble at DST changes and on dual-boot machines

4. Time synchronization service

#Service name: chronyd.service
#Configuration file: /etc/chrony.conf

  • Server (the host that shares its time; NTP uses 123/udp)

    • systemctl disable --now firewalld ##Turn off the firewall for the experiment (on a real server open only the NTP port instead: firewall-cmd --permanent --add-service=ntp, then firewall-cmd --reload)

    • vim /etc/chrony.conf ##Edit the configuration file: add an allow line for the client network (e.g. allow 172.25.254.0/24 for this lab) and local stratum 10 so the server answers even without an upstream source

    • systemctl enable --now chronyd ##Start the chronyd service and enable it at boot

    • systemctl status chronyd ##View service status

    • watch -n 1 timedatectl ##Monitor the server's time

  • Client

    • vim /etc/chrony.conf ##Edit the configuration file: replace the default pool/server lines with server <server IP> iburst

    • systemctl restart chronyd ##Restart the chronyd service

    • chronyc sources -v ##Show the configured sources and their state (^* marks the source currently synchronized to)

    • watch -n 1 timedatectl ##Check that the time now matches the server and that "System clock synchronized: yes" is shown

  • If the RTC (hardware clock) disagrees with the system time:

    • hwclock -w ##Write the system time to the hardware clock (clock -w on older systems)
    • hwclock -s ##Set the system time from the hardware clock (clock -s on older systems)
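Added example (not part of the original post, and not chrony's own code): the NTPv4 client/server exchange that chronyd performs on every poll of a source, written in Python with the 48-byte packet layout from RFC 5905. The server has no upstream and answers at stratum 10, like a chrony server configured with local stratum 10. The network delay and the server's clock skew are simulated, constructed values so the run is deterministic and works offline; the offset and delay formulas are the ones a real client applies to the four timestamps.

```python
"""One NTPv4 poll as chronyd performs it: request, reply, and the offset/delay calculation.
Added example with simulated clocks; packet layout follows RFC 5905."""
import struct

NTP_EPOCH_DELTA = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
# 48-byte header: LI|VN|Mode, stratum, poll, precision, root delay, root dispersion,
# reference id, then reference/originate/receive/transmit timestamps (64-bit fixed point).
NTP_PACKET = "!BBBbIII4Q"
IDX_MODE, IDX_STRATUM, IDX_ORIG, IDX_RECV, IDX_XMIT = 0, 1, 8, 9, 10


def to_ntp(unix_seconds):
    """Unix seconds -> 64-bit NTP timestamp (32 bits of seconds since 1900, 32 bits of fraction)."""
    secs = int(unix_seconds) + NTP_EPOCH_DELTA
    frac = int((unix_seconds - int(unix_seconds)) * 2**32)
    return (secs << 32) | frac


def from_ntp(ts):
    return (ts >> 32) - NTP_EPOCH_DELTA + (ts & 0xFFFFFFFF) / 2**32


def client_request(t1):
    """LI=0, VN=4, Mode=3 (client) -> 0x23; the client fills in only its transmit time t1."""
    return struct.pack(NTP_PACKET, 0x23, 0, 6, -20, 0, 0, 0, 0, 0, 0, to_ntp(t1))


def server_reply(request, t2, t3, stratum=10):
    """Mode=4 (server). Echoes the client's transmit time as 'originate', stamps receive (t2)
    and transmit (t3). Reference id LOCL marks a local-clock server such as chrony's local stratum 10."""
    f = struct.unpack(NTP_PACKET, request)
    if f[IDX_MODE] & 0x07 != 3:
        raise ValueError("not a client request")
    return struct.pack(NTP_PACKET, 0x24, stratum, f[2], -20, 0, 0,
                       int.from_bytes(b"LOCL", "big"), to_ntp(t3), f[IDX_XMIT], to_ntp(t2), to_ntp(t3))


def client_measure(reply, t1, t4):
    """Returns (offset, round-trip delay, server stratum). The originate-timestamp check is the
    same weak anti-spoofing test real clients apply: a reply that does not echo our t1 is dropped."""
    f = struct.unpack(NTP_PACKET, reply)
    if f[IDX_MODE] & 0x07 != 4 or f[IDX_ORIG] != to_ntp(t1):
        raise ValueError("reply does not match our request")
    t2, t3 = from_ntp(f[IDX_RECV]), from_ntp(f[IDX_XMIT])
    offset = ((t2 - t1) + (t3 - t4)) / 2      # how far the server's clock is ahead of ours
    delay = (t4 - t1) - (t3 - t2)             # network round trip with server processing removed
    return offset, delay, f[IDX_STRATUM]


def simulate_poll(server_skew, one_way_delay, processing=0.001, start=1581475200.0):
    """Constructed scenario: the server clock is `server_skew` s ahead of the client's and the
    network path is symmetric. With a symmetric path the offset is recovered exactly; an
    asymmetric path is the classic source of NTP error (and of delay-based attacks)."""
    t1 = start                                  # client clock, request leaves
    t2 = t1 + one_way_delay + server_skew       # server clock, request arrives
    t3 = t2 + processing                        # server clock, reply leaves
    t4 = t1 + 2 * one_way_delay + processing    # client clock, reply arrives
    reply = server_reply(client_request(t1), t2, t3)
    return client_measure(reply, t1, t4)


if __name__ == "__main__":
    offset, delay, stratum = simulate_poll(server_skew=5.0, one_way_delay=0.05)
    print(f"offset {offset:+.6f} s, delay {delay:.6f} s, stratum {stratum}")
```

The offset is what chronyc sources shows in its last column for each source, and the stratum is the number printed before it; a server with local stratum 10 therefore appears as stratum 10 on the client, which is fine for a lab but would be outvoted by any real stratum 1 to 3 source configured alongside it.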

Origin blog.csdn.net/weixin_44632711/article/details/112982889