Importance of log files:
Troubleshoot system errors; troubleshoot network services; keep a record of past events
Common log file names:
/var/log/cron: Records crontab activity: whether each scheduled job ran, whether it produced errors, whether /etc/crontab is written correctly, etc.
/var/log/dmesg: Records the messages the kernel produces while detecting hardware at boot. Since CentOS by default no longer displays the kernel hardware detection output during startup, a copy of that data is written to this file.
/var/log/lastlog: records the last login of every account on the system
/var/log/maillog or /var/log/mail/*: Mail log. Mainly records the messages produced by sendmail (the SMTP server) and dovecot (the POP3 server). SMTP is the protocol used for sending mail and POP3 is the protocol used for receiving it; sendmail and dovecot are the two software packages that implement these protocols.
/var/log/messages (important): almost every error message (or important message) the system generates is recorded here; when an unexplained error occurs in the system, this is the log file that must be consulted
/var/log/secure: Any software that requires entering an account and password records the login here, whether it succeeded or failed. This includes the system login program, the gdm program used for graphical logins, su and sudo, and network login programs such as ssh and telnet.
/var/log/wtmp, /var/log/faillog: wtmp records the accounts that logged in to the system successfully, and faillog records the accounts used in failed login attempts
/var/log/httpd/*, /var/log/news/*, /var/log/samba/* (important): log files produced by the individual services
Log service classification:
rsyslogd: system log; records the logs generated by non-kernel programs
Examples: /var/log/messages: where standard system error logs are stored
/var/log/maillog: logs generated by the mail system
/var/log/secure: system security log
klogd: dedicated to recording the logs generated by the kernel
/var/log/dmesg: where kernel logs are stored
Note: in CentOS 6.x the original syslogd log service has been replaced by rsyslogd
Make sure the service is running:
ps aux | grep rsyslogd    to check whether the service is running
chkconfig --list | grep rsyslogd    to check whether the service starts automatically at boot
rsyslogd log service:
1. /etc/rsyslog.conf configuration file:
Format: service name [connection symbol] log level    log location
Example: authpriv.*    /var/log/secure
# Authentication-related services: logs of all levels are recorded in /var/log/secure
Connection symbols can be:
" * " represents all log levels. For example, "authpriv.*" means the logs generated by the authpriv (authentication) service are recorded at every level.
" . " means that any log at or above the following level (including that level) is recorded.
For example, "cron.info" means the logs generated by the cron service are recorded as long as their level is greater than or equal to info.
" .= " means that only logs of exactly the given level are recorded and all other levels are ignored. For example, "*.=emerg" means the logs generated by any service are recorded only when their level is exactly emerg. This usage is rare; it is enough to understand it.
" .! " means not equal: logs of every level except the given one are recorded.
2. Log recording locations:
The absolute path of a log file, such as "/var/log/secure"
A system device file, such as "/dev/lp0"
Forwarding to a remote host, such as "@@192.168.198.136:514"
A single @ forwards over UDP; a double @@ forwards over TCP
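To make the selector rules above concrete, here is an added example (not code from the original notes) that evaluates rsyslog.conf-style lines and reports where a message of a given facility and level would be written. It covers the "*", "." and ".=" forms; the ".!" form is left out. Two details come from rsyslog's own syntax rather than from the notes: the "none" level, which excludes a facility from a rule, and a leading "-" on a file target, which only disables syncing after each write. The configuration text is constructed for the demo.

```python
# Added example (not from the original notes): a small evaluator for the
# selector syntax of /etc/rsyslog.conf. Handles "*", "." and ".=" selectors,
# plus rsyslog's "none" level (assumed from rsyslog, not from the notes).
# Levels in ascending order of severity.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

def selector_matches(selector, facility, priority):
    """One 'facility.level' selector: True/False, or None if facility not named."""
    fac_part, level = selector.rsplit(".", 1)
    if fac_part != "*" and facility not in fac_part.split(","):
        return None                                  # selector does not apply
    if level == "none":
        return False                                 # facility explicitly excluded
    if level == "*":
        return True                                  # every level
    if level.startswith("="):                        # ".=" form: exactly this level
        return priority == level[1:]
    # plain "." form: this level and everything more severe
    return PRIORITIES.index(priority) >= PRIORITIES.index(level)

def rule_matches(selectors, facility, priority):
    """';'-separated selectors are read left to right; the last one naming the facility wins."""
    decision = False
    for sel in selectors.split(";"):
        result = selector_matches(sel.strip(), facility, priority)
        if result is not None:
            decision = result
    return decision

def route(conf_text, facility, priority):
    """Return every destination that receives a (facility, priority) message."""
    targets = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selectors, target = line.split(None, 1)
        if rule_matches(selectors, facility, priority):
            targets.append(target.lstrip("-"))       # "-" only means no sync on write
    return targets

# Constructed sample modelled on the CentOS 6 rules quoted in the notes.
SAMPLE_CONF = """
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
*.=emerg                                    *
*.*                                         @@192.168.198.136:514
"""
```

Running route(SAMPLE_CONF, "authpriv", "info") shows why a failed sudo ends up in /var/log/secure but not in /var/log/messages: the "authpriv.none" selector on the first line overrides "*.info".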
Log rotation:
logrotate
logrotate rotates log files; the conditions under which a log file is rotated must be written in its configuration
The main function of logrotate is to move the old log file aside under a new name and recreate an empty one
Configuration files:
/etc/logrotate.conf (main parameter file)
/etc/logrotate.d (a directory; every file in it is read into /etc/logrotate.conf. Any setting that a file there does not specify falls back to the default rule in /etc/logrotate.conf.)
Naming rules for log files:
a) If the configuration file contains the "dateext" parameter, the rotated log file gets the date as its suffix.
Benefit: the existing rotated files do not need to be renamed; just specify how many logs to keep and the excess are deleted.
b) If the configuration file does not contain the "dateext" parameter, the rotated log files need to be renamed.
A logrotate configuration entry is written as:
File name: the absolute path of the log file to be processed comes first; multiple log files are separated by spaces;
Parameters: the rotation parameters for those files are enclosed in { };
Environment: external commands can be called for additional actions. This needs to be used together with the sharedscripts ... endscript settings. The available environments are:
prerotate : commands to run before rotation, for example changing the attributes of the log file;
postrotate : commands to run after rotation, for example restarting (kill -HUP) a service;
prerotate and postrotate are very important for handling files with special attributes.
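As an added example (not part of the original notes), here is a hypothetical /etc/logrotate.d/httpd entry that combines the three parts just described: the file names (taken from the /var/log/httpd/* entry above), the parameters in { }, and a postrotate ... endscript environment. The directives are standard logrotate keywords; the reload command assumes a CentOS 6 style "service" script.

```conf
# Added example, not from the notes: hypothetical /etc/logrotate.d/httpd
# File names: absolute paths, several separated by spaces
/var/log/httpd/access_log /var/log/httpd/error_log {
    # Parameters: when and how to rotate
    weekly                  # rotation condition
    rotate 4                # keep four old copies, delete the rest
    dateext                 # suffix old copies with the date instead of renaming them
    missingok               # no error if a file is absent
    notifempty              # skip empty files
    compress
    delaycompress           # compress one rotation later so the service can finish writing
    create 0640 root root   # recreate the log with restrictive permissions
    # Environment: run the script once for all files, not once per file
    sharedscripts
    postrotate
        # make httpd reopen its log files after rotation (equivalent to kill -HUP)
        /sbin/service httpd reload > /dev/null 2>&1 || true
    endscript
}
```

Test a new entry with logrotate -d /etc/logrotate.conf before relying on it; the dry run shows which files would rotate without touching them.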
logrotate command
[root@localhost ~]# logrotate [options] configuration-file
Options:
With no options, log rotation is performed according to the conditions in the configuration file
-v : verbose; displays the log rotation process
-f : force rotation; rotates every log in the configuration file regardless of whether the rotation conditions are met
-d : dry-run (debug) mode; simulates the rotation and displays what would happen without actually rotating any log files