1. System log default classification
/var/log/messages   system service logs: service information, error reports, etc.
/var/log/secure     system authentication log
/var/log/maillog    system mail service log
/var/log/cron       system scheduled task (cron) log
/var/log/boot.log   system boot log
2. Log management service rsyslog
1. rsyslog collects logs, classifies them and stores them
2. rsyslog log classification
vim /etc/rsyslog.conf          ##Main configuration file
service.loglevel   /storefile  ##Rule format: facility.priority   target file
*.*                /var/log/westos   ##all facilities, all levels
*.*;authpriv.none  /var/log/westos   ##everything except the authpriv facility
systemctl restart rsyslog
Format
log device (type).(connection symbol)log level    log processing method (action)
log device (facility; can be understood as the log type):
auth                 ##pam generated log
authpriv             ##ssh, ftp and other login authentication information
cron                 ##Scheduled task related
kern                 ##Kernel
lpr                  ##Print
mail                 ##Mail
mark(syslog)-rsyslog ##Service internal information, time stamp
news                 ##Newsgroup
user                 ##Information generated by user programs
uucp                 ##unix to unix copy, communication between unix hosts
local1~7             ##custom log device
####log level####
debug    ##Debug information; the most verbose
info     ##General information; the most commonly used
notice   ##Normal but significant conditions
warning  ##Warning level
err      ##Error level: a function or module cannot work properly
crit     ##Critical level: the whole system or the whole program cannot work properly
alert    ##Action must be taken immediately
emerg    ##Severe information such as a kernel crash
none     ##Nothing is logged
##Note: From top to bottom the level goes from low to high, and less and less information is recorded
##Details: man 3 syslog
####Connection symbols####
.xxx   : information at level xxx or higher
.=xxx  : information at exactly level xxx
.!xxx  : information at levels other than xxx
####Instance####
1. Log to a normal file or a device file:
*.* /var/log/file.log   # Absolute path
*.* /dev/pts/0          # terminal device
test: logger -p local3.info 'KadeFor is testing the rsyslog and logger'   # the logger command generates a log message
2. Send to users (the user must be logged in to receive it)
*.* root
*.* root,kadefor,up01   # use , to separate multiple users
*.* *                   # * means all logged-in users
3. Ignore, discard
local3.* ~              # discard all levels of the local3 facility
4. Execute a script:
local3.* ^/tmp/a.sh     # ^ followed by the absolute path of an executable script or program
# The log content is passed as the first parameter of the script.
# Can be used to trigger an alarm
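The selector rules above (facility, connection symbol, level, `none`, and several selectors joined by `;`) can be checked without touching a live rsyslog. The script below is an added example, not part of these notes or of rsyslog itself: it evaluates a selector against a (facility, priority) pair following rsyslog.conf(5), where `.!xxx` drops level xxx and everything more severe, `.!=xxx` drops exactly xxx, and selectors are applied left to right so a later `mail.none` removes what an earlier `*.info` added. It answers "would this message land in /var/log/messages?" before a rule is deployed.

```shell
#!/usr/bin/env bash
# Evaluate an rsyslog selector against a (facility, priority) pair.
# Added example; implements the classic selector rules of rsyslog.conf(5):
#   fac.prio    log prio and everything more severe
#   fac.=prio   log exactly prio
#   fac.!prio   drop prio and everything more severe
#   fac.!=prio  drop exactly prio
#   fac.none    drop the facility entirely
#   fac1,fac2.prio and *.prio  facility lists and the wildcard
# Selectors joined by ';' are applied left to right; later ones override.

# Numeric severity: 0 = emerg (most severe) ... 7 = debug (least severe).
sev() {
    case "$1" in
        emerg|panic)  echo 0 ;;
        alert)        echo 1 ;;
        crit)         echo 2 ;;
        err|error)    echo 3 ;;
        warning|warn) echo 4 ;;
        notice)       echo 5 ;;
        info)         echo 6 ;;
        debug)        echo 7 ;;
        *) echo "unknown priority: $1" >&2; return 1 ;;
    esac
}

# facility_in_list LIST FACILITY: LIST is "*" or a comma-separated list.
facility_in_list() {
    [ "$1" = "*" ] && return 0
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# selector_matches SELECTOR FACILITY PRIORITY -> prints yes or no
selector_matches() {
    local selector="$1" fac="$2" pri="$3"
    local logged=no part faclist spec p
    local IFS=';'                        # split the selector list on ';'
    p=$(sev "$pri") || return 1
    set -f                               # '*' in selectors must not glob
    for part in $selector; do
        faclist=${part%%.*}
        spec=${part#*.}
        if facility_in_list "$faclist" "$fac"; then
            case "$spec" in
                none)  logged=no ;;
                '*')   logged=yes ;;
                '!='*) if [ "$p" -eq "$(sev "${spec#!=}")" ]; then logged=no;  fi ;;
                '='*)  if [ "$p" -eq "$(sev "${spec#=}")"  ]; then logged=yes; fi ;;
                '!'*)  if [ "$p" -le "$(sev "${spec#!}")"  ]; then logged=no;  fi ;;
                *)     if [ "$p" -le "$(sev "$spec")"      ]; then logged=yes; fi ;;
            esac
        fi
    done
    set +f
    echo "$logged"
}

# Demo: the default /var/log/messages rule from the notes plus an edge case.
demo() {
    local rule='*.info;mail.none;authpriv.none;cron.none' probe
    for probe in "kern warning" "mail err" "user debug" "authpriv notice"; do
        set -- $probe
        printf '%-42s %-9s %-8s -> %s\n' "$rule" "$1" "$2" "$(selector_matches "$rule" "$1" "$2")"
    done
    printf '%-42s %-9s %-8s -> %s\n' '*.info;*.!err' kern crit "$(selector_matches '*.info;*.!err' kern crit)"
}
demo
```

The `!` form is the one people get wrong: `*.info;*.!err` keeps info, notice and warning but drops err and everything above it, so a rule written that way silently loses the most severe messages.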
Log synchronization
systemctl stop firewalld   ##Close the firewall
configure the log sender (one of the two hosts):
*.* @172.25.0.11           ##Send all logs to host 11 over udp; @ = udp, @@ = tcp
configure the log receiver (in /etc/rsyslog.conf):
$ModLoad imudp             ##Log receiving module
$UDPServerRun 514          ##Port the receiving module listens on
netstat -anulpe | grep rsyslog
udp    0   0 0.0.0.0:514    0.0.0.0:*    0   122073   32654/rsyslogd
udp6   0   0 :::514         :::*         0   122074   32654/rsyslogd
-a ##all
-n ##Do not resolve names
-t ##tcp
-u ##udp
-p ##Process name
-e ##Extended information
test
> /var/log/messages          ##empty the log file on both sides
logger test message          ##on the log sender
tail -f /var/log/messages    ##on the log receiver
####Log collection format####
$template WESTOS,"%timegenerated% %FROMHOST-IP% %syslogtag% %msg%\n"
%timegenerated%   ##log time
%FROMHOST-IP%     ##ip of the sending host
%syslogtag%       ##log tag (program name)
%msg%             ##log content
\n                ##newline
$ActionFileDefaultTemplate WESTOS
*.info;mail.none;authpriv.none;cron.none /var/log/messages;WESTOS
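Once lines arrive in the WESTOS format, the sender's IP is always the fourth whitespace-separated field and the tag the fifth, which makes receiver-side sanity checks easy. The script below is an added example (not from the notes); the log lines it reads are constructed sample data and the hosts 172.25.0.11/12/13 are assumed. It counts messages per sending host, lists expected senders that have gone silent (a host that stops forwarding usually means a broken forwarder, a firewall change, or someone silencing the logs), and tallies messages per program tag.

```shell
#!/usr/bin/env bash
# Receiver-side checks on logs written with the WESTOS template:
#   %timegenerated% %FROMHOST-IP% %syslogtag% %msg%
# Added example, not part of the notes. Because %timegenerated% occupies three
# whitespace-separated fields (Mon DD HH:MM:SS), the sender IP is field 4 and
# the tag is field 5.

# Constructed sample input (not real log data); the IPs are assumed.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jun  5 10:21:33 172.25.0.11 sshd[1182]: Accepted publickey for root from 172.25.0.250
Jun  5 10:21:40 172.25.0.12 root: test message
Jun  5 10:22:01 172.25.0.11 CROND[2201]: (root) CMD (run-parts /etc/cron.hourly)
Jun  5 10:22:09 172.25.0.11 sshd[1190]: Failed password for invalid user admin from 172.25.0.99
EOF

# messages_from FILE IP -> number of lines received from IP
messages_from() {
    awk -v ip="$2" '$4 == ip { n++ } END { print n + 0 }' "$1"
}

# silent_senders FILE IP... -> prints each expected sender with zero messages.
silent_senders() {
    local file="$1" ip
    shift
    for ip in "$@"; do
        if [ "$(messages_from "$file" "$ip")" -eq 0 ]; then
            echo "$ip"
        fi
    done
}

# tag_counts FILE -> "count program" lines, busiest program first.
# Strips the [pid] and the trailing ':' from %syslogtag%.
tag_counts() {
    awk '{ t = $5; sub(/\[.*/, "", t); sub(/:$/, "", t); c[t]++ }
         END { for (t in c) print c[t], t }' "$1" | sort -rn
}

echo "messages from 172.25.0.11: $(messages_from "$SAMPLE_LOG" 172.25.0.11)"
echo "silent senders: $(silent_senders "$SAMPLE_LOG" 172.25.0.11 172.25.0.12 172.25.0.13)"
echo "per-program counts:"
tag_counts "$SAMPLE_LOG"
```

Run against the real /var/log/messages on the receiver, with the list of hosts that are supposed to forward, `silent_senders` is a cheap cron check that catches a forwarder that died or a sender whose `@172.25.0.11` line was removed.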
####3. Log analysis tool journal####
systemd-journald   ##Process name
journalctl         ##Run directly to browse the system log
-n 3               ##Show the latest 3 entries
-p err             ##Show errors
-f                 ##Follow the log
--since --until    ## --since "[YYYY-MM-DD] [hh:mm:ss]"  log from one time to another
-o verbose         ##Show every field of each entry; those fields can be used as filter parameters, e.g.:
##_SYSTEMD_UNIT=sshd.service   service name
##_PID=1182                    process pid
management of systemd-journald
##By default journald does not keep log information from before a restart; to keep it:
mkdir /var/log/journal
chown root:systemd-journal /var/log/journal
chmod 2755 /var/log/journal
killall -1 systemd-journald
ls /var/log/journal/4513ad59a3b442ffa4b7ea88343fa55f
system.journal  user-1000.journal
####4. Time synchronization####
1. Server
yum install chrony -y        ##Install service
vim /etc/chrony.conf         ##Main configuration file
# Allow NTP client access from local network.
allow 172.25.0.0/24          ##Who is allowed to synchronize time from me
# Serve time even if not synchronized to any NTP server.
local stratum 10             ##Do not synchronize from anyone; the stratum (level) of this time server
systemctl restart chronyd
systemctl stop firewalld
2. Client
vim /etc/chrony.conf
server 172.25.254.100 iburst
systemctl restart chronyd
test:
[root@localhost ~]# chronyc sources -v
210 Number of sources = 1
  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| /   '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||      Log2(Polling interval) -.                  |  xxxx = adjusted offset,
||                                \                |  yyyy = measured offset,
||                                 \               |  zzzz = estimated error.
||                                  |              |
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 172.25.0.11                  10   6   377    41   +170us[ +201us] +/-  191us
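Accurate time is what makes logs from several hosts correlate, so the log receiver should verify its own sync state rather than assume it. The script below is an added example, not part of the notes or of chrony; it parses a constructed copy of the `chronyc sources -v` table above (with two extra source lines made up for illustration), finds the currently selected source (`^*`), and decodes the octal Reach register, in which each of the last 8 polls contributes one bit, so 377 means no missed polls.

```shell
#!/usr/bin/env bash
# Decide whether this host is usefully synchronised, from `chronyc sources -v`.
# Added example, not part of the notes or of chrony.

# Constructed sample: the table from the notes plus two made-up extra sources.
CHRONY_SAMPLE=$(mktemp)
trap 'rm -f "$CHRONY_SAMPLE"' EXIT
cat > "$CHRONY_SAMPLE" <<'EOF'
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 172.25.0.11                  10   6   377    41   +170us[ +201us] +/-  191us
^- 172.25.0.12                   2   6   177    38  -1500us[-1480us] +/- 2300us
^? 172.25.0.13                   0   6     0     -     +0ns[   +0ns] +/-    0ns
EOF

# synced_source FILE -> IP of the source chrony currently syncs to ('^*'), if any
synced_source() {
    awk '$1 == "^*" { print $2 }' "$1"
}

# source_field FILE IP COLUMN -> one column (3 = Stratum, 5 = Reach, NF = estimated error)
source_field() {
    awk -v ip="$2" -v col="$3" '$2 == ip { print (col == "NF") ? $NF : $col }' "$1"
}

# reach_missed_polls OCTAL -> how many of the last 8 polls got no reply.
# Reach is an octal bitmask with one bit per poll: 377 = all eight answered,
# 177 = one missed, 0 = nothing heard from the source.
reach_missed_polls() {
    echo "$1" | awk '{
        split("0 1 1 2 1 2 2 3", pc, " ")   # popcount of the octal digits 0..7
        n = 0
        for (i = 1; i <= length($1); i++) n += pc[substr($1, i, 1) + 1]
        print 8 - n
    }'
}

# time_sync_status FILE -> "ok IP", "degraded IP" (selected source missing polls) or "unsynced"
time_sync_status() {
    local src reach
    src=$(synced_source "$1")
    if [ -z "$src" ]; then
        echo "unsynced"
        return 0
    fi
    reach=$(source_field "$1" "$src" 5)
    if [ "$(reach_missed_polls "$reach")" -eq 0 ]; then
        echo "ok $src"
    else
        echo "degraded $src"
    fi
}

echo "status: $(time_sync_status "$CHRONY_SAMPLE")"
for ip in 172.25.0.11 172.25.0.12 172.25.0.13; do
    printf '%s stratum=%s reach=%s missed=%s err=%s\n' "$ip" \
        "$(source_field "$CHRONY_SAMPLE" "$ip" 3)" \
        "$(source_field "$CHRONY_SAMPLE" "$ip" 5)" \
        "$(reach_missed_polls "$(source_field "$CHRONY_SAMPLE" "$ip" 5)")" \
        "$(source_field "$CHRONY_SAMPLE" "$ip" NF)"
done
```

On a real host replace the sample file with `chronyc sources -v | sed 1,2d` piped to a temporary file, or simply check `chronyc tracking`; the point of decoding Reach is that a source can still be marked `^*` while the last few polls failed, which is exactly when clock drift, and therefore log timestamp skew, starts.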
####5. timedatectl command####
timedatectl status              ##Display current time information
timedatectl set-time            ##Set the current time
timedatectl set-timezone        ##Set the current time zone
timedatectl set-local-rtc 0|1   ##Set whether the hardware clock uses local time or utc
timedatectl list-timezones      ##List all supported time zones