Log collection rules, time synchronization and at delay

First reset the two virtual machines and set their IPs to +100 and +200:
nm-connection-editor

Apply the settings.

Set the hostname:

hostnamectl set-hostname node2.example.com (or node1.example.com)

Exit and reconnect.

Logs are stored in /var/log/messages
1. Log collection rules 


vim /etc/rsyslog.conf   #The log collection rules can be changed in this file
*.*   file name

log type.log level   log storage file








The configuration file needs to be re-read after the change: systemctl restart rsyslog.service


     
auth user login log (pam generated log)
authpriv service authentication log (sshd authentication)
kern kernel log
cron scheduled task log
lpr printer log
mail mail log
news news
user user related program log
local 1-7 user-defined log




For example: vim /etc/rsyslog.conf
auth.debug /var/log/westos
*.* /var/log/log.all

Log level
debug #System debugging information
info #General information
warning #Warning information
err #Error (low level, prevents a certain function from working properly)
crit #Error (high level, prevents the entire software or the entire system from working properly)
alert #Information that needs to be dealt with immediately
emerg #Kernel crash
none #Do not collect any log information

Common system logs (view a log with cat /var/log/...)

/var/log/messages #General information of all log levels (excluding mail, service authentication and scheduled tasks)
/var/log/maillog #Mail log
/var/log/secure #Service authentication log
/var/log/cron #Scheduled task log
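
How the "log type.log level" part of a rule decides whether a message is written can be tried out with the following added example, which is not part of the original notes. It models only the selector forms used on this page (type.level, *, none, clauses joined with ";"); the function names sev and selector_matches are made up for the illustration.

```sh
# Added example: evaluate an rsyslog-style selector such as
# "*.info;mail.none" against one message's log type and level.

# Map a level name to its syslog severity number (0 = most severe).
sev() {
    case "$1" in
        emerg) echo 0 ;; alert) echo 1 ;; crit) echo 2 ;; err) echo 3 ;;
        warning) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
        *) return 1 ;;
    esac
}

# selector_matches SELECTOR TYPE LEVEL -> exit status 0 if the message is logged.
# Clauses are applied left to right. A level selects that level and everything
# more severe; "none" clears whatever earlier clauses selected for that type,
# which is how "mail.none" removes mail from "*.info".
selector_matches() {
    sel=$1 fac=$2 lvl=$3 hit=1
    msg_sev=$(sev "$lvl") || return 2
    old_ifs=$IFS
    IFS=';'
    set -f                      # keep "*" from being expanded as a file glob
    for clause in $sel; do
        c_fac=${clause%%.*}
        c_lvl=${clause#*.}
        [ "$c_fac" = "*" ] || [ "$c_fac" = "$fac" ] || continue
        if [ "$c_lvl" = "none" ]; then
            hit=1
        elif [ "$c_lvl" = "*" ]; then
            hit=0
        elif c_sev=$(sev "$c_lvl") && [ "$msg_sev" -le "$c_sev" ]; then
            hit=0
        fi
    done
    set +f
    IFS=$old_ifs
    return $hit
}
```

For instance, selector_matches 'auth.debug' auth info succeeds, while the same selector with the type cron does not.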



2. Remote synchronization of logs

On the log sender
vim /etc/rsyslog.conf

*.* @192.25.254.201 #Log receiver address

This sends all logs to 192.25.254.201

systemctl restart rsyslog.service (restart)


On the log receiver
vim /etc/rsyslog.conf
Line 15: $ModLoad imudp
Line 16: $UDPServerRun 514

systemctl restart rsyslog

Turn off the firewall
systemctl stop firewalld
systemctl disable firewalld


(Go back and execute > /etc/rc.d/rc.local first)






3. Define the log collection format




On the receiver
vim /etc/rsyslog.conf
$template format name,"log collection format"

For example:
$template westos,"%timegenerated% %FROMHOST-IP% %syslogtag% %msg%\n"
*.info;mail.none;authpriv.none;cron.none /var/log/messages;westos

%timegenerated% #log generation time
%FROMHOST-IP% #log source host ip
%syslogtag% #the program that generated the log
%msg% #log content
\n #newline

After that, restart rsyslog on both virtual machines: systemctl restart rsyslog

Empty the log file: > /var/log/messages

Then view it: cat /var/log/messages

Repeat and observe the result.




journalctl: tool for viewing logs (it does not collect them)

journalctl -n 3 #View the latest three entries

journalctl -p err #View system errors

journalctl -f #Follow the log; use ctrl+c to end monitoring

journalctl --since --until #View the logs from one point in time to another

journalctl -o verbose #View the detailed parameters of the log entries

journalctl _PID=xxx #View the logs of the process with PID xxx

(systemctl status sshd shows the PID; it changes after systemctl restart sshd.service or a reboot)


Management of systemd-journald
By default, this program is only responsible for viewing logs; it does not save or collect them.
If you power off and then power on again, only the logs written after booting can be viewed. The earlier logs of the system were stored in memory, so they are gone after the shutdown.




How to keep the systemd-journald logs on the hard drive

mkdir /var/log/journal (the name of this directory cannot be changed)

chgrp systemd-journal /var/log/journal

chmod g+s /var/log/journal

killall -1 systemd-journald

journalctl -n 3 (see the time of the last saved journal entries)

date (see the shutdown time)

reboot

journalctl (see whether the logs from before the shutdown were saved)




It can be seen that the log is saved.

6. Time synchronization

On the server side
vim /etc/chrony.conf
Line 29: local stratum 10 #Turn on the time sharing function and set the sharing level. After this parameter is turned on, the machine will not synchronize other machines' time to this machine
Line 22: allow 172.25.254.101 #Which clients are allowed to access the time shared by chronyd
systemctl restart chronyd




On the client
vim /etc/chrony.conf
server 172.25.254.201 iburst






systemctl restart chronyd


chronyc sources -v (view the time synchronization status)
210 Number of sources = 1


  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| /   '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||                                                /   xxxx = adjusted offset,
||         Log2(Polling interval) -.             |    yyyy = measured offset,
||                                  \            |    zzzz = estimated error.
||                                   |           |                         
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 172.25.254.101            10   6    17     9    +15ms[  +15ms] +/-   85ms
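
Because logs from several hosts can only be correlated when their clocks agree, the status line above can also be checked by a script. The following is an added example, not part of the original notes; the function names and the error limit passed to sync_ok are assumptions chosen for the illustration.

```sh
# Added example: decide from the text printed by "chronyc sources" whether
# this host has a selected time source ("^*") whose estimated error
# (the value after "+/-") is within a chosen limit.

# Sample input: the status line shown above, and a constructed line for an
# unreachable source.
sample_synced() {
    echo '^* 172.25.254.101            10   6    17     9    +15ms[  +15ms] +/-   85ms'
}
sample_unsynced() {
    echo '^? 172.25.254.101             0   6     0     -     +0ns[   +0ns] +/-    0ns'
}

# to_us VALUE -> VALUE in whole microseconds, e.g. "85ms" -> 85000
to_us() {
    echo "$1" | awk '{
        num = $0;  sub(/[a-z]+$/, "", num)       # numeric part
        unit = $0; sub(/^[-+0-9.]+/, "", unit)   # ns, us, ms or s
        if (unit == "ns") f = 0.001
        else if (unit == "us") f = 1
        else if (unit == "ms") f = 1000
        else f = 1000000
        printf "%d\n", num * f
    }'
}

# sync_ok MAX_ERROR_US   (reads "chronyc sources" output on standard input)
sync_ok() {
    max_us=$1
    # The last field of the "^*" line is the estimated error.
    est=$(awk '$1 == "^*" { print $NF; exit }')
    [ -n "$est" ] || return 1        # no selected source at all
    [ "$(to_us "$est")" -le "$max_us" ]
}
```

On a live system the input would come from a pipe such as chronyc sources | sync_ok 100000.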






timedatectl #View the time

timedatectl list-timezones ##List the time zones

timedatectl set-timezone Asia/Shanghai ##Set the time zone to China time

Set local time
timedatectl set-local-rtc 0 ###Do not use local time

vim /etc/adjtime

timedatectl set-local-rtc 1 ###Use local time

vim /etc/adjtime

timedatectl set-time '2018-11-11 11:11:11' #Set the time






Delayed tasks with at

at TIME

at now+5min










at -l ####List the delayed jobs that are pending

at -r 1 ####Delete the delayed job with the corresponding number








User blacklist for the at command
vim /etc/at.deny
Once the whitelist exists, no users other than the superuser and the users in the list can execute at, and the blacklist is no longer in effect
vim /etc/at.allow
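
The access decision made from the two files can be reproduced with the following added example, which is not part of the original notes and is useful when auditing who is able to schedule jobs. It goes slightly beyond the text by also covering the cases where only the blacklist exists or neither file exists; the function names and the file paths passed in are assumptions.

```sh
# Added example: the decision that /etc/at.allow and /etc/at.deny produce,
# written as functions that can be run against copies of the two files.

# may_use_at USER ALLOW_FILE DENY_FILE -> exit status 0 if USER may run at
may_use_at() {
    user=$1 allow=$2 deny=$3
    # The superuser may always use at.
    [ "$user" = "root" ] && return 0
    if [ -f "$allow" ]; then
        # Whitelist exists: only listed users, the blacklist is not consulted.
        if grep -qxF -- "$user" "$allow"; then return 0; fi
        return 1
    fi
    if [ -f "$deny" ]; then
        # No whitelist: everyone except the users in the blacklist.
        if grep -qxF -- "$user" "$deny"; then return 1; fi
        return 0
    fi
    # Neither file exists: only the superuser.
    return 1
}

# at_users ALLOW_FILE DENY_FILE USER... -> prints the users that may run at
at_users() {
    a=$1 d=$2
    shift 2
    for u in "$@"; do
        if may_use_at "$u" "$a" "$d"; then echo "$u"; fi
    done
}
```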
