Article directory
What are logs? Why manage logs?
1. The process of processing logs
2. Common log files (system, application)
View log information dynamically
1. Install related programs (installed by default)
Fourth, the main configuration file
View the main configuration file through vim /etc/rsyslog.conf
Explain RULES information in detail
Foreword
This article introduces rsyslog, the system log management component of log management: where logs come from, how to observe them, how log device (facility) files are configured, and how to view some common types of log information. The question this article keeps in view is: which program ---> generates what log ---> and where is it put?
What are logs? Why manage logs?
Logs record information about hardware, software, and system problems, and can also be used to monitor events that occur in the system. Users can use them to find out why an error occurred, or to find traces left by an attacker after the system was attacked. System logs include system logs, application logs, and security logs.
Logs are managed for two purposes: statistical information and troubleshooting.
1. The process of processing logs
Where do the logs come from?
The first category: rsyslog, the system's dedicated logging program.
It handles most logging:
information related to system operation, such as login information, program start and stop information, and error information.
The second category: httpd/nginx/mysql and other applications, which record logs in their own way.
Observe the rsyslogd program
[root@localhost ~]# ps aux | grep rsyslogd
root 1264 0.0 0.2 214432 2088 ? Ssl 04:47 0:01 /usr/sbin/rsyslogd -n
root 12597 0.0 0.0 112828 980 pts/0 S+ 08:25 0:00 grep --color=auto rsyslogd
2. Common log files (system, application)
tail -1 /var/log/messages //system main log file
tail -f /var/log/messages //follow the tail of the log file in real time
tail /var/log/secure //authentication, security
tail /var/log/yum.log //yum
tail /var/log/maillog //related to mail postfix
tail /var/log/cron //logs generated by crond and at processes
tail /var/log/dmesg //related to system startup
tail /var/log/audit/audit.log //system audit log
tail /var/log/mysqld.log //Mysql
tail /var/log/xferlog //related to accessing the FTP server
tail /var/log/wtmp //Currently logged in user (command: w)
tail /var/log/btmp //Recently logged in users (command last)
tail /var/log/lastlog //login status of all users (command: lastlog)
Take tail -1 /var/log/messages as an example to understand the fields of a log line written by rsyslogd.
[root@localhost ~]# tail -1 /var/log/messages
Nov 14 08:25:14 localhost systemd: Started LSB: Bring up/down networking.
Nov 14 08:25:14: time
localhost: computer name (hostname)
systemd: the program that generated the message
Started LSB: Bring up/down networking.: log message
View log information dynamically
Command: tail -f <log file to view> // follow the tail of the log file in real time
The output is as follows (taking the system log as an example):
[root@localhost ~]# tail -f /var/log/messages
Nov 14 08:25:13 localhost NetworkManager[1000]: <info> [1668385513.6475] audit: op="sleep-control" arg="off" pid=12283 uid=0 result="fail" reason="Already awake"
Nov 14 08:25:13 localhost systemd: Stopping LSB: Bring up/down networking...
Nov 14 08:25:13 localhost network: 正在关闭接口 ens33: [ 确定 ]
Nov 14 08:25:14 localhost network: 正在关闭环回接口: [ 确定 ]
Nov 14 08:25:14 localhost systemd: Stopped LSB: Bring up/down networking.
Nov 14 08:25:14 localhost systemd: Starting LSB: Bring up/down networking...
Nov 14 08:25:14 localhost NetworkManager[1000]: <info> [1668385514.2556] device (lo): carrier: link connected
Nov 14 08:25:14 localhost network: 正在打开环回接口: [ 确定 ]
Nov 14 08:25:14 localhost systemd: Started LSB: Bring up/down networking.
Nov 14 08:30:01 localhost systemd: Started Session 28 of user root.
Nov 14 08:31:11 localhost dbus[813]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
Nov 14 08:31:11 localhost dbus[813]: [system] Successfully activated service 'org.freedesktop.problems'
At this point, with the dynamic view of the log running, open another terminal, operate on the system, and observe how the dynamic log changes.
For example, switch users on the second terminal: the dynamic view updates with the new log information in real time. Other log files can be followed the same way, or with the tailf command.
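The field breakdown above and the tail -f session can be combined into a small script. The following is an added example, not code from the original article: it splits the classic "Mon DD HH:MM:SS host program[pid]: message" lines that rsyslogd writes to /var/log/messages into their fields, then summarises a stream of such lines by the program that produced them, so that a noisy or unexpected program stands out while you watch the log. The sample lines are constructed from the article's own tail -f output so the script runs offline; in practice you would pipe tail -f /var/log/messages (or the whole file) into summarize_by_program. The function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the original article): parse rsyslogd's classic
# "Mon DD HH:MM:SS host program[pid]: message" lines and summarise by program.

# parse_syslog_line LINE
# Prints: time|host|program|pid|message  (pid is "-" when the tag carries none)
parse_syslog_line() {
    printf '%s\n' "$1" | awk '{
        ts   = $1 " " $2 " " $3          # timestamp (no year in this format)
        host = $4
        tag  = $5; sub(/:$/, "", tag)    # "systemd:" -> "systemd"
        pid  = "-"
        if (match(tag, /\[[0-9]+\]$/)) { # "NetworkManager[1000]" -> name + pid
            pid = substr(tag, RSTART + 1, RLENGTH - 2)
            tag = substr(tag, 1, RSTART - 1)
        }
        msg = $0
        for (i = 1; i <= 5; i++) sub(/^[^ ]+ +/, "", msg)   # drop the 5 header fields
        print ts "|" host "|" tag "|" pid "|" msg
    }'
}

# summarize_by_program < lines
# Prints "count program" pairs, most frequent first.
summarize_by_program() {
    while IFS= read -r line; do
        parse_syslog_line "$line" | cut -d'|' -f3
    done | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Constructed sample: a few lines taken from the article's tail -f output.
SAMPLE_LOG='Nov 14 08:25:13 localhost NetworkManager[1000]: <info> [1668385513.6475] audit: op="sleep-control" arg="off" pid=12283 uid=0 result="fail" reason="Already awake"
Nov 14 08:25:13 localhost systemd: Stopping LSB: Bring up/down networking...
Nov 14 08:25:14 localhost systemd: Stopped LSB: Bring up/down networking.
Nov 14 08:25:14 localhost NetworkManager[1000]: <info> [1668385514.2556] device (lo): carrier: link connected
Nov 14 08:25:14 localhost systemd: Started LSB: Bring up/down networking.
Nov 14 08:31:11 localhost dbus[813]: [system] Activating service name='\''org.freedesktop.problems'\'' (using servicehelper)'

# Usage when run directly (replace the sample with: tail -f /var/log/messages | summarize_by_program):
#   printf '%s\n' "$SAMPLE_LOG" | summarize_by_program
```

The per-program count is deliberately the only statistic computed: it is enough to notice, while following the log, that one program has suddenly started writing far more than the others, which is the first thing to check before reading individual messages.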
Three, rsyslogd configuration
1. Install related programs (installed by default)
[root@localhost ~]# yum install rsyslog logrotate
已加载插件:fastestmirror, langpacks
Determining fastest mirrors
dvd | 3.6 kB 00:00
软件包 rsyslog-8.24.0-55.el7.x86_64 已安装并且是最新版本
软件包 logrotate-3.8.6-19.el7.x86_64 已安装并且是最新版本
无须任何处理
[root@localhost ~]#
2. Start the program
[root@localhost ~]# systemctl start rsyslog.service
3. View related files
[root@localhost ~]# rpm -qc rsyslog
/etc/logrotate.d/syslog
/etc/rsyslog.conf
/etc/sysconfig/rsyslog
/etc/rsyslog.conf //rsyslogd main configuration file (key)
/etc/sysconfig/rsyslog //rsyslogd related options, defines the startup parameters (for understanding)
/etc/logrotate.d/syslog //related to log rotation
Fourth, the main configuration file
The .conf file named after the program under /etc is the main configuration file; it tells the rsyslogd process which logs to collect and where to store them.
View the main configuration file through vim /etc/rsyslog.conf
Mainly look at the information under RULES.
RULES
RULES: rules are a set of strategies for generating and storing logs.
A rule is composed of a device (facility) + level + storage location,
that is, RULES consists of FACILITY.LEVEL followed by the FILE.
facility
A facility is the system's definition of a certain type of event. For example, AUTHPRIV is a security event and CRON is a scheduled task event. It is used to collect the logs of similar programs together.
Command: man 3 syslog (view the list of facilities)
LOG_SYSLOG: log generated by syslogd itself
LOG_AUTHPRIV: security authentication
LOG_CRON: scheduler (cron and at)
LOG_MAIL: mail system (mail subsystem)
LOG_USER (default): user-related
LOG_DAEMON: background process
LOG_FTP: file server (ftp daemon)
LOG_KERN: kernel device (kernel messages)
LOG_LPR: printer device (printer subsystem)
LOG_LOCAL0 through LOG_LOCAL7: User-defined devices
Regarding the relationship between a program and a facility: the program itself decides which facility its logs are sent to. For example, the SSH program sends its logs to the security facility. This is defined by the developer, and for sshd it is exposed as a configuration option:
[root@localhost ~]# grep Facility /etc/ssh/sshd_config
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
LEVEL
LOG_EMERG: emergency; the service cannot continue to run, for example the configuration file is lost.
LOG_ALERT: alert, which needs to be dealt with immediately, for example the disk is 95% full.
LOG_CRIT: critical condition
LOG_ERR: error condition
LOG_WARNING: warning message
LOG_NOTICE: normal but significant information
LOG_INFO: informational message
LOG_DEBUG: debugging information, required for troubleshooting; generally not recommended in normal operation
The levels are listed in descending order of severity from top to bottom. Selecting a higher (more severe) level records less information, and selecting a lower level records more.
Explain RULES information in detail
*.info;mail.none;authpriv.none;cron.none /var/log/messages //all facilities at info level and above, excluding the mail, authentication, and scheduled-task logs
authpriv.* /var/log/secure //authentication (e.g. SSH) information
mail.* -/var/log/maillog //mail; the leading - symbol means the file is written asynchronously, because the mail log is generally relatively large
cron.* /var/log/cron //scheduled tasks
We can change the log storage locations in this file, but in a production environment it is not recommended to change them. If you do change one, back up the original content at the changed location and write down the date of the change to make later maintenance easier.
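To make the FACILITY.LEVEL matching from the LEVEL section and the rules above concrete, here is an added example that is not code from the original article or from rsyslog itself. It evaluates a selector such as *.info;mail.none;authpriv.none;cron.none against a message's facility and level, reproducing the semantics described above: a level means "that level and anything more severe", none excludes a facility, * matches any facility (or any level), a comma joins several facilities, and selectors separated by ; are applied left to right with later ones overriding earlier ones for the facilities they cover. The rules list is constructed from the article's /etc/rsyslog.conf excerpt; the function names are this example's own, and the =level and !level selector forms are deliberately not implemented.

```sh
#!/bin/sh
# Added example (not from the original article or rsyslog): decide which files
# a message of a given facility.level would be written to under the article's rules.

# Numeric rank of a level name (lower = more severe), as in syslog(3).
# "*" as a level selects every level, so it gets the largest rank.
level_rank() {
    case "$1" in
        emerg)   echo 0 ;;
        alert)   echo 1 ;;
        crit)    echo 2 ;;
        err)     echo 3 ;;
        warning) echo 4 ;;
        notice)  echo 5 ;;
        info)    echo 6 ;;
        debug)   echo 7 ;;
        "*")     echo 99 ;;
        *)       echo -1 ;;   # unknown level name: matches nothing
    esac
}

# selector_matches SELECTOR FACILITY LEVEL  -> exit 0 if the message is selected
selector_matches() {
    selector=$1; fac=$2; lvl=$3
    msg_rank=$(level_rank "$lvl")
    result=1
    set -f                      # no filename globbing while "*" is being split
    old_ifs=$IFS; IFS=';'
    set -- $selector            # split "a.b;c.d" into its ";"-separated parts
    IFS=$old_ifs; set +f
    for part in "$@"; do
        sel_fac=${part%%.*}     # "mail,cron.*" -> "mail,cron"
        sel_lvl=${part#*.}      # "mail,cron.*" -> "*"
        case ",$sel_fac," in
            *",*,"* | *",$fac,"*) ;;   # this clause covers our facility
            *) continue ;;
        esac
        if [ "$sel_lvl" = none ]; then
            result=1            # explicit exclusion (e.g. mail.none)
        elif [ "$msg_rank" -le "$(level_rank "$sel_lvl")" ]; then
            result=0            # at least as severe as the rule's level
        else
            result=1
        fi
    done
    return $result
}

# Constructed rules list, mirroring the article's /etc/rsyslog.conf excerpt.
RULES='*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron'

# route_message FACILITY LEVEL -> prints each destination file that would receive it
route_message() {
    printf '%s\n' "$RULES" | while read -r sel dest; do
        if selector_matches "$sel" "$1" "$2"; then
            printf '%s\n' "${dest#-}"   # strip the asynchronous-write "-" marker
        fi
    done
}

# Usage when run directly:
#   route_message authpriv info    # -> /var/log/secure
#   route_message user debug       # -> (nothing: debug is below info)
```

Running route_message user debug prints nothing, which is the practical point of the level table: a message below the configured level is silently dropped, so when a debugging message is missing from /var/log/messages the first place to look is the selector, not the program.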
Summarize
This article has introduced rsyslog system log management within log management, how to view log information, and the types of logs. When an operation of ours reports an error, we can find the cause by viewing the logs and then proceed with maintenance.
Creating this was not easy; please give it a like and follow, leave any comments in the comment area, and let us learn together.