Linux log management: rsyslog system log management

Article directory

Foreword

What are logs? Why manage logs?

1. The process of handling logs

Where do the logs come from?

Observe the rsyslogd program

2. Common log files (system, application)

View log information dynamically

3. rsyslogd configuration

1. Install the related programs (installed by default)

2. Start the program

3. View the related files

4. The main configuration file

View the main configuration file with vim /etc/rsyslog.conf

RULES

facility

LEVEL

Explain the RULES information in detail

Summary


Foreword

        This article walks through rsyslog system log management: where logs come from, how to observe them, how the log facility files are configured, and how to view some common types of log information. The question to keep in mind throughout the article is: which program ---> generates which log ---> is stored where.


What are logs? Why manage logs?

        Logs record hardware, software and system problems, and can also be used to monitor events that occur in the system. Users can consult them to find out why an error occurred, or to find the traces an attacker left behind after an attack. System logs include system logs, application logs and security logs.

        Logs are kept for statistics and for troubleshooting.


1. The process of handling logs

Where do the logs come from?

The first category: rsyslog, the system's dedicated logging program.

              It handles most logging.

              Information related to system operation, such as login information, program startup and shutdown information, and error information.

The second category: httpd/nginx/mysql and other applications, each of which records logs in its own way.

Observe the rsyslogd program

[root@localhost ~]# ps aux | grep rsyslogd
root       1264  0.0  0.2 214432  2088 ?        Ssl  04:47   0:01 /usr/sbin/rsyslogd -n
root      12597  0.0  0.0 112828   980 pts/0    S+   08:25   0:00 grep --color=auto rsyslogd

 

2. Common log files (system, application)

tail -1 /var/log/messages          //main system log file

tail -f /var/log/messages          //follow the tail of the log file dynamically

tail /var/log/secure               //authentication, security

tail /var/log/yum.log              //yum

tail /var/log/maillog              //mail, postfix

tail /var/log/cron                 //logs generated by the crond and at processes

tail /var/log/dmesg                //system startup

tail /var/log/audit/audit.log      //system audit log

tail /var/log/mysqld.log           //MySQL

tail /var/log/xferlog              //access to the FTP server

tail /var/log/wtmp                 //currently logged-in users (command: w)

tail /var/log/btmp                 //recently logged-in users (command: last)

tail /var/log/lastlog              //login status of all users (command: lastlog)

Take tail -1 /var/log/messages as an example to understand the log fields.

[root@localhost ~]# tail -1 /var/log/messages
Nov 14 08:25:14 localhost systemd: Started LSB: Bring up/down networking.

Nov 14 08:25:14: time

localhost: computer name

systemd: Started LSB: Bring up/down networking.: the program that wrote the record, followed by the log message
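To make the three fields concrete, here is an added Python example (not from the original post) that parses records in this /var/log/messages layout into time, host, program, optional pid and message. The sample lines are constructed from the ones shown above; because this format carries no year, the parser takes one as a parameter (2022 assumed).

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample records in the same layout as /var/log/messages above:
#   <Mon DD HH:MM:SS> <hostname> <program>[pid]: <message>
SAMPLE_LINES = [
    "Nov 14 08:25:14 localhost systemd: Started LSB: Bring up/down networking.",
    'Nov 14 08:25:13 localhost NetworkManager[1000]: <info>  [1668385513.6475] audit: op="sleep-control" result="fail"',
    "Nov  4 08:30:01 localhost systemd: Started Session 28 of user root.",
    "garbage line that is not a syslog record",
]

# Traditional (RFC 3164 style) record: the day is space-padded when below 10, and there is no year.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "   # time
    r"(?P<host>\S+) "                                      # computer name
    r"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "          # program, optional [pid]
    r"(?P<msg>.*)$"                                        # log message
)

def parse_line(line, year=2022):
    """Split one record into its fields; return None for lines that are not syslog records.
    The file has no year field, so the caller supplies it (assumed 2022 here)."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    return {
        "time": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "host": m["host"],
        "program": m["prog"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "message": m["msg"],
    }

def summarize(lines, year=2022):
    """Count records per program and collect lines that did not parse,
    a quick sanity check before relying on a log file during troubleshooting."""
    per_program = Counter()
    unparsed = []
    for line in lines:
        rec = parse_line(line, year)
        if rec is None:
            unparsed.append(line)
        else:
            per_program[rec["program"]] += 1
    return per_program, unparsed
```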

View log information dynamically

Command: tail -f <log file>   //follow the tail of the log file dynamically

Example (taking the system log as an example):

[root@localhost ~]# tail -f /var/log/messages
Nov 14 08:25:13 localhost NetworkManager[1000]: <info>  [1668385513.6475] audit: op="sleep-control" arg="off" pid=12283 uid=0 result="fail" reason="Already awake"
Nov 14 08:25:13 localhost systemd: Stopping LSB: Bring up/down networking...
Nov 14 08:25:13 localhost network: 正在关闭接口 ens33: [  确定  ]
Nov 14 08:25:14 localhost network: 正在关闭环回接口: [  确定  ]
Nov 14 08:25:14 localhost systemd: Stopped LSB: Bring up/down networking.
Nov 14 08:25:14 localhost systemd: Starting LSB: Bring up/down networking...
Nov 14 08:25:14 localhost NetworkManager[1000]: <info>  [1668385514.2556] device (lo): carrier: link connected
Nov 14 08:25:14 localhost network: 正在打开环回接口: [  确定  ]
Nov 14 08:25:14 localhost systemd: Started LSB: Bring up/down networking.
Nov 14 08:30:01 localhost systemd: Started Session 28 of user root.
Nov 14 08:31:11 localhost dbus[813]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
Nov 14 08:31:11 localhost dbus[813]: [system] Successfully activated service 'org.freedesktop.problems'

Once the dynamic view of the log is running, open another terminal, operate the system there and watch the dynamic log change.

Switch users on the second terminal and the dynamic view updates the log information in real time. Other log files can be followed the same way, or with the tailf command.


3. rsyslogd configuration

1. Install the related programs (installed by default)

[root@localhost ~]# yum install rsyslog logrotate
已加载插件:fastestmirror, langpacks
Determining fastest mirrors
dvd                                                   | 3.6 kB     00:00     
软件包 rsyslog-8.24.0-55.el7.x86_64 已安装并且是最新版本
软件包 logrotate-3.8.6-19.el7.x86_64 已安装并且是最新版本
无须任何处理
[root@localhost ~]# 

2. Start the program

[root@localhost ~]# systemctl start rsyslog.service

3. View the related files

[root@localhost ~]# rpm -qc rsyslog
/etc/logrotate.d/syslog
/etc/rsyslog.conf
/etc/sysconfig/rsyslog

/etc/rsyslog.conf //rsyslogd main configuration file (key)

/etc/sysconfig/rsyslog //rsyslogd related file, level definitions (for understanding)

/etc/logrotate.d/syslog //log rotation


4. The main configuration file

        The .conf file under /etc named after the program is the main configuration file; it tells the rsyslogd process which logs to record and where to store them.

View the main configuration file with vim /etc/rsyslog.conf

Mainly look at the information under RULES.

RULES

RULES: rules are the set of policies for generating and storing logs.

A rule is composed of facility + level + storage location.

RULES consist of FACILITY + LEVEL + FILE.

facility

        A facility is the system's classification of a certain type of event. For example, AUTHPRIV is a security event and CRON is a scheduled-task event. It is used to collect the logs of similar programs together.

Command: man 3 syslog to view the facilities

LOG_SYSLOG: logs generated by syslogd itself

LOG_AUTHPRIV: security authentication

LOG_CRON: scheduler (cron and at)

LOG_MAIL: mail system (mail subsystem)

LOG_USER (default): user-related

LOG_DAEMON: background processes (system daemons)

LOG_FTP: file server (ftp daemon)

LOG_KERN: kernel (kernel messages)

LOG_LPR: printer (printer subsystem)

LOG_LOCAL0 through LOG_LOCAL7: user-defined facilities

        As for the relationship between a program and a facility: the program itself decides which facility its logs are sent to (for example, the SSH program sends to the security facility). This is defined by the developer; sshd's own setting can be seen in its configuration file:

[root@localhost ~]# grep Facility /etc/ssh/sshd_config 
#SyslogFacility AUTH
SyslogFacility AUTHPRIV

LEVEL

LOG_EMERG: emergency, the service cannot continue to run, for example because the configuration file is lost.

LOG_ALERT: alert, must be dealt with immediately, for example the disk reaching 95%

LOG_CRIT: critical, fatal behaviour

LOG_ERR: error condition

LOG_WARNING: warning message

LOG_NOTICE: normal but significant information

LOG_INFO: informational messages

LOG_DEBUG: debugging information, needed for troubleshooting, generally not recommended to keep enabled

The levels descend in severity from top to bottom. Selecting a higher (more severe) level records less information; selecting a lower level records more.

Explain the RULES information in detail

*.info;mail.none;authpriv.none;cron.none    /var/log/messages
//everything at info level or above goes to the main system log, excluding the mail, authentication and scheduled-task logs

authpriv.*                                  /var/log/secure     //SSH and other authentication information
mail.*                                     -/var/log/maillog    //mail; the leading - means the log is written asynchronously, because mail logs are generally large
cron.*                                      /var/log/cron       //scheduled tasks
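The selector semantics described above (a level matches itself and everything more severe, .none removes a facility from an earlier wildcard, a leading - marks asynchronous writes), as an added Python example that is not part of the original post: it evaluates the four RULES lines for a message with a given facility and level and reports which files the message would land in. It also handles the =level exact-match form that rsyslog accepts; the rule text is a constructed copy of the lines above.

```python
# Severity names in the order listed under LEVEL (most severe first), the same order
# syslog(3) uses; "facility.level" selects that level and every more severe one.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed copy of the RULES lines from /etc/rsyslog.conf discussed above.
RULES_TEXT = """\
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                 /var/log/secure
mail.*                                    -/var/log/maillog
cron.*                                     /var/log/cron
"""

def parse_rules(text):
    """Turn 'selector target' lines into (selectors, target, async_write) tuples.
    A leading '-' on the target is the asynchronous-write flag, not part of the path."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, target = line.split()
        selectors = [tuple(part.split(".", 1)) for part in selector.split(";")]
        rules.append((selectors, target.lstrip("-"), target.startswith("-")))
    return rules

def selector_matches(selectors, facility, level):
    """Evaluate one rule's selector list for a message with the given facility and level.
    Entries apply left to right and a later entry for the same facility overrides an
    earlier one, which is how 'mail.none' carves mail out of '*.info'."""
    matched = False
    for fac, lvl in selectors:
        if fac not in ("*", facility):
            continue
        if lvl == "none":
            matched = False
        elif lvl == "*":
            matched = True
        elif lvl.startswith("="):          # '=level' means exactly this level
            matched = level == lvl[1:]
        else:                              # 'level' means this level or more severe
            matched = LEVELS.index(level) <= LEVELS.index(lvl)
    return matched

def destinations(rules, facility, level):
    """Every file a message would be written to under these rules (it may be several)."""
    return [target for selectors, target, _ in rules
            if selector_matches(selectors, facility, level)]
```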

        The log storage locations can be changed in this file, but in a production environment changing them is not recommended. If you do change one, back up the original content at the changed location and note the date of the change to make later maintenance easier.


Summary

        This article introduced rsyslog system log management: how to view log information and the types of logs that exist. When an operation reports an error, the cause can be found by viewing the logs, and maintenance can proceed from there.


Origin blog.csdn.net/s1429583654/article/details/127840788