CentOS 7 file system and log analysis in detail

Linux file system

All kinds of faults occur when working with Linux systems. The symptoms are usually easy to spot, but finding the cause of the fault is the key to actually resolving it. Being familiar with the common Linux system log files and with the general methods of fault analysis helps administrators locate the point of failure quickly, apply the right remedy, and resolve system problems promptly.

Blocks and inodes in detail

  • The smallest storage unit on a hard disk is the "sector"; each sector holds 512 bytes

  • A file consists of meta-information and the actual data

  • The meta-information holds the file's attributes; the actual data is the content that is read when the file is opened

  • Block
    • Eight consecutive sectors make up one block (4 KB)
    • It is the smallest unit of file access
  • inode
    • Short for "index node", also written i-node
    • Stores the file's meta-information


inode contents

The inode holds the file's meta-information:

  • Size of the file in bytes
  • User ID of the file's owner
  • Group ID of the file
  • Read, write and execute permissions of the file
  • Timestamps of the file
  • ……

Use the stat command to view inode information

[root@localhost mnt]# stat abc.txt    // view the inode information of abc.txt
  File: 'abc.txt'
  Size: 12              Blocks: 8          IO Block: 4096   regular file
Device: 802h/2050d      Inode: 18123362    Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Context: unconfined_u:object_r:mnt_t:s0
Access: 2019-09-02 04:12:18.210370997 +0800
Modify: 2019-09-02 04:12:18.210370997 +0800
Change: 2019-09-02 04:12:18.210370997 +0800
 Birth: -

The three main timestamps of a Linux file

  • ctime (change time): the time the file's or directory's attributes were last changed
  • atime (access time): the time the file or directory was last accessed
  • mtime (modify time): the time the file's or directory's content was last modified

Directory files

  • A directory is also a file
  • Structure of a directory file: a list of entries, each pairing a file name with its inode number

  • Every file has an inode number; the operating system uses inode numbers to tell files apart
  • Internally, Linux does not use file names; it identifies files by their inode numbers
  • For the user, the file name is just an easy-to-recognise alias for the inode number

inode numbers

  • When a user opens a file by its file name, the system internally

    • finds the inode number that corresponds to the file name
    • uses the inode number to obtain the inode information
    • uses the inode information to locate the file's data blocks and reads the data
  • How to view the inode number
    • ls -i command: shows the inode number corresponding to a file name
[root@localhost mnt]# ls -i abc.txt    // view the inode number of the file
18123362 abc.txt

inode size

  • Each inode consumes disk space; an inode is typically 128 or 256 bytes

  • The total number of inodes is fixed when the file system is formatted

  • The df -i command shows, for each partition, the total number of inodes and how many are in use
[root@localhost mnt]# df -i    // view inode usage for each partition
Filesystem       Inodes  IUsed    IFree IUse% Mounted on
/dev/sda2      10485760  121203 10364557       2% /
devtmpfs         229708     376   229332       1% /dev
tmpfs            233381       1   233380       1% /dev/shm
tmpfs            233381     560   232821       1% /run
tmpfs            233381      16   233365       1% /sys/fs/cgroup
/dev/sda5       5241856     146  5241710       1% /home
/dev/sda1       3145728     328  3145400       1% /boot
tmpfs            233381       6   233375       1% /run/user/42
tmpfs            233381      17   233364       1% /run/user/0
/dev/sr0              0       0        0        - /run/media/root/ 7 x86_64

The special role of the inode

  • Because the inode number and the file name are separate, Linux systems show the following behaviour
    • A file whose name contains special characters may not be deletable by name; deleting it by inode number still removes it
    • Command to delete a file by inode number: find ./* -inum [inode number] -delete
[root@localhost mnt]# ls -i
16777284 ac1.txt  18123362 ac2.txt  18123366 ac3.txt  18123370 ac4.txt  18123371 ac5.txt
[root@localhost mnt]# find ./* -inum 16777284 -delete
[root@localhost mnt]# ls -i
18123362 ac2.txt  18123366 ac3.txt  18123370 ac4.txt  18123371 ac5.txt
  • Moving or renaming a file only changes the file name; the inode number is not affected
[root@localhost mnt]# ls -i
18123362 ac2.txt  18123366 ac3.txt  18123370 ac4.txt  18123371 ac5.txt
[root@localhost mnt]# mv ac2.txt /opt
[root@localhost mnt]# ls -i /opt
18123362 ac2.txt   1389838 rh
  • Once a file has been opened, the system identifies it by its inode number and no longer looks at the file name
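The delete-by-inode case above, worked through as an added example that is not part of the original post: the awkward name here is one starting with "-", which "rm -weird.txt" misreads as an option. Everything is created in a temporary directory, and the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): delete a file by inode number,
# the situation the post describes where the name itself gets in the way.
# All files are created inside a temporary directory.

# Create a scratch directory holding a file whose name starts with "-" and
# print the directory path.
make_awkward_file() {
    dir=$(mktemp -d)
    # "--" ends option parsing so the name is taken literally.
    touch -- "$dir/-weird.txt"
    printf '%s\n' "$dir"
}

# Print the inode number of a path, as "ls -i" shows it in the post.
inode_of() {
    ls -di -- "$1" | awk '{ print $1 }'
}

# Delete whichever entry below DIR has inode number INUM. This is the post's
# "find ./* -inum N -delete" with two changes: "find DIR" also covers hidden
# (dot) files and does not fail on an empty directory, and -xdev keeps the
# search on one file system, since inode numbers are only unique per file
# system.
delete_by_inode() {
    find "$1" -xdev -inum "$2" -delete
}

# Succeed (exit 0) if no entry below DIR has inode number INUM any more.
inode_gone() {
    [ -z "$(find "$1" -xdev -inum "$2")" ]
}

# Walk through the whole sequence and show the listings, as in the post.
demo() {
    d=$(make_awkward_file)
    ino=$(inode_of "$d/-weird.txt")
    echo "before:"; ls -i "$d"
    delete_by_inode "$d" "$ino"
    echo "after:";  ls -i "$d"
    rmdir "$d"
}
```

For this particular name, rm -- -weird.txt or rm ./-weird.txt would also work; deletion by inode is the general fallback when a name cannot be typed at all, such as one containing control characters.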

Simple process of accessing a file

[Figure omitted: file name → inode number → inode → data blocks, the lookup steps described above]

Backing up and restoring XFS file systems

To be able to recover an XFS file system, first back it up to another disk; when files are damaged they can then be restored from the backup (the backup file is written in a fixed, compressed format).

  • XFS file systems can be backed up and restored with the xfsdump and xfsrestore tools. If xfsdump/xfsrestore is not installed on the system, install it with yum.
[root@localhost mnt]# yum install xfsdump -y
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: centos.ustc.edu.cn
 * extras: centos.ustc.edu.cn
 * updates: centos.ustc.edu.cn
Resolving Dependencies
--> Running transaction check
---> Package xfsdump.x86_64 0:3.1.4-1.el7 will be updated
---> Package xfsdump.x86_64 0:3.1.7-1.el7 will be an update
... // ... omitted part
  • Command format

    xfsdump -f <backup file or device> <file system path or device to back up>

  • xfsdump has two kinds of backup level

    • 0: full backup (the default)
    • 1 to 9: incremental backup
  • Common backup options
    • -f: specifies the backup file or device
    • -L: specifies the session label
    • -M: specifies the media label
    • -s: backs up a single file or subtree; the argument after -s is a path relative to the mount point of the dumped file system, not an absolute path
[root@localhost ~]# fdisk /dev/sdb    // partition the new disk
Welcome to fdisk (util-linux 2.23.2).

Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table
Building a new DOS disklabel with disk identifier 0x57599cea.

Command (m for help): n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p): p
Partition number (1-4, default 1):
First sector (2048-41943039, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-41943039, default 41943039):
Using default value 41943039
Partition 1 of type Linux and of size 20 GiB is set

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.
[root@localhost ~]# mkfs.xfs /dev/sdb1    // format the new partition
meta-data=/dev/sdb1              isize=512    agcount=4, agsize=1310656 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=1        finobt=0, sparse=0
data     =                       bsize=4096   blocks=5242624, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=1
log      =internal log           bsize=4096   blocks=2560, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0
[root@localhost ~]# mkdir /opt/data    // create the mount point
[root@localhost ~]# mount /dev/sdb1 /opt/data    // mount the new partition
[root@localhost ~]# cp /etc/passwd /opt/data    // copy the passwd file to the mounted disk
[root@localhost ~]# ls /opt/data    // view the files
passwd
[root@localhost ~]# xfsdump -f /mnt/xfs_dump /dev/sdb1    // back up the file system
xfsdump: using file dump (drive_simple) strategy
xfsdump: version 3.1.7 (dump format 3.0) - type ^C for status and control

 ============================= dump label dialog ==============================

please enter label for this dump session (timeout in 300 sec)
 -> xfs_dump // enter the session label
session label entered: "xfs_dump"

 --------------------------------- end dialog ---------------------------------

xfsdump: level 0 dump of localhost.localdomain:/opt/data
xfsdump: dump date: Mon Sep  2 05:27:29 2019
xfsdump: session id: 96c17954-e969-4041-9d9e-4bd59746ddab
xfsdump: session label: "xfs_dump"
xfsdump: ino map phase 1: constructing initial dump list
xfsdump: ino map phase 2: skipping (no pruning necessary)
xfsdump: ino map phase 3: skipping (only one dump stream)
xfsdump: ino map construction complete
xfsdump: estimated dump size: 25216 bytes
xfsdump: /var/lib/xfsdump/inventory created

 ============================= media label dialog =============================

please enter label for media in drive 0 (timeout in 300 sec)
 -> sdb1 // enter the media label
media label entered: "sdb1"

 --------------------------------- end dialog ---------------------------------

xfsdump: creating dump session media file 0 (media 0, file 0)
xfsdump: dumping ino map
xfsdump: dumping directories
xfsdump: dumping non-directory files
xfsdump: ending media file
xfsdump: media file size 24264 bytes
xfsdump: dump size (non-dir files) : 2592 bytes
xfsdump: dump complete: 13 seconds elapsed
xfsdump: Dump Summary:
xfsdump:   stream 0 /mnt/xfs_dump OK (success)
xfsdump: Dump Status: SUCCESS // backup succeeded
[root@localhost ~]# rm -rf /opt/data/*    // delete the files on the disk
[root@localhost ~]# ls /opt/data    // check that the files are gone
[root@localhost ~]# xfsrestore -f /mnt/xfs_dump /opt/data    // restore the files from the backup
xfsrestore: using file dump (drive_simple) strategy
xfsrestore: version 3.1.7 (dump format 3.0) - type ^C for status and control
xfsrestore: searching media for dump
xfsrestore: examining media file 0
xfsrestore: dump description: 
xfsrestore: hostname: localhost.localdomain
xfsrestore: mount point: /opt/data
xfsrestore: volume: /dev/sdb1
xfsrestore: session time: Mon Sep  2 05:27:29 2019
xfsrestore: level: 0
xfsrestore: session label: "xfs_dump"
xfsrestore: media label: "sdb1"
xfsrestore: file system id: 2e3df4e8-dd92-46f7-84ca-f254c4e579bd
xfsrestore: session id: 96c17954-e969-4041-9d9e-4bd59746ddab
xfsrestore: media id: d27aafc8-a405-4a8f-b7f0-1a018a7026ee
xfsrestore: using online session inventory
xfsrestore: searching media for directory dump
xfsrestore: reading directories
xfsrestore: 1 directories and 1 entries processed
xfsrestore: directory post-processing
xfsrestore: restoring non-directory files
xfsrestore: restore complete: 0 seconds elapsed
xfsrestore: Restore Summary:
xfsrestore:   stream 0 /mnt/xfs_dump OK (success)
xfsrestore: Restore Status: SUCCESS
[root@localhost ~]# ls /opt/data    // check the restored files
passwd // restored successfully
  • Limitations of xfsdump
    • Only mounted file systems can be backed up
    • It must be run with root privileges
    • Only XFS file systems can be backed up
    • The backup data can only be read back by xfsrestore
    • Two file systems with the same UUID cannot be backed up

Log Files

Log functions

  • Record the various events that occur while the system and its programs run
  • Reading the logs helps diagnose and resolve system faults

Classification of log files

  • Kernel and system logs

    • Managed centrally by the syslog system service; the log formats are broadly similar
  • User logs

    • Record information about users logging in to and out of the system
  • Program logs
    • Log files managed independently by each application; the record formats are not uniform

Log storage location

  • By default under the /var/log directory

Introduction to the main log files

  • Kernel and general messages log: /var/log/messages

  • Scheduled task (cron) log: /var/log/cron

  • System boot log: /var/log/dmesg

  • Mail system log: /var/log/maillog

  • User login logs: /var/log/lastlog, /var/log/secure, /var/log/wtmp, /var/run/btmp

Log management

  • Managed centrally by the rsyslogd system service
    • Package: rsyslog-7.4.7-16.el7.x86_64
    • Main program: /sbin/rsyslogd
    • Configuration file: /etc/rsyslog.conf
[root@localhost ~]# vim /etc/rsyslog.conf    // view the log configuration

# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
... // ... omitted part
[root@localhost ~]# cd /var/log    // go to the log directory
[root@localhost log]# ls
anaconda  dmesg               libvirt   rhsm               tallylog                Xorg.0.log
audit     dmesg.old           maillog   sa                 tuned                   Xorg.0.log.old
boot.log  firewalld           messages  samba              vmware-vgauthsvc.log.0  Xorg.1.log
btmp      gdm                 ntpstats  secure             vmware-vmsvc.log        Xorg.9.log
chrony    glusterfs           pluto     speech-dispatcher  vmware-vmusr.log        yum.log
cron      grubby_prune_debug  ppp       spooler            wpa_supplicant.log
cups      lastlog             qemu-ga   sssd               wtmp
  • View the system log file
[root@localhost log]# vim messages    // view the system log file

Aug 10 03:53:40 localhost journal: Runtime journal is using 8.0M (max allowed 91.1M, trying to leave 136.7M free of 903.6M available → current limit 91.1M).
Aug 10 03:53:40 localhost kernel: Initializing cgroup subsys cpuset
Aug 10 03:53:40 localhost kernel: Initializing cgroup subsys cpu
Aug 10 03:53:40 localhost kernel: Initializing cgroup subsys cpuacct
Aug 10 03:53:40 localhost kernel: Linux version 3.10.0-693.el7.x86_64 ([email protected]) (gcc  version 4.8.5 20150623 ( 4.8.5-16) (GCC) ) #1 SMP Tue Aug 22 21:09:27 UTC 2017
Aug 10 03:53:40 localhost kernel: Command line: BOOT_IMAGE=/vmlinuz-3.10.0-693.el7.x86_64   root=UUID=729c9a26-dfdc-40f9-ae91-1ade55be51bb ro crashkernel=auto rhgb quiet LANG=zh_CN.UTF-8
Aug 10 03:53:40 localhost kernel: Disabled fast string operations
Aug 10 03:53:40 localhost kernel: e820: BIOS-provided physical RAM map:
Aug 10 03:53:40 localhost kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009ebff] usable
Aug 10 03:53:40 localhost kernel: BIOS-e820: [mem 0x000000000009ec00-0x000000000009ffff] reserved
Aug 10 03:53:40 localhost kernel: BIOS-e820: [mem 0x00000000000dc000-0x00000000000fffff] reserved
... // ... omitted part
  • Use the last command to view the user login log
[root@localhost log]# last
root     pts/0        192.168.144.1    Mon Sep  2 05:17   still logged in   
reboot   system boot  3.10.0-693.el7.x Mon Sep  2 05:17 - 05:58  (00:40)    
root     pts/0        192.168.144.1    Mon Sep  2 04:11 - crash  (01:05)    
root     :0           :0               Mon Sep  2 04:11 - crash  (01:05)    
reboot   system boot  3.10.0-693.el7.x Mon Sep  2 04:10 - 05:58  (01:47)    
root     pts/0        :0               Sun Aug 25 01:10 - 01:10  (00:00)    
root     :0           :0               Sun Aug 25 01:10 - crash (8+03:00)   
... // ... omitted part
  • Use the lastb command to view the failed (bad) login log
[root@localhost log]# lastb
root     :0           :0               Sun Aug 25 01:10 - 01:10  (00:00)    
root     :1           :1               Sat Aug 10 06:26 - 06:26  (00:00)    

btmp begins Sat Aug 10 06:26:22 2019
  • Viewing a program's log file

    1. Install the httpd service and bring up an Apache web server; then turn off the firewall so that the host can reach it

[root@localhost ~]# yum install httpd -y    // install the httpd service
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: centos.ustc.edu.cn
 * extras: centos.ustc.edu.cn
 * updates: centos.ustc.edu.cn
Resolving Dependencies
--> Running transaction check
---> Package httpd.x86_64 0:2.4.6-89.el7.centos.1 will be installed
... // ... omitted part
[root@localhost ~]# systemctl start httpd    // start the service
[root@localhost ~]# systemctl stop firewalld.service    // stop the firewall
[root@localhost ~]# setenforce 0    // put SELinux into permissive mode
[root@localhost ~]# cd /var/log    // go to the log directory and check whether an httpd log directory has appeared
[root@localhost log]# ls
anaconda  dmesg               lastlog   qemu-ga            sssd                    wtmp
audit     dmesg.old           libvirt   rhsm               tallylog                Xorg.0.log
boot.log  firewalld           maillog   sa                 tuned                   Xorg.0.log.old
btmp      gdm                 messages  samba              vmware-vgauthsvc.log.0  Xorg.1.log
chrony    glusterfs           ntpstats  secure             vmware-vmsvc.log        Xorg.9.log
cron      grubby_prune_debug  pluto     speech-dispatcher  vmware-vmusr.log        yum.log
cups      httpd               ppp       spooler            wpa_supplicant.log

2. Access the site from the host, then look at the log files it produces

[root@localhost log]# cd httpd    // enter the httpd log directory
[root@localhost httpd]# ls
access_log  error_log
[root@localhost httpd]# vim access_log    // view the access log

192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /noindex/css/bootstrap.min.css HTTP/1.1" 200 19341 "http://192.168.144.133/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /noindex/css/open-sans.css HTTP/1.1" 200 5081 "http://192.168.144.133/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /images/apache_pb.gif HTTP/1.1" 200 2326 "http://192.168.144.133/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /images/poweredby.png HTTP/1.1" 200 3956 "http://192.168.144.133/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /noindex/css/fonts/Light/OpenSans-Light.woff HTTP/1.1" 404 241 "http://192.168.144.133/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /noindex/css/fonts/Bold/OpenSans-Bold.woff HTTP/1.1" 404 239 "http://192.168.144.133/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /noindex/css/fonts/Bold/OpenSans-Bold.ttf HTTP/1.1" 404 238 "http://192.168.144.133/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
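The access_log above is in Apache's Combined Log Format, and the first thing an administrator usually wants from it is a count of status codes and of which clients are producing errors. The script below is an added example, not part of the original post: the log lines are constructed for it (192.168.144.133 is the post's server, 10.0.0.7 is a made-up client), and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): summarise an httpd access_log in
# the Combined Log Format. The sample log is constructed for this example.

# Write the constructed sample log to a temporary file and print its path.
write_sample_access_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /noindex/css/bootstrap.min.css HTTP/1.1" 200 19341 "http://192.168.144.133/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /images/apache_pb.gif HTTP/1.1" 200 2326 "http://192.168.144.133/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /noindex/css/fonts/Light/OpenSans-Light.woff HTTP/1.1" 404 241 "http://192.168.144.133/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.7 - - [02/Sep/2019:06:13:01 +0800] "GET /old/page one.html HTTP/1.1" 404 209 "-" "curl/7.29.0"
10.0.0.7 - - [02/Sep/2019:06:13:02 +0800] "GET /old/page2.html HTTP/1.1" 404 209 "-" "curl/7.29.0"
10.0.0.7 - - [02/Sep/2019:06:13:03 +0800] "HEAD / HTTP/1.1" 200 - "-" "curl/7.29.0"
EOF
    printf '%s\n' "$f"
}

# awk program shared below: prints "client status request" for each line.
# Splitting on the double quotes instead of on whitespace keeps the status
# code in the right place even when the request line contains spaces
# ("/old/page one.html" above would push $9 off the status code).
PARSE='{
    n = split($0, q, "\"")
    if (n < 3) next                  # not a common/combined-format line
    split(q[1], pre, " ")            # pre[1] is the client address
    split(q[3], post, " ")           # post[1] is the status code
    print pre[1], post[1], q[2]
}'

# Responses per status code, lowest code first: status_summary LOG
status_summary() {
    awk "$PARSE" "$1" | awk '{ c[$2]++ } END { for (s in c) print s, c[s] }' | sort -n
}

# Number of responses with one status code: count_status LOG 404
count_status() {
    awk "$PARSE" "$1" | awk -v code="$2" '$2 == code { n++ } END { print n + 0 }'
}

# 404 responses per client, most first: not_found_by_client LOG
not_found_by_client() {
    awk "$PARSE" "$1" | awk '$2 == "404" { c[$1]++ } END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Client with the most 404 responses, empty if there are none.
top_not_found_client() {
    not_found_by_client "$1" | head -n 1 | awk '{ print $2 }'
}
```

Run the same functions against /var/log/httpd/access_log on the server; a client that accounts for most of the 404s is usually the first thing worth a closer look.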

Log message levels

  • 0 EMERG (emergency): would make the system unusable
  • 1 ALERT (alert): action must be taken immediately to resolve the problem
  • 2 CRIT (critical): critical conditions
  • 3 ERR (error): an error occurred during operation
  • 4 WARNING (warning): events that may affect system functionality
  • 5 NOTICE (notice): noteworthy, but does not affect the system
  • 6 INFO (information): general informational messages
  • 7 DEBUG (debug): debugging information for programmers

Log management policy

  • Back up and archive logs promptly
  • Extend the retention period of logs
  • Control access to the logs
  • Logs may contain all kinds of sensitive information, such as accounts and passwords

Centralised log management

  • Send each server's log files to a unified log server

  • Makes it easier to collect, collate and analyse log information of the same kind
  • Prevents accidental loss of log information, as well as its tampering or deletion
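A minimal rsyslog setup for the centralised collection described above, as an added example that is not part of the original post. It enables the imtcp lines that are commented out in the /etc/rsyslog.conf shown earlier; the server address 192.168.144.133 and the /var/log/remote directory are assumptions for this example.

```conf
#### On the central log server: add to /etc/rsyslog.conf ####
# Receive logs over TCP (these lines are commented out in the default file).
$ModLoad imtcp
# Store each remote host's messages separately, one file per program.
$template RemoteLogs,"/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log"
# Only messages arriving on the TCP input use this ruleset, so the server's
# own local logging into /var/log/messages and friends is unchanged.
$RuleSet remote
*.* ?RemoteLogs
$InputTCPServerBindRuleset remote
$InputTCPServerRun 514
$RuleSet RSYSLOG_DefaultRuleset

#### On each client: add to /etc/rsyslog.conf ####
# "@@" forwards over TCP; a single "@" would use UDP, which silently drops
# messages under load. Traffic is not encrypted here; logs that cross an
# untrusted network should use rsyslog's TLS driver or a management network.
*.* @@192.168.144.133:514
```

Restart rsyslog on both sides (systemctl restart rsyslog) and open TCP 514 on the server with firewall-cmd --permanent --add-port=514/tcp followed by firewall-cmd --reload, rather than stopping firewalld as in the httpd exercise.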


Origin www.linuxidc.com/Linux/2019-10/160966.htm