Log Management
Introduction
rsyslog: the log management system. It decides which programs' logs are recorded and where they are written.
logrotate: log rotation. It splits logs that would otherwise grow very large, and deletes old logs.
Logs come from two classes of producers.
First class
rsyslog, the system's full-time log handler, records most of the information about the system, such as login records, program start/stop events, and error states.
[root@localhost ~]# ps aux | grep rsyslog
root 635 0.0 0.3 210180 3924 ? Ssl 18:28 0:00 /usr/sbin/rsyslogd -n
root 1435 0.0 0.0 112660 972 pts/0 R+ 18:35 0:00 grep --color=auto rsyslog
Second class
Applications of various kinds, which may write logs in their own way.
Common log files (system processes and applications)
tail -10 /var/log/messages //main system log file
tail -f /var/log/messages //follow the tail of the log file as it grows
tailf /var/log/secure //authentication and security
tail /var/log/yum.log //yum
tail /var/log/maillog //mail, related to postfix
tail /var/log/cron //logs produced by the crond and at processes
tail /var/log/dmesg //related to system boot
tail /var/log/audit/audit.log //system audit log
tail /var/log/mysqld.log //MySQL
tail /var/log/xferlog //related to access to the FTP server
tail /var/log/wtmp //currently logged-in users (command: w)
tail /var/log/btmp //recently logged-in users (command: last)
tail /var/log/lastlog //login status of all users (command: lastlog)
rsyslog configuration
Related packages
[root@localhost yum.repos.d]# yum -y install rsyslog logrotate
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.ustc.edu.cn
* extras: ftp.sjtu.edu.cn
* updates: mirrors.tuna.tsinghua.edu.cn
Package rsyslog-8.24.0-41.el7_7.2.x86_64 already installed and latest version
Package logrotate-3.8.6-17.el7.x86_64 already installed and latest version
Nothing to do
Starting the service
[root@localhost ~]# systemctl start rsyslog.service
Related configuration files
[root@localhost ~]# rpm -qc rsyslog
/etc/logrotate.d/syslog //rotation of the syslog log files
/etc/rsyslog.conf //main rsyslog configuration file
/etc/sysconfig/rsyslog //rsyslog-related file; defines the level
The main configuration file
tells rsyslog which programs' logs are recorded and where.
Overview of the main configuration file:
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure //ssh messages
# Log all the mail messages in one place.
mail.* -/var/log/maillog //mail messages
# Log cron stuff
cron.* /var/log/cron //scheduled tasks
# Everybody gets emergency messages
*.emerg :omusrmsg:*
RULES, i.e. the rules
A rule states where a log is stored and the policy by which it is generated.
A rule is made up of facility + level + storage location, that is:
RULES = FACILITY.LEVEL + FILE
facility
A facility is a system-defined category for a certain type of event. AUTHPRIV, for example, is the security/authentication facility, and CRON is the scheduled-task facility.
# man 3 syslog
**Facility types**
LOG_SYSLOG: messages generated by syslogd itself
LOG_AUTHPRIV: security and authentication
LOG_CRON: cron and at
LOG_MAIL: mail subsystem
LOG_USER (default): user-related
LOG_DAEMON: background daemons
LOG_FTP: ftp daemon
LOG_KERN: kernel messages
LOG_LPR: printer subsystem
LOG_LOCAL0 through LOG_LOCAL7: user-defined facilities
**Example of a program's facility**
As for how programs relate to facilities: the program itself decides which facility its logs go to; this is defined by the developer. The SSH daemon, for example, chooses the security facility:
#grep Facility /etc/ssh/sshd_config
SyslogFacility AUTHPRIV
Which facility does this program belong to?
The authentication facility.
level
LOG_EMERG: emergency, fatal, the service cannot continue running, e.g. configuration file missing
LOG_ALERT: alert, needs immediate handling, e.g. disk 95% full
LOG_CRIT: critical condition
LOG_ERR: error condition
LOG_WARNING: warning message
LOG_NOTICE: normal but significant message
LOG_INFO: informational message
LOG_DEBUG: debug message, needed for troubleshooting, generally not recommended
From bottom to top the level goes from low to high, and less and less information is recorded.
Rules schematic
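To make the selector semantics concrete, here is an added example (not code from the page or from rsyslog) that routes a message through a copy of the RULES above: a level selects that priority and every more severe one, `none` drops a facility, `*` is a wildcard, and later parts of a selector override earlier ones for the same facility.

```python
# Route a message the way the RULES selectors above do.
# Added example, not code from the page or from rsyslog. It implements only the
# classic FACILITY.LEVEL selector semantics: a level matches that priority and
# every more severe one, 'none' drops a facility, '*' is a wildcard.

# Priorities in the page's order, most severe first (man 3 syslog)
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]

def parse_rule(line):
    """Split 'selector target' into ([(facilities, level), ...], target)."""
    selector, target = line.split(None, 1)
    parts = []
    for item in selector.split(";"):
        fac, lvl = item.split(".", 1)
        facs = FACILITIES if fac == "*" else fac.split(",")
        parts.append((facs, lvl))
    return parts, target.strip()

def matches(parts, facility, priority):
    """True if a (facility, priority) message is selected by this rule."""
    selected = False
    for facs, lvl in parts:          # later parts override earlier ones
        if facility not in facs:
            continue
        if lvl == "none":            # mail.none carves mail out of *.info
            selected = False
        elif lvl == "*":
            selected = True
        elif lvl.startswith("="):    # =info selects exactly that priority
            selected = priority == lvl[1:]
        else:                        # lower index in LEVELS = more severe
            selected = LEVELS.index(priority) <= LEVELS.index(lvl)
    return selected

def route(rules, facility, priority):
    """Return every target that receives the message under these rules."""
    return [target for parts, target in map(parse_rule, rules)
            if matches(parts, facility, priority)]

# Constructed copy of the RULES section above, with the annotations removed
RULES = [
    "*.info;mail.none;authpriv.none;cron.none /var/log/messages",
    "authpriv.* /var/log/secure",
    "mail.* -/var/log/maillog",
    "cron.* /var/log/cron",
    "*.emerg :omusrmsg:*",
]
```

With these rules an sshd login message (`authpriv.info`) lands only in /var/log/secure, while a `kern.emerg` message goes both to /var/log/messages and to every logged-in user.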
Log rotation
About
A log records all kinds of information while a program is running.
Through logs you can analyze user behaviour, keep a record of how the program ran, and look for problems in the program.
Unfortunately, disk space is limited.
A log is like an airplane's black box: it can only record what happened during the most recent period of time.
To save space and make logs easy to organize, log files often need to be split into multiple copies by time or by size, and old log files deleted.
Rotation configuration
Types of configuration file
Main file
[root@localhost ~]# ls /etc/logrotate.conf //decides how each log is rotated
/etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly //rotation period: rotate once a week
# keep 4 weeks worth of backlogs
rotate 4 //keep 4 copies
# create new (empty) log files after rotating old ones
create //create a new file after rotation
# use date as a suffix of the rotated file
dateext //use the date as the suffix
# uncomment this if you want your log files compressed
#compress
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d //include the sub-configuration files in this directory
# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp { //set the rotation method for one log file
monthly //rotate once a month
create 0664 root utmp //create a new file after rotation
minsize 1M
rotate 1 //keep 1 copy
}
/var/log/btmp {
missingok //do not complain if the file is missing
monthly //rotate once a month
create 0600 root utmp //create a new file after rotation, with these permissions
rotate 1 //keep 1 copy
}
# system-specific logs may be also be configured here.
Sub-configuration files
[root@localhost ~]# ls /etc/logrotate.d/*
/etc/logrotate.d/bootlog /etc/logrotate.d/syslog /etc/logrotate.d/wpa_supplicant /etc/logrotate.d/yum
Rotation example
[root@BJcoud_computing_hp_hao ~]# vim /etc/logrotate.d/yum
/var/log/yum.log {
missingok
# notifempty
# maxsize 30k
# yearly
daily
rotate 3
create 0777 root root
}
Incorrect demonstration
[root@BJcoud_computing_hp_hao ~]# logrotate /etc/logrotate.conf //manual rotation
[root@BJcoud_computing_hp_hao ~]# ls /var/log/yum*
/var/log/yum.log /var/log/yum.log-20200227 //still only one rotated file, because the date has not changed
Correct demonstration
[root@BJcoud_computing_hp_hao ~]# date 04251010
Sat Apr 25 10:10:00 CST 2020
[root@BJcoud_computing_hp_hao ~]# logrotate -s /var/lib/logrotate/logrotate.status /etc/logrotate.conf
[root@BJcoud_computing_hp_hao ~]# ls /var/log/yum*
/var/log/yum.log /var/log/yum.log-20200227 /var/log/yum.log-20200423 /var/log/yum.log-20200425
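The two runs above differ only in whether the date recorded in the state file has moved on. The following added example (not code from the page or from logrotate; dates and file names are constructed, and the state file is replaced by a dict) simulates that decision for the yum stanza, together with `dateext` naming and `rotate 3` pruning.

```python
# Simulate logrotate's decisions for the yum example above: the period check
# against the state file, dateext naming and 'rotate N' pruning.
# Added example, not code from the page or from logrotate; dates and file
# names are constructed, and the state file is replaced by a dict.
from datetime import date

def rotation_due(period, last, today, size=1, minsize=0):
    """Is the log due under 'daily'/'weekly'/'monthly'?  `last` is the date
    recorded in /var/lib/logrotate/logrotate.status (None = never rotated).
    Approximation of logrotate's rules: a log already rotated today is not
    rotated again, which is why the manual run on the page did nothing."""
    if size < minsize:                       # minsize 1M in the wtmp stanza
        return False
    if last is None:
        return True
    if period == "daily":
        return today > last
    if period == "weekly":                   # new week, or more than 7 days
        return today.weekday() < last.weekday() or (today - last).days > 7
    if period == "monthly":                  # first run in a new month
        return (today.year, today.month) > (last.year, last.month)
    raise ValueError(f"unknown period {period}")

def rotate(rotated, name, today, keep):
    """Rename name -> name-YYYYMMDD (dateext) and keep only `keep` copies.
    Returns the rotated copies oldest first; 'rotate 0' keeps none."""
    rotated = sorted(rotated + [f"{name}-{today:%Y%m%d}"])
    return rotated[-keep:] if keep > 0 else []

def run(state, config, name, rotated, today, size=1):
    """One logrotate run for a single log; updates `state` like the status file."""
    due = rotation_due(config["period"], state.get(name), today,
                       size, config.get("minsize", 0))
    if not due:
        return rotated                       # nothing to do, files unchanged
    state[name] = today
    return rotate(rotated, name, today, config["rotate"])

YUM = {"period": "daily", "rotate": 3}       # /etc/logrotate.d/yum above
if __name__ == "__main__":
    state = {"/var/log/yum.log": date(2020, 4, 25)}
    files = ["/var/log/yum.log-20200227", "/var/log/yum.log-20200423",
             "/var/log/yum.log-20200425"]
    # Same day again: no rotation, just like the incorrect demonstration
    print(run(state, YUM, "/var/log/yum.log", files, date(2020, 4, 25)))
    # Next day: a new copy appears and the oldest is pruned by 'rotate 3'
    print(run(state, YUM, "/var/log/yum.log", files, date(2020, 4, 26)))
```

Note that `create 0777 root root` in the yum stanza above makes every new yum.log world-writable; the `create 0600 root utmp` used for btmp is the pattern to copy for a new stanza.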