Log management service

Time: 2021-12-29

Basic introduction

  1. Log files are important system files: they record many important system events, such as user logins, system startup and security-related events.
  2. The /var/log directory is where the system log files are kept.
  3. On CentOS 7.6 the log management service is rsyslogd; on CentOS 6.x it was syslogd, with which rsyslogd is compatible.

Common log files:
(image: common log files)

Configuration file

The configuration file is /etc/rsyslog.conf. It holds the storage rules, i.e. which messages are written to which file.

Format

A rule selector has the form *.*: the first * is the log type (facility) and the second * is the log level.

  1. Log type

type        explain
auth        logs generated by PAM
authpriv    authentication information from SSH, FTP and other logins
cron        scheduled task (cron) related
kern        kernel
lpr         printing
mail        mail
mark        (syslog) rsyslog internal information, timestamp marks
news        newsgroups
user        information generated by user programs
uucp        UNIX-to-UNIX copy, communication between hosts
local 1-7   custom log facilities
  2. Log level

level     explain
debug     debugging information
info      general information, the most commonly used level
notice    information about the most important normal conditions
warning   warning level
err       error level: information that a function or module cannot work properly
crit      critical level: information that the whole system or the whole software cannot work normally
alert     information that must be corrected immediately
emerg     kernel crash and other emergencies
none      do nothing (exclude this facility)

From top to bottom the level becomes more severe and less information is recorded: a selector at a given level also matches every more severe level, so *.emerg writes far less than *.debug.
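To make the facility.level semantics concrete, here is an added example (not code from the original post) that evaluates a rule's selector field against a message's facility and level. It also handles the comma-separated facility lists and ";"-joined selectors used in the default CentOS 7 rule for /var/log/messages, which go beyond the single *.* case shown above.

```python
# Added example (not from the original post): evaluates rsyslog selector fields
# such as "*.*" or "*.info;mail.none;authpriv.none" against a message's
# facility and level, using the facility and level tables above.
# A level selects that level AND every more severe one, "none" drops the
# facility, and later selectors on the same line override earlier ones.
# The "=level" and "!level" modifiers are not handled here.

# local0 also exists in practice; "syslog" is rsyslog's own facility.
FACILITIES = ["auth", "authpriv", "cron", "kern", "lpr", "mail", "mark", "news",
              "user", "uucp", "syslog"] + [f"local{i}" for i in range(8)]
# Least to most severe, in the order of the level table above.
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]


def compile_selector(selector_field):
    """Map every facility to the minimum level index it is logged at
    (None = not logged) for one rule's selector field."""
    mask = {f: None for f in FACILITIES}
    for sel in selector_field.split(";"):
        fac_part, _, level = sel.strip().partition(".")
        if fac_part == "*":
            facs = FACILITIES
        else:
            facs = [f.strip() for f in fac_part.split(",")]
        for fac in facs:
            if fac not in mask:
                raise ValueError(f"unknown facility: {fac}")
            if level == "none":
                mask[fac] = None                  # exclude this facility entirely
            elif level == "*":
                mask[fac] = 0                     # everything from debug upwards
            else:
                mask[fac] = LEVELS.index(level)   # ValueError on an unknown level
    return mask


def matches(selector_field, facility, level):
    """True if a message with this facility/level is written by the rule."""
    threshold = compile_selector(selector_field)[facility]
    return threshold is not None and LEVELS.index(level) >= threshold


if __name__ == "__main__":
    # Default CentOS 7 rule for /var/log/messages
    rule = "*.info;mail.none;authpriv.none;cron.none"
    print(matches(rule, "kern", "warning"), matches(rule, "authpriv", "err"))
```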

Prerequisite

Check whether rsyslogd is running: ps aux | grep "rsyslogd" | grep -v "grep"

View logs

  1. Pay attention to the permissions of the current user
  2. View with a command such as cat, more or less

For example:

[root@rH7-1 ~]# cat /var/log/secure
Jan  3 20:39:18 rH7-1 sshd[10878]: Accepted password for lczmx from 192.168.255.1 port 19375 ssh2

Log format:
time  host  program (service) that generated the message[PID]:  description of the event
Example:

  1. Modify the configuration file so that a custom file receives and saves the messages
  2. View the log in that file

# Add to /etc/rsyslog.conf
*.*                                     /var/log/all.log

# Create all.log under /var/log
touch /var/log/all.log

# Log in to the host over SSH and check the log. If nothing appears, restart the rsyslog service

grep "sshd" /var/log/all.log

Jan  5 13:28:26 rH7-1 sshd[10428]: Received disconnect from 192.168.255.1 port 2226:11: disconnected by user
Jan  5 13:28:26 rH7-1 sshd[10428]: Disconnected from 192.168.255.1 port 2226
Jan  5 13:28:26 rH7-1 sshd[10424]: pam_unix(sshd:session): session closed for user lczmx
Jan  5 13:28:29 rH7-1 sshd[10562]: Accepted password for lczmx from 192.168.255.1 port 2248 ssh2
Jan  5 13:28:30 rH7-1 sshd[10562]: pam_unix(sshd:session): session opened for user lczmx by (uid=0)
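The lines above follow the traditional syslog layout. As an added example (not code from the original post), here is a small parser for that layout plus a summary of sshd password logins per source address, the kind of check a defender runs over /var/log/secure or the all.log file created above. The sample lines are constructed in the same format as the output above; the "Failed password" message form is sshd's standard one.

```python
# Added example (not from the original post): parses traditional syslog lines
# (time, host, program[pid]: message) and summarises sshd password logins
# per source address, as one would do over /var/log/secure or all.log.
import re
from collections import defaultdict

# "Jan  5 13:28:29 rH7-1 sshd[10562]: Accepted password for lczmx from ..."
LINE_RE = re.compile(
    r"^(?P<time>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# sshd's "Accepted password for USER from IP port N ssh2" and the matching
# "Failed password for [invalid user] USER from IP port N ssh2" messages.
SSH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)")

def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not parse."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec

def ssh_login_summary(lines):
    """Return {source ip: {"accepted": n, "failed": n, "users": set()}}."""
    summary = defaultdict(lambda: {"accepted": 0, "failed": 0, "users": set()})
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["prog"] != "sshd":
            continue
        m = SSH_RE.match(rec["msg"])
        if not m:
            continue                      # disconnects, pam_unix session lines, etc.
        entry = summary[m["ip"]]
        entry["accepted" if m["result"] == "Accepted" else "failed"] += 1
        entry["users"].add(m["user"])
    return dict(summary)

# Constructed sample in the same format as the output above (not real data).
SAMPLE = """\
Jan  5 13:28:29 rH7-1 sshd[10562]: Accepted password for lczmx from 192.168.255.1 port 2248 ssh2
Jan  5 13:28:30 rH7-1 sshd[10562]: pam_unix(sshd:session): session opened for user lczmx by (uid=0)
Jan  5 13:31:02 rH7-1 sshd[10601]: Failed password for invalid user admin from 192.168.255.9 port 40211 ssh2
Jan  5 13:31:05 rH7-1 sshd[10601]: Failed password for root from 192.168.255.9 port 40211 ssh2
Jan  5 13:31:07 rH7-1 CROND[10611]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()
```

Running ssh_login_summary(SAMPLE) reports one accepted login for 192.168.255.1 and two failures for 192.168.255.9 against the users admin and root, while the pam_unix and CROND lines are skipped.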

Log rotation

The old log file is moved and renamed, and a new empty log file is created. When an old log file falls outside the retention range it is deleted.
The rotation configuration file is /etc/logrotate.conf
Configuration file parameters

parameter                 explain
daily                     rotate every day
weekly                    rotate every week
monthly                   rotate every month
rotate number             how many copies to keep; 0 means no backup
compress                  compress the old log during rotation
create mode owner group   create a new log file with the given permissions, owner and group
mail address              during rotation, send the rotated content to the given email address
missingok                 if the log does not exist, ignore it without a warning
notifempty                do not rotate an empty log file
minsize                   minimum size for rotation; only rotate once it is reached
size                      rotate when the log exceeds the given size, regardless of time
dateext                   use the date as the suffix of the rotated file
sharedscripts             the script following this keyword is run only once
prerotate/endscript       script executed before rotation
postrotate/endscript      script executed after rotation

  1. With the dateext parameter, rotated files are named by date. You need to specify the number of logs to keep; when that number is exceeded, the extra log files are deleted.
  2. Without the dateext parameter, the default names are xx.1, xx.2 and so on. When a new log file is generated, the numbers are pushed back by one.
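As an added example (not code from the original post or from logrotate itself), the following simulates the two naming schemes just described: numeric suffixes that are pushed back on each rotation, and date suffixes kept up to the rotate count. It only models file names; the compress suffix and real file operations are left out.

```python
# Added example (not from the original post): simulates how logrotate names
# rotated copies with and without dateext and prunes beyond the rotate count.
# Only file names are modelled; no files are touched and .gz is ignored.
import re


def rotate_names(base, existing, rotate, dateext=False, today="20211229"):
    """Return the rotated names for `base` after one rotation.
    existing: current rotated names; rotate: copies to keep (0 = no backup)."""
    if rotate == 0:
        return []                                 # old log removed, nothing kept
    if dateext:
        kept = sorted(existing, reverse=True)     # yyyymmdd suffix sorts by date
        kept.insert(0, f"{base}-{today}")         # today's copy is the newest
        return kept[:rotate]                      # oldest dates fall off the end
    # Numeric suffixes: every existing .N is pushed back to .N+1 ...
    pushed = []
    for name in existing:
        m = re.fullmatch(re.escape(base) + r"\.(\d+)", name)
        if m:
            pushed.append(int(m.group(1)) + 1)
    kept = [f"{base}.{n}" for n in sorted(pushed) if n <= rotate]
    # ... and the log just rotated becomes .1
    return [f"{base}.1"] + kept
```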

/etc/logrotate.conf file:

# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# use date as a suffix of the rotated file
dateext

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
# The following is the per-log configuration; it can be written here or in /etc/logrotate.d
include /etc/logrotate.d

# no packages own wtmp and btmp -- we'll rotate them here
# (logrotate only accepts comments on their own line, so the explanations sit above each directive)
/var/log/wtmp {
    monthly
    # 0664 permission, owner root, group utmp
    create 0664 root utmp
    # minimum size of the file before it is rotated
    minsize 1M
    # keep only one copy
    rotate 1
}

/var/log/btmp {
    # ignore if the log does not exist
    missingok
    monthly
    create 0600 root utmp
    rotate 1
}

# system-specific logs may be also be configured here.

Operation principle of log rotation

The crond daemon runs /etc/cron.daily/logrotate
Contents of the logrotate script:

#!/bin/sh

/usr/sbin/logrotate -s /var/lib/logrotate/logrotate.status /etc/logrotate.conf
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
    /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
exit 0

/etc/cron.daily/logrotate runs the logrotate command and passes it the configuration file /etc/logrotate.conf

View the memory log

The memory log is the log kept in memory and is viewed with journalctl. Note that the log in memory is cleared when the machine is shut down.

Common commands:

  • journalctl                                  view the memory log
  • journalctl -n 3                             view the latest 3 entries
  • journalctl --since 19:00 --until 19:10:10   view entries from the start time to the end time; a date can be added
  • journalctl -p err                           error-level entries
  • journalctl -o verbose                       detailed output
  • journalctl _PID=123 _COMM=sshd              view entries matching these fields
