Linux Log Management 1: rsyslog

I. rsyslog system log management
Questions discussed: which program ----> produces which log ----> stored where
II. Processes that handle logs
Category 1: rsyslogd: the system's dedicated logging daemon. It handles the vast majority of log records, i.e. information about system operation such as login messages, program start/stop messages and error messages.
[root@localhost ~]# ps aux | grep rsyslogd
root    997   0.0   0.2   216420   5048   ? Ssl    07:01   0:01   /usr/sbin/rsyslogd -n
Category 2: httpd/nginx/mysql: application programs, each of which may record logs in its own way.
[root@localhost ~]# ls /var/log/httpd/
access_log   access_log-20201213   error_log   error_log-20201213
[root@localhost ~]# ls /usr/local/nginx/log/access_log
III. Common log files (system, process, application)

(1) [root@localhost ~]# ls /var/log/ // system logs are generally kept under /var/log

anaconda           btmp           firewalld           maillog-20201213   secure            tuned                 vmware-vgauthsvc.log.0
audit              cron           grubby_prune_debug  messages           secure-20201213   vmware-network.1.log  vmware-vmsvc.log
boot.log           cron-20201213  httpd               messages-20201213  spooler           vmware-network.2.log  wtmp
boot.log-20201211  dmesg          lastlog             rhsm               spooler-20201213  vmware-network.3.log  yum.log
boot.log-20201213  dmesg.old      maillog             sa                 tallylog          vmware-network.log

(2) /var/log/messages // main system log file
The messages log is the core system log file. It contains the boot messages emitted while the system starts as well as other status messages while it runs. I/O errors, network errors and other system errors are all recorded in this file. Other information, such as someone switching identity to root, is listed here too. If a service such as a DHCP server is running, you can watch its activity in the messages file. Usually /var/log/messages is the first file to look at when troubleshooting.
[root@localhost ~]# tailf /var/log/messages // watch the main system log file in real time

Dec 14 10:36:48 localhost NetworkManager[728]: <info>  [1607913408.7008] dhcp4 (ens33):   domain name 'localdomain'
Dec 14 10:36:48 localhost NetworkManager[728]: <info>  [1607913408.7008] dhcp4 (ens33): state changed bound -> bound
Dec 14 10:36:48 localhost systemd: Starting Network Manager Script Dispatcher Service...
Dec 14 10:36:48 localhost dbus[722]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
Dec 14 10:36:48 localhost dhclient[11194]: bound to 192.168.64.129 -- renewal in 895 seconds.
Dec 14 10:36:48 localhost dbus[722]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Dec 14 10:36:48 localhost systemd: Started Network Manager Script Dispatcher Service.
Dec 14 10:36:48 localhost nm-dispatcher: req:1 'dhcp4-change' [ens33]: new request (2 scripts)
Dec 14 10:36:48 localhost nm-dispatcher: req:1 'dhcp4-change' [ens33]: start running ordered scripts...
Dec 14 10:40:01 localhost systemd: Started Session 46 of user root.

// Log format:
time  host  program  log content
(3) [root@localhost ~]# tailf /var/log/secure // security information, system logins and network connections

[root@localhost ~]# tail -f /var/log/secure
Dec 15 20:13:14 localhost sshd[99976]: Accepted password for root from 10.8.161.66 port 57556 ssh2
Dec 15 20:13:14 localhost sshd[99976]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 15 20:13:15 localhost sshd[99976]: error: no more sessions
Dec 15 20:13:15 localhost sshd[99976]: error: no more sessions
Dec 15 20:13:48 localhost sshd[99976]: pam_unix(sshd:session): session closed for user root
Dec 15 20:13:59 localhost sshd[101430]: Accepted password for root from 10.8.161.66 port 57833 ssh2
Dec 15 20:13:59 localhost sshd[101430]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 15 20:14:00 localhost sshd[101430]: error: no more sessions
Dec 15 20:14:00 localhost sshd[101430]: error: no more sessions
Dec 15 20:14:00 localhost sshd[101430]: error: no more sessions
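As an added example (not part of the original post) of working with the "time host program message" layout described under (2), here is a small Python parser that summarizes sshd authentication results from /var/log/secure lines. The sample lines are constructed: two Accepted lines are copied from the output above, the Failed lines are invented, and the failure threshold is an assumed value.

```python
import re
from collections import Counter
# Constructed sample in the "time host program[pid]: message" layout shown above;
# the Accepted lines are copied from this page, the Failed lines are invented.
SAMPLE_SECURE = """\
Dec 15 20:13:14 localhost sshd[99976]: Accepted password for root from 10.8.161.66 port 57556 ssh2
Dec 15 20:13:14 localhost sshd[99976]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 15 20:13:59 localhost sshd[101430]: Accepted password for root from 10.8.161.66 port 57833 ssh2
Dec 15 20:15:02 localhost sshd[101500]: Failed password for invalid user admin from 10.8.161.90 port 41022 ssh2
Dec 15 20:15:05 localhost sshd[101500]: Failed password for invalid user admin from 10.8.161.90 port 41022 ssh2
Dec 15 20:15:09 localhost sshd[101500]: Failed password for invalid user admin from 10.8.161.90 port 41022 ssh2
Dec 15 20:16:00 localhost CROND[86725]: (root) CMD (run-parts /etc/cron.hourly)
"""

# time  host  program[pid]:  message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+")

def parse_line(line):
    """Split one syslog line into its fields; None if the line does not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def summarize_sshd_auth(text):
    """Count sshd authentication outcomes per (result, user, source address)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["prog"] != "sshd":
            continue
        a = AUTH_RE.match(rec["msg"])
        if a:
            counts[(a["result"], a["user"], a["src"])] += 1
    return counts

def noisy_sources(counts, threshold=3):  # threshold is an assumed cutoff
    failed = Counter()
    for (result, _user, src), n in counts.items():
        if result == "Failed":
            failed[src] += n
    return sorted(src for src, n in failed.items() if n >= threshold)

if __name__ == "__main__":
    for key, n in sorted(summarize_sshd_auth(SAMPLE_SECURE).items()):
        print(n, *key)
```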

(4) [root@localhost ~]# tailf /var/log/yum.log // yum package installation records

[root@localhost ~]# tailf /var/log/yum.log
Dec 14 15:03:02 Installed: perl-Compress-Raw-Bzip2-2.061-3.el7.x86_64
Dec 14 15:03:02 Installed: perl-IO-Compress-2.061-2.el7.noarch
Dec 14 15:03:02 Installed: perl-PlRPC-0.2020-14.el7.noarch
Dec 14 15:03:03 Installed: perl-DBI-1.627-4.el7.x86_64
Dec 14 15:03:03 Installed: perl-DBD-MySQL-4.023-6.el7.x86_64
Dec 14 15:03:08 Installed: 1:mariadb-server-5.5.68-1.el7.x86_64
Dec 14 15:03:08 Installed: php-gd-5.4.16-48.el7.x86_64
Dec 14 15:03:09 Installed: gd-2.0.35-26.el7.x86_64
Dec 14 15:03:09 Installed: php-mysql-5.4.16-48.el7.x86_64
Dec 14 15:03:09 Installed: php-5.4.16-48.el7.x86_64

(5) [root@localhost ~]# tail /var/log/maillog // mail system log

[root@localhost ~]# tailf /var/log/maillog
Dec 13 19:17:31 localhost postfix/postfix-script[985]: starting the Postfix mail system
Dec 13 19:17:32 localhost postfix/master[987]: daemon started -- version 2.10.1, configuration /etc/postfix
Dec 14 09:11:26 localhost postfix/postfix-script[1020]: starting the Postfix mail system
Dec 14 09:11:26 localhost postfix/master[1022]: daemon started -- version 2.10.1, configuration /etc/postfix
Dec 15 09:01:34 localhost postfix/postfix-script[1018]: starting the Postfix mail system
Dec 15 09:01:34 localhost postfix/master[1020]: daemon started -- version 2.10.1, configuration /etc/postfix

(6) [root@localhost ~]# tail /var/log/cron // logs produced by the crond and at daemons (scheduled task log)

[root@localhost ~]# tail /var/log/cron
Dec 15 19:30:01 localhost CROND[53101]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Dec 15 19:40:01 localhost CROND[63946]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Dec 15 19:50:01 localhost CROND[74752]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Dec 15 20:00:01 localhost CROND[85630]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Dec 15 20:01:01 localhost CROND[86725]: (root) CMD (run-parts /etc/cron.hourly)
Dec 15 20:01:01 localhost run-parts(/etc/cron.hourly)[86725]: starting 0anacron
Dec 15 20:01:01 localhost run-parts(/etc/cron.hourly)[86734]: finished 0anacron
Dec 15 20:10:01 localhost CROND[96521]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Dec 15 20:20:01 localhost CROND[114209]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Dec 15 20:30:01 localhost CROND[4212]: (root) CMD (/usr/lib64/sa/sa1 1 1)

(7) [root@localhost ~]# tail /var/log/dmesg // kernel boot log

[root@localhost ~]# tail /var/log/dmesg
[   10.804682] Bluetooth: HCI device and connection manager initialized
[   10.804685] Bluetooth: HCI socket layer initialized
[   10.804688] Bluetooth: L2CAP socket layer initialized
[   10.804693] Bluetooth: SCO socket layer initialized
[   10.933968] Adding 2097148k swap on /dev/mapper/centos-swap.  Priority:-2 extents:1 across:2097148k FS
[   10.940513] usbcore: registered new interface driver btusb
[   10.991348] ppdev: user-space parallel port driver
[   10.998999] XFS (sda1): Mounting V5 Filesystem
[   11.698910] XFS (sda1): Ending clean mount
[   12.255591] type=1305 audit(1607994087.104:3): audit_pid=635 old=0 auid=4294967295 ses=4294967295 res=1

(8) [root@localhost ~]# tail /var/log/audit/audit.log // system audit log
(9) # tail /var/log/mysqld.log // MySQL
(10) # tail /var/log/xferlog // FTP server access
(11) # tail /var/log/wtmp // currently logged-in users (command: w)
(12) # tail /var/log/btmp // recently logged-in users (command: last)
(13) # tail /var/log/lastlog // login status of all users (command: lastlog)
IV. rsyslogd configuration
1. Related packages
yum install rsyslog logrotate // installed by default
2. Start the service
systemctl start rsyslog.service
3. Related files

[root@localhost ~]# rpm -qc rsyslog
/etc/logrotate.d/syslog
/etc/rsyslog.conf
/etc/sysconfig/rsyslog

rpm -qc rsyslog             // list the logging program's configuration files; -c queries configuration files
/etc/rsyslog.conf           // main configuration file of rsyslogd (the key file)
/etc/sysconfig/rsyslog      // rsyslogd-related file, defines levels
/etc/logrotate.d/syslog     // related to log rotation (splitting)
V. Main configuration file /etc/rsyslog.conf
[root@localhost ~]# vim /etc/rsyslog.conf

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

1. RULES
RULES are the policies that define how logs are generated and where they are stored.
A RULE consists of three parts: FACILITY (the source) + LEVEL (the severity) + FILE (the storage location).
authpriv.*    /var/log/secure    (SSH messages)
mail.*        -/var/log/maillog  (mail)
cron.*        /var/log/cron      (scheduled tasks)
The - sign here means the log is written asynchronously, since log files are usually fairly large.
*.info;mail.none;authpriv.none;cron.none /var/log/messages
The system log excludes the mail, authentication and scheduled-task logs.
2. FACILITY & LEVEL
(1) facility
1) facility
A facility is the system's definition of a type of application event. For example, AUTHPRIV covers security events and CRON covers scheduled-task events. It is used to collect the logs of programs of the same kind.

2) Facility types
LOG_SYSLOG                       messages generated by syslogd itself
LOG_AUTHPRIV                     security/authentication
LOG_CRON                         scheduler (cron and at)
LOG_MAIL                         mail subsystem
LOG_USER (default)               user-level messages
LOG_DAEMON                       background daemons
LOG_FTP                          ftp daemon
LOG_KERN                         kernel messages
LOG_LPR                          printer subsystem
LOG_LOCAL0 through LOG_LOCAL7    user-defined facilities

(2) level
(image of the level table; not reproduced in the text)
(3) Example: changing a program's facility
1) Change the ssh daemon's facility

[root@localhost ~]# vim /etc/ssh/sshd_config
#SyslogFacility AUTHPRIV
SyslogFacility LOCAL5

2) Change the rsyslog rule

[root@localhost ~]# vim /etc/rsyslog.conf
local7.*                                      /var/log/boot.log
local5.*                                      /var/log/sunny

3) Restart rsyslog and sshd
After the configuration is rewritten it exists only on disk and has not been loaded; it takes effect only after a restart, when the file is read from disk into memory again.
[root@localhost ~]# systemctl restart rsyslog sshd
4) Log in to the server from another terminal and watch the new log file.

[root@localhost ~]# ll /var/log/secure /var/log/sunny
-rw------- 1 root root 8669 1216 21:11 /var/log/secure
-rw------- 1 root root  373 1216 21:11 /var/log/sunny
[root@localhost ~]# exit
登出

连接断开
连接成功
Last login: Wed Dec 16 21:11:37 2020 from 192.168.64.1

[root@localhost ~]# ll /var/log/secure /var/log/sunny
-rw------- 1 root root 8863 1216 21:12 /var/log/secure
-rw------- 1 root root  536 1216 21:12 /var/log/sunny
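The selector rules from the RULES and FACILITY/LEVEL sections above, and the effect of moving sshd from AUTHPRIV to LOCAL5 in this procedure, as an added example not taken from the original post: a small Python model of classic rsyslog selector matching, run over the rule lines copied from this page's /etc/rsyslog.conf. Facility and level names are the standard syslog ones; the evaluator handles only the "facility.level", "*" and ".none" forms that appear on this page.

```python
# Standard syslog facility names and severity levels (most severe first, numeric
# codes 0..7 as in syslog(3)); "facility.level" selects that level and anything more severe.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + ["local%d" % i for i in range(8)]
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Rules copied from the /etc/rsyslog.conf shown on this page, plus the local5
# rule added in the procedure.
CONF_BEFORE = """
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                 /var/log/secure
mail.*                                     -/var/log/maillog
cron.*                                     /var/log/cron
*.emerg                                    :omusrmsg:*
uucp,news.crit                             /var/log/spooler
local7.*                                   /var/log/boot.log
"""
CONF_AFTER = CONF_BEFORE + "local5.*   /var/log/sunny\n"

def parse_selector(selector):
    """Expand 'fac1,fac2.level;fac.none' into {facility: least-severe code}.
    Later parts override earlier ones; that is how '.none' carves mail,
    authpriv and cron out of the '*.info' wildcard."""
    table = {}
    for part in selector.split(";"):
        facs, _, lvl = part.partition(".")
        for name in (FACILITIES if facs == "*" else facs.split(",")):
            table[name] = None if lvl == "none" else 7 if lvl == "*" else LEVELS.index(lvl)
    return table

def parse_rules(conf_text):
    """Return [(selector_table, action)]. A leading '-' on a file action only
    means 'omit fsync after each write', so it is stripped from the path."""
    rules = []
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            selector, action = line.split()
            rules.append((parse_selector(selector), action.lstrip("-")))
    return rules

def route(rules, facility, level):
    """Actions that receive a message logged with this facility and level."""
    code = LEVELS.index(level)
    return [action for table, action in rules
            if table.get(facility) is not None and code <= table[facility]]

if __name__ == "__main__":
    print("sshd at AUTHPRIV:", route(parse_rules(CONF_BEFORE), "authpriv", "info"))
    print("sshd at LOCAL5:  ", route(parse_rules(CONF_AFTER), "local5", "info"))
```

Because local5 is not in the ".none" list of the messages rule, sshd messages logged at LOCAL5 land in /var/log/messages as well as /var/log/sunny, whereas at AUTHPRIV they went only to /var/log/secure.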