I. rsyslog system log management
The question under discussion: which program ----> produces which log ----> stored where
II. Processes that handle logs
Category 1: rsyslogd: the system's dedicated logging daemon. It handles the vast majority of log records, i.e. information about system operation such as login information, program start/stop messages and error messages.
[root@localhost ~]# ps aux | grep rsyslogd
root 997 0.0 0.2 216420 5048 ? Ssl 07:01 0:01 /usr/sbin/rsyslogd -n
Category 2: httpd/nginx/mysql: application programs of all kinds, which may record their logs in their own way.
[root@localhost ~]# ls /var/log/httpd/
access_log access_log-20201213 error_log error_log-20201213
[root@localhost ~]# ls /usr/local/nginx/log/access_log
III. Common log files (system, processes, applications)
(1)[root@localhost ~]# ls /var/log/ //system logs are generally kept under /var/log
anaconda btmp firewalld maillog-20201213 secure tuned vmware-vgauthsvc.log.0
audit cron grubby_prune_debug messages secure-20201213 vmware-network.1.log vmware-vmsvc.log
boot.log cron-20201213 httpd messages-20201213 spooler vmware-network.2.log wtmp
boot.log-20201211 dmesg lastlog rhsm spooler-20201213 vmware-network.3.log yum.log
boot.log-20201213 dmesg.old maillog sa tallylog vmware-network.log
(2)/var/log/messages //the main system log file
The messages log is the core system log file. It contains the boot messages from system startup as well as other status messages written while the system runs. I/O errors, network errors and other system errors are all recorded in this file. Other information, such as someone switching identity to root, is listed here too. If a service is running, for example a DHCP server, you can watch its activity in the messages file. Usually /var/log/messages is the first file to look at when troubleshooting.
[root@localhost ~]# tailf /var/log/messages //watch the main system log file in real time
Dec 14 10:36:48 localhost NetworkManager[728]: <info> [1607913408.7008] dhcp4 (ens33): domain name 'localdomain'
Dec 14 10:36:48 localhost NetworkManager[728]: <info> [1607913408.7008] dhcp4 (ens33): state changed bound -> bound
Dec 14 10:36:48 localhost systemd: Starting Network Manager Script Dispatcher Service...
Dec 14 10:36:48 localhost dbus[722]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
Dec 14 10:36:48 localhost dhclient[11194]: bound to 192.168.64.129 -- renewal in 895 seconds.
Dec 14 10:36:48 localhost dbus[722]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Dec 14 10:36:48 localhost systemd: Started Network Manager Script Dispatcher Service.
Dec 14 10:36:48 localhost nm-dispatcher: req:1 'dhcp4-change' [ens33]: new request (2 scripts)
Dec 14 10:36:48 localhost nm-dispatcher: req:1 'dhcp4-change' [ens33]: start running ordered scripts...
Dec 14 10:40:01 localhost systemd: Started Session 46 of user root.
//Log format:
time host program(tag) log content
(3)[root@localhost ~]# tailf /var/log/secure //security information and records of system logins and network connections
[root@localhost ~]# tail -f /var/log/secure
Dec 15 20:13:14 localhost sshd[99976]: Accepted password for root from 10.8.161.66 port 57556 ssh2
Dec 15 20:13:14 localhost sshd[99976]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 15 20:13:15 localhost sshd[99976]: error: no more sessions
Dec 15 20:13:15 localhost sshd[99976]: error: no more sessions
Dec 15 20:13:48 localhost sshd[99976]: pam_unix(sshd:session): session closed for user root
Dec 15 20:13:59 localhost sshd[101430]: Accepted password for root from 10.8.161.66 port 57833 ssh2
Dec 15 20:13:59 localhost sshd[101430]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 15 20:14:00 localhost sshd[101430]: error: no more sessions
Dec 15 20:14:00 localhost sshd[101430]: error: no more sessions
Dec 15 20:14:00 localhost sshd[101430]: error: no more sessions
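The format note above (time, host, program, log content) is enough to write a first triage pass over /var/log/secure. The shell example below is added here and is not part of the original page. Its sample lines are constructed: three are copied from the output above, while the "Failed password" lines and the 192.0.2.10 address are invented to exercise the failure path. The function names ssh_auth_summary, failed_count and failed_over are the example's own. It counts accepted and failed sshd password logins per source address and lists addresses at or above a failure threshold, which is the usual first check when reviewing this file.

```shell
# Added example (not from the original page): first-pass triage of /var/log/secure.
# Input is syslog-format text: "time host tag message", as shown in the page's output.

# Constructed sample: first three lines copied from the page, the rest invented.
SAMPLE_SECURE='Dec 15 20:13:14 localhost sshd[99976]: Accepted password for root from 10.8.161.66 port 57556 ssh2
Dec 15 20:13:14 localhost sshd[99976]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 15 20:13:59 localhost sshd[101430]: Accepted password for root from 10.8.161.66 port 57833 ssh2
Dec 15 20:15:02 localhost sshd[101501]: Failed password for root from 192.0.2.10 port 40112 ssh2
Dec 15 20:15:05 localhost sshd[101501]: Failed password for root from 192.0.2.10 port 40112 ssh2
Dec 15 20:15:09 localhost sshd[101503]: Failed password for invalid user admin from 192.0.2.10 port 40120 ssh2'

# Usage: ssh_auth_summary < secure-log
# Prints one line per source IP: "<ip> accepted=<n> failed=<n>", sorted by IP.
ssh_auth_summary() {
    awk '
        # $1-$3 timestamp, $4 host, $5 tag ("sshd[pid]:"), $6 onwards the message
        $5 ~ /^sshd\[/ && ($6 == "Accepted" || $6 == "Failed") {
            ip = "?"
            # the source address is the word after "from" (works for the
            # "for invalid user NAME from IP" variant as well)
            for (i = 7; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if ($6 == "Accepted") acc[ip]++; else fail[ip]++
            seen[ip] = 1
        }
        END {
            for (ip in seen)
                printf "%s accepted=%d failed=%d\n", ip, acc[ip] + 0, fail[ip] + 0
        }' | sort
}

# Usage: failed_count <ip> < secure-log
# Prints the number of failed password attempts from that IP (0 if none seen).
failed_count() {
    ssh_auth_summary | awk -v ip="$1" '
        $1 == ip { sub(/^failed=/, "", $3); print $3; found = 1 }
        END { if (!found) print 0 }'
}

# Usage: failed_over <threshold> < secure-log
# Prints every source IP with at least <threshold> failed attempts.
failed_over() {
    ssh_auth_summary | awk -v min="$1" '
        { n = $3; sub(/^failed=/, "", n); if (n + 0 >= min + 0) print $1 }'
}

# Stand-alone demonstration on the constructed sample
printf '%s\n' "$SAMPLE_SECURE" | ssh_auth_summary
printf '%s\n' "$SAMPLE_SECURE" | failed_over 3
```

On a real host the same functions read the live file, e.g. `failed_over 10 < /var/log/secure`; the summary deliberately keys on the sshd tag and the "Accepted"/"Failed" keywords only, so the pam_unix session lines are ignored.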
(4)[root@localhost ~]# tailf /var/log/yum.log //yum package installation records
[root@localhost ~]# tailf /var/log/yum.log
Dec 14 15:03:02 Installed: perl-Compress-Raw-Bzip2-2.061-3.el7.x86_64
Dec 14 15:03:02 Installed: perl-IO-Compress-2.061-2.el7.noarch
Dec 14 15:03:02 Installed: perl-PlRPC-0.2020-14.el7.noarch
Dec 14 15:03:03 Installed: perl-DBI-1.627-4.el7.x86_64
Dec 14 15:03:03 Installed: perl-DBD-MySQL-4.023-6.el7.x86_64
Dec 14 15:03:08 Installed: 1:mariadb-server-5.5.68-1.el7.x86_64
Dec 14 15:03:08 Installed: php-gd-5.4.16-48.el7.x86_64
Dec 14 15:03:09 Installed: gd-2.0.35-26.el7.x86_64
Dec 14 15:03:09 Installed: php-mysql-5.4.16-48.el7.x86_64
Dec 14 15:03:09 Installed: php-5.4.16-48.el7.x86_64
(5)[root@localhost ~]# tail /var/log/maillog //mail system log
[root@localhost ~]# tailf /var/log/maillog
Dec 13 19:17:31 localhost postfix/postfix-script[985]: starting the Postfix mail system
Dec 13 19:17:32 localhost postfix/master[987]: daemon started -- version 2.10.1, configuration /etc/postfix
Dec 14 09:11:26 localhost postfix/postfix-script[1020]: starting the Postfix mail system
Dec 14 09:11:26 localhost postfix/master[1022]: daemon started -- version 2.10.1, configuration /etc/postfix
Dec 15 09:01:34 localhost postfix/postfix-script[1018]: starting the Postfix mail system
Dec 15 09:01:34 localhost postfix/master[1020]: daemon started -- version 2.10.1, configuration /etc/postfix
(6)[root@localhost ~]# tail /var/log/cron //logs produced by the crond and at processes (scheduled-task log)
[root@localhost ~]# tail /var/log/cron
Dec 15 19:30:01 localhost CROND[53101]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Dec 15 19:40:01 localhost CROND[63946]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Dec 15 19:50:01 localhost CROND[74752]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Dec 15 20:00:01 localhost CROND[85630]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Dec 15 20:01:01 localhost CROND[86725]: (root) CMD (run-parts /etc/cron.hourly)
Dec 15 20:01:01 localhost run-parts(/etc/cron.hourly)[86725]: starting 0anacron
Dec 15 20:01:01 localhost run-parts(/etc/cron.hourly)[86734]: finished 0anacron
Dec 15 20:10:01 localhost CROND[96521]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Dec 15 20:20:01 localhost CROND[114209]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Dec 15 20:30:01 localhost CROND[4212]: (root) CMD (/usr/lib64/sa/sa1 1 1)
(7)[root@localhost ~]# tail /var/log/dmesg //kernel boot log
[root@localhost ~]# tail /var/log/dmesg
[ 10.804682] Bluetooth: HCI device and connection manager initialized
[ 10.804685] Bluetooth: HCI socket layer initialized
[ 10.804688] Bluetooth: L2CAP socket layer initialized
[ 10.804693] Bluetooth: SCO socket layer initialized
[ 10.933968] Adding 2097148k swap on /dev/mapper/centos-swap. Priority:-2 extents:1 across:2097148k FS
[ 10.940513] usbcore: registered new interface driver btusb
[ 10.991348] ppdev: user-space parallel port driver
[ 10.998999] XFS (sda1): Mounting V5 Filesystem
[ 11.698910] XFS (sda1): Ending clean mount
[ 12.255591] type=1305 audit(1607994087.104:3): audit_pid=635 old=0 auid=4294967295 ses=4294967295 res=1
(8)[root@localhost ~]# tail /var/log/audit/audit.log //system audit log
(9)# tail /var/log/mysqld.log //MySQL
(10)# tail /var/log/xferlog //related to FTP server access
(11)# tail /var/log/wtmp //currently logged-in users (command: w)
(12)# tail /var/log/btmp //recently logged-in users (command: last)
(13)# tail /var/log/lastlog //login records of all users (command: lastlog)
IV. rsyslogd configuration
1. Related packages
yum install rsyslog logrotate //installed by default
2. Start the service
systemctl start rsyslog.service
3. Related files
[root@localhost ~]# rpm -qc rsyslog
/etc/logrotate.d/syslog
/etc/rsyslog.conf
/etc/sysconfig/rsyslog
rpm -qc rsyslog //list the logging program's configuration files; -c means query configuration files
/etc/rsyslog.conf //rsyslogd's main configuration file (the key one)
/etc/sysconfig/rsyslog //rsyslogd-related file, defines the level
/etc/logrotate.d/syslog //related to log rotation (splitting)
V. The main configuration file /etc/rsyslog.conf
[root@localhost ~]# vim /etc/rsyslog.conf
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
1. RULES
RULES are the rules: a set of policies for generating logs and for storing them.
A rule is made up of three parts: the FACILITY (source), the LEVEL (priority) and the FILE (storage location).
authpriv.* /var/log/secure (SSH information)
mail.* -/var/log/maillog (sending mail)
cron.* /var/log/cron (cron jobs)
The - sign here means the log is written asynchronously, because this log is usually fairly large.
*.info;mail.none;authpriv.none;cron.none /var/log/messages
The system log excludes the mail, authentication and cron logs.
2. FACILITY & LEVEL
(1) facility
1) facility
A facility is the system's definition of a certain type of application event; for example, AUTHPRIV is security events and CRON is scheduled-task events. It is used to collect the logs of programs of the same kind.
2) Facility types
LOG_SYSLOG messages generated by syslogd itself
LOG_AUTHPRIV security/authentication
LOG_CRON scheduler (cron and at)
LOG_MAIL mail subsystem
LOG_USER (default) user-level messages
LOG_DAEMON background daemons
LOG_FTP ftp daemon
LOG_KERN kernel messages
LOG_LPR printer subsystem
LOG_LOCAL0 through LOG_LOCAL7 user-defined facilities
(2) level
(3) Example: changing a program's facility
1) Change the facility used by the ssh daemon
[root@localhost ~]# vim /etc/ssh/sshd_config
#SyslogFacility AUTHPRIV
SyslogFacility LOCAL5
2) Modify the rsyslog rules
[root@localhost ~]# vim /etc/rsyslog.conf
local7.* /var/log/boot.log
local5.* /var/log/sunny
3) Restart rsyslog and sshd
After the configuration is rewritten it only exists on disk and has not been loaded, so it takes effect only after a restart: on restart the file on disk is read into memory, i.e. reloaded.
[root@localhost ~]# systemctl restart rsyslog sshd
4) Log in to the server from another terminal and observe the new log file.
[root@localhost ~]# ll /var/log/secure /var/log/sunny
-rw------- 1 root root 8669 12月 16 21:11 /var/log/secure
-rw------- 1 root root 373 12月 16 21:11 /var/log/sunny
[root@localhost ~]# exit
登出
连接断开
连接成功
Last login: Wed Dec 16 21:11:37 2020 from 192.168.64.1
[root@localhost ~]# ll /var/log/secure /var/log/sunny
-rw------- 1 root root 8863 12月 16 21:12 /var/log/secure
-rw------- 1 root root 536 12月 16 21:12 /var/log/sunny
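To tie the RULES explanation in section V to the sshd facility change in steps 1) to 4), here is an added shell example (not from the original page) that resolves which actions a message with a given facility and level matches, using the selector forms the page's configuration uses: facility.level, comma-separated facilities, `*`, `none` and `;`-chained selectors. The rule text (the page's RULES section plus the local5 rule from step 2), the sshd_config fragment and the function names rsyslog_destinations, destinations_for and sshd_facility are all constructed for this example. It shows that after the change an info-level sshd message matches both `*.info` and `local5.*`, so it is written to /var/log/messages as well as /var/log/sunny, while authpriv messages still go only to /var/log/secure.

```shell
# Added example (not from the original page): resolve where rsyslog's RULES send a
# message. A level selector matches that level or anything more severe; a later
# "none" for the same facility cancels an earlier match, which is how
# "*.info;authpriv.none" keeps authpriv traffic out of /var/log/messages.

# Constructed copy of the page's RULES section with the local5 rule from step 2 added.
RSYSLOG_RULES='#### RULES ####
#kern.*                                                 /dev/console
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
local5.*                                                /var/log/sunny'

# Constructed sshd_config fragment mirroring the page's change.
SSHD_CONFIG='#SyslogFacility AUTHPRIV
SyslogFacility LOCAL5'

# Usage: rsyslog_destinations <facility> <level> < rsyslog.conf
# Prints the action of every rule the message matches, one per line, in config
# order. A leading "-" on a file is kept: the page explains it means asynchronous writes.
rsyslog_destinations() {
    awk -v fac="$1" -v msgpri="$2" '
        BEGIN {
            # syslog severities: 0 = most severe (emerg) .. 7 = least severe (debug)
            n = split("emerg alert crit err warning notice info debug", names, " ")
            for (i = 1; i <= n; i++) sev[names[i]] = i - 1
            sev["panic"] = 0; sev["error"] = 3; sev["warn"] = 4   # legacy spellings
            if (!(msgpri in sev)) { print "unknown level: " msgpri > "/dev/stderr"; exit 2 }
        }
        # skip comments, blank lines, $directives and anything that is not "selector action"
        /^[ \t]*#/ || /^[ \t]*$/ || NF < 2 || $1 ~ /^\$/ { next }
        {
            matched = 0
            n = split($1, parts, ";")
            for (p = 1; p <= n; p++) {
                dot = index(parts[p], ".")
                if (dot == 0) continue
                faclist = substr(parts[p], 1, dot - 1)      # "uucp,news" in uucp,news.crit
                pri = substr(parts[p], dot + 1)              # "crit"
                m = split(faclist, facs, ",")
                hit = 0
                for (f = 1; f <= m; f++) if (facs[f] == "*" || facs[f] == fac) hit = 1
                if (!hit) continue                           # selector is about other facilities
                if (pri == "none") matched = 0               # later none cancels an earlier match
                else if (pri == "*") matched = 1
                else if (pri in sev) matched = (sev[msgpri] <= sev[pri])   # this level or more severe
            }
            if (matched) print $2
        }'
}

# Usage: destinations_for <facility> <level>
# Same lookup over the constructed $RSYSLOG_RULES, joined on one line for easy checking.
destinations_for() {
    printf '%s\n' "$RSYSLOG_RULES" | rsyslog_destinations "$1" "$2" | tr '\n' ' ' | sed 's/ *$//'
}

# Usage: sshd_facility < sshd_config
# Prints the active SyslogFacility in lower case (the spelling rsyslog selectors use).
# Falls back to "auth", the compiled-in OpenSSH default when the option is unset.
sshd_facility() {
    awk 'tolower($1) == "syslogfacility" { f = tolower($2) } END { print (f == "" ? "auth" : f) }'
}

# Demonstration: after the page's change sshd logs as local5, so an info-level login
# message lands in BOTH /var/log/messages (via *.info) and /var/log/sunny.
fac=$(printf '%s\n' "$SSHD_CONFIG" | sshd_facility)
echo "sshd facility: $fac -> $(destinations_for "$fac" info)"
echo "authpriv info  -> $(destinations_for authpriv info)"
```

On a real host, `rsyslog_destinations local5 info < /etc/rsyslog.conf` checks the live file. Only the legacy "selector action" lines are interpreted: `$` directives and rsyslog's newer `module(...)`/`action(...)` syntax are skipped, and the `=level` and `!level` modifiers, which the page does not use, are ignored.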