Linux system logs
Contents:
• /var/log/messages
• /etc/logrotate.conf, the log rotation configuration file
Reference: https://my.oschina.net/u/2000675/blog/908189
• The dmesg command
• The /var/log/dmesg log
• The last command, which reads the file /var/log/wtmp
• The lastb command shows users whose logins failed; its file is /var/log/btmp
• /var/log/secure and /var/log/messages. /var/log/messages is the system's overall log (syslog) and the first file to check when diagnosing a fault. The system has a rotation mechanism: the log is switched over once a week, and the rotated file gets a name like messages-20170930 and is kept under /var/log/.
Why does the system rotate logs at all? Because Linux has a service, logrotate, whose job is to keep system logs from growing without bound.
Hands-on:
/etc/logrotate.conf, the log rotation configuration file
[root@linux-128 ~]# cat /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly \\ rotate once a week
# keep 4 weeks worth of backlogs
rotate 4 \\ keep 4 rotated copies, i.e. one month
# create new (empty) log files after rotating old ones
create \\ create a new empty log file after rotating
# use date as a suffix of the rotated file
dateext \\ date suffix on the rotated file
# uncomment this if you want your log files compressed
#compress \\ whether to compress the rotated logs (the author notes .tar.gz; logrotate's default compressor is gzip, giving .gz)
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d \\ also pulls in the directory /etc/logrotate.d
# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
minsize 1M
rotate 1
}
/var/log/btmp {
missingok
monthly
create 0600 root utmp
rotate 1
}
# system-specific logs may be also be configured here.
Now look at /etc/logrotate.d, which the configuration file above includes:
[root@linux-128 ~]# ls /etc/logrotate.d
chrony ppp syslog wpa_supplicant yum
Look at the syslog entry under /etc/logrotate.d/:
[root@linux-128 ~]# cat /etc/logrotate.d/syslog
/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
missingok
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}
The service that writes /var/log/messages is syslogd; the /bin/kill -HUP in postrotate restarts (reloads) it so that it reopens the freshly created log file instead of continuing to write into the rotated one.
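The following is an added example, not part of the original notes, showing what the directives above (create, dateext, rotate N) and the postrotate kill -HUP actually achieve. The shell itself plays the daemon by holding a file descriptor open on the log, the way syslogd keeps /var/log/messages open; the temporary paths, the app.log name and the dates are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original notes: what "create", "dateext",
# "rotate N" and the postrotate "kill -HUP" in the config above actually do.
# The shell plays the daemon by holding fd 3 open on the log, the way
# syslogd keeps /var/log/messages open. Paths and dates are constructed.
set -eu

# demo_rotation: rename + create the way logrotate does, then show that the
# daemon keeps writing to the old inode until it reopens the file by name.
# Prints "<lines in new log before reopen> <after reopen> <lines in old log>".
demo_rotation() {
  work=$(mktemp -d)
  log="$work/app.log"

  exec 3>>"$log"                       # daemon opens its log once
  echo "written before rotation" >&3

  mv "$log" "$log-20170930"            # "dateext": rotated copy gets a date suffix
  : > "$log"                           # "create": new empty log under the old name

  echo "written after rotation, before HUP" >&3   # still lands in the old inode
  before=$(wc -l < "$log" | tr -d ' ')

  exec 3>&-                            # what the daemon's HUP handler does: close ...
  exec 3>>"$log"                       # ... and reopen the log by name
  echo "written after reopen" >&3
  after=$(wc -l < "$log" | tr -d ' ')
  old=$(wc -l < "$log-20170930" | tr -d ' ')

  exec 3>&-
  rm -rf "$work"
  echo "$before $after $old"
}

# prune_rotated: emulate "rotate N" together with "dateext": keep only the N
# newest dated copies of a log. Usage: prune_rotated /path/app.log 4
# Prints how many rotated copies remain.
prune_rotated() {
  base=$1
  keep=$2
  ls -1 "$base"-[0-9]* 2>/dev/null | sort -r | tail -n +"$((keep + 1))" |
    while read -r f; do rm -f "$f"; done
  ls -1 "$base"-[0-9]* 2>/dev/null | wc -l | tr -d ' '
}
```

Running demo_rotation prints 0 1 2: the new file stays empty while the daemon still holds the old descriptor, which is exactly the gap the postrotate HUP closes. prune_rotated shows the retention side: with rotate 4, the fifth and older dated copies are removed.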
The dmesg command
- Shows the kernel's boot-time messages; if a piece of hardware has a problem, for example the network card, this command will show it
- dmesg -c prints the buffer and then clears it
Security logs
The last command
- The last command shows the history of successful logins; it reads /var/log/wtmp, which is a binary file and cannot be viewed with cat, more, less, head or tail
- The lastb command shows the history of failed logins; it reads /var/log/btmp
/var/log/secure is also a login-related log; it records both successful and failed logins, so for example a brute-force attempt shows up there
[root@linux-128 ~]# tail -5 /var/log/secure
Apr 4 12:51:13 linux-128 polkitd[545]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Apr 4 12:51:34 linux-128 sshd[1333]: Server listening on 0.0.0.0 port 22.
Apr 4 12:51:34 linux-128 sshd[1333]: Server listening on :: port 22.
Apr 4 12:52:56 linux-128 sshd[2737]: Accepted publickey for root from 192.168.88.1 port 49461 ssh2: RSA 96:50:9f:6b:eb:62:48:cf:ef:f2:51:6f:bc:03:9e:72
Apr 4 12:52:56 linux-128 sshd[2737]: pam_unix(sshd:session): session opened for user root by (uid=0)
Experiment: on machine A, run tail -f /var/log/secure to watch the log live; from machine B, connect to A over SSH with
ssh root@192.168.88.128 and then enter a wrong password; the failed attempt shows up immediately on machine A
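As an added example (not part of the original notes), here is a small triage script for the brute-force case the notes mention: it counts "Failed password" lines in /var/log/secure per source address and lists the addresses over a threshold. The log lines are constructed for the demo (the Accepted line reuses the one shown above; 203.0.113.9 is a documentation address), and the threshold of 3 is an assumption.

```shell
#!/bin/sh
# Added example, not from the original notes: triage /var/log/secure for
# repeated failed logins per source address. The sample lines below are
# constructed; on a real host pipe in: tail -n 1000 /var/log/secure.
set -eu

SAMPLE_SECURE=$(cat <<'EOF'
Apr  4 12:52:56 linux-128 sshd[2737]: Accepted publickey for root from 192.168.88.1 port 49461 ssh2: RSA 96:50:9f:6b:eb:62:48:cf:ef:f2:51:6f:bc:03:9e:72
Apr  4 13:01:02 linux-128 sshd[2801]: Failed password for root from 192.168.88.1 port 50123 ssh2
Apr  4 13:01:05 linux-128 sshd[2801]: Failed password for root from 192.168.88.1 port 50123 ssh2
Apr  4 13:02:10 linux-128 sshd[2810]: Failed password for invalid user admin from 203.0.113.9 port 41000 ssh2
Apr  4 13:02:12 linux-128 sshd[2810]: Failed password for invalid user admin from 203.0.113.9 port 41000 ssh2
Apr  4 13:02:14 linux-128 sshd[2811]: Failed password for invalid user oracle from 203.0.113.9 port 41002 ssh2
Apr  4 13:02:16 linux-128 sshd[2812]: Failed password for root from 203.0.113.9 port 41004 ssh2
Apr  4 13:05:00 linux-128 sshd[2820]: Accepted password for root from 192.168.88.1 port 50130 ssh2
EOF
)

# failed_by_source: read secure-log lines on stdin, print "<count> <ip>" for
# every source address with "Failed password" lines, highest count first.
failed_by_source() {
  awk '/sshd\[[0-9]+\]: Failed password for/ {
         # the address always follows the word "from", whatever the user part looks like
         for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
       }
       END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# brute_force_sources: addresses with at least N failures (N defaults to 3,
# an assumed threshold; tune it to the host's normal failure rate).
brute_force_sources() {
  threshold=${1:-3}
  failed_by_source | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Usage on the constructed sample:
#   printf '%s\n' "$SAMPLE_SECURE" | failed_by_source
#   printf '%s\n' "$SAMPLE_SECURE" | brute_force_sources 3
```

The "Accepted" lines are deliberately left out of the count; when a source shows many failures followed by an Accepted line, that success is the one to investigate next.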
The screen command
Contents:
• Purpose: keep a task from being interrupted unexpectedly
• nohup command &
• screen is a virtual terminal
• yum install -y screen
• Running screen and pressing Enter drops you into a virtual terminal
• Ctrl+a followed by d detaches from the virtual terminal without ending it
• screen -ls lists the virtual terminals
• screen -r id attaches to the specified terminal
• screen -S aming creates a session named aming
• screen -r aming reattaches to the session named aming
• screen -wipe aming # removes the session
Hands-on:
[root@linux-128 ~]# screen
[detached from 2863.pts-0.linux-128]
[1]+ 完成 nohup sleep 100
[root@linux-128 ~]# screen -ls
There is a screen on:
2863.pts-0.linux-128 (Detached)
1 Socket in /var/run/screen/S-root.
[root@linux-128 ~]# screen
[detached from 2882.pts-0.linux-128]
[root@linux-128 ~]# screen -ls
There are screens on:
2882.pts-0.linux-128 (Detached)
2863.pts-0.linux-128 (Detached)
2 Sockets in /var/run/screen/S-root.
[root@linux-128 ~]# screen -r 2882
[detached from 2882.pts-0.linux-128]
[root@linux-128 ~]# screen -S "wuzhou"
[detached from 2917.wuzhou]
[root@linux-128 ~]# screen -ls
There are screens on:
2917.wuzhou (Detached)
2900.pts-0.linux-128 (Detached)
2882.pts-0.linux-128 (Detached)
2863.pts-0.linux-128 (Detached)
4 Sockets in /var/run/screen/S-root.
[root@linux-128 ~]# screen -r wuzhou
[detached from 2917.wuzhou]
To close a screen session, first attach to it, then press Ctrl+d or type exit.
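The session above is interactive; as an added example that is not part of the original notes, the script below shows how to drive screen from a script and how to pick a session id out of screen -ls output in the format shown above. The sample listing is constructed (real screen output separates the columns with tabs), and the session name backup in the usage comments is an assumption.

```shell
#!/bin/sh
# Added example, not from the original notes: parse `screen -ls` output and
# pick the id to pass to `screen -r`. The listing below is constructed in the
# format shown in the notes; real output uses tabs between the columns.
set -eu

SAMPLE_SCREEN_LS='There are screens on:
        2917.wuzhou     (Detached)
        2900.pts-0.linux-128    (Attached)
        2882.pts-0.linux-128    (Detached)
3 Sockets in /var/run/screen/S-root.'

# list_sessions: for each session line on stdin print "pid name state".
# Session lines start with "<pid>.<name>"; header and footer lines do not.
list_sessions() {
  awk '$1 ~ /^[0-9]+\./ {
         split($1, a, ".")
         name = substr($1, length(a[1]) + 2)   # everything after "pid."
         state = $2
         gsub(/[()]/, "", state)
         print a[1], name, state
       }'
}

# detached_named: pid of the detached session with the given name, or nothing.
# Only a detached session can be resumed with `screen -r`.
detached_named() {
  list_sessions | awk -v want="$1" '$2 == want && $3 == "Detached" { print $1; exit }'
}

# Real usage (needs screen installed; not executed here):
#   screen -dmS backup sh -c 'tar czf /tmp/etc.tgz /etc'   # start a detached session
#   pid=$(screen -ls | detached_named backup)               # find it by name
#   screen -r "$pid"                                         # attach
#   screen -S backup -X quit                                 # terminate without attaching
```

Resolving the pid by name matters when several sessions share a name like pts-0.linux-128, as in the listing above: screen -r with an ambiguous name fails, while the pid is unique.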