I. Understanding log management
1. Check whether the rsyslog service is running
### check whether the service is running
[root@myserver ~]# ps aux | grep rsyslogd
root 781 0.0 0.2 251584 4708 ? Sl Mar08 0:06 /sbin/rsyslogd -i /var/run/syslogd.pid -c 5
root 23178 0.0 0.0 103256 840 pts/0 S+ 22:23 0:00 grep rsyslogd
[root@myserver ~]#
2. Check whether the service starts at boot
### check whether the service is enabled at boot
[root@myserver ~]# chkconfig --list | grep rsyslog
rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
3. Purpose of common logs
4. The last command
4.1 This command lists information about the users currently logged in to the system and those who have logged in before.
When last runs it reads the file named wtmp under /var/log and prints every login to the system recorded in that file. By default it shows the records in wtmp; btmp can show more detail, including remote logins such as SSH logins.
[root@myserver ~]# last
root pts/2 121.35.180.127 Sat May 20 03:42 still logged in
root pts/0 121.35.180.127 Sat May 20 03:34 still logged in
root pts/0 121.35.180.127 Sat May 20 03:31 - 03:34 (00:02)
root pts/0 121.35.180.127 Fri May 19 22:21 - 00:34 (02:13)
root pts/0 183.39.156.12 Wed May 17 23:13 - 23:44 (00:31)
root pts/3 61.144.175.139 Wed May 17 00:16 - 00:43 (00:27)
root pts/0 61.144.175.139 Wed May 17 00:07 - 02:20 (02:13)
root pts/2 61.144.175.139 Tue May 16 23:58 - 02:12 (02:14)
root pts/0 61.144.175.139 Tue May 16 21:44 - 00:02 (02:17)
root pts/0 113.87.163.216 Wed May 3 23:15 - 01:27 (02:12)
root pts/0 113.87.162.197 Tue May 2 22:57 - 01:15 (02:17)
root pts/3 220.231.189.27 Wed Apr 26 13:57 - 17:20 (03:22)
root pts/2 220.231.189.27 Wed Apr 26 13:56 - 13:57 (00:01)
root pts/0 220.231.189.27 Wed Apr 26 11:42 - 14:04 (02:22)
root pts/0 113.87.160.146 Wed Apr 26 00:41 - 01:15 (00:33)
root pts/2 113.87.160.146 Tue Apr 25 22:21 - 02:06 (03:45)
root pts/0 113.87.160.146 Tue Apr 25 21:38 - 23:54 (02:15)
root pts/0 220.231.189.27 Sat Apr 22 09:03 - 11:14 (02:11)
root pts/0 113.110.228.127 Fri Apr 21 23:19 - 01:47 (02:28)
root pts/0 113.87.163.93 Tue Apr 18 23:42 - 02:34 (02:52)
root pts/0 113.87.160.93 Tue Apr 18 00:53 - 01:09 (00:15)
root pts/2 113.87.160.93 Mon Apr 17 23:25 - 01:37 (02:12)
root pts/2 113.87.160.93 Mon Apr 17 21:37 - 21:37 (00:00)
root pts/0 113.87.160.93 Mon Apr 17 21:36 - 23:50 (02:13)
root pts/0 113.87.161.54 Thu Mar 30 23:10 - 02:32 (03:22)
root pts/0 220.231.189.27 Mon Mar 27 19:33 - 19:58 (00:25)
root pts/0 113.87.162.239 Mon Mar 20 22:23 - 00:35 (02:11)
user1 pts/3 220.231.189.27 Mon Mar 20 17:35 - 19:51 (02:15)
user1 pts/3 220.231.189.27 Mon Mar 20 17:28 - 17:31 (00:02)
root pts/0 220.231.189.27 Mon Mar 20 17:17 - 19:49 (02:31)
root pts/2 220.231.189.27 Mon Mar 20 16:32 - 18:43 (02:11)
root pts/0 220.231.189.27 Mon Mar 20 14:59 - 17:13 (02:14)
root pts/2 220.231.189.27 Thu Mar 16 11:28 - 13:40 (02:11)
root pts/0 220.231.189.27 Thu Mar 16 09:46 - 12:00 (02:13)
root pts/0 113.87.162.165 Wed Mar 15 23:23 - 01:35 (02:12)
root pts/2 220.231.189.27 Tue Mar 14 14:45 - 14:47 (00:01)
root pts/0 220.231.189.27 Tue Mar 14 14:38 - 16:58 (02:20)
root pts/1 183.39.158.19 Mon Mar 13 22:58 - 00:16 (01:18)
root pts/0 183.39.158.19 Mon Mar 13 21:52 - 00:36 (02:44)
root pts/0 220.231.189.27 Thu Mar 9 16:59 - 19:24 (02:24)
root pts/0 113.87.162.78 Wed Mar 8 23:42 - 00:31 (00:49)
root pts/0 220.231.189.27 Wed Mar 8 20:29 - 23:28 (02:59)
root pts/0 220.231.189.27 Wed Mar 8 17:30 - 20:06 (02:36)
reboot system boot 2.6.32-573.22.1. Wed Mar 8 17:30 - 03:42 (72+10:12)
root pts/0 220.231.189.27 Wed Mar 8 17:18 - down (00:11)
reboot system boot 2.6.32-573.22.1. Wed Mar 8 17:17 - 17:29 (00:12)
root pts/0 220.231.189.27 Wed Mar 8 17:13 - down (00:03)
reboot system boot 2.6.32-573.22.1. Wed Mar 8 17:13 - 17:17 (00:04)
root pts/0 220.231.189.27 Wed Mar 8 17:05 - down (00:07)
reboot system boot 2.6.32-573.22.1. Wed Mar 8 17:05 - 17:12 (00:07)
root pts/3 220.231.189.27 Wed Mar 8 16:49 - down (00:15)
root pts/2 220.231.189.27 Wed Mar 8 15:37 - down (01:27)
root pts/2 220.231.189.27 Wed Mar 8 15:22 - 15:26 (00:03)
root pts/2 220.231.189.27 Wed Mar 8 10:24 - 10:57 (00:32)
root pts/2 220.231.189.27 Thu Feb 16 16:30 - 18:44 (02:13)
root pts/2 220.231.189.27 Wed Jan 4 10:17 - 12:30 (02:13)
root pts/1 220.231.189.27 Fri Dec 16 15:41 - 17:36 (01:54)
root pts/0 220.231.189.27 Fri Dec 16 15:32 - 18:29 (02:56)
root pts/0 116.76.114.106 Thu Dec 15 22:57 - 23:08 (00:10)
root pts/0 220.231.189.27 Thu Dec 15 09:47 - 10:13 (00:25)
root tty1 Thu Dec 15 09:46 - down (83+07:18)
reboot system boot 2.6.32-573.22.1. Thu Dec 15 09:44 - 17:04 (83+07:20)
reboot system boot 2.6.32-573.22.1. Thu Dec 15 09:43 - 09:43 (00:00)
root pts/0 46.102.47.49 Thu Dec 15 04:45 - crash (04:57)
wtmp begins Thu Dec 15 04:45:27 2016
4.2 Meaning of the output columns
Column 1: user name.
Column 2: terminal. pts/0 (pseudo-terminal) means a user who connected remotely, for example via SSH or telnet; tty (teletypewriter) means a user connected directly to the machine, that is, a local login.
Column 3: login IP address, or the kernel. If you see :0.0 or nothing at all, the user connected from a local terminal. For reboot entries this column shows the kernel version instead.
Column 4: start time.
Column 5: end time ("still logged in": the session has not ended; "down": the session lasted until a normal shutdown; "crash": the session lasted until an unclean shutdown).
Column 6: duration.
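The column layout above is what a reviewer of wtmp data actually works with: which accounts logged in from which addresses, and which sessions are still open. The following POSIX shell script is an added example, not part of the original post; it summarises last-style output per user and remote address using that layout. SAMPLE is constructed data in the same format as the listing above (the addresses and times are taken from it); on a real host pipe the output of last (or last -i, which forces numeric addresses) into logins_by_host instead.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise `last` output by
# user and remote address using the six-column layout described above.
# SAMPLE is constructed test data in the format `last` prints.

SAMPLE='root     pts/2        121.35.180.127   Sat May 20 03:42   still logged in
root     pts/0        121.35.180.127   Sat May 20 03:34   still logged in
user1    pts/3        220.231.189.27   Mon Mar 20 17:35 - 19:51  (02:15)
root     tty1                          Thu Dec 15 09:46 - down   (83+07:18)
reboot   system boot  2.6.32-573.22.1. Thu Dec 15 09:44 - 17:04  (83+07:20)
root     pts/0        46.102.47.49     Thu Dec 15 04:45 - crash  (04:57)

wtmp begins Thu Dec 15 04:45:27 2016'

# logins_by_host reads last-style lines on stdin and prints one line per
# user/host pair as "<sessions> <user> <host>", most sessions first.
# Reboot records, the "wtmp begins" trailer and blank lines are skipped,
# as are console (tty) logins, which carry no address in column 3.
logins_by_host() {
    awk '
        NF == 0 || $1 == "reboot" || $1 == "wtmp" { next }
        $2 ~ /^tty/ { next }
        { count[$1 " " $3]++ }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# sessions_from prints how many sessions in SAMPLE came from one address
# (0 when the address never appears).
sessions_from() {
    printf '%s\n' "$SAMPLE" | logins_by_host |
        awk -v h="$1" '$3 == h { n += $1 } END { print n + 0 }'
}

# active_sessions prints the number of sessions whose column 5 reads
# "still logged in", i.e. sessions that have not ended yet.
active_sessions() {
    printf '%s\n' "$SAMPLE" | grep -c 'still logged in'
}

printf '%s\n' "$SAMPLE" | logins_by_host
echo "active sessions: $(active_sessions)"
```

The per-address count is the quickest way to spot an account being used from an address that does not belong to the usual operators, and the "still logged in" count is worth checking alongside who or w, since a session that never closed is visible here even after the terminal is gone.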
5. Logs of RPM-installed services
Besides the system's default logs, services installed from RPM packages also write their logs by default under /var/log/ in a directory named after the package. These logs are not written or managed by rsyslogd, however; each service records its own logs with its own logging mechanism.
Common RPM package logs are kept in the following locations (when the corresponding RPM service is installed):
II. The rsyslogd service
1. Log file format
2. The /etc/rsyslog.conf configuration file
Connectors used in the configuration file
Log levels
Log destinations
III. Log rotation
1. Naming rules for rotated logs
1.1 When the dateext parameter is configured
1.2 When dateext is not configured
2. The logrotate configuration file
[root@wenhaijin ~]# vim /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
# rotate logs once a week
weekly
# keep 4 weeks worth of backlogs
# number of rotations to keep: four old logs are retained
rotate 4
# create new (empty) log files after rotating old ones
# create a new log file after rotation
create
# use date as a suffix of the rotated file
# name rotated files with the date as suffix
dateext
# uncomment this if you want your log files compressed
# compression is left disabled
#compress
# RPM packages drop log rotation information into this directory/etc/logrotate.d
# include every configuration file under the /etc/logrotate.d subdirectory
include /etc/logrotate.d
# no packages own wtmp and btmp -- we'll rotate them here
# the blocks below hold settings for particular logs; like local variables, directives inside the braces override the global settings above
/var/log/wtmp {
monthly
create 0664 root utmp
"/etc/logrotate.conf" 35L, 662C
3. Adding Apache logs to rotation
As a rule, programs installed from RPM packages need no log rotation configuration from us, because it is already set up by default. Only programs installed from source need it, and those should always get it, especially a service like Apache whose logs grow very large: without log splitting and rotation they can easily fill the server's disk.
4. Using the logrotate command
4.1 Use the -v option to watch the rotation process
[root@wenhaijin ~]# logrotate -v /etc/logrotate.conf
reading config file /etc/logrotate.conf
including /etc/logrotate.d
reading config file cups
reading config info for /var/log/cups/*_log
reading config file dracut
reading config info for /var/log/dracut.log
reading config file httpd
reading config info for /var/log/httpd/*log
reading config file mysql
reading config info for /var/lib/mysql/mysqld.log
reading config file psacct
reading config info for /var/account/pacct
reading config file syslog
reading config info for /var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
reading config file yum
reading config info for /var/log/yum.log
reading config info for /var/log/wtmp
reading config info for /var/log/btmp
Handling 9 logs
rotating pattern: /var/log/cups/*_log weekly (4 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/cups/error_log
log needs rotating
rotating log /var/log/cups/error_log, log->rotateCount is 4
dateext suffix '-20170531'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
renaming /var/log/cups/error_log to /var/log/cups/error_log-20170531
creating new /var/log/cups/error_log mode = 0600 uid = 0 gid = 7
removing old log /var/log/cups/error_log-20170207
rotating pattern: /var/log/dracut.log 1048576 bytes (4 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/dracut.log
log does not need rotating
rotating pattern: /var/log/httpd/*log weekly (4 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/httpd/access_log
log does not need rotating
considering log /var/log/httpd/error_log
log does not need rotating
not running postrotate script, since no logs were rotated
rotating pattern: /var/lib/mysql/mysqld.log after 1 days (5 rotations)
empty log files are not rotated, old logs are removed
considering log /var/lib/mysql/mysqld.log
log /var/lib/mysql/mysqld.log does not exist -- skipping
not running postrotate script, since no logs were rotated
rotating pattern: /var/account/pacct after 1 days (31 rotations)
empty log files are not rotated, old logs are removed
considering log /var/account/pacct
log does not need rotating
not running postrotate script, since no logs were rotated
rotating pattern: /var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
weekly (4 rotations)
empty log files are rotated, old logs are removed
considering log /var/log/cron
log needs rotating
considering log /var/log/maillog
log needs rotating
considering log /var/log/messages
log needs rotating
considering log /var/log/secure
log needs rotating
considering log /var/log/spooler
log needs rotating
rotating log /var/log/cron, log->rotateCount is 4
dateext suffix '-20170531'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
rotating log /var/log/maillog, log->rotateCount is 4
dateext suffix '-20170531'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
rotating log /var/log/messages, log->rotateCount is 4
dateext suffix '-20170531'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
rotating log /var/log/secure, log->rotateCount is 4
dateext suffix '-20170531'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
rotating log /var/log/spooler, log->rotateCount is 4
dateext suffix '-20170531'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
renaming /var/log/cron to /var/log/cron-20170531
creating new /var/log/cron mode = 0644 uid = 0 gid = 0
renaming /var/log/maillog to /var/log/maillog-20170531
creating new /var/log/maillog mode = 0644 uid = 0 gid = 0
renaming /var/log/messages to /var/log/messages-20170531
creating new /var/log/messages mode = 0644 uid = 0 gid = 0
renaming /var/log/secure to /var/log/secure-20170531
creating new /var/log/secure mode = 0644 uid = 0 gid = 0
renaming /var/log/spooler to /var/log/spooler-20170531
creating new /var/log/spooler mode = 0644 uid = 0 gid = 0
running postrotate script
removing old log /var/log/cron-20170326
removing old log /var/log/maillog-20170326
removing old log /var/log/messages-20170326
removing old log /var/log/secure-20170326
removing old log /var/log/spooler-20170326
rotating pattern: /var/log/yum.log yearly (4 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/yum.log
log does not need rotating
rotating pattern: /var/log/wtmp monthly (1 rotations)
empty log files are rotated, only log files >= 1048576 bytes are rotated, old logs are removed
considering log /var/log/wtmp
log does not need rotating
rotating pattern: /var/log/btmp monthly (1 rotations)
empty log files are rotated, old logs are removed
considering log /var/log/btmp
log needs rotating
rotating log /var/log/btmp, log->rotateCount is 1
dateext suffix '-20170531'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
renaming /var/log/btmp to /var/log/btmp-20170531
creating new /var/log/btmp mode = 0600 uid = 0 gid = 22
removing old log /var/log/btmp-20170401
4.2 Use the -f option to force a rotation
When the server's clock was wrong and has since been synchronised, the logs may not have been rotated. For example, the current date is 2017-05-31 but the server's clock says 2017-04-20; after the clock is synchronised, the logs covering 2017-04-20 to 2017-05-31 have not been rotated. In that case logrotate -f can be used to force a rotation.
### after forcing a rotation with the following command, the logs of the corresponding programs are rotated
[root@wenhaijin ~]# logrotate -f /etc/logrotate.conf
[root@wenhaijin ~]#
5. Managing nginx logs and web application logs with logrotate in practice
5.1 Managing nginx log rotation with logrotate
### go to the logrotate configuration directory
cd /etc/logrotate.d/
### create a file to hold the rotation configuration for the nginx logs
touch nginx
### edit the configuration file
vim nginx
### add the following content
/app/nginx/logs/*.log {
daily
rotate 5
compress
### missingok: without it logrotate reports an error when the specified path does not exist; this directive suppresses that error
missingok
### sharedscripts: the postrotate script runs only once after the logs have been processed, not once per log file
sharedscripts
### postrotate: commands to run after rotation (before the old logs are compressed)
postrotate
if [ -f /app/nginx/logs/nginx.pid ]; then
kill -USR1 `cat /app/nginx/logs/nginx.pid`
fi
endscript
}
Run the following command by hand to have logrotate perform one rotation for us
/usr/sbin/logrotate -f /etc/logrotate.d/nginx
Then look at nginx's log directory
cd /app/nginx/logs
### the nginx log files have been split and compressed
[*********** logs]$ ls
access.log access.log.2.gz access.log.4.gz error.log error.log.2.gz error.log.4.gz nginx.pid
access.log.1.gz access.log.3.gz access.log.5.gz error.log.1.gz error.log.3.gz error.log.5.gz
Once the logs are split and compressed like this, further actions become possible, for example a scheduled task that moves the compressed files out of the directory, which prevents oversized log files from filling the disk.
5.2 Managing web application log rotation with logrotate
### go to the logrotate configuration directory
cd /etc/logrotate.d/
### create a file to hold the rotation configuration for the front component
touch front
vim front
### add the following configuration
/app/imodule/web/tomcat-front/logs/catalina.out {
daily
rotate 5
create
dateext
}
Save and quit, then run the following command by hand:
/usr/sbin/logrotate -f /etc/logrotate.d/front
Then look at the log directory of the front project
cd /app/imodule/web/tomcat-front/logs
### the log file has been split, with the date as suffix
[*********** logs]$ ls
catalina.out catalina.out-20171220
Further reading (the USR1 signal):
When rotating nginx logs with logrotate, the following script is used:
if [ -f /app/nginx/logs/nginx.pid ]; then
kill -USR1 `cat /app/nginx/logs/nginx.pid`
fi
USR1 is also commonly used to tell an application to reload its configuration file. For example, sending USR1 to the Apache HTTP Server triggers the following steps: stop accepting new connections, wait for current connections to finish, reload the configuration file, reopen the log files and restart the server, which achieves a relatively smooth change without shutting the server down.
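The reason the postrotate block in 5.1 has to send USR1 at all is the one the note above only implies: a daemon keeps its log file descriptor open, so logrotate's rename moves the file but not the descriptor, and writes keep landing in the rotated file until the process closes and reopens the path. The following POSIX shell script is an added example, not part of the original post or of nginx; it reproduces that behaviour in a temporary directory with a plain file descriptor standing in for the daemon's log handle. The directory, the access.log name, the -20170531 suffix and the "request N" lines are constructed for the demonstration; no nginx process, signal or /app path is involved.

```shell
#!/bin/sh
# Added example, not from the original post: why a rotated log keeps growing
# until the writing process reopens it. fd 3 plays the role of the daemon's
# open log handle; mv plays the role of logrotate; close-and-reopen plays
# the role of what nginx does when it receives USR1.

# rotate_without_reopen writes through an open descriptor, renames the file
# the way logrotate does, writes again and checks where the line ended up.
# It returns 0 when the second line landed in the renamed file and no new
# access.log was created, which is exactly the problem USR1 exists to fix.
rotate_without_reopen() {
    dir=$(mktemp -d) || return 1
    log="$dir/access.log"
    exec 3>>"$log"                 # the "daemon" opens its log once
    printf 'request 1\n' >&3
    mv "$log" "$log-20170531"      # logrotate renames the active log
    printf 'request 2\n' >&3       # still goes to the old inode
    exec 3>&-
    status=1
    if [ ! -e "$log" ] && grep -q 'request 2' "$log-20170531"; then
        status=0
    fi
    rm -rf "$dir"
    return "$status"
}

# rotate_with_reopen does the same, but after the rename it closes and
# reopens the path, as nginx does on USR1. It returns 0 when the line written
# after the reopen is in the fresh access.log and absent from the rotated one.
rotate_with_reopen() {
    dir=$(mktemp -d) || return 1
    log="$dir/access.log"
    exec 3>>"$log"
    printf 'request 1\n' >&3
    mv "$log" "$log-20170531"
    exec 3>&-                      # close the old handle ...
    exec 3>>"$log"                 # ... and reopen by path: creates a new file
    printf 'request 3\n' >&3
    exec 3>&-
    status=1
    if grep -q 'request 3' "$log" && ! grep -q 'request 3' "$log-20170531"; then
        status=0
    fi
    rm -rf "$dir"
    return "$status"
}

rotate_without_reopen && echo "without reopen: writes kept going to the rotated file"
rotate_with_reopen && echo "after reopen: writes go to the new access.log"
```

This is also why a postrotate script that does nothing leaves the new access.log empty while access.log.1 keeps growing, and why logrotate offers delaycompress for programs that cannot be told to reopen their logs: compressing a file the daemon is still writing to would lose whatever it writes afterwards.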