Linux logs and log rotation


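The system logging process: rsyslog

  • Which kinds of programs produce system logs?
  • What logs do they produce?
  • Where are the logs stored?

Processes that handle logs

  1. rsyslogd: the system's dedicated logging daemon
  2. Applications, which may record logs in their own way
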
[root@localhost ~]# ps aux|grep rsyslogd
root       666  0.0  0.2 216424  7232 ?        Ssl  03:51   0:00 /usr/sbin/rsyslogd -n
root       956  0.0  0.0  12528   972 pts/0    R+   04:04   0:00 grep --color=auto rsyslogd

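Common log files

  • System log path: /var/log/messages
    There is no need to study its contents; they span a wide range of knowledge, and only professional operations engineers are expected to be familiar with them

  • Security and authentication log: /var/log/secure

  • yum log: /var/log/yum.log

rsyslogd configuration

  • Install: yum install rsyslog logrotate (installed by default)
  • Start the service: systemctl start rsyslog.service
  • Check the service status: systemctl status rsyslog
  • List installed packages: rpm -qa
  • List the files a package installs: rpm -ql rsyslog
  • List a package's configuration files: rpm -qc rsyslog
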
[root@localhost ~]# rpm -qc rsyslog
/etc/logrotate.d/syslog
/etc/rsyslog.conf
/etc/sysconfig/rsyslog

  1. /etc/rsyslog.conf: the main rsyslogd configuration file (key)
  2. /etc/sysconfig/rsyslog: rsyslogd-related file that defines levels (good to know)
  3. /etc/logrotate.d/syslog: log rotation configuration

[root@localhost ~]# cat /etc/rsyslog.conf
# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state


#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log


# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###

Log rules (RULES)

A rule has the form: program/facility, log level, path.
For example:

#### RULES ####
# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog
# Messages from mail at any level are written to /var/log/maillog

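  • Common facility types

| Facility name | Description |
| --- | --- |
| LOG_SYSLOG | Logs generated by syslogd itself |
| LOG_AUTHPRIV | Security and authentication |
| LOG_CRON | Scheduler (cron and at) |
| LOG_USER (default) | User-related |
| LOG_DAEMON | Background processes |
| LOG_FTP | File server (ftp daemon) |
| LOG_KERN | Kernel (kernel messages) |
| LOG_LPR | Printer devices |
| LOG_LOCAL0 ~ LOG_LOCAL7 | User-defined facilities |

  • Log levels

| Level name | Description |
| --- | --- |
| LOG_EMERG | Emergency, fatal; the service cannot continue running, e.g. a configuration file is missing |
| LOG_ALERT | Alert; needs immediate handling, e.g. disk usage at 95% |
| LOG_CRIT | Critical condition |
| LOG_ERR | Error condition |
| LOG_WARNING | Warning message |
| LOG_NOTICE | Normal but significant message |
| LOG_INFO | Informational message |
| LOG_DEBUG | Debug information, needed for troubleshooting; generally not recommended |
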
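*.info;mail.none;authpriv.none;cron.none                /var/log/messages
# *.info: * stands for all programs and info is the log level; messages of level info or higher from every facility are written to the target
# mail.none: none is not an actual log level; it means exclude, so mail logs are not written to this location

  • Restart after changing the log configuration
    The configuration file has normally already been loaded into memory, so it must be reloaded before the modified configuration takes effect

systemctl restart rsyslog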
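
To check where a given message ends up under the RULES section shown above (for instance, that authpriv messages reach only /var/log/secure), the following added example evaluates those selectors; it is not code from the original post or from rsyslog. The names `route` and `selector_matches` are chosen for this example, and only `*`, comma-separated facilities, `none`, `=level` and plain levels are handled.

```python
# Severity names ordered from most severe (0) to least severe (7).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Active rules copied from the rsyslog.conf shown on this page: (selector, action).
RULES = [
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("mail.*", "-/var/log/maillog"),
    ("cron.*", "/var/log/cron"),
    ("*.emerg", ":omusrmsg:*"),
    ("uucp,news.crit", "/var/log/spooler"),
    ("local7.*", "/var/log/boot.log"),
]

def selector_matches(selector, facility, severity):
    """Return True if a facility/severity pair is selected by the selector."""
    sev = SEVERITIES.index(severity)
    matched = False
    for part in selector.split(";"):
        facilities, _, prio = part.strip().rpartition(".")
        if facilities != "*" and facility not in facilities.split(","):
            continue  # this part says nothing about our facility
        if prio == "none":
            matched = False  # explicit exclusion overrides earlier parts
        elif prio == "*":
            matched = True  # every level
        elif prio.startswith("="):
            matched = sev == SEVERITIES.index(prio[1:])  # exactly this level
        else:
            matched = sev <= SEVERITIES.index(prio)  # this level or more severe
    return matched

def route(facility, severity):
    """List the actions (files or targets) that would receive the message."""
    return [action for sel, action in RULES
            if selector_matches(sel, facility, severity)]

if __name__ == "__main__":
    # Constructed sample messages.
    for fac, sev in [("authpriv", "info"), ("daemon", "debug"), ("kern", "emerg")]:
        print(f"{fac}.{sev} -> {route(fac, sev)}")
```
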

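Log rotation with logrotate (practical)

logrotate is introduced to manage log file size, backups, and so on.

  • Main configuration file (global rules): /etc/logrotate.conf
  • Per-service configuration files (custom rules): /etc/logrotate.d/
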
cat /etc/logrotate.conf

# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# use date as a suffix of the rotated file
dateext

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
        minsize 1M
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
}

# system-specific logs may be also be configured here.

Contents of the per-service configuration directory

ls -l /etc/logrotate.d/
total 20
-rw-r--r--. 1 root root 160 Sep 19  2018 chrony
-rw-r--r--. 1 root root 115 Apr  2  2020 samba
-rw-r--r--. 1 root root 224 Nov 27  2019 syslog
-rw-r--r--. 1 root root 100 Oct 30  2018 wpa_supplicant
-rw-r--r--. 1 root root 103 Apr  2  2020 yum

View the configuration in one of these files

cat yum
/var/log/yum.log {
    missingok
    notifempty
    maxsize 30k
    yearly
    create 0600 root root
}

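Configuration rules

| Directive | Description |
| --- | --- |
| weekly | Rotate weekly |
| rotate 4 | Keep 4 rotated backup log files, 5 files in total |
| create 0600 root utmp | Create a new file after rotation; 0600 is the permission mode, root the owner, utmp the group |
| compress | Enable compression |
| dateext | Use the date as the file name suffix |
| /var/log/yum.log{ } | Apply the enclosed rotation rules to this file |
| minsize 1m | Minimum file size, combined with the time condition by AND; e.g. rotate only when a day has passed and the file has reached 1m |
| maxsize 100m | Maximum file size, combined with the time condition by OR; e.g. rotate daily, or immediately once the file reaches 100m |
| missingok | Do not report it if the file is missing |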
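
The AND/OR relationship between minsize, maxsize and the time interval described in the table can be worked through on the yum stanza shown above. This is an added example, not logrotate's own code or code from the original post: `parse_stanza` and `should_rotate` are names chosen here, intervals are approximated as elapsed days (logrotate itself compares calendar dates), and size suffixes are treated case-insensitively.

```python
import re

# Approximate day counts per interval keyword (assumption for this example).
INTERVAL_DAYS = {"daily": 1, "weekly": 7, "monthly": 30, "yearly": 365}
UNITS = {"": 1, "k": 1024, "m": 1024**2, "g": 1024**3}

def parse_size(text):
    """Convert '30k', '1M' or '100m' to bytes."""
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", text)
    if not m:
        raise ValueError(f"bad size: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2).lower()]

def parse_stanza(text):
    """Extract the rotation conditions from one '/path { ... }' stanza."""
    body = text[text.index("{") + 1 : text.rindex("}")]
    opts = {"interval": None, "minsize": None, "maxsize": None, "notifempty": False}
    for line in body.splitlines():
        words = line.split("#")[0].split()
        if not words:
            continue
        if words[0] in INTERVAL_DAYS:
            opts["interval"] = INTERVAL_DAYS[words[0]]
        elif words[0] in ("minsize", "maxsize"):
            opts[words[0]] = parse_size(words[1])
        elif words[0] == "notifempty":
            opts["notifempty"] = True
    return opts

def should_rotate(opts, size, days_since_last):
    """Decide whether a log of `size` bytes is rotated on this run."""
    if size == 0 and opts["notifempty"]:
        return False  # notifempty: an empty log is never rotated
    if opts["maxsize"] is not None and size > opts["maxsize"]:
        return True  # maxsize: OR with the interval
    due = opts["interval"] is not None and days_since_last >= opts["interval"]
    if opts["minsize"] is not None:
        return due and size >= opts["minsize"]  # minsize: AND with the interval
    return due

# The yum stanza shown on this page.
YUM = """/var/log/yum.log {
    missingok
    notifempty
    maxsize 30k
    yearly
    create 0600 root root
}"""
```
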