RH124(10)----Linux系统中的日志管理

最新推荐文章于 2023-12-22 22:03:50 发布

dandan-99

最新推荐文章于 2023-12-22 22:03:50 发布

阅读量225

点赞数

本文链接：https://blog.csdn.net/weixin_45777669/article/details/109498505

版权

文章目录

实验环境

client_node2.test.com: 172.25.254.112
sever_node3.westos.com: 172.25.254.212
systemctl stop firewalld 关闭防火墙

1、journal命令

[root@node2 Desktop]# systemctl status systemed-journald 
[root@node2 Desktop]# cd /run/log/journal/ ##默认日志存放路径
[root@node2 journal]# ls
105326b025324973babc920ed9b5428e
[root@node2 journal]# hostnamectl 
[root@node2 journal]# cd 105326b025324973babc920ed9b5428e
[root@node2 105326b025324973babc920ed9b5428e]# ls
system.journal
[root@node2 105326b025324973babc920ed9b5428e]# file system.journal 
system.journal: Journal file, online  ##实时更新的
[root@node3 mnt]# journalctl  ##查看日志  

[root@node2 journal]# vim /etc/ssh/sshd_config 
修改第一行
[root@node2 journal]# systemctl restart sshd
[root@node2 105326b025324973babc920ed9b5428e]# journalctl -n 10 ##可以看到报错

[root@node3 mnt]# journalctl  --since "12:00" --until "12:05：59" ####显示时间段内的日志
[root@node3 mnt]# journalctl  --disk-usage  ####查看日志大小
[root@node3 mnt]# journalctl  --vacuum-size=1G ####设定日志存放大小
[root@node3 mnt]# journalctl  --vacuum-time=1w ## ##日志在系统中最长存放时间
[root@node3 mnt]# journalctl -o short                   ####设定日志的显示方式 -o 经典模式显示日志
[root@node3 mnt]# journalctl -o verbose              ##显示日志的全部字节
[root@node3 mnt]# journalctl -o export             ##适合传出和备份的二进制格式
[root@node3 mnt]# journalctl -o json               ##格式显示输出
[root@node3 mnt]# journalctl -p 4   ####日志的最新 4条
[root@node3 mnt]# journalctl -u sshd ####指定查看服务
[root@node3 mnt]# journalctl -F PRIORITY  ####查看可控日志级别
[root@node3 mnt]# journalctl -f  ## 监控日志

2、用 journald 服务永久存放日志

系统中默认日志在:/run/log/journal 中

[root@node3 ~]# systemctl status systemd-journald
[root@node1 journal]# rpm -qf /usr/lib/systemd/system/systemd-journald.service
systemd-239-29.el8.x86_64
[root@node3 journal]# rpm -qc systemd-239-29.el8.x86_64
/etc/systemd/journald.conf

默认方式在系统重启后日志会被清理要永久保存日志请完成以下操作:

[root@node3 ~]# mkdir /var/log/journal
[root@node3 ~]# chgrp systemd-journal  /var/log/journal
[root@node3 ~]# chmod 2775 /var/log/journal
[root@node3 ~]# ls /var/log/journal
[root@node3 ~]# systemctl restart systemd-journald
[root@node3 ~]# ls /var/log/journal
105326b025324973babc920ed9b5428e         
[root@node3 ~]# reboot 

[root@node3 ~]# ssh root@ 172.25.254.100
[root@node3 ~]# journalctl    ##重启后9点之前的也能看到
[root@node3 ~]# rm -fr  /var/log/journal/
[root@node3 ~]# systemctl restart systemd-journald
[root@node3 ~]# reboot
[root@node3 ~]# journalctl ##只显示设置时间15点之后的日志 开机的时间

当服务重启日志存放路径会被制定到:/var/log/journal

3、rsyslog命令

服务名称:rsyslog.service
自定义日志采集路径

[root@server2 ~]# > /var/log/messages 
[root@server2 ~]# systemctl restart rsyslog.service 
[root@server2 ~]# cat /var/log/messages 
Jun 23 15:40:47 server2 systemd[1]: Stopped Flush Journal to Persistent Storage.

[root@server2 ~]# systemctl stop rsyslog.service 
[root@server2 ~]# > /var/log/messages 
[root@server2 ~]# systemctl restart sshd
[root@server2 ~]# cat /var/log/messages   ##无日志生成
[root@server2 ~]# systemctl start  rsyslog.service 
[root@server2 ~]# cat /var/log/messages 
Jun 23 15:41:03 server2 systemd[1]: Stopping System Logging Service...
Jun 23 15:41:03 server2 rsyslogd[22283]: [origin software="rsyslogd" swVersion="8.37.0-9.el8" x-pid="22283" x-info="http://www.rsyslog.com"] exiting on signal 15.
Jun 23 15:41:03 server2 systemd[1]: Stopped System Logging Service.
Jun 23 15:41:39 server2 systemd[1]: Stopping OpenSSH server daemon...
Jun 23 15:41:39 server2 systemd[1]: Stopped OpenSSH server daemon.     ##采集之前因服务停止未被采集的日志

[root@node3 ~]# vim /etc/rsyslog.conf 
添加47行 *.*      /var/log/westos  ##指定日志采集路径
[root@node3 ~]# systemctl restart rsyslog.service
[root@node3 ~]# ls -l /var/log/westos
[root@node3 ~]# cat /var/log/westos

## 不想出现服务认证日志 不采集这类型日志
[root@node3 ~]# vim /etc/rsyslog.conf 
添加47行 *.*;authpriv.none       /var/log/westos   ##系统中所有级别的日志存放到westos 中 但是 authpriv 不存放到 westos 中
[root@node3 ~]# systemctl restart rsyslog.service
[root@node3 ~]# cat /var/log/westos
Nov  1 16:31:51 node3 systemd[1]: Started Session 12 of user root.
Nov  1 16:31:51 node3 systemd-logind[880]: New session 12 of user root.

4、日志的远程同步

node3 中设定发送日志到node2 中

##设定接受所有人的日志
[root@node2 ~]# vim /etc/rsyslog.conf 
 19 module(load="imudp") # needs to be done just once 取消注释
 20 input(type="imudp" port="514") 取消注释

[root@node2 ~]# systemctl restart rsyslog.service
[root@node2 ~]# netstat -antplue | grep rsyslog 查看开启514接口
[root@node2 ~]# systemctl status firewalld
[root@node2 ~]# systemctl stop firewalld
[root@node2 ~]# > /var/log/messages
[root@node2 ~]# tail -f /var/log/messages  ##监控文件

## node3中设定发送日志到 node2 中
[root@node3 ~]# vim /etc/rsyslog.conf 
47 *.*       @172.25.254.112      ##一个@代表UOP协议 两个@@代表TCP协议
[root@node3 ~]# systemctl restart rsyslog.service

5、更改日志采集格式

定义日志采集格式
WESTOS_FORMAT: 格式名称
%FROMHOST-IP%: 日志来源主机 IP
%timegenerated%: 日志生成时间
%syslogtag%: 日志生成服务
%msg%: 日志内容
\n: 换行
设定日志采集格式应用

[root@node2 ~]# systemctl disable --now firewalld
[root@node2 Desktop]# > /var/log/messages        
[root@node2 Desktop]# vim /etc/rsyslog.conf
 19 module(load="imudp") # needs to be done just once 取消注释
 20 input(type="imudp" port="514") 取消注释
 33 # module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
 34 module(load="builtin:omfile" Template="WESTOSFORMAT")
 35 $Template WESTOSFORMAT,"%FROMHOST-IP% %timegenerated% %syslogtag% %msg%\n"  
 47 *.info;mail.none;authpriv.none;cron.none                /var/log/messages；WESTOSFORMAT ##当向messages内采集日志用的是WESTOSFORMAT格式
[root@node2 Desktop]# systemctl restart rsyslog.service
[root@node2 Desktop]# cat /var/log/messages

6、时间同步服务

timedatectl命令

[root@node2 Desktop]# timedatectl
 Local time: Tue 2020-11-10 11:05:48 CST      ##本地时间            
 Universal time: Tue 2020-11-10 03:05:48 UTC  ##格林威治时间
 RTC time: Tue 2020-11-10 03:05:48         ## 系统硬件时间
 Time zone: Asia/Shanghai (CST, +0800)     ## 时区
System clock synchronized: no              ##时间被同步过            
              NTP service: inactive        ##不是时间服务器              
          RTC in local TZ: no              ##RTC时间不是本地时间         
[root@node2 Desktop]# timedatectl set-local-rtc 0  ## 0  表示使用utc时间计算方式 使用的是绝对时间 格林威治时间  1 表示使用本地时间   
[root@node2 Desktop]# timedatectl list-timezones                      ##显示系统的所有时区
[root@node2 Desktop]# timedatectl set-time "2020-11-07 10:28:00"  ##设定系统时间
[root@node2 Desktop]# timedatectl set-timezone "Europe/London"      ##设定系统时区

时间同步

1.与网络时间同步
[root@server2 ~]# vim /etc/chrony.conf 
  5 server ntp1.aliyun.com iburst
[root@server2 ~]# systemctl restart chronyd.service 
[root@server2 ~]# chronyc sources -v
210 Number of sources = 1

  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| /   '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||      Reachability register (octal) -.           |  xxxx = adjusted offset,
||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
||                                \     |          |  zzzz = estimated error.
||                                 |    |           \
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^* 120.25.115.20                 2   6     7     1  -1037us[+65237m] +/-   19ms
[root@server2 ~]# timedatectl
               Local time: Wed 2021-06-23 16:54:24 CST
           Universal time: Wed 2021-06-23 08:54:24 UTC
                 RTC time: Sat 2021-08-07 16:11:01
                Time zone: Asia/Shanghai (CST, +0800)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no


2.与本地时间同步
## time_serve 172.25.25.112
[root@node2 Desktop]# vim /etc/chrony.conf
 23 # allow 192.168.0.0/16
 24 allow 1.1.1.0/24
 27 local stratum 10
[root@node2 Desktop]# systemctl restart chronyd.service 
[root@node2 Desktop]# systemctl stop firewalld

## time_clinet 1.1.1.212
[root@node3 Desktop]# timedatectl set-time "2020-11-07 10:00:00"
[root@node3 Desktop]# timedatectl 
[root@node3 Desktop]# vim /etc/chrony.conf
pool 172.25.254.112 iburst
[root@node3 Desktop]# systemctl restart chronyd
[root@node3 Desktop]# timedatectl 
               Local time: Sat 2020-11-07 11:00:21 CST
[root@node3 Desktop]# chronyc sources -v
210 Number of sources = 1

  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| /   '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||      Reachability register (octal) -.           |  xxxx = adjusted offset,
||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
||                                \     |          |  zzzz = estimated error.
||                                 |    |           \
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================

^* 172.25.254.112                3   6     3     1   -5481h[ -5481h] +/-   21ms

[root@server1 Desktop]# timedatectl set-ntp no ##关闭时间同步服务器