I. Log overview
1) Commonly used system logs:
Kernel boot log: /var/log/dmesg
System errors, service restarts and similar events: /var/log/messages
Mail system log: /var/log/maillog
cron (scheduled task) log: /var/log/cron
System user login authentication: /var/log/secure
2) The file /var/log/wtmp records every login and logout.
The last command shows every user that has logged in to the system, with the source IP:
[root@all-log-server ~]# last
root pts/0 192.168.198.1 Sat Jul 22 15:37 still logged in
reboot system boot 2.6.32-431.el6.x Sat Jul 22 15:24 - 15:38 (00:13)
test-1 pts/3 192.168.198.1 Sat Jul 22 14:59 - down (00:23)
wtmp begins Sat Jul 22 14:59:37 2017
Clear the login log:
[root@all-log-server ~]# > /var/log/wtmp
Check again: the log now has no records.
[root@all-log-server ~]# last
wtmp begins Sat Jul 22 15:41:34 2017
3) The file /var/log/lastlog records each user's most recent login:
[root@all-log-server ~]# lastlog
用户名 端口 来自 最后登陆时间
root pts/0 192.168.198.1 六 7月 22 15:37:28 +0800 2017
bin **从未登录过**
daemon **从未登录过**
adm **从未登录过**
lp **从未登录过**
sync **从未登录过**
shutdown **从未登录过**
halt **从未登录过**
mail **从未登录过**
uucp **从未登录过**
operator **从未登录过**
games **从未登录过**
gopher **从未登录过**
ftp **从未登录过**
nobody **从未登录过**
dbus **从未登录过**
vcsa **从未登录过**
saslauth **从未登录过**
postfix **从未登录过**
sshd **从未登录过**
qd01 pts/2 192.168.198.1 六 7月 22 14:53:30 +0800 2017
test-1 pts/3 192.168.198.1 六 7月 22 14:59:37 +0800 2017
test-2 **从未登录过**
4) The file /var/log/btmp records failed login attempts:
[root@all-log-server ~]# lastb
btmp begins Thu Jul 20 22:41:04 2017
Now try logging in from another host:
[root@lszlab ~]# ssh 192.168.198.100
The authenticity of host '192.168.198.100 (192.168.198.100)' can't be established.
RSA key fingerprint is 2e:76:dd:05:a8:df:a6:6b:12:6f:e4:ad:4b:e1:e0:4a.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
Warning: Permanently added '192.168.198.100' (RSA) to the list of known hosts.
root@192.168.198.100's password:
Permission denied, please try again.
Run lastb again: one failed login event has been recorded.
[root@all-log-server ~]# lastb
root ssh:notty 192.168.198.135 Sat Jul 22 15:49 - 15:49 (00:00)
btmp begins Sat Jul 22 15:49:19 2017
5) How logs are recorded: messages are first classified by facility, and then by level within each facility.
The 7 main log facilities (FACILITY):
authpriv: security and authentication
cron: at and cron scheduled jobs
daemon: background daemon processes
kern: generated by the kernel
lpr: generated by the printing system
mail: mail system
syslog: the log service itself
local0 to local7: 8 additional facilities reserved by the system for other programs or for user-defined use
6) The 8 log levels (PRIORITY), listed from least to most severe:
debug: debugging information, for developers
info: normal informational messages
notice: conditions that deserve some attention
warn: warnings
err (error): errors
crit (critical): critical errors
alert: an alarm condition
emerg (emergency): emergencies, sudden events
6) The log service
Configuration file: /etc/rsyslog.conf
[root@all-log-server ~]# vi /etc/rsyslog.conf
# rsyslog v5 configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
kern.*: kernel messages of every level
*.info;mail.none;news.none;authpriv.none;cron.none: the mail, news, authpriv and cron facilities produce a lot of messages, so they are not recorded in /var/log/messages; everything else of level info and above is written to /var/log/messages
authpriv.*: all authentication messages are written to /var/log/secure
mail.*: all mail messages are written to /var/log/maillog
cron.*: all scheduled-job messages are written to /var/log/cron
local7.*: messages that should be shown on the screen during boot are written to /var/log/boot.log
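The facility and level lists in 5) and 6) and the selector rules just explained can be exercised without a running rsyslog. The script below is an added example and is not part of the original article: it encodes and decodes the numeric PRI value that syslog prefixes to each message (PRI = facility * 8 + severity, with the standard code numbers from RFC 3164, which the article does not list), and it evaluates a legacy selector list such as *.info;mail.none;authpriv.none;cron.none the way the rules in rsyslog.conf do (a plain level means that level or anything more severe, the last selector naming a facility decides, and none drops the facility). The = and ! level modifiers are deliberately left out.

```shell
#!/bin/sh
# Added example: syslog facility/severity codes and legacy selector matching.
# Code numbers follow RFC 3164; they are not listed in the article itself.

# Numeric code for a facility name, as used in the PRI field (facility * 8 + severity).
syslog_facility_code() {
    case "$1" in
        kern) echo 0 ;;  user) echo 1 ;;  mail) echo 2 ;;  daemon) echo 3 ;;
        auth) echo 4 ;;  syslog) echo 5 ;;  lpr) echo 6 ;;  news) echo 7 ;;
        uucp) echo 8 ;;  cron) echo 9 ;;  authpriv) echo 10 ;;  ftp) echo 11 ;;
        local[0-7]) echo $((16 + ${1#local})) ;;   # local0..local7 = 16..23
        *) echo "unknown facility: $1" >&2; return 1 ;;
    esac
}

# Numeric code for a severity name; 0 is the most severe, 7 the least.
syslog_severity_code() {
    case "$1" in
        emerg|emergency|panic) echo 0 ;;  alert) echo 1 ;;  crit|critical) echo 2 ;;
        err|error) echo 3 ;;  warn|warning) echo 4 ;;  notice) echo 5 ;;
        info) echo 6 ;;  debug) echo 7 ;;
        *) echo "unknown severity: $1" >&2; return 1 ;;
    esac
}

# PRI value for "facility severity", e.g. "local0 info" -> 134.
syslog_pri() {
    f=$(syslog_facility_code "$1") || return 1
    s=$(syslog_severity_code "$2") || return 1
    echo $((f * 8 + s))
}

# Inverse of syslog_pri: 134 -> "local0.info" (the form used in rsyslog selectors).
syslog_pri_decode() {
    f=$(($1 / 8)); s=$(($1 % 8))
    if [ "$f" -ge 16 ] && [ "$f" -le 23 ]; then
        fname="local$((f - 16))"
    else
        fname="facility$f"   # codes 12-15 have no name in the lists above
        i=0
        for name in kern user mail daemon auth syslog lpr news uucp cron authpriv ftp; do
            [ "$i" -eq "$f" ] && fname=$name
            i=$((i + 1))
        done
    fi
    i=0
    for name in emerg alert crit err warning notice info debug; do
        [ "$i" -eq "$s" ] && sname=$name
        i=$((i + 1))
    done
    echo "$fname.$sname"
}

# Does a message with facility $1 and severity $2 pass the selector list $3?
# Selectors are separated by ";" and evaluated in order: for each facility the
# last selector that names it (or "*") decides; a plain level means that level
# or anything more severe, "*" means every level and "none" means nothing.
# The "=" and "!" level modifiers of rsyslog are not implemented here.
rule_matches() {
    fac=$1; sev=$2; rule=$3
    hit=1
    msev=$(syslog_severity_code "$sev") || return 1
    set -f                      # no pathname expansion while we split on ";"
    oldifs=$IFS; IFS=';'
    for sel in $rule; do
        sel_fac=${sel%%.*}; sel_sev=${sel#*.}
        [ "$sel_fac" = "*" ] || [ "$sel_fac" = "$fac" ] || continue
        case "$sel_sev" in
            '*')  hit=0 ;;
            none) hit=1 ;;
            *)    tsev=$(syslog_severity_code "$sel_sev") || { hit=1; continue; }
                  if [ "$msev" -le "$tsev" ]; then hit=0; else hit=1; fi ;;
        esac
    done
    IFS=$oldifs; set +f
    return $hit
}

# Stand-alone demo with the /var/log/messages rule from rsyslog.conf.
RULE='*.info;mail.none;authpriv.none;cron.none'
echo "PRI of local0.info: $(syslog_pri local0 info)"
echo "PRI 83 decodes to: $(syslog_pri_decode 83)"
for m in "kern warn" "kern debug" "mail err"; do
    if rule_matches $m "$RULE"; then echo "$m -> /var/log/messages"; else echo "$m -> not written by this rule"; fi
done
```

Run it with sh; kern warn passes the rule, kern debug fails on the level, and mail err is removed again by mail.none even though *.info matched it first.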
7) Where logs are written:
a) A relative path for the log, normally under /var/log
b) A remote log server
c) Sometimes the message is shown directly on the screen, much like the wall command
(# wall – send a message to everybody’s terminal.)
[root@all-log-server ~]# wall "hello"
Broadcast message from root@all-log-server (pts/0) (Tue Jul 25 06:07:19 2017):
hello
All users logged in to a Linux virtual terminal receive this message.
8) mail.* -/var/log/maillog
The meaning of the minus sign "-":
Mail produces a lot of messages, so we want them buffered first in memory, which is fast, and written to disk in one go only once enough data has accumulated. This reduces the number of disk writes and the I/O overhead. On the other hand, because the messages are held in memory, an unclean shutdown can leave log entries unwritten to the file, so some data may be lost.
9) Restarting the service and enabling it at boot:
[root@all-log-server ~]# service rsyslog restart
关闭系统日志记录器: [确定]
启动系统日志记录器: [确定]
[root@all-log-server ~]# chkconfig rsyslog on
10) Log record format
DATE TIME HOSTNAME APP (NAME) [PID]: MESSAGES
Explanation:
DATE TIME: date and time of the log record
HOSTNAME APP (NAME) [PID]: which host, which program (and the program's PID):
[root@all-log-server ~]# tail -n 5 /var/log/messages
Jul 25 06:07:19 all-log-server wall[1253]: wall: user root broadcasted 1 lines (7 chars)
Jul 25 06:11:24 all-log-server kernel: Kernel logging (proc) stopped.
Jul 25 06:11:24 all-log-server rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1055" x-info="http://www.rsyslog.com"] exiting on signal 15.
Jul 25 06:11:34 all-log-server kernel: imklog 5.8.10, log source = /proc/kmsg started.
Jul 25 06:11:34 all-log-server rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1268" x-info="http://www.rsyslog.com"] start
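As an added example that is not from the article, the script below splits lines in this traditional file format into their fields with awk and counts lines per program. The sample lines are copied from the tail output above; the tag handling covers both the app[pid]: form and the bare kernel: form, since kernel messages carry no PID.

```shell
#!/bin/sh
# Added example: parse the traditional rsyslog file format
#   DATE TIME HOSTNAME APP[PID]: MESSAGE
# Sample lines taken from the tail -n 5 /var/log/messages output above.
SAMPLE_MESSAGES='Jul 25 06:07:19 all-log-server wall[1253]: wall: user root broadcasted 1 lines (7 chars)
Jul 25 06:11:24 all-log-server kernel: Kernel logging (proc) stopped.
Jul 25 06:11:24 all-log-server rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1055" x-info="http://www.rsyslog.com"] exiting on signal 15.
Jul 25 06:11:34 all-log-server kernel: imklog 5.8.10, log source = /proc/kmsg started.
Jul 25 06:11:34 all-log-server rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1268" x-info="http://www.rsyslog.com"] start'

# Read log lines on stdin, write one tab-separated record per line:
#   timestamp <TAB> host <TAB> app <TAB> pid <TAB> message
# The pid field is "-" when the tag has no [PID] part (e.g. "kernel:").
syslog_fields() {
    awk '{
        ts   = $1 " " $2 " " $3
        host = $4
        tag  = $5
        sub(/:$/, "", tag)                         # drop the trailing colon
        pid = "-"
        if (match(tag, /\[[0-9]+\]$/)) {           # "sshd[1485]" -> app + pid
            pid = substr(tag, RSTART + 1, RLENGTH - 2)
            tag = substr(tag, 1, RSTART - 1)
        }
        msg = ""
        for (i = 6; i <= NF; i++) msg = msg (i > 6 ? " " : "") $i
        print ts "\t" host "\t" tag "\t" pid "\t" msg
    }'
}

# Number of lines per program name, printed as "app count", sorted by app.
count_by_app() {
    syslog_fields | awk -F '\t' '{ n[$3]++ } END { for (a in n) print a, n[a] }' | sort
}

# Lines whose program is $1, printed as "pid<TAB>message".
lines_from_app() {
    syslog_fields | awk -F '\t' -v app="$1" '$3 == app { print $4 "\t" $5 }'
}

# Stand-alone demo over the sample lines.
printf '%s\n' "$SAMPLE_MESSAGES" | syslog_fields
printf '%s\n' "$SAMPLE_MESSAGES" | count_by_app
```

Feed any file in this format on stdin (for example tail -n 100 /var/log/messages | count_by_app) to get the same summaries for live data.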
10) Use local0 to define sshd.log
Edit the configuration file /etc/ssh/sshd_config:
[root@all-log-server ~]# vi /etc/ssh/sshd_config
Replace SyslogFacility AUTHPRIV with the following line:
SyslogFacility local0
Restart sshd:
[root@all-log-server ~]# service sshd restart
停止 sshd: [确定]
正在启动 sshd: [确定]
Edit the configuration file /etc/rsyslog.conf:
[root@all-log-server ~]# vi /etc/rsyslog.conf
# Save boot messages also to boot.log
local7.* /var/log/boot.log
local0.* /var/log/sshd.log
Restart rsyslog:
[root@all-log-server ~]# service rsyslog restart
Restart sshd:
[root@all-log-server ~]# service sshd restart
停止 sshd: [确定]
正在启动 sshd: [确定]
View /var/log/sshd.log:
[root@all-log-server ~]# cat /var/log/sshd.log
Jul 25 07:56:14 all-log-server sshd[1446]: Received signal 15; terminating.
Jul 25 07:56:14 all-log-server sshd[1485]: Server listening on 0.0.0.0 port 22.
Jul 25 07:56:14 all-log-server sshd[1485]: Server listening on :: port 22.
11) Preventing the log from being deleted
[root@all-log-server ~]# cat /var/log/sshd.log
[root@all-log-server ~]# chattr +a /var/log/sshd.log
[root@all-log-server ~]# service sshd restart
停止 sshd: [确定]
正在启动 sshd: [确定]
[root@all-log-server ~]# cat /var/log/sshd.log
Jul 25 08:14:28 all-log-server sshd[1535]: Received signal 15; terminating.
Jul 25 08:14:28 all-log-server sshd[1558]: Server listening on 0.0.0.0 port 22.
Jul 25 08:14:28 all-log-server sshd[1558]: Server listening on :: port 22.
[root@all-log-server ~]# > /var/log/sshd.log
-bash: /var/log/sshd.log: 不允许的操作
Once this attribute is set, your /var/log/sshd.log login log can only be appended to and can no longer be deleted, until root removes the a attribute with chattr -a /var/log/sshd.log; only then can it be deleted.
[root@all-log-server ~]# chattr -a /var/log/sshd.log
[root@all-log-server ~]# > /var/log/sshd.log
[root@all-log-server ~]# cat /var/log/sshd.log
12) Log rotation
[root@all-log-server ~]# vi /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly    (by default, rotate the log files once a week)
# keep 4 weeks worth of backlogs
rotate 4    (how many rotated log files to keep; the default is four)
# create new (empty) log files after rotating old ones
create    (after rotating, create a new empty file to hold the new data)
# use date as a suffix of the rotated file
dateext
# uncomment this if you want your log files compressed
#compress
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
monthly    (once a month, overriding weekly)
create 0664 root utmp    (permissions, owner and group of the newly created file)
minsize 1M    (rotate only once the log exceeds 1M)
rotate 1    (keep only one, i.e. only wtmp.1 is kept)
}
/var/log/btmp {
missingok
monthly
create 0600 root utmp
rotate 1
}
# system-specific logs may be also be configured here.
II. Configuring a remote log server for centralized log management
1) Configure the server side
[root@all-log-server ~]# vi /etc/rsyslog.conf
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
Change it to:
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
Restart the service:
[root@all-log-server ~]# service rsyslog restart
2) Configure the CLIENT side (sender)
[root@lszlab ~]# vi /etc/rsyslog.conf
*.* @@192.168.198.100:514
Save and restart the service:
[root@lszlab ~]# /etc/init.d/rsyslog restart
3) View the log on the server
[root@all-log-server ~]# tail -f /var/log/messages
Jul 25 09:03:31 all-log-server kernel: Kernel logging (proc) stopped.
Jul 25 09:03:31 all-log-server rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1462" x-info="http://www.rsyslog.com"] exiting on signal 15.
Jul 25 09:03:42 all-log-server kernel: imklog 5.8.10, log source = /proc/kmsg started.
Jul 25 09:03:42 all-log-server rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1591" x-info="http://www.rsyslog.com"] start
Jul 26 13:13:03 lszlab kernel: imklog 5.8.10, log source = /proc/kmsg started.
Jul 26 13:13:03 lszlab rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="2205" x-info="http://www.rsyslog.com"] start
Jul 26 13:13:45 lszlab kernel: Kernel logging (proc) stopped.
Jul 26 13:13:45 lszlab rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="2205" x-info="http://www.rsyslog.com"] exiting on signal 15.
Jul 26 13:13:55 lszlab kernel: imklog 5.8.10, log source = /proc/kmsg started.
Jul 26 13:13:55 lszlab rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="2218" x-info="http://www.rsyslog.com"] start
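The tail output above shows why a central server needs some bookkeeping: messages from every client land in the same /var/log/messages, distinguished only by the HOSTNAME field. The script below is an added example, not from the article, that summarises such a file per host and reports clients whose newest message is older than a threshold, which is how you notice a client that has quietly stopped forwarding. Its sample lines are taken from the output above; the reference time and threshold are constructed inputs, and because the traditional timestamp has no year, ages are computed within a single year with leap days ignored.

```shell
#!/bin/sh
# Added example: per-host summary of a central /var/log/messages.
# Sample lines taken from the server's tail -f output above.
SAMPLE_CENTRAL='Jul 25 09:03:31 all-log-server kernel: Kernel logging (proc) stopped.
Jul 25 09:03:42 all-log-server rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1591" x-info="http://www.rsyslog.com"] start
Jul 26 13:13:03 lszlab kernel: imklog 5.8.10, log source = /proc/kmsg started.
Jul 26 13:13:45 lszlab kernel: Kernel logging (proc) stopped.
Jul 26 13:13:55 lszlab rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="2218" x-info="http://www.rsyslog.com"] start'

# Lines per sending host (field 4 of the traditional format), printed as "host count".
count_by_host() {
    awk '{ n[$4]++ } END { for (h in n) print h, n[h] }' | sort
}

# Hosts whose newest message is older than $2 seconds at reference time $1
# ("Mon DD HH:MM:SS", the same year-less form the log uses). Prints "host age".
silent_hosts() {
    awk -v ref="$1" -v max_age="$2" '
    # seconds since Jan 1 00:00:00 of the (unknown) year; leap days ignored
    function tsec(mon, day, hms,    names, cum, t, m, i) {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
        split("0 31 59 90 120 151 181 212 243 273 304 334", cum, " ")
        for (i = 1; i <= 12; i++) if (names[i] == mon) m = i
        split(hms, t, ":")
        return (cum[m] + day - 1) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
    }
    BEGIN { split(ref, r, " "); now = tsec(r[1], r[2], r[3]) }
    { s = tsec($1, $2, $3); if (!($4 in last) || s > last[$4]) last[$4] = s }
    END {
        for (h in last) {
            age = now - last[h]
            if (age > max_age) print h, age
        }
    }' | sort
}

# Stand-alone demo: constructed reference time one hour limit.
printf '%s\n' "$SAMPLE_CENTRAL" | count_by_host
printf '%s\n' "$SAMPLE_CENTRAL" | silent_hosts "Jul 26 14:00:00" 3600
```

With the constructed reference time Jul 26 14:00:00 and a one-hour limit, lszlab (last seen 13:13:55) is fine while all-log-server, last seen the previous morning, is reported; in practice you would pass the output of date '+%b %e %T' as the reference and run the check from cron.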