linux日志管理方法 linux日志管理实例 第一部分
本节内容:
linux日志管理
相关阅读:linux日志分析
一、linux日志相关文件
#很关键
[root@client01 ~]# ls /var/log/
anaconda.ifcfg.log anaconda.xlog btmp dmesg maillog secure wtmp
anaconda.log anaconda.yum.log btmp-20130805 dmesg.old maillog-20130805 secure-20130805 yum.log
anaconda.program.log audit ConsoleKit dracut.log messages spooler
anaconda.storage.log boot.log cron httpd messages-20130805 spooler-20130805
anaconda.syslog boot.log-20130805 cron-20130805 lastlog rhsm tallylog
#关键日志,大部分记录在里面
[root@client01 ~]# ls /var/log/messages
/var/log/messages
#系统启动,硬件相关日志
[root@client01 ~]# ls /var/log/dmesg*
/var/log/dmesg /var/log/dmesg.old
#登录安全相关日志
[root@client01 ~]# ls /var/log/secure
/var/log/secure
#使用ssh登录,输入错误密码
[root@larrywen opt]# ssh 192.168.1.11
root@192.168.1.11's password:
Permission denied, please try again.
root@192.168.1.11's password:
Permission denied, please try again.
#监控文件,可以看到刚才输入的错误密码已经记录下来了
[root@client01 ~]# tail -f /var/log/secure
[root@client01 ~]# tail -n 4 /var/log/secure
Aug 5 14:46:13 client01 sshd[2796]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1 user=root
Aug 5 14:46:15 client01 sshd[2796]: Failed password for root from 192.168.1.1 port 50116 ssh2
Aug 5 14:46:23 client01 unix_chkpwd[2800]: password check failed for user(root)
Aug 5 14:46:25 client01 sshd[2796]: Failed password for root from 192.168.1.1 port 50116 ssh2
#邮件相关日志
[root@larrywen opt]# ls /var/log/maillog
/var/log/maillog
#登录信息日志
[root@client01 ~]# ls /var/log/lastlog
#最后登录的信息
[root@client01 ~]# ls /var/log/lastlog
/var/log/lastlog
[root@client01 ~]# last
#最近登录失败的记录
[root@client01 ~]# lastb
#selinux/审计相关日志
[root@client01 ~]# ls /var/log/audit/
audit.log
[root@client01 ~]# ls /var/log/maillog*
/var/log/maillog /var/log/maillog-20130805
#之前日志的备份,一个星期切换一次,会自动备份
maillog-20130805
[root@larrywen 0805]# ls /var/log/maillog*
/var/log/maillog /var/log/maillog-20130729 /var/log/maillog-20130805
[root@larrywen 0805]# ls /var/log/boot.log*
/var/log/boot.log /var/log/boot.log-20130729 /var/log/boot.log-20130805
二、linux日志相关服务
[root@client01 ~]# ps -ef|grep log
#系统日志服务
root 959 1 0 08:49 ? 00:00:00 /sbin/rsyslogd -c 4
root 1133 1 0 08:49 ? 00:00:00 login -- root
root 2811 2776 0 14:54 pts/0 00:00:00 grep log
[root@client01 ~]# /etc/init.d/rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
#rsyslog:日志记录的位置,指定输出文件
#日志级别:如 debug、warning 等
三、实验:linux日志转移(一台机器的日志备份到另一台机器)
client01:
[root@client01 ~]# ls /etc/*log*
/etc/csh.login /etc/login.defs /etc/logrotate.conf /etc/rsyslog.conf
/etc/logrotate.d:
dracut httpd subscription-manager syslog up2date yum
[root@client01 ~]# ls /etc/rsyslog.conf
/etc/rsyslog.conf
[root@client01 ~]# vim /etc/rsyslog.conf
#模块:实现某个功能的程序
#路径前的负号表示异步写:不是每条消息都立即同步到磁盘,而是缓冲到一定量后再写入,以换取性能
-/var/log/maillog
#修改文件
[root@client01 ~]# vim /etc/rsyslog.conf
[root@client01 ~]# grep "hongyi" /etc/rsyslog.conf -n
60:local3.* /var/log/hongyi.log
#重启服务
[root@client01 ~]# /etc/init.d/rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
#可以查看到生成了这个文件
[root@client01 ~]# ls /var/log/hongyi.log
/var/log/hongyi.log
#写日志
[root@client01 ~]# logger -p"local3.info" "this is test"
[root@client01 ~]# cat /var/log/hongyi.log
Aug 5 15:17:00 client01 root: this is test
#我们写local2.info,发现没有记录
[root@client01 ~]# logger -p"local2.info" "this is test"
[root@client01 ~]# cat /var/log/hongyi.log
Aug 5 15:17:00 client01 root: this is test
[root@client01 ~]# logger --help
logger: invalid option -- '-'
usage: logger [-is] [-f file] [-p pri] [-ttag] [-u socket] [ message ... ]
#性能
#一台机器上的文件保存到另一台机器上
[root@serv02 ~]# grep "UDP" /etc/rsyslog.conf -n -A1
12:# Provides UDP syslog reception
13-$ModLoad imudp.so
14:$UDPServerRun 514
15-
[root@serv02 ~]# grep "local3.*" /etc/rsyslog.conf -n
59:local3.* /tmp/up.log
[root@larrywen 0805]# man rsyslog.conf
serv01:
#rsyslog.conf做如下配置
[root@serv01 ~]# grep local3 /etc/rsyslog.conf -n
#192.168.1.12是serv02的IP
#@:通过 UDP 转发(无连接、不保证送达,可能丢包)
#@@:通过 TCP 转发(可靠传输)
60:local3.* @192.168.1.12
#重启服务
[root@serv01 ~]# /etc/init.d/rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
#Serv02配置完后,输出日志到第二台机器
[root@serv01 ~]# logger -p"local3.info" "hello,world"
serv02:
#rsyslog.conf文件做如下配置
[root@serv02 ~]# cat -n /etc/rsyslog.conf | sed "8,9p;/local3/p" -n
8 $ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
9 $ModLoad imklog.so # provides kernel logging support (previously done by rklogd)
59 local3.* /tmp/up.log
#重启服务
[root@serv02 ~]# /etc/init.d/rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
#查看文件可以看到
[root@serv02 ~]# cat /tmp/up.log
Aug 5 15:31:38 serv01 root: hello,world
#日志备份
四、linux日志 定时计划任务
[root@client01 ~]# yum install at -y
[root@client01 ~]# at now +3 minutes
at> echo "hello,wolrd" >/opt/aa01.txt
at> <EOT>
job 2 at 2013-08-05 16:20
Can't open /var/run/atd.pid to signal atd. No atd running?
[root@client01 ~]# /etc/init.d/atd start
Starting atd: [ OK ]
#相对当前时间
[root@client01 ~]# at now +3 minutes
at> echo "hello,wolrd" >/opt/aa01.txt
at> <EOT>
job 3 at 2013-08-05 16:21
[root@client01 ~]# at -l
3 2013-08-05 16:21 a root
2 2013-08-05 16:20 a root
[root@client01 opt]# ll
total 20
-rw-r--r--. 1 root root 12 Aug 5 16:20 aa01.txt
drwx------. 2 root root 16384 Jul 23 00:54 lost+found
#支持分钟 小时 天
[root@client01 ~]# at now +1 days
[root@client01 opt]# at 16:28 08/05/2013
at> echo "hello,uplooking"> /opt/aa02.txt
at> <EOT>
job 4 at 2013-08-05 16:28
[root@client01 opt]# at -l
4 2013-08-05 16:28 a root
[root@client01 opt]# at 18:20 08/06/2013
at> rm -rf /*<EOT>
job 5 at 2013-08-06 18:20
[root@client01 opt]# at -l
5 2013-08-06 18:20 a root
4 2013-08-05 16:28 a root
[root@client01 opt]# at --help
at: invalid option -- '-'
Usage: at [-V] [-q x] [-f file] [-mldbv] time
at -c job ...
atq [-V] [-q x]
atrm [-V] job ...
batch
#移除
[root@client01 opt]# atrm 5
#列出详细的任务
[root@client01 opt]# at -l
4 2013-08-05 16:28 a root
#执行完后自动清除,本次有效
#crontab:循环有效
[root@client01 opt]# vim /etc/crontab
* * * * * echo `date` >> /opt/aa03.txt
#添加规则
[root@client01 opt]# crontab -e
no crontab for root - using an empty one
crontab: installing new crontab
30 18 * * * init 0
1 */2 10-20 7,8 5 wall "Have a holiday"
#列出所有的任务
[root@client01 opt]# crontab -l
* * * * * echo `date` >>/opt/aa03.txt
30 18 * * * init 0
[root@client01 opt]# crontab --help
crontab: invalid option -- '-'
crontab: usage error: unrecognized option
usage: crontab [-u user] file
crontab [-u user] [ -e | -l | -r ]
(default operation is replace, per 1003.2)
-e (edit user's crontab)
-l (list user's crontab)
-r (delete user's crontab)
-i (prompt before deleting user's crontab)
-s (selinux context)
#查看编写的文件
[root@client01 opt]# cd /var/spool/
[root@client01 spool]# ls
anacron at cron lpd mail plymouth postfix up2date
[root@client01 spool]# cd cron/
[root@client01 cron]# ll
total 4
-rw-------. 1 root root 58 Aug 5 16:37 root
[root@client01 cron]# cat root
* * * * * echo `date` >>/opt/aa03.txt
30 18 * * * init 0
[root@client01 cron]# cd /etc/cron.
cron.d/ cron.daily/ cron.deny cron.hourly/ cron.monthly/ cron.weekly/
#每小时执行的入口(每小时第1分钟运行 /etc/cron.hourly 下的脚本)
[root@client01 cron]# cat /etc/cron.d/0hourly
shell=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
01 * * * * root run-parts /etc/cron.hourly
#每小时执行的脚本,由它触发 anacron 的每日任务
[root@client01 cron]# cat /etc/cron.hourly/0anacron
#!/bin/bash
# Hourly entry point (lives in /etc/cron.hourly) that hands off to anacron.
# It exits early when anacron's daily jobs already ran today or when the
# machine is not on AC power, so the daily jobs start at most once per day.
#in case file doesn't exist
if test -r /var/spool/anacron/cron.daily;then
day=`cat /var/spool/anacron/cron.daily`
fi
# The timestamp file holds the date (YYYYMMDD) of the last daily run; if it
# matches today there is nothing to do. When the file was unreadable, $day
# is empty, the comparison fails and anacron is started.
if [ `date +%Y%m%d` = "$day" ];then
exit 0;
fi
# in case anacron is already running,
# there will be log (daemon won't be running twice).
# Power check: on_ac_power exits 1 when running on battery, in which case
# the run is skipped. A missing on_ac_power (not executable) skips the check.
if test -x /usr/bin/on_ac_power; then
/usr/bin/on_ac_power &> /dev/null
if test $? -eq 1; then
exit 0
fi
fi
# -s: serialize job execution, i.e. wait for each job to finish before
# starting the next one.
/usr/sbin/anacron -s
#查看每天执行的配置文件
[root@client01 cron]# cat /etc/cron.daily/logrotate
#!/bin/sh
# Daily cron job: run logrotate with the system-wide config and report a
# failure through syslog. Output is discarded; only the exit status is used.
/usr/sbin/logrotate /etc/logrotate.conf>/dev/null 2>&1
EXITVALUE=$?
# Non-zero means at least one rotation failed; log it with the "logrotate"
# tag (presumably ends up in /var/log/messages under the default rsyslog
# rules -- confirm against rsyslog.conf).
if [ $EXITVALUE != 0 ]; then
/usr/bin/logger -t logrotate "ALERT exited abnormally with[$EXITVALUE]"
fi
# Always exit 0: the failure has already been reported via syslog.
exit 0
#查看syslog文件,可以看到日志的创建过程
[root@client01 logrotate.d]# cat syslog
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}
#可以对日志的相关文件进行配置
[root@client01 cron]# cat /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# use date as a suffix of the rotated file
dateext
# uncomment this if you want your log files compressed
#compress
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
minsize 1M
rotate 1
}
/var/log/btmp {
missingok
monthly
create 0600 root utmp
rotate 1
}
# system-specific logs may also be configured here.