
System log management (Linux)

Linux system log management

Log classification:

1. Connection time log

The connection time log is usually recorded in two files, /var/log/wtmp and /var/run/utmp. These two files cannot be viewed directly with cat, and they are updated automatically by the system. Use w/who/finger/id/last/lastlog/ac to view them:

    [root@xhot ~]# who
    root     tty1         2010-10-06 22:56
    root     pts/0        2010-10-06 22:26 (218.192.87.4)
    root     pts/1        2010-10-06 23:41 (218.192.87.4)
    root     pts/3        2010-10-06 23:18 (218.192.87.4)
    [root@xhot ~]# w
     01:01:02 up  2:36,  4 users,  load average: 0.15, 0.03, 0.01
    USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
    root     tty1     -                 22:56    1:20m  0.16s  0.16s -bash
    root     pts/0    218.192.87.4      22:26    2:05m  0.18s  0.18s -bash
    root     pts/1    218.192.87.4      23:41    0.00s  0.41s  0.00s w
    root     pts/3    218.192.87.4      23:18    1:38m  0.03s  0.03s -bash
    [root@xhot ~]# ac -p        // view the connection time of each user
    u51          1.23
    u55          0.04
    root        95.21           // root has the longest connection time
    xhot         0.06
    user1        3.93
    total      100.48
    [root@xhot ~]# ac -a        // view the connection time of all users
    total      100.49
    [root@xhot ~]# ac -d        // view the users' connection time per day
    Sep 24  total   0.14
    Sep 25  total  14.60
    Sep 26  total  13.71
    Sep 27  total  21.47
    Sep 28  total  11.74
    Sep 29  total   6.60
    Sep 30  total   8.81
    Oct  1  total   9.04
    Oct  2  total   0.47        // you can see that on the 3rd, 4th and 5th I was out for the National Day holiday
    Oct  6  total   8.62
    Today   total   5.29

The other commands are not covered in detail here.

2. Process monitoring log

The process statistics (accounting) log is very effective for monitoring the commands that users run. If you find that a server has recently been shutting down for no reason, or that files are being deleted for no reason, you can use the process statistics log to investigate:

    [root@xhot ~]# accton /var/account/pacct    // turn on process accounting
    [root@xhot ~]# lastcomm                     // view the process accounting log
    accton     S   root   pts/1   0 secs Thu Oct  7 01:20
    accton         root   pts/1   0 secs Thu Oct  7 01:20
    ac             root   pts/1   0 secs Thu Oct  7 01:14
    ac             root   pts/1   0 secs Thu Oct  7 01:14
    free           root   pts/1   0 secs Thu Oct  7 01:10
    lastcomm       root   pts/1   0 secs Thu Oct  7 01:09
    bash       F   root   pts/1   0 secs Thu Oct  7 01:09
    lastcomm       root   pts/1   0 secs Thu Oct  7 01:09
    ifconfig       root   pts/1   0 secs Thu Oct  7 01:09
    lastcomm       root   pts/1   0 secs Thu Oct  7 01:09
    lastcomm       root   pts/1   0 secs Thu Oct  7 01:09
    lastcomm       root   pts/1   0 secs Thu Oct  7 01:09
    accton     S   root   pts/1   0 secs Thu Oct  7 01:09
    [root@xhot ~]# accton                       // turn off process accounting

3. System and service logs

System logging is handled by a service called syslog. The following log files, for example, are driven by the syslog logging service:

/var/log/lastlog: records the last time each user logged in successfully, the login IP and other information
/var/log/messages: records common system and service error messages of the Linux operating system
/var/log/secure: the Linux system security log; records changes to users and groups, and user login authentication
/var/log/btmp: records the user, time and remote IP address of failed Linux logins
/var/log/cron: records the execution of crond scheduled tasks
... ...

    [root@xhot ~]# cat /var/log/lastlog
    Lpts/0218.192.87.4 Lpts/1218.192.87.4 Lpts/1218.192.87.4 Lpts/0218.192.87.46 Lpts/0218.192.87.4
    ... ...

Introduction to Linux logging services

1. In the Linux system, most logs are driven and managed by the syslog logging service.

The syslog service is controlled by two important configuration files: the main configuration file /etc/syslog.conf and the auxiliary configuration file /etc/sysconfig/syslog. /etc/init.d/syslog is the startup script. The main configuration file /etc/syslog.conf is discussed here.

/etc/syslog.conf statement structure:

    [root@xhot ~]# grep -v "#" /etc/syslog.conf    // list each line that does not start with #
    *.info;mail.none;authpriv.none;cron.none    /var/log/messages
    authpriv.*                                  /var/log/secure
    mail.*                                      -/var/log/maillog
    cron.*                                      /var/log/cron
    *.emerg                                     *
    uucp,news.crit                              /var/log/spooler
    local7.*                                    /var/log/boot.log
    selector field (message type.error level)   action field

2. Message types: auth, authpriv, security, cron, daemon, kern, lpr, mail, mark, local0~local7, news, syslog, user, uucp, and *.

Error levels (8 levels): debug, info, notice, warning|warn, err|error, crit, alert, emerg|panic

Action field: file, user, console, @remote_ip

Take three examples from the /etc/syslog.conf file above:

*.info;mail.none;authpriv.none;cron.none /var/log/messages means that messages of any type at the info level are sent to the /var/log/messages log file, except that messages from the mail system, the authentication system and scheduled tasks are not sent (none means prohibited).

cron.* /var/log/cron means that cron messages of all levels are sent to the /var/log/cron file.

*.emerg * means that messages of all types at the emerg error level (danger state) are sent to all users.

Linux log server configuration

Configuring this server is very simple: modify one place in one file, then restart the service:

    [root@xhot ~]# grep -v "#" /etc/sysconfig/syslog
    SYSLOGD_OPTIONS="-m 0 -r"    // just add "-r" here
    KLOGD_OPTIONS="-x"
    SYSLOG_UMASK=077
    [root@xhot ~]# service syslog restart
    Close the kernel logger: [confirm]
    Turn off the system log recorder: [confirm]
    Start the system log recorder: [confirm]
    Start the kernel logger: [sure]

On a machine that sends messages to the server, whatever its operating system, it is enough to write the action field in the main configuration file /etc/syslog.conf as @server-ip. For example, to send all info-level auth messages of an Ubuntu system to this log server, 218.192.87.24, add the following as the last line of the Ubuntu system's /etc/syslog.conf file:

    auth.info    @218.192.87.24

Log dump service

As time passes and the volume of access increases, the content of the log files grows and the files keep getting larger. When a log file exceeds the range the system can handle, it also affects system performance. The dump mode can be set to yearly, monthly or weekly dumps, or to dump when the log reaches a certain size.

On Linux systems the "logrotate" tool is commonly used for log dumps; combined with cron scheduled tasks, it makes dumping log files easy.
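The dump mode is set through the /etc/logrotate.conf configuration file:

    [root@xhot ~]# cat /etc/logrotate.conf
    # see "man logrotate" for details    // you can view the help file
    # rotate log files weekly
    weekly    // set weekly dump
    # keep 4 weeks worth of backlogs
    rotate 4    // dump at most 4 times
    # create new (empty) log files after rotating old ones
    create    // create the file after the dump if it does not exist
    # uncomment this if you want your log files compressed
    #compress    // dump in compressed mode
    # RPM packages drop log rotation information into this directory
    include /etc/logrotate.d    // the dump settings of other log files are contained in this directory
    # no packages own wtmp -- we'll rotate them here
    /var/log/wtmp {    // set the dump parameters of the /var/log/wtmp log file
        monthly    // dump monthly
        create 0664 root utmp    // create the file after the dump if it does not exist; owner root, group utmp, permissions 0664
        rotate 1    // dump once
    }
    # system-specific logs may also be configured here.

Two examples:

Set dump parameters for all files under the /var/log/news/ directory: dump weekly, dump 2 times, move the old log files to the /var/log/news/old directory when dumping, and skip a log file if it does not exist. Restart the news newsgroup service when done, and do not compress when dumping. To do this, add the following at the end of the /etc/logrotate.conf file:

    /var/log/news/* {
        monthly
        rotate 2
        olddir /var/log/news/old
        missingok
        postrotate
            kill -HUP `cat /var/run/inn.pid`
        endscript
        nocompress
    }

Another example: set dump parameters for the /var/log/httpd/access.log and /var/log/httpd/error.log logs. Dump 5 times, send mail to the root@localhost user when dumping, dump only when the log file reaches 100 KB, and restart the httpd service after the dump. To do this, add the following directly at the end of the /etc/logrotate.conf file:

    /var/log/httpd/access.log /var/log/httpd/error.log {
        rotate 5
        mail root@localhost
        size=100k
        sharedscripts
        postrotate
            /sbin/killall -HUP httpd
        endscript
    }

Custom log dumps (/etc/logrotate.d/*)

The following example sends the logs of all types at the info error level to the /var/log/test.log log file, and sets /var/log/test.log to be dumped once it reaches 50 KB, dumped 10 times, compressed when dumped, with the syslog service restarted after the dump:

1. Modify the /etc/syslog.conf file so that it reads as follows:

    [root@xhot ~]# tail -1 /etc/syslog.conf    // view the last line of the file
    *.info    /var/log/test.log

2. Restart the syslog service:

    [root@xhot ~]# /sbin/service syslog restart
    关闭内核日志记录器:[确定]
    关闭系统日志记录器:[确定]
    启动系统日志记录器:[确定]
    启动内核日志记录器:[确定]

3. Create the dump parameter configuration file /etc/logrotate.d/test.log and add the following:

    [root@xhot ~]# vim /etc/logrotate.d/test.log
    [root@xhot ~]# cat /etc/logrotate.d/test.log
    /var/log/test.log {
        rotate 10
        size=50k
        compress
        postrotate
            # the daemon's process name is syslogd
            killall -HUP syslogd
        endscript
    }

4. Check the file /etc/cron.daily/logrotate and make sure it reads as follows:

    [root@xhot ~]# cat /etc/cron.daily/logrotate
    #!/bin/sh

    /usr/sbin/logrotate /etc/logrotate.conf
    EXITVALUE=$?
    if [ $EXITVALUE != 0 ]; then
        /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
    fi
    exit 0

5. Check the files after the dump:

    [root@xhot log]# pwd
    /var/log
    [root@xhot log]# ls test.log*
    ......    // after some time you will find the compressed dump files and the original test.log file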
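Section 1 notes that /var/log/wtmp and /var/run/utmp cannot be read with cat; that is because they hold fixed-size binary records. The following Python code is an added example, not part of the original article: it decodes such records offline (for instance from a copy of the file), assuming the 384-byte glibc struct utmp layout of x86-64 Linux. The sample records are constructed to mirror the who output above, with the times taken as UTC.

```python
import struct
from collections import Counter
from datetime import datetime, timezone

# Assumption: the 384-byte glibc "struct utmp" used on x86-64 Linux:
# type, pid, line[32], id[4], user[32], host[256], exit status (2 shorts),
# session, tv_sec, tv_usec, addr_v6 (16 bytes), 20 unused bytes.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii16s20x")
USER_PROCESS = 7  # ut_type value of a normal login session


def _text(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_wtmp(data):
    """Return one dict per complete record; a truncated tail is ignored."""
    records = []
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(data, off)
        records.append({
            "type": f[0], "line": _text(f[2]), "user": _text(f[4]),
            "host": _text(f[5]),
            "time": datetime.fromtimestamp(f[9], timezone.utc),
        })
    return records


def remote_logins(data):
    """Count login sessions per (user, remote host)."""
    return Counter((r["user"], r["host"]) for r in parse_wtmp(data)
                   if r["type"] == USER_PROCESS and r["host"])


def make_record(user, line, host, hh, mm):
    """Build a constructed sample record dated 2010-10-06 (taken as UTC)."""
    when = int(datetime(2010, 10, 6, hh, mm, tzinfo=timezone.utc).timestamp())
    return UTMP.pack(USER_PROCESS, 1000, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, when, 0, b"")


# Constructed sample mirroring the who output in the article.
SAMPLE = b"".join([
    make_record("root", "pts/0", "218.192.87.4", 22, 26),
    make_record("root", "tty1", "", 22, 56),
    make_record("root", "pts/3", "218.192.87.4", 23, 18),
    make_record("root", "pts/1", "218.192.87.4", 23, 41),
])
```

remote_logins(SAMPLE) groups the three pts sessions under 218.192.87.4 and leaves out the local tty1 login, which has an empty host field.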
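The selector rules of /etc/syslog.conf explained in the logging services section decide which log file receives a given message, and so which events are recorded nowhere. The following Python code is an added example, not part of the original article or of syslogd: it evaluates the rules listed above, plus the Ubuntu forwarding rule, for a given message type and level. It relies on the sysklogd behaviour that a level in a selector matches that level and every more severe one, and it does not handle the "=" and "!" level modifiers.

```python
# Added example: evaluate sysklogd-style selectors against a message.
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

# The rules listed in the article's /etc/syslog.conf.
RULES = """\
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
*.emerg                                     *
uucp,news.crit                              /var/log/spooler
local7.*                                    /var/log/boot.log
"""
# The forwarding rule the article adds on the Ubuntu client.
FORWARD = "auth.info    @218.192.87.24\n"


def selector_matches(selector, facility, level):
    """Apply the ';'-separated parts left to right."""
    matched = False
    for part in selector.split(";"):
        facilities, _, prio = part.strip().partition(".")
        if facilities != "*" and facility not in facilities.split(","):
            continue
        prio = ALIASES.get(prio, prio)
        if prio == "none":
            matched = False          # a later "none" cancels an earlier match
        elif prio == "*" or LEVELS.index(level) >= LEVELS.index(prio):
            matched = True           # the named level or anything more severe
    return matched


def route(conf_text, facility, level):
    """Return the action field of every rule the message satisfies."""
    level = ALIASES.get(level, level)
    actions = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        if selector_matches(selector, facility, level):
            actions.append(action)
    return actions
```

With these rules, route(RULES, "authpriv", "info") returns only /var/log/secure, and route(RULES, "kern", "debug") returns an empty list: debug-level kernel messages are not written to any file.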
Upload time: 2018-10-02