日志管理相關知識
一 日志相關文件
#很關鍵
[root@client01 ~]# ls /var/log/
anaconda.ifcfg.log anaconda.xlog btmp dmesg maillog secure wtmp
anaconda.log anaconda.yum.log btmp-20130805 dmesg.old maillog-20130805 secure-20130805 yum.log
anaconda.program.log audit ConsoleKit dracut.log messages spooler
anaconda.storage.log boot.log cron httpd messages-20130805 spooler-20130805
anaconda.syslog boot.log-20130805 cron-20130805 lastlog rhsm tallylog
#關鍵日志,大部分記錄在裡面
[root@client01 ~]# ls /var/log/messages
/var/log/messages
#系統啟動,硬件相關日志
[root@client01 ~]# ls /var/log/dmesg*
/var/log/dmesg /var/log/dmesg.old
#登錄安全相關日志
[root@client01 ~]# ls /var/log/secure
/var/log/secure
#使用ssh登錄,輸入錯誤密碼
[root@larrywen opt]# ssh 192.168.1.11
root@192.168.1.11's password:
Permission denied, please try again.
root@192.168.1.11's password:
Permission denied, please try again.
#監控文件,可以看到剛才的登錄失敗(密碼錯誤)已經記錄下來了;注意日志只記錄失敗事件和來源,不會記錄輸入的密碼本身
[root@client01 ~]# tail -f /var/log/secure
[root@client01 ~]# tail -n 4 /var/log/secure
Aug 5 14:46:13 client01 sshd[2796]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1 user=root
Aug 5 14:46:15 client01 sshd[2796]: Failed password for root from 192.168.1.1 port 50116 ssh2
Aug 5 14:46:23 client01 unix_chkpwd[2800]: password check failed for user (root)
Aug 5 14:46:25 client01 sshd[2796]: Failed password for root from 192.168.1.1 port 50116 ssh2
#郵件相關日志
[root@larrywen opt]# ls /var/log/maillog
/var/log/maillog
#登錄信息日志
[root@client01 ~]# ls /var/log/lastlog
#最後登錄的信息
[root@client01 ~]# ls /var/log/lastlog
/var/log/lastlog
[root@client01 ~]# last
#登錄失敗的記錄(lastb 讀取 /var/log/btmp)
[root@client01 ~]# lastb
#審計日志(auditd 記錄,其中包含 SELinux 相關事件)
[root@client01 ~]# ls /var/log/audit/
audit.log
[root@client01 ~]# ls /var/log/maillog*
/var/log/maillog /var/log/maillog-20130805
#之前日志的備份,一個星期切換一次,會自動備份
maillog-20130805
[root@larrywen 0805]# ls /var/log/maillog*
/var/log/maillog /var/log/maillog-20130729 /var/log/maillog-20130805
[root@larrywen 0805]# ls /var/log/boot.log*
/var/log/boot.log /var/log/boot.log-20130729 /var/log/boot.log-20130805
二 日志相關服務
[root@client01 ~]# ps -ef|grep log
#系統日志服務
root 959 1 0 08:49 ? 00:00:00 /sbin/rsyslogd -c 4
root 1133 1 0 08:49 ? 00:00:00 login -- root
root 2811 2776 0 14:54 pts/0 00:00:00 grep log
[root@client01 ~]# /etc/init.d/rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
#rsyslog:日志記錄的位置,指定輸出文件
#日志級別:Debug Warning
三 實驗:日志轉移(一台機器的日志備份到另一台機器)
client01:
[root@client01 ~]# ls /etc/*log*
/etc/csh.login /etc/login.defs /etc/logrotate.conf /etc/rsyslog.conf
/etc/logrotate.d:
dracut httpd subscription-manager syslog up2date yum
[root@client01 ~]# ls /etc/rsyslog.conf
/etc/rsyslog.conf
[root@client01 ~]# vim /etc/rsyslog.conf
#模塊:實現某個功能的程序
#不要急著寫,支持異步寫。等到一定量的時候才寫,延遲寫(負號的含義)
-/var/log/maillog
#修改文件
[root@client01 ~]# vim /etc/rsyslog.conf
[root@client01 ~]# grep "hongyi" /etc/rsyslog.conf -n
60:local3.* /var/log/hongyi.log
#重啟服務
[root@client01 ~]# /etc/init.d/rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
#可以查看到生成了這個文件
[root@client01 ~]# ls /var/log/hongyi.log
/var/log/hongyi.log
#寫日志
[root@client01 ~]# logger -p"local3.info" "this is test"
[root@client01 ~]# cat /var/log/hongyi.log
Aug 5 15:17:00 client01 root: this is test
#我們寫local2.info,發現沒有記錄
[root@client01 ~]# logger -p"local2.info" "this is test"
[root@client01 ~]# cat /var/log/hongyi.log
Aug 5 15:17:00 client01 root: this is test
[root@client01 ~]# logger --help
logger: invalid option -- '-'
usage: logger [-is] [-f file] [-p pri] [-ttag] [-u socket] [ message ... ]
#性能
#一台機器上的文件保存到另一台機器上
[root@serv02 ~]# grep "UDP" /etc/rsyslog.conf -n -A1
12:# Provides UDP syslog reception
13-$ModLoad imudp.so
14:$UDPServerRun 514
15-
[root@serv02 ~]# grep "local3.*" /etc/rsyslog.conf -n
59:local3.* /tmp/up.log
[root@larrywen 0805]# man rsyslog.conf
serv01:
#rsyslog.conf做如下配置
[root@serv01 ~]# grep local3 /etc/rsyslog.conf -n
#192.168.1.12是serv02的IP
#@:以UDP轉發(不保證送達;接收端的514端口會接受任何來源的消息,應以防火牆限制來源)
#@@:以TCP轉發(可靠傳輸,但同樣是明文)
60:local3.* @192.168.1.12
#重啟服務
[root@serv01 ~]# /etc/init.d/rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
#Serv02配置完後,輸出日志到第二台機器
[root@serv01 ~]# logger -p"local3.info" "hello,world"
serv02:
#rsyslog.conf文件做如下配置
[root@serv02 ~]# cat -n /etc/rsyslog.conf | sed "8,9p;/local3/p" -n
8 $ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
9 $ModLoad imklog.so # provides kernel logging support (previously done by rklogd)
59 local3.* /tmp/up.log
#重啟服務
[root@serv02 ~]# /etc/init.d/rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
#查看文件可以看到
[root@serv02 ~]# cat /tmp/up.log
Aug 5 15:31:38 serv01 root: hello,world
#日志備份
四 定時計劃任務
[root@client01 ~]# yum install at -y
[root@client01 ~]# at now +3 minutes
at> echo "hello,wolrd" >/opt/aa01.txt
at> <EOT>
job 2 at 2013-08-05 16:20
Can't open /var/run/atd.pid to signal atd. No atd running?
[root@client01 ~]# /etc/init.d/atd start
Starting atd: [ OK ]
#相對當前時間
[root@client01 ~]# at now +3 minutes
at> echo "hello,wolrd" >/opt/aa01.txt
at> <EOT>
job 3 at 2013-08-05 16:21
[root@client01 ~]# at -l
3 2013-08-05 16:21 a root
2 2013-08-05 16:20 a root
[root@client01 opt]# ll
total 20
-rw-r--r--. 1 root root 12 Aug 5 16:20 aa01.txt
drwx------. 2 root root 16384 Jul 23 00:54 lost+found
#支持分鐘 小時 天
[root@client01 ~]# at now +1 days
[root@client01 opt]# at 16:28 08/05/2013
at> echo "hello,uplooking"> /opt/aa02.txt
at> <EOT>
job 4 at 2013-08-05 16:28
[root@client01 opt]# at -l
4 2013-08-05 16:28 a root
[root@client01 opt]# at 18:20 08/06/2013
at> rm -rf /*<EOT>
job 5 at 2013-08-06 18:20
[root@client01 opt]# at -l
5 2013-08-06 18:20 a root
4 2013-08-05 16:28 a root
[root@client01 opt]# at --help
at: invalid option -- '-'
Usage: at [-V] [-q x] [-f file] [-mldbv] time
at -c job ...
atq [-V] [-q x]
atrm [-V] job ...
batch
#移除
[root@client01 opt]# atrm 5
#列出詳細的任務
[root@client01 opt]# at -l
4 2013-08-05 16:28 a root
#執行完後自動清除,本次有效
#crontab:循環有效
[root@client01 opt]# vim /etc/crontab
* * * * * echo `date` >> /opt/aa03.txt
#添加規則
[root@client01 opt]# crontab -e
no crontab for root - using an empty one
crontab: installing new crontab
30 18 * * * init 0
1 */2 10-20 7,8 5 wall "Have a holiday"
#列出所有的任務
[root@client01 opt]# crontab -l
* * * * * echo `date` >>/opt/aa03.txt
30 18 * * * init 0
[root@client01 opt]# crontab --help
crontab: invalid option -- '-'
crontab: usage error: unrecognized option
usage: crontab [-u user] file
crontab [-u user] [ -e | -l | -r ]
(default operation is replace, per 1003.2)
-e (edit user's crontab)
-l (list user's crontab)
-r (delete user's crontab)
-i (prompt before deleting user's crontab)
-s (selinux context)
#查看編寫的文件
[root@client01 opt]# cd /var/spool/
[root@client01 spool]# ls
anacron at cron lpd mail plymouth postfix up2date
[root@client01 spool]# cd cron/
[root@client01 cron]# ll
total 4
-rw-------. 1 root root 58 Aug 5 16:37 root
[root@client01 cron]# cat root
* * * * * echo `date` >>/opt/aa03.txt
30 18 * * * init 0
[root@client01 cron]# cd /etc/cron.
cron.d/ cron.daily/ cron.deny cron.hourly/ cron.monthly/ cron.weekly/
#每小時執行一次 /etc/cron.hourly 下的腳本(由 cron.d/0hourly 觸發)
[root@client01 cron]# cat /etc/cron.d/0hourly
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
01 * * * * root run-parts /etc/cron.hourly
#每個小時執行的腳本,由它再去啟動 anacron
[root@client01 cron]# cat /etc/cron.hourly/0anacron
#!/bin/bash
# Hourly driver for anacron (lives in /etc/cron.hourly): skips the run when
# anacron's daily timestamp already matches today, or when the machine is
# running on battery; otherwise starts anacron with its jobs serialized.
#in case file doesn't exist
if test -r /var/spool/anacron/cron.daily;then
# the stamp file holds the YYYYMMDD of the last completed daily run
day=`cat /var/spool/anacron/cron.daily`
fi
# if the stamp is today's date the daily jobs are already done;
# with no stamp file $day is empty, the test is false and we fall through
if [ `date +%Y%m%d` = "$day" ];then
exit 0;
fi
# in case anacron is already running,
# there will be a lock (the daemon won't be running twice).
# on_ac_power exits 1 when the machine runs on battery: skip the run then
if test -x /usr/bin/on_ac_power; then
/usr/bin/on_ac_power &> /dev/null
if test $? -eq 1; then
exit 0
fi
fi
# -s: serialize job execution (anacron waits for each job before starting the next)
/usr/sbin/anacron -s
#查看每天執行的配置文件
[root@client01 cron]# cat /etc/cron.daily/logrotate
#!/bin/sh
# Daily logrotate driver (/etc/cron.daily): runs logrotate over the main
# config with its output discarded, and reports a failure through syslog.
/usr/sbin/logrotate /etc/logrotate.conf>/dev/null 2>&1
# capture logrotate's exit status before any other command overwrites $?
EXITVALUE=$?
# a non-zero status is logged via logger (tag "logrotate") so the failure
# is still recorded even though the job's own stdout/stderr were discarded
if [ $EXITVALUE != 0 ]; then
/usr/bin/logger -t logrotate "ALERT exited abnormally with[$EXITVALUE]"
fi
# exit 0 regardless: the alert above is the only failure signal
exit 0
#查看syslog文件,可以看到日志的創建過程
[root@client01 logrotate.d]# cat syslog
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}
#可以對日志的相關文件進行配置
[root@client01 cron]# cat /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# use date as a suffix of the rotated file
dateext
# uncomment this if you want your log files compressed
#compress
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
minsize 1M
rotate 1
}
/var/log/btmp {
missingok
monthly
create 0600 root utmp
rotate 1
}
# system-specific logs may also be configured here.
五 模擬日志文件的拷貝
#從man中進行示例的拷貝
[root@client01 logrotate.d]# man logrotate.conf
#編輯文件
[root@client01 logrotate.d]# vim /etc/logrotate.conf
[root@client01 logrotate.d]# cat /etc/logrotate.conf
/opt/hongyi.log {
monthly
rotate 2
olddir /opt/old
missingok
create 0600 root hongyi
nocompress
}
#創建用戶
[root@client01 logrotate.d]# useradd hongyi
#創建目錄
[root@client01 logrotate.d]# mkdir /opt/old
#創建文件
[root@client01 logrotate.d]# touch /opt/hongyi.log
#編輯文件
[root@client01 logrotate.d]# vim /opt/hongyi.log
[root@client01 logrotate.d]# ls /opt
aa03.txt hongyi.log old
[root@client01 logrotate.d]# logrotate --help
Usage: logrotate [OPTION...] <configfile>
-d, --debug Don't do anything, just test (implies -v)
-f, --force Force file rotation
-m, --mail=command Command to send mail (instead of `/bin/mail')
-s, --state=statefile Path of state file
-v, --verbose Display messages during rotation
Help options:
-?, --help Show this help message
--usage Display brief usage message
#強制使配置文件生效
[root@client01 logrotate.d]# logrotate -f /etc/logrotate.conf
[root@client01 logrotate.d]# ls /opt
aa03.txt hongyi.log old
#可以看到已經生成了文件
[root@client01 logrotate.d]# ls /opt/old/
hongyi.log-20130805
#日志輪尋
#日志切換
[root@client01 ~]# ls /etc/cron.d
cron.d/ cron.daily/ cron.deny
#查看每天切換的
[root@client01 ~]# ls /etc/cron.daily/
logrotate makewhatis.cron rhsm-complianced
[root@client01 ~]# cat /etc/cron.daily/logrotate
#!/bin/sh
# Daily logrotate driver (/etc/cron.daily): runs logrotate over the main
# config with its output discarded, and reports a failure through syslog.
/usr/sbin/logrotate /etc/logrotate.conf>/dev/null 2>&1
# capture logrotate's exit status before any other command overwrites $?
EXITVALUE=$?
# a non-zero status is logged via logger (tag "logrotate") so the failure
# is still recorded even though the job's own stdout/stderr were discarded
if [ $EXITVALUE != 0 ]; then
/usr/bin/logger -t logrotate "ALERT exited abnormally with[$EXITVALUE]"
fi
# exit 0 regardless: the alert above is the only failure signal
exit 0
[root@client01 ~]# cat /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# use date as a suffix of the rotated file
dateext
# uncomment this if you want your log files compressed
#compress
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
minsize 1M
rotate 1
}
/var/log/btmp {
missingok
monthly
create 0600 root utmp
rotate 1
}
/opt/hongyi.log {
monthly
rotate 2
olddir /opt/old
missingok
create 0600 root hongyi
nocompress
}
# system-specific logs may also be configured here.
[root@client01 ~]# cd /etc/lo
localtime login.defs logrotate.conf logrotate.d/
[root@client01 ~]# cd /etc/logrotate.d/
[root@client01 logrotate.d]# ll
total 24
-rw-r--r--. 1 root root 103 Apr 27 2011 dracut
-rw-r--r--. 1 root root 185 Jun 24 2010 httpd
-rw-r--r--. 1 root root 71 May 5 2011 subscription-manager
-rw-r--r--. 1 root root 228 May 20 2009 syslog
-rw-r--r--. 1 root root 32 Apr 8 2010 up2date
-rw-r--r--. 1 root root 100 Apr 29 2011 yum
#程序切換 日志切換
#日志:很重要
#設置日期
[root@client01 opt]# date -s"2013-08-07"
Wed Aug 7 00:00:00 CST 2013
#強制使文件生效,v顯示過程
[root@client01 opt]# logrotate -fv /etc/logrotate.conf
reading config file /etc/logrotate.conf
including /etc/logrotate.d
reading config file dracut
reading config info for /var/log/dracut.log
reading config file httpd
reading config info for /var/log/httpd/*log
reading config file subscription-manager
reading config info for /var/log/rhsm/*.log
reading config file syslog
reading config info for /var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron
reading config file up2date
reading config info for /var/log/up2date
reading config file yum
reading config info for /var/log/yum.log
reading config info for /var/log/wtmp
reading config info for /var/log/btmp
reading config info for /opt/hongyi.log
olddir is now /opt/old
Handling 9 logs
rotating pattern: /var/log/dracut.log forced from command line (4 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/dracut.log
log does not need rotating
rotating pattern: /var/log/httpd/*log forced from command line (4 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/httpd/access_log
log does not need rotating
considering log /var/log/httpd/error_log
log does not need rotating
not running postrotate script, since no logs were rotated
rotating pattern: /var/log/rhsm/*.log forced from command line (4 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/rhsm/rhsmcertd.log
log does not need rotating
considering log /var/log/rhsm/rhsm.log
log does not need rotating
rotating pattern: /var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron forced from command line (4 rotations)
empty log files are rotated, old logs are removed
considering log /var/log/messages
log needs rotating
considering log /var/log/secure
log needs rotating
considering log /var/log/maillog
log needs rotating
considering log /var/log/spooler
log needs rotating
considering log /var/log/boot.log
log needs rotating
considering log /var/log/cron
log needs rotating
rotating log /var/log/messages, log->rotateCount is 4
dateext suffix '-20130807'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
rotating log /var/log/secure, log->rotateCount is 4
dateext suffix '-20130807'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
rotating log /var/log/maillog, log->rotateCount is 4
dateext suffix '-20130807'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
rotating log /var/log/spooler, log->rotateCount is 4
dateext suffix '-20130807'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
rotating log /var/log/boot.log, log->rotateCount is 4
dateext suffix '-20130807'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
rotating log /var/log/cron, log->rotateCount is 4
dateext suffix '-20130807'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
fscreate context set to system_u:object_r:var_log_t:s0
renaming /var/log/messages to /var/log/messages-20130807
creating new /var/log/messages mode = 0600 uid = 0 gid = 0
fscreate context set to system_u:object_r:var_log_t:s0
renaming /var/log/secure to /var/log/secure-20130807
creating new /var/log/secure mode = 0600 uid = 0 gid = 0
fscreate context set to system_u:object_r:var_log_t:s0
renaming /var/log/maillog to /var/log/maillog-20130807
creating new /var/log/maillog mode = 0600 uid = 0 gid = 0
fscreate context set to system_u:object_r:var_log_t:s0
renaming /var/log/spooler to /var/log/spooler-20130807
creating new /var/log/spooler mode = 0600 uid = 0 gid = 0
fscreate context set to system_u:object_r:var_log_t:s0
renaming /var/log/boot.log to /var/log/boot.log-20130807
creating new /var/log/boot.log mode = 0644 uid = 0 gid = 0
fscreate context set to system_u:object_r:var_log_t:s0
renaming /var/log/cron to /var/log/cron-20130807
creating new /var/log/cron mode = 0600 uid = 0 gid = 0
running postrotate script
rotating pattern: /var/log/up2date forced from command line (4 rotations)
empty log files are rotated, old logs are removed
considering log /var/log/up2date
log /var/log/up2date does not exist -- skipping
rotating pattern: /var/log/yum.log forced from command line (4 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/yum.log
log does not need rotating
rotating pattern: /var/log/wtmp forced from command line (1 rotations)
empty log files are rotated, only log files >= 1048576 bytes are rotated, old logs are removed
considering log /var/log/wtmp
log needs rotating
rotating log /var/log/wtmp, log->rotateCount is 1
dateext suffix '-20130807'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
fscreate context set to system_u:object_r:wtmp_t:s0
renaming /var/log/wtmp to /var/log/wtmp-20130807
creating new /var/log/wtmp mode = 0664 uid = 0 gid = 22
removing old log /var/log/wtmp-20130806
rotating pattern: /var/log/btmp forced from command line (1 rotations)
empty log files are rotated, old logs are removed
considering log /var/log/btmp
log needs rotating
rotating log /var/log/btmp, log->rotateCount is 1
dateext suffix '-20130807'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
fscreate context set to system_u:object_r:faillog_t:s0
renaming /var/log/btmp to /var/log/btmp-20130807
creating new /var/log/btmp mode = 0600 uid = 0 gid = 22
removing old log /var/log/btmp-20130806
rotating pattern: /opt/hongyi.log forced from command line (2 rotations)
olddir is /opt/old, empty log files are rotated, old logs are removed
considering log /opt/hongyi.log
log needs rotating
rotating log /opt/hongyi.log, log->rotateCount is 2
dateext suffix '-20130807'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
fscreate context set to unconfined_u:object_r:usr_t:s0
renaming /opt/hongyi.log to /opt/old/hongyi.log-20130807
creating new /opt/hongyi.log mode = 0600 uid = 0 gid = 500
removing old log /opt/old/hongyi.log-20130805
#可以查看old目錄下的文件
[root@client01 opt]# ls old/
hongyi.log-20130806 hongyi.log-20130807
[root@client01 opt]# cat hongyi.log
#查看文件的權限
[root@client01 opt]# ll
total 8
-rw-r--r--. 1 root root 2436 Aug 7 00:01 aa03.txt
-rw-------. 1 root hongyi 0 Aug 7 00:00 hongyi.log
drwxr-xr-x. 2 root root 4096 Aug 7 00:00 old
六 crontab——定時任務
#延時執行,系統啟動後,檢測還沒有執行的任務。計劃任務
#什麼時候啟動機器,什麼時候檢測
[root@client01 opt]# cat /etc/anacrontab
# /etc/anacrontab: configuration file for anacron
# See anacron(8) and anacrontab(5) for details.
SHELL=/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# the maximal random delay added to the base delay of the jobs
RANDOM_DELAY=45
# the jobs will be started during the following hours only
START_HOURS_RANGE=3-22
#period in days   delay in minutes   job-identifier   command
1 5 cron.daily nice run-parts /etc/cron.daily
7 25 cron.weekly nice run-parts /etc/cron.weekly
@monthly 45 cron.monthly nice run-parts /etc/cron.monthly
#crontab:列出和刪除(-r 會不經確認刪除當前用戶的全部任務,需要提示時可改用 -i)
[root@client01 opt]# crontab -l
* * * * * echo `date` >>/opt/aa03.txt
30 18 * * * init 0
[root@client01 opt]# crontab --help
crontab: invalid option -- '-'
crontab: usage error: unrecognized option
usage: crontab [-u user] file
crontab [-u user] [ -e | -l | -r ]
(default operation is replace, per 1003.2)
-e (edit user's crontab)
-l (list user's crontab)
-r (delete user's crontab)
-i (prompt before deleting user's crontab)
-s (selinux context)
[root@client01 opt]# crontab -r
[root@client01 opt]# crontab -l
no crontab for root