
日志管理相關知識

日期:2017/3/1 14:51:35   编辑:關於Linux
日志管理相關知識 一 日志相關文件 [plain] #很關鍵 [root@client01 ~]# ls /var/log/ anaconda.ifcfg.log anaconda.xlog btmp dmesg maillog secure wtmp anaconda.log anaconda.yum.log btmp-20130805 dmesg.old maillog-20130805 secure-20130805 yum.log anaconda.program.log audit ConsoleKit dracut.log messages spooler anaconda.storage.log boot.log cron httpd messages-20130805 spooler-20130805 anaconda.syslog boot.log-20130805 cron-20130805 lastlog rhsm tallylog #關鍵日志,大部分記錄在裡面 [root@client01 ~]# ls /var/log/messages /var/log/messages #系統啟動,硬件相關日志 [root@client01 ~]# ls /var/log/dmesg* /var/log/dmesg /var/log/dmesg.old #登錄安全相關日志 [root@client01 ~]# ls /var/log/secure /var/log/secure #使用ssh登錄,輸入錯誤密碼 [root@larrywen opt]# ssh 192.168.1.11 root@192.168.1.11's password: Permission denied, please try again. root@192.168.1.11's password: Permission denied, please try again. #監控文件,可以看到剛才的登錄失敗已經記錄下來了(記錄的是失敗事件、來源地址和用戶名,並不包含輸入的密碼) [root@client01 ~]# tail -f /var/log/secure [root@client01 ~]# tail -n 4 /var/log/secure Aug 5 14:46:13 client01 sshd[2796]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1 user=root Aug 5 14:46:15 client01 sshd[2796]: Failed password for root from 192.168.1.1 port 50116 ssh2 Aug 5 14:46:23 client01 unix_chkpwd[2800]: password check failed for user (root) Aug 5 14:46:25 client01 sshd[2796]: Failed password for root from 192.168.1.1 port 50116 ssh2 #郵件相關日志 [root@larrywen opt]# ls /var/log/maillog /var/log/maillog #登錄信息日志 [root@client01 ~]# ls /var/log/lastlog #最後登錄的信息 [root@client01 ~]# ls /var/log/lastlog /var/log/lastlog [root@client01 ~]# last #最後登錄錯誤的信息 [root@client01 ~]# lastb #SELINUX相關日志 [root@client01 ~]# ls /var/log/audit/ audit.log [root@client01 ~]# ls /var/log/maillog* /var/log/maillog /var/log/maillog-20130805 #之前日志的備份,一個星期切換一次,會自動備份 maillog-20130805 [root@larrywen 0805]# ls /var/log/maillog* /var/log/maillog /var/log/maillog-20130729 /var/log/maillog-20130805 [root@larrywen 0805]# ls /var/log/boot.log* /var/log/boot.log /var/log/boot.log-20130729 
/var/log/boot.log-20130805 二 日志相關服務 [plain] [root@client01 ~]# ps -ef|grep log #系統日志服務 root 959 1 0 08:49 ? 00:00:00 /sbin/rsyslogd -c 4 root 1133 1 0 08:49 ? 00:00:00 login -- root root 2811 2776 0 14:54 pts/0 00:00:00 grep log [root@client01 ~]# /etc/init.d/rsyslog restart Shutting down system logger: [ OK ] Starting system logger: [ OK ] #rsyslog:日志記錄的位置,指定輸出文件 #日志級別:Debug Warning 三 實驗:日志轉移(一台機器的日志備份到另一台機器) client01: [plain] [root@client01 ~]# ls /etc/*log* /etc/csh.login /etc/login.defs /etc/logrotate.conf /etc/rsyslog.conf /etc/logrotate.d: dracut httpd subscription-manager syslog up2date yum [root@client01 ~]# ls /etc/rsyslog.conf /etc/rsyslog.conf [root@client01 ~]# vim /etc/rsyslog.conf #模塊:實現某個功能的程序 #不要急著寫,支持異步寫。等到一定量的時候才寫,延遲寫(負號的含義) -/var/log/maillog #修改文件 [root@client01 ~]# vim /etc/rsyslog.conf [root@client01 ~]# grep "hongyi" /etc/rsyslog.conf -n 60:local3.* /var/log/hongyi.log #重啟服務 [root@client01 ~]# /etc/init.d/rsyslog restart Shutting down system logger: [ OK ] Starting system logger: [ OK ] #可以查看到生成了這個文件 [root@client01 ~]# ls /var/log/hongyi.log /var/log/hongyi.log #寫日志 [root@client01 ~]# logger -p "local3.info" "this is test" [root@client01 ~]# cat /var/log/hongyi.log Aug 5 15:17:00 client01 root: this is test #我們寫local2.info,發現沒有記錄 [root@client01 ~]# logger -p "local2.info" "this is test" [root@client01 ~]# cat /var/log/hongyi.log Aug 5 15:17:00 client01 root: this is test [root@client01 ~]# logger --help logger: invalid option -- '-' usage: logger [-is] [-f file] [-p pri] [-t tag] [-u socket] [ message ... 
] #性能 #一台機器上的文件保存到另一台機器上 [root@serv02 ~]# grep "UDP" /etc/rsyslog.conf -n -A1 12:# Provides UDP syslog reception 13-$ModLoad imudp.so 14:$UDPServerRun 514 15- [root@serv02 ~]# grep "local3.*" /etc/rsyslog.conf -n 59:local3.* /tmp/up.log [root@larrywen 0805]# man rsyslog.conf serv01: [plain] #rsyslog.conf做如下配置 [root@serv01 ~]# grep local3 /etc/rsyslog.conf -n #192.168.1.12是serv02的IP #@:UDP 服務 #@@:TCP服務 #UDP 轉發不確認送達也不加密,這種配置只適合受信任的內網 60:local3.* @192.168.1.12 #重啟服務 [root@serv01 ~]# /etc/init.d/rsyslog restart Shutting down system logger: [ OK ] Starting system logger: [ OK ] #Serv02配置完後,輸出日志到第二台機器 [root@serv01 ~]# logger -p "local3.info" "hello,world" serv02: [plain] #rsyslog.conf文件做如下配置 [root@serv02 ~]# cat -n /etc/rsyslog.conf | sed "8,9p;/local3/p" -n 8 $ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command) 9 $ModLoad imklog.so # provides kernel logging support (previously done by rklogd) 59 local3.* /tmp/up.log #重啟服務 [root@serv02 ~]# /etc/init.d/rsyslog restart Shutting down system logger: [ OK ] Starting system logger: [ OK ] #查看文件可以看到 [root@serv02 ~]# cat /tmp/up.log Aug 5 15:31:38 serv01 root: hello,world #日志備份 四 定時計劃任務 [plain] [root@client01 ~]# yum install at -y [root@client01 ~]# at now +3 minutes at> echo "hello,wolrd" >/opt/aa01.txt at> <EOT> job 2 at 2013-08-05 16:20 Can't open /var/run/atd.pid to signal atd. No atd running? [root@client01 ~]# /etc/init.d/atd start Starting atd: [ OK ] #相對當前時間 [root@client01 ~]# at now +3 minutes at> echo "hello,wolrd" >/opt/aa01.txt at> <EOT> job 3 at 2013-08-05 16:21 [root@client01 ~]# at -l 3 2013-08-05 16:21 a root 2 2013-08-05 16:20 a root [root@client01 opt]# ll total 20 -rw-r--r--. 1 root root 12 Aug 5 16:20 aa01.txt drwx------. 
2 root root 16384 Jul 23 00:54 lost+found #支持分鐘 小時 天 [root@client01 ~]# at now +1 days [root@client01 opt]# at 16:28 08/05/2013 at> echo "hello,uplooking"> /opt/aa02.txt at> <EOT> job 4 at 2013-08-05 16:28 [root@client01 opt]# at -l 4 2013-08-05 16:28 a root [root@client01 opt]# at 18:20 08/06/2013 at> rm -rf /* <EOT> job 5 at 2013-08-06 18:20 [root@client01 opt]# at -l 5 2013-08-06 18:20 a root 4 2013-08-05 16:28 a root [root@client01 opt]# at --help at: invalid option -- '-' Usage: at [-V] [-q x] [-f file] [-mldbv] time at -c job ... atq [-V] [-q x] atrm [-V] job ... batch #移除 [root@client01 opt]# atrm 5 #列出詳細的任務 [root@client01 opt]# at -l 4 2013-08-05 16:28 a root #執行完後自動清除,本次有效 #crontab:循環有效 [root@client01 opt]# vim /etc/crontab * * * * * echo `date` >> /opt/aa03.txt #添加規則 [root@client01 opt]# crontab -e no crontab for root - using an empty one crontab: installing new crontab 30 18 * * * init 0 1 */2 10-20 7,8 5 wall "Have a holiday" #列出所有的任務 [root@client01 opt]# crontab -l * * * * * echo `date` >>/opt/aa03.txt 30 18 * * * init 0 [root@client01 opt]# crontab --help crontab: invalid option -- '-' crontab: usage error: unrecognized option usage: crontab [-u user] file crontab [-u user] [ -e | -l | -r ] (default operation is replace, per 1003.2) -e (edit user's crontab) -l (list user's crontab) -r (delete user's crontab) -i (prompt before deleting user's crontab) -s (selinux context) #查看編寫的文件 [root@client01 opt]# cd /var/spool/ [root@client01 spool]# ls anacron at cron lpd mail plymouth postfix up2date [root@client01 spool]# cd cron/ [root@client01 cron]# ll total 4 -rw-------. 1 root root 58 Aug 5 16:37 root [root@client01 cron]# cat root * * * * * echo `date` >>/opt/aa03.txt 30 18 * * * init 0 [root@client01 cron]# cd /etc/cron. 
cron.d/ cron.daily/ cron.deny cron.hourly/ cron.monthly/ cron.weekly/ #每小時執行一次 cron.hourly 裡的腳本 [root@client01 cron]# cat /etc/cron.d/0hourly SHELL=/bin/bash PATH=/sbin:/bin:/usr/sbin:/usr/bin MAILTO=root HOME=/ 01 * * * * root run-parts /etc/cron.hourly #每個小時執行的 [root@client01 cron]# cat /etc/cron.hourly/0anacron #!/bin/bash #in case file doesn't exist if test -r /var/spool/anacron/cron.daily; then day=`cat /var/spool/anacron/cron.daily` fi if [ `date +%Y%m%d` = "$day" ]; then exit 0; fi # in case anacron is already running, # there will be log (daemon won't be running twice). if test -x /usr/bin/on_ac_power; then /usr/bin/on_ac_power &> /dev/null if test $? -eq 1; then exit 0 fi fi /usr/sbin/anacron -s #查看每天執行的配置文件 [root@client01 cron]# cat /etc/cron.daily/logrotate #!/bin/sh /usr/sbin/logrotate /etc/logrotate.conf >/dev/null 2>&1 EXITVALUE=$? if [ $EXITVALUE != 0 ]; then /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]" fi exit 0 #查看syslog文件,可以看到日志的創建過程 [root@client01 logrotate.d]# cat syslog /var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron { sharedscripts postrotate /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true endscript } #可以對日志的相關文件進行配置 [root@client01 cron]# cat /etc/logrotate.conf # see "man logrotate" for details # rotate log files weekly weekly # keep 4 weeks worth of backlogs rotate 4 # create new (empty) log files after rotating old ones create # use date as a suffix of the rotated file dateext # uncomment this if you want your log files compressed #compress # RPM packages drop log rotation information into this directory include /etc/logrotate.d # no packages own wtmp and btmp -- we'll rotate them here /var/log/wtmp { monthly create 0664 root utmp minsize 1M rotate 1 } /var/log/btmp { missingok monthly create 0600 root utmp rotate 1 } # system-specific logs may be also be configured here. 
五 模擬日志文件的拷貝 [plain] #從man中進行示例的拷貝 [root@client01 logrotate.d]# man logrotate.conf #編輯文件 [root@client01 logrotate.d]# vim /etc/logrotate.conf [root@client01 logrotate.d]# cat /etc/logrotate.conf /opt/hongyi.log { monthly rotate 2 olddir /opt/old missingok create 0600 root hongyi nocompress } #創建用戶 [root@client01 logrotate.d]# useradd hongyi #創建目錄 [root@client01 logrotate.d]# mkdir /opt/old #創建文件 [root@client01 logrotate.d]# touch /opt/hongyi.log #編輯文件 [root@client01 logrotate.d]# vim /opt/hongyi.log [root@client01 logrotate.d]# ls /opt aa03.txt hongyi.log old [root@client01 logrotate.d]# logrotate --help Usage: logrotate [OPTION...] <configfile> -d, --debug Don't do anything, just test (implies -v) -f, --force Force file rotation -m, --mail=command Command to send mail (instead of `/bin/mail') -s, --state=statefile Path of state file -v, --verbose Display messages during rotation Help options: -?, --help Show this help message --usage Display brief usage message #強制使配置文件生效 [root@client01 logrotate.d]# logrotate -f /etc/logrotate.conf [root@client01 logrotate.d]# ls /opt aa03.txt hongyi.log old #可以看到已經生成了文件 [root@client01 logrotate.d]# ls /opt/old/ hongyi.log-20130805 #日志輪換 #日志切換 [root@client01 ~]# ls /etc/cron.d cron.d/ cron.daily/ cron.deny #查看每天切換的 [root@client01 ~]# ls /etc/cron.daily/ logrotate makewhatis.cron rhsm-complianced [root@client01 ~]# cat /etc/cron.daily/logrotate #!/bin/sh /usr/sbin/logrotate /etc/logrotate.conf >/dev/null 2>&1 EXITVALUE=$? 
if [ $EXITVALUE != 0 ]; then /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]" fi exit 0 [root@client01 ~]# cat /etc/logrotate.conf # see "man logrotate" for details # rotate log files weekly weekly # keep 4 weeks worth of backlogs rotate 4 # create new (empty) log files after rotating old ones create # use date as a suffix of the rotated file dateext # uncomment this if you want your log files compressed #compress # RPM packages drop log rotation information into this directory include /etc/logrotate.d # no packages own wtmp and btmp -- we'll rotate them here /var/log/wtmp { monthly create 0664 root utmp minsize 1M rotate 1 } /var/log/btmp { missingok monthly create 0600 root utmp rotate 1 } /opt/hongyi.log { monthly rotate 2 olddir /opt/old missingok create 0600 root hongyi nocompress } # system-specific logs may be also be configured here. [root@client01 ~]# cd /etc/lo localtime login.defs logrotate.conf logrotate.d/ [root@client01 ~]# cd /etc/logrotate.d/ [root@client01 logrotate.d]# ll total 24 -rw-r--r--. 1 root root 103 Apr 27 2011 dracut -rw-r--r--. 1 root root 185 Jun 24 2010 httpd -rw-r--r--. 1 root root 71 May 5 2011 subscription-manager -rw-r--r--. 1 root root 228 May 20 2009 syslog -rw-r--r--. 1 root root 32 Apr 8 2010 up2date -rw-r--r--. 
1 root root 100 Apr 29 2011 yum #程序切換 日志切換 #日志:很重要 #設置日期 [root@client01 opt]# date -s "2013-08-07" Wed Aug 7 00:00:00 CST 2013 #強制使文件生效,v顯示過程 [root@client01 opt]# logrotate -fv /etc/logrotate.conf reading config file /etc/logrotate.conf including /etc/logrotate.d reading config file dracut reading config info for /var/log/dracut.log reading config file httpd reading config info for /var/log/httpd/*log reading config file subscription-manager reading config info for /var/log/rhsm/*.log reading config file syslog reading config info for /var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron reading config file up2date reading config info for /var/log/up2date reading config file yum reading config info for /var/log/yum.log reading config info for /var/log/wtmp reading config info for /var/log/btmp reading config info for /opt/hongyi.log olddir is now /opt/old Handling 9 logs rotating pattern: /var/log/dracut.log forced from command line (4 rotations) empty log files are not rotated, old logs are removed considering log /var/log/dracut.log log does not need rotating rotating pattern: /var/log/httpd/*log forced from command line (4 rotations) empty log files are not rotated, old logs are removed considering log /var/log/httpd/access_log log does not need rotating considering log /var/log/httpd/error_log log does not need rotating not running postrotate script, since no logs were rotated rotating pattern: /var/log/rhsm/*.log forced from command line (4 rotations) empty log files are not rotated, old logs are removed considering log /var/log/rhsm/rhsmcertd.log log does not need rotating considering log /var/log/rhsm/rhsm.log log does not need rotating rotating pattern: /var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron forced from command line (4 rotations) empty log files are rotated, old logs are removed considering log /var/log/messages log needs rotating considering log /var/log/secure 
log needs rotating considering log /var/log/maillog log needs rotating considering log /var/log/spooler log needs rotating considering log /var/log/boot.log log needs rotating considering log /var/log/cron log needs rotating rotating log /var/log/messages, log->rotateCount is 4 dateext suffix '-20130807' glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]' rotating log /var/log/secure, log->rotateCount is 4 dateext suffix '-20130807' glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]' rotating log /var/log/maillog, log->rotateCount is 4 dateext suffix '-20130807' glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]' rotating log /var/log/spooler, log->rotateCount is 4 dateext suffix '-20130807' glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]' rotating log /var/log/boot.log, log->rotateCount is 4 dateext suffix '-20130807' glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]' rotating log /var/log/cron, log->rotateCount is 4 dateext suffix '-20130807' glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]' fscreate context set to system_u:object_r:var_log_t:s0 renaming /var/log/messages to /var/log/messages-20130807 creating new /var/log/messages mode = 0600 uid = 0 gid = 0 fscreate context set to system_u:object_r:var_log_t:s0 renaming /var/log/secure to /var/log/secure-20130807 creating new /var/log/secure mode = 0600 uid = 0 gid = 0 fscreate context set to system_u:object_r:var_log_t:s0 renaming /var/log/maillog to /var/log/maillog-20130807 creating new /var/log/maillog mode = 0600 uid = 0 gid = 0 fscreate context set to system_u:object_r:var_log_t:s0 renaming /var/log/spooler to /var/log/spooler-20130807 creating new /var/log/spooler mode = 0600 uid = 0 gid = 0 fscreate context set to system_u:object_r:var_log_t:s0 renaming /var/log/boot.log to /var/log/boot.log-20130807 creating new /var/log/boot.log mode = 0644 uid = 0 gid = 0 fscreate context set to system_u:object_r:var_log_t:s0 renaming /var/log/cron to /var/log/cron-20130807 creating new /var/log/cron mode = 0600 
uid = 0 gid = 0 running postrotate script rotating pattern: /var/log/up2date forced from command line (4 rotations) empty log files are rotated, old logs are removed considering log /var/log/up2date log /var/log/up2date does not exist -- skipping rotating pattern: /var/log/yum.log forced from command line (4 rotations) empty log files are not rotated, old logs are removed considering log /var/log/yum.log log does not need rotating rotating pattern: /var/log/wtmp forced from command line (1 rotations) empty log files are rotated, only log files >= 1048576 bytes are rotated, old logs are removed considering log /var/log/wtmp log needs rotating rotating log /var/log/wtmp, log->rotateCount is 1 dateext suffix '-20130807' glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]' fscreate context set to system_u:object_r:wtmp_t:s0 renaming /var/log/wtmp to /var/log/wtmp-20130807 creating new /var/log/wtmp mode = 0664 uid = 0 gid = 22 removing old log /var/log/wtmp-20130806 rotating pattern: /var/log/btmp forced from command line (1 rotations) empty log files are rotated, old logs are removed considering log /var/log/btmp log needs rotating rotating log /var/log/btmp, log->rotateCount is 1 dateext suffix '-20130807' glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]' fscreate context set to system_u:object_r:faillog_t:s0 renaming /var/log/btmp to /var/log/btmp-20130807 creating new /var/log/btmp mode = 0600 uid = 0 gid = 22 removing old log /var/log/btmp-20130806 rotating pattern: /opt/hongyi.log forced from command line (2 rotations) olddir is /opt/old, empty log files are rotated, old logs are removed considering log /opt/hongyi.log log needs rotating rotating log /opt/hongyi.log, log->rotateCount is 2 dateext suffix '-20130807' glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]' fscreate context set to unconfined_u:object_r:usr_t:s0 renaming /opt/hongyi.log to /opt/old/hongyi.log-20130807 creating new /opt/hongyi.log mode = 0600 uid = 0 gid = 500 removing old 
log /opt/old/hongyi.log-20130805 #可以查看old目錄下的文件 [root@client01 opt]# ls old/ hongyi.log-20130806 hongyi.log-20130807 [root@client01 opt]# cat hongyi.log #查看文件的權限 [root@client01 opt]# ll total 8 -rw-r--r--. 1 root root 2436 Aug 7 00:01 aa03.txt -rw-------. 1 root hongyi 0 Aug 7 00:00 hongyi.log drwxr-xr-x. 2 root root 4096 Aug 7 00:00 old 六 crontab——定時任務 [plain] #anacron:延時執行,系統啟動後檢測還沒有執行的計劃任務 #什麼時候啟動機器,什麼時候檢測 [root@client01 opt]# cat /etc/anacrontab # /etc/anacrontab: configuration file for anacron # See anacron(8) and anacrontab(5) for details. SHELL=/bin/sh PATH=/sbin:/bin:/usr/sbin:/usr/bin MAILTO=root # the maximal random delay added to the base delay of the jobs RANDOM_DELAY=45 # the jobs will be started during the following hours only START_HOURS_RANGE=3-22 #period in days delay in minutes job-identifier command 1 5 cron.daily nice run-parts /etc/cron.daily 7 25 cron.weekly nice run-parts /etc/cron.weekly @monthly 45 cron.monthly nice run-parts /etc/cron.monthly #crontab:列出和刪除 [root@client01 opt]# crontab -l * * * * * echo `date` >>/opt/aa03.txt 30 18 * * * init 0 [root@client01 opt]# crontab --help crontab: invalid option -- '-' crontab: usage error: unrecognized option usage: crontab [-u user] file crontab [-u user] [ -e | -l | -r ] (default operation is replace, per 1003.2) -e (edit user's crontab) -l (list user's crontab) -r (delete user's crontab) -i (prompt before deleting user's crontab) -s (selinux context) [root@client01 opt]# crontab -r [root@client01 opt]# crontab -l no crontab for root