分享交流
合作共赢!

CentOS 7日志分析详解【二】

一、日志文件

1.日志的功能

  • 用于记录系统、程序运行中发生的各种事件
  • 通过阅读日志,有助于诊断和解决系统故障

2.日志文件的分类

  • 内核及系统日志
    • 由系统服务syslog统一进行管理,日志格式基本相似
  • 用户日志
    • 记录系统用户登录及退出系统的相关信息
  • 程序日志
    • 由各种应用程序独立管理的日志文件,记录格式不统一

3.日志保存位置

  • 默认位于/var/log目录下

4.主要日志文件介绍

  • 内核及公共消息日志:/var/log/messages
  • 计划任务日志:/var/log/cron
  • 系统引导日志:/var/log/dmesg
  • 邮件系统日志:/var/log/maillog
  • 用户登录日志:/var/log/lastlog、 /var/log/secure、 /var/log/wtmp、 /var/run/btmp

5.日志的管理

  • 由系统服务rsyslogd统一管理
    • 软件包:reyelog-7.4.7-16.el7.x86_64
    • 主要程序:/sbin/rsyslogd
    • 配置文件:/etc/rsyslog.conf
[root@localhost ~]# vim /etc/rsyslog.conf //查看日志文件配置信息
# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
...//省略部分内容...
[root@localhost ~]# cd /var/log //查看日志文件目录
[root@localhost log]# ls
anaconda dmesg libvirt rhsm tallylog Xorg.0.log
audit dmesg.old maillog sa tuned Xorg.0.log.old
boot.log firewalld messages samba vmware-vgauthsvc.log.0 Xorg.1.log
btmp gdm ntpstats secure vmware-vmsvc.log Xorg.9.log
chrony glusterfs pluto speech-dispatcher vmware-vmusr.log yum.log
cron grubby_prune_debug ppp spooler wpa_supplicant.log
cups lastlog qemu-ga sssd wtmp
查看系统日志文件
[root@localhost log]# vim messages //查看系统日志文件
Aug 10 03:53:40 localhost journal: Runtime journal is using 8.0M (max allowed 91.1M, trying to leave 136.7M free of 903.6M available → current limit 91.1M).
Aug 10 03:53:40 localhost kernel: Initializing cgroup subsys cpuset
Aug 10 03:53:40 localhost kernel: Initializing cgroup subsys cpu
Aug 10 03:53:40 localhost kernel: Initializing cgroup subsys cpuacct
Aug 10 03:53:40 localhost kernel: Linux version 3.10.0-693.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) ) #1 SMP Tue Aug 22 21:09:27 UTC 2017
Aug 10 03:53:40 localhost kernel: Command line: BOOT_IMAGE=/vmlinuz-3.10.0-693.el7.x86_64 root=UUID=729c9a26-dfdc-40f9-ae91-1ade55be51bb ro crashkernel=auto rhgb quiet LANG=zh_CN.UTF-8
Aug 10 03:53:40 localhost kernel: Disabled fast string operations
Aug 10 03:53:40 localhost kernel: e820: BIOS-provided physical RAM map:
Aug 10 03:53:40 localhost kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009ebff] usable
Aug 10 03:53:40 localhost kernel: BIOS-e820: [mem 0x000000000009ec00-0x000000000009ffff] reserved
Aug 10 03:53:40 localhost kernel: BIOS-e820: [mem 0x00000000000dc000-0x00000000000fffff] reserved
...//省略部分内容...
  • last命令查看用户登录日志
[root@localhost log]# last
root pts/0 192.168.144.1 Mon Sep 2 05:17 still logged in
reboot system boot 3.10.0-693.el7.x Mon Sep 2 05:17 - 05:58 (00:40)
root pts/0 192.168.144.1 Mon Sep 2 04:11 - crash (01:05)
root :0 :0 Mon Sep 2 04:11 - crash (01:05)
reboot system boot 3.10.0-693.el7.x Mon Sep 2 04:10 - 05:58 (01:47)
root pts/0 :0 Sun Aug 25 01:10 - 01:10 (00:00)
root :0 :0 Sun Aug 25 01:10 - crash (8+03:00)

…//省略部分内容…

  • lastb查看用户登录次数日志
[root@localhost log]# lastb
root :0 :0 Sun Aug 25 01:10 - 01:10 (00:00)
root :1 :1 Sat Aug 10 06:26 - 06:26 (00:00)
btmp begins Sat Aug 10 06:26:22 2019
  • 查看程序日志文件

1、安装httpd服务,搭建Apache网站服务;然后关闭防火墙,使宿主机可以访问

[root@localhost ~]# yum install httpd -y //安装httpd服务
已加载插件:fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: centos.ustc.edu.cn
* extras: centos.ustc.edu.cn
* updates: centos.ustc.edu.cn
正在解决依赖关系
--> 正在检查事务
---> 软件包 httpd.x86_64.0.2.4.6-89.el7.centos.1 将被 安装
...//省略部分内容...
[root@localhost ~]# systemctl start httpd //开启服务
[root@localhost ~]# systemctl stop firewalld.service //关闭防火墙
[root@localhost ~]# setenforce 0
[root@localhost ~]# cd /var/log //查看日志文件目录,看是否生成httpd日志闻文件目录
[root@localhost log]# ls
anaconda dmesg lastlog qemu-ga sssd wtmp
audit dmesg.old libvirt rhsm tallylog Xorg.0.log
boot.log firewalld maillog sa tuned Xorg.0.log.old
btmp gdm messages samba vmware-vgauthsvc.log.0 Xorg.1.log
chrony glusterfs ntpstats secure vmware-vmsvc.log Xorg.9.log
cron grubby_prune_debug pluto speech-dispatcher vmware-vmusr.log yum.log
cups httpd ppp spooler wpa_supplicant.log

2、通过宿主机访问搭建的网站后,查看系统程序的日志文件

关于CentOS 7文件系统与日志分析

[root@localhost log]# cd httpd //进入httpd程序目录
[root@localhost httpd]# ls
access_log error_log
[root@localhost httpd]# vim access_log //查看程序日志文件
192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /noindex/css/bootstrap.min.css HTTP/1.1" 200 19341 "http://192.168.144.133/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /noindex/css/open-sans.css HTTP/1.1" 200 5081 "http://192.168.144.133/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /images/apache_pb.gif HTTP/1.1" 200 2326 "http://192.168.144.133/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /images/poweredby.png HTTP/1.1" 200 3956 "http://192.168.144.133/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /noindex/css/fonts/Light/OpenSans-Light.woff HTTP/1.1" 404 241 "http://192.168.144.133/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /noindex/css/fonts/Bold/OpenSans-Bold.woff HTTP/1.1" 404 239 "http://192.168.144.133/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /noindex/css/fonts/Bold/OpenSans-Bold.ttf HTTP/1.1" 404 238 "http://192.168.144.133/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)

6.日志消息的级别

  • 0 EMERG(紧急):会导致主机系统不可用的情况
  • 1 ALERT(警告):必须马上采取措施解决问题
  • 2 CRIT (严重):比较严重的情况
  • 3 ERR (错误):运行出现错误
  • 4 WARNING(提醒):可能会影响系统功能的事件
  • 5 NOTICE (注意):不会影响系统但值得注意
  • 6 INFO(信息):一般信息
  • 7 DEBUG (调试):程序员调试信息

7.日志管理策略

  • 及时做好备份和归档
  • 延长日志保存期限
  • 控制日志访问权限
  • 日志中可能会包含各类敏感信息,如账户、口令等

8.集中管理日志

  • 将服务器的日志文件发到统一的日志文件服务器
  • 便于日志信息的同一收集、整理和分析
  • 杜绝日志信息的意外丢失、恶意篡改或删除

参考琼杰笔记:

Linux系统日志分析详解【一】

赞(1) 打赏
未经允许不得转载:琼杰笔记 » CentOS 7日志分析详解【二】

评论 抢沙发

评论前必须登录!

 

分享交流,合作共赢!

联系我们加入QQ群

觉得文章有用就打赏一下文章作者

非常感谢你的打赏,我们将继续给力更多优质内容,让我们一起创建更加美好的网络世界!

支付宝扫一扫打赏

微信扫一扫打赏