一、日志文件
1.日志的功能
- 用于记录系统、程序运行中发生的各种事件
- 通过阅读日志,有助于诊断和解决系统故障
2.日志文件的分类
- 内核及系统日志
- 由系统服务syslog统一进行管理,日志格式基本相似
- 用户日志
- 记录系统用户登录及退出系统的相关信息
- 程序日志
- 由各种应用程序独立管理的日志文件,记录格式不统一
3.日志保存位置
- 默认位于/var/log目录下
4.主要日志文件介绍
- 内核及公共消息日志:/var/log/messages
- 计划任务日志:/var/log/cron
- 系统引导日志:/var/log/dmesg
- 邮件系统日志:/var/log/maillog
- 用户登录日志:/var/log/lastlog、 /var/log/secure、 /var/log/wtmp、 /var/run/btmp
5.日志的管理
- 由系统服务rsyslogd统一管理
- 软件包:reyelog-7.4.7-16.el7.x86_64
- 主要程序:/sbin/rsyslogd
- 配置文件:/etc/rsyslog.conf
[root@localhost ~]# vim /etc/rsyslog.conf //查看日志文件配置信息 # rsyslog configuration file # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html #### MODULES #### # The imjournal module bellow is now used as a message source instead of imuxsock. $ModLoad imuxsock # provides support for local system logging (e.g. via logger command) $ModLoad imjournal # provides access to the systemd journal #$ModLoad imklog # reads kernel messages (the same are read from journald) #$ModLoad immark # provides --MARK-- message capability # Provides UDP syslog reception #$ModLoad imudp #$UDPServerRun 514 # Provides TCP syslog reception #$ModLoad imtcp #$InputTCPServerRun 514 #### GLOBAL DIRECTIVES #### # Where to place auxiliary files $WorkDirectory /var/lib/rsyslog # Use default timestamp format $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat ...//省略部分内容... [root@localhost ~]# cd /var/log //查看日志文件目录 [root@localhost log]# ls anaconda dmesg libvirt rhsm tallylog Xorg.0.log audit dmesg.old maillog sa tuned Xorg.0.log.old boot.log firewalld messages samba vmware-vgauthsvc.log.0 Xorg.1.log btmp gdm ntpstats secure vmware-vmsvc.log Xorg.9.log chrony glusterfs pluto speech-dispatcher vmware-vmusr.log yum.log cron grubby_prune_debug ppp spooler wpa_supplicant.log cups lastlog qemu-ga sssd wtmp 查看系统日志文件 [root@localhost log]# vim messages //查看系统日志文件 Aug 10 03:53:40 localhost journal: Runtime journal is using 8.0M (max allowed 91.1M, trying to leave 136.7M free of 903.6M available → current limit 91.1M). Aug 10 03:53:40 localhost kernel: Initializing cgroup subsys cpuset Aug 10 03:53:40 localhost kernel: Initializing cgroup subsys cpu Aug 10 03:53:40 localhost kernel: Initializing cgroup subsys cpuacct Aug 10 03:53:40 localhost kernel: Linux version 3.10.0-693.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) ) #1 SMP Tue Aug 22 21:09:27 UTC 2017 Aug 10 03:53:40 localhost kernel: Command line: BOOT_IMAGE=/vmlinuz-3.10.0-693.el7.x86_64 root=UUID=729c9a26-dfdc-40f9-ae91-1ade55be51bb ro crashkernel=auto rhgb quiet LANG=zh_CN.UTF-8 Aug 10 03:53:40 localhost kernel: Disabled fast string operations Aug 10 03:53:40 localhost kernel: e820: BIOS-provided physical RAM map: Aug 10 03:53:40 localhost kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009ebff] usable Aug 10 03:53:40 localhost kernel: BIOS-e820: [mem 0x000000000009ec00-0x000000000009ffff] reserved Aug 10 03:53:40 localhost kernel: BIOS-e820: [mem 0x00000000000dc000-0x00000000000fffff] reserved ...//省略部分内容...
- last命令查看用户登录日志
[root@localhost log]# last root pts/0 192.168.144.1 Mon Sep 2 05:17 still logged in reboot system boot 3.10.0-693.el7.x Mon Sep 2 05:17 - 05:58 (00:40) root pts/0 192.168.144.1 Mon Sep 2 04:11 - crash (01:05) root :0 :0 Mon Sep 2 04:11 - crash (01:05) reboot system boot 3.10.0-693.el7.x Mon Sep 2 04:10 - 05:58 (01:47) root pts/0 :0 Sun Aug 25 01:10 - 01:10 (00:00) root :0 :0 Sun Aug 25 01:10 - crash (8+03:00)
…//省略部分内容…
- lastb查看用户登录次数日志
[root@localhost log]# lastb root :0 :0 Sun Aug 25 01:10 - 01:10 (00:00) root :1 :1 Sat Aug 10 06:26 - 06:26 (00:00) btmp begins Sat Aug 10 06:26:22 2019
- 查看程序日志文件
1、安装httpd服务,搭建Apache网站服务;然后关闭防火墙,使宿主机可以访问
[root@localhost ~]# yum install httpd -y //安装httpd服务 已加载插件:fastestmirror, langpacks Loading mirror speeds from cached hostfile * base: centos.ustc.edu.cn * extras: centos.ustc.edu.cn * updates: centos.ustc.edu.cn 正在解决依赖关系 --> 正在检查事务 ---> 软件包 httpd.x86_64.0.2.4.6-89.el7.centos.1 将被 安装 ...//省略部分内容... [root@localhost ~]# systemctl start httpd //开启服务 [root@localhost ~]# systemctl stop firewalld.service //关闭防火墙 [root@localhost ~]# setenforce 0 [root@localhost ~]# cd /var/log //查看日志文件目录,看是否生成httpd日志闻文件目录 [root@localhost log]# ls anaconda dmesg lastlog qemu-ga sssd wtmp audit dmesg.old libvirt rhsm tallylog Xorg.0.log boot.log firewalld maillog sa tuned Xorg.0.log.old btmp gdm messages samba vmware-vgauthsvc.log.0 Xorg.1.log chrony glusterfs ntpstats secure vmware-vmsvc.log Xorg.9.log cron grubby_prune_debug pluto speech-dispatcher vmware-vmusr.log yum.log cups httpd ppp spooler wpa_supplicant.log
2、通过宿主机访问搭建的网站后,查看系统程序的日志文件
[root@localhost log]# cd httpd //进入httpd程序目录 [root@localhost httpd]# ls access_log error_log [root@localhost httpd]# vim access_log //查看程序日志文件 192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /noindex/css/bootstrap.min.css HTTP/1.1" 200 19341 "http://192.168.144.133/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36" 192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /noindex/css/open-sans.css HTTP/1.1" 200 5081 "http://192.168.144.133/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36" 192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /images/apache_pb.gif HTTP/1.1" 200 2326 "http://192.168.144.133/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36" 192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /images/poweredby.png HTTP/1.1" 200 3956 "http://192.168.144.133/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36" 192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /noindex/css/fonts/Light/OpenSans-Light.woff HTTP/1.1" 404 241 "http://192.168.144.133/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36" 192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /noindex/css/fonts/Bold/OpenSans-Bold.woff HTTP/1.1" 404 239 "http://192.168.144.133/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36" 192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /noindex/css/fonts/Bold/OpenSans-Bold.ttf HTTP/1.1" 404 238 "http://192.168.144.133/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)
6.日志消息的级别
- 0 EMERG(紧急):会导致主机系统不可用的情况
- 1 ALERT(警告):必须马上采取措施解决问题
- 2 CRIT (严重):比较严重的情况
- 3 ERR (错误):运行出现错误
- 4 WARNING(提醒):可能会影响系统功能的事件
- 5 NOTICE (注意):不会影响系统但值得注意
- 6 INFO(信息):一般信息
- 7 DEBUG (调试):程序员调试信息
7.日志管理策略
- 及时做好备份和归档
- 延长日志保存期限
- 控制日志访问权限
- 日志中可能会包含各类敏感信息,如账户、口令等
8.集中管理日志
- 将服务器的日志文件发到统一的日志文件服务器
- 便于日志信息的同一收集、整理和分析
- 杜绝日志信息的意外丢失、恶意篡改或删除
参考琼杰笔记:
评论前必须登录!
注册