一、日志文件

1.日志的功能

• 用于记录系统、程序运行中发生的各种事件
• 通过阅读日志，有助于诊断和解决系统故障

2.日志文件的分类

• 内核及系统日志
  • 由系统服务syslog统一进行管理，日志格式基本相似
• 用户日志
  • 记录系统用户登录及退出系统的相关信息
• 程序日志
  • 由各种应用程序独立管理的日志文件，记录格式不统一

3.日志保存位置

• 默认位于/var/log目录下

4.主要日志文件介绍

• 内核及公共消息日志：/var/log/messages
• 计划任务日志：/var/log/cron
• 系统引导日志：/var/log/dmesg
• 邮件系统日志：/var/log/maillog
• 用户登录日志：/var/log/lastlog、 /var/log/secure、 /var/log/wtmp、 /var/run/btmp

5.日志的管理

• 由系统服务rsyslogd统一管理
  • 软件包：reyelog-7.4.7-16.el7.x86_64
  • 主要程序：/sbin/rsyslogd
  • 配置文件：/etc/rsyslog.conf

[root@localhost ~]# vim /etc/rsyslog.conf //查看日志文件配置信息
# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
...//省略部分内容...
[root@localhost ~]# cd /var/log //查看日志文件目录
[root@localhost log]# ls
anaconda dmesg libvirt rhsm tallylog Xorg.0.log
audit dmesg.old maillog sa tuned Xorg.0.log.old
boot.log firewalld messages samba vmware-vgauthsvc.log.0 Xorg.1.log
btmp gdm ntpstats secure vmware-vmsvc.log Xorg.9.log
chrony glusterfs pluto speech-dispatcher vmware-vmusr.log yum.log
cron grubby_prune_debug ppp spooler wpa_supplicant.log
cups lastlog qemu-ga sssd wtmp
查看系统日志文件
[root@localhost log]# vim messages //查看系统日志文件
Aug 10 03:53:40 localhost journal: Runtime journal is using 8.0M (max allowed 91.1M, trying to leave 136.7M free of 903.6M available → current limit 91.1M).
Aug 10 03:53:40 localhost kernel: Initializing cgroup subsys cpuset
Aug 10 03:53:40 localhost kernel: Initializing cgroup subsys cpu
Aug 10 03:53:40 localhost kernel: Initializing cgroup subsys cpuacct
Aug 10 03:53:40 localhost kernel: Linux version 3.10.0-693.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) ) #1 SMP Tue Aug 22 21:09:27 UTC 2017
Aug 10 03:53:40 localhost kernel: Command line: BOOT_IMAGE=/vmlinuz-3.10.0-693.el7.x86_64 root=UUID=729c9a26-dfdc-40f9-ae91-1ade55be51bb ro crashkernel=auto rhgb quiet LANG=zh_CN.UTF-8
Aug 10 03:53:40 localhost kernel: Disabled fast string operations
Aug 10 03:53:40 localhost kernel: e820: BIOS-provided physical RAM map:
Aug 10 03:53:40 localhost kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009ebff] usable
Aug 10 03:53:40 localhost kernel: BIOS-e820: [mem 0x000000000009ec00-0x000000000009ffff] reserved
Aug 10 03:53:40 localhost kernel: BIOS-e820: [mem 0x00000000000dc000-0x00000000000fffff] reserved
...//省略部分内容...

• last命令查看用户登录日志

[root@localhost log]# last
root pts/0 192.168.144.1 Mon Sep 2 05:17 still logged in
reboot system boot 3.10.0-693.el7.x Mon Sep 2 05:17 - 05:58 (00:40)
root pts/0 192.168.144.1 Mon Sep 2 04:11 - crash (01:05)
root :0 :0 Mon Sep 2 04:11 - crash (01:05)
reboot system boot 3.10.0-693.el7.x Mon Sep 2 04:10 - 05:58 (01:47)
root pts/0 :0 Sun Aug 25 01:10 - 01:10 (00:00)
root :0 :0 Sun Aug 25 01:10 - crash (8+03:00)

…//省略部分内容…

• lastb查看用户登录次数日志

[root@localhost log]# lastb
root :0 :0 Sun Aug 25 01:10 - 01:10 (00:00)
root :1 :1 Sat Aug 10 06:26 - 06:26 (00:00)
btmp begins Sat Aug 10 06:26:22 2019

• 查看程序日志文件

1、安装httpd服务，搭建Apache网站服务；然后关闭防火墙，使宿主机可以访问

[root@localhost ~]# yum install httpd -y //安装httpd服务
已加载插件：fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: centos.ustc.edu.cn
* extras: centos.ustc.edu.cn
* updates: centos.ustc.edu.cn
正在解决依赖关系
--> 正在检查事务
---> 软件包 httpd.x86_64.0.2.4.6-89.el7.centos.1 将被 安装
...//省略部分内容...
[root@localhost ~]# systemctl start httpd //开启服务
[root@localhost ~]# systemctl stop firewalld.service //关闭防火墙
[root@localhost ~]# setenforce 0
[root@localhost ~]# cd /var/log //查看日志文件目录,看是否生成httpd日志闻文件目录
[root@localhost log]# ls
anaconda dmesg lastlog qemu-ga sssd wtmp
audit dmesg.old libvirt rhsm tallylog Xorg.0.log
boot.log firewalld maillog sa tuned Xorg.0.log.old
btmp gdm messages samba vmware-vgauthsvc.log.0 Xorg.1.log
chrony glusterfs ntpstats secure vmware-vmsvc.log Xorg.9.log
cron grubby_prune_debug pluto speech-dispatcher vmware-vmusr.log yum.log
cups httpd ppp spooler wpa_supplicant.log

2、通过宿主机访问搭建的网站后，查看系统程序的日志文件

[root@localhost log]# cd httpd //进入httpd程序目录
[root@localhost httpd]# ls
access_log error_log
[root@localhost httpd]# vim access_log //查看程序日志文件
192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /noindex/css/bootstrap.min.css HTTP/1.1" 200 19341 "http://192.168.144.133/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /noindex/css/open-sans.css HTTP/1.1" 200 5081 "http://192.168.144.133/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /images/apache_pb.gif HTTP/1.1" 200 2326 "http://192.168.144.133/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /images/poweredby.png HTTP/1.1" 200 3956 "http://192.168.144.133/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /noindex/css/fonts/Light/OpenSans-Light.woff HTTP/1.1" 404 241 "http://192.168.144.133/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /noindex/css/fonts/Bold/OpenSans-Bold.woff HTTP/1.1" 404 239 "http://192.168.144.133/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /noindex/css/fonts/Bold/OpenSans-Bold.ttf HTTP/1.1" 404 238 "http://192.168.144.133/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)

6.日志消息的级别

• 0 EMERG（紧急）：会导致主机系统不可用的情况
• 1 ALERT（警告）：必须马上采取措施解决问题
• 2 CRIT （严重）：比较严重的情况
• 3 ERR （错误）：运行出现错误
• 4 WARNING（提醒）：可能会影响系统功能的事件
• 5 NOTICE （注意）：不会影响系统但值得注意
• 6 INFO（信息）：一般信息
• 7 DEBUG (调试)：程序员调试信息

7.日志管理策略

• 及时做好备份和归档
• 延长日志保存期限
• 控制日志访问权限
• 日志中可能会包含各类敏感信息，如账户、口令等

8.集中管理日志

• 将服务器的日志文件发到统一的日志文件服务器
• 便于日志信息的同一收集、整理和分析
• 杜绝日志信息的意外丢失、恶意篡改或删除

参考琼杰笔记：

Linux系统日志分析详解【一】