日志管理
Linux 十月 11th, 2009日志服务:syslog
分为:kernel logger 内核日志;
system logger 系统日志。
[root@vm5: ~]#service syslog restart
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
查看内核日志用dmesg命令。
[root@vm5: ~]#dmesg
Linux version 2.6.18-8.el5 (brewbuilder@ls20-bc2-14.build.redhat.com) (gcc version 4.1.1 20070105 (Red Hat 4.1.1-52)) #1 SMP Fri Jan 26 14:15:21 EST 2007
BIOS-provided physical RAM map:
BIOS-e820: 0000000000000000 – 000000000009f800 (usable)
BIOS-e820: 000000000009f800 – 00000000000a0000 (reserved)
BIOS-e820: 00000000000ca000 – 00000000000cc000 (reserved)
BIOS-e820: 00000000000dc000 – 0000000000100000 (reserved)
BIOS-e820: 0000000000100000 – 000000000fef0000 (usable)
BIOS-e820: 000000000fef0000 – 000000000feff000 (ACPI data)
BIOS-e820: 000000000feff000 – 000000000ff00000 (ACPI NVS)
BIOS-e820: 000000000ff00000 – 0000000010000000 (usable)
BIOS-e820: 00000000fec00000 – 00000000fec10000 (reserved)
BIOS-e820: 00000000fee00000 – 00000000fee01000 (reserved)
BIOS-e820: 00000000fffe0000 – 0000000100000000 (reserved)
0MB HIGHMEM available.
256MB LOWMEM available.
found SMP MP-table at 000f6cd0
Using x86 segment limits to approximate NX protection
On node 0 totalpages: 65536
DMA zone: 4096 pages, LIFO batch:0
Normal zone: 61440 pages, LIFO batch:15
DMI present.
Using APIC driver default
ACPI: RSDP (v000 PTLTD ) @ 0×000f6c60
ACPI: RSDT (v001 PTLTD RSDT 0×06040000 LTP 0×00000000) @ 0×0fefab5a
—————————————后面内容省略了,太多了—————————————
/var/log/:登录文件放置的目录。
/var/log/messages:是总管所有登录文件的文件(即:日志文件)。
syslog日志服务的配置文件:/etc/syslog.conf 。
[root@vm5: ~]#vim /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don’t log private authentication messages!
*.info;mail.none;news.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
注:-表示异步磁盘数据,有用缓存。
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
#
# INN
#
news.=crit /var/log/news/news.crit
news.=err /var/log/news/news.err
news.notice /var/log/news/news.notice
说明:
日志有:对象.等级
对象.
邮件mail.
内核kern.
打印lpr.
新闻组mark.
news.
安全security. 同于auth.
日志本身syslog.
用户user.
uucp.
用户自定义local0.
…
local7.
.等级
.debug 问题信息 (低级)
.info 正常信息
.notice 通知(友好提示)
.warning
.warn 警告信息
.err
.error 错误信息
.crit 应急信息
.alert 比warning更警告
.emerg
.panic 很紧急,不解决不行了
(高级)
news.=crit 就这一级的信息;不加“=”就从本级到最高级。
news.!crit “!”:取反,除了crit级的信息。
news.*;news.crit;news.err “;”:排除等一个“分号;”后的信息。
*.info;mail.none .none表示不记。
-/var/log/maillog 注:-表示异步磁盘数据,有用缓存。
日志可写到设备上:如:/dev/tty12
日志可写给用户:(三种)
⑴ “用户名”,如:root
⑵ @IP地址,如:@192.168.0.66 表示接收来自192.168.0.66发来的日志,要开启远程管理(加-r) (在客户端)
⑶ *,表示给所有用户。
开启日志服务的远程管理功能,在/etc/sysconfig/syslog文件中设置。
[root@vm5: ~]#vim /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables ‘MARK’ messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS=”-m 0 -r -x” 注:-m:MAC -r:开启远程日志 -x:不DNS
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
# once for processing with ‘ksymoops’
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS=”-x”
#
SYSLOG_UMASK=077
# set this to a umask value to use for all log files as in umask(1).
# By default, all permissions are removed for “group” and “other”.
可以用ps aux | grep syslog 来查看是否开启“日志远程管理”功能。
[root@vm5: ~]#ps aux | grep syslog
root 4338 0.0 0.2 1688 576 ? Ss 05:00 0:00 syslogd -m 0 -r -x
root 4354 0.0 0.2 3884 680 pts/4 S+ 05:01 0:00 grep syslog
例:找本局域网内日志最多的机器。
[root@vm5: ~]#awk ‘{print $4}’ /var/log/messages | sort | uniq -c
297 10.0.4.4 sort:排序 –n:按数字排
413 localhost
1375 vm5
[root@vm5: ~]#awk ‘{print $4}’ /var/log/messages | uniq -c | sort -n
52 vm5 uniq:去除重复行 -c:计数
297 10.0.4.4
413 localhost
544 vm5
779 vm5
[root@vm5: ~]#awk ‘{print $4}’ /var/log/messages | sort | uniq -c | sort -n
297 10.0.4.4
413 localhost
1375 vm5
[root@vm5: ~]#awk ‘{print $4}’ /var/log/messages | sort | uniq -c | sort -nr
1375 vm5
413 localhost
297 10.0.4.4
[root@vm5: ~]#awk ‘{print $4}’ /var/log/messages | sort | uniq -c | sort -nr | head -1
1375 vm5
在/etc/logrotate.d/下,是日志记录的信息。
[root@vm5: /etc/logrotate.d]#ls
acpid cups mgetty ppp rpm sa-update squid tux vsftpd.log
conman httpd named psacct samba setroubleshoot syslog up2date yum
[root@vm5: /etc/logrotate.d]#cat httpd
/var/log/httpd/*log {
missingok
notifempty
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true
endscript
}
配置文件在/etc/logrotate.conf中,用来设置日志来如何记录。
[root@vm5: ~]#vim /etc/logrotate.conf
# see “man logrotate” for details
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
#compress
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp — we’ll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 1
}
# system-specific logs may be also be configured here.
在计划任务中有:/etc/cron.daily/logrotate文件。
[root@vm5: ~]#vim /etc/cron.daily/logrotate
#!/bin/sh
/usr/sbin/logrotate /etc/logrotate.conf
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
/usr/bin/logger -t logrotate “ALERT exited abnormally with [$EXITVALUE]”
fi
exit 0
logger命令,常在脚本中用,使用脚本进入日志。
[root@vm5: ~]#logger -p local0.info “aaaaaa” 注:-p:加对象.级别
[root@vm5: ~]#tail -1 /var/log/messages
Feb 6 05:49:07 vm5 root: aaaaaa
用户名
[root@vm5: ~]#logger -p local.info -t abc “bbbbbb” 注:-t:加标签。
[root@vm5: ~]#tail -1 /var/log/messages
Feb 6 05:51:25 vm5 abc: bbbbbb
标签
日志相关:用iptables记日志。
-j后加LOG –log-level info
日志级别
例:
[root@vm5: ~]#iptables -A INPUT -s 192.168.0.0/24 -p tcp –dport 80 -j LOG –log-level info
[root@vm5: ~]#tail -1 /var/log/messages
Feb 6 05:54:02 vm5 kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
对象名
∵iptables是由内核直接的,只是kernel对象。
∴iptables只能指定其级别。
Post Footer automatically generated by wp-posturl plugin for wordpress.
Recent Comments