TQ 试用 WP » log manager http://tq.freehostia.com.freehostia.com TQ 试用中... ... Fri, 19 Mar 2010 06:07:08 +0000 http://wordpress.org/?v=2.8.4 en hourly 1 日志管理 http://tq.freehostia.com.freehostia.com/2009/10/log-manage.html http://tq.freehostia.com.freehostia.com/2009/10/log-manage.html#comments Sun, 11 Oct 2009 03:50:00 +0000 TQ http://tq.freehostia.com.freehostia.com/2009/10/log-manage.html 日志服务:syslog

分为:kernel logger 内核日志;

system logger 系统日志。

[root@vm5: ~]#service syslog restart

Shutting down kernel logger: [ OK ]

Shutting down system logger: [ OK ]

Starting system logger: [ OK ]

Starting kernel logger: [ OK ]

查看内核日志用dmesg命令。

[root@vm5: ~]#dmesg

Linux version 2.6.18-8.el5 (brewbuilder@ls20-bc2-14.build.redhat.com) (gcc version 4.1.1 20070105 (Red Hat 4.1.1-52)) #1 SMP Fri Jan 26 14:15:21 EST 2007

BIOS-provided physical RAM map:

BIOS-e820: 0000000000000000 – 000000000009f800 (usable)

BIOS-e820: 000000000009f800 – 00000000000a0000 (reserved)

BIOS-e820: 00000000000ca000 – 00000000000cc000 (reserved)

BIOS-e820: 00000000000dc000 – 0000000000100000 (reserved)

BIOS-e820: 0000000000100000 – 000000000fef0000 (usable)

BIOS-e820: 000000000fef0000 – 000000000feff000 (ACPI data)

BIOS-e820: 000000000feff000 – 000000000ff00000 (ACPI NVS)

BIOS-e820: 000000000ff00000 – 0000000010000000 (usable)

BIOS-e820: 00000000fec00000 – 00000000fec10000 (reserved)

BIOS-e820: 00000000fee00000 – 00000000fee01000 (reserved)

BIOS-e820: 00000000fffe0000 – 0000000100000000 (reserved)

0MB HIGHMEM available.

256MB LOWMEM available.

found SMP MP-table at 000f6cd0

Using x86 segment limits to approximate NX protection

On node 0 totalpages: 65536

DMA zone: 4096 pages, LIFO batch:0

Normal zone: 61440 pages, LIFO batch:15

DMI present.

Using APIC driver default

ACPI: RSDP (v000 PTLTD ) @ 0×000f6c60

ACPI: RSDT (v001 PTLTD RSDT 0×06040000 LTP 0×00000000) @ 0×0fefab5a

—————————————后面内容省略了,太多了—————————————

/var/log/:登录文件放置的目录。

/var/log/messages:是总管所有登录文件的文件(即:日志文件)。

syslog日志服务的配置文件:/etc/syslog.conf 。

[root@vm5: ~]#vim /etc/syslog.conf

# Log all kernel messages to the console.

# Logging much else clutters up the screen.

#kern.* /dev/console

# Log anything (except mail) of level info or higher.

# Don’t log private authentication messages!

*.info;mail.none;news.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.

authpriv.* /var/log/secure

# Log all the mail messages in one place.

mail.* -/var/log/maillog

注:-表示异步磁盘数据,有用缓存。

# Log cron stuff

cron.* /var/log/cron

# Everybody gets emergency messages

*.emerg *

# Save news errors of level crit and higher in a special file.

uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log

local7.* /var/log/boot.log

#

# INN

#

news.=crit /var/log/news/news.crit

news.=err /var/log/news/news.err

news.notice /var/log/news/news.notice

说明:

日志有:对象.等级

对象.

邮件mail.

内核kern.

打印lpr.

新闻组mark.

news.

安全security. 同于auth.

日志本身syslog.

用户user.

uucp.

用户自定义local0.

local7.

.等级

.debug 问题信息 (低级)

.info 正常信息

.notice 通知(友好提示)

.warning

.warn 警告信息

.err

.error 错误信息

.crit 应急信息

.alert 比warning更警告

.emerg

.panic 很紧急,不解决不行了

(高级)

news.=crit 就这一级的信息;不加“=”就从本级到最高级。

news.!crit “!”:取反,除了crit级的信息。

news.*;news.crit;news.err “;”:排除等一个“分号;”后的信息。

*.info;mail.none .none表示不记。

-/var/log/maillog 注:-表示异步磁盘数据,有用缓存。

日志可写到设备上:如:/dev/tty12

日志可写给用户:(三种)

⑴ “用户名”,如:root

⑵ @IP地址,如:@192.168.0.66 表示接收来自192.168.0.66发来的日志,要开启远程管理(加-r) (在客户端)

⑶ *,表示给所有用户。

开启日志服务的远程管理功能,在/etc/sysconfig/syslog文件中设置。

[root@vm5: ~]#vim /etc/sysconfig/syslog

# Options to syslogd

# -m 0 disables ‘MARK’ messages.

# -r enables logging from remote machines

# -x disables DNS lookups on messages recieved with -r

# See syslogd(8) for more details

SYSLOGD_OPTIONS=”-m 0 -r -x注:-mMAC -r:开启远程日志 -x:不DNS

# Options to klogd

# -2 prints all kernel oops messages twice; once for klogd to decode, and

# once for processing with ‘ksymoops’

# -x disables all klogd processing of oops messages entirely

# See klogd(8) for more details

KLOGD_OPTIONS=”-x”

#

SYSLOG_UMASK=077

# set this to a umask value to use for all log files as in umask(1).

# By default, all permissions are removed for “group” and “other”.

可以用ps aux | grep syslog 来查看是否开启“日志远程管理”功能。

[root@vm5: ~]#ps aux | grep syslog

root 4338 0.0 0.2 1688 576 ? Ss 05:00 0:00 syslogd -m 0 -r -x

root 4354 0.0 0.2 3884 680 pts/4 S+ 05:01 0:00 grep syslog

例:找本局域网内日志最多的机器。

[root@vm5: ~]#awk ‘{print $4}’ /var/log/messages | sort | uniq -c

297 10.0.4.4 sort:排序 –n:按数字排

413 localhost

1375 vm5

[root@vm5: ~]#awk ‘{print $4}’ /var/log/messages | uniq -c | sort -n

52 vm5 uniq:去除重复行 -c:计数

297 10.0.4.4

413 localhost

544 vm5

779 vm5

[root@vm5: ~]#awk ‘{print $4}’ /var/log/messages | sort | uniq -c | sort -n

297 10.0.4.4

413 localhost

1375 vm5

[root@vm5: ~]#awk ‘{print $4}’ /var/log/messages | sort | uniq -c | sort -nr

1375 vm5

413 localhost

297 10.0.4.4

[root@vm5: ~]#awk ‘{print $4}’ /var/log/messages | sort | uniq -c | sort -nr | head -1

1375 vm5

/etc/logrotate.d/下,是日志记录的信息。

[root@vm5: /etc/logrotate.d]#ls

acpid cups mgetty ppp rpm sa-update squid tux vsftpd.log

conman httpd named psacct samba setroubleshoot syslog up2date yum

[root@vm5: /etc/logrotate.d]#cat httpd

/var/log/httpd/*log {

missingok

notifempty

sharedscripts

postrotate

/bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true

endscript

}

配置文件在/etc/logrotate.conf中,用来设置日志来如何记录。

[root@vm5: ~]#vim /etc/logrotate.conf

# see “man logrotate” for details

# rotate log files weekly

weekly

# keep 4 weeks worth of backlogs

rotate 4

# create new (empty) log files after rotating old ones

create

# uncomment this if you want your log files compressed

#compress

# RPM packages drop log rotation information into this directory

include /etc/logrotate.d

# no packages own wtmp — we’ll rotate them here

/var/log/wtmp {

monthly

create 0664 root utmp

rotate 1

}

# system-specific logs may be also be configured here.

在计划任务中有:/etc/cron.daily/logrotate文件。

[root@vm5: ~]#vim /etc/cron.daily/logrotate

#!/bin/sh

/usr/sbin/logrotate /etc/logrotate.conf

EXITVALUE=$?

if [ $EXITVALUE != 0 ]; then

/usr/bin/logger -t logrotate “ALERT exited abnormally with [$EXITVALUE]”

fi

exit 0

logger命令,常在脚本中用,使用脚本进入日志。

[root@vm5: ~]#logger -p local0.info “aaaaaa” 注:-p:加对象.级别

[root@vm5: ~]#tail -1 /var/log/messages

Feb 6 05:49:07 vm5 root: aaaaaa

用户名

[root@vm5: ~]#logger -p local.info -t abc “bbbbbb” 注:-t:加标签。

[root@vm5: ~]#tail -1 /var/log/messages

Feb 6 05:51:25 vm5 abc: bbbbbb

标签

日志相关:用iptables记日志。

-j后加LOG –log-level info

日志级别

例:

[root@vm5: ~]#iptables -A INPUT -s 192.168.0.0/24 -p tcp –dport 80 -j LOG –log-level info

[root@vm5: ~]#tail -1 /var/log/messages

Feb 6 05:54:02 vm5 kernel: ip_tables: (C) 2000-2006 Netfilter Core Team

对象名

∵iptables是由内核直接的,只是kernel对象。

∴iptables只能指定其级别。

]]> http://tq.freehostia.com.freehostia.com/2009/10/log-manage.html/feed 0