Linux System Log Management

Posted by 江湖有缘 on 2023/01/09 22:41:51
[Abstract] Linux system log management


I. The systemd-journald service

1. Introduction to systemd-journald

# The core service for system event logging
# Collects messages from the kernel, the early boot stage, process start-up, the standard output and standard error of running processes, and syslog events
# Stores them in binary journal files; this storage is volatile and is not retained across a reboot

2. Default location of the system journal

The journal is stored under /run/log/journal

[root@tianyi 4f596c775d924b618367d1c448fd5578]# pwd
/run/log/journal/4f596c775d924b618367d1c448fd5578
[root@tianyi 4f596c775d924b618367d1c448fd5578]# ls
system@f51ef91c90ff4fd48133fe727841edb8-000000000011b8bf-0005c7be331e995d.journal
system@f51ef91c90ff4fd48133fe727841edb8-000000000011d6a0-0005c7c4724c57e6.journal
system@f51ef91c90ff4fd48133fe727841edb8-000000000011f42f-0005c7cab33cc55b.journal
system@f51ef91c90ff4fd48133fe727841edb8-0000000000121201-0005c7cf0099fa95.journal
system@f51ef91c90ff4fd48133fe727841edb8-0000000000122fca-0005c7db1bc72be2.journal
system@f51ef91c90ff4fd48133fe727841edb8-0000000000124d63-0005c7e173a7688d.journal
system@f51ef91c90ff4fd48133fe727841edb8-0000000000126bf3-0005c7e70d3d55d0.journal
system@f51ef91c90ff4fd48133fe727841edb8-0000000000128a4c-0005c7ebf2c2f08f.journal
system@f51ef91c90ff4fd48133fe727841edb8-000000000012a845-0005c7ef788f2d0b.journal
system@f51ef91c90ff4fd48133fe727841edb8-000000000012c602-0005c7f31a53c98f.journal
system@f51ef91c90ff4fd48133fe727841edb8-000000000012e3d8-0005c7f8cdf9eace.journal
system.journal

3. Modifying the systemd-journald configuration file

① Configuration file location

/etc/systemd/journald.conf

② Configuration options (Storage=)

persistent: store the journal in /var/log/journal; if that directory does not exist, the systemd-journald service creates it automatically.
volatile: store the journal in the volatile directory /run/log/journal; if that directory does not exist, the systemd-journald service creates it automatically.
auto: if /var/log/journal exists, rsyslog uses persistent storage, otherwise volatile storage. This is the default.

[root@tianyi systemd]# grep auto journald.conf 
#Storage=auto

4. Retrieving log messages

① Relevant journalctl options and match fields

-n  show only the last N messages (default: the last 10)
-f  follow new messages, similar to tail -f
-p  show messages at the given priority and above (more severe)
--since / --until  restrict the output to a time range, using formats such as "YYYY-MM-DD hh:mm:ss"
-o verbose  show the full detail of each entry
_PID  PID of the process
_UID  user ID the process runs as
_SYSTEMD_UNIT  systemd unit that started the process
_COMM  name of the command
_EXE  path of the process's executable


② Example

[root@tianyi systemd]# journalctl -n 5  _SYSTEMD_UNIT=sshd.service
-- Logs begin at Fri 2021-07-23 06:56:38 CST, end at Mon 2021-07-26 23:20:45 CST. --
Jul 26 23:20:33 tianyi sshd[10011]: pam_unix(sshd:auth): check pass; user unknown
Jul 26 23:20:33 tianyi sshd[10011]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.117.46.219
Jul 26 23:20:36 tianyi sshd[10011]: Failed password for invalid user vbox from 1.117.46.219 port 41028 ssh2
Jul 26 23:20:36 tianyi sshd[10011]: Received disconnect from 1.117.46.219 port 41028:11: Bye Bye [preauth]
Jul 26 23:20:36 tianyi sshd[10011]: Disconnected from invalid user vbox 1.117.46.219 port 41028 [preauth
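The sshd lines above are exactly the kind of journal output a defender wants to scan automatically. As an added example (not code from the original post), the snippet below counts "Failed password" events per source address in such lines and lists the sources over a threshold; the extra sample lines for 203.0.113.7 and the threshold of 3 are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the sshd lines from the journalctl output above,
# plus three made-up failures from a documentation-range address.
SAMPLE_LOG = """\
Jul 26 23:20:33 tianyi sshd[10011]: pam_unix(sshd:auth): check pass; user unknown
Jul 26 23:20:33 tianyi sshd[10011]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.117.46.219
Jul 26 23:20:36 tianyi sshd[10011]: Failed password for invalid user vbox from 1.117.46.219 port 41028 ssh2
Jul 26 23:20:36 tianyi sshd[10011]: Received disconnect from 1.117.46.219 port 41028:11: Bye Bye [preauth]
Jul 26 23:21:01 tianyi sshd[10020]: Failed password for root from 203.0.113.7 port 50001 ssh2
Jul 26 23:21:04 tianyi sshd[10021]: Failed password for invalid user admin from 203.0.113.7 port 50002 ssh2
Jul 26 23:21:09 tianyi sshd[10022]: Failed password for invalid user test from 203.0.113.7 port 50003 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user vbox from ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<rhost>\S+) port (?P<port>\d+)"
)


def failed_logins(log_text):
    """Return (failures per source address, user names tried per source)."""
    per_source = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            per_source[m["rhost"]] += 1
            users[m["rhost"]].add(m["user"])
    return per_source, dict(users)


def suspicious_sources(log_text, threshold=3):
    """Sources with at least `threshold` failures, most active first."""
    per_source, _ = failed_logins(log_text)
    return [host for host, n in per_source.most_common() if n >= threshold]


if __name__ == "__main__":
    counts, tried = failed_logins(SAMPLE_LOG)
    for host in suspicious_sources(SAMPLE_LOG):
        print(f"{host}: {counts[host]} failures, users {sorted(tried[host])}")
```

On a live system the same functions can be fed the output of `journalctl _SYSTEMD_UNIT=sshd.service` instead of the embedded sample.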

II. The rsyslog service

1. Log file locations

/var/log/messages  most system log messages are recorded in this file
/var/log/secure  security-related messages, such as creating users, changing passwords and switching users
/var/log/cron  messages related to scheduled tasks (cron)
/var/log/maillog  mail-related messages
/var/log/boot.log  boot-related messages

2. Log message types (facilities)

lpr: printing-related messages
auth: authentication-related messages
user: user-level messages
cron: scheduled-task messages
kern: kernel messages
mail: mail-related messages
daemon: system service (daemon) messages
authpriv: authorization-related messages
security: security-related messages
local0-local7: facilities reserved for custom (local) use

3. Log message priorities

Priority  Code  Severity
none      -     nothing is logged
emerg     0     serious conditions such as a kernel crash
alert     1     conditions that must be corrected immediately
crit      2     critical errors
err       3     errors
warning   4     warnings
notice    5     normal but significant conditions
info      6     informational messages
debug     7     debug messages

4. Custom log rules

① Rule format

facility.priority Target

mail.info /var/log/maillog   messages at the given level and higher, the level itself included, are saved to /var/log/maillog
mail.=info /var/log/maillog  only messages at exactly level info are saved to /var/log/maillog
mail.!info /var/log/maillog  every level except the given one is saved to /var/log/maillog
*.info /var/log/maillog      info-level messages of every facility are saved to /var/log/maillog
mail.* /var/log/maillog      all levels of the mail facility are saved to /var/log/maillog
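To make the selector semantics above concrete, here is an added example (not code from the original post) that matches `facility.priority` selectors against a message and lists the targets a small constructed rule set would route it to. The `!` form follows the description given above (every level except the named one); facility and priority names are those listed on this page, and the forwarding target reuses the server address from the client configuration later in the post.

```python
# Priorities ordered by severity code 0..7 (most severe first).
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {"lpr", "auth", "user", "cron", "kern", "mail", "daemon",
              "authpriv", "security"} | {f"local{i}" for i in range(8)}

# Constructed sample rules in "selector target" form.
RULES = """\
mail.info   /var/log/maillog
cron.*      /var/log/cron
*.info      @192.168.200.129
"""


def parse_selector(selector):
    """Split 'mail.=info' into (facility, operator, priority)."""
    facility, _, prio = selector.partition(".")
    op = ""
    if prio[:1] in ("=", "!"):
        op, prio = prio[0], prio[1:]
    if not (facility == "*" or facility in FACILITIES):
        raise ValueError(f"unknown facility in {selector!r}")
    if prio not in PRIORITIES and prio not in ("*", "none"):
        raise ValueError(f"unknown priority in {selector!r}")
    return facility, op, prio


def selector_matches(selector, msg_facility, msg_priority):
    """Does a message with (facility, priority) match this selector?"""
    facility, op, prio = parse_selector(selector)
    if facility != "*" and facility != msg_facility:
        return False
    if prio == "none":      # facility explicitly excluded
        return False
    if prio == "*":         # every level of the facility
        return True
    level, msg_level = PRIORITIES.index(prio), PRIORITIES.index(msg_priority)
    if op == "=":           # exactly this level
        return msg_level == level
    if op == "!":           # every level except this one (as described above)
        return msg_level != level
    return msg_level <= level   # this level and anything more severe


def targets_for(rules, msg_facility, msg_priority):
    """Targets (files or @host) a message would be written to under `rules`."""
    targets = []
    for line in rules.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and selector_matches(parts[0], msg_facility, msg_priority):
            targets.append(parts[1])
    return targets
```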

III. Viewing logs

[root@tianyi log]# grep -E -C 5 '(err|not|no)' messages
Jul 25 05:44:39 tianyi systemd[1]: dev-disk-by\x2duuid-c30fcda5\x2dd830\x2d4c90\x2db818\x2d831e33389b2e.device: Job dev-disk-by\x2duuid-c30fcda5\x2dd830\x2d4c90\x2db818\x2d831e33389b2e.device/start timed out.
Jul 25 05:44:39 tianyi systemd[1]: Timed out waiting for device dev-disk-by\x2duuid-c30fcda5\x2dd830\x2d4c90\x2db818\x2d831e33389b2e.device.
Jul 25 05:44:39 tianyi systemd[1]: Dependency failed for /dev/disk/by-uuid/c30fcda5-d830-4c90-b818-831e33389b2e.
Jul 25 05:44:39 tianyi systemd[1]: dev-disk-by\x2duuid-c30fcda5\x2dd830\x2d4c90\x2db818\x2d831e33389b2e.swap: Job dev-disk-by\x2duuid-c30fcda5\x2dd830\x2d4c90\x2db818\x2d831e33389b2e.swap/start failed with result 'dependency'.
Jul 25 05:44:39 tianyi systemd[1]: dev-disk-by\x2duuid-c30fcda5\x2dd830\x2d4c90\x2db818\x2d831e33389b2e.device: Job dev-disk-by\x2duuid-c30fcda5\x2dd830\x2d4c90\x2db818\x2d831e33389b2e.device/start failed with result 'timeout'.
Jul 25 07:40:57 tianyi rsyslogd[1750]: imjournal: sd_journal_get_cursor() failed: Cannot assign requested address [v8.37.0-9.el8]
Jul 25 07:40:57 tianyi rsyslogd[1750]: imjournal: journal reloaded... [v8.37.0-9.el8 try http://www.rsyslog.com/e/0 ]
Jul 25 07:41:56 tianyi systemd[1]: Starting dnf makecache...
Jul 25 07:42:02 tianyi dnf[6483]: Docker CE Stable - x86_64                       690  B/s | 3.5 kB     00:05
Jul 25 07:42:07 tianyi dnf[6483]: Zabbix                                          590  B/s | 2.9 kB     00:05
Jul 25 07:42:12 tianyi dnf[6483]: huawei-AppStream                                875  B/s | 4.3 kB     00:05
--
Jul 25 13:17:42 tianyi NetworkManager[1936]: <info>  [1627190262.1609] dhcp4 (eth0):   hostname 'host-192-168-1-209'
Jul 25 13:17:42 tianyi NetworkManager[1936]: <info>  [1627190262.1609] dhcp4 (eth0):   gateway 192.168.1.1
Jul 25 13:17:42 tianyi NetworkManager[1936]: <info>  [1627190262.1609] dhcp4 (eth0):   static route 169.254.169.254/32 gw 192.168.1.254
Jul 25 13:17:42 tianyi NetworkManager[1936]: <info>  [1627190262.1609] dhcp4 (eth0):   mtu 1500
Jul 25 13:17:42 tianyi NetworkManager[1936]: <info>  [1627190262.1611] dhcp4 (eth0): state changed bound -> bound
Jul 25 13:17:42 tianyi dbus-daemon[614]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service' requested by ':1.33' (uid=0 pid=1936 comm="/usr/sbin/NetworkManager --no-daemon ")
Jul 25 13:17:42 tianyi systemd[1]: Starting Network Manager Script Dispatcher Service...
Jul 25 13:17:42 tianyi dbus-daemon[614]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Jul 25 13:17:42 tianyi systemd[1]: Started Network Manager Script Dispatcher Service.
Jul 25 13:17:42 tianyi nm-dispatcher[11673]: req:1 'dhcp4-change' [eth0]: new request (5 scripts)
Jul 25 13:17:42 tianyi nm-dispatcher[11673]: req:1 'dhcp4-change' [eth0]: start running ordered scripts...
Jul 25 13:19:12 tianyi systemd[1]: dev-disk-by\x2duuid-c30fcda5\x2dd830\x2d4c90\x2db818\x2d831e33389b2e.device: Job dev-disk-by\x2duuid-c30fcda5\x2dd830\x2d4c90\x2db818\x2d831e33389b2e.device/start timed out.
Jul 25 13:19:12 tianyi systemd[1]: Timed out waiting for device dev-disk-by\x2duuid-c30fcda5\x2dd830\x2d4c90\x2db818\x2d831e33389b2e.device.

IV. Setting up a log server

1. Introduction to the log server

rsyslog uses a client/server architecture, can work over TCP or UDP, and listens on port 514 by default.

2. Server configuration

① Edit the server configuration file

[root@IT-01 log]# vim  /etc/rsyslog.conf 
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")


② Restart the service and stop the firewall

[root@IT-01 log]# systemctl restart rsyslog.service 
[root@IT-01 log]# systemctl stop firewalld

3. Client configuration

① Edit the configuration file

 vim  /etc/rsyslog.conf 

*.info                        @192.168.200.129


② Restart the service

[root@node1 ~]# systemctl restart rsyslog.service 

4. Testing log forwarding

Check on the server side

[root@IT-01 log]# tail -n 5 /var/log/messages
Jul 27 00:03:02 node1 dnf[3099]: Repository AppStream is listed more than once in the configuration
Jul 27 00:03:02 node1 dnf[3099]: Repository BaseOS is listed more than once in the configuration
Jul 27 00:03:02 node1 dnf[3099]: Repository AppStream is listed more than once in the configuration
Jul 27 00:03:02 node1 dnf[3099]: Repository BaseOS is listed more than once in the configuration
Jul 27 00:03:13 node1 dnf[3099]: CentOS-8 - AppStream - mirrors.aliyun.com       0.0  B/s |   0  B     00:10

V. Log rotation

1. Introduction to logrotate

The logrotate tool rotates log files to prevent them from taking up too much disk space.

Configuration files:
/etc/logrotate.conf
/etc/logrotate.d/*

2. Viewing the log directory

[root@IT-01 log]# ls
anaconda           cron                      firewalld            maillog-20210623   qemu-ga            spooler-20210725      vmware-network.9.log
audit              cron-20210623             gdm                  maillog-20210707   rhsm               sssd                  vmware-network.log
boot.log           cron-20210707             glusterfs            maillog-20210717   samba              swtpm                 vmware-vgauthsvc.log.0
boot.log-20210506  cron-20210717             hawkey.log           maillog-20210725   secure             tuned                 vmware-vmsvc-root.log
boot.log-20210507  cron-20210725             hawkey.log-20210623  messages           secure-20210623    vmware                vmware-vmtoolsd-root.log
boot.log-20210508  cups                      hawkey.log-20210707  messages-20210623  secure-20210707    vmware-network.1.log  vmware-vmusr-root.log
boot.log-20210511  dnf.librepo.log           hawkey.log-20210717  messages-20210707  secure-20210717    vmware-network.2.log  wtmp
boot.log-20210531  dnf.librepo.log-20210623  hawkey.log-20210725  messages-20210717  secure-20210725    vmware-network.3.log  zabbix
boot.log-20210613  dnf.librepo.log-20210707  httpd                messages-20210725  speech-dispatcher  vmware-network.4.log
boot.log-20210722  dnf.librepo.log-20210717  lastlog              mysql              spooler            vmware-network.5.log
btmp               dnf.librepo.log-20210725  libvirt              php-fpm            spooler-20210623   vmware-network.6.log
btmp-20210707      dnf.log                   mail                 ppp                spooler-20210707   vmware-network.7.log
chrony             dnf.rpm.log               maillog              private            spooler-20210717   vmware-network.8.log
