20190306 Log management and network file sharing services

Log management:
syslogd: records the logs of system applications
klogd: records the logs of the Linux kernel
rsyslog:
Package: rsyslog    Main program: /usr/sbin/rsyslogd
CentOS 6: service rsyslog {start|stop|restart|status}
CentOS 7: /usr/lib/systemd/system/rsyslog.service
Configuration files: /etc/rsyslog.conf, /etc/rsyslog.d/*.conf    Library files: /lib64/rsyslog/*.so
Targets (where a rule delivers its messages):
  file path: usually under /var/log/; a - in front of the path means the file is written asynchronously
  user: deliver the log event to the named user(s); * means every logged-in user
  log server: @host, send the log to the named remote server for recording
  pipe: | COMMAND, hand the message to another command for processing
[root@centos7 ~]#systemctl status rsyslog
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2019-03-05 21:09:44 CST; 23h ago
Docs: man:rsyslogd(8)
http://www.rsyslog.com/doc/
Main PID: 6666 (rsyslogd)
Tasks: 3
CGroup: /system.slice/rsyslog.service
└─6666 /usr/sbin/rsyslogd -n

Experiment: a custom log file:
1. [root@centos7 ~]#vim /etc/ssh/sshd_config   (this file defines what sshd logs and with which facility)
#SyslogFacility AUTHPRIV
SyslogFacility local0      
2. [root@centos7 ~]#vim /etc/rsyslog.conf
local0.*                                                /var/log/sshd.log     
[root@centos7 ~]#systemctl restart sshd
[root@centos7 ~]#tail -f /var/log/sshd.log
Mar  6 20:29:44 centos7 sshd[43542]: Server listening on 0.0.0.0 port 22.
Mar  6 20:29:44 centos7 sshd[43542]: Server listening on :: port 22.  the port is already listening and the log file has been created.
3. [root@centos6 ~]#ssh 192.168.141.200   when another host connects to 200 over ssh,
root@192.168.141.200's password:
Last login: Wed Mar  6 20:28:35 2019 from 192.168.141.253
[root@centos7 ~]#tail -f /var/log/sshd.log
Mar  6 20:29:44 centos7 sshd[43542]: Server listening on 0.0.0.0 port 22.
Mar  6 20:29:44 centos7 sshd[43542]: Server listening on :: port 22.
Mar  6 20:30:54 centos7 sshd[43578]: Accepted password for root from 192.168.141.253 port 39224 ssh2   this new record appears.
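As an added example (not part of the original notes), a small shell script that parses the kind of sshd lines the experiment above routes into /var/log/sshd.log, and that a central server collects in /var/log/test.log in the next experiment: it counts accepted logins per host, user and source address, and flags sources with repeated failures. The log lines are constructed; the "Failed password" lines assume OpenSSH's usual wording.

```shell
#!/bin/sh
# Added example, not from the original notes: summarise the sshd messages that
# SyslogFacility local0 routes into /var/log/sshd.log (or, on a central
# server, /var/log/test.log). The lines below are constructed; the "Failed
# password" lines assume OpenSSH's usual wording.
SAMPLE_LOG='Mar  6 20:29:44 centos7 sshd[43542]: Server listening on 0.0.0.0 port 22.
Mar  6 20:30:54 centos7 sshd[43578]: Accepted password for root from 192.168.141.253 port 39224 ssh2
Mar  6 20:56:21 xingxiaoya sshd[44189]: Accepted password for root from 192.168.141.253 port 39226 ssh2
Mar  6 20:57:02 xingxiaoya sshd[44201]: Failed password for root from 192.168.141.77 port 40011 ssh2
Mar  6 20:57:05 xingxiaoya sshd[44201]: Failed password for invalid user admin from 192.168.141.77 port 40012 ssh2'

# One line "host user source count" per accepted login, sorted so the output
# is deterministic. Fields: $4 is the host that logged the event, $6/$7 the
# verb; user and source are located relative to the word "from", so
# "invalid user NAME from" lines would parse as well.
accepted_logins() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        $6 == "Accepted" && $7 == "password" {
            user = ip = ""
            for (i = 8; i < NF; i++) if ($i == "from") { user = $(i - 1); ip = $(i + 1) }
            n[$4 " " user " " ip]++
        }
        END { for (k in n) print k, n[k] }' | sort
}

# Sources with at least $1 (default 2) failed password attempts: the simplest
# brute-force indicator a defender would alert on from these logs.
failed_sources() {
    threshold=${1:-2}
    printf '%s\n' "$SAMPLE_LOG" | awk -v t="$threshold" '
        $6 == "Failed" && $7 == "password" {
            for (i = 8; i < NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }' | sort
}

accepted_logins
failed_sources 2
```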
Experiment: send logs over the network to a remote host, so that the logs of many hosts are collected on one host
Setup: two hosts, 150 and 200; centos6 is used for testing
The idea of this experiment: host 200 sends its logs to the remote host 150, so when someone connects to host 200 over ssh, the log from 200 can be read on host 150.
1. On host 150:
[root@centos7 ~]#vim /etc/rsyslog.conf
$ModLoad imudp
$UDPServerRun 514  uncomment these two lines
local0.*                                            /var/log/test.log  write local0 to test.log
[root@centos7 ~]#systemctl restart rsyslog
[root@centos7 ~]#ss -ntua
Netid  State      Recv-Q Send-Q    Local Address:Port               Peer Address:Port              
udp    UNCONN     0      0                     *:514                    *:*        port 514 is open; remote logs can now be received.
Now configure host 200 to send its logs to 150:
[root@xingxiaoya ~]#vim /etc/rsyslog.conf
local0.*                                                @192.168.141.150  local0 carries the ssh log
[root@200 ~]#vim /etc/ssh/sshd_config
#SyslogFacility AUTHPRIV
SyslogFacility local0     this is what local0 corresponds to
[root@xingxiaoya ~]#systemctl restart rsyslog
[root@xingxiaoya ~]#systemctl restart sshd
2. Now ssh to 200 from centos6:
[root@centos6 ~]#ssh 192.168.141.200
root@192.168.141.200's password:
Last login: Wed Mar  6 20:42:01 2019 from 192.168.141.200
[root@xingxiaoya ~]# 
The record on host 150: [root@xingxiaoya ~]#tail /var/log/test.log
Mar  6 20:56:21 xingxiaoya sshd[44189]: Accepted password for root from 192.168.141.253 port 39226 ssh2  the record shows the IP of centos6 and the hostname of the centos7 host; it travelled over UDP
3. To use TCP instead (it is reliable), edit the configuration file:
[root@xingxiaoya ~]#vim /etc/rsyslog.conf
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514    
local0.*                                                @@192.168.141.150 
[root@xingxiaoya ~]#systemctl restart rsyslog
[root@xingxiaoya ~]#ss -ntua
Netid  State      Recv-Q Send-Q    Local Address:Port                   Peer Address:Port              
udp    UNCONN     0      0                    :::514                              :::* 
tcp    LISTEN     0      25                    *:514                               *:*    
Both ports are now open. End of experiment.
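As an added example (not the notes' own code), a shell audit of the rsyslog.conf lines this experiment edits: it reports which reception modules are really loaded (commented-out lines are ignored, as rsyslog ignores them) and whether a selector's forwarding rule uses @ (UDP) or @@ (TCP). The configuration text is constructed; the local1 and local2 selectors are assumed only to show the three target kinds side by side.

```shell
#!/bin/sh
# Added example, not from the original notes: audit the rsyslog.conf settings
# this experiment edits. The configuration text is constructed to resemble
# host 150 before TCP reception was enabled; the local1/local2 rules are
# assumed only to show the three target kinds side by side.
CONF='# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
local0.*                                            /var/log/test.log
local1.*                                            @192.168.141.150
local2.*                                            @@192.168.141.150'

# Which reception modules are really loaded. rsyslog ignores "#" lines, so a
# "$ModLoad" that is still commented out (as imtcp is here) must not count;
# an active receiver accepts messages from any host that can reach port 514,
# so such a listener belongs behind a firewall rule.
active_receivers() {
    printf '%s\n' "$CONF" | awk '
        $1 == "$ModLoad" && $2 == "imudp" { udp = 1 }
        $1 == "$ModLoad" && $2 == "imtcp" { tcp = 1 }
        END { printf "udp=%d tcp=%d\n", udp + 0, tcp + 0 }'
}

# Transport used by the rule for a selector such as local0.*: "@@host" is
# TCP, a single "@host" is UDP (no delivery guarantee), anything else is a
# local target such as a file.
forward_transport() {
    printf '%s\n' "$CONF" | awk -v sel="$1" '
        $1 == sel {
            if ($2 ~ /^@@/) print "tcp"; else if ($2 ~ /^@/) print "udp"; else print "local"
        }'
}

active_receivers
forward_transport 'local1.*'
```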

Other log files:
/var/log/secure: security log, text format, should be analysed periodically
/var/log/btmp: failed login attempts by users on this system, binary format, view with the lastb command
/var/log/wtmp: successful user logins on this system, binary format, view with the last command
/var/log/lastlog: the most recent login of every user, binary format, view with the lastlog command
/var/log/dmesg: messages from the system boot process, text format; view with a text viewer or with the dedicated dmesg command
/var/log/messages: most of the system's messages
/var/log/anaconda: the anaconda (installer) logs

Log management with journalctl
Systemd manages the startup logs of all Units centrally. The benefit is that a single command, journalctl, shows all logs (kernel logs and application logs). Its configuration file is /etc/systemd/journald.conf
journalctl usage:
1. Show all logs (by default only the logs of the current boot are kept): journalctl
2. Show kernel logs only (no application logs): journalctl -k
3. Show the logs of the current boot: journalctl -b or journalctl -b -0
4. Show the logs of the previous boot (requires a settings change): journalctl -b -1
5. Show the latest 10 lines at the tail: journalctl -n
6. Show a given number of lines at the tail: journalctl -n 20
7. Follow the newest logs in real time: journalctl -f

Experiment: rsyslog writing logs into MySQL
Setup: 150 runs the database, 200 is the server, centos6 is the client
On host 200: [root@xingxiaoya ~]#yum install rsyslog-mysql
[root@xingxiaoya ~]#rpm -ql rsyslog-mysql
/usr/lib64/rsyslog/ommysql.so
/usr/share/doc/rsyslog-8.24.0/mysql-createDB.sql
[root@xingxiaoya ~]#cat /usr/share/doc/rsyslog-8.24.0/mysql-createDB.sql
CREATE DATABASE Syslog;
USE Syslog;
CREATE TABLE SystemEvents
(
        ID int unsigned not null auto_increment primary key,
        CustomerID bigint,
        ReceivedAt datetime NULL,
        DeviceReportedTime datetime NULL,
        Facility smallint NULL,
        Priority smallint NULL,
        FromHost varchar(60) NULL,
        Message text,
        NTSeverity int NULL,
        Importance int NULL,
        EventSource varchar(60),
        EventUser varchar(60) NULL,
        EventCategory int NULL,
        EventID int NULL,
        EventBinaryData text NULL,
        MaxAvailable int NULL,
        CurrUsage int NULL,
        MinUsage int NULL,
        MaxUsage int NULL,
        InfoUnitID int NULL ,
        SysLogTag varchar(60),
        EventLogType varchar(60),
        GenericFileName VarChar(60),
        SystemID int NULL
);
CREATE TABLE SystemEventsProperties
(
        ID int unsigned not null auto_increment primary key,
        SystemEventID int NULL ,
        ParamName varchar(255) NULL ,
        ParamValue text NULL
);
On host 150: (1) [root@centos7 ~]#vim rsyslog.sql
(the same content as the mysql-createDB.sql shown above)    This script must be run inside the MySQL database
(2) [root@centos7 ~]#mysql -uroot -p123gxy  < rsyslog.sql
[root@centos7 ~]#mysql -uroot -p123gxy
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| Syslog             | the database has been created.
| mysql              |
| performance_schema |
| wordpress          |
+--------------------+
5 rows in set (0.00 sec)
MariaDB [(none)]> use Syslog
Database changed
MariaDB [Syslog]> show tables;
+------------------------+
| Tables_in_Syslog       |
+------------------------+
| SystemEvents           |
| SystemEventsProperties |
+------------------------+
2 rows in set (0.00 sec)  the tables have now been created.
(3) Create the user: MariaDB [Syslog]> grant all on Syslog.* to loguser@'192.168.141.%' identified by '123gxy';
Query OK, 0 rows affected (0.01 sec)
(4) On host 200: [root@centos7 ~]#vim /etc/rsyslog.conf  the two items in this config that need changing are these:
$ModLoad ommysql
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
local7.*                             /var/log/boot.log
local0.*                        :ommysql:192.168.141.150,Syslog,loguser,123gxy  
[root@200 ~]#vim /etc/ssh/sshd_config
#SyslogFacility AUTHPRIV
SyslogFacility local0     this is what local0 corresponds to
[root@200 ~]#systemctl restart rsyslog
[root@200 ~]#systemctl restart sshd
(5) Now test: from centos6, ssh to host 200: [root@centos6 ~]#ssh 192.168.141.200
root@192.168.141.200's password:
Last login: Thu Mar  7 08:20:58 2019 from 192.168.141.253
(6) A record appears on host 150 immediately: MariaDB [Syslog]> select * from SystemEvents;
+----+------------+---------------------+---------------------+----------+----------+----------+-----------------------------------------------------------------+------------+------------+-------------+-----------+---------------+---------+-----------------+--------------+-----------+----------+----------+------------+--------------+--------------+-----------------+----------+
| ID | CustomerID | ReceivedAt          | DeviceReportedTime  | Facility | Priority | FromHost | Message                                                         | NTSeverity | Importance | EventSource | EventUser | EventCategory | EventID | EventBinaryData | MaxAvailable | CurrUsage | MinUsage | MaxUsage | InfoUnitID | SysLogTag    | EventLogType | GenericFileName | SystemID |
+----+------------+---------------------+---------------------+----------+----------+----------+-----------------------------------------------------------------+------------+------------+-------------+-----------+---------------+---------+-----------------+--------------+-----------+----------+----------+------------+--------------+--------------+-----------------+----------+
|  1 |       NULL | 2019-03-07 08:36:14 | 2019-03-07 08:36:14 |       16 |        6 | centos7  | Accepted password for root from 192.168.141.253 port 39230 ssh2 |       NULL |       NULL | NULL        | NULL      |          NULL |    NULL | NULL            |         NULL |      NULL |     NULL |     NULL |          1 | sshd[17021]: | NULL         | NULL            |     NULL |
+----+------------+---------------------+---------------------+----------+----------+----------+-----------------------------------------------------------------+------------+------------+-------------+-----------+---------------+---------+-----------------+--------------+-----------+----------+----------+------------+--------------+--------------+-----------------+----------+
1 row in set (0.00 sec)    End of experiment!
Experiment: set up LAP

Setup: 200 is the log server and the LAP host; 150 is the MySQL database
1. [root@200 ~]#yum install httpd php php-mysql : php runs as a module, php-mysql is for connecting to the database. My httpd is already installed, so it can be skipped here
2. Copy the package from the official site to host 200: [root@200 ~]#ls
loganalyzer-4.1.7.tar.gz (download from the official site: https://loganalyzer.adiscon.com/download/)
[root@200 ~]#tar xf loganalyzer-4.1.7.tar.gz
[root@200 ~]#cd loganalyzer-4.1.7/
[root@200 loganalyzer-4.1.7]#ls
ChangeLog contrib COPYING doc INSTALL src
[root@200 src]#mv /root/loganalyzer-4.1.7/src /var/www/html/log
[root@200 src]#cd /var/www/html/log   this directory holds the PHP application
[root@200 log]#ls
admin classes details.php include lang search.php userchange.php
asktheoracle.php convert.php export.php index.php login.php statistics.php
BitstreamVeraFonts cron favicon.ico install.php reportgenerator.php templates
chartgenerator.php css images js reports.php themes
3. [root@200 ~]#cd loganalyzer-4.1.7/
[root@200 loganalyzer-4.1.7]#ls
ChangeLog contrib COPYING doc INSTALL
[root@200 loganalyzer-4.1.7]#cd contrib/
[root@200 contrib]#ls
config.php configure.sh secure.sh
[root@200 contrib]#cat configure.sh
#!/bin/sh
touch config.php
chmod 666 config.php
[root@200 contrib]#cat secure.sh
#!/bin/sh
chmod 644 config.php

4. [root@200 loganalyzer-4.1.7]#touch /var/www/html/log/config.php
[root@200 loganalyzer-4.1.7]#chmod 666 /var/www/html/log/config.php
5. Start the FastCGI service: [root@200 conf.d]#service php-fpm start
Redirecting to /bin/systemctl start php-fpm.service
[root@200 conf.d]#chkconfig php-fpm on
Note: Forwarding request to 'systemctl enable php-fpm.service'.
Created symlink from /etc/systemd/system/multi-user.target.wants/php-fpm.service to /usr/lib/systemd/system/php-fpm.service.
6. Visiting the site brings up the following pages:
[screenshots of the LogAnalyzer setup pages, not preserved]

Now that config.php has been generated, revoke the write permission: [root@200 contrib]#chmod 644 /var/www/html/log/config.php
7. Now install the package needed to draw charts:
[root@200 contrib]#yum install php-gd
[root@200 contrib]#rpm -ql php-gd
/etc/php.d/gd.ini
/usr/lib64/php/modules/gd.so
/usr/share/doc/php-gd-5.4.16
/usr/share/doc/php-gd-5.4.16/libgd_COPYING
/usr/share/doc/php-gd-5.4.16/libgd_README
This package loads as a module, so restart httpd: [root@200 contrib]#systemctl restart httpd
8. The page that appears:
[screenshot of the LogAnalyzer page, not preserved]
Because of my software version, the pie chart did not render. End of experiment.

Logrotate

The logrotate program is a log file management tool. It removes old log files and creates new ones, a process called log rotation (rolling). Rotation can be triggered by the size of the log file or by its age, and is usually run by cron.
The configuration file is /etc/logrotate.conf
