Log management on Linux: an rsyslog hands-on case study

                                       Author: Yin Zhengjie

Copyright notice: original work, reproduction prohibited! Violators will be held legally liable.

I. Introduction to logs

1>. What is a log

A log is a record of historical events:
  when, where, who, and what happened
Log level:
  how critical the event is (Loglevel)

2>. Common system logging services

sysklogd logging service (used on CentOS 5 and earlier)
  syslogd:
    records application logs (system applications)
  klogd:
    records kernel logs (Linux kernel)
  Event record format:
    date time host process[pid]: event content
  C/S architecture:
    log records are transported over TCP or UDP, so logs spread across different hosts can be managed centrally

rsyslog logging service (used on CentOS 6 and 7); its main features are:
  multithreaded
  UDP, TCP, SSL, TLS, RELP
  log storage in MySQL, PGSQL, Oracle
  powerful filters that can match on any part of a log message
  customizable output formats

ELK (elasticsearch, logstash, kibana)
  a non-relational distributed database
  built on Lucene, a project of the Apache Software Foundation's Jakarta group
  Elasticsearch is an open-source distributed search engine
  Logstash collects and analyzes logs and stores them for later use
  Kibana provides a friendly web interface for log analysis

3>. Recommended reading from the author

  https://www.cnblogs.com/yinzhengjie/p/7745560.html

II. rsyslog introduction

1>. Common terms

[root@node101.yinzhengjie.org.cn ~]# man logger
LOGGER()                                              User Commands                                             LOGGER()

NAME
       logger - a shell command interface to the syslog() system log module

SYNOPSIS
       logger [options] [message]

DESCRIPTION
       logger makes entries in the system log. It provides a shell command interface to the syslog() system log module.

OPTIONS
       -n, --server server
              Write to the specified remote syslog server instead of to the builtin syslog routines. Unless --udp or --tcp is
              specified the logger will first try to use UDP, but if it fails a TCP connection is attempted.

       -d, --udp
              Use datagram (UDP) only. By default the connection is tried to syslog port defined in /etc/services, which is
              often .

       -T, --tcp
              Use stream (TCP) only. By default the connection is tried to syslog-conn port defined in /etc/services, which is
              often .

       -P, --port port
              Use the specified port. When this option is not specified, the port defaults to syslog for udp and to syslog-conn
              for tcp connections.

       -i, --id
              Log the process ID of the logger process with each line.

       -f, --file file
              Log the contents of the specified file. This option cannot be combined with a command-line message.

       -h, --help
              Display a help text and exit.

       -p, --priority priority
              Enter the message into the log with the specified priority. The priority may be specified numerically or as a
              facility.level pair. For example, -p local3.info logs the message as informational in the local3 facility. The
              default is user.notice.

       -S, --size size
              Sets the maximum permitted message size. The default is 1KiB, which is the limit traditionally used and specified
              in RFC . When selecting a maximum message size, it is important to ensure that the receiver supports the max
              size as well, otherwise messages may become truncated.

       -s, --stderr
              Output the message to standard error as well as to the system log.

       -t, --tag tag
              Mark every line to be logged with the specified tag. The default tag is the name of the user logged in on the
              terminal (or a user name based on effective user ID).

       -u, --socket socket
              Write to the specified socket instead of to the builtin syslog routines.

       -V, --version
              Display version information and exit.

       --     End the argument list. This is to allow the message to start with a hyphen (-).

       message
              Write the message to log; if not specified, and the -f flag is not provided, standard input is logged.

       The logger utility exits on success, and > if an error occurs.

FACILITIES AND LEVELS
       Valid facility names are:

       auth
       authpriv   for security information of a sensitive nature
       cron
       daemon
       ftp
       kern       cannot be generated from userspace process, automatically converted to user
       lpr
       mail
       news
       syslog
       user
       uucp
       local0 to local7
       security   deprecated synonym for auth

       Valid level names are:

       emerg
       alert
       crit
       err
       warning
       notice
       info
       debug
       panic      deprecated synonym for emerg
       error      deprecated synonym for err
       warn       deprecated synonym for warning

       For the priority order and intended purposes of these facilities and levels, see syslog().

EXAMPLES
       logger System rebooted
       logger -p local0.notice -t HOSTIDM -f /dev/idmc
       logger -n loghost.example.com System rebooted

SEE ALSO
       syslog(), syslogd()

STANDARDS
       The logger command is expected to be IEEE Std 1003.2 ("POSIX.2") compatible.

AVAILABILITY
       The logger command is part of the util-linux package and is available from Linux Kernel Archive ⟨ftp://ftp.kernel.org
       /pub/linux/utils/util-linux/⟩.

util-linux                                                April                                                    LOGGER()
[root@node101.yinzhengjie.org.cn ~]#


2>. facility (classifies logs by function or program)

  Valid facility names are:
    auth
    authpriv for security information of a sensitive nature
    cron
    daemon
    ftp
    kern cannot be generated from userspace process, automatically converted to user
    lpr
    mail
    news
    syslog
    user
    uucp
    local0 to local7
    security deprecated synonym for auth

3>. Priority (severity level, ordered from low to high)

  Valid level names are:
    debug
    info
    notice
    warning
    warn deprecated synonym for warning
    err
    error deprecated synonym for err
    crit
    alert
    emerg
    panic deprecated synonym for emerg

4>. Reference help information

[root@node101.yinzhengjie.org.cn ~]# man  syslog

III. The rsyslog system logging service

1>. Install the rsyslog package

[root@node101.yinzhengjie.org.cn ~]# yum -y install syslog
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
epel/x86_64/metalink | 7.6 kB ::
* base: mirrors.aliyun.com
* epel: mirrors.tuna.tsinghua.edu.cn
* extras: mirrors.aliyun.com
* updates: mirror.bit.edu.cn
base | 3.6 kB ::
epel | 5.4 kB ::
extras | 2.9 kB ::
updates | 2.9 kB ::
(/): epel/x86_64/updateinfo | 1.0 MB ::
(/): updates//x86_64/primary_db | 5.8 MB ::
(/): epel/x86_64/primary_db | 6.9 MB ::
Resolving Dependencies
--> Running transaction check
---> Package rsyslog.x86_64 :8.24.-.el7 will be updated
---> Package rsyslog.x86_64 :8.24.-.el7_7. will be an update
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================================================
Package Arch Version Repository Size
===================================================================================================================================
Updating:
rsyslog x86_64 8.24.-.el7_7. updates k

Transaction Summary
===================================================================================================================================
Upgrade Package

Total download size: k
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
rsyslog-8.24.-.el7_7..x86_ FAILED ] 0.0 B/s | kB --:--:-- ETA
http://mirror.lzu.edu.cn/centos/7.7.1908/updates/x86_64/Packages/rsyslog-8.24.0-41.el7_7.2.x86_64.rpm: [Errno 12] Timeout on http://mirror.lzu.edu.cn/centos/7.7.1908/updates/x86_64/Packages/rsyslog-8.24.0-41.el7_7.2.x86_64.rpm: (28, 'Operation too slow. Less than 1000 bytes/sec transferred the last 30 seconds')
Trying other mirror.
rsyslog-8.24.-.el7_7..x86_64.rpm | kB ::
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Updating : rsyslog-8.24.-.el7_7..x86_64 /
Cleanup : rsyslog-8.24.-.el7.x86_64 /
Verifying : rsyslog-8.24.-.el7_7..x86_64 /
Verifying : rsyslog-8.24.-.el7.x86_64 /

Updated:
rsyslog.x86_64 :8.24.-.el7_7.

Complete!
[root@node101.yinzhengjie.org.cn ~]#


[root@node101.yinzhengjie.org.cn ~]# rpm -qi rsyslog
Name : rsyslog
Version : 8.24.
Release : .el7_7.
Architecture: x86_64
Install Date: Thu Dec :: PM EST
Group : System Environment/Daemons
Size :
License : (GPLv3+ and ASL 2.0)
Signature : RSA/SHA256, Mon Oct :: AM EDT, Key ID 24c6a8a7f4a80eb5
Source RPM : rsyslog-8.24.-.el7_7..src.rpm
Build Date : Fri Oct :: PM EDT
Build Host : x86-.bsys.centos.org
Relocations : (not relocatable)
Packager : CentOS BuildSystem <http://bugs.centos.org>
Vendor : CentOS
URL : http://www.rsyslog.com/
Summary : Enhanced system logging and kernel message trapping daemon
Description :
Rsyslog is an enhanced, multi-threaded syslog daemon. It supports MySQL,
syslog/TCP, RFC , permitted sender lists, filtering on any message part,
and fine grain output format control. It is compatible with stock sysklogd
and can be used as a drop-in replacement. Rsyslog is simple to set up, with
advanced features suitable for enterprise-class, encryption-protected syslog
relay chains.
[root@node101.yinzhengjie.org.cn ~]#

[root@node101.yinzhengjie.org.cn ~]# rpm -qi rsyslog          #shows the installed rsyslog version

[root@node101.yinzhengjie.org.cn ~]# rpm -ql rsyslog
/etc/logrotate.d/syslog
/etc/pki/rsyslog
/etc/rsyslog.conf
/etc/rsyslog.d
/etc/sysconfig/rsyslog
/usr/bin/rsyslog-recover-qi.pl
/usr/lib/systemd/system/rsyslog.service
/usr/lib64/rsyslog
/usr/lib64/rsyslog/imdiag.so
/usr/lib64/rsyslog/imfile.so
/usr/lib64/rsyslog/imjournal.so
/usr/lib64/rsyslog/imklog.so
/usr/lib64/rsyslog/immark.so
/usr/lib64/rsyslog/impstats.so
/usr/lib64/rsyslog/imptcp.so
/usr/lib64/rsyslog/imtcp.so
/usr/lib64/rsyslog/imudp.so
/usr/lib64/rsyslog/imuxsock.so
/usr/lib64/rsyslog/lmnet.so
/usr/lib64/rsyslog/lmnetstrms.so
/usr/lib64/rsyslog/lmnsd_ptcp.so
/usr/lib64/rsyslog/lmregexp.so
/usr/lib64/rsyslog/lmstrmsrv.so
/usr/lib64/rsyslog/lmtcpclt.so
/usr/lib64/rsyslog/lmtcpsrv.so
/usr/lib64/rsyslog/lmzlibw.so
/usr/lib64/rsyslog/mmanon.so
/usr/lib64/rsyslog/mmcount.so
/usr/lib64/rsyslog/mmexternal.so
/usr/lib64/rsyslog/mmutf8fix.so
/usr/lib64/rsyslog/omjournal.so
/usr/lib64/rsyslog/ommail.so
/usr/lib64/rsyslog/omprog.so
/usr/lib64/rsyslog/omruleset.so
/usr/lib64/rsyslog/omstdout.so
/usr/lib64/rsyslog/omtesting.so
/usr/lib64/rsyslog/omuxsock.so
/usr/lib64/rsyslog/pmaixforwardedfrom.so
/usr/lib64/rsyslog/pmcisconames.so
/usr/lib64/rsyslog/pmlastmsg.so
/usr/lib64/rsyslog/pmrfc3164sd.so
/usr/lib64/rsyslog/pmsnare.so
/usr/sbin/rsyslogd
/usr/share/doc/rsyslog-8.24.
/usr/share/doc/rsyslog-8.24./AUTHORS
/usr/share/doc/rsyslog-8.24./COPYING
/usr/share/doc/rsyslog-8.24./COPYING.ASL20
/usr/share/doc/rsyslog-8.24./COPYING.LESSER
/usr/share/doc/rsyslog-8.24./ChangeLog
/usr/share/man/man5/rsyslog.conf..gz
/usr/share/man/man8/rsyslogd..gz
/var/lib/rsyslog
[root@node101.yinzhengjie.org.cn ~]#

[root@node101.yinzhengjie.org.cn ~]# rpm -ql rsyslog          #list the files installed by the package

2>. Overview of the rsyslog service

Package:
  rsyslog
Main program:
  /usr/sbin/rsyslogd
CentOS 6 (SysV init):
  service rsyslog {start|stop|restart|status}
CentOS 7 (systemd):
  /usr/lib/systemd/system/rsyslog.service
Configuration files:
  /etc/rsyslog.conf, /etc/rsyslog.d/*.conf
Library files:
  /lib64/rsyslog/*.so
[root@node101.yinzhengjie.org.cn ~]# systemctl status rsyslog
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Thu -- :: EST; 16min ago
Docs: man:rsyslogd()
http://www.rsyslog.com/doc/
Main PID: (rsyslogd)
CGroup: /system.slice/rsyslog.service
└─ /usr/sbin/rsyslogd -n

Dec :: node101.yinzhengjie.org.cn systemd[]: Starting System Logging Service...
Dec :: node101.yinzhengjie.org.cn rsyslogd[]: [origin software="rsyslogd" swVersion="8.24.0-41.el7_7.2" x-pi...start
Dec :: node101.yinzhengjie.org.cn systemd[]: Started System Logging Service.
Hint: Some lines were ellipsized, use -l to show in full.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#


3>. Format of the /etc/rsyslog.conf configuration file

/etc/rsyslog.conf consists of three parts:
  MODULES:
    module-related configuration
  GLOBAL DIRECTIVES:
    global configuration
  RULES:
    rules for what gets logged and where

Explanation of the default configuration (in the original, MODULES settings are shown in red, global directives in blue, and logging rules in pink):
  [root@node101.yinzhengjie.org.cn ~]# egrep -v "^#|^$" /etc/rsyslog.conf
  $ModLoad imuxsock                         #support for local system logging
  $ModLoad imjournal                        #access to the systemd journal
  $WorkDirectory /var/lib/rsyslog                 #working directory for rsyslog's auxiliary files (queues, state)
  $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat   #use the default (traditional) timestamp format
  $IncludeConfig /etc/rsyslog.d/*.conf              #load the "/etc/rsyslog.d/*.conf" configuration files
  $OmitLocalLogging on                         #turn off message reception via the local log socket; local messages are now retrieved through imjournal
  $IMJournalStateFile imjournal.state                 #file that stores the position in the journal
  *.info;mail.none;authpriv.none;cron.none /var/log/messages   #log anything of level info or higher, except mail, authpriv and cron, which get their own files below; private authentication messages are not logged here. The default destination is "/var/log/messages"
  authpriv.* /var/log/secure                     #all levels of the authpriv facility go to "/var/log/secure"
  mail.* -/var/log/maillog                     #all levels of the mail facility go to "/var/log/maillog"; the leading "-" means asynchronous writes
  cron.* /var/log/cron                     #all levels of the cron facility go to "/var/log/cron"
  *.emerg :omusrmsg:*                       #everybody gets emergency (emerg) messages
  uucp,news.crit /var/log/spooler                  #save uucp and news messages of level crit and higher in "/var/log/spooler"
  local7.* /var/log/boot.log                     #also save boot messages to "/var/log/boot.log"
  [root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /etc/rsyslog.conf
# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
[root@node101.yinzhengjie.org.cn ~]#


4>. RULES configuration format

RULES configuration format:
  facility.priority; facility.priority... target

  facility:
    *: all facilities
    facility1,facility2,facility3,...: the listed facilities
  priority:
    *: all levels
    none: no level, i.e. do not log this facility
    PRIORITY: the given level and every level above it
    =PRIORITY: only the given level
  target:
    file path: usually under /var/log/; a "-" in front of the path means asynchronous writes, which is generally not recommended for important logs. Asynchronous writing means the data is first written to a buffer and only flushed to disk after an interval, so log entries can be lost, although write throughput is higher.
    user: notify the given user(s) of the log event; * means all logged-in users
    log server: @host, send the log to the given remote server to be recorded (@host sends over UDP, @@host over TCP, as in the commented forwarding rule of the stock configuration)
    pipe: | COMMAND, hand the event to another command for processing
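As an added example (not code from the original post), the following Python implements the selector grammar just described and routes sample facility/priority pairs through the stock CentOS 7 rules plus the local0 rule this post later adds for sshd. The facility and priority tables are the standard syslog ones; as in syslog.conf, a later selector on the same line overrides an earlier one for the facilities it names.

```python
"""Route messages with rsyslog-style selectors: facility.priority;facility.priority... target

Added example, not part of the original post. Supports '*' for all facilities or
all priorities, comma-separated facility lists, 'none' to exclude a facility,
PRIORITY meaning that level and above, and '=PRIORITY' for exactly that level.
"""

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]
# Priorities from low to high, as listed in section II.3 of the post.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}


def parse_rule(line):
    """Split 'sel;sel... target' into ([(facility_list, priority_spec), ...], target)."""
    selector, target = line.rsplit(None, 1)
    parts = []
    for sel in selector.split(";"):
        facs, prio = sel.strip().split(".")
        fac_list = FACILITIES if facs == "*" else [f.strip() for f in facs.split(",")]
        parts.append((fac_list, prio))
    return parts, target


def selector_matches(prio_spec, priority):
    """Decide whether one priority spec ('*', 'none', 'info', '=crit') admits a level."""
    if prio_spec == "*":
        return True
    if prio_spec == "none":
        return False
    exact = prio_spec.startswith("=")
    wanted = ALIASES.get(prio_spec.lstrip("="), prio_spec.lstrip("="))
    level, target = PRIORITIES.index(ALIASES.get(priority, priority)), PRIORITIES.index(wanted)
    return level == target if exact else level >= target


def rule_matches(rule_parts, facility, priority):
    """The last selector naming the facility wins: 'authpriv.none' after '*.info' excludes it."""
    decision = False
    for fac_list, prio_spec in rule_parts:
        if facility in fac_list:
            decision = selector_matches(prio_spec, priority)
    return decision


def route(rules, facility, priority):
    """Return the targets a (facility, priority) message is written to, in rule order."""
    parsed = [parse_rule(r) for r in rules]
    return [target for parts, target in parsed if rule_matches(parts, facility, priority)]


# The stock rules shown in the post, plus the local0 rule the post adds for sshd.
DEFAULT_RULES = [
    "*.info;mail.none;authpriv.none;cron.none /var/log/messages",
    "authpriv.* /var/log/secure",
    "mail.* -/var/log/maillog",
    "cron.* /var/log/cron",
    "*.emerg :omusrmsg:*",
    "uucp,news.crit /var/log/spooler",
    "local7.* /var/log/boot.log",
    "local0.* /var/log/sshd.log",
]

if __name__ == "__main__":
    for fac, prio in [("authpriv", "info"), ("mail", "err"), ("kern", "emerg"),
                      ("local0", "info"), ("news", "warning"), ("user", "debug")]:
        print(f"{fac}.{prio:<8} -> {route(DEFAULT_RULES, fac, prio)}")
```

Running it shows that local0 messages at level info or above also match the first rule, so with the post's setup sshd entries land in /var/log/messages as well as /var/log/sshd.log; adding local0.none to the first rule removes the duplication.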

IV. Case study: configuring logging for the sshd service (this works only because sshd calls the system logging interface that rsyslog serves; software that does not use the system logger is outside rsyslog's reach, for example apache and nginx have their own log implementations and do not use the system log)

1>. Change sshd's default log facility and record it through rsyslog

[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/ssh/sshd_config  |grep SyslogFacility      #we know that sshd defines its log facility as "AUTHPRIV"
SyslogFacility AUTHPRIV
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/rsyslog.conf |grep authpriv       #rsyslog records the "AUTHPRIV" facility separately in "/var/log/secure"
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# tail -20 /var/log/secure                            #sure enough, the sshd entries are in this file, but other services that log to "AUTHPRIV" end up here as well.
Dec :: node101 sshd[]: Accepted password for root from 172.30.1.2 port ssh2
Dec :: node101 sshd[]: pam_unix(sshd:session): session opened for user root by (uid=)
Dec :: node101 su: PAM unable to dlopen(/usr/lib64/security/pam_fprintd.so): /usr/lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
Dec :: node101 su: PAM adding faulty module: /usr/lib64/security/pam_fprintd.so
Dec :: node101 su: pam_unix(su-l:session): session opened for user yinzhengjie by root(uid=)
Dec :: node101 su: pam_unix(su-l:session): session closed for user yinzhengjie
Dec :: node101 sshd[]: pam_systemd(sshd:session): Failed to release session: Interrupted system call
Dec :: node101 sshd[]: pam_unix(sshd:session): session closed for user root
Dec :: node101 sshd[]: Accepted password for root from 172.30.1.2 port ssh2
Dec :: node101 sshd[]: pam_unix(sshd:session): session opened for user root by (uid=)
Dec :: node101 useradd[]: new group: name=jason, GID=
Dec :: node101 useradd[]: new user: name=jason, UID=, GID=, home=/home/jason, shell=/bin/bash
Dec :: node101 userdel[]: delete user 'jason'
Dec :: node101 userdel[]: removed group 'jason' owned by 'jason'
Dec :: node101 userdel[]: removed shadow group 'jason' owned by 'jason'
Dec :: node101 sshd[]: pam_unix(sshd:session): session closed for user root
Dec :: node101 sshd[]: Accepted password for root from 172.30.1.2 port ssh2
Dec :: node101 sshd[]: pam_unix(sshd:session): session opened for user root by (uid=)
Dec :: node101 sshd[]: Accepted password for root from 172.30.1.2 port ssh2
Dec :: node101 sshd[]: pam_unix(sshd:session): session opened for user root by (uid=)
[root@node101.yinzhengjie.org.cn ~]#

[root@node101.yinzhengjie.org.cn ~]# tail -20 /var/log/secure    #the sshd entries are in this file, but other services that log to "AUTHPRIV" end up here too, so we can pull the sshd logs out into a file of their own
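The traditional record format from section I.2 (date time host process[pid]: message) is what /var/log/secure contains. As an added example (not from the original post), this Python parses lines in that format and summarises sshd password logins per user and source address, which is the first thing a reviewer of this file usually wants; the sample lines are constructed to resemble the excerpt above and are not real log data.

```python
"""Parse RSYSLOG_TraditionalFileFormat lines and summarise sshd logins.

Added example, not part of the original post. The SAMPLE block is constructed;
it mimics the /var/log/secure excerpt in the post with made-up pids and ports.
"""
import re
from collections import Counter

# "Mon DD HH:MM:SS host tag[pid]: message" -- the pid part is optional (e.g. "su:").
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")
FAILED_RE = re.compile(r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")

# Constructed sample, modelled on the excerpt in the post (not real log data).
SAMPLE = """\
Dec 12 09:01:02 node101 sshd[1201]: Accepted password for root from 172.30.1.2 port 51234 ssh2
Dec 12 09:01:02 node101 sshd[1201]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 12 09:05:10 node101 su: pam_unix(su-l:session): session opened for user yinzhengjie by root(uid=0)
Dec 12 09:07:44 node101 sshd[1250]: Failed password for root from 10.0.0.9 port 40001 ssh2
Dec 12 09:07:46 node101 sshd[1250]: Failed password for root from 10.0.0.9 port 40001 ssh2
Dec 12 09:08:01 node101 useradd[1290]: new user: name=jason, UID=1001, GID=1001, home=/home/jason, shell=/bin/bash
Dec 12 09:10:30 node101 sshd[1300]: Accepted password for root from 127.0.0.1 port 42210 ssh2
"""


def parse_line(line):
    """Return a dict with ts/host/tag/pid/msg, or None if the line is not in traditional format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarise_sshd(text):
    """Count accepted and failed sshd logins per (user, source address); other tags are skipped."""
    accepted, failed = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or rec["tag"] != "sshd":
            continue
        if m := ACCEPTED_RE.match(rec["msg"]):
            accepted[(m["user"], m["src"])] += 1
        elif m := FAILED_RE.match(rec["msg"]):
            failed[(m["user"], m["src"])] += 1
    return accepted, failed


if __name__ == "__main__":
    ok, bad = summarise_sshd(SAMPLE)
    for (user, src), n in sorted(ok.items()):
        print(f"accepted {user:<8} from {src:<12} x{n}")
    for (user, src), n in sorted(bad.items()):
        print(f"failed   {user:<8} from {src:<12} x{n}")
```

To run it against the real file, replace SAMPLE with the contents of /var/log/secure (or of /var/log/sshd.log once the local0 rule below is in place).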

[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/ssh/sshd_config  |grep SyslogFacility        #sshd's default log facility is AUTHPRIV
SyslogFacility AUTHPRIV
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# vim /etc/ssh/sshd_config
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/ssh/sshd_config |grep SyslogFacility         #we comment out the default facility. local0-7 are the user-definable facilities, and local7 is already used for the boot log, so only local0-6 are free; here sshd's facility is set to local0.
SyslogFacility local0
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# grep local0 /etc/rsyslog.conf                             #log all levels of the custom facility local0 to "/var/log/sshd.log"
local0.* /var/log/sshd.log
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll /var/log/sshd.log                                  #after changing the configuration, "/var/log/sshd.log" has not been created yet because the change has not taken effect; the services need a restart
ls: cannot access /var/log/sshd.log: No such file or directory
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl restart sshd rsyslog                           #note: both the sshd and the rsyslog configuration were changed, so both services must be restarted
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll /var/log/sshd.log                             #after the restart the file exists
-rw------- root root Dec : /var/log/sshd.log
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /var/log/sshd.log                             #after the restart the file is written to immediately
Dec :: node101 sshd[]: Server listening on 0.0.0.0 port .
Dec :: node101 sshd[]: Server listening on :: port .
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ssh 127.0.0.1                                      #now ssh to the local host and check whether the login is logged
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:uv+7B8M+Muy0u0bnGOplDlSUE4lRiinkGDgEdRk7ChA.
ECDSA key fingerprint is MD5:b8::3f:d7:e2:7d:::f5:bf:d2:d0:0c:af:db:.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
root@127.0.0.1's password:
Last login: Thu Dec :: from 172.30.1.2
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# exit
logout
Connection to 127.0.0.1 closed.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /var/log/sshd.log                                #sure enough, the login was logged
Dec :: node101 sshd[]: Server listening on 0.0.0.0 port .
Dec :: node101 sshd[]: Server listening on :: port .
Dec :: node101 sshd[]: Accepted password for root from 127.0.0.1 port ssh2
Dec :: node101 sshd[]: Received disconnect from 127.0.0.1 port :: disconnected by user
Dec :: node101 sshd[]: Disconnected from 127.0.0.1 port
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#  

2>. logger command usage example

[root@node101.yinzhengjie.org.cn ~]# logger -p local0.info "ssh event start"                     #send an info-level message to facility local0 with the text "ssh event start"
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# tail - /var/log/sshd.log                             #as expected, rsyslog wrote the message to the file configured for facility local0
Dec :: node101 root: ssh event start
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#

V. Remote log collection

1>. Enable the network logging service

2>.

3>.
