linux日志管理方法 linux日志管理实例

#很关键 
[root@client01 ~]# ls /var/log/ 
anaconda.ifcfg.log    anaconda.xlog      btmp           dmesg       maillog            secure            wtmp 
anaconda.log          anaconda.yum.log   btmp-20130805  dmesg.old  maillog-20130805  secure-20130805   yum.log 
anaconda.program.log  audit              ConsoleKit     dracut.log messages           spooler 
anaconda.storage.log  boot.log           cron          httpd       messages-20130805  spooler-20130805 
anaconda.syslog       boot.log-20130805  cron-20130805 lastlog     rhsm               tallylog 
  
#关键日志，大部分记录在里面 
[root@client01 ~]# ls /var/log/messages 
/var/log/messages 
       
#系统启动，硬件相关日志 
[root@client01 ~]# ls /var/log/dmesg* 
/var/log/dmesg  /var/log/dmesg.old 
  
#登录安全相关日志 
[root@client01 ~]# ls /var/log/secure 
/var/log/secure 
  
#使用ssh登录，输入错误密码 
[root@larrywen opt]# ssh 192.168.1.11 
root@192.168.1.11's password: 
Permission denied, please try again. 
root@192.168.1.11's password: 
Permission denied, please try again. 
  
#监控文件，可以看到刚才输入的错误密码已经记录下来了 
[root@client01 ~]# tail -f /var/log/secure 
[root@client01 ~]# tail -n 4/var/log/secure 
Aug 5 14:46:13 client01 sshd[2796]: pam_unix(sshd:auth): authenticationfailure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1  user=root 
Aug 5 14:46:15 client01 sshd[2796]: Failed password for root from192.168.1.1 port 50116 ssh2 
Aug 5 14:46:23 client01 unix_chkpwd[2800]: password check failed for user(root) 
Aug 5 14:46:25 client01 sshd[2796]: Failed password for root from192.168.1.1 port 50116 ssh2 
  
#邮件相关日志 
[root@larrywen opt]# ls /var/log/maillog 
/var/log/maillog 
  
#登录信息日志 
[root@client01 ~]# ls /var/log/lastlog 
#最后登录的信息 
[root@client01 ~]# ls /var/log/lastlog 
/var/log/lastlog 
[root@client01 ~]# last 
#最后登录错误的信息 
[root@client01 ~]# lastb 
  
#selinux相关日志 
[root@client01 ~]# ls /var/log/audit/ 
audit.log 
  
[root@client01 ~]# ls /var/log/maillog* 
/var/log/maillog  /var/log/maillog-20130805 
#之前日志的备份，一个星期切换一次，会自动备份 
maillog-20130805 
  
[root@larrywen 0805]# ls /var/log/maillog* 
/var/log/maillog  /var/log/maillog-20130729  /var/log/maillog-20130805 
[root@larrywen 0805]# ls /var/log/boot.log* 
/var/log/boot.log  /var/log/boot.log-20130729  /var/log/boot.log-20130805 

[root@client01 ~]# ps -ef|grep log 
#系统日志服务 
root      959     1  0 08:49 ?        00:00:00 /sbin/rsyslogd -c 4 
root     1133     1  0 08:49 ?        00:00:00 login -- root     
root     2811  2776  0 14:54 pts/0    00:00:00 grep log 
  
[root@client01 ~]# /etc/init.d/rsyslogrestart 
Shutting down system logger:                               [  OK  ] 
Starting system logger:                                    [  OK  ] 
  
#rsyslog：日志记录的位置，指定输出文件 
#日志级别：Debug Warning 

[root@client01 ~]# ls /etc/*log* 
/etc/csh.login  /etc/login.defs  /etc/logrotate.conf  /etc/rsyslog.conf 
  
/etc/logrotate.d: 
dracut httpd  subscription-manager  syslog up2date  yum 
[root@client01 ~]# ls /etc/rsyslog.conf 
/etc/rsyslog.conf 
[root@client01 ~]# vim /etc/rsyslog.conf 
  
#模块：实现某个功能的程序 
  
#不要急着写，支持异步写。等到一定量的时候才写，延迟写（负号的含义） 
-/var/log/maillog 
  
#修改文件 
[root@client01 ~]# vim /etc/rsyslog.conf 
  
[root@client01 ~]# grep "hongyi"/etc/rsyslog.conf -n 
60:local3.*                                      /var/log/hongyi.log 
#重启服务 
[root@client01 ~]# /etc/init.d/rsyslogrestart 
Shutting down system logger:                               [  OK  ] 
Starting system logger:                                    [  OK  ] 
#可以查看到生成了这个文件 
[root@client01 ~]# ls /var/log/hongyi.log 
/var/log/hongyi.log 
#写日志 
[root@client01 ~]# logger -p"local3.info" "this is test" 
[root@client01 ~]# cat /var/log/hongyi.log 
Aug 5 15:17:00 client01 root: this is test 
#我们写local2.info，发现没有记录 
[root@client01 ~]# logger -p"local2.info" "this is test" 
[root@client01 ~]# cat /var/log/hongyi.log 
Aug 5 15:17:00 client01 root: this is test 
  
[root@client01 ~]# logger --help 
logger: invalid option -- '-' 
usage: logger [-is] [-f file] [-p pri] [-ttag] [-u socket] [ message ... ] 
  
#性能 
  
#一台机器上的文件保存到另一台机器上 
[root@serv02 ~]# grep "UDP" /etc/rsyslog.conf  -n -A1 
12:# Provides UDP syslog reception 
13-$ModLoad imudp.so 
14:$UDPServerRun 514 
15- 
[root@serv02 ~]# grep "local3.*"/etc/rsyslog.conf  -n 
59:local3.*                                      /tmp/up.log 
[root@larrywen 0805]# man rsyslog.conf 

#rsyslog.conf做如下配置 
[root@serv01 ~]# grep local3/etc/rsyslog.conf -n 
#192.168.1.12是serv02的IP 
#@：UDP 服务 
#@@：TCP服务 
60:local3.*     @192.168.1.12 
#重启服务 
[root@serv01 ~]# /etc/init.d/rsyslogrestart 
Shutting down system logger:                               [  OK  ] 
Starting system logger:                                    [  OK  ] 
#Serv02配置完后，输出日志到第二台机器 
[root@serv01 ~]# logger -p"local3.info" "hello,world" 

#rsyslog.conf文件做如下配置 
[root@serv02 ~]# cat -n/etc/rsyslog.conf|sed "8,9p;/local3/p"  -n 
    8  $ModLoad imuxsock.so    # provides support for local system logging(e.g. via logger command) 
    9  $ModLoad imklog.so # provides kernel logging support (previouslydone by rklogd) 
59   local3.*     /tmp/up.log 
#重启服务 
[root@serv02 ~]# /etc/init.d/rsyslogrestart 
Shutting down system logger:                               [  OK  ] 
Starting system logger:                                    [  OK  ] 
#查看文件可以看到 
[root@serv02 ~]# cat /tmp/up.log 
Aug 5 15:31:38 serv01 root: hello,world 
  
#日志备份 

[root@client01 ~]# yum install at -y 
[root@client01 ~]# at now +3 minutes 
at> echo "hello,wolrd" >/opt/aa01.txt 
at> <EOT> 
job 2 at 2013-08-05 16:20 
Can't open /var/run/atd.pid to signal atd.No atd running? 
[root@client01 ~]# /etc/init.d/atd start 
Starting atd:                                              [  OK  ] 
#相对当前时间 
[root@client01 ~]# at now +3 minutes 
at> echo "hello,wolrd" >/opt/aa01.txt 
at> <EOT> 
job 3 at 2013-08-05 16:21 
[root@client01 ~]# at -l 
3     2013-08-0516:21 a root：   
2     2013-08-0516:20 a root 
root@client01 opt]# ll 
total 20 
-rw-r--r--. 1 root root    12 Aug 5 16:20 aa01.txt 
drwx------. 2 root root 16384 Jul 23 00:54lost+found 
  
#支持分钟 小时 天 
[root@client01 ~]# at now +1 days 
  
  
[root@client01 opt]# at 16:28 08/05/2013 
at> echo "hello,uplooking"> /opt/aa02.txt 
at> <EOT> 
job 4 at 2013-08-05 16:28 
[root@client01 opt]# at -l 
4     2013-08-0516:28 a root 
  
[root@client01 opt]# at 18:20 08/06/2013 
at> rm -rf /*<EOT> 
job 5 at 2013-08-06 18:20 
[root@client01 opt]# at -l 
5     2013-08-0618:20 a root 
4     2013-08-0516:28 a root 
  
[root@client01 opt]# at --help 
at: invalid option -- '-' 
Usage: at [-V] [-q x] [-f file] [-mldbv]time 
      at -c job ... 
      atq [-V] [-q x] 
      atrm [-V] job ... 
      batch 
#移除 
[root@client01 opt]# atrm 5 
#列出详细的任务 
[root@client01 opt]# at -l 
4     2013-08-0516:28 a root 
  
#执行完后自动清除，本次有效 
  
#crontab：循环有效 
[root@client01 opt]# vim /etc/crontab 
?   ** * * * echo `date` >> /opt/aa03.txt 
#添加规则 
[root@client01 opt]# crontab -e 
no crontab for root - using an empty one 
crontab: installing new crontab 
  
30 18 * * * init 0 
1 */2 10-20 7,8 5 wall "Have aholiday" 
#列出所有的任务 
[root@client01 opt]# crontab -l 
* * * * * echo `date` >>/opt/aa03.txt 
30 18 * * * init 0 
[root@client01 opt]# crontab --help 
crontab: invalid option -- '-' 
crontab: usage error: unrecognized option 
usage:    crontab[-u user] file 
       crontab[-u user] [ -e | -l | -r ] 
              (defaultoperation is replace, per 1003.2) 
       -e    (edit user's crontab) 
       -l     (list user's crontab) 
       -r    (delete user's crontab) 
       -i     (prompt before deleting user's crontab) 
       -s    (selinux context) 
  
#查看编写的文件 
[root@client01 opt]# cd /var/spool/ 
[root@client01 spool]# ls 
anacron at  cron  lpd mail  plymouth  postfix up2date 
[root@client01 spool]# cd cron/ 
[root@client01 cron]# ll 
total 4 
-rw-------. 1 root root 58 Aug  5 16:37 root 
[root@client01 cron]# cat root 
* * * * * echo `date` >>/opt/aa03.txt 
30 18 * * * init 0 
[root@client01 cron]# cd /etc/cron. 
cron.d/       cron.daily/   cron.deny    cron.hourly/  cron.monthly/cron.weekly/ 
       
#每天执行的 
[root@client01 cron]# cat/etc/cron.d/0hourly 
shell=/bin/bash 
PATH=/sbin:/bin:/usr/sbin:/usr/bin 
MAILTO=root 
HOME=/ 
01 * * * * root run-parts /etc/cron.hourly 
  
#每个小时执行的 
[root@client01 cron]# cat/etc/cron.hourly/0anacron 
#!/bin/bash 
#in case file doesn't exist 
if test -r /var/spool/anacron/cron.daily;then 
   day=`cat /var/spool/anacron/cron.daily` 
fi 
if [ `date +%Y%m%d` = "$day" ];then 
   exit 0; 
fi 
  
# in case anacron is already running, 
# there will be log (daemon won't berunning twice). 
if test -x /usr/bin/on_ac_power; then 
   /usr/bin/on_ac_power &> /dev/null 
   if test $? -eq 1; then 
   exit 0 
   fi 
fi 
/usr/sbin/anacron -s 
  
#查看每天执行的配置文件 
[root@client01 cron]# cat/etc/cron.daily/logrotate 
#!/bin/sh 
  
/usr/sbin/logrotate /etc/logrotate.conf>/dev/null 2>&1 
EXITVALUE=$? 
if [ $EXITVALUE != 0 ]; then 
   /usr/bin/logger -t logrotate "ALERT exited abnormally with[$EXITVALUE]" 
fi 
exit 0 
  
#查看syslog文件，可以看到日志的创建过程 
[root@client01 logrotate.d]# cat syslog 
/var/log/messages /var/log/secure/var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron { 
   sharedscripts 
   postrotate 
       /bin/kill-HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true 
   endscript 
} 
  
#可以对日志的相关文件进行配置 
[root@client01 cron]# cat/etc/logrotate.conf 
# see "man logrotate" for details 
# rotate log files weekly 
weekly 
  
# keep 4 weeks worth of backlogs 
rotate 4 
  
# create new (empty) log files afterrotating old ones 
create 
  
# use date as a suffix of the rotated file 
dateext 
  
# uncomment this if you want your log filescompressed 
#compress 
  
# RPM packages drop log rotationinformation into this directory 
include /etc/logrotate.d 
  
# no packages own wtmp and btmp -- we'llrotate them here 
/var/log/wtmp { 
   monthly 
   create 0664 root utmp 
       minsize1M 
   rotate 1 
} 
  
/var/log/btmp { 
   missingok 
   monthly 
   create 0600 root utmp 
   rotate 1 
} 
  
# system-specific logs may be also beconfigured here.