Log levels
Level name | Description |
---|---|
debug (LOG_DEBUG) | General debugging information |
info (LOG_INFO) | Basic informational notices |
notice (LOG_NOTICE) | Normal but significant condition |
warning (LOG_WARNING) | Warning; the service or system is not yet affected |
err/error (LOG_ERR) | Error; at this level the service or system is usually already affected |
crit (LOG_CRIT) | Critical condition, more severe than err |
alert (LOG_ALERT) | More severe than crit; action must be taken immediately |
emerg (LOG_EMERG) | Panic: the system is unusable |
* | All log levels. For example, "authpriv.*" records messages of every level from the authpriv (authentication) facility |
none | Record nothing from that facility |
In a rule a level selects that level and every more severe one: authpriv.err records err, crit, alert and emerg. rsyslog also accepts the older spellings warn, error and panic for warning, err and emerg.
Managing rsyslog
Viewing the rsyslog package installed on this host
[root@localhost ~]# rpm -qi rsyslog
Name : rsyslog
Version : 8.24.0
Release : 12.el7
Architecture: x86_64
Install Date: Mon 11 Mar 2024 18:34:03
Group : System Environment/Daemons
Size : 2001814
License : (GPLv3+ and ASL 2.0)
Signature : RSA/SHA256, Fri 11 Aug 2017 03:43:05, Key ID 24c6a8a7f4a80eb5
Source RPM : rsyslog-8.24.0-12.el7.src.rpm
Build Date : Mon 07 Aug 2017 08:56:12
Build Host : c1bm.rdu2.centos.org
Relocations : (not relocatable)
Packager : CentOS BuildSystem <http://bugs.centos.org>
Vendor : CentOS
URL : http://www.rsyslog.com/
Summary : Enhanced system logging and kernel message trapping daemon
Description :
Rsyslog is an enhanced, multi-threaded syslog daemon. It supports MySQL,
syslog/TCP, RFC 3195, permitted sender lists, filtering on any message part,
and fine grain output format control. It is compatible with stock sysklogd
and can be used as a drop-in replacement. Rsyslog is simple to set up, with
advanced features suitable for enterprise-class, encryption-protected syslog
relay chains.
# Default log location: /var/log/ (each package's default configuration writes here)
[root@localhost ~]# ls /var/log/
anaconda chrony httpd rhsm vmware-vgauthsvc.log.0
audit cron lastlog sa vmware-vmsvc.log
boot.log cups libvirt samba vmware-vmusr.log
boot.log-20240416 dmesg maillog secure wpa_supplicant.log
boot.log-20240417 dmesg.old messages speech-dispatcher wtmp
boot.log-20240418 firewalld ntpstats spooler Xorg.0.log
boot.log-20240419 gdm pluto sssd Xorg.0.log.old
boot.log-20240422 glusterfs ppp tallylog Xorg.9.log
btmp grubby_prune_debug qemu-ga tuned yum.log
Main log files
Log | Location | Purpose |
---|---|---|
Kernel and general messages | /var/log/messages | Where most messages end up |
System service startup | /var/log/boot.log | Messages from services started at boot |
Installer log | /var/log/anaconda/anaconda.log | Messages recorded while the system was installed |
Scheduled task log | /var/log/cron | crond job execution records |
Boot/kernel log | /var/log/dmesg | Hardware and kernel messages from boot (text file; the live kernel ring buffer is shown with the dmesg command) |
Mail log | /var/log/maillog | Messages from the mail system |
User login logs | 1. /var/log/lastlog 2. /var/log/secure 3. /var/log/wtmp 4. /var/log/btmp | 1. Last login time per user (binary; read with lastlog) 2. Authentication log (auth/authpriv facilities; text file recording both successful and failed logins, including sshd) 3. Successful logins and logouts (binary; read with last) 4. Failed logins (binary; read with lastb) |
Log format
[root@localhost ~]# tail -f /var/log/messages
Apr 22 17:40:02 localhost systemd: Started Session 68 of user root.
Apr 22 17:40:02 localhost systemd: Starting Session 68 of user root.
Apr 22 17:50:01 localhost systemd: Started Session 69 of user root.
Apr 22 17:50:01 localhost systemd: Starting Session 69 of user root.
Apr 22 18:00:01 localhost systemd: Started Session 70 of user root.
Apr 22 18:00:01 localhost systemd: Starting Session 70 of user root.
Apr 22 18:01:01 localhost systemd: Started Session 71 of user root.
Apr 22 18:01:01 localhost systemd: Starting Session 71 of user root.
Apr 22 18:10:01 localhost systemd: Started Session 72 of user root.
Apr 22 18:10:01 localhost systemd: Starting Session 72 of user root.
Apr 22 18:12:39 localhost systemd-logind: New session 73 of user root.
Apr 22 18:12:39 localhost systemd: Started Session 73 of user root.
Apr 22 18:12:39 localhost systemd: Starting Session 73 of user root.
Apr 22 18:12:39 localhost dbus[725]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
Apr 22 18:12:39 localhost dbus-daemon: dbus[725]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
Apr 22 18:12:39 localhost dbus-daemon: dbus[725]: [system] Successfully activated service 'org.freedesktop.problems'
Apr 22 18:12:39 localhost dbus[725]: [system] Successfully activated service 'org.freedesktop.problems'
# timestamp   hostname   tag (program name, optionally with [pid])   message
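The format above is regular enough to process with awk. The following script is an added example, not part of the original post: it splits lines in this "timestamp host tag: message" layout into fields and then runs a small piece of detection logic over sshd lines, counting accepted and failed logins per source address and flagging addresses that exceed a failure threshold. The sample lines are constructed for the example (the 203.0.113.5 failures are invented), and the function names are the example's own.

```shell
#!/usr/bin/env bash
# Parse "Mon DD HH:MM:SS host tag[pid]: message" lines as written by rsyslog
# to /var/log/messages (and to a relocated sshd log) and summarise sshd logins.

# Constructed sample lines in that format, not captured from a real host.
SAMPLE_LOG='Apr 22 18:53:59 localhost sshd[8975]: Accepted password for root from 172.16.87.1 port 59868 ssh2
Apr 22 18:55:38 localhost sshd[9041]: Accepted password for root from 172.16.87.10 port 39884 ssh2
Apr 22 18:56:02 localhost sshd[9050]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Apr 22 18:56:04 localhost sshd[9050]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Apr 22 18:56:07 localhost sshd[9052]: Failed password for root from 203.0.113.5 port 41030 ssh2
Apr 22 18:57:00 localhost systemd: Started Session 74 of user root.'

# syslog_fields: stdin -> "timestamp|host|tag|message" per line.
# Fields 1-3 are the timestamp, 4 the host, 5 the tag (trailing ":" dropped),
# everything after that is the message.
syslog_fields() {
  awk '{
    tag = $5; sub(/:$/, "", tag)
    msg = $6; for (i = 7; i <= NF; i++) msg = msg " " $i
    printf "%s %s %s|%s|%s|%s\n", $1, $2, $3, $4, tag, msg
  }'
}

# sshd_login_summary: stdin -> "ip accepted failed" per source address, sorted.
# Only sshd lines whose message starts with Accepted/Failed are counted; the
# address is the word following "from".
sshd_login_summary() {
  awk '
    $5 ~ /^sshd\[/ && ($6 == "Accepted" || $6 == "Failed") {
      ip = ""
      for (i = 7; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      if (ip == "") next
      if ($6 == "Accepted") ok[ip]++; else bad[ip]++
      seen[ip] = 1
    }
    END { for (ip in seen) printf "%s %d %d\n", ip, ok[ip] + 0, bad[ip] + 0 }
  ' | LC_ALL=C sort
}

# failed_login_sources THRESHOLD: stdin -> addresses with at least THRESHOLD
# failed logins (a crude brute-force indicator).
failed_login_sources() {
  sshd_login_summary | awk -v t="$1" '$3 >= t { print $1 }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | sshd_login_summary
printf '%s\n' "$SAMPLE_LOG" | failed_login_sources 3
```

Run it against a real file with `sshd_login_summary < /var/log/secure` (or the relocated sshd.log); the tag check keeps other programs' lines out of the count.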
Editing the rsyslog configuration file
[root@localhost ~]# vim /etc/rsyslog.conf
The file has three parts:
- MODULES: module loading
- GLOBAL DIRECTIVES: global settings
- RULES: what to log and where (the part that is usually changed)
##RULES##
facility.priority    absolute path of the log file
# Example: record authpriv messages (the facility sshd logs to by default on CentOS) at err level and above in /data/sshd.log
authpriv.err /data/sshd.log
# The first field is a facility, not a program name, and the target must be a file, not a directory. rsyslog can also select by program name with a property-based filter on programname, but the classic selector only understands facility and priority.
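Selector lists such as `*.info;mail.none;authpriv.none;cron.none` (the default /var/log/messages rule) are evaluated left to right, and the last entry that names a message's facility decides. The following shell function is an added example, not rsyslog's code: it implements those selector semantics (a level matches itself and everything more severe, `=level` matches exactly one level, `*` and `none`, comma-separated facility lists, last entry wins) so you can check what a rule would do before restarting the daemon. The `!` priority prefix is not handled; the function name is the example's own.

```shell
#!/usr/bin/env bash
# selector_matches SELECTOR_LIST FACILITY PRIORITY
# Prints "match" if a message with that facility and priority would be handled
# by the rule, "no-match" otherwise. The "!" prefix form (e.g. kern.!err) is
# not implemented. Example (not rsyslog's own code).
selector_matches() {
  awk -v list="$1" -v fac="$2" -v prio="$3" '
    function rank(p) { return (p in ranks) ? ranks[p] : -1 }
    BEGIN {
      # Priority keywords in increasing severity; rsyslog accepts the aliases.
      ranks["debug"] = 0; ranks["info"] = 1; ranks["notice"] = 2
      ranks["warning"] = 3; ranks["warn"] = 3
      ranks["err"] = 4; ranks["error"] = 4
      ranks["crit"] = 5; ranks["alert"] = 6
      ranks["emerg"] = 7; ranks["panic"] = 7
      r = rank(prio)
      if (r < 0) { print "unknown priority: " prio > "/dev/stderr"; exit 2 }
      result = "no-match"
      n = split(list, sels, ";")
      for (i = 1; i <= n; i++) {
        dot = index(sels[i], ".")
        if (dot == 0) continue                 # malformed selector, ignore it
        sfac = substr(sels[i], 1, dot - 1)     # facility or a,b,c list or *
        sprio = substr(sels[i], dot + 1)       # level, =level, * or none
        hit = 0
        m = split(sfac, facs, ",")
        for (j = 1; j <= m; j++) if (facs[j] == "*" || facs[j] == fac) hit = 1
        if (!hit) continue
        # A later entry for the same facility overrides an earlier one.
        if (sprio == "none") result = "no-match"
        else if (sprio == "*") result = "match"
        else if (substr(sprio, 1, 1) == "=") {
          k = rank(substr(sprio, 2))
          result = (k >= 0 && r == k) ? "match" : "no-match"
        } else {
          k = rank(sprio)
          result = (k >= 0 && r >= k) ? "match" : "no-match"
        }
      }
      print result
    }'
}

# Demonstration with selectors used on this page.
MESSAGES_RULE='*.info;mail.none;authpriv.none;cron.none'
selector_matches "$MESSAGES_RULE" kern warning    # match
selector_matches "$MESSAGES_RULE" authpriv info   # no-match: logins never reach /var/log/messages
selector_matches 'local6.*' local6 debug           # match: the relocated sshd rule
selector_matches 'authpriv.err' authpriv warning   # no-match: below err
selector_matches 'authpriv.err' authpriv crit      # match: err and above
selector_matches 'auth,authpriv.none;*.info' authpriv info   # match: later *.info wins
```

The last call shows why ordering matters: `authpriv.none` only drops authpriv messages when it comes after the entry that would have selected them.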
Example: write the sshd log under /data as sshd.log
# In /etc/ssh/sshd_config, change SyslogFacility from AUTHPRIV (the CentOS default, which routes sshd messages to /var/log/secure) to local6
[root@localhost ~]# vim /etc/ssh/sshd_config
#SyslogFacility AUTH
SyslogFacility local6
# In /etc/rsyslog.conf, add a local6 rule in the RULES section
[root@localhost ~]# vim /etc/rsyslog.conf
# Save boot messages also to boot.log
local7.* /var/log/boot.log
local6.* /data/sshd.log
# Restart both services so both changes take effect. Note that sshd messages no longer appear in /var/log/secure afterwards, so anything that reads that file for login events must be pointed at the new file.
[root@localhost ~]# systemctl restart sshd rsyslog.service
[root@localhost ~]# ls /data
htop-2.2.0-3.el7.x86_64.rpm john-1.8.0.tar.gz nmap-7.93-setup.exe
iftop-1.0-0.pre3.el7.rf.x86_64.rpm nginx-1.18.0 sshd.log ---- the new log file
john-1.8.0 nginx-1.18.0.tar.gz webmin-2.100-1.noarch.rpm
# Test: log in over ssh and watch the new file
[root@localhost ~]# tail -f /data/sshd.log
Apr 22 18:53:00 localhost sshd[8922]: Server listening on 0.0.0.0 port 22.
Apr 22 18:53:00 localhost sshd[8922]: Server listening on :: port 22.
Apr 22 18:53:59 localhost sshd[8975]: Accepted password for root from 172.16.87.1 port 59868 ssh2
Apr 22 18:55:38 localhost sshd[9041]: Accepted password for root from 172.16.87.10 port 39884 ssh2
Saving logs on another server
# Lab shortcut used here: the firewall and SELinux are switched off on every host. On a real collector, open only TCP 514 and keep SELinux enforcing.
[root@7_1 ~]# systemctl stop firewalld
[root@7_1 ~]# setenforce 0
# On the collector (7_2) only, enable TCP syslog reception on port 514 by removing the leading # from these two lines
[root@7_2 ~]# vim /etc/rsyslog.conf
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
# On each host whose logs are to be forwarded (7_1): copy the /var/log/messages rule and replace the file path with the collector's address, then restart rsyslog on both hosts
[root@7_1 ~]# vim /etc/rsyslog.conf
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
*.info;mail.none;authpriv.none;cron.none @@172.16.87.20 ---- @@ means TCP; a single @ sends over UDP
# Two caveats: this selector carries authpriv.none, so the sshd login records in /var/log/secure are not forwarded, and plain TCP syslog is neither encrypted nor authenticated, so the collector trusts whatever arrives on port 514.
# Watch /var/log/messages on the collector. The "root: abc 123" lines are test messages sent from 7_1 and 7_3 (the command is not shown; the logger utility produces lines of exactly this shape), and the rsyslogd "action ... resumed (omfwd)" lines are the clients reporting that their forwarding action reconnected to the collector after being suspended.
[root@7_2 ~]# tail -f /var/log/messages
Apr 23 08:52:05 7_3 root: abc 123
Apr 23 08:52:05 7_3 rsyslogd: action 'action 1' resumed (module 'builtin:omfwd') [v8.24.0 try http://www.rsyslog.com/e/2359 ]
Apr 23 08:52:05 7_3 rsyslogd: action 'action 1' resumed (module 'builtin:omfwd') [v8.24.0 try http://www.rsyslog.com/e/2359 ]
Apr 23 08:52:27 7_1 root: abc 123
Apr 23 08:52:27 7_1 rsyslogd: action 'action 1' resumed (module 'builtin:omfwd') [v8.24.0 try http://www.rsyslog.com/e/2359 ]
Apr 23 08:52:27 7_1 rsyslogd: action 'action 1' resumed (module 'builtin:omfwd') [v8.24.0 try http://www.rsyslog.com/e/2359 ]
Apr 23 09:00:01 7_1 systemd: Started Session 9 of user root.
Apr 23 09:00:01 7_1 systemd: Starting Session 9 of user root.
Apr 23 09:00:01 7_2 systemd: Started Session 8 of user root.
Apr 23 09:00:01 7_2 systemd: Starting Session 8 of user root.
Apr 23 09:00:01 7_3 systemd: Started Session 8 of user root.
Apr 23 09:00:01 7_3 systemd: Starting Session 8 of user root.
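The procedure above works, but it opens the collector to any sender, mixes remote messages into the collector's own /var/log/messages, drops login records (authpriv.none) and loses messages while the collector is down (the "action resumed" lines are the symptom). The script below is an added example, not part of the original post or of rsyslog: it writes two rsyslog drop-in files, a collector side that uses rsyslog's permitted-sender list and files each host separately, and a forwarder side that ships every facility through a disk-assisted queue. The collector address 172.16.87.20, the client network 172.16.87.0/24, the /var/log/remote layout and all function names are assumptions of the example.

```shell
#!/usr/bin/env bash
# Generate rsyslog drop-in files for TCP forwarding (example, not rsyslog's code).
# Assumptions: collector 172.16.87.20, clients in 172.16.87.0/24, remote logs
# under /var/log/remote/<host>/messages. Override via environment if needed.
set -eu

COLLECTOR_IP="${COLLECTOR_IP:-172.16.87.20}"
CLIENT_NET="${CLIENT_NET:-172.16.87.0/24}"
RSYSLOG_D="${RSYSLOG_D:-/etc/rsyslog.d}"

# Collector (7_2). Load imtcp here only if rsyslog.conf does not already do so;
# loading it twice is an error.
write_collector_conf() {
  cat <<EOF
# TCP reception on 514, restricted to the client network (permitted sender list)
\$ModLoad imtcp
\$AllowedSender TCP, 127.0.0.1, ${CLIENT_NET}
\$InputTCPServerRun 514

# One file per sending host (e.g. /var/log/remote/7_1/messages) instead of
# mixing remote messages into the collector's own /var/log/messages
\$template RemoteHost,"/var/log/remote/%HOSTNAME%/messages"
:fromhost-ip, !isequal, "127.0.0.1" ?RemoteHost
& stop
EOF
}

# Forwarder (7_1, 7_3). "*.*" rather than the messages selector, so authpriv
# login records are shipped too. The queue spools to disk (in the daemon's
# $WorkDirectory, /var/lib/rsyslog on CentOS 7) while the collector is
# unreachable instead of dropping messages.
write_forwarder_conf() {
  qname="fwd_$(printf '%s' "$COLLECTOR_IP" | tr . _)"
  cat <<EOF
\$ActionQueueType LinkedList
\$ActionQueueFileName ${qname}
\$ActionQueueMaxDiskSpace 1g
\$ActionQueueSaveOnShutdown on
\$ActionResumeRetryCount -1
*.* @@${COLLECTOR_IP}:514
EOF
}

# install_conf collector|forwarder [DIR]: write the file and print its path.
install_conf() {
  role="$1"; dir="${2:-$RSYSLOG_D}"
  mkdir -p "$dir"
  case "$role" in
    collector) write_collector_conf > "$dir/10-collector.conf" ;;
    forwarder) write_forwarder_conf > "$dir/10-forwarder.conf" ;;
    *) echo "usage: install_conf collector|forwarder [dir]" >&2; return 1 ;;
  esac
  echo "$dir/10-$role.conf"
}

# check_conf FILE: syntax-check a fragment with the real daemon when present.
check_conf() {
  command -v rsyslogd >/dev/null 2>&1 && rsyslogd -N1 -f "$1"
}

# Collector firewall handling instead of "systemctl stop firewalld; setenforce 0".
open_collector_port() {
  firewall-cmd --permanent --add-port=514/tcp
  firewall-cmd --reload
  # If SELinux denies the bind (check with: ausearch -m avc -ts recent),
  # label the port instead of disabling enforcement:
  #   semanage port -a -t syslogd_port_t -p tcp 514
}

# Usage: install_conf collector  (on 7_2), install_conf forwarder (on 7_1/7_3),
# then systemctl restart rsyslog on each host.
```

Even with the sender list, port 514 still carries cleartext: a host on the client network can forge entries for any hostname. rsyslog's TLS transport is the fix for that, and is outside what this page covers.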
From: https://www.cnblogs.com/GrandOB/p/18152077