您的位置: 首页  >  文章  >  日志

日志

分类: 文章 2024-02-16 08:10:16

日志文件

日志的功能

  • 用于记录系统、程序运行中发生的各种事件
  • 通过阅读日志,有助于诊断和解决系统故障

日志文件的分类

  • 内核及系统日志

    • 由系统服务syslog统一进行管理,日志格式基本相似

  • 用户日志

    • 记录系统用户登录及退出系统的相关信息
  • 程序日志
    • 由各种应用程序独立管理的日志文件,记录格式不统一

日志保存位置

  • 默认位于/var/log目录下

主要日志文件介绍

  • 内核及公共消息日志:/var/log/messages

  • 计划任务日志:/var/log/cron

  • 系统引导日志:/var/log/dmesg

  • 邮件系统日志:/var/log/maillog

  • 用户登录日志:/var/log/lastlog、 /var/log/secure、 /var/log/wtmp、 /var/run/btmp

日志的管理

  • 由系统服务rsyslogd统一管理
    • 软件包:reyelog-7.4.7-16.el7.x86_64
    • 主要程序:/sbin/rsyslogd
    • 配置文件:/etc/rsyslog.conf
[[email protected] ~]# vim /etc/rsyslog.conf      //查看日志文件配置信息

# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
...//省略部分内容...
[[email protected] ~]# cd /var/log         //查看日志文件目录
[[email protected] log]# ls
anaconda  dmesg               libvirt   rhsm               tallylog                Xorg.0.log
audit     dmesg.old           maillog   sa                 tuned                   Xorg.0.log.old
boot.log  firewalld           messages  samba              vmware-vgauthsvc.log.0  Xorg.1.log
btmp      gdm                 ntpstats  secure             vmware-vmsvc.log        Xorg.9.log
chrony    glusterfs           pluto     speech-dispatcher  vmware-vmusr.log        yum.log
cron      grubby_prune_debug  ppp       spooler            wpa_supplicant.log
cups      lastlog             qemu-ga   sssd               wtmp

  • 查看系统日志文件

    [[email protected] log]# vim messages                  //查看系统日志文件

Aug 10 03:53:40 localhost journal: Runtime journal is using 8.0M (max allowed 91.1M, trying to leave 136.7M free of 903.6M available → current limit 91.1M).
Aug 10 03:53:40 localhost kernel: Initializing cgroup subsys cpuset
Aug 10 03:53:40 localhost kernel: Initializing cgroup subsys cpu
Aug 10 03:53:40 localhost kernel: Initializing cgroup subsys cpuacct
Aug 10 03:53:40 localhost kernel: Linux version 3.10.0-693.el7.x86_64 ([email protected]) (gcc  version 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) ) #1 SMP Tue Aug 22 21:09:27 UTC 2017
Aug 10 03:53:40 localhost kernel: Command line: BOOT_IMAGE=/vmlinuz-3.10.0-693.el7.x86_64   root=UUID=729c9a26-dfdc-40f9-ae91-1ade55be51bb ro crashkernel=auto rhgb quiet LANG=zh_CN.UTF-8
Aug 10 03:53:40 localhost kernel: Disabled fast string operations
Aug 10 03:53:40 localhost kernel: e820: BIOS-provided physical RAM map:
Aug 10 03:53:40 localhost kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009ebff] usable
Aug 10 03:53:40 localhost kernel: BIOS-e820: [mem 0x000000000009ec00-0x000000000009ffff] reserved
Aug 10 03:53:40 localhost kernel: BIOS-e820: [mem 0x00000000000dc000-0x00000000000fffff] reserved
...//省略部分内容...
  • last命令查看用户登录日志
[[email protected] log]# last
root     pts/0        192.168.144.1    Mon Sep  2 05:17   still logged in   
reboot   system boot  3.10.0-693.el7.x Mon Sep  2 05:17 - 05:58  (00:40)    
root     pts/0        192.168.144.1    Mon Sep  2 04:11 - crash  (01:05)    
root     :0           :0               Mon Sep  2 04:11 - crash  (01:05)    
reboot   system boot  3.10.0-693.el7.x Mon Sep  2 04:10 - 05:58  (01:47)    
root     pts/0        :0               Sun Aug 25 01:10 - 01:10  (00:00)    
root     :0           :0               Sun Aug 25 01:10 - crash (8+03:00)   
...//省略部分内容...
  • lastb查看用户登录次数日志
[[email protected] log]# lastb
root     :0           :0               Sun Aug 25 01:10 - 01:10  (00:00)    
root     :1           :1               Sat Aug 10 06:26 - 06:26  (00:00)    

btmp begins Sat Aug 10 06:26:22 2019

  • 查看程序日志文件

    1、安装httpd服务,搭建Apache网站服务;然后关闭防火墙,使宿主机可以访问

[[email protected] ~]# yum install httpd -y   //安装httpd服务
已加载插件:fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: centos.ustc.edu.cn
 * extras: centos.ustc.edu.cn
 * updates: centos.ustc.edu.cn
正在解决依赖关系
--> 正在检查事务
---> 软件包 httpd.x86_64.0.2.4.6-89.el7.centos.1 将被 安装
...//省略部分内容...
[[email protected] ~]# systemctl start httpd              //开启服务
[[email protected] ~]# systemctl stop firewalld.service    //关闭防火墙
[[email protected] ~]# setenforce 0                       
[[email protected] ~]# cd /var/log               //查看日志文件目录,看是否生成httpd日志闻文件目录
[[email protected] log]# ls
anaconda  dmesg               lastlog   qemu-ga            sssd                    wtmp
audit     dmesg.old           libvirt   rhsm               tallylog                Xorg.0.log
boot.log  firewalld           maillog   sa                 tuned                   Xorg.0.log.old
btmp      gdm                 messages  samba              vmware-vgauthsvc.log.0  Xorg.1.log
chrony    glusterfs           ntpstats  secure             vmware-vmsvc.log        Xorg.9.log
cron      grubby_prune_debug  pluto     speech-dispatcher  vmware-vmusr.log        yum.log
cups      httpd               ppp       spooler            wpa_supplicant.log

2、通过宿主机访问搭建的网站后,查看系统程序的日志文件

日志

[[email protected] log]# cd httpd    //进入httpd程序目录
[[email protected] httpd]# ls 
access_log  error_log
[[email protected] httpd]# vim access_log     //查看程序日志文件

192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /noindex/css/bootstrap.min.css HTTP/1.1" 200 19341 "http://192.168.144.133/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /noindex/css/open-sans.css HTTP/1.1" 200 5081 "http://192.168.144.133/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /images/apache_pb.gif HTTP/1.1" 200 2326 "http://192.168.144.133/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /images/poweredby.png HTTP/1.1" 200 3956 "http://192.168.144.133/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /noindex/css/fonts/Light/OpenSans-Light.woff HTTP/1.1" 404 241 "http://192.168.144.133/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /noindex/css/fonts/Bold/OpenSans-Bold.woff HTTP/1.1" 404 239 "http://192.168.144.133/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
192.168.144.1 - - [02/Sep/2019:06:12:48 +0800] "GET /noindex/css/fonts/Bold/OpenSans-Bold.ttf HTTP/1.1" 404 238 "http://192.168.144.133/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)

日志消息的级别

  • 0 EMERG(紧急):会导致主机系统不可用的情况
  • 1 ALERT(警告):必须马上采取措施解决问题
  • 2 CRIT (严重):比较严重的情况
  • 3 ERR (错误):运行出现错误
  • 4 WARNING(提醒):可能会影响系统功能的事件
  • 5 NOTICE (注意):不会影响系统但值得注意
  • 6 INFO(信息):一般信息
  • 7 DEBUG (调试):程序员调试信息

日志管理策略

  • 及时做好备份和归档
  • 延长日志保存期限
  • 控制日志访问权限
  • 日志中可能会包含各类敏感信息,如账户、口令等

集中管理日志

  • 将服务器的日志文件发到统一的日志文件服务器

  • 便于日志信息的同一收集、整理和分析
  • 杜绝日志信息的意外丢失、恶意篡改或删除

相关推荐