Linux 系统日志
查看日志服务
大部分Linux发行版默认的日志守护进程为 syslog,位于 /etc/syslog 或 /etc/syslogd 或/etc/rsyslog.d,默认配置文件为 /etc/syslog.conf 或 rsyslog.conf,任何希望生成日志的程序都可以向 syslog 发送信息。
查看日志守护进程
命令: ps aux | grep syslog
root 921 0.0 0.1 35976 928 ? Sl Jan22 0:00 /sbin/rsyslogd -i /var/run/syslogd.pid -c 5
- 注:系统centos6,rsyslogd r带有网络的性质。
- 注:centos5服务名为syslogd。本地的性质。
- 注:日志会根据大小或者日期 切换到另外一个文件,新日志还叫原名
日志类型
| 类型 | 说明 |
|---|---|
| auth | 用户认证时产生的日志,如login命令、su命令。 |
| authpriv | 与 auth 类似,但是只能被特定用户查看。 |
| console | 针对系统控制台的消息。 |
| cron | 系统定期执行计划任务时产生的日志。 |
| daemon | 某些守护进程产生的日志。 |
| ftp | FTP服务。 |
| kern | 系统内核消息。 |
| local0.local7 | 由自定义程序使用。 |
| lpr | 与打印机活动有关。 |
| 邮件日志。 | |
| mark | 产生时间戳。系统每隔一段时间向日志文件中输出当前时间,每行的格式类似于 May 26 11:17:09 rs2 -- MARK --,可以由此推断系统发生故障的大概时间。 |
| news | 网络新闻传输协议(nntp)产生的消息。 |
| ntp | 网络时间协议(ntp)产生的消息。 |
| user | 用户进程。 |
| uucp | UUCP子系统。 |
日志优先级
| 优先级 | 说明 |
|---|---|
| emerg | 紧急情况,系统不可用(例如系统崩溃),一般会通知所有用户。 |
| alert | 需要立即修复,例如系统数据库损坏。 |
| crit | 危险情况,例如硬盘错误,可能会阻碍程序的部分功能。 |
| err | 一般错误消息。 |
| warning | 警告。 |
| notice | 不是错误,但是可能需要处理。 |
| info | 通用性消息,一般用来提供有用信息。 |
| debug | 调试程序产生的信息。 |
| none | 没有优先级,不记录任何日志消息。 |
简要说明
常用日志
/var/log/messages # 记录Linux操作系统常见的系统和服务错误信息
/var/log/secure # Linux系统安全日志,记录用户和工作组变坏情况、用户登陆认证情况
/var/log/maillog # 邮件相关的日志
/var/log/dmesg # 系统启动时显示的硬件内核信息
/var/log/boot.log # 记录了系统在引导过程中发生的事件,就是Linux系统开机自检过程显示的信息
二进制日志
/var/log/wtmp # 该日志文件永久记录每个用户登录、注销及系统的启动、停机的事件,使用last命令查看。
/var/log/btmp # 记录Linux登陆失败的用户、时间以及远程IP地址,lastb命令查看。
/var/log/lastlog # 记录最后一次用户成功登陆的时间、登陆IP等信息使用lastlog查看。。
/var/run/utmp # 该日志文件记录有关当前登录的每个用户的信息。
日志配置文件
/etc/rsyslog.conf # 系统日志配置文件
/etc/logrotate.conf # 定义日志切割归档
/etc/logrotate.d/syslog # 定义日志格式文件
/etc/logrotate.d/* # 是一些日志自定义的服务
/etc/rsyslog.d/*.conf # 自定义日志添加路径,记录日志格式
日志访问命令
命令:dmesg # 查看硬件相关的日志
命令:last # 查看用户登陆信息
命令:lastlog # 查看系统所有用户最近登陆情况
命令:lastb # 查看无效登陆的历史
详细说明
/var/log/messages
messages 日志是核心系统日志文件。 包含了系统启动时的引导消息,以及系统运行时的其他状态消息。 IO 错误、网络错误和其他系统错误都会记录到这个文件中。 其他信息,比如某个人的身份切换为 root,也在这里列出。 如果服务正在运行,比如 DHCP 服务器,您可以在 messages 文件中观察它的活动。 通常/var/log/messages 是您在做故障诊断时首先要查看的文件。
Jan 23 03:03:04 localhost dhclient[30603]: DHCPOFFER from 192.168.1.1 Jan 23 03:03:04 localhost dhclient[30603]: DHCPREQUEST on eth0 to 255.255.255.255 port 67 (xid=0x2c3377ff) Jan 23 03:03:05 localhost dhclient[30603]: DHCPACK from 192.168.1.1 (xid=0x2c3377ff) Jan 23 03:03:07 localhost NET[30879]: /sbin/dhclient-script : updated /etc/resolv.conf Jan 23 03:03:07 localhost dhclient[30603]: bound to 192.168.1.107 -- renewal in 3569 seconds. Jan 23 03:26:40 localhost kernel: e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None Jan 23 03:26:40 localhost kernel: ADDRCONF(NETDEV_UP): eth0: link is not ready Jan 23 03:26:40 localhost kernel: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
/var/log/btmp
root ssh:notty 192.168.1.106 Tue Jan 23 04:56 - 04:56 (00:00) root ssh:notty 192.168.1.106 Tue Jan 23 04:56 - 04:56 (00:00) *[A*[B** ssh:notty 192.168.1.154 Mon Jan 22 14:21 - 14:21 (00:00) btmp begins Mon Jan 22 14:21:36 2018
/var/log/wtmp
root pts/0 192.168.1.106 Tue Jan 23 04:44 still logged in root pts/4 192.168.1.150 Tue Jan 23 03:14 still logged in root pts/3 192.168.1.150 Tue Jan 23 03:02 still logged in root pts/2 192.168.1.107 Tue Jan 23 02:01 still logged in root pts/0 192.168.1.150 Tue Jan 23 01:34 - 04:08 (02:34) root pts/1 192.168.1.150 Tue Jan 23 00:26 - 03:34 (03:08) root pts/0 192.168.1.150 Mon Jan 22 21:59 - 00:26 (02:27) root pts/1 192.168.1.150 Mon Jan 22 19:47 - 23:03 (03:16) root pts/0 192.168.1.150 Mon Jan 22 18:58 - 21:51 (02:53) root pts/3 192.168.1.150 Mon Jan 22 14:22 - 20:58 (06:36) root pts/2 192.168.1.154 Mon Jan 22 14:21 - 14:24 (00:02) root pts/1 192.168.1.150 Mon Jan 22 14:20 - 15:22 (01:01) root tty1 Mon Jan 22 13:56 still logged in root pts/1 192.168.1.150 Mon Jan 22 11:26 - 13:54 (02:28) root pts/1 192.168.1.150 Mon Jan 22 11:24 - 11:26 (00:01) root pts/0 192.168.1.150 Mon Jan 22 11:22 - 16:08 (04:45) reboot system boot 2.6.32-431.el6.i Mon Jan 22 11:09 - 04:50 (17:41) root tty1 Mon Jan 22 10:55 - down (00:13) root pts/1 192.168.1.150 Mon Jan 22 10:47 - 10:47 (00:00) root pts/0 192.168.1.150 Mon Jan 22 10:19 - down (00:49) reboot system boot 2.6.32-431.el6.i Mon Jan 22 10:17 - 11:09 (00:51) root pts/0 192.168.1.103 Tue Dec 26 10:15 - crash (27+00:02) root pts/1 192.168.1.151 Sun Dec 24 00:33 - down (08:31) root pts/0 192.168.1.151 Sun Dec 24 00:07 - 00:42 (00:34) root tty1 Sat Dec 23 23:36 - down (09:28) root pts/0 192.168.1.151 Sat Dec 23 23:31 - 00:06 (00:35) reboot system boot 2.6.32-431.el6.i Sat Dec 23 23:29 - 09:05 (09:35) root pts/0 192.168.1.151 Sat Dec 23 20:46 - crash (02:43) root tty1 Sat Dec 23 20:45 - crash (02:44) reboot system boot 2.6.32-431.el6.i Sat Dec 23 20:44 - 09:05 (12:20) wtmp begins Sat Dec 23 20:44:29 2017
/var/log/dmesg
EXT4-fs (dm-0): mounted filesystem with ordered data mode. Opts: dracut: Mounted root filesystem /dev/mapper/VolGroup-lv_root SELinux: Disabled at runtime. SELinux: Unregistering netfilter hooks type=1404 audit(1516590558.341:2): selinux=0 auid=4294967295 ses=4294967295 dracut: dracut: Switching root udev: starting version 147 sr 1:0:0:0: Attached scsi generic sg0 type 5 sd 2:0:0:0: Attached scsi generic sg1 type 0 piix4_smbus 0000:00:07.3: Host SMBus controller not enabled! e1000: Intel(R) PRO/1000 Network Driver - version 7.3.21-k8-NAPI e1000: Copyright (c) 1999-2006 Intel Corporation. alloc irq_desc for 18 on node -1 alloc kstat_irqs on node -1 e1000 0000:02:00.0: PCI INT A -> GSI 18 (level, low) -> IRQ 18 e1000 0000:02:00.0: setting latency timer to 64 e1000 0000:02:00.0: eth0: (PCI:66MHz:32-bit) 00:0c:29:07:2a:e3 e1000 0000:02:00.0: eth0: Intel(R) PRO/1000 Network Connection parport_pc 00:09: reported by Plug and Play ACPI parport0: PC-style at 0x378, irq 7 [PCSPP,TRISTATE] ppdev: user-space parallel port driver EXT4-fs (sda1): mounted filesystem with ordered data mode. Opts: Adding 2064376k swap on /dev/mapper/VolGroup-lv_swap. Priority:-1 extents:1 across:2064376k
dmesg
device eth0 entered promiscuous mode device eth0 left promiscuous mode e1000: eth0 NIC Link is Down e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None e1000: eth0 NIC Link is Down e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None e1000: eth0 NIC Link is Down e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None e1000: eth0 NIC Link is Down e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None e1000: eth0 NIC Link is Down e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None e1000: eth0 NIC Link is Down e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None device eth0 entered promiscuous mode device eth0 left promiscuous mode ADDRCONF(NETDEV_UP): eth0: link is not ready e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready eth0: no IPv6 routers present e1000: eth0 NIC Link is Down e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None e1000: eth0 NIC Link is Down e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None ADDRCONF(NETDEV_UP): eth0: link is not ready ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready eth0: no IPv6 routers present device eth0 entered promiscuous mode device eth0 left promiscuous mode device eth0 entered promiscuous mode device eth0 left promiscuous mode device eth0 entered promiscuous mode device eth0 left promiscuous mode device eth0 entered promiscuous mode device eth0 left promiscuous mode device eth0 entered promiscuous mode device eth0 left promiscuous mode device eth0 entered promiscuous mode device eth0 left promiscuous mode ip_tables: (C) 2000-2006 Netfilter Core Team e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None ADDRCONF(NETDEV_UP): eth0: link is not ready ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready eth0: no IPv6 routers present
/var/log/maillog
Jan 22 11:09:04 localhost postfix/postfix-script[1547]: stopping the Postfix mail system Jan 22 11:09:04 localhost postfix/master[1234]: terminating on signal 15 Jan 22 11:09:38 localhost postfix/postfix-script[1258]: starting the Postfix mail system Jan 22 11:09:39 localhost postfix/master[1259]: daemon started -- version 2.6.6, configuration /etc/postfix
/var/log/secure
Jan 23 01:40:58 localhost groupadd[30688]: group added to /etc/group: name=wireshark, GID=499 Jan 23 01:40:58 localhost groupadd[30688]: group added to /etc/gshadow: name=wireshark Jan 23 01:40:58 localhost groupadd[30688]: new group: name=wireshark, GID=499 Jan 23 02:01:22 localhost sshd[30737]: Accepted password for root from 192.168.1.107 port 64568 ssh2 Jan 23 02:01:22 localhost sshd[30737]: pam_unix(sshd:session): session opened for user root by (uid=0) Jan 23 03:02:53 localhost sshd[30806]: Accepted password for root from 192.168.1.150 port 49527 ssh2 Jan 23 03:02:53 localhost sshd[30806]: pam_unix(sshd:session): session opened for user root by (uid=0) Jan 23 03:14:23 localhost sshd[30895]: Accepted password for root from 192.168.1.150 port 49614 ssh2 Jan 23 03:14:23 localhost sshd[30895]: pam_unix(sshd:session): session opened for user root by (uid=0) Jan 23 03:34:34 localhost sshd[29549]: pam_unix(sshd:session): session closed for user root Jan 23 04:08:38 localhost sshd[30655]: pam_unix(sshd:session): session closed for user root Jan 23 04:44:15 localhost sshd[31336]: Accepted password for root from 192.168.1.106 port 63088 ssh2 Jan 23 04:44:15 localhost sshd[31336]: pam_unix(sshd:session): session opened for user root by (uid=0) Jan 23 04:55:46 localhost sshd[31364]: Accepted password for root from 192.168.1.106 port 63150 ssh2 Jan 23 04:55:46 localhost sshd[31364]: pam_unix(sshd:session): session opened for user root by (uid=0) Jan 23 04:55:49 localhost sshd[31364]: pam_unix(sshd:session): session closed for user root Jan 23 04:56:11 localhost sshd[31384]: Accepted password for root from 192.168.1.106 port 63153 ssh2 Jan 23 04:56:11 localhost sshd[31384]: pam_unix(sshd:session): session opened for user root by (uid=0) Jan 23 04:56:13 localhost sshd[31384]: pam_unix(sshd:session): session closed for user root Jan 23 04:56:34 localhost sshd[31401]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.106 user=root Jan 23 04:56:36 localhost sshd[31401]: Failed password for root from 192.168.1.106 port 63156 ssh2 Jan 23 04:56:40 localhost sshd[31401]: Failed password for root from 192.168.1.106 port 63156 ssh2 Jan 23 04:56:44 localhost sshd[31402]: Received disconnect from 192.168.1.106: 0: Jan 23 04:56:44 localhost sshd[31401]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.106 user=root Jan 23 05:13:37 localhost sshd[30737]: pam_unix(sshd:session): session closed for user root Jan 23 05:14:13 localhost sshd[30806]: pam_unix(sshd:session): session closed for user root
/var/log/lastlog
默认Centos,Fedora不生成该日志文件,但可以配置/etc/syslog.conf让系统生成该日志文件。 它和/etc/log/messages日志文件不同,它只记录警告信息,常常是系统出问题的信息,所以更应该关注该文件。 该日志文件记录最近成功登录的事件和最后一次不成功的登录事件,由login生成。 在每次用户登录时被查询,该文件是二进制文件,需要使用lastlog命令查看,根据UID排序显示登录名、端口号和上次登录时间。 如果某用户从来没有登录过,就显示为"**Never logged in**"。该命令只能以root权限执行。
Username Port From Latest root pts/0 110.87.109.232 Wed Nov 2 10:34:20 +0800 2016 bin **Never logged in** daemon **Never logged in** adm **Never logged in** lp **Never logged in** sync **Never logged in** shutdown **Never logged in** halt **Never logged in** mail **Never logged in** uucp **Never logged in** operator **Never logged in** games **Never logged in** gopher **Never logged in** ftp **Never logged in** nobody **Never logged in** vcsa **Never logged in** saslauth **Never logged in** postfix **Never logged in** sshd **Never logged in** ntp **Never logged in** suda pts/2 222.79.79.120 Tue Oct 25 16:00:01 +0800 2016
/var/log/wtmp
该日志文件永久记录每个用户登录、注销及系统的启动、停机的事件。
因此随着系统正常运行时间的增加,该文件的大小也会越来越大,增加的速度取决于系统用户登录的次数。
该日志文件可以用来查看用户的登录记录,last命令就通过访问这个文件获得这些信息,并以反序从后向前显示用户的登录记录,last也能根据用户、终端tty或时间显示相应的记录。
reboot system boot 2.6.32-431.el6.i Sun Dec 24 13:43 - 11:09 (28+21:25) root pts/0 192.168.1.151 Sun Dec 24 10:06 - down (03:36) root pts/0 192.168.1.151 Sun Dec 24 09:05 - 10:06 (01:00) reboot system boot 2.6.32-431.el6.i Sun Dec 24 09:05 - 13:43 (04:37) root pts/0 192.168.1.151 Sun Dec 24 08:39 - down (00:25) root pts/1 192.168.1.151 Sun Dec 24 00:33 - down (08:31) root pts/0 192.168.1.151 Sun Dec 24 00:07 - 00:42 (00:34) root tty1 Sat Dec 23 23:36 - down (09:28) root pts/0 192.168.1.151 Sat Dec 23 23:31 - 00:06 (00:35) reboot system boot 2.6.32-431.el6.i Sat Dec 23 23:29 - 09:05 (09:35) root pts/0 192.168.1.151 Sat Dec 23 20:46 - crash (02:43) root tty1 Sat Dec 23 20:45 - crash (02:44) reboot system boot 2.6.32-431.el6.i Sat Dec 23 20:44 - 09:05 (12:20) wtmp begins Sat Dec 23 20:44:29 2017
/var/run/utmp
该日志文件记录有关当前登录的每个用户的信息。因此这个文件会随着用户登录和注销系统而不断变化,它只保留当时联机的用户记录,不会为用户保留永久的记录。
系统中需要查询当前用户状态的程序,如 who、w、users、finger等就需要访问这个文件。
该日志文件并不能包括所有精确的信息,因为某些突发错误会终止用户登录会话,而系统没有及时更新 utmp记录,因此该日志文件的记录不是百分之百值得信赖的。
/etc/rsyslog.conf
- # 不打印 带#行 与空行。
- 命令:grep -v '^$' /etc/rsyslog.conf | grep -v '^#'
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command) $ModLoad imklog # provides kernel logging support (previously done by rklogd) $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat $IncludeConfig /etc/rsyslog.d/*.conf # 定义级别 *.info;mail.none;authpriv.none;cron.none /var/log/messages authpriv.* /var/log/secure mail.* -/var/log/maillog cron.* /var/log/cron *.emerg * uucp,news.crit /var/log/spooler local7.* /var/log/boot.log
/etc/logrotate.conf
# see "man logrotate" for details # rotate log files weekly # 旋转每周日志文件 weekly # keep 4 weeks worth of backlogs # 保留4周的积压订单。 rotate 4 # create new (empty) log files after rotating old ones # 在旋转旧日志文件后创建新的(空)日志文件。 create # use date as a suffix of the rotated file 使用日期作为旋转文件的后缀。 dateext # 如果想要压缩日志文件,请取消注释。 # uncomment this if you want your log files compressed # 参见“man logrotate”查看详细信息。 # see "man logrotate" for details # rotate log files weekly # 每周旋转日志文件。 weekly # keep 4 weeks worth of backlogs 保留4周的积压订单。 rotate 4 # create new (empty) log files after rotating old ones # 创建新的(空)日志文件在旋转旧文件之后。 create # use date as a suffix of the rotated file # 使用日期作为旋转文件的后缀。 dateext # uncomment this if you want your log files compressed # 如果想要压缩日志文件,请取消注释。 #compress # RPM packages drop log rotation information into this directory # # RPM包将日志旋转信息放入这个目录中。 include /etc/logrotate.d # no packages own wtmp and btmp -- we'll rotate them here # 没有包自己的wtmp和btmp——我们将在这里旋转它们。 /var/log/wtmp { # 每月去归档一次 monthly # create创建新文件 0664umask值 root谁的权限 utmep create 0664 root utmp # 日志最小的多大 minsize 1M # route旋转 1 rotate 1 } /var/log/btmp { missingok monthly create 0600 root utmp rotate 1 } # system-specific logs may be also be configured here. # 也可以在这里配置特定于系统的日志。
/etc/logrotate.d/syslog
# 定义的日志 /var/log/cron /var/log/maillog /var/log/messages /var/log/secure /var/log/spooler { # 开始设置 sharedscripts postrotate # 上述几个日志目录都会按照下列脚本生成 /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true # 结束设置 endscript } # 当新生成了一个日志文件后,需要重新加载一遍配置文件,生成新的日志。 /bin/kill -HUP
