Linux log management



1 Purpose of common log files

2 How logs are recorded

3 Log rotation

On CentOS 7, system log messages are handled by two services: systemd-journald and rsyslog.

Overview of system log files: the /var/log directory holds the log files maintained by rsyslog, including a number of log files specific to the system and to individual services.

Log file             Purpose
/var/log/messages    Most system log messages are recorded here. There are exceptions: messages related to authentication, mail handling, scheduled jobs and so on go to their own files.
/var/log/secure      Security and authentication related messages and login failures; the log produced by ssh remote logins goes here.
/var/log/maillog     Messages related to the mail server.
/var/log/cron        Messages related to scheduled (cron) jobs.
/var/log/boot.log    Messages related to system startup.
/var/log/dmesg       Kernel messages related to system startup.


[root@localhost ~]# grep password /var/log/secure
Mar  8 14:31:15 localhost sshd[1706]: Accepted password for root from 192.168.1.4 port 56696 ssh2
Mar  8 15:46:06 localhost sshd[1086]: Accepted password for root from 192.168.1.4 port 57583 ssh2
Mar  8 23:28:33 localhost sshd[1811]: Accepted password for root from 192.168.1.4 port 50705 ssh2
Mar  9 10:58:05 localhost sshd[2529]: Accepted password for root from 192.168.1.4 port 63197 ssh2
Mar 10 22:32:26 localhost sshd[3268]: Accepted password for root from 192.168.1.4 port 61017 ssh2
Mar 10 23:01:48 localhost sshd[3486]: Failed password for root from 192.168.1.9 port 51062 ssh2
Mar 10 23:01:51 localhost sshd[3486]: Failed password for root from 192.168.1.9 port 51062 ssh2
Mar 10 23:01:54 localhost sshd[3486]: Failed password for root from 192.168.1.9 port 51062 ssh2

(1) Purpose of /var/log/wtmp     # records each user's login count, session duration and similar information.

last

last -f /var/log/wtmp

(2) Use /var/log/btmp to see which users are brute-forcing the system

lastb

Once found, reject the address with the firewall; the command is:
iptables -A INPUT -i ens33 -s 192.168.1.9 -j DROP

Count how many login attempts each malicious IP has made:
lastb | awk '{ print $3}' | sort | uniq -c | sort -n
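The per-address counting that the page does with `lastb | awk '{ print $3}' | sort | uniq -c | sort -n` can also be run over the `/var/log/secure` lines shown earlier. The script below is an added example, not part of the original post: it parses sshd "Accepted/Failed password" lines, counts failures and successes per source address, flags addresses over a failure threshold, and lists addresses that succeeded after earlier failures (the pattern a reviewer wants to see first). The sample lines are constructed, modelled on the page's grep output, with private addresses.

```python
"""Count sshd password failures per source IP in /var/log/secure-style lines.

Added example (not from the original post). It reads the same kind of
lines the page shows from `grep password /var/log/secure` and produces
the per-IP counts the page gets from `lastb | awk | sort | uniq -c`,
plus a list of IPs over a failure threshold.
"""
import re

# Matches "Accepted password for USER from IP" and "Failed password for USER from IP".
# "invalid user" appears for unknown accounts; the optional group absorbs it.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample modelled on the page's grep output (private addresses).
SAMPLE_LINES = """\
Mar 10 22:32:26 localhost sshd[3268]: Accepted password for root from 192.168.1.4 port 61017 ssh2
Mar 10 23:01:48 localhost sshd[3486]: Failed password for root from 192.168.1.9 port 51062 ssh2
Mar 10 23:01:51 localhost sshd[3486]: Failed password for root from 192.168.1.9 port 51062 ssh2
Mar 10 23:01:54 localhost sshd[3486]: Failed password for root from 192.168.1.9 port 51062 ssh2
Mar 10 23:02:10 localhost sshd[3490]: Failed password for invalid user admin from 192.168.1.9 port 51070 ssh2
Mar 10 23:02:40 localhost sshd[3495]: Accepted password for root from 192.168.1.9 port 51080 ssh2
Mar 10 23:05:00 localhost sshd[3501]: Failed password for root from 192.168.1.20 port 40000 ssh2
Mar 10 23:05:01 localhost systemd[1]: Started Session 5 of user root.
""".splitlines()


def parse_sshd(lines):
    """Yield (result, user, ip) for every sshd password line; other lines are skipped."""
    for line in lines:
        m = SSHD_RE.match(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("ip")


def count_by_ip(lines):
    """Return {ip: {"failed": n, "accepted": n}}, the equivalent of the awk/uniq -c pipeline."""
    counts = {}
    for result, _user, ip in parse_sshd(lines):
        entry = counts.setdefault(ip, {"failed": 0, "accepted": 0})
        entry["failed" if result == "Failed" else "accepted"] += 1
    return counts


def suspicious_ips(lines, threshold=3):
    """IPs with at least `threshold` failed passwords, most failures first."""
    counts = count_by_ip(lines)
    hits = [(ip, c["failed"]) for ip, c in counts.items() if c["failed"] >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


def success_after_failures(lines):
    """IPs that got an 'Accepted' after at least one 'Failed' from the same address."""
    failed_seen = set()
    flagged = []
    for result, _user, ip in parse_sshd(lines):
        if result == "Failed":
            failed_seen.add(ip)
        elif ip in failed_seen and ip not in flagged:
            flagged.append(ip)
    return flagged


if __name__ == "__main__":
    for ip, c in sorted(count_by_ip(SAMPLE_LINES).items()):
        print(f"{ip:15} failed={c['failed']} accepted={c['accepted']}")
    print("over threshold:", suspicious_ips(SAMPLE_LINES))
    print("success after failures:", success_after_failures(SAMPLE_LINES))
```

Run it against a real file with `count_by_ip(open("/var/log/secure"))`; the threshold is a starting point to tune, and the "success after failures" list is what to look at before clearing any of the counters.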

Clear the log:

> /var/log/btmp

2 How logs are recorded

2.1 Facilities and levels

Log facilities (categories):

daemon      background (daemon) processes
kern        messages generated by the kernel
lpr         messages from the printing system
authpriv    security and authentication
cron        scheduled jobs
mail        mail
syslog      the log service itself
news        the news system
local0~7    user-defined facilities

Log levels (listed from least to most severe):

Code   Priority   Severity
7      debug      Information useful to developers debugging an application; of no use during normal operation
6      info       Normal operational messages; can be collected for reporting, throughput measurement and so on
5      notice     Normal but significant events
4      warning    A warning that an error will occur if no action is taken, e.g. a file system that is 90% full
3      err        An error that prevents a module or program from functioning correctly
2      crit       A critical error that already affects the whole system or stops software from working
1      alert      An alert: a condition that must be corrected immediately
0      emerg      Emergency: severe conditions such as a kernel crash


2.2 The rsyslog log service

RHEL 5     -> service name syslog   -> configuration file /etc/syslog.conf

RHEL 6-7   -> service name rsyslog  -> configuration file /etc/rsyslog.conf

Edit the configuration file: vim /etc/rsyslog.conf

*.info;mail.none;authpriv.none;cron.none                /var/log/messages

authpriv.*                                              /var/log/secure

mail.*                                                  -/var/log/maillog

cron.*                                                  /var/log/cron

*.emerg                                                 :omusrmsg:*

uucp,news.crit                                          /var/log/spooler

local7.*                                                /var/log/boot.log

The "-" prefix: mail produces a lot of messages, so the data is first buffered in memory and written to disk in one go once it reaches a certain size, which reduces the I/O overhead of the process.

Because the data sits in memory, it is lost if the machine is shut down improperly.

 

2.3 Rules for selecting log entries

.info       record all messages at info level and above (info and every more severe level) to the given file

.=level     record only messages at exactly that level

Example: .=info records only info-level messages

.!level     record all levels except the given one

Example: .!err records everything except err

.none       exclude a facility entirely. Example: mail.none   no message of the mail facility is recorded
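To see how the facilities and levels of 2.1, the rule lines of the /etc/rsyslog.conf excerpt in 2.2 and the selector syntax of 2.3 fit together, here is an added Python model of the routing. It is not rsyslog's code and not part of the original post. The numeric facility and severity codes are the standard syslog values (the PRI header of a raw message is facility * 8 + severity); the selector semantics are a simplified model: selectors on one line are applied left to right and a later selector for a facility overrides an earlier one, which is what the `*.info;mail.none` idiom relies on, and `!` is treated as the rsyslog documentation defines it, ignoring that priority and everything more severe, which the page's `.!err` example rounds off to "everything except err". The messages fed in at the bottom are constructed.

```python
"""Model of how rsyslog's facility.priority selectors route messages.

Added example, not part of the original post and not rsyslog's own code.
It decodes the <PRI> header of a raw syslog message and evaluates rule
lines copied from the page's /etc/rsyslog.conf excerpt.
"""

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}
# Severity 0 is the most severe (emerg), 7 the least (debug), as in the page's table.
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
ALL_SEV = set(SEVERITIES.values())


def decode_pri(raw):
    """Split a raw '<PRI>message' line into (facility_code, severity_code, text)."""
    if not raw.startswith("<") or ">" not in raw:
        raise ValueError("missing <PRI> header")
    pri, text = raw[1:].split(">", 1)
    pri = int(pri)
    return pri // 8, pri % 8, text


def _level_set(spec):
    """Severity codes selected by a priority field, honouring the = and ! modifiers."""
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    exact = spec.startswith("=")
    if exact:
        spec = spec[1:]
    if spec == "none":
        chosen = set()
    elif spec == "*":
        chosen = set(ALL_SEV)
    else:
        code = SEVERITIES[spec]
        # "mail.err" means err and everything more severe (lower code).
        chosen = {code} if exact else {c for c in ALL_SEV if c <= code}
    # "!err" ignores err and anything more severe: the complement of the plain selection.
    return ALL_SEV - chosen if negate else chosen


def parse_selector(selector):
    """'*.info;mail.none;authpriv.none' -> {facility_code: set of severity codes}."""
    table = {}
    for part in selector.split(";"):
        fac_field, level_field = part.strip().rsplit(".", 1)
        levels = _level_set(level_field)
        if fac_field == "*":
            facs = list(FACILITIES.values())
        else:
            facs = [FACILITIES[f] for f in fac_field.split(",")]
        for code in facs:
            table[code] = set(levels)  # a later selector overrides an earlier one
    return table


def parse_rules(config_text):
    """Turn rule lines ('selector   target') into a list of (table, target)."""
    rules = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, target = line.split(None, 1)
        rules.append((parse_selector(selector), target.strip()))
    return rules


def route(raw, rules):
    """Targets that receive the raw message (one message may match several rules)."""
    fac, sev, _text = decode_pri(raw)
    return [target for table, target in rules if sev in table.get(fac, set())]


# The rule lines from the page's /etc/rsyslog.conf excerpt.
RSYSLOG_CONF = """
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
"""
RULES = parse_rules(RSYSLOG_CONF)

if __name__ == "__main__":
    # Constructed messages: authpriv.info (86), mail.err (19), kern.emerg (0), daemon.debug (31)
    for raw in ("<86>sshd[1]: Accepted password for root", "<19>postfix: deferred",
                "<0>kernel: panic", "<31>crond: noisy debug"):
        print(raw, "->", route(raw, RULES))
```

The kern.emerg message lands in two places, /var/log/messages and every logged-in user's terminal (`:omusrmsg:*`), while daemon.debug is dropped by every rule: `*.info` stops at info, and nothing else mentions the daemon facility. The leading "-" on the maillog target is returned as-is; it is the asynchronous-write marker explained in 2.2, not part of the path.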

3 Log rotation

logrotate can split logs automatically by time and by size, to keep log files from growing too large.

The split tool can also be used to cut a file into pieces.

The logrotate configuration files are:

/etc/logrotate.conf and the per-service configuration files in the /etc/logrotate.d/ subdirectory.

logrotate is invoked by the crond service: cron starts the logrotate program once a day at the time configured in /etc/crontab.

Edit the configuration file

[root@localhost ~]# vim /etc/logrotate.conf

# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# use date as a suffix of the rotated file
dateext

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
        minsize 1M
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
}

(Global parameters)

weekly :    rotate once a week

rotate :    how many of the most recent historical archives to keep after a log is rotated

create :    permission bits, owner and group of the newly created file

dateext :   use the date as the suffix of the rotated file   # you can see the result in /var/log

Per-log configuration

/var/log/btmp {                  path and name of the log file

    missingok                    do not report an error if the file is missing

    monthly                      rotate once a month

    create 0664 root utmp        permission bits, owner and group of the new btmp file

    minsize 1M                   rotate only once the file exceeds 1M, so it is not necessarily split every month; that depends on the file size

    rotate 1                     keep at most 1 historical archive, not counting the log currently in use

}

Other parameters:

monthly: rotate the log file monthly. Other possible values are 'daily', 'weekly' and 'yearly'.

rotate 5: keep 5 archived logs at a time. When a sixth would be created, the oldest archive is deleted.

compress: after rotation, the rotated archive is compressed with gzip.

delaycompress: always used together with compress; it tells logrotate not to compress the most recent archive, which is compressed on the next rotation cycle instead. This is useful when you, or some program, still needs to read the newest archive.

missingok: errors during rotation such as "file not found" are ignored.

notifempty: if the log file is empty, no rotation takes place.

create 644 root root: create a brand-new log file with the given permissions while logrotate renames the original one.

postrotate/endscript: after all other directives have been processed, the commands between postrotate and endscript are run. In the typical case this makes the rsyslogd process re-read its configuration at once and carry on.

/var/lib/logrotate/status records, by default, when logrotate last rotated each log file.

Example:

Use logrotate to rotate the ssh log

[root@localhost ~]# vim /etc/logrotate.d/sshd

/var/log/sshd.log {
    missingok
    weekly
    create 0600 root root
    minsize 1M
    rotate 3
}

[root@localhost ~]# systemctl restart rsyslog.service
[root@localhost ~]# logrotate -d /etc/logrotate.d/sshd
reading config file /etc/logrotate.d/sshd
Allocating hash table for state file, size 15360 B

Handling 1 logs

rotating pattern: /var/log/sshd.log  weekly (3 rotations)
empty log files are rotated, only log files >= 1048576 bytes are rotated, old logs are removed
considering log /var/log/sshd.log
  log does not need rotating (log has been already rotated)
[root@localhost ~]# logrotate -vf /etc/logrotate.d/sshd
reading config file /etc/logrotate.d/sshd
Allocating hash table for state file, size 15360 B

Handling 1 logs

rotating pattern: /var/log/sshd.log  forced from command line (3 rotations)
empty log files are rotated, only log files >= 1048576 bytes are rotated, old logs are removed
considering log /var/log/sshd.log
  log needs rotating
rotating log /var/log/sshd.log, log->rotateCount is 3
dateext suffix '-20200311'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
renaming /var/log/sshd.log.3 to /var/log/sshd.log.4 (rotatecount 3, logstart 1, i 3),
old log /var/log/sshd.log.3 does not exist
renaming /var/log/sshd.log.2 to /var/log/sshd.log.3 (rotatecount 3, logstart 1, i 2),
old log /var/log/sshd.log.2 does not exist
renaming /var/log/sshd.log.1 to /var/log/sshd.log.2 (rotatecount 3, logstart 1, i 1),
old log /var/log/sshd.log.1 does not exist
renaming /var/log/sshd.log.0 to /var/log/sshd.log.1 (rotatecount 3, logstart 1, i 0),
old log /var/log/sshd.log.0 does not exist
log /var/log/sshd.log.4 doesn't exist -- won't try to dispose of it
renaming /var/log/sshd.log to /var/log/sshd.log.1
creating new /var/log/sshd.log mode = 0600 uid = 0 gid = 0
[root@localhost ~]# ll -h /var/log/sshd*
-rw------- 1 root root   0 Mar 11 01:04 /var/log/sshd.log
-rw------- 1 root root 145 Mar 11 00:25 /var/log/sshd.log.1
[root@localhost ~]# logrotate -vf /etc/logrotate.d/sshd
reading config file /etc/logrotate.d/sshd
Allocating hash table for state file, size 15360 B

Handling 1 logs

rotating pattern: /var/log/sshd.log  forced from command line (3 rotations)
empty log files are rotated, only log files >= 1048576 bytes are rotated, old logs are removed
considering log /var/log/sshd.log
  log needs rotating
rotating log /var/log/sshd.log, log->rotateCount is 3
dateext suffix '-20200311'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
renaming /var/log/sshd.log.3 to /var/log/sshd.log.4 (rotatecount 3, logstart 1, i 3),
old log /var/log/sshd.log.3 does not exist
renaming /var/log/sshd.log.2 to /var/log/sshd.log.3 (rotatecount 3, logstart 1, i 2),
old log /var/log/sshd.log.2 does not exist
renaming /var/log/sshd.log.1 to /var/log/sshd.log.2 (rotatecount 3, logstart 1, i 1),
renaming /var/log/sshd.log.0 to /var/log/sshd.log.1 (rotatecount 3, logstart 1, i 0),
old log /var/log/sshd.log.0 does not exist
log /var/log/sshd.log.4 doesn't exist -- won't try to dispose of it
renaming /var/log/sshd.log to /var/log/sshd.log.1
creating new /var/log/sshd.log mode = 0600 uid = 0 gid = 0
[root@localhost ~]# logrotate -vf /etc/logrotate.d/sshd
reading config file /etc/logrotate.d/sshd
Allocating hash table for state file, size 15360 B

Handling 1 logs

rotating pattern: /var/log/sshd.log  forced from command line (3 rotations)
empty log files are rotated, only log files >= 1048576 bytes are rotated, old logs are removed
considering log /var/log/sshd.log
  log needs rotating
rotating log /var/log/sshd.log, log->rotateCount is 3
dateext suffix '-20200311'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
renaming /var/log/sshd.log.3 to /var/log/sshd.log.4 (rotatecount 3, logstart 1, i 3),
old log /var/log/sshd.log.3 does not exist
renaming /var/log/sshd.log.2 to /var/log/sshd.log.3 (rotatecount 3, logstart 1, i 2),
renaming /var/log/sshd.log.1 to /var/log/sshd.log.2 (rotatecount 3, logstart 1, i 1),
renaming /var/log/sshd.log.0 to /var/log/sshd.log.1 (rotatecount 3, logstart 1, i 0),
old log /var/log/sshd.log.0 does not exist
log /var/log/sshd.log.4 doesn't exist -- won't try to dispose of it
renaming /var/log/sshd.log to /var/log/sshd.log.1
creating new /var/log/sshd.log mode = 0600 uid = 0 gid = 0
[root@localhost ~]# ll -h /var/log/sshd*
-rw------- 1 root root   0 Mar 11 01:05 /var/log/sshd.log
-rw------- 1 root root   0 Mar 11 01:05 /var/log/sshd.log.1
-rw------- 1 root root   0 Mar 11 01:04 /var/log/sshd.log.2
-rw------- 1 root root 145 Mar 11 00:25 /var/log/sshd.log.3
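The renaming sequence in that verbose output (.3 to .4, .2 to .3, .1 to .2, the current file to .1, then a new empty file with the `create` mode) is easy to model, which makes the `rotate 3` / `minsize 1M` behaviour concrete. The script below is an added example, not logrotate's own code and not part of the original post. It assumes the numbered naming scheme (no `dateext`), uses a `force` flag in place of `-f`, skips the rotation when the file is below `minsize` exactly as the "log does not need rotating" message does, and works in a temporary directory so it can be run anywhere.

```python
"""Minimal model of logrotate's numbered rotation (rotate N, minsize, create).

Added example, not logrotate's own code and not part of the original post.
It replays the page's case: three forced runs of `rotate 3` on a 145-byte
sshd.log, ending with sshd.log, .1, .2 and .3 as in the final `ll -h`.
"""
import os
import tempfile


def rotate(path, count=3, minsize=1 << 20, mode=0o600, force=False, missingok=True):
    """Rotate `path` once; return the list of (old, new) moves made (empty if skipped)."""
    if not os.path.exists(path):
        if missingok:
            return []  # missingok: a missing log is not an error
        raise FileNotFoundError(path)
    if not force and os.path.getsize(path) < minsize:
        return []  # "log does not need rotating": below minsize
    actions = []
    # Shift existing archives up by one, highest number first, as the verbose output shows.
    for i in range(count, 0, -1):
        old, new = f"{path}.{i}", f"{path}.{i + 1}"
        if os.path.exists(old):
            os.rename(old, new)
            actions.append((old, new))
    # Archive count+1 is outside the retention window: dispose of it.
    overflow = f"{path}.{count + 1}"
    if os.path.exists(overflow):
        os.remove(overflow)
        actions.append((overflow, None))
    os.rename(path, f"{path}.1")
    actions.append((path, f"{path}.1"))
    # `create`: a new empty log with the requested permission bits.
    fd = os.open(path, os.O_CREAT | os.O_WRONLY | os.O_EXCL, mode)
    os.close(fd)
    os.chmod(path, mode)  # os.open applies the umask; chmod sets the exact bits
    return actions


def archive_names(path):
    """Sorted names of the log and its numbered archives, for inspection."""
    d, base = os.path.split(path)
    return sorted(n for n in os.listdir(d) if n == base or n.startswith(base + "."))


def demo(runs=3):
    """Replay the page's case with `runs` forced rotations of a 145-byte sshd.log.

    Returns (moves made by the unforced attempt, archive names, size of .3, mode of the new log).
    """
    tmp = tempfile.mkdtemp()
    log = os.path.join(tmp, "sshd.log")
    with open(log, "wb") as fh:
        fh.write(b"x" * 145)  # constructed: same size as the page's sshd.log.1
    skipped = rotate(log, count=3, minsize=1 << 20)  # below 1M: nothing happens
    for _ in range(runs):
        rotate(log, count=3, minsize=1 << 20, force=True)
    return (skipped, archive_names(log), os.path.getsize(log + ".3"),
            oct(os.stat(log).st_mode & 0o777))


if __name__ == "__main__":
    print(demo())
```

With three forced runs the 145-byte original ends up as sshd.log.3, exactly as in the page's last `ll -h`; a fourth run pushes it to .4 and deletes it, which is the `rotate 3` retention limit in action.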

posted @ 2020-03-10 22:40  科子