Log management: rsyslog

Logs:


A log is a record of historical events: time, place, actor and what happened, each entry carrying the date and time of the event.

Event record format:
date-time host process[pid]: event content

C/S architecture: log records are delivered by a service over TCP or UDP, so that logs spread across different hosts can be managed centrally.

rsyslog
rsyslog features (CentOS 6 and 7):
 multithreaded
 UDP, TCP, SSL, TLS, RELP transports
 log storage in MySQL, PgSQL, Oracle
 powerful filters that can match any part of a log message
 customizable output format

[root@node4 ~]#rpm -q rsyslog   # query the rsyslog package
rsyslog-8.24.0-12.el7.x86_64
[root@node4 ~]#rpm -ql rsyslog
/etc/logrotate.d/syslog
/etc/pki/rsyslog
/etc/rsyslog.conf
/etc/rsyslog.d
/etc/sysconfig/rsyslog
/usr/bin/rsyslog-recover-qi.pl
/usr/lib/systemd/system/rsyslog.service

ELK: Elasticsearch, Logstash, Kibana
 a non-relational distributed database
 based on Lucene, a project of the Apache Software Foundation's Jakarta group
 Elasticsearch is an open-source distributed search engine
 Logstash collects and parses logs and stores them for later use
 Kibana provides a friendly web interface for log analysis

Introduction to rsyslog

Terminology (see man logger)
facility: classifies log messages by function or program
     auth, authpriv, cron, daemon, ftp, kern, lpr, mail, news, security (same as auth), user, uucp, local0-local7, syslog
priority: severity level, ordered from lowest to highest
     debug, info, notice, warn (warning), err (error), crit (critical), alert, emerg (panic)
  see the manual: man 3 syslog

rsyslog
 package: rsyslog
 main program: /usr/sbin/rsyslogd
 CentOS 6: service rsyslog {start|stop|restart|status}; CentOS 7: /usr/lib/systemd/system/rsyslog.service
 configuration files: /etc/rsyslog.conf, /etc/rsyslog.d/*.conf
 library files: /lib64/rsyslog/*.so
Configuration file format: three sections
MODULES: module configuration
GLOBAL DIRECTIVES: global settings
RULES: rules for recording log messages

rsyslog
 RULES format: facility.priority; facility.priority... target
 facility:
   *: all facilities
   facility1,facility2,facility3,...: the listed facilities
 priority:
   *: all levels
   none: no level, i.e. do not log this facility
   PRIORITY: the given level and every level above it
   =PRIORITY: only messages of exactly the given level
 target:
   file path: usually under /var/log/; a leading - on the path means asynchronous writes
   user: notify the given user(s) of the event; * means every logged-in user
   log server: @host, send the message to the given remote server (@@host for TCP)
   pipe: | COMMAND, hand the message to another command
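To make the selector semantics above concrete, here is an added example (not part of the original notes) that evaluates a facility.priority selector the way the RULES section describes and routes a message through the stock /etc/rsyslog.conf rules quoted later on this page. The facility and severity numbers are the standard syslog codes from man 3 syslog; decode_pri shows how the <PRI> of a forwarded message maps back to a facility such as local2.

```python
# Facility and severity codes from RFC 3164 / man 3 syslog (added example, not from the page).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11}
FACILITIES.update({f"local{i}": 16 + i for i in range(8)})
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
# Aliases accepted in selectors; "security" is the deprecated name for "auth".
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning", "critical": "crit",
           "security": "auth"}

def canon(name):
    return ALIASES.get(name, name)

def decode_pri(pri):
    """Split the <PRI> number of a forwarded message into (facility, severity) names."""
    fac, sev = divmod(pri, 8)
    fac_name = next(k for k, v in FACILITIES.items() if v == fac)
    sev_name = next(k for k, v in SEVERITIES.items() if v == sev)
    return fac_name, sev_name

def selector_matches(selector, facility, severity):
    """Evaluate one 'facility.priority;facility.priority...' selector.
    Parts apply left to right, so 'mail.none' after '*.info' excludes mail again."""
    facility, sev_num = canon(facility), SEVERITIES[canon(severity)]
    matched = False
    for part in selector.split(";"):
        facs, _, prio = part.strip().rpartition(".")
        if facs != "*" and facility not in [canon(f.strip()) for f in facs.split(",")]:
            continue
        if prio == "none":                       # this facility is excluded
            matched = False
        elif prio == "*":                        # every level
            matched = True
        elif prio.startswith("="):               # exactly this level
            matched = sev_num == SEVERITIES[canon(prio[1:])]
        else:                                    # this level and everything more severe
            matched = sev_num <= SEVERITIES[canon(prio)]
    return matched

def route(rules, facility, severity):
    """Return the targets a message with this facility/severity is written to."""
    return [target for selector, target in rules if selector_matches(selector, facility, severity)]

# RULES section of /etc/rsyslog.conf as shown on this page (CentOS 7 defaults).
STOCK_RULES = [
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("mail.*", "-/var/log/maillog"),
    ("cron.*", "/var/log/cron"),
    ("*.emerg", ":omusrmsg:*"),
    ("uucp,news.crit", "/var/log/spooler"),
    ("local7.*", "/var/log/boot.log"),
]
```

Note that a message forwarded as local2.info to the server also matches *.info, so on the server it lands in /var/log/messages as well as in any local2.* file you add.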

Tool for generating a test log event: logger
[root@node4 ~]#logger "this is a test log"
[root@node4 ~]#tail /var/log/messages
Jan 18 17:40:01 node4 systemd: Starting Session 27 of user root.
Jan 18 17:46:26 node4 dbus[626]: [system] Activating via systemd: service name='org.freedesktop.PackageKit' unit='packagekit.service'
Jan 18 17:46:26 node4 dbus-daemon: dbus[626]: [system] Activating via systemd: service name='org.freedesktop.PackageKit' unit='packagekit.service'
Jan 18 17:46:26 node4 systemd: Starting PackageKit Daemon...
Jan 18 17:46:26 node4 dbus[626]: [system] Successfully activated service 'org.freedesktop.PackageKit'
Jan 18 17:46:26 node4 dbus-daemon: dbus[626]: [system] Successfully activated service 'org.freedesktop.PackageKit'
Jan 18 17:46:26 node4 systemd: Started PackageKit Daemon.
Jan 18 17:50:01 node4 systemd: Started Session 28 of user root.
Jan 18 17:50:01 node4 systemd: Starting Session 28 of user root.
Jan 18 17:51:03 node4 root: this is a test log
[root@node4 ~]#egrep -v '^$|#' /etc/rsyslog.conf   # view the log paths defined in the config file
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

SSH-related events are recorded in the secure log:

[root@node4 ~]#ssh 192.168.137.47
root@192.168.137.47's password:

[root@node4 ~]#tail /var/log/secure
Jan 18 18:14:56 node4 sshd[4090]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.137.47  user=root
Jan 18 18:14:56 node4 sshd[4090]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 18 18:14:58 node4 sshd[4090]: Failed password for root from 192.168.137.47 port 52894 ssh3

[root@node4 ~]#egrep -v "^$|^#" /etc/ssh/sshd_config |grep SyslogFacility

SyslogFacility AUTHPRIV

Define a dedicated log file path for sshd:

[root@node4 ~]#vim +33 /etc/ssh/sshd_config

 33 SyslogFacility local7
 34 LogLevel INFO

[root@node4 ~]#vim /etc/rsyslog.d/sshd.conf
  1 local7.*      /var/log/sshd.log

[root@node4 ~]#systemctl restart rsyslog sshd

[root@node4 ~]#ps aux |grep rsyslogd   (rpm -q rsyslog / rpm -ql rsyslog.$packet)
root       4665  0.0  0.2 275560  2668 ?        Ssl  18:49   0:00 /usr/sbin/rsyslogd -n
root       4700  0.0  0.0 112660   968 pts/1    S+   18:50   0:00 grep --color=auto rsyslogd


[root@node4 ~]# ssh 192.168.137.47
root@192.168.137.47's password:
Permission denied, please try again.
root@192.168.137.47's password:
Permission denied, please try again.
root@192.168.137.47's password:
Permission denied (publickey,password).
[root@node4 ~]#tail /var/log/sshd.log
Jan 18 18:49:08 node4 sshd[4664]: Server listening on 0.0.0.0 port 22.
Jan 18 18:49:08 node4 sshd[4664]: Server listening on :: port 22.
Jan 18 18:49:46 node4 sshd[4681]: Failed password for root from 192.168.137.47 port 52900 ssh3
Jan 18 18:49:46 node4 sshd[4681]: Failed password for root from 192.168.137.47 port 52900 ssh3
Jan 18 18:49:46 node4 sshd[4681]: Connection closed by 192.168.137.47 port 52900 [preauth]
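Added example (not from the original notes): a parser for the "date-time host process[pid]: event content" record format used in these logs, run over constructed lines modelled on the secure and sshd.log output above. It counts failed password attempts per source IP and user, and flags a successful login that follows earlier failures from the same pair, which is the pattern worth reviewing in the sshd.log and udp.log output on this page.

```python
import re
from collections import Counter

# Event record format used throughout this page: "date time host process[pid]: message".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+) port")

def parse_line(line):
    """Split one syslog line into its fields; None if it does not fit the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def analyze_sshd(lines):
    """One pass over syslog lines: count failed attempts per (ip, user) and flag any
    successful login from an (ip, user) that had already failed earlier in the window."""
    fails, suspicious = Counter(), []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["prog"] != "sshd":
            continue
        if m := FAILED_RE.search(rec["msg"]):
            fails[(m["ip"], m["user"])] += 1
        elif (m := ACCEPTED_RE.search(rec["msg"])) and fails[(m["ip"], m["user"])]:
            suspicious.append((m["ip"], m["user"], fails[(m["ip"], m["user"])], rec["ts"]))
    return fails, suspicious

# Constructed sample modelled on the secure/sshd.log lines shown on this page.
SAMPLE = """\
Jan 18 22:00:59 node4 sshd[7903]: Accepted password for root from 192.168.137.47 port 52916 ssh2
Jan 18 22:19:09 node4 sshd[8172]: Failed password for root from 192.168.137.47 port 52920 ssh2
Jan 18 22:19:10 node4 sshd[8172]: Failed password for root from 192.168.137.47 port 52920 ssh2
Jan 18 22:19:12 node4 sshd[8172]: Accepted password for root from 192.168.137.47 port 52920 ssh2
Jan 18 22:20:01 node4 sshd[8200]: Failed password for invalid user admin from 10.0.0.9 port 40000 ssh2
Jan 18 22:20:05 node4 systemd: Started Session 30 of user root.
""".splitlines()

if __name__ == "__main__":
    fails, suspicious = analyze_sshd(SAMPLE)
    for (ip, user), n in fails.most_common():
        print(f"{n:4d} failed  {ip} -> {user}")
    for ip, user, n, ts in suspicious:
        print(f"{ts}: {user} from {ip} succeeded after {n} failure(s)")
```

Feed it `open("/var/log/secure")` or `/var/log/udp.log` on the log server to run it over real lines.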


CentOS 7: change the hostname:

[root@node3 ~]#hostnamectl set-hostname $hostname
[root@node3 ~]#/etc/host

Log server: @host, send the message to the given remote server for recording.

Enabling the network log service
 common log format:
   date-time of the event host process(pid): event content
   e.g. /var/log/messages, cron, secure
 configure rsyslog as a log server (server-side /etc/rsyslog.conf):
#### MODULES ####
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514


Source host: 192.168.137.47    node4
Destination host: 192.168.137.37  node3

[root@node4 ~]#cat /etc/rsyslog.d/sshd.conf
local7.*      /var/log/sshd.log
#udp
local2.*      @192.168.137.37
#tcp
#local7.*     @@192.168.137.37

[root@node3 ~]#cat /etc/rsyslog.conf |grep -A1 $ModLoad imudp
$ModLoad imudp
$UDPServerRun 514

[root@node3 ~]#cat /etc/rsyslog.conf |grep local2.*
local2.*                                                /var/log/udp.log

Test:
[root@node4 ~]#ssh 192.168.137.47
root@192.168.137.47's password:


[root@node3 ~]#tail /var/log/udp.log -f
Jan 18 22:00:59 node4 sshd[7903]: Accepted password for root from 192.168.137.47 port 52916 ssh3
Jan 18 22:01:24 node4 sshd[7903]: Received disconnect from 192.168.137.47 port 52916:11: disconnected by user
Jan 18 22:01:24 node4 sshd[7903]: Disconnected from 192.168.137.47 port 52916
Jan 18 22:19:09 node4 sshd[8172]: Failed password for root from 192.168.137.47 port 52920 ssh3
Jan 18 22:19:12 node4 sshd[8172]: Accepted password for root from 192.168.137.47 port 52920 ssh3

Other logs
Other log files:
#/var/log/secure: system security log, text format; should be analysed periodically
#/var/log/btmp: failed login attempts on this system, binary format; view with the lastb command
#/var/log/wtmp: successful user logins on this system, binary format; view with the last command
#/var/log/lastlog: each user's most recent login, binary format; view with the lastlog command
#/var/log/dmesg: messages from the boot process, text format; view with a text viewer or with the dedicated dmesg command
#/var/log/messages: most of the system's messages
#/var/log/anaconda: the anaconda installer's logs

[root@node4 /var/log]#lastb |head |awk '{print $3}' |sort |uniq -c
     10 192.168.137.47

[root@node4 /var/log]#lastb |head |awk '{ip [$3]++}END {for (i in ip ) {print ip [i] ,i }}'
10 192.168.137.47

Source: http://bm7419.com/article34/jjespe.html
