2025-03-29 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
This article explains how to analyze the Linux log system in some detail; readers who are interested can use it as a reference.
1. Log concept
Log files record in detail the events that occur on the system every day. Users can find the cause of an error through the log files, or trace the footprints of an intruder. Two more important functions of logs are auditing and monitoring.
There are two main types of logs for Linux systems:
1. Process logs: logs generated by user processes or other system service processes, such as the access_log and error_log files of a server.
2. syslog messages: logs recorded by the system's syslog facility. Any system process or user process that wants to log can call syslog to record a message.
The log system can be divided into three subsystems:
1. Connect-time logs: maintained by several programs, which write records to /var/log/wtmp and /var/run/utmp; login updates the wtmp and utmp files so that a system administrator can track who logged in to the system and when.
2. Process statistics (accounting): performed by the system kernel. When a process terminates, a record for it is written to the process accounting file (pacct or acct). The purpose of process statistics is to provide command usage statistics for basic services on the system.
3. Error logs: handled by syslogd(8). Various system daemons, user programs, and the kernel report noteworthy events to the file /var/log/messages through syslog(3).
2. Check the log file
All log files on a Linux system are under /var/log, and root permission is needed to view them.
Log files are plain text files, and each line is one message. There are several ways to look at them:
1. The cat command. A log file is usually large, because messages accumulate in it from the first time Linux is started. If the file is longer than one screen, the output scrolls past too fast to read.
2. A text editor. It is best not to open a log file in a text editor either: on the one hand it consumes memory, and on the other hand log files should not be modified casually.
3. A paging program such as more or less.
4. grep, to find specific messages.
Each line is one message and consists of four fields in a fixed format:
- timestamp: the date and time the message was sent.
- hostname (in our example the hostname is escher): the name of the computer that generated the message. With a single computer the hostname may seem unnecessary, but when syslog is used in a network, messages from different hosts may be sent to one server for centralized processing.
- the name of the subsystem that generated the message: either "kernel", meaning the message came from the kernel, or the name of the process that sent it, followed by the PID of the process in square brackets.
- message: the rest of the line is the content of the message.
For example, enter tail /var/log/messages at the [root@localhost root]# prompt:
Jan 05 21:55:51 localhost last message repeated 3 times
Jan 05 21:55:51 localhost kernel: [drm] AGP 0.99 on Intel i810 @ 0xf0000000 128MB
Jan 05 21:55:51 localhost kernel: [drm] Initialized i830 1.3.2 20021108 on minor 0
Jan 05 21:55:51 localhost kernel: mtrr: base (0xf0000000) is not aligned on a size (0x12c000) boundary
Jan 05 21:56:35 localhost Jan 28 21:56:35 gdm(pam_unix)[4079]: session opened for user root by (uid=0)
Jan 05 21:56:39 localhost Jan 28 21:56:39 gconfd (root-4162): starting (version 2.2), pid 4162 user "root"
Jan 05 21:56:39 localhost Jan 28 21:56:39 gconfd (root-4162): resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" points to the read-only configuration source at 0
Jan 05 21:56:39 localhost Jan 28 21:56:39 gconfd (root-4162): resolved address "xml:readwrite:/root/.gconf" points to the writable configuration source at 1
Jan 05 21:56:39 localhost Jan 28 21:56:39 gconfd (root-4162): resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" points to the read-only configuration source at 2
Jan 05 21:58:20 localhost kernel: MSDOS FS: IO charset cp936
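The four-field layout described above can be parsed mechanically, which is the first step of any log monitoring. The following C parser is an added example, not code from the original article; the struct and function names are my own, and the lines in main() are constructed to mirror the sample output above, including the two awkward cases it contains (a "last message repeated N times" line with no program name, and programs such as gdm and gconfd that write a second timestamp into the message body).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct syslog_msg {
    char ts[16];    /* "Jan 05 21:55:51", the timestamp syslogd wrote */
    char host[64];  /* hostname field */
    char tag[48];   /* program name or "kernel"; "" when the line has none */
    int  pid;       /* taken from "tag[pid]", -1 when absent */
    char msg[512];  /* the remaining message text */
};

/* True if s begins with a syslogd-style "Mmm dd hh:mm:ss " timestamp. */
static int looks_like_ts(const char *s) {
    return strlen(s) >= 16 && s[3] == ' ' && s[6] == ' ' &&
           s[9] == ':' && s[12] == ':' && s[15] == ' ';
}

/* Split one /var/log/messages line into its four fields. A second timestamp that the
 * sending program put into the message body is skipped so the tag is still found.
 * Returns 1 on success, 0 if the line lacks the timestamp/hostname prefix. */
int parse_syslog_line(const char *line, struct syslog_msg *m) {
    memset(m, 0, sizeof *m); m->pid = -1;
    if (!looks_like_ts(line)) return 0;
    memcpy(m->ts, line, 15);
    const char *p = line + 16, *sp = strchr(p, ' ');
    if (!sp || (size_t)(sp - p) >= sizeof m->host) return 0;
    memcpy(m->host, p, (size_t)(sp - p));
    p = sp + 1;
    if (looks_like_ts(p)) p += 16;                /* program's own timestamp */
    const char *cs = strstr(p, ": ");             /* the tag ends at ": " */
    if (cs && (size_t)(cs - p) < sizeof m->tag) {
        size_t tlen = (size_t)(cs - p);
        const char *br = memchr(p, '[', tlen);
        if (br && p[tlen - 1] == ']') {           /* "tag[pid]" form */
            m->pid = atoi(br + 1);
            tlen = (size_t)(br - p);
        }
        memcpy(m->tag, p, tlen);
        p = cs + 2;
    }
    snprintf(m->msg, sizeof m->msg, "%s", p);
    return 1;
}

int main(void) {
    const char *lines[] = {   /* constructed, modelled on the sample above */
        "Jan 05 21:55:51 localhost last message repeated 3 times",
        "Jan 05 21:56:35 localhost Jan 28 21:56:35 gdm(pam_unix)[4079]: session opened for user root by (uid=0)",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        struct syslog_msg m;
        if (parse_syslog_line(lines[i], &m))
            printf("%s | %s | %s | %d | %s\n", m.ts, m.host, m.tag, m.pid, m.msg);
    }
    return 0;
}
```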
Note that, unlike the connect-time log, the process statistics subsystem is not active by default and must be started. On Linux, process statistics are started with the accton command, which must be run as root. Its form is accton file, and file must already exist: first create the pacct file with touch /var/log/pacct, then run accton /var/log/pacct. Once accton is active, the lastcomm command can be used to see the commands executed on the system at any time. To turn statistics off, run accton without any arguments.
3. Working principle and configuration of log system
3.1 syslog
syslog() sends messages to the system logger, together with openlog() and closelog().
The Linux kernel consists of many subsystems, including networking, file access, memory management and so on. These subsystems need to send messages to users, including the source of each message and its importance, and they all send their messages to a common, maintainable message area. For this purpose there is a program called syslog.
It is responsible for receiving messages (error messages, warnings and other messages generated by the system core and by many system programs, each carrying an importance level) and distributing them to the appropriate places. Typically all messages are written to a particular log file (usually the messages file in the /var/adm or /var/log directory), and particularly important messages are also displayed on the user's terminal.
The syslog tool has two important parts: the syslogd daemon and the syslog.conf configuration file.
It accepts log messages from the system and processes them according to the instructions in the /etc/syslog.conf configuration file. Daemons and the kernel provide log messages to it, and any program that wants to generate log messages can call the syslog interface to do so.
3.2 syslogd daemon
Like other complex operating systems, Linux is made up of many different subsystems. Some programs, called daemons (from daemon, guardian spirit: they are unseen and need no interaction with the user), run continuously in the background, handling routine tasks such as printing, sending e-mail, establishing Internet connections and so on. When a subsystem emits a log message, it assigns the message a type with two parts: a facility and a level. The facility identifies the subsystem that sent the message, and the level indicates its importance, ranging from debug (least important) to emerg (most important). The combination of facility and level is called the priority. (See 5.3 for a detailed explanation.)
These are defined in /usr/include/sys/syslog.h.
Daemons are invisible to users because they have no windows or user interface. Sometimes, however, they need to pass information to the user, and a special mechanism is needed for that. syslogd is a typical daemon: it runs in the background and transfers messages from the log area to the log files.
Function interface
#include <syslog.h>
void openlog(const char *ident, int option, int facility);
where option can be an OR combination of the following values:
LOG_CONS: if the message cannot be sent to syslogd, write it directly to the system console.
LOG_NDELAY: open the connection to syslogd immediately. By default the connection is opened when the first message is written.
LOG_PERROR: also send the message to stderr.
LOG_PID: include the PID in each message.
void syslog(int priority, const char *format, ...);
where priority is the OR combination of facility and level.
void closelog(void);
Usually only the syslog() function is needed; the other two may go unused.
3.3 syslog.conf
This is a very important file, located in the /etc directory. It tells syslogd how to handle messages according to their facility and importance.
Each line of the file has the form:
facility.level action
The first column, facility.level, specifies the facility and the level, separated by a dot; * can be used to match all facilities or all levels. The second column, action, is the destination the message is sent to.
Blank lines and lines beginning with # are comments and are ignored.
The facility.level field is also called the selector.
The facility specifies the syslog facility; the main ones are:
auth: authentication activity reported by pam_pwdb.
authpriv: authentication activity that includes privileged information such as user names.
cron: messages related to cron and at.
daemon: messages related to the inetd daemon.
kern: kernel messages, which first pass through klogd.
lpr: messages related to the printing service.
mail: e-mail related messages.
mark: an internal syslog facility used to generate timestamps.
news: messages from the news server.
syslog: messages generated by syslog itself.
user: messages generated by user programs.
uucp: messages generated by uucp.
local0-local7: for use with custom programs, for example using local5 as the facility for ssh.
*: wildcard for all facilities except mark.
The level determines the importance of the message.
The levels of each facility are ordered: emerg is the highest, followed by alert, and so on. By default, a level given in /etc/syslog.conf means that level and all higher levels. To pick out a specific level, use the operators ! (not) and =.
For example, user.=info tells syslog to accept only user-facility messages at exactly the info level.
In decreasing order of importance, the levels are:
emerg: the system is unusable.
alert: a condition that must be corrected immediately.
crit: a critical condition that prevents certain tools or subsystem functions from working.
err: an error condition that prevents some functions of a tool or subsystem from working.
warning: a warning.
notice: a normal but significant condition.
info: an informational message.
debug: debugging output that carries no information about function conditions or problems.
none: no level at all; commonly used in a selector to exclude a facility.
*: all levels except none.
The action field is very flexible; in particular, a named pipe lets syslogd hand messages to a post-processing program.
syslog mainly supports the following actions:
file: append the message to the end of the specified file.
device: a terminal or printer, given by its full serial or parallel device name.
@host: a remote log server.
username: write the message to the specified user's terminal.
named pipe: the absolute path of a FIFO file created with the mkfifo command.
*: write the message to all users.
The selector field gives the type and priority of the message; the action field gives what syslogd does when it receives a message matching the selector. Each selector consists of facilities and a priority. When a priority is given, syslogd logs messages of that priority or higher: for example, if crit is specified, all messages marked crit, alert and emerg are logged. The action field of each line says where the messages selected by that line are sent.
The following is a syslog.conf configuration file from a real site:
# Store critical stuff in critical
#
*.=crit;kern.none           /var/adm/critical
This stores all messages of priority crit in the file /var/adm/critical, except kernel messages.
# Kernel messages are first, stored in the kernel
# file, critical messages and higher ones also go
# to another host and to the console
#
kern.*                      /var/adm/kernel
kern.crit                   @finlandia
kern.crit                   /dev/console
kern.info;kern.!err         /var/adm/kernel-info
The first line directs all kernel messages to the file /var/adm/kernel.
The second line directs all kernel messages of priority crit and higher to the remote host finlandia (the third sends the same messages to the console). Because they are also stored on the remote host, the cause of damage can still be investigated afterwards.
The fourth line tells syslogd to store all kernel messages with priorities info through warning in the file /var/adm/kernel-info; everything of priority err and higher is excluded.
# The tcp wrapper loggs with mail.info, we display
# all the connections on tty12
#
mail.=info                  /dev/tty12
This directs all messages logged as mail.info (LOG_MAIL | LOG_INFO in source code) to /dev/tty12, the 12th console. The tcpwrapper tcpd(8), for example, uses this by default.
# Store all mail concerning stuff in a file
mail.*;mail.!=info          /var/adm/mail
This pattern matches all messages of the mail facility except those of priority info; they are saved in the file /var/adm/mail.
# Log all mail.info and news.info messages to info
#
mail,news.=info             /var/adm/info
This extracts all messages with facility and priority mail.info or news.info and stores them in the file /var/adm/info.
# Log info and notice messages to messages file
#
*.=info;*.=notice;\
mail.none                   /var/log/messages
This stores every message of level info or notice, from all facilities, in the file /var/log/messages, except messages from the mail facility.
# Log info messages to messages file
#
*.=info;\
mail,news.none              /var/log/messages
This stores all messages of priority info in the file /var/log/messages, but messages from the mail and news facilities are not stored.
# Emergency messages will be displayed using wall
#
*.=emerg                    *
This line tells syslogd to show all emergency messages to all currently logged-in users; it is implemented with wall.
# Messages of the priority alert will be directed
# to the operator
#
*.alert                     root,joey
*.*                         @finlandia
The first line directs all messages of priority alert or higher to the operators root and joey, if they are logged in.
The second line directs all messages to the remote host finlandia. This is very useful, especially on a cluster, where all syslog messages are collected on one machine.
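The selector rules from 3.3 (a level means that level and higher, =, !, !=, none, *, comma-separated facilities and semicolon-separated parts applied left to right) decide what happens to the facility|level priority that syslog() from 3.2 sends. As an added example that is not part of the article or of syslogd's own code, the C below implements those rules and evaluates selectors taken from the sample configuration above; the function names are my own, while the LOG_* constants and the LOG_FAC()/LOG_PRI() macros come from <syslog.h>.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>
/* Names in numeric order: index == LOG_* level, and index == facility code as LOG_FAC() yields it. */
static const char *LEVELS[8] = {"emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"};
static const char *FACS[24] = {"kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                               "uucp", "cron", "authpriv", "ftp", NULL, NULL, NULL, NULL,
                               "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"};
static int name_is(const char *s, size_t n, const char *name)
{ return strlen(name) == n && memcmp(s, name, n) == 0; }

/* Expand a selector such as "kern.info;kern.!err" into one bitmask per facility (bit l set means level l
 * is accepted). Parts apply left to right, so a later "!", "!=" or "none" removes levels an earlier part
 * enabled. Returns -1 on a parse error. syslogd's internal "mark" facility is not modelled. */
int selector_masks(const char *sel, unsigned char mask[24]) {
    memset(mask, 0, 24);
    while (*sel) {
        const char *end = strchr(sel, ';');
        size_t plen = end ? (size_t)(end - sel) : strlen(sel);
        const char *dot = memchr(sel, '.', plen);                /* "fac,fac" '.' "level" */
        if (!dot) return -1;
        const char *lv = dot + 1, *lvend = sel + plen;
        int negate = 0, exact = 0, l; unsigned bits = 0;
        if (lv < lvend && *lv == '!') { negate = 1; lv++; }
        if (lv < lvend && *lv == '=') { exact = 1; lv++; }
        if (name_is(lv, lvend - lv, "*")) bits = 0xFF;            /* every level */
        else if (name_is(lv, lvend - lv, "none")) { bits = 0xFF; negate = 1; }
        else {
            for (l = 0; l < 8 && !name_is(lv, lvend - lv, LEVELS[l]); l++) {}
            if (l == 8) return -1;
            bits = exact ? (1u << l) : ((1u << (l + 1)) - 1);   /* "err" = err and more urgent */
        }
        for (const char *f = sel; f < dot;) {                      /* each comma-separated facility */
            const char *c = memchr(f, ',', (size_t)(dot - f));
            size_t flen = c ? (size_t)(c - f) : (size_t)(dot - f);
            for (int i = 0; i < 24; i++) {
                if (!FACS[i] || !(name_is(f, flen, "*") || name_is(f, flen, FACS[i]))) continue;
                if (negate) mask[i] &= (unsigned char)~bits; else mask[i] |= (unsigned char)bits;
            }
            f += flen + 1;
        }
        sel = end ? end + 1 : sel + plen;
    }
    return 0;
}

/* Would a message sent as syslog(priority, ...) be selected? 1 = yes, 0 = no (or bad selector). */
int selector_matches(const char *sel, int priority) {
    unsigned char mask[24];
    if (selector_masks(sel, mask) != 0) return 0;
    return (mask[LOG_FAC(priority)] >> LOG_PRI(priority)) & 1;
}
int main(void) {   /* prints 1 then 0 */
    printf("%d\n", selector_matches("kern.info;kern.!err", LOG_KERN | LOG_WARNING));
    printf("%d\n", selector_matches("mail.*;mail.!=info", LOG_MAIL | LOG_INFO));
    return 0;
}
```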
3.4 klogd daemon
klogd accepts messages from the UNIX kernel.
The klogd daemon obtains and records Linux kernel messages. Normally syslogd records all messages sent by klogd: klogd reads the kernel messages and forwards them to the syslogd process. If klogd is started with the -f filename option, however, it records all messages in filename instead of passing them to syslogd. When another file is specified this way, klogd writes messages of all levels and priorities to it. klogd has no configuration file comparable to /etc/syslog.conf. The advantage of using klogd rather than syslogd directly is that it can surface a large number of kernel errors.
Log management and log protection
The logrotate program helps users manage log files, working together with its own daemon. logrotate rotates the log files periodically: each log file is renamed to a backup name and its daemon then starts writing to a fresh copy of the file. This produces files such as maillog, maillog.1, maillog.2, boot.log.1, boot.log.2 and so on under /var/log. It is driven by a configuration file, /etc/logrotate.conf.
The following is an example of a logrotate.conf file:
# see "man logrotate" for details
# rotate log files weekly
weekly
# take 7 days as a cycle
# keep 4 weeks worth of backlogs
rotate 4
# keep 4 weeks of backups
# send errors to root
errors root
# report errors to root
# create new (empty) log files after rotating old ones
create
# create a new log file after moving the old one aside
# uncomment this if you want your log files compressed
#compress
# specify whether to compress log files
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own lastlog or wtmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 1
}
# system-specific logs may be configured here
In networked deployments there is a way to protect logs: set up a hidden syslog host on the network whose network card is put into promiscuous mode, so that it captures all syslog packets on the subnet, and configure every host that needs to send logs to send them to a host that does not exist. Even if a target host is compromised, the host that keeps the backup of the logs cannot be discovered from its syslog.conf file, which only names a non-existent host. In practice this may need to be supplemented by switch configuration so that the syslog packets actually reach the syslog process on the backup log host. For example, set the log host in syslog.conf to @192.168.0.13 although no such host exists on the network; in reality 192.168.0.250 or some other host is receiving the syslog packets. Note that the sending host still has to resolve a MAC address for the phantom IP (a static ARP entry, or a route through a gateway); otherwise the datagrams never leave the sender.