Shulou(Shulou.com)06/03 Report--

Log:

Historical events: time, place, people, date and time of events

Event record format:

Date time host process [pid]: event content

Cpact S architecture: log records are delivered through services of TCP or UDP protocol, and logs distributed on different hosts are managed centrally

Rsyslog

 rsyslog features: CentOS6 and 7  multithreading

 UDP, TCP, SSL, TLS, RELP

 MySQL, PGSQL, Oracle to implement log storage

 powerful filter to filter any part of log information

 custom output format

[root@node4~] # rpm-Q rsyslog # query rsyslog log package rsyslog-8.24.0-12.el7.x86_64 [root@node4~] # rpm-ql rsyslog/etc/logrotate.d/syslog/etc/pki/rsyslog/etc/rsyslog.conf/etc/rsyslog.d/etc/sysconfig/rsyslog/usr/bin/rsyslog-recover-qi.pl/usr/lib/systemd/system/rsyslog.service

ELK:elasticsearch, logstash, kibana

 non-relational distributed database

 is based on the project lucene of the jakarta project team of apache Software Foundation.

 Elasticsearch is an open source distributed search engine

 Logstash collects, analyzes, and stores logs for future use

 kibana can provide a friendly Web interface for log analysis

Rsyslog introduction

Terminology, see man logger

Facility: a facility to categorize logs functionally or programmatically

Auth, authpriv, cron, daemon,ftp,kern, lpr, mail, news, security (auth), user, uucp, local0-local7, syslog

Priority priority, sorted from low to high

Debug, info, notice, warn (warning), err (error), crit (critical), alert, emerg (panic)

 see help: man 3 syslog

Rsyslog

 package: rsyslog

 main program: / usr/sbin/rsyslogd

 CentOS 6:service rsyslog {start | stop | restart | status}  CentOS 7:/usr/lib/systemd/system/rsyslog.service

 configuration file: / etc/rsyslog.conf,/etc/rsyslog.d/*.conf

 library file: / lib64/rsyslog/*.so

Configuration file format: consists of three parts

MODULES: related module configuration

GLOBAL DIRECTIVES: global configuration

RULES: rule configuration related to logging

Rsyslog

 RULES configuration format: facility.priority; facility.priority … Target

 facility:*: all the facility

List of facility specified by facility1,facility2,facility3,...:

 priority: *: all levels

None: no level, that is, no record

PRIORITY: all levels above the specified level (inclusive)

= PRIORITY: only log information at the specified level is recorded

 target:

File path: usually in front of the / var/log/, file path-indicates asynchronous write

User: notifies the specified user of the log event, * indicates all logged-in users

Log server: @ host, send the log to the specified remote server for record

Pipeline: | COMMAND, forward to other commands for processing

Departure log tool: logger [root@node4~] # logger "this is a test log" [root@node4~] # tail / var/log/messages Jan 18 17:40:01 node4 systemd: Starting Session 27 of user root.Jan 18 17:46:26 node4 dbus: [system] Activating via systemd: service name='org.freedesktop.PackageKit' unit='packagekit.service'Jan 18 17:46:26 node4 dbus-daemon: dbus: [system] Activating via systemd: service name='org.freedesktop. PackageKit' unit='packagekit.service'Jan 18 17:46:26 node4 systemd: Starting PackageKit Daemon...Jan 18 17:46:26 node4 dbus [626]: [system] Successfully activated service' org.freedesktop.PackageKit'Jan 18 17:46:26 node4 dbus-daemon: dbus [626]: [system] Successfully activated service' org.freedesktop.PackageKit'Jan 18 17:46:26 node4 systemd: Started PackageKit Daemon.Jan 18 17:50:01 node4 systemd: Started Session 28 of user root.Jan 18 17:50:01 Node4 systemd: Starting Session 28 of user root.Jan 18 17:51:03 node4 root: this is a test log [root@node4~] # egrep-v'^ $| #'/ etc/rsyslog.conf # View the log path related to the configuration file $WorkDirectory / var/lib/rsyslog$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat$IncludeConfig / etc/rsyslog.d/*.conf$OmitLocalLogging on$IMJournalStateFile imjournal.state*.info Mail.none;authpriv.none Cron.none / var/log/messagesauthpriv.* / var/log/securemail.*-/ var/log/maillogcron.* / var/log/cron*.emerg : omusrmsg:*uucp News.crit / var/log/spoolerlocal7.* / var/log/boot.log

The ssh log is recorded in the secure log.

[root@node4~] # ssh 192.168.137.47 root@192.168.137.47's password: [root@node4~] # tail / var/log/secureJan 18 18:14:56 node4 sshd [4090]: pam_unix (sshd:auth): authentication failure Logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.137.47 user=rootJan 18 18:14:56 node4 sshd [4090]: pam_succeed_if (sshd:auth): requirement "uid > = 1000" not met by user "root" Jan 18 18:14:58 node4 sshd [4090]: Failed password for root from 192.168.137.47 port 52894 ssh3 [root@node4~] # egrep-v "^ $| ^ #" / etc/ssh/sshd_config | grep SyslogFacility SyslogFacility AUTHPRIV

Define log log path

[root@node4~] # vim + 33 / etc/ssh/sshd_config 33 SyslogFacility local7 34 LogLevel INFO [root@node4~] # vim / etc/rsyslog.d/sshd.conf 1 local7.* / var/log/sshd.log [root@node4~] # systemctl restart rsyslog sshd [root@node4~] # ps aux | grep rsyslogd (rpm-Q rsyslog / rpm-ql rsyslog.$packet) root 4665 0.0 0.2 275560 2668? Ssl 18:49 0:00 / usr/sbin/rsyslogd-nroot 4700 0.0 112660 968 pts/1 S + 18:50 0:00 grep-- color=auto rsyslogd [root@node4~] # ssh 192.168.137.47root@192.168.137.47's password: Permission denied, please try again.root@192.168.137.47's password: Permission denied, please try again.root@192.168.137.47's password: Permission denied (publickey Password). [root@node4~] # tail / var/log/sshd.logJan 18 18:49:08 node4 sshd [4664]: Server listening on 0.0.0.0 port 22.Jan 18 18:49:08 node4 sshd [4664]: Server listening on:: port 22.Jan 18 18:49:46 node4 sshd [4681]: Failed password for root from 192.168.137.47 port 52900 ssh3Jan 18 18:49:46 node4 sshd [4681]: Failed password for root from 192.168.137.47 port 52900 ssh3Jan 18 18:49:46 node4 sshd [4681]: Connection closed by 192.168.137.47 port 52900 [preauth] event recording format: date time host process [pid]: event content

Centos7: modify the host name:

[root@node3~] # hostnamectl set-hostname $hostname

[root@node3~] # / etc/host

Log server: @ host, send the log to the specified remote server for record

Enable the web log service

The usual log format of :

Date-time host process (pid) generated by the event: event content

For example,  such as / var/log/messages,cron,secure configures rsyslog to become a log server

# MODULES #

# Provides UDP syslog reception

$ModLoad imudp

$UDPServerRun 514

# Provides TCP syslog reception

$ModLoad imtcp

$InputTCPServerRun 514

Log server: @ host Send the log to the designated remote server to record the source host: 192.168.137.47 node4 destination host: 192.168.137.37 node3 [root@node4~] # cat / etc/rsyslog.d/sshd.conf local7.* / var/log/sshd.log#udplocal2.* @ 192.168.137.37 recording tcpkeeper local7.* @ @ 192.168.137.37 [ro ot@node3~] # cat / etc/rsyslog.conf | | grep-A1 $ModLoad imudp$ ModLoad imudp$UDPServerRun 514 [root@node3~] # cat / etc/rsyslog.conf | grep local2.* local2.* / var/log/udp.log test: [root@node4~] # ssh 192.168.137.47root@192.168.137.47's password: [root@node3~] # tail / var/log/udp.log-f Jan 18 22:00 | : 59 node4 sshd [7903]: Accepted password for root from 192.168.137.47 port 52916 ssh3Jan 18 22:01:24 node4 sshd [7903]: Received disconnect from 192.168.137.47 port 52916:11: disconnected by userJan 18 22:01:24 node4 sshd [7903]: Disconnected from 192.168.137.47 port 52916Jan 18 22:19:09 node4 sshd [8172]: Failed password for root from 192.168.137.47 port 52920 ssh3Jan 18 22:19:12 node4 sshd [8172]: Accepted password for root from 192.168.137.47 port 52920 ssh3

Other logs

Other log files

# / var/log/secure: system installation log, text format, should be analyzed periodically

# / var/log/btmp: log information related to failed login attempts of users on the current system, binary grid

Style, lastb command to view

# / var/log/wtmp: log information of users logging in to the system normally on the current system, in binary format

Type, the last command can view

# / var/log/lastlog: each user's last login information, binary format, lastlog command

You can view

# / var/log/dmesg: log information during system boot, text format

Text View tool View

Special command dmesg view

# / var/log/messages: most of the information in the system

# / var/log/anaconda: log of anaconda

[root@node4/var/log] # lastb | head | awk'{print $3}'| sort | uniq-c 10 192.168.137.47 [root@node4/var/log] # lastb | head | awk'{ip [$3] +} END {for (i in ip) {print ip [I], I}'10 192.168.137.47

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.