
How to understand the system log of Linux

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com) 06/01

This article explains how to understand the Linux system log: where syslogd and klogd write their logs, how to receive remote logs, and how logrotate rotates log files. The method is simple, fast and practical.

syslogd & klogd: /etc/syslog.conf

/var/log/secure: records logins and access to the system: FTP, SSH, TELNET...

/var/log/wtmp: login records; a binary file that must be read with last

/var/log/messages: the catch-all log for miscellaneous messages

/var/log/boot.log: boot messages; see also dmesg | more

I. Basics

The code is as follows:

# ps aux | grep syslog

# chkconfig --list | grep syslog

# cat /var/log/secure

/etc/syslog.conf specifies which services' messages, at which levels, are recorded where.

Multiple sources recorded in the same place are separated by semicolons.

vi /etc/syslog.conf

II. Receiving remote logs

The code is as follows:

# grep 514 /etc/services

syslog 514/udp

vi /etc/sysconfig/syslog

# SYSLOGD_OPTIONS="-m 0"

# change to

SYSLOGD_OPTIONS="-m 0 -r"

/etc/init.d/syslog restart

[root@linux ~]# netstat -tlunp

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name

udp 0 0 0.0.0.0:514 0.0.0.0:*

On the corresponding client:

# vi /etc/syslog.conf

*.* @192.168.1.100
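The selector rules described above (semicolon-separated sources, plus the client's forwarding line) can be checked mechanically. The following is an added example, not part of the original article: it resolves which actions in a syslog.conf receive a given facility.priority and whether the message is also forwarded to a remote host. It goes beyond the page by handling the classic sysklogd forms `*`, `none` and `=` (the `!` negation is not handled); the sample configuration is constructed and the function names are hypothetical.

```python
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Constructed sample in classic sysklogd syntax (not taken from a real host).
SAMPLE_CONF = """\
# selector(s)                      action
*.info;mail.none;authpriv.none     /var/log/messages
authpriv.*                         /var/log/secure
mail.*                             -/var/log/maillog
kern.=debug                        /var/log/kern-debug.log
*.*                                @192.168.1.100
"""

def selector_matches(field, facility, priority):
    """Evaluate semicolon-separated selectors left to right, as sysklogd does."""
    level = PRIORITIES.index(priority)
    matched = False
    for selector in field.split(";"):
        facilities, _, prio = selector.strip().partition(".")
        if "*" not in facilities.split(",") and facility not in facilities.split(","):
            continue
        if prio == "none":            # facility.none: exclude this facility
            matched = False
        elif prio == "*":             # every priority
            matched = True
        elif prio.startswith("="):    # exactly this priority
            matched = matched or level == PRIORITIES.index(prio[1:])
        else:                         # this priority and anything more severe
            matched = matched or level >= PRIORITIES.index(prio)
    return matched

def destinations(conf_text, facility, priority):
    """Return the actions (files or @hosts) that would receive the message."""
    hits = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        field, action = line.split(None, 1)
        if selector_matches(field, facility, priority):
            hits.append(action.strip())
    return hits

def forwarded_off_host(conf_text, facility, priority):
    """True when at least one matching action is a remote '@host' target."""
    return any(a.startswith("@") for a in destinations(conf_text, facility, priority))

if __name__ == "__main__":
    for fac, prio in [("authpriv", "info"), ("mail", "err"), ("kern", "debug")]:
        print(f"{fac}.{prio} ->", destinations(SAMPLE_CONF, fac, prio))
```

Run against a host's own /etc/syslog.conf, this confirms that authentication messages (authpriv) land in /var/log/secure and also reach the central log host.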

III. Logrotate

The code is as follows:

* /etc/logrotate.conf

* /etc/logrotate.d/

logrotate.conf is the main configuration file, and every file in the /etc/logrotate.d/ directory is read into /etc/logrotate.conf and executed.

What if a file in the /etc/logrotate.d/ directory does not specify a setting? The value in /etc/logrotate.conf is used as the default.

The code is as follows:

vi /etc/logrotate.d/syslog

/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler

/var/log/boot.log /var/log/cron {

    sharedscripts

    postrotate

        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true

    endscript

}

1. Separate multiple files with spaces

2. All settings go inside {}

3. # prerotate: commands executed before logrotate rotates the log

# postrotate: commands executed after logrotate rotates the log

logrotate [-vf] logfile

Options:

-v: display the rotation process

-f: force rotation

logrotate's job is scheduled through /etc/cron.daily/logrotate, so the system runs it automatically every day.

Just check whether /var/log/messages contains a line similar to this:

Oct 24 15:15:35 localhost syslogd 1.4.1: restart.

4. Example:

Requirements: the log file is rotated once a month

If it is larger than 10MB, rotation is forced regardless of the one-month limit

Keep five backup files

Backup files are not compressed.

Step 1:

The code is as follows:

[root@linux ~]# chattr +a /var/log/admin.log

[root@linux ~]# lsattr /var/log/admin.log

-a- /var/log/admin.log

The file can now only be appended to; it cannot be deleted or moved unless the attribute is removed with chattr -a /var/log/admin.log

The code is as follows:

[root@linux ~]# mv /var/log/admin.log /var/log/admin.log.1

mv: cannot move `/var/log/admin.log' to `/var/log/admin.log.1': Operation not permitted

Step 2:

The code is as follows:

vi /etc/logrotate.d/admin

# This configuration is from VBird 2005-10-24

/var/log/admin.log {

    monthly

    size=10M

    rotate 5

    nocompress

    sharedscripts

    prerotate

        /usr/bin/chattr -a /var/log/admin.log

    endscript

    sharedscripts

    postrotate

        /usr/bin/killall -HUP syslogd

        /usr/bin/chattr +a /var/log/admin.log

    endscript

}

Step 3: test

The code is as follows:

# logrotate -v /etc/logrotate.conf

...(earlier output omitted)...

rotating pattern: /var/log/admin.log 10485760 bytes (5 rotations)

empty log files are rotated, old logs are removed

considering log /var/log/admin.log

log does not need rotating

not running shared prerotate script, since no logs will be rotated

...

# logrotate -vf /etc/logrotate.d/admin

reading config file /etc/logrotate.d/admin

reading config info for /var/log/admin.log

That is to say, /etc/syslog.conf works together with the corresponding file in /etc/logrotate.d/*: syslogd first processes each message as specified by syslog.conf,

and logrotate then rotates the resulting logs according to the requirements of the /etc/logrotate.d/* file.

5. Common commands:

The code is as follows:

# dmesg | more

Read /var/log/boot.log

The code is as follows:

dmesg | grep 'eth'

The code is as follows:

# last -n number

[root@linux ~]# last -f filename

-n: number of entries to show

-f: by default last reads /var/log/wtmp, while -f reads a different file

The code is as follows:

# last -n 5 -f /var/log/wtmp.1

dmtsai2 pts/2 Mon Oct 24 14:18 - 14:18 (00:00)

dmtsai2 work:0 work Mon Oct 24 14:18 gone - no logout

dmtsai2 work:0 work Mon Oct 24 14:18 - 14:18 (00:00)

dmtsai2 pts/2 Mon Oct 24 14:18 - 14:18 (00:00)

dmtsai2 work:0 work Mon Oct 24 14:18 - 14:18 (00:00)

# lastlog

Reads only /var/log/lastlog, which contains just the time of the last login of every account on the current system.
