
Remote collection of Linux system logs

2025-01-30 Update From: SLTechnology News&Howtos (shulou), Servers

Shulou (Shulou.com) 06/02 Report

A normal production Linux server generates a great deal of log information all the time. When there are dozens or even hundreds of servers in the production environment, checking the system log on each one individually is very troublesome.

Today, as technology keeps evolving, there are many ways to manage logs centrally, the most common being the ELK log analysis stack. But how are these logs generated in the first place, and which service manages them? This article revolves around the syslog service, rsyslog.

There are many log types in the Linux system. Here are some log files generated by the system itself:

/var/log/boot.log
/var/log/cron
/var/log/dmesg
/var/log/lastlog
/var/log/maillog or /var/log/mail/*
/var/log/messages
/var/log/secure
/var/log/wtmp, /var/log/faillog
/var/log/httpd/*, /var/log/samba/*

To learn more about what each log file records, refer to the blog post "An introduction to common log files in Linux, including the 7 error levels"; it is not repeated here.

Most of the logs in the system are managed by the rsyslog service, whose main configuration file is /etc/rsyslog.conf:

[root@aaa ~]# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"   # filter out blank lines and comment lines
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*        /var/log/secure     # all levels of authpriv information are recorded in the secure file
mail.*            /var/log/maillog    # all levels of the mail service are recorded in /var/log/maillog
cron.*            /var/log/cron
*.emerg           :omusrmsg:*
uucp,news.crit    /var/log/spooler
local7.*          /var/log/boot.log

In the line *.info;mail.none;authpriv.none;cron.none /var/log/messages, the asterisk before the period stands for all services (facilities), the word after the period is the lowest level that is recorded, mail.none, authpriv.none and cron.none exclude those three services from the rule, and /var/log/messages is where the messages are written. In general, each rule begins with a service name, followed by a period and the error level from which messages are recorded; either side of the period can be the wildcard asterisk. "*.*" selects all levels of all services, and "*.info" selects the info level and every more serious level of all services.
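To make the selector rules concrete, here is an added example (not part of the original article) that evaluates rsyslog facility.priority selectors in Python and routes a few constructed messages through the default ruleset shown above, plus the *.info forwarding line that the next section adds:

```python
# Added example (not from the original article): evaluates rsyslog "facility.priority"
# selectors the way the /etc/rsyslog.conf lines above are read. Uses the standard syslog
# facility and priority names; the messages routed in __main__ are constructed samples.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "local0", "local1", "local2",
              "local3", "local4", "local5", "local6", "local7"]

def selector_matches(selector, facility, priority):
    """True if a selector such as '*.info;mail.none;authpriv.none;cron.none' selects
    a message of the given facility and priority. Parts of the ';' list are applied
    left to right, so 'mail.none' after '*.info' excludes mail although '*' matched it."""
    if priority not in PRIORITIES or facility not in FACILITIES:
        raise ValueError(f"unknown facility/priority: {facility}.{priority}")
    selected = False
    for part in selector.split(";"):
        fac_list, _, level = part.strip().rpartition(".")
        facs = FACILITIES if fac_list == "*" else fac_list.split(",")
        if facility not in facs:
            continue
        if level == "none":        # 'none' drops this facility entirely
            selected = False
        elif level == "*":         # every level
            selected = True
        else:                      # the named level and everything more severe
            selected = PRIORITIES.index(priority) >= PRIORITIES.index(level)
    return selected

def route(rules, facility, priority):
    """Apply the ruleset in file order; return the actions (files/hosts) that receive the message."""
    return [action for selector, action in rules if selector_matches(selector, facility, priority)]

# The selector/action pairs from the grep output above, plus the forwarding line added later.
DEFAULT_RULES = [
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("mail.*", "/var/log/maillog"),
    ("cron.*", "/var/log/cron"),
    ("*.emerg", ":omusrmsg:*"),
    ("uucp,news.crit", "/var/log/spooler"),
    ("local7.*", "/var/log/boot.log"),
    ("*.info", "@@192.168.1.2"),  # forward info and above to bbb over TCP
]

if __name__ == "__main__":
    for fac, pri in [("authpriv", "info"), ("mail", "err"), ("daemon", "debug"), ("news", "emerg")]:
        print(f"{fac}.{pri:<8} -> {route(DEFAULT_RULES, fac, pri)}")
```

Note that a debug-level message matches none of these rules, so it is neither written locally nor forwarded to bbb.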

In the configuration file above, both the location and the level of the logs can be changed, but this is generally not recommended.

In fact, by relying on the same /etc/rsyslog.conf file, a server can also send its logs to another server, which then manages them centrally. If the production environment is small with few servers, this approach is sufficient; if the number of servers is relatively large, deploying an ELK log analysis system is recommended.

Configure rsyslog service instance

I have two servers here, with hostnames aaa and bbb (IP addresses 192.168.1.1 and 192.168.1.2, respectively), and we will implement the following requirements:

1. Send all system service logs of the aaa server at info level and above to the bbb server for unified management;
2. Send the logs of the compiled and installed Nginx to the bbb server for management;
3. Send the logs of the compiled and installed apache to the bbb server for management (because apache's default port conflicts with Nginx, stop the Nginx service and start the apache service after the second requirement has been implemented).

Start the configuration:

1. Send all system service logs of the aaa server at info level and above to the bbb server for unified management.

(1) do the following on the aaa server:

[root@aaa ~]# vim /etc/rsyslog.conf   # edit the configuration file of the log service
# ... part of the content omitted
$ModLoad imudp          # remove the comment symbol "#" at the beginning of the line to enable the UDP protocol
$UDPServerRun 514       # remove the "#" at the beginning of the line to open UDP port 514
# Provides TCP syslog reception
$ModLoad imtcp          # remove the "#" at the beginning of the line to enable the TCP protocol
$InputTCPServerRun 514  # remove the "#" at the beginning of the line to open TCP port 514
# ... part of the content omitted
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
*.info    @@192.168.1.2
# the asterisk stands for all services and "*.info" means info level and above;
# "@@" means transmit over TCP and 192.168.1.2 is the server to send to;
# a single "@" would mean transmit over UDP instead
# ... part of the content omitted
# save and exit after editing
[root@aaa ~]# systemctl restart rsyslog   # restart the rsyslog service for the changes to take effect

(2) do the following on the bbb server:

[root@bbb ~]# vim /etc/rsyslog.conf   # edit the rsyslog configuration file and open port 514 for both UDP and TCP
# ... part of the content omitted
$ModLoad imudp          # remove the "#" comment symbol at the beginning of the line
$UDPServerRun 514       # remove the "#" comment symbol at the beginning of the line
# Provides TCP syslog reception
$ModLoad imtcp          # remove the "#" comment symbol at the beginning of the line
$InputTCPServerRun 514  # remove the "#" comment symbol at the beginning of the line
# ... part of the content omitted
[root@bbb ~]# systemctl restart rsyslog   # restart the service for the changes to take effect
[root@bbb ~]# tailf /var/log/secure       # dynamically monitor the local log file
Sep 19 15:00:32 aaa useradd[5998]: new group: name=lvjianzh, GID=1003
Sep 19 15:00:32 aaa useradd[5998]: new user: name=lvjianzh, UID=1003, GID=1003
# ... part of the content omitted

(3) do the following on the aaa server (mainly to generate log information):

[root@aaa ~]# useradd admini
[root@aaa ~]# echo '123.com' | passwd --stdin admini
Changing password for user admini.
passwd: all authentication tokens updated successfully.

(4) View the new logs that have arrived on bbb as follows:

2. Send the logs of the compiled and installed Nginx to the bbb server for management

(1) do the following on the aaa server:

[root@aaa ~]# vim /etc/yum.repos.d/epel.repo   # write the following file, specifying the Aliyun mirror
[epel]
name=epel
baseurl=https://mirrors.aliyun.com/epel/7/x86_64/
gpgcheck=0
# make sure the yum repo files that come with the system are still present in /etc/yum.repos.d/; save and exit after writing
[root@aaa ~]# yum repolist   # then run this command
# ... part of the content omitted
base/7/x86_64/primary_db | 6.0 MB 00:01
repo id              repo name          status
base/7/x86_64        CentOS-7-Base      10097
epel                 Epel               13384   # this line shows that the file we just wrote is valid
extras/7/x86_64      CentOS-7-Extras    304
updates/7/x86_64     CentOS-7-Updates   311
repolist: 2409
# if the above is not displayed after yum repolist and the configuration file has no errors, run the following command
[root@aaa ~]# yum makecache   # build the metadata cache
# ... part of the content omitted
Metadata Cache Created
[root@aaa ~]# yum -y install nginx       # install the nginx service
[root@aaa ~]# systemctl start nginx      # start the Nginx service
[root@aaa ~]# netstat -anpt | grep nginx # confirm that the Nginx service has been started
tcp        0      0 0.0.0.0:80      0.0.0.0:*       LISTEN      6609/nginx: master
tcp6       0      0 :::80           :::*            LISTEN      6609/nginx: master
[root@aaa ~]# ls /var/log/nginx/         # the location of the two Nginx log files after a yum install
access.log  error.log
# remember the storage path of the Nginx logs, it is needed below; if you compiled and installed Nginx, find its log path yourself and note it
[root@aaa ~]# vim /etc/rsyslog.conf      # edit the configuration file of the rsyslog service
# ... part of the content omitted
# append the following at the end of the configuration file
$ModLoad imfile
$InputFilePollInterval 1
$InputFileName /var/log/nginx/access.log
$InputFileTag nginx-info-access:
$InputFileStateFile state-nginx-info-accesslog
$InputRunFileMonitor
$InputFileName /var/log/nginx/error.log
$InputFileTag nginx-info-error:
$InputFileStateFile state-nginx-info-errorlog
$InputRunFileMonitor
$InputFilePollInterval 10
if $programname == 'nginx-info-access' then @192.168.1.2:514
if $programname == 'nginx-info-access' then ~
if $programname == 'nginx-info-error' then @192.168.1.2:514
if $programname == 'nginx-info-error' then ~
[root@aaa ~]# systemctl restart rsyslog  # restart the service for the changes to take effect

The configuration items written above are explained as follows:

$ModLoad imfile                                  # load the imfile module, which reads text log files as input
$InputFilePollInterval 1                         # how often the file is polled for new lines, in seconds
$InputFileName /var/log/nginx/access.log         # the log file to collect
$InputFileTag nginx-info-access:                 # the tag attached to every line of this log; $programname is matched against it below
$InputFileStateFile state-nginx-info-accesslog   # the state file (kept under $WorkDirectory) that records how far the file has been read
$InputRunFileMonitor                             # start monitoring this file
# the configuration below repeats the above, because two log files have to be collected
$InputFileName /var/log/nginx/error.log
$InputFileTag nginx-info-error:
$InputFileStateFile state-nginx-info-errorlog
$InputRunFileMonitor
# the following lines specify where the collected logs are sent. As before, a single @ means UDP and @@ means TCP;
# the "~" action discards the message once it has been forwarded, so it is not also processed by the local rules
if $programname == 'nginx-info-access' then @192.168.1.2:514
if $programname == 'nginx-info-access' then ~
if $programname == 'nginx-info-error' then @192.168.1.2:514
if $programname == 'nginx-info-error' then ~
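The following added example (not the article's own code) simulates how rsyslog walks these programname filter rules in order, for both the Nginx rules here and the httpd rules of the next section, and shows why the ~ (discard) line has to come after the forwarding line; the message tags it evaluates are constructed for illustration.

```python
# Added example (not from the original article): simulates how rsyslog walks the
# "if $programname == '...' then ..." filter lines in order. The rule text is the
# article's; the message tags below are constructed for illustration.
import re

def programname(tag):
    """rsyslog derives $programname from the message TAG by cutting at the first
    ':' or '[' (e.g. 'useradd[5998]:' -> 'useradd'), which is why the documented
    form of $InputFileTag ends with a colon."""
    return re.split(r"[:\[\s]", tag, maxsplit=1)[0]

RULE_RE = re.compile(r"^if \$programname == '([^']+)' then (.+)$")

def parse_rules(config_text):
    """Turn the filter lines into (programname, action) pairs; other lines are ignored."""
    rules = []
    for line in config_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((m.group(1), m.group(2).strip()))
    return rules

def evaluate(rules, tag):
    """Actions taken for one message. The '~' action discards the message, so
    nothing after it (including the default file rules) sees that message."""
    actions = []
    for name, action in rules:
        if name != programname(tag):
            continue
        if action == "~":
            actions.append("discard")
            break
        actions.append(action)
    return actions

NGINX_RULES = """
if $programname == 'nginx-info-access' then @192.168.1.2:514
if $programname == 'nginx-info-access' then ~
if $programname == 'nginx-info-error' then @192.168.1.2:514
if $programname == 'nginx-info-error' then ~
"""

if __name__ == "__main__":
    rules = parse_rules(NGINX_RULES)
    for tag in ["nginx-info-access:", "nginx-info-error:", "sshd[2201]:"]:
        print(f"{tag:<20} -> {evaluate(rules, tag)}")
    # With the two access lines swapped the message is discarded before it is forwarded.
    print(evaluate(list(reversed(rules[:2])), "nginx-info-access:"))
```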

(2) Monitoring logs on the bbb server:

(4) go back to the bbb server to see whether the Nginx access log of the aaa server has been generated (if no new log appears and configuration errors have been ruled out, refresh the client a few more times):

As you can see, Nginx's log information is extremely detailed, isn't it? It includes the time the entry was generated, which server produced it, the tag, the client IP address that made the access, the access time, the HTTP status code, which operating system the client used and whether it is 32- or 64-bit (for example, "Windows NT 10.0; Win64; x64" indicates a 64-bit Windows 10 system), and which browser was used. I accessed it with Google Chrome here, and it even records the version number of my client's Chrome browser.

At this point, Nginx log file collection is complete. Now for apache log collection; with the previous groundwork this is much easier, since only the configuration items need to be changed.

3. Send the logs of the compiled and installed apache to the bbb server for management

(1) do the following on the aaa server:

[root@aaa ~]# yum -y install httpd       # install the apache service
[root@aaa ~]# systemctl stop nginx       # stop the Nginx service to avoid a port conflict
[root@aaa ~]# systemctl start httpd      # start the apache service
[root@aaa ~]# vim /etc/rsyslog.conf      # change the rsyslog configuration file; mainly the path of the collected logs changes
# ... part of the content omitted
$ModLoad imfile
$InputFilePollInterval 1
$InputFileName /var/log/httpd/access_log   # this is the main change
$InputFileTag httpd-info-access:
$InputFileStateFile state-httpd-info-accesslog
$InputRunFileMonitor
$InputFileName /var/log/httpd/error_log    # and this
# the remaining items need not be changed, but it is recommended to change them, otherwise the logs are not intuitive to read
$InputFileTag httpd-info-error:
$InputFileStateFile state-httpd-info-errorlog
$InputRunFileMonitor
$InputFilePollInterval 10
if $programname == 'httpd-info-access' then @192.168.1.2:514
if $programname == 'httpd-info-access' then ~
if $programname == 'httpd-info-error' then @192.168.1.2:514
if $programname == 'httpd-info-error' then ~
# in short, replace "nginx" in the previous configuration with "httpd"
[root@aaa ~]# systemctl restart rsyslog  # restart the service for the changes to take effect

(3) the client accesses aaa's apache (httpd) service to generate logs (refresh several more times).

(4) go back to the bbb server to see whether httpd access logs from the aaa server have been generated.

OK! No problem, done.
