2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
10.1. Introduction to rsyslog
Syslog is a logging system with a long history; almost all UNIX and Linux systems use it to manage and configure system logs. The Linux kernel and many programs generate error messages, warnings and other notices, and syslog can save them to different log files according to their source (facility) and importance (priority). With the default configuration, log files are kept under /var/log. On CentOS 6 the syslog daemon is rsyslog, and it is started automatically at boot.
Some log files are defined in the syslog configuration; their locations and contents are:
/var/log/dmesg: messages recorded before the init process starts; once /sbin/init is running, the log is rotated (log slicing)
/var/log/maillog: log information generated by the mail system
/var/log/secure: log information generated by the security (authentication) subsystem
/var/log/messages: standard system messages; boot information from non-kernel sources; information produced by each subsystem
10.2. Rsyslog configuration
The configuration file is /etc/rsyslog.conf; it specifies the message source (facility), the message level (priority) and where rsyslog saves each message.
[root@mylinux log]# cat /etc/rsyslog.conf
# rsyslog v5 configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf


#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log


# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
Lines beginning with '#' are comments. Every rule line has the form:
facility.priority    action
The selector (facility.priority) and the action are separated by Tab or spaces. Several selectors may be written on one line, separated by ';', so a single rule can cover several message sources and levels, for example:
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
rsyslog message sources (facility) and their meaning:
auth: authentication-related
authpriv: permission and authorization related (private authentication messages)
cron: scheduled tasks (cron)
daemon: system daemons
kern: kernel
lpr: printing
mail: mail system
mark: periodic --MARK-- timestamp messages
news: Usenet news
security: security-related, an older synonym for auth
syslog: messages generated by syslog itself
user: user-level programs
uucp: unix-to-unix copy (UUCP)
local0-local7: reserved for local use
*: all facilities
rsyslog message levels (priority), from lowest to highest:
debug: debugging information from a program or the system
info: general informational messages
notice: normal but significant conditions that deserve attention, without affecting normal operation
warning/warn: important events that may affect system function and should be brought to the user's attention
err/error: error messages
crit: critical conditions
alert: action must be taken immediately
emerg/panic: the system is unusable
*: all levels
none: the opposite of *, no messages at all
rsyslog level selectors match upward: when a level is specified, messages of that level and of every higher (more severe) level are included. For example, warning selects messages at warning level or above, i.e. emerg, alert, crit, err and warning. The lower the level you specify, the more messages you get. To match exactly one level, and not the more severe ones above it, prefix the level with an equals sign:
cron.=notice    /var/log/cron
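To make the selector rules concrete, here is an added Python example (not code from the original article) that emulates how a classic rsyslog selector line routes a message: facility lists separated by ',', several selectors separated by ';', none cancelling an earlier catch-all, '*' for every facility or level, and '=' for an exact level. The RULES section of the CentOS 6 default file is embedded as sample input; route() returns the actions a message of a given facility.priority would reach, in configuration order.

```python
"""Emulate how rsyslog's classic selectors route a message to actions (added example)."""
from typing import Dict, List, Optional, Tuple

# Severity order as numbered by syslog(3): emerg is 0 (most severe), debug is 7.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRIORITY_ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
# Facilities that "*" expands to; "security" is an old synonym for auth.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]
FACILITY_ALIASES = {"security": "auth"}

# policy: facility -> ("min", n) matches severity numbers <= n (that level and every
# more severe one); ("eq", n) matches exactly level n; a facility absent from the
# policy is not matched at all (the effect of "none").
Policy = Dict[str, Tuple[str, int]]


def parse_rule(line: str) -> Optional[Tuple[Policy, str]]:
    """Parse one 'selector  action' line; return None for comments and $directives."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("$"):
        return None
    parts = line.split(None, 1)
    if len(parts) != 2:
        return None
    selectors, action = parts
    policy: Policy = {}
    for sel in selectors.split(";"):          # selectors are applied left to right
        facs, prio = sel.rsplit(".", 1)
        exact = prio.startswith("=")
        prio = prio.lstrip("=").lower()
        prio = PRIORITY_ALIASES.get(prio, prio)
        targets = [FACILITY_ALIASES.get(f.strip().lower(), f.strip().lower())
                   for f in facs.split(",")]
        if "*" in targets:
            targets = list(FACILITIES)
        for fac in targets:
            if prio == "none":                # 'mail.none' cancels an earlier '*.info'
                policy.pop(fac, None)
            elif prio == "*":                 # every level, debug included
                policy[fac] = ("min", len(PRIORITIES) - 1)
            elif prio in PRIORITIES:
                policy[fac] = ("eq" if exact else "min", PRIORITIES.index(prio))
            else:
                raise ValueError(f"unknown priority {prio!r} in {sel!r}")
    return policy, action


def matches(policy: Policy, facility: str, priority: str) -> bool:
    """True if a message of facility.priority is selected by this policy."""
    facility = FACILITY_ALIASES.get(facility, facility)
    severity = PRIORITIES.index(PRIORITY_ALIASES.get(priority, priority))
    entry = policy.get(facility)
    if entry is None:
        return False
    mode, level = entry
    return severity == level if mode == "eq" else severity <= level


def route(config_text: str, facility: str, priority: str) -> List[str]:
    """Return the actions, in config order, that would receive facility.priority."""
    actions = []
    for raw in config_text.splitlines():
        parsed = parse_rule(raw)
        if parsed is not None and matches(parsed[0], facility, priority):
            actions.append(parsed[1])
    return actions


# The RULES section of the CentOS 6 default file, embedded so the example runs offline.
CENTOS6_RULES = """\
#kern.*                                   /dev/console
*.info;mail.none;authpriv.none;cron.none  /var/log/messages
authpriv.*                                /var/log/secure
mail.*                                    -/var/log/maillog
cron.*                                    /var/log/cron
*.emerg                                   *
uucp,news.crit                            /var/log/spooler
local7.*                                  /var/log/boot.log
"""

if __name__ == "__main__":
    for fac, pri in [("kern", "emerg"), ("cron", "info"), ("news", "crit"),
                     ("kern", "debug"), ("mail", "warning")]:
        print(f"{fac}.{pri:<8} -> {route(CENTOS6_RULES, fac, pri)}")
```

Two routing facts this makes visible: a kern.debug message reaches no file at all under the default rules (the *.info threshold excludes it), and a kern.emerg message is written both to /var/log/messages and to every logged-in terminal because two rules select it.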
rsyslog actions:
absolute path: save the message to a regular file, e.g. /var/log/xxx
|: send the message through a named pipe to another program for processing
terminal: write the message to a local terminal, e.g. /dev/console
@HOST: forward the message to another syslog server for processing, e.g. @10.0.0.1 (a single @ sends over UDP, @@ over TCP)
user: write the message to the terminals of the named logged-in users, several names separated by ',', e.g. root
*: write the message to every user logged in to the system; this is how emerg-level messages are handled by default
Configuration example:
The logger command can be used to generate syslog messages of any facility and level, to test whether the configuration is correct.
Usage: logger [-isd] [-f file] [-p pri] [-t tag] [-u socket] [message ...]
[root@mylinux log]# vim /etc/rsyslog.conf          # modify the configuration file, add these two lines
# syslog Test
kern.info    /var/log/kern_test.log
[root@mylinux log]# /etc/init.d/rsyslog restart    # restart the daemon
Shutting down system logger:                       [  OK  ]
Starting system logger:                            [  OK  ]
[root@mylinux log]# logger -p kern.info 'test info'   # simulate a kernel message
[root@mylinux log]# cat /var/log/kern_test.log        # the generated log message
May  3 19:11:30 localhost kernel: imklog 5.8.10, log source = /proc/kmsg started.
10.3. Other logs
In addition to rsyslog, a Linux system provides a number of other log files in which very important messages are recorded. The most commonly used are dmesg, wtmp, btmp and .bash_history.
dmesg log: kernel messages
The log file /var/log/dmesg records the kernel messages produced during system startup, including the hardware detected by the system and any errors and problems recorded during startup and operation.
[root@mylinux log]# less /var/log/dmesg
Initializing cgroup subsys cpuset
Initializing cgroup subsys cpu
Linux version 2.6.32-642.11.1.el6.x86_64 (mockbuild@c1bm.rdu2.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC) ) #1 SMP Fri Nov 18 19:25:05 UTC 2016
Command line: ro root=/dev/vda1 console=ttyS0 console=tty0 printk.time=1 panic=5 rd_NO_LUKS KEYBOARDTYPE=pc KEYTABLE=us LANG=zh_CN.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 rd_NO_LVM crashkernel=auto rd_NO_DM
KERNEL supported cpus:
  Intel GenuineIntel
  AMD AuthenticAMD
  Centaur CentaurHauls
BIOS-provided physical RAM map:
 BIOS-e820: 0000000000000000 - 000000000009fc00 (usable)
User login log
/var/log/wtmp and /var/log/btmp are the files in which Linux keeps user login records: wtmp holds successful logins and btmp holds failed login attempts. Both are binary files that cannot be opened with a text editor; they are viewed with the last and lastb commands.
[root@mylinux log]# last | less          # view login records
root     pts/0        192.168.1.120    Wed May  3 18:30   still logged in
root     pts/0        192.168.1.120    Tue May  2 14:47 - 15:40  (00:53)
root     pts/0        192.168.1.120    Fri Apr 28 12:00 - 22:01  (10:00)
root     pts/0        192.168.1.120    Mon Apr 24 08:54 - 17:18  (08:23)
root     pts/0        192.168.1.120    Sun Apr 23 18:48 - 22:00  (03:11)
root     pts/0        192.168.1.120    Sun Apr 23 16:28 - 16:32  (00:03)
root     pts/0        192.168.1.120    Sat Apr 22 12:51 - 13:39  (00:47)
root     pts/0        192.168.1.120    Sat Apr 22 12:03 - 12:51  (00:47)
...
[root@mylinux log]# lastb                # view failed login attempts
support  ssh:notty    171.212 .100     Wed May  3 18:27 - 18:27  (00:00)
admin    ssh:notty    78.106.24.79     Wed May  3 13:18 - 13:18  (00:00)
liuyr    ssh:notty    61.147.166.76    Wed May  3 12:53 - 12:53  (00:00)
admin    ssh:notty    124.131.79.205   Wed May  3 12:41 - 12:41  (00:00)
admin    ssh:notty    112.120.73.220   Wed May  3 11:37 - 11:37  (00:00)
support  ssh:notty    2.177.238.135    Wed May  3 10:59 - 10:59  (00:00)
ubnt     ssh:notty    109.161.75.102   Wed May  3 09:33 - 09:33  (00:00)
admin    ssh:notty    181.25.207.227   Wed May  3 09:14 - 09:14  (00:00)
admin    ssh:notty    181.26.181.184   Wed May  3 06:54 - 06:54  (00:00)
admin    ssh:notty    181.26.181.184   Wed May  3 06:54 - 06:54  (00:00)
admin    ssh:notty    167.160.149.47   Wed May  3 05:27 - 05:27  (00:00)
admin    ssh:notty    179.63.255.251   Wed May  3 05:07 - 05:07  (00:00)
...
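The lastb output above is the kind of data an administrator reads when deciding whether a host is being password-guessed over SSH. As an added example (not code from the original article), the following Python parses lastb-style lines, counts failures per source address and per attempted user name, and flags sources that exceed a threshold. The sample lines are constructed with RFC 5737 documentation addresses rather than the real output shown above; on a real host feed it the output of lastb.

```python
"""Summarise failed logins from `lastb` output (added example)."""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

WEEKDAYS = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}

# Constructed sample in the column layout lastb prints (user, tty, host, time);
# the addresses are RFC 5737 documentation ranges, not real sources.
SAMPLE_LASTB = """\
admin    ssh:notty    203.0.113.10     Wed May  3 06:54 - 06:54  (00:00)
admin    ssh:notty    203.0.113.10     Wed May  3 06:54 - 06:54  (00:00)
root     ssh:notty    203.0.113.10     Wed May  3 06:55 - 06:55  (00:00)
admin    ssh:notty    203.0.113.10     Wed May  3 06:56 - 06:56  (00:00)
support  ssh:notty    198.51.100.7     Wed May  3 10:59 - 10:59  (00:00)
ubnt     ssh:notty    198.51.100.9     Wed May  3 09:33 - 09:33  (00:00)
root     tty1                          Wed May  3 08:00 - 08:00  (00:00)

btmp begins Mon May  1 00:00:01 2017
"""


class Attempt(NamedTuple):
    user: str
    tty: str
    host: str   # empty for local console logins, which print no host column
    when: str   # the time text as lastb prints it, whitespace collapsed


def parse_lastb(text: str) -> List[Attempt]:
    """Parse the lines lastb prints: user, tty, optional host, then the time."""
    attempts = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or line.startswith("btmp begins"):
            continue                          # blank line or the trailing summary
        user, tty = tokens[0], tokens[1]
        if tokens[2] in WEEKDAYS:             # no host column: a local tty login
            host, rest = "", tokens[2:]
        else:
            host, rest = tokens[2], tokens[3:]
        attempts.append(Attempt(user, tty, host, " ".join(rest)))
    return attempts


def summarize(attempts: List[Attempt]) -> Dict[str, Counter]:
    """Failure counts per remote source host and per attempted user name."""
    return {
        "by_host": Counter(a.host for a in attempts if a.host),
        "by_user": Counter(a.user for a in attempts),
    }


def suspicious_sources(attempts: List[Attempt], threshold: int = 3) -> List[Tuple[str, int, int]]:
    """Remote hosts with at least `threshold` failures, most active first.

    Each entry is (host, failures, distinct user names tried); many distinct
    names from one host is the signature of user-name guessing."""
    counts: Counter = Counter()
    users: Dict[str, Set[str]] = defaultdict(set)
    for a in attempts:
        if a.host:
            counts[a.host] += 1
            users[a.host].add(a.user)
    return sorted(((h, n, len(users[h])) for h, n in counts.items() if n >= threshold),
                  key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    records = parse_lastb(SAMPLE_LASTB)
    print("failures by user:", summarize(records)["by_user"].most_common())
    for host, failures, names in suspicious_sources(records):
        print(f"{host}: {failures} failures, {names} user names tried")
```

Because btmp only grows until it is rotated, run this over a bounded time window (lastb -s/-t, or the logrotate-managed copies) so old noise does not hide a new burst.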
User operation record
By default, every user's home directory contains a .bash_history file that records the commands the user has entered; through it an administrator can see what a user has done.
[root@mylinux log]# cat /root/.bash_history
#1493001194
htop
#1493352081
pip3 install Numpy
#1493707660
LS
#1493707661
ls
#1493707664
ls
#1493707668
cd /selinux/
#1493707669
ls
#1493707869
cat /etc/selinux/config
#1493708491
ls
#1493708497
...
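The '#1493001194' lines in the history above are epoch timestamps written by bash when HISTTIMEFORMAT is set, one before each command. As an added example (not code from the original article), the following Python pairs each command with its stamp and renders a UTC timeline; the sample history is constructed, not the page's file. A command line with no stamp of its own inherits the previous one, and commands that appear before any stamp get no time.

```python
"""Turn a timestamped .bash_history into a readable command timeline (added example)."""
import re
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed history in the format bash writes with HISTTIMEFORMAT set:
# a '#<epoch seconds>' line precedes each command.  Not the page's real file.
SAMPLE_HISTORY = """\
#1493001194
htop
#1493352081
pip3 install Numpy
#1493707660
ls
cd /selinux/
#1493707869
cat /etc/selinux/config
"""

# bash's own stamp lines: a '#' followed only by digits (a 9- or 10-digit epoch).
STAMP = re.compile(r"^#(\d{9,10})$")


def parse_history(text: str) -> List[Tuple[Optional[datetime], str]]:
    """Pair every command with the epoch stamp that precedes it, as UTC datetimes.

    A command without a stamp of its own inherits the previous one; commands that
    appear before any stamp (written before HISTTIMEFORMAT was enabled) get None."""
    timeline: List[Tuple[Optional[datetime], str]] = []
    current: Optional[datetime] = None
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            current = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
            continue
        if line.strip():
            timeline.append((current, line))
    return timeline


def format_timeline(text: str) -> List[str]:
    """Render 'YYYY-MM-DDTHH:MM:SSZ  command' lines suitable for a report."""
    out = []
    for when, cmd in parse_history(text):
        stamp = when.strftime("%Y-%m-%dT%H:%M:%SZ") if when else "unknown-time      "
        out.append(f"{stamp}  {cmd}")
    return out


if __name__ == "__main__":
    for entry in format_timeline(SAMPLE_HISTORY):
        print(entry)
```

Keep in mind when reading such a timeline that .bash_history is owned and writable by the user it belongs to and is only written when the shell exits normally, so it is a convenience for reconstructing activity, not a tamper-evident audit record.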
10.4. Loganalyzer log analysis tool
LogAnalyzer is a web front end for syslog logs and other network event data. It provides simple browsing and searching of logs, basic analysis and some chart reports. Data can be read from a database or from an ordinary syslog text file, so LogAnalyzer does not require changes to the existing logging setup. It can handle syslog messages and Windows event logs, and supports troubleshooting so that users can quickly find the cause of a problem in the log data.
LogAnalyzer can obtain client logs in two ways: either it reads the log files from the client's /var/log/ directory and stores them as files on the server, or it reads them and stores them in a database on the log server. The latter is recommended. LogAnalyzer is written in PHP, so the log server needs a PHP runtime environment, i.e. a LAMP stack.
1) install and configure the MySQL database service
[root@mylinux home]# yum install mysql mysql-server -y
[root@mylinux home]# /etc/init.d/mysqld start
2) install the rsyslog-mysql package
[root@mylinux log]# yum install rsyslog-mysql -y
3) create the database that rsyslog depends on:
[root@mylinux doc]# mysql < /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql
[root@localhost home]# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.1.73 Source distribution

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;       # check that the database was imported
+--------------------+
| Database           |
+--------------------+
| information_schema |
| Syslog             |
| mysql              |
| test               |
+--------------------+
4 rows in set (0.00 sec)
4) configure rsyslog to load the module, in /etc/rsyslog.conf
Enable the module in the #### MODULES #### section:
$ModLoad ommysql
In the #### RULES #### section, define the rule that writes messages to the database:
facility.priority    :ommysql:SERVER_IP,DATABASE,USERNAME,PASSWORD
[root@mylinux rsyslog.d]# vim /etc/rsyslog.conf
#### MODULES ####
$ModLoad ommysql
...
#### RULES ####
facility.priority    :ommysql:SERVER_IP,DATABASE,USERNAME,PASSWORD
[root@localhost home]# /etc/init.d/rsyslog restart
Shutting down system logger:                       [  OK  ]
Starting system logger:                            [  OK  ]
5) set up the LAMP environment and install LogAnalyzer
# yum -y install httpd php php-mysql php-gd
[root@localhost home]# httpd
httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain for ServerName
[root@mylinux home]# wget
[root@mylinux home]# tar xf loganalyzer-3.6.6.tar.gz
[root@mylinux home]# mkdir /var/www/html/loganalyzer
[root@mylinux home]# cp -R loganalyzer-3.6.6/src/* /var/www/html/loganalyzer/
[root@mylinux home]# cp -R loganalyzer-3.6.6/contrib/* /var/www/html/loganalyzer/
# cd /var/www/html/loganalyzer/
# chmod +x configure.sh secure.sh
# ./configure.sh
# ./secure.sh
# chmod 666 config.php
# chown -R apache.apache ./*
6) open the site address in a browser and follow the prompts to complete the configuration. The web installer needs config.php to be writable, which is why it was given mode 666 above; once the setup has finished, remove the write permission again. The database password is stored in plain text in both /etc/rsyslog.conf and config.php, so keep those files readable only by root and the web server user.
© 2024 shulou.com SLNews company. All rights reserved.