2025-03-28 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/03 Report--
Generally speaking, the log system on Linux is the record the system produces while it runs: whenever something happens, it is written down. Because problems differ in severity, there are levels that regulate how each event is recorded; because all logs gathered in one place would be very hard to sort, the log subsystem classifies them by source; and the location where each record is stored also has to be specified. The syslog process can therefore be divided into three parts:

1. how detailed the information is: the log level (priority)
2. which subsystem produced it: the facility
3. the action: where it is stored, or who records it

syslog also has an upgraded successor, syslog-ng (the next generation log system). syslog has had only this one major upgrade in all its years, so the improvement is very large, and the definitions of its functions have also changed considerably; keep this in mind when using it. syslog is described first.

Syslog: to make the log information generated by each subsystem easy to review, a dedicated syslog service records it centrally. Its task is to record the logs generated by each subsystem, and every program can be thought of as a subsystem. However, some services, such as web servers, define their own record format and location instead of using syslog, so the users of syslog are mostly the facilities at the core of the system. It can be understood as two services:

syslogd: system, non-kernel information
klogd: kernel; responsible for recording the log information generated by the kernel

The detail format of the information recorded by syslogd and that recorded by klogd is quite different.
Kernel --> physical terminal (/dev/console) --> /var/log/dmesg

At power-on the kernel loads, and the system's virtual terminal service is not yet running (it is started by init), so at this point the information is shown on the physical terminal, whose device is /dev/console. This includes the parameters of the system hardware and so on, and all of it is stored in /var/log/dmesg. You can view it with:

# dmesg

or

# cat /var/log/dmesg

(No screenshot is included here, because the output is far too long.)

/sbin/init

/var/log/messages: the system's standard error log information; boot information generated outside the kernel; information generated by each subsystem. This file is rotated repeatedly; the rotation (log cutting) is performed by logrotate:

messages messages.1 messages.2 messages.3

When the content of messages reaches a certain amount, the file is renamed and recording starts afresh. When the messages.# files reach a certain number, the system automatically deletes some of them. (The condition for rolling over to a new .# file can be time, a size limit, or both.) The cutting is executed by logrotate, whose configuration file is /etc/logrotate.conf. The script file /etc/cron.daily/logrotate is shown in figure 1, which can be viewed for understanding:
/var/log/maillog: log information generated by the mail system
/var/log/secure: security and permission related information, which is generally not readable by other users
Syslog: syslogd and klogd
The configuration file definition format is: facility.priority action
Facility can be understood as the source of the log, or the device that produced it. The facilities commonly used at present are:

auth              # authentication related
authpriv          # permissions and authorization related
cron              # task scheduling related
daemon            # daemon related
kern              # kernel related
lpr               # printing related
mail              # mail related
mark              # timestamp marks
news              # news related
security          # security related; equivalent to auth
syslog            # syslog itself
user              # user related
uucp              # unix-to-unix copy related
local0 to local7  # for user-defined use
*                 # all facilities

To summarize the three fields: the facility says who generated the log, the priority says what level it has, and the action says what is done with it.
The priority is the log level. The usual levels are, from low to high:

debug          # debugging information of the program or system
info           # general information
notice         # does not affect normal function, but is a message that needs attention
warning/warn   # may affect the function of the system; important events that users need to be alerted to
err/error      # error message
crit           # critical condition
alert          # must be dealt with immediately
emerg/panic    # the system will become unusable
*              # all log levels
none           # the opposite of *: nothing at all
The action is where the log is recorded:

absolute path on the system  # an ordinary file, e.g. /var/log/xxx
|                            # a pipe: the message is sent to another command for processing
terminal                     # a terminal such as /dev/console
@HOST                        # a remote host, e.g. @10.0.0.1
users                        # system users, e.g. root
*                            # all users currently logged in to the system; this is the usual way to define it
Examples of the definition format:

mail.info /var/log/mail.log   # record mail-related information at level info and above in the file /var/log/mail.log
auth.=info @10.0.0.1          # record auth-related information at exactly the info level to the host 10.0.0.1 (provided 10.0.0.1 accepts log information from other hosts)
user.!err                     # record user-related information, excluding error-level messages
user.!=err                    # the opposite of user.=err
*.info                        # record all log information at level info and above
mail.*                        # record all levels of mail-related information
*.*                           # you can guess
cron.info;mail.info           # several log sources can be separated with ";"
cron,mail.info                # equivalent to cron.info;mail.info

Selectors can also be combined to exclude a single level, for example to record all mail-related information except the info level.

II. syslog-ng details (excerpt from http://ant595.blog.51cto.com/5074217/1080922)
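The selector rules above, as an added illustration that is not code from the page: a small Python model of how a sysklogd-style "facility.priority action" line decides which actions a message reaches. The configuration in SAMPLE_CONF is constructed from the page's own examples, and the subtractive handling of "!" and "none" follows sysklogd's left-to-right processing of the selectors on one line, which is why "user.*;user.!err" records user messages below err while "user.!err" on its own selects nothing.

```python
# Added illustration, not code from the page: a model of how a sysklogd-style
# "facility.priority action" line selects messages. SAMPLE_CONF is constructed
# from the page's own selector examples.

# priorities from most to least severe (index = severity rank)
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRIORITY_ALIAS = {"panic": "emerg", "error": "err", "warn": "warning"}
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "mark",
              "news", "syslog", "user", "uucp"] + ["local%d" % i for i in range(8)]
FACILITY_ALIAS = {"security": "auth"}   # "security" is an older name for auth


def canon_priority(name):
    name = PRIORITY_ALIAS.get(name, name)
    if name not in PRIORITIES:
        raise ValueError("unknown priority: " + name)
    return name


def canon_facility(name):
    name = FACILITY_ALIAS.get(name, name)
    if name not in FACILITIES:
        raise ValueError("unknown facility: " + name)
    return name


def parse_selector_line(line):
    """Turn 'sel1;sel2 action' into (mask, action).

    mask maps every facility to the set of priorities the action receives.
    Selectors are applied left to right, as sysklogd does, so a later
    selector can add to or subtract from what earlier ones chose:
      prio    prio and everything more severe
      =prio   exactly that priority
      !...    subtract instead of add
      *       all priorities
      none    nothing from that facility
    """
    selectors, action = line.split(None, 1)
    mask = {f: set() for f in FACILITIES}
    for sel in selectors.split(";"):
        fac_part, prio_part = sel.rsplit(".", 1)
        facs = FACILITIES if fac_part == "*" else [canon_facility(f) for f in fac_part.split(",")]
        subtract = prio_part.startswith("!")
        if subtract:
            prio_part = prio_part[1:]
        if prio_part == "*":
            chosen = set(PRIORITIES)
        elif prio_part == "none":
            chosen, subtract = set(PRIORITIES), True
        elif prio_part.startswith("="):
            chosen = {canon_priority(prio_part[1:])}
        else:
            chosen = set(PRIORITIES[: PRIORITIES.index(canon_priority(prio_part)) + 1])
        for f in facs:
            if subtract:
                mask[f] -= chosen
            else:
                mask[f] |= chosen
    return mask, action.strip()


def matches(mask, facility, priority):
    """Would a message tagged facility.priority reach the line's action?"""
    return canon_priority(priority) in mask[canon_facility(facility)]


def route(config_lines, facility, priority):
    """Return, in file order, every action a facility.priority message is sent to."""
    actions = []
    for line in config_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mask, action = parse_selector_line(line)
        if matches(mask, facility, priority):
            actions.append(action)
    return actions


# constructed configuration built from the page's selector examples
SAMPLE_CONF = """
mail.info            /var/log/mail.log
auth.=info           @10.0.0.1
user.*;user.!err     /var/log/user-noerr.log
*.info;mail.none     /var/log/messages
cron,mail.info       /var/log/cron-mail.log
""".splitlines()

if __name__ == "__main__":
    for fac, pri in [("mail", "err"), ("auth", "info"), ("auth", "warning"), ("user", "crit")]:
        print("%s.%s -> %s" % (fac, pri, route(SAMPLE_CONF, fac, pri)))
```

Running it shows that a mail.err message lands in two files (mail.log and cron-mail.log) but not in messages, because "mail.none" on the messages line removed everything mail-related that "*.info" had added, and that a user.crit message skips user-noerr.log because "user.!err" subtracted err and everything more severe. The "@10.0.0.1" action is a plain UDP forward with no authentication or encryption, so the receiving host has to be restricted to the senders it expects.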
1. Introduction to syslog-ng
syslog-ng (syslog next generation) is an upgraded version of syslog. There are two editions, a paid one and an open-source one. As the successor to syslog its features are, as one would expect, much more powerful, for example:

High performance
Reliable transmission
Support for multiple platforms
High reliability
A large user base
Powerful log filtering and sorting
Event labels and correlation
Support for the latest IETF standards
and so on.

Home page of the open-source edition: http://www.balabit.com/network-security/syslog-ng/opensource-logging-system/overview

2. Installing syslog-ng
RHEL 5.x does not use syslog-ng for logging by default. If you need it, compile and install it yourself as follows:

# yum install gcc*
# cd /usr/src
# wget http://www.balabit.com/downloads/files/syslog-ng/sources/3.2.4/source/eventlog_0.2.12.tar.gz
# wget http://www.balabit.com/downloads/files/syslog-ng/open-source-edition/3.3.5/source/syslog-ng_3.3.5.tar.gz
# tar xvf eventlog_0.2.12.tar.gz
# cd eventlog-0.2.12
# ./configure --prefix=/usr/local/eventlog
# make
# make install
#
# cd /usr/src
# tar xvf syslog-ng_3.3.5.tar.gz
# cd syslog-ng-3.3.5
# export PKG_CONFIG_PATH=/usr/local/eventlog/lib/pkgconfig
# ./configure --prefix=/usr/local/syslog-ng
# make
# make install

Add syslog-ng as a system service:

# vim /etc/init.d/syslog-ng

with the following content:

#!/bin/bash
#
# chkconfig: - 60 27
# description: syslog-ng SysV script.

. /etc/rc.d/init.d/functions

syslog_ng=/usr/local/syslog-ng/sbin/syslog-ng
prog=syslog-ng
pidfile=/usr/local/syslog-ng/var/syslog-ng.pid
lockfile=/usr/local/syslog-ng/var/syslog-ng.lock
RETVAL=0
STOP_TIMEOUT=${STOP_TIMEOUT-10}

start() {
    echo -n $"Starting $prog: "
    daemon --pidfile=$pidfile $syslog_ng $OPTIONS
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && touch ${lockfile}
    return $RETVAL
}

stop() {
    echo -n $"Stopping $prog: "
    killproc -p $pidfile -d $STOP_TIMEOUT $syslog_ng
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && rm -f $lockfile $pidfile
    return $RETVAL
}

case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  status)
    status -p $pidfile $syslog_ng
    RETVAL=$?
    ;;
  restart)
    stop
    start
    ;;
  *)
    echo $"Usage: $prog {start|stop|restart|status}"
    RETVAL=2
esac
exit $RETVAL

Then make the script executable, stop the old syslogd, and register and start the new service:

# chmod a+x /etc/init.d/syslog-ng
# killall syslogd
# chkconfig --add syslog-ng
# chkconfig syslog-ng on
# service syslog-ng start
3. The syslog-ng configuration file in detail

At this point the syslog-ng service is running. The configuration file is etc/syslog-ng.conf under the installation directory, i.e. /usr/local/syslog-ng/etc/syslog-ng.conf with the prefix used above.
The syslog-ng.conf file consists of the following parts:

# global options; separate multiple options with ";"
options { ... };
# log sources
source s_name { ... };
# filter rules; regular expressions may be used. This part is optional, and it does not matter if no filter is defined
filter f_name { ... };
# destinations
destination d_name { ... };
# message chain: links several sources, filter rules and destinations into one chain
log { ... };

The details are as follows.

options { long_hostnames(off); sync(0); perm(0640); stats(3600); };

More options:

chain_hostnames(yes|no)      # enable the hostname chain; useful when logs are forwarded across several network segments
long_hostnames(yes|no)       # alias for chain_hostnames; no longer recommended
keep_hostname(yes|no)        # keep the hostname stored in the log message
use_dns(yes|no)              # enable DNS lookups
use_fqdn(yes|no)             # use the fully qualified domain name
check_hostname(yes|no)       # check whether the hostname contains illegal characters
bad_hostname(regexp)         # regular expression describing hosts whose messages are not accepted
dns_cache(yes|no)            # enable the DNS cache
dns_cache_expire(n)          # with the DNS cache on, expiry time of a successful lookup
dns_cache_expire_failed(n)   # with the DNS cache on, expiry time of a failed lookup
dns_cache_size(n)            # number of hostnames kept in the DNS cache
create_dirs(yes|no)          # permission to create the target directory when it does not exist
dir_owner(uid)               # UID of created directories
dir_group(gid)               # GID of created directories
dir_perm(perm)               # permissions of created directories, written in octal, e.g. 0644
owner(uid)                   # UID of created files
group(gid)                   # GID of created files
perm(perm)                   # permissions of created files, likewise in octal
gc_busy_threshold(n)         # when syslog-ng is busy, garbage collection starts once this many objects have been allocated; default 3000
gc_idle_threshold(n)         # when syslog-ng is idle, garbage collection starts once this many objects have been allocated; default 100
log_fifo_size(n)             # number of lines in the output queue
log_msg_size(n)              # maximum size of a log message (bytes)
mark(n)                      # interval in seconds between two MARK lines, for reference; not implemented at present
stats(n)                     # interval in seconds between two STATS lines; default 600
sync(n)                      # how many lines are buffered before being written to the file; 0 means no buffering; local settings can override this value
time_reap(n)                 # after how many seconds without a message the connection to a file is closed
time_reopen(n)               # for dead connections, after how many seconds a reconnect is attempted
use_time_recvd(yes|no)       # whether macros use the time the message was received or the time recorded in the log; it is better to use the R_ macros for the receive time and the S_ macros for the logged time than to rely on this value

source s_name { internal(); unix-dgram("/dev/log"); udp(ip("0.0.0.0") port(514)); };

Source drivers:

file(filename)                  # read log messages from the specified file
unix-dgram(filename)            # open the specified SOCK_DGRAM unix socket and receive log messages
unix-stream(filename)           # open the specified SOCK_STREAM unix socket and receive log messages
udp((ip), (port))               # receive log messages on the specified UDP port
tcp((ip), (port))               # receive log messages on the specified TCP port
sun-streams(filename)           # on Solaris, open one (or more) specified STREAMS devices and read log messages from them
internal()                      # messages generated inside syslog-ng
pipe(filename), fifo(filename)  # read log messages from the specified pipe or FIFO device

filter f_name { not facility(news, mail) and not filter(f_iptables); };

More filter functions:

facility(...)        # select log messages by facility (device); separate several facilities with commas
level(...)           # select log messages by level (priority); separate several levels with commas, or use ".." for a range
program(expression)  # whether the program name of the log message matches a regular expression
host(expression)     # whether the hostname of the log message matches a regular expression
match(expression)    # regular-expression match against the content of the log message
filter()             # call another filter rule and use its value

The logical operators and, or and not can be used when defining a rule.

destination d_name { file("/var/log/messages"); };

More destination drivers:

file(filename)                  # write log messages to the specified file
unix-dgram(filename)            # write log messages to the specified SOCK_DGRAM unix socket
unix-stream(filename)           # write log messages to the specified SOCK_STREAM unix socket
udp((ip), (port))               # send log messages to the specified UDP port
tcp((ip), (port))               # send log messages to the specified TCP port
usertty(username)               # send log messages to the terminal window of the specified logged-in user
pipe(filename), fifo(filename)  # send log messages to the specified pipe or FIFO device
program(parm)                   # start the specified program and send log messages to its standard input

log { source(s_name); filter(f_name); destination(d_name); };

The processing flow of a log message is as follows:
First, the log source: source s_name { ... };
Then the filter rule: filter f_name { ... };
Then the message chain: log { source(s_name); filter(f_name); destination(d_name); };
Finally, the target action: destination d_name { ... };
In this way a log message is processed according to your intention. It is important to note that a message is tested against every log statement that is defined; matching one statement does not stop it from being matched by the later ones (unless the matching statement carries flags(final), as several in the example below do).

4. Example syslog-ng configuration file

$syslog-ng_path/etc/syslog-ng.conf:

options { long_hostnames(off); sync(0); perm(0640); stats(3600); };

source src {
    internal();
    unix-dgram("/dev/log");
    # the log source is UDP port 514 on the local machine
    udp(ip("0.0.0.0") port(514));
};

filter f_iptables   { facility(kern) and match("IN=") and match("OUT="); };
filter f_console    { level(warn) and facility(kern) and not filter(f_iptables) or level(err) and not facility(authpriv); };
filter f_newsnotice { level(notice) and facility(news); };
filter f_newscrit   { level(crit) and facility(news); };
filter f_newserr    { level(err) and facility(news); };
filter f_news       { facility(news); };
filter f_mailinfo   { level(info) and facility(mail); };
filter f_mailwarn   { level(warn) and facility(mail); };
filter f_mailerr    { level(err, crit) and facility(mail); };
filter f_mail       { facility(mail); };
filter f_cron       { facility(cron); };
filter f_local      { facility(local0, local1, local2, local3, local4, local6, local7); };
filter f_acpid_full { match('^acpid:'); };
filter f_acpid      { level(emerg..notice) and match('^acpid:'); };
filter f_acpid_old  { match('^\[acpid\]:'); };
filter f_netmgm     { match('^NetworkManager:'); };
filter f_messages   { not facility(news, mail) and not filter(f_iptables); };
filter f_warn       { level(warn, err, crit) and not filter(f_iptables); };
filter f_alert      { level(alert); };

destination console { pipe("/dev/tty10" owner(-1) group(-1) perm(-1)); };
log { source(src); filter(f_console); destination(console); };

destination xconsole { pipe("/dev/xconsole" owner(-1) group(-1) perm(-1)); };
log { source(src); filter(f_console); destination(xconsole); };

destination newscrit { file("/var/log/news/news.crit" owner(news) group(news)); };
log { source(src); filter(f_newscrit); destination(newscrit); };

destination newserr { file("/var/log/news/news.err" owner(news) group(news)); };
log { source(src); filter(f_newserr); destination(newserr); };

destination newsnotice { file("/var/log/news/news.notice" owner(news) group(news)); };
log { source(src); filter(f_newsnotice); destination(newsnotice); };

destination mailinfo { file("/var/log/mail.info"); };
log { source(src); filter(f_mailinfo); destination(mailinfo); };

destination mailwarn { file("/var/log/mail.warn"); };
log { source(src); filter(f_mailwarn); destination(mailwarn); };

destination mailerr { file("/var/log/mail.err" fsync(yes)); };
log { source(src); filter(f_mailerr); destination(mailerr); };

destination mail { file("/var/log/mail"); };
log { source(src); filter(f_mail); destination(mail); };

destination acpid { file("/var/log/acpid"); };
destination null { };
log { source(src); filter(f_acpid); destination(acpid); flags(final); };
log { source(src); filter(f_acpid_full); destination(null); flags(final); };
log { source(src); filter(f_acpid_old); destination(acpid); flags(final); };

destination netmgm { file("/var/log/NetworkManager"); };
log { source(src); filter(f_netmgm); destination(netmgm); flags(final); };

destination localmessages { file("/var/log/localmessages"); };
log { source(src); filter(f_local); destination(localmessages); };

destination messages { file("/var/log/messages"); };
log { source(src); filter(f_messages); destination(messages); };

destination firewall { file("/var/log/firewall"); };
log { source(src); filter(f_iptables); destination(firewall); };

destination warn { file("/var/log/warn" fsync(yes)); };
log { source(src); filter(f_warn); destination(warn); };

filter f_ha { facility(local5); };
destination hamessages { file("/var/log/ha"); };
log { source(src); filter(f_ha); destination(hamessages); };
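The matching rule described in the processing flow and the example configuration above, as an added illustration that is not code from the page or from syslog-ng: a small Python model of how syslog-ng walks its log statements. Six of the example's filters are rewritten as Python predicates (and/or/not map directly onto Python's operators), the log statements keep the file order of the example, and the messages in the test run are constructed samples. The message text is assumed to start with the program tag, which is what the '^acpid:' patterns in the example rely on.

```python
# Added illustration, not code from the page or from syslog-ng: a model of how
# syslog-ng tests a message against every log statement, and how flags(final)
# ends that walk. Filters mirror the page's example configuration; messages
# are constructed samples.

import re
from dataclasses import dataclass

# syslog-ng level names, most to least severe (used for the lo..hi range form)
LEVELS = ["emerg", "alert", "crit", "err", "warn", "notice", "info", "debug"]


@dataclass
class Message:
    facility: str
    level: str
    text: str   # message body; assumed to begin with the program tag, e.g. "acpid: ..."


def level_in(msg, *names):
    """level(a, b) or level(lo..hi) from the page: names may include a range."""
    wanted = set()
    for n in names:
        if ".." in n:
            lo, hi = n.split("..")
            wanted.update(LEVELS[LEVELS.index(lo): LEVELS.index(hi) + 1])
        else:
            wanted.add(n)
    return msg.level in wanted


def facility_in(msg, *names):
    """facility(a, b, ...) from the page."""
    return msg.facility in names


def match(msg, pattern):
    """match(expression): regular-expression search over the message text."""
    return re.search(pattern, msg.text) is not None


# filters taken from the page's example, written as predicates
FILTERS = {
    "f_iptables":   lambda m: facility_in(m, "kern") and match(m, "IN=") and match(m, "OUT="),
    "f_mailinfo":   lambda m: level_in(m, "info") and facility_in(m, "mail"),
    "f_mail":       lambda m: facility_in(m, "mail"),
    "f_acpid_full": lambda m: match(m, r"^acpid:"),
    "f_acpid":      lambda m: level_in(m, "emerg..notice") and match(m, r"^acpid:"),
    "f_messages":   lambda m: not facility_in(m, "news", "mail") and not FILTERS["f_iptables"](m),
}

# log statements in the example's file order: (filter, destination, flags(final)?)
LOG_PATHS = [
    ("f_mailinfo",   "/var/log/mail.info", False),
    ("f_mail",       "/var/log/mail",      False),
    ("f_acpid",      "/var/log/acpid",     True),
    ("f_acpid_full", "null",               True),
    ("f_messages",   "/var/log/messages",  False),
    ("f_iptables",   "/var/log/firewall",  False),
]


def route(msg, paths=LOG_PATHS):
    """Return the destinations that receive msg, in order.

    Every log statement is tested; a matching statement with flags(final)
    stops the walk, so later statements never see the message."""
    hits = []
    for name, dest, final in paths:
        if FILTERS[name](msg):
            hits.append(dest)
            if final:
                break
    return hits


if __name__ == "__main__":
    samples = [   # constructed messages
        Message("kern",   "warn",   "IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1"),
        Message("mail",   "info",   "postfix/smtpd: connect from host"),
        Message("daemon", "notice", "acpid: client connected"),
        Message("daemon", "info",   "acpid: client connected"),
        Message("daemon", "info",   "sshd: session opened"),
    ]
    for m in samples:
        print("%s.%s %r -> %s" % (m.facility, m.level, m.text, route(m)))
```

Running it shows the two things the text is making. An acpid message at info level is delivered only to the null destination: f_acpid does not accept that level, f_acpid_full does, and its flags(final) stops the walk before f_messages is reached, so the line never appears in /var/log/messages. That kind of silent drop is the first thing to look for when an expected entry is missing. A mail message at info level, by contrast, is matched by two statements and lands in both mail.info and mail. Note also that the udp(ip("0.0.0.0") port(514)) source in the example accepts datagrams from any host without authentication, so a collector configured this way should only be reachable from the hosts that are meant to send to it.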