Linux log management

AAA in logging:

  • Authentication
  • Authorization
  • Account Audit (auditing)

dmesg

View the kernel ring buffer, i.e. the log messages related to system boot

[root@localhost ~]# dmesg
[    0.000000] Linux version 4.18.0-193.el8.x86_64 (mockbuild@x86-vm-08.build.eng.bos.redhat.com) (gcc version 8.3.1 20191121 (Red Hat 8.3.1-5) (GCC)) #1 SMP Fri Mar 27 14:35:58 UTC 2020
[    0.000000] Command line: BOOT_IMAGE=(hd0,msdos1)/vmlinuz-4.18.0-193.el8.x86_64 root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet
[    0.000000] Disabled fast string operations
[    0.000000] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'
[    0.000000] x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers'
[    0.000000] x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers'
[    0.000000] x86/fpu: Supporting XSAVE feature 0x020: 'AVX-512 opmask'
[    0.000000] x86/fpu: Supporting XSAVE feature 0x040: 'AVX-512 Hi256'
[    0.000000] x86/fpu: Supporting XSAVE feature 0x080: 'AVX-512 ZMM_Hi256'
[    0.000000] x86/fpu: Supporting XSAVE feature 0x200: 'Protection Keys User registers'
......

Viewing log messages

Logs are usually viewed with tail -f, which follows the file and refreshes in real time

View error and other system messages that are not kernel messages

[root@localhost ~]# tail -f /var/log/messages
Dec 15 15:31:04 localhost NetworkManager[1122]: <info>  [1608017464.0147] dhcp4 (ens160): option requested_subnet_mask => '1'
Dec 15 15:31:04 localhost NetworkManager[1122]: <info>  [1608017464.0147] dhcp4 (ens160): option requested_time_offset => '1'
Dec 15 15:31:04 localhost NetworkManager[1122]: <info>  [1608017464.0147] dhcp4 (ens160): option requested_wpad       => '1'
Dec 15 15:31:04 localhost NetworkManager[1122]: <info>  [1608017464.0147] dhcp4 (ens160): option routers              => '192.168.237.2'
Dec 15 15:31:04 localhost NetworkManager[1122]: <info>  [1608017464.0147] dhcp4 (ens160): option subnet_mask          => '255.255.255.0'
Dec 15 15:31:04 localhost NetworkManager[1122]: <info>  [1608017464.0147] dhcp4 (ens160): state changed extended -> extended
Dec 15 15:31:04 localhost dbus-daemon[1033]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service' requested by ':1.8' (uid=0 pid=1122 comm="/usr/sbin/NetworkManager --no-daemon " label="system_u:system_r:NetworkManager_t:s0")
Dec 15 15:31:04 localhost systemd[1]: Starting Network Manager Script Dispatcher Service...
Dec 15 15:31:04 localhost dbus-daemon[1033]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Dec 15 15:31:04 localhost systemd[1]: Started Network Manager Script Dispatcher Service.

View the log messages produced by the mail system

[root@localhost ~]# tail -f /var/log/maillog

View the security-related (authentication) log messages

[root@localhost ~]# tail -f /var/log/secure
Dec  4 15:14:04 localhost polkitd[1021]: Loading rules from directory /usr/share/polkit-1/rules.d
Dec  4 15:14:04 localhost polkitd[1021]: Finished loading, compiling and executing 2 rules
Dec  4 15:14:04 localhost polkitd[1021]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Dec  4 15:14:06 localhost sshd[1133]: Server listening on 0.0.0.0 port 22.
Dec  4 15:14:06 localhost sshd[1133]: Server listening on :: port 22.
Dec  4 15:14:15 localhost systemd[4268]: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Dec  4 15:14:15 localhost login[1158]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Dec  4 15:14:15 localhost login[1158]: ROOT LOGIN ON tty1
Dec 15 14:16:49 localhost sshd[5378]: Accepted password for root from 192.168.237.1 port 65504 ssh2
Dec 15 14:16:49 localhost sshd[5378]: pam_unix(sshd:session): session opened for user root by (uid=0)

priority (log level)

The usual levels, from low to high; the lower the level, the more detailed the messages:

Level            Meaning
debug            Debugging information from a program or the system
info             General informational messages
notice           Normal conditions that do not affect function but deserve attention
warning/warn     Important events that may affect system function and should be brought to the user's attention
err/error        Error conditions
crit             Critical, fairly serious conditions
alert            Action must be taken immediately
emerg/panic      Conditions that will make the system unusable
*                All log levels
none             The opposite of *: no level at all

Remote log collection:

Why collect logs centrally?

Because they are needed for large-scale analysis: finding the causes of problems so the system can be improved.

  • ELK

    • elasticsearch: stores and analyzes the logs

    • logstash: log collection tool

    • kibana: front-end display tool

[root@localhost ~]# tty
/dev/pts/0
//Send every log message to this terminal
[root@localhost ~]# vi /etc/rsyslog.conf
*.* /dev/pts/0
//Restart the logging service
[root@localhost ~]# systemctl restart rsyslog
[root@localhost ~]# Dec 15 16:04:08 localhost systemd[1]: Stopping System Logging Service...
Dec 15 16:04:09 localhost rsyslogd[1366]: [origin software="rsyslogd" swVersion="8.1911.0-3.el8" x-pid="1366" x-info="https://www.rsyslog.com"] exiting on signal 15.
Dec 15 16:04:09 localhost systemd[1]: Stopped System Logging Service.
Dec 15 16:04:09 localhost systemd[1]: Starting System Logging Service...
Dec 15 16:04:09 localhost rsyslogd[47457]: [origin software="rsyslogd" swVersion="8.1911.0-3.el8" x-pid="47457" x-info="https://www.rsyslog.com"] start
Dec 15 16:04:09 localhost systemd[1]: Started System Logging Service.
Dec 15 16:04:09 localhost rsyslogd[47457]: imjournal: journal files changed, reloading...  [v8.1911.0-3.el8 try https://www.rsyslog.com/e/0 ]
//After deliberately logging in with a wrong password
Dec 15 16:05:11 localhost unix_chkpwd[47464]: password check failed for user (root)
Dec 15 16:05:11 localhost sshd[47462]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.237.1  user=root
Dec 15 16:05:12 localhost sshd[47462]: Failed password for root from 192.168.237.1 port 52482 ssh2
Dec 15 16:05:18 localhost sshd[47462]: error: Received disconnect from 192.168.237.1 port 52482:0:  [preauth]
Dec 15 16:05:18 localhost sshd[47462]: Disconnected from authenticating user root 192.168.237.1 port 52482 [preauth]

Examples of selector syntax

mail.info /var/log/maillog

Record mail-facility messages at level info and above, synchronously, to /var/log/maillog

mail.* -/var/log/maillog

Record all mail-facility messages asynchronously to /var/log/maillog; the "-" before the path selects asynchronous mode

#Synchronous: write as soon as data arrives; the writer waits for data all the time and can do nothing else
#Asynchronous: wait until more data has accumulated before writing; other work can be done while waiting

user.!=error / user.!error

Record user-facility messages but exclude the error level, the opposite of user.error (!=error excludes exactly the error level, !error excludes error and every level above it)

*.info

Record messages from every facility at level info and above

mail.*

Record mail-facility messages at every level

*.*

Record all messages from all facilities at all levels

cron.info;mail.info

Multiple selectors can be separated with semicolons

cron,mail.info

Equivalent to cron.info;mail.info

mail.*;mail.!=info

Record mail-facility messages at every level except info
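As an added example that is not part of the original post (and not rsyslog's own code), here is a small Python model of how rsyslog evaluates the selectors listed above together with the level ordering from the priority table. It follows the classic sysklogd rules that rsyslog keeps for legacy selectors: a bare priority means that level and above, `=` means exactly that level, `!` and `!=` subtract, and sub-selectors separated by `;` are applied left to right so later ones refine earlier ones. The facility and priority tables are the standard syslog(3) ones; the selectors exercised at the bottom are the ones from the text.

```python
# Facility names as defined by syslog(3).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]
# Numeric priorities as in syslog(3): 0 is the most severe, 7 the least.
PRIORITIES = {"emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
              "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7}
ALL = set(range(8))


def parse_selector(selector):
    """Return {facility: set of selected priority numbers} for one selector field.

    A bare priority selects that level and everything more severe; '=' selects
    exactly that level; '!' removes that level and everything more severe;
    '!=' removes exactly that level; '*' means every level and 'none' no level.
    Sub-selectors separated by ';' are applied left to right, so a later one
    refines an earlier one, as in 'mail.*;mail.!=info'.
    """
    mask = {fac: set() for fac in FACILITIES}
    for part in selector.split(";"):
        part = part.strip()
        if not part:
            continue
        facs, dot, pri = part.rpartition(".")
        if not dot or not facs or not pri:
            raise ValueError(f"malformed selector: {part!r}")
        fac_list = FACILITIES if facs == "*" else [f.strip() for f in facs.split(",")]
        negate = pri.startswith("!")
        pri = pri[1:] if negate else pri
        exact = pri.startswith("=")
        pri = pri[1:] if exact else pri

        if pri == "none":
            chosen = set()
        elif pri == "*":
            chosen = set(ALL)
        elif pri in PRIORITIES:
            level = PRIORITIES[pri]
            chosen = {level} if exact else set(range(level + 1))
        else:
            raise ValueError(f"unknown priority: {pri!r}")

        for fac in fac_list:
            if fac not in mask:
                raise ValueError(f"unknown facility: {fac!r}")
            if pri in ("none", "*"):
                # 'none' and '*' replace the facility's mask outright (negated: the inverse).
                mask[fac] = (ALL - chosen) if negate else set(chosen)
            elif negate:
                mask[fac] -= chosen
            else:
                mask[fac] |= chosen
    return mask


def matches(selector, facility, priority):
    """True if a message with this facility and priority is selected by the line."""
    return PRIORITIES[priority] in parse_selector(selector)[facility]


if __name__ == "__main__":
    for sel, fac, pri in [("mail.info", "mail", "debug"),
                          ("*.info", "kern", "notice"),
                          ("mail.*;mail.!=info", "mail", "info"),
                          ("user.*;user.!err", "user", "crit"),
                          ("user.*;user.!=err", "user", "crit")]:
        print(f"{sel:22} {fac}.{pri:8} -> {matches(sel, fac, pri)}")
```

One caveat the model makes visible: a `!` or `!=` sub-selector only subtracts from what earlier sub-selectors on the same line selected, so `user.!=err` on its own selects nothing and is normally written as `user.*;user.!=err`.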

Format of the records in the text log files (/var/log/messages):

date and time of the event  host  process[pid]: event content

Dec 15 16:16:04 localhost NetworkManager[1122]: <info>  [1608020164.0143] dhcp4 (ens160): option requested_subnet_mask => '1'

Logs stored in binary format

/var/log/wtmp

Records the successful logins on the system; view it with the last command

[root@localhost ~]# file /var/log/btmp
/var/log/btmp: data
[root@localhost ~]# last
root     pts/0        192.168.237.1    Tue Dec 15 14:16   still logged in
root     tty1                          Fri Dec  4 15:14    gone - no logout
reboot   system boot  4.18.0-193.el8.x Fri Dec  4 15:14   still running
wtmp begins Fri Dec  4 15:14:01 2020

/var/log/btmp

Records the failed login attempts on the system; view it with the lastb command

[root@localhost ~]# file /var/log/wtmp
/var/log/wtmp: firmware 0 v0 (revision 0)   V2, 0 bytes or less, UNKNOWN2 0x38365f36, at 0x0 0 bytes , at 0x0 0 bytes
[root@localhost ~]# lastb
root     ssh:notty    192.168.237.1    Tue Dec 15 16:05 - 16:05  (00:00)
btmp begins Tue Dec 15 16:05:12 2020
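The `file` command above only reports "data" because wtmp and btmp are arrays of fixed-size `struct utmp` records. As an added example that is not part of the original post, the following Python reads that layout directly and renders the records roughly the way `last` and `lastb` do. It assumes the glibc x86_64 layout (384 bytes per record, `ut_type`, `ut_pid`, `ut_line`, `ut_id`, `ut_user`, `ut_host`, exit status, session, 32-bit timeval, `ut_addr_v6`, padding); other architectures or libcs can differ, which is why the parser checks the file size against the record size. The sample records are constructed here, modeled on the `last`/`lastb` output in the text.

```python
import struct
import datetime
import ipaddress

# struct utmp as glibc lays it out on x86_64 (384 bytes per record). Assumption:
# the wtmp/btmp files on the RHEL 8 host in the text use this layout.
UTMP_FORMAT = "<hxxi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)  # 384

BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8   # ut_type values used by last/lastb
TYPE_NAMES = {BOOT_TIME: "boot", USER_PROCESS: "login", DEAD_PROCESS: "logout"}


def cstr(raw):
    """Decode a NUL-padded C string field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data):
    """Yield one dict per fixed-size record in a wtmp/btmp byte string."""
    if len(data) % UTMP_SIZE:
        raise ValueError(f"size is not a multiple of {UTMP_SIZE}: truncated file or other layout")
    for off in range(0, len(data), UTMP_SIZE):
        (ut_type, pid, line, _ident, user, host, _term, _exit, _session,
         tv_sec, _tv_usec, addr) = struct.unpack_from(UTMP_FORMAT, data, off)
        # ut_addr_v6 holds an IPv4 address in its first 4 bytes (network order) or a full IPv6 address.
        if addr[4:] == b"\0" * 12:
            ip = str(ipaddress.IPv4Address(addr[:4])) if addr[:4] != b"\0" * 4 else ""
        else:
            ip = str(ipaddress.IPv6Address(addr))
        yield {
            "type": TYPE_NAMES.get(ut_type, f"type{ut_type}"),
            "pid": pid,
            "line": cstr(line),
            "user": cstr(user),
            "host": cstr(host) or ip,
            "ip": ip,
            "time": datetime.datetime.fromtimestamp(tv_sec, datetime.timezone.utc),
        }


def make_record(ut_type, pid, line, user, host, when, ip=""):
    """Pack one record in the same layout; used here only to build the sample input."""
    addr = ipaddress.ip_address(ip).packed if ip else b""
    ts = int(when.replace(tzinfo=datetime.timezone.utc).timestamp())
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, addr)


def render(data):
    """Format records roughly the way last/lastb print them."""
    return [f"{r['user']:<8} {r['line']:<12} {r['host']:<16} {r['time']:%a %b %d %H:%M}"
            for r in parse_utmp(data)]


# Constructed sample files, modeled on the last/lastb output in the text.
SAMPLE_WTMP = (
    make_record(BOOT_TIME, 0, "~", "reboot", "4.18.0-193.el8.x86_64",
                datetime.datetime(2020, 12, 4, 15, 14))
    + make_record(USER_PROCESS, 5378, "pts/0", "root", "192.168.237.1",
                  datetime.datetime(2020, 12, 15, 14, 16), ip="192.168.237.1")
)
SAMPLE_BTMP = make_record(USER_PROCESS, 47462, "ssh:notty", "root", "192.168.237.1",
                          datetime.datetime(2020, 12, 15, 16, 5), ip="192.168.237.1")

if __name__ == "__main__":
    print("\n".join(render(SAMPLE_WTMP)))
    print("\n".join(render(SAMPLE_BTMP)))
```

Reading the files directly is useful when `last` is not trusted or not available (for example on an image taken from a compromised host): `open("/var/log/btmp", "rb").read()` can be fed to `parse_utmp` unchanged, and a size that is not a multiple of 384 is itself a finding.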

Configuring an rsyslog server

Q: how do you write one host's authentication (authpriv) log to another host?

Client: hostname 128, IP address 192.168.237.128

Server: hostname 133, IP address 192.168.237.133

//Configure the client
//(comment out the default file path and forward to the server instead; a single @ means UDP, @@ would mean TCP)
[root@128 ~]# vi /etc/rsyslog.conf
# The authpriv file has restricted access.
#authpriv.*                                              /var/log/secure
authpriv.*                                              @192.168.237.133
[root@128 ~]# systemctl restart rsyslog
[root@128 ~]# systemctl stop firewalld
[root@128 ~]# setenforce 0
//Configure the server
//(uncomment the reception lines)
[root@133 ~]# vi /etc/rsyslog.conf
# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
[root@133 ~]# systemctl restart rsyslog
//Log in to client 128 over ssh with a deliberately wrong password; the record also appears on server 133
[C:\~]$ ssh root@192.168.237.128
[root@133 ~]# tail -f /var/log/secure
Dec 15 17:33:28 128 unix_chkpwd[47650]: password check failed for user (root)
Dec 15 17:33:28 128 sshd[47648]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.237.1  user=root
Dec 15 17:33:31 128 sshd[47648]: Failed password for root from 192.168.237.1 port 53843 ssh2
Dec 15 17:33:33 128 sshd[47648]: error: Received disconnect from 192.168.237.1 port 53843:0:  [preauth]
Dec 15 17:33:33 128 sshd[47648]: Disconnected from authenticating user root 192.168.237.1 port 53843 [preauth]
//Log in to server 133 over ssh with a deliberately wrong password; 133 records its own attempts too
[C:\~]$ ssh root@192.168.237.133
[root@133 ~]# tail -f /var/log/secure
Dec 15 17:33:47 133 unix_chkpwd[1955]: password check failed for user (root)
Dec 15 17:33:47 133 sshd[1953]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.237.1  user=root
Dec 15 17:33:49 133 sshd[1953]: Failed password for root from 192.168.237.1 port 53847 ssh2
Dec 15 17:33:52 133 sshd[1953]: error: Received disconnect from 192.168.237.1 port 53847:0:  [preauth]
Dec 15 17:33:52 133 sshd[1953]: Disconnected from authenticating user root 192.168.237.1 port 53847 [preauth]
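Once authpriv messages from several hosts land in one /var/log/secure, the record format described above (date and time, host, process[pid]: message) is what lets you tell the reporting server apart from the client that tried the password. As an added example that is not part of the original post, the Python below parses lines in that format, counts sshd "Failed password" events per (reporting host, client address), and flags bursts and any later "Accepted" login from a client that had already crossed the threshold. The sample lines are constructed here, modeled on the /var/log/secure output above with a few extra lines; the threshold of 3 is an arbitrary assumption.

```python
import re
from collections import Counter, defaultdict

# Record layout from the text: "<Mon DD HH:MM:SS> <host> <process>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# sshd message bodies; "invalid user" appears when the account does not exist.
FAILED_RE = re.compile(
    r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<rhost>\S+) port (?P<port>\d+) ssh2$"
)
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<rhost>\S+) port (?P<port>\d+) ssh2$"
)


def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


def summarize(lines, threshold=3):
    """Count sshd failures per (reporting host, client address) and flag bursts.

    On a central collector the reporting host says which server was hit,
    while rhost is the client that tried the password.
    """
    failures = Counter()
    users = defaultdict(set)
    accepted = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proc"] != "sshd":
            continue
        m = FAILED_RE.match(rec["msg"])
        if m:
            key = (rec["host"], m["rhost"])
            failures[key] += 1
            users[key].add(m["user"])
            continue
        m = ACCEPTED_RE.match(rec["msg"])
        if m:
            accepted.append((rec["host"], m["rhost"], m["user"], m["method"]))
    alerts = [(host, rhost, n, sorted(users[(host, rhost)]))
              for (host, rhost), n in failures.items() if n >= threshold]
    # A success from a client that already crossed the threshold deserves a look.
    suspicious = [a for a in accepted if failures[(a[0], a[1])] >= threshold]
    return {"failures": dict(failures), "alerts": alerts,
            "accepted": accepted, "suspicious_success": suspicious}


# Constructed sample input, modeled on the /var/log/secure lines shown above
# (hosts 128 and 133 forwarding to the collector), plus a few extra lines.
SAMPLE_LINES = """\
Dec 15 17:33:28 128 unix_chkpwd[47650]: password check failed for user (root)
Dec 15 17:33:28 128 sshd[47648]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.237.1  user=root
Dec 15 17:33:31 128 sshd[47648]: Failed password for root from 192.168.237.1 port 53843 ssh2
Dec 15 17:33:35 128 sshd[47651]: Failed password for root from 192.168.237.1 port 53844 ssh2
Dec 15 17:33:40 128 sshd[47652]: Failed password for invalid user admin from 192.168.237.1 port 53845 ssh2
Dec 15 17:33:47 133 sshd[1953]: Failed password for root from 192.168.237.1 port 53847 ssh2
Dec 15 17:33:52 133 sshd[1953]: Disconnected from authenticating user root 192.168.237.1 port 53847 [preauth]
Dec 15 17:34:02 128 sshd[47660]: Accepted password for root from 192.168.237.1 port 53850 ssh2
Dec 15 17:34:02 128 sshd[47660]: pam_unix(sshd:session): session opened for user root by (uid=0)
""".splitlines()

if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    for host, rhost, n, tried in report["alerts"]:
        print(f"{host}: {n} failed logins from {rhost} (users: {', '.join(tried)})")
    for host, rhost, user, method in report["suspicious_success"]:
        print(f"{host}: {user} accepted via {method} from {rhost} after repeated failures")
```

Keying on the reporting host matters with the forwarding setup above: a burst of failures against 128 and a single one against 133 from the same client are two different findings, and the server's own copy of its failures is counted under 133, not mixed into 128's.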

Original article: https://www.cnblogs.com/yuqinghao/p/14147812.html
