日志分析及管理
/var/log目录下面就是日志
日志的作用和分类:
.
主机名为localhost.localdomain会出现问题如图:
是正常的
图5.3
[root@host ~]# cd /var/log/httpd http访问
[root@host httpd]# ls
access_log error_log
[root@host httpd]# vim access_log
[root@host httpd]#
1.正常日志
[root@host httpd]# cd /var/www/html
[root@host html]# ls
[root@host html]# pwd
/var/www/html
[root@host html]# vim apache.html
[root@host html]# vim index.html
[root@host html]# cat index.html
it'is my web site!
[root@host html]#
图5.4
使用firefox 访问网站会产生日志
[root@localhost html]# cd /var/log/httpd/ httpd提供web服务
[root@localhost httpd]# ls
access_log error_log
[root@localhost httpd]#
access_log:记录正常的访问日志
error_log :记录错误的访问日志
2.错误日志
[root@localhost httpd]# cd /var/www/html/
[root@localhost html]# ls
index.html
[root@localhost html]# ll
total 4
-rw-r--r--. 1 root root 32 Jul 21 03:25 index.html
[root@localhost html]# chmod 600 index.html 修改权限
,使普通用户不可访问
[root@localhost html]# ll
total 4
-rw-------. 1 root root 32 Jul 21 03:25 index.html
[root@localhost html]#
然后firefox访问,出现403错误
[root@localhost httpd]# tail error_log 查看错误访问日志
http访问时正确访问则在access_log中可以查看到,访问出错则在error_log中可以查看日志,所以当访问出问题的时候则去日志里面查看先,看能否找到原因。
httpd有自己的独立管理的日志文件
没有独立的在rsyslog中
若 yum install httpd -y 安装不了的话,加上*
[root@host conf.d]# yum install httpd* -y 安装软件
[root@host conf.d]# tail -f /var/log/messages 查看日志
messages下面日志记录格式:什么时间,什么主机,做什么事情,具体内容
Jul 22 10:59:55 host vmnet-dhcpd: DHCPACK on 172.16.155.129 to 00:0c:29:b8:16:99 via vmnet8
Jul 22 11:01:57 host yum[9385]: Installed: apr-devel-1.3.9-3.el6_1.2.i686
Jul 22 11:01:58 host yum[9385]: Installed: expat-devel-2.0.1-11.el6_2.i686
Jul 22 11:01:58 host yum[9385]: Installed: db4-cxx-4.7.25-17.el6.i686
Jul 22 11:02:05 host yum[9385]: Installed: db4-devel-4.7.25-17.el6.i686
Jul 22 11:02:06 host yum[9385]: Installed: cyrus-sasl-devel-2.1.23-13.el6.i686
Jul 22 11:02:07 host yum[9385]: Installed: openldap-devel-2.4.23-26.el6.i686
Jul 22 11:02:07 host yum[9385]: Installed: apr-util-devel-1.3.9-3.el6_0.1.i686
Jul 22 11:02:08 host yum[9385]: Installed: httpd-devel-2.2.15-15.el6_2.1.i686
Jul 22 11:02:09 host yum[9385]: Installed: httpd-manual-2.2.15-15.el6_2.1.noarch
[root@localhost yum.repos.d]# service httpd restart 刷新服务
停止 httpd: [确定]
正在启动 httpd:httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain for ServerName
[确定]
[root@localhost yum.repos.d]#
[root@localhost yum.repos.d]# iptables -F
[root@localhost yum.repos.d]#
如果想显示网站的内容,供别人下载,需以下步骤:
1.进入该路径
[root@host httpd]# cd /var/www/html/
2.删除默认的进入文件
[root@host html]# rm -rf index.html 删除默认的访问文件
3.修改配置文件,都注释掉
[root@host html]# cd /etc/httpd/conf.d
[root@host conf.d]# ls
mod_dnssd.conf README welcome.conf
[root@host conf.d]# vim welcome.conf 修改配置文件,都注释掉
[root@localhost conf.d]# cat welcome.conf
#
# This configuration file enables the default "Welcome"
# page if there is no default index page present for
# the root URL. To disable the Welcome page, comment
# out all the lines below.
#
#<LocationMatch "^/+$"> 注释
# Options -Indexes
# ErrorDocument 403 /error/noindex.html
#</LocationMatch>
4.创建所需文件和目录,供下载
[root@host html]# mkdir music
[root@host html]# touch a b c
5.刷新服务
[root@host conf.d]# service httpd restart 刷新服务
停止 httpd: [确定]
正在启动 httpd: [确定]
[root@host conf.d]#
结果图5.5
很实用的命令
[root@host conf.d]# last 查看最近谁登录了你的机器
root pts/0 :0.0 Mon Jul 22 08:30 still logged in
root tty1 :0 Mon Jul 22 08:27 still logged in
reboot system boot 2.6.32-279.el6.i Mon Jul 22 08:26 - 10:13 (01:47)
[root@host conf.d]# w 查看现在谁登录了
10:15:55 up 1:50, 2 users, load average: 0.00, 0.00, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WH
AT
root tty1 :0 08:27 ? 51.93s 51.93s /usr/bin/Xorg :
root pts/0 :0.0 08:30 0.00s 37.04s 0.00s w
[root@host conf.d]#
日志格式:
图5.6
日志的类型
1.系统和内核
2.用户的
3.程序的
rhel6.3里使用rsyslog进程来管理日志
图5.7
[root@teacher httpd]# which rsyslogd
/sbin/rsyslogd
[root@teacher httpd]# rpm -qf /sbin/rsyslogd 查看rsyslogd有没有安装
rsyslog-5.8.10-2.el6.i686
[root@teacher httpd]#
默认情况下rsyslog软件包已经安装
[root@teacher httpd]# rpm -qa |grep rsyslog
rsyslog-5.8.10-2.el6.i686
[root@teacher httpd]#
[root@host conf.d]# service rsyslog restart
关闭系统日志记录器: [确定]
启动系统日志记录器: [确定]
[root@host conf.d]#
日志的级别:
图5.8
===
配置文件:/etc/rsyslog.conf 用来告诉rsyslog怎么管理--》给日志文件在轮转的时候做指导的,告诉logrotate这个程序如何去轮转。例如:是否压缩,多大的时候开始轮转,保留几个文件等
异常关闭,同时编辑会产生临时文件.开头.swp结尾
取消/etc/.rsyslog.conf.swp
,
进入该文件有提示
[root@host conf.d]# vim /etc/rsyslog.conf
/etc/rsyslog.conf的用法
图5.9
[root@host conf.d]# man 5 rsyslog.conf 查看配置文件
[root@host conf.d]# cat /etc/rsyslog.conf |grep -v ^#|grep -v ^$ 去掉注释行和空行
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg * 所有人都收得到,emerg紧急
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
/etc/rsyslog.conf里面可以指定日志的存储位置
[root@host conf.d]# man 3 syslog 查看服务名称
设备类型
authpriv
cron
mail
*
设备类型经常和日志级别一起使用
设备类别[连接符]日志级别
. :记录大于等于后面的级别日志
.=:只记录等于后面的级别日志
.!=:只记录不等于后面的级别日志
图5.10
[root@host conf.d]# ssh xiaoliu@10.0.0.190 以xiaoliu用户远程连接
The authenticity of host '10.0.0.190 (10.0.0.190)' can't be established.
RSA key fingerprint is 90:ab:09:5f:15:db:c8:db:7a:e2:7d:d6:c2:c8:7e:58.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
Warning: Permanently added '10.0.0.190' (RSA) to the list of known hosts.
xiaoliu@10.0.0.190's password:
Last login: Sun Jul 21 05:05:06 2013 from 10.0.0.142
[xiaoliu@localhost ~]$
wall 向所有的终端发信息
mesg 可以关闭接收终端信息
mesg n
[root@localhost conf.d]# shutdown -k +2
[root@localhost conf.d]#
Broadcast message from root@localhost.localdomain
(/dev/pts/3) at 5:14 ...
The system is going down for maintenance in 2 minutes! 假消息,并不会关闭,只是提醒
====
[root@host httpd]# cat access_log |awk '{print $1}'|sort
10.0.0.144
10.0.0.144
[root@host httpd]# pwd
/var/log/httpd
常用日志操作命令:
who
不接任何参数,查看当前登录进系统的用户
读取的是/var/run/utmp
[root@host httpd]# who
root tty1 2013-07-22 08:27 (:0)
root pts/0 2013-07-22 08:30 (:0.0)
[root@host httpd]#
users
单独一行打印当前登录的用户,如果同一个用户登录不止一次,那么相同的名称打印多次出来。
[root@host httpd]# users
root root
[root@host httpd]#
w
也是查看utmp文件
[root@host httpd]# w
当前时间 开机多久了 登录用户数 cup的1,5,15分钟的平均负载
15:05:25 up 6:39, 2 users, load average: 0.00, 0.02, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 :0 08:27 ? 2:37 2:37 /usr/bin/Xorg :
root pts/0 :0.0 08:30 0.00s 1:06 0.00s w
[root@host httpd]#
up 6:39 --》 运行多久了
load average: 0.00, 0.02, 0.00 负载
tty1 不打开任何终端,刚开机时的状态
FROM :0 0号桌面
:3.0 3号桌面
地址的话 从远程连接过来的
WHAT 正在做什么
[root@host httpd]# uptime 用的不多,w就可以实现了
15:23:45 up 6:57, 4 users, load average: 0.07, 0.02, 0.00
last(
常用)
[root@host httpd]# last 从现在往过去搜索 /var/log/wtmp
root pts/3 :0.0 Mon Jul 22 15:18 still logged in
root pts/2 :0.0 Mon Jul 22 15:18 still logged in
root pts/1 :0.0 Mon Jul 22 13:59 - 13:59 (00:00)
root pts/0 :0.0 Mon Jul 22 08:30 still logged in
root tty1 :0 Mon Jul 22 08:27 still logged in
reboot system boot 2.6.32-279.el6.i Mon Jul 22 08:26 - 15:24 (06:58)
lastlog(常用)
[root@host httpd]# lastlog 显示出谁最后登录的信息,或者显示从未登录过
用户名 端口 来自 最后登陆时间
root pts/2 10.0.0.136 四 7月 18 21:03:27 +0800 2013
bin **从未登录过**
daemon **从未登录过**
adm **从未登录过**
[root@localhost ~]# accton /var/account/pacct 开启统计功能
[root@localhost ~]# accton 关闭
[root@localhost ~]# lastcomm --user root 根据用户来分析
sshd S root __ 0.15 secs Sun Jul 21 09:09
accton S root pts/14 0.00 secs Sun Jul 21 09:16
sshd S root __ 0.10 secs Sun Jul 21 09:09
unix_chkpwd S root __ 0.00 secs Sun Jul 21 09:13
unix_chkpwd S root __ 0.02 secs Sun Jul 21 09:13
ping S root pts/14 0.00 secs Sun Jul 21 09:13
ls root pts/14 0.00 secs Sun Jul 21 09:12
mkdir S root pts/14 0.00 secs Sun Jul 21 09:12
w S root pts/14 0.01 secs Sun Jul 21 09:12
accton S root pts/14 0.00 secs Sun Jul 21 09:12
[root@localhost ~]#
[root@host httpd]# ping -c2 10.0.0.253 控制发两个包
PING 10.0.0.253 (10.0.0.253) 56(84) bytes of data.
64 bytes from 10.0.0.253: icmp_seq=1 ttl=64 time=0.240 ms
64 bytes from 10.0.0.253: icmp_seq=2 ttl=64 time=0.186 ms
--- 10.0.0.253 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.186/0.213/0.240/0.027 ms
[1]+ Done firefox 10.0.0.253
[root@host httpd]#
[root@host httpd]# ping 10.0.0.253 |logger -it "ping fuwuqi" -p cron.info
根据cron.info 到 /etc/rsyslog.conf 中查看
[root@host conf.d]# cat /etc/rsyslog.conf |grep -v ^#|grep -v ^$ 去掉注释行和空行
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.info
;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.*
/var/log/cron
*.emerg * 所有人都收得到,emerg紧急
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
[root@host conf.d]#
这里*.info对应的文件里没有该日志
[root@host httpd]# tail -f /var/log/cron
Jul 22 15:49:18 host ping fuwuqi[17573]: 64 bytes from 10.0.0.253: icmp_seq=3 ttl=64 time=0.218 ms
Jul 22 15:49:19 host ping fuwuqi[17573]: 64 bytes from 10.0.0.253: icmp_seq=4 ttl=64 time=0.197 ms
Jul 22 15:49:20 host ping fuwuqi[17573]: 64 bytes from 10.0.0.253: icmp_seq=5 ttl=64 time=0.188 ms
Jul 22 15:49:21 host ping fuwuqi[17573]: 64 bytes from 10.0.0.253: icmp_seq=6 tt
[17573]是进程号
[root@host httpd]# ping -c5 10.0.0.253 |logger -it "253" -p authpriv.error
[root@host httpd]# tail -f /var/log/secure
Jul 22 15:56:34 host 253[17629]: PING 10.0.0.253 (10.0.0.253) 56(84) bytes of data.
Jul 22 15:56:34 host 253[17629]: 64 bytes from 10.0.0.253: icmp_seq=1 ttl=64 time=0.237 ms
日志备份:一般备份到其他机器
服务器端
1.修改配置文件允许别的机器发送日志过来
[root@localhost httpd]# vim /etc/rsyslog.conf
# Provides UDP syslog reception 开启udp方式接收日志,打开514端口
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception 开启tcp方式接收日志,打开514端口
$ModLoad imtcp
$InputTCPServerRun 514
2.刷新rsyslog服务,让新修改的配置生效
[root@localhost httpd]# service rsyslog restart
关闭系统日志记录器: [确定]
启动系统日志记录器: [确定]
[root@localhost httpd]#
3.关闭防火墙和selinux
[root@localhost httpd]# iptables -F
[root@localhost httpd]# getenforce
Enforcing
[root@localhost httpd]# setenforce 0
[root@localhost httpd]# getenforce
Permissive
[root@localhost httpd]#
修改客户端的配置
1./etc/rsyslog.conf
*.* @@10.0.0.190:514
2.刷新服务
service rsyslog restart
===
验证
1.在客户端做操作
[root@teacher httpd]# ping -c3 10.0.0.190 |logger -it "test" -p cron.info
[root@teacher httpd]#
2.在服务器看日志
[root@localhost httpd]# tail -f /var/log/hailong.txt
===
[root@localhost httpd]# netstat -ntplu|grep :514 查看打开514端口的进程id和进程号
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 31315/rsyslogd
tcp 0 0 :::514 :::* LISTEN 31315/rsyslogd
udp 0 0 0.0.0.0:514 0.0.0.0:* 31315/rsyslogd
udp 0 0 :::514 :::* 31315/rsyslogd
[root@localhost httpd]#
图5.12
轮转的配置文件/etc/logrotate.conf
想对哪个日志进行轮转,就建立一个配置文件
[root@host httpd]# grep -v ^# /etc/logrotate.conf|grep -v ^$
weekly
rotate 4
create
dateext
include /etc/logrotate.d
/var/log/wtmp {
monthly
create 0664 root utmp
minsize 1M
rotate 1
}
/var/log/btmp {
missingok
monthly
create 0600 root utmp
rotate 1
}
[root@host httpd]#
[root@teacher log]# cat /etc/logrotate.conf |grep -v ^#|grep -v ^$
weekly
rotate 4
create
dateext 以日期做后缀
compress 对轮转文件进行压缩
include /etc/logrotate.d 次配置文件都存放在次目录下(单独的配置的文件)
/var/log/wtmp {
monthly
create 0664 root utmp 创建文件的时候,指定权限和属组、属主
minsize 1M
rotate 1
}
/var/log/btmp {
missingok
monthly
create 0600 root utmp
rotate 1
}
全局配置
局部配置
suffix后缀
compless压缩
[root@host logrotate.d]# cat syslog
/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
sharedscripts #开始使用脚本
postrotate #logrotate命令运行后执行脚本
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}
[root@host logrotate.d]# pwd
/etc/logrotate.d
[root@host logrotate.d]#
[root@host logrotate.d]# date +%F
2013-07-22
prerotate:轮转前需要做的事情
postrotate:轮转后需要做的事情
1.在/etc/rsyslog.conf文件里添加日志记录
[root@localhost httpd]# echo "*.info /var/log/liuxy">>/etc/rsyslog.conf
[root@localhost httpd]# service rsyslog restart
关闭系统日志记录器: [确定]
启动系统日志记录器: [确定]
[root@localhost httpd]# cd /var/log 查看是否有liuxy文件
[root@localhost log]# ls
anaconda.ifcfg.log audit dmesg.old messages spooler
anaconda.log boot.log dracut.log ntpstats sssd
anaconda.program.log btmp hailong.txt prelink tallylog
anaconda.storage.log ConsoleKit httpd rhsm wtmp
anaconda.syslog cron lastlog sa yum.log
anaconda.xlog cups liuxy samba
anaconda.yum.log dmesg maillog secure
[root@localhost log]#
2.单独建立配置文件
[root@localhost log]# cd /etc/logrotate.d/
[root@localhost logrotate.d]# ls
cups httpd sssd syslog yum
dracut psacct subscription-manager up2date
[root@localhost logrotate.d]#
[root@localhost logrotate.d]# cd /var/log
[root@localhost log]# ls
anaconda.ifcfg.log audit dmesg.old liuxz~ samba
anaconda.log boot.log dracut.log maillog secure
anaconda.program.log btmp hailong.txt messages spooler
anaconda.storage.log ConsoleKit httpd ntpstats sssd
anaconda.syslog cron lastlog prelink tallylog
anaconda.xlog cups liuxy rhsm wtmp
anaconda.yum.log dmesg liuxy~ sa yum.log
[root@localhost log]#
[root@localhost logrotate.d]# cat liuxy
/var/log/liuxy {
weekly
size=15M
rotate 4
compress
create 0644 root root
sharedscripts
prerotate
/bin/cp /var/log/liuxy /bak/liuxy-`date +%F-%H-%M-%S`
endscript
}
这样设置不能实现,但是#去create后面几行就可以的到结果
3.使用logrotate命令强制轮转,看效果
[root@localhost log]# logrotate -fv /etc/logrotate.d/liuxy
[root@localhost log]# ls
anaconda.ifcfg.log boot.log hailong.txt maillog spooler
anaconda.log btmp httpd messages sssd
anaconda.program.log ConsoleKit lastlog ntpstats tallylog
anaconda.storage.log cron liuxy prelink wtmp
anaconda.syslog cups liuxy.1.gz rhsm yum.log
anaconda.xlog dmesg liuxy.2.gz sa
anaconda.yum.log dmesg.old liuxy.3.gz samba
audit dracut.log liuxy.4.gz secure
[root@localhost log]#