zoukankan      html  css  js  c++  java
  • Linux操作系统的日志管理之rsyslog实战案例

                  Linux操作系统的日志管理之rsyslog实战案例

                                           作者:尹正杰

    版权声明:原创作品,谢绝转载!否则将追究法律责任。

    一.日志介绍

    1>.什么是日志

    历史事件:
      时间,地点,人物,事件

    日志级别:
      事件的关键性程度,Loglevel

    2>.常见的系统日志服务 

    sysklogd日志服务(CentOS 5及之前版本使用)
      syslogd: 
        system application 记录应用日志
      klogd: 
        linux kernel 记录内核日志
      事件记录格式:
        日期时间 主机 进程[pid]: 事件内容
      C/S架构:
        通过TCP或UDP协议的服务完成日志记录传送,将分布在不同主 机的日志实现集中管理
    
    rsyslog日志服务(CentOS6和7版本使用),其主要特性如下所示:
      多线程
      UDP, TCP, SSL, TLS, RELP
      MySQL, PGSQL, Oracle实现日志存储
      强大的过滤器,可实现过滤记录日志信息中任意部分
      自定义输出格式
    
    ELK(elasticsearch, logstash, kibana)
      非关系型分布式数据库 
      基于apache软件基金会jakarta项目组的项目lucene 
      Elasticsearch是个开源分布式搜索引擎
      Logstash对日志进行收集、分析,并将其存储供以后使用 
      kibana 可以提供的日志分析友好的 Web 界面

    3>.博主推荐阅读

      https://www.cnblogs.com/yinzhengjie/p/7745560.html

    二.rsyslog介绍

    1>.常见术语

    [root@node101.yinzhengjie.org.cn ~]# man logger
    LOGGER(1)                                                User Commands                                                LOGGER(1)
    
    NAME
           logger - a shell command interface to the syslog(3) system log module
    
    SYNOPSIS
           logger [options] [message]
    
    DESCRIPTION
           logger makes entries in the system log.  It provides a shell command interface to the syslog(3) system log module.
    
    OPTIONS
           -n, --server server
                  Write  to the specified remote syslog server instead of to the builtin syslog routines.  Unless --udp or --tcp is
                  specified the logger will first try to use UDP, but if it fails a TCP connection is attempted.
    
           -d, --udp
                  Use datagram (UDP) only.  By default the connection is tried to syslog port defined in  /etc/services,  which  is
                  often 514.
    
           -T, --tcp
                  Use stream (TCP) only.  By default the connection is tried to syslog-conn port defined in /etc/services, which is
                  often 601.
    
           -P, --port port
                  Use the specified port.  When this option is not specified, the port defaults to syslog for udp  and  to  syslog-
                  conn for tcp connections.
    
           -i, --id
                  Log the process ID of the logger process with each line.
    
           -f, --file file
                  Log the contents of the specified file.  This option cannot be combined with a command-line message.
    
           -h, --help
                  Display a help text and exit.
    
           -p, --priority priority
                  Enter  the  message  into the log with the specified priority.  The priority may be specified numerically or as a
                  facility.level pair.  For example, -p local3.info logs the message as informational in the local3 facility.   The
                  default is user.notice.
    
           -S, --size size
                  Sets the maximum permitted message size. The default is 1KiB, which is the limit traditionally used and specified
                  in RFC 3164. When selecting a maximum message size, it is important to ensure that the receiver supports the  max
                  size as well, otherwise messages may become truncated.
    
           -s, --stderr
                  Output the message to standard error as well as to the system log.
    
           -t, --tag tag
                  Mark  every  line  to be logged with the specified tag.  The default tag is the name of the user logged in on the
                  terminal (or a user name based on effective user ID).
    
           -u, --socket socket
                  Write to the specified socket instead of to the builtin syslog routines.
    
           -V, --version
                  Display version information and exit.
    
           --     End the argument list.  This is to allow the message to start with a hyphen (-).
    
           message
                  Write the message to log; if not specified, and the -f flag is not provided, standard input is logged.
    
           The logger utility exits 0 on success, and >0 if an error occurs.
    
    FACILITIES AND LEVELS
           Valid facility names are:
    
                  auth
                  authpriv   for security information of a sensitive nature
                  cron
                  daemon
                  ftp
                  kern       cannot be generated from userspace process, automatically converted to user
                  lpr
                  mail
                  news
                  syslog
                  user
                  uucp
                  local0
                    to
                  local7
                  security   deprecated synonym for auth
    
           Valid level names are:
    
                  emerg
                  alert
                  crit
                  err
                  warning
                  notice
                  info
                  debug
                  panic     deprecated synonym for emerg
                  error     deprecated synonym for err
                  warn      deprecated synonym for warning
    
           For the priority order and intended purposes of these facilities and levels, see syslog(3).
    
    EXAMPLES
           logger System rebooted
           logger -p local0.notice -t HOSTIDM -f /dev/idmc
           logger -n loghost.example.com System rebooted
    
    SEE ALSO
           syslog(3), syslogd(8)
    
    STANDARDS
           The logger command is expected to be IEEE Std 1003.2 ("POSIX.2") compatible.
    
    AVAILABILITY
           The logger command is part of the util-linux package and is available from Linux  Kernel  Archive  ⟨ftp://ftp.kernel.org
           /pub/linux/utils/util-linux/⟩.
    
    util-linux                                                 April 2013                                                 LOGGER(1)
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# man logger

    2>.facility(从功能或程序上对日志进行归类)

      Valid facility names are:
        auth
        authpriv   for security information of a sensitive nature
        cron
        daemon
        ftp
        kern       cannot be generated from userspace process, automatically converted to user
        lpr
        mail
        news
        syslog
        user
        uucp
        local0
        to
        local7
        security   deprecated synonym for auth

    3>.Priority(优先级别,从低到高排序)

      Valid level names are:
        debug
        info
        notice
        warning
        warn      deprecated synonym for warning
        err
        error     deprecated synonym for err
        crit
        alert
        emerg
        panic     deprecated synonym for emerg

     4>.可参考帮助信息

    [root@node101.yinzhengjie.org.cn ~]# man 3 syslog

    三.rsyslog系统日志服务

    1>.安装rsyslog软件 

    [root@node101.yinzhengjie.org.cn ~]# yum -y install syslog
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    epel/x86_64/metalink                                                                                        | 7.6 kB  00:00:00     
     * base: mirrors.aliyun.com
     * epel: mirrors.tuna.tsinghua.edu.cn
     * extras: mirrors.aliyun.com
     * updates: mirror.bit.edu.cn
    base                                                                                                        | 3.6 kB  00:00:00     
    epel                                                                                                        | 5.4 kB  00:00:00     
    extras                                                                                                      | 2.9 kB  00:00:00     
    updates                                                                                                     | 2.9 kB  00:00:00     
    (1/3): epel/x86_64/updateinfo                                                                               | 1.0 MB  00:00:00     
    (2/3): updates/7/x86_64/primary_db                                                                          | 5.8 MB  00:00:02     
    (3/3): epel/x86_64/primary_db                                                                               | 6.9 MB  00:00:14     
    Resolving Dependencies
    --> Running transaction check
    ---> Package rsyslog.x86_64 0:8.24.0-34.el7 will be updated
    ---> Package rsyslog.x86_64 0:8.24.0-41.el7_7.2 will be an update
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ===================================================================================================================================
     Package                     Arch                       Version                                  Repository                   Size
    ===================================================================================================================================
    Updating:
     rsyslog                     x86_64                     8.24.0-41.el7_7.2                        updates                     616 k
    
    Transaction Summary
    ===================================================================================================================================
    Upgrade  1 Package
    
    Total download size: 616 k
    Downloading packages:
    Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
    rsyslog-8.24.0-41.el7_7.2.x86_ FAILED                                                            ]  0.0 B/s |  30 kB  --:--:-- ETA 
    http://mirror.lzu.edu.cn/centos/7.7.1908/updates/x86_64/Packages/rsyslog-8.24.0-41.el7_7.2.x86_64.rpm: [Errno 12] Timeout on http://mirror.lzu.edu.cn/centos/7.7.1908/updates/x86_64/Packages/rsyslog-8.24.0-41.el7_7.2.x86_64.rpm: (28, 'Operation too slow. Less than 1000 bytes/sec transferred the last 30 seconds')
    Trying other mirror.
    rsyslog-8.24.0-41.el7_7.2.x86_64.rpm                                                                        | 616 kB  00:00:00     
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
      Updating   : rsyslog-8.24.0-41.el7_7.2.x86_64                                                                                1/2 
      Cleanup    : rsyslog-8.24.0-34.el7.x86_64                                                                                    2/2 
      Verifying  : rsyslog-8.24.0-41.el7_7.2.x86_64                                                                                1/2 
      Verifying  : rsyslog-8.24.0-34.el7.x86_64                                                                                    2/2 
    
    Updated:
      rsyslog.x86_64 0:8.24.0-41.el7_7.2                                                                                               
    
    Complete!
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# yum -y install syslog
    [root@node101.yinzhengjie.org.cn ~]# rpm -qi rsyslog
    Name        : rsyslog
    Version     : 8.24.0
    Release     : 41.el7_7.2
    Architecture: x86_64
    Install Date: Thu 12 Dec 2019 11:05:01 PM EST
    Group       : System Environment/Daemons
    Size        : 2002500
    License     : (GPLv3+ and ASL 2.0)
    Signature   : RSA/SHA256, Mon 21 Oct 2019 10:51:54 AM EDT, Key ID 24c6a8a7f4a80eb5
    Source RPM  : rsyslog-8.24.0-41.el7_7.2.src.rpm
    Build Date  : Fri 18 Oct 2019 12:12:28 PM EDT
    Build Host  : x86-02.bsys.centos.org
    Relocations : (not relocatable)
    Packager    : CentOS BuildSystem <http://bugs.centos.org>
    Vendor      : CentOS
    URL         : http://www.rsyslog.com/
    Summary     : Enhanced system logging and kernel message trapping daemon
    Description :
    Rsyslog is an enhanced, multi-threaded syslog daemon. It supports MySQL,
    syslog/TCP, RFC 3195, permitted sender lists, filtering on any message part,
    and fine grain output format control. It is compatible with stock sysklogd
    and can be used as a drop-in replacement. Rsyslog is simple to set up, with
    advanced features suitable for enterprise-class, encryption-protected syslog
    relay chains.
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# rpm -qi rsyslog          #可以查看相应的日志版本
    [root@node101.yinzhengjie.org.cn ~]# rpm -ql rsyslog
    /etc/logrotate.d/syslog
    /etc/pki/rsyslog
    /etc/rsyslog.conf
    /etc/rsyslog.d
    /etc/sysconfig/rsyslog
    /usr/bin/rsyslog-recover-qi.pl
    /usr/lib/systemd/system/rsyslog.service
    /usr/lib64/rsyslog
    /usr/lib64/rsyslog/imdiag.so
    /usr/lib64/rsyslog/imfile.so
    /usr/lib64/rsyslog/imjournal.so
    /usr/lib64/rsyslog/imklog.so
    /usr/lib64/rsyslog/immark.so
    /usr/lib64/rsyslog/impstats.so
    /usr/lib64/rsyslog/imptcp.so
    /usr/lib64/rsyslog/imtcp.so
    /usr/lib64/rsyslog/imudp.so
    /usr/lib64/rsyslog/imuxsock.so
    /usr/lib64/rsyslog/lmnet.so
    /usr/lib64/rsyslog/lmnetstrms.so
    /usr/lib64/rsyslog/lmnsd_ptcp.so
    /usr/lib64/rsyslog/lmregexp.so
    /usr/lib64/rsyslog/lmstrmsrv.so
    /usr/lib64/rsyslog/lmtcpclt.so
    /usr/lib64/rsyslog/lmtcpsrv.so
    /usr/lib64/rsyslog/lmzlibw.so
    /usr/lib64/rsyslog/mmanon.so
    /usr/lib64/rsyslog/mmcount.so
    /usr/lib64/rsyslog/mmexternal.so
    /usr/lib64/rsyslog/mmutf8fix.so
    /usr/lib64/rsyslog/omjournal.so
    /usr/lib64/rsyslog/ommail.so
    /usr/lib64/rsyslog/omprog.so
    /usr/lib64/rsyslog/omruleset.so
    /usr/lib64/rsyslog/omstdout.so
    /usr/lib64/rsyslog/omtesting.so
    /usr/lib64/rsyslog/omuxsock.so
    /usr/lib64/rsyslog/pmaixforwardedfrom.so
    /usr/lib64/rsyslog/pmcisconames.so
    /usr/lib64/rsyslog/pmlastmsg.so
    /usr/lib64/rsyslog/pmrfc3164sd.so
    /usr/lib64/rsyslog/pmsnare.so
    /usr/sbin/rsyslogd
    /usr/share/doc/rsyslog-8.24.0
    /usr/share/doc/rsyslog-8.24.0/AUTHORS
    /usr/share/doc/rsyslog-8.24.0/COPYING
    /usr/share/doc/rsyslog-8.24.0/COPYING.ASL20
    /usr/share/doc/rsyslog-8.24.0/COPYING.LESSER
    /usr/share/doc/rsyslog-8.24.0/ChangeLog
    /usr/share/man/man5/rsyslog.conf.5.gz
    /usr/share/man/man8/rsyslogd.8.gz
    /var/lib/rsyslog
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# rpm -ql rsyslog          #查看安装的文件列表

    2>.rsyslog服务概述

    程序包:
      rsyslog
    
    主程序:
      /usr/sbin/rsyslogd
    
    CentOS 6:
      service rsyslog {start|stop|restart|status} 
    
    CentOS 7:
      /usr/lib/systemd/system/rsyslog.service 
    
    配置文件:
      /etc/rsyslog.conf,/etc/rsyslog.d/*.conf 
    
    库文件: 
      /lib64/rsyslog/*.so
    [root@node101.yinzhengjie.org.cn ~]# systemctl status rsyslog
    ● rsyslog.service - System Logging Service
       Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
       Active: active (running) since Thu 2019-12-12 23:05:01 EST; 16min ago
         Docs: man:rsyslogd(8)
               http://www.rsyslog.com/doc/
     Main PID: 13400 (rsyslogd)
       CGroup: /system.slice/rsyslog.service
               └─13400 /usr/sbin/rsyslogd -n
    
    Dec 12 23:05:01 node101.yinzhengjie.org.cn systemd[1]: Starting System Logging Service...
    Dec 12 23:05:01 node101.yinzhengjie.org.cn rsyslogd[13400]:  [origin software="rsyslogd" swVersion="8.24.0-41.el7_7.2" x-pi...start
    Dec 12 23:05:01 node101.yinzhengjie.org.cn systemd[1]: Started System Logging Service.
    Hint: Some lines were ellipsized, use -l to show in full.
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# systemctl status rsyslog

    3>./etc/rsyslog.conf的配置文件格式

    /etc/rsyslog.conf的配置文件格式是由三部分组成,如下所示:
      MODULES:
        相关模块配置 
      GLOBAL DIRECTIVES:
        全局配置 
      RULES:
        日志记录相关的规则配置
    
    默认配置文件参数说明(红色的表示MODULES相关配置,蓝色的表示全局配置,粉色的表示日志记录相关规则配置):
      [root@node101.yinzhengjie.org.cn ~]# egrep -v "^#|^$" /etc/rsyslog.conf 
      $ModLoad imuxsock                             #支持本地系统日志记录
      $ModLoad imjournal                             #提供对系统日志的访问
      $WorkDirectory /var/lib/rsyslog                    #指定日志存放为止
      $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat     #使用默认时间戳格式
      $IncludeConfig /etc/rsyslog.d/*.conf                  #加载"/etc/rsyslog.d/*.conf "配置文件
      $OmitLocalLogging on                           #通过本地日志套接字关闭消息接收,本地消息现在通过imjournal检索。
      $IMJournalStateFile imjournal.state                 #在日志中存储位置的文件
      *.info;mail.none;authpriv.none;cron.none /var/log/messages   #记录info级别或更高级别的任何内容(邮件,身份验证,周期性任务日志除外,因为下面已经有单独将他们存放在指定的配置文件啦),不要记录私人身份验证消息哟,系统默认记录在"/var/log/messages"
      authpriv.* /var/log/secure                       #把权限认证的所有日志级别均记录到"/var/log/secure"文件中。
      mail.* -/var/log/maillog                         #有邮件所有日志级别均记录到"/var/log/maillog"文件中,其中前面的"-"表示异步写入文件。
      cron.* /var/log/cron                             #记录cron服务的所有日志级别到"/var/log/cron"文件中。
      *.emerg :omusrmsg:*                            #每个人都会收到紧急(emerg)信息
      uucp,news.crit /var/log/spooler                   #将crit及更高级别的新闻错误保存在"/var/log/spooler"
      local7.* /var/log/boot.log                       #将启动消息也保存到"/var/log/boot.log"
      [root@node101.yinzhengjie.org.cn ~]#
    [root@node101.yinzhengjie.org.cn ~]# cat /etc/rsyslog.conf
    # rsyslog configuration file
    
    # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
    # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
    
    #### MODULES ####
    
    # The imjournal module bellow is now used as a message source instead of imuxsock.
    $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
    $ModLoad imjournal # provides access to the systemd journal
    #$ModLoad imklog # reads kernel messages (the same are read from journald)
    #$ModLoad immark  # provides --MARK-- message capability
    
    # Provides UDP syslog reception
    #$ModLoad imudp
    #$UDPServerRun 514
    
    # Provides TCP syslog reception
    #$ModLoad imtcp
    #$InputTCPServerRun 514
    
    
    #### GLOBAL DIRECTIVES ####
    
    # Where to place auxiliary files
    $WorkDirectory /var/lib/rsyslog
    
    # Use default timestamp format
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
    
    # File syncing capability is disabled by default. This feature is usually not required,
    # not useful and an extreme performance hit
    #$ActionFileEnableSync on
    
    # Include all config files in /etc/rsyslog.d/
    $IncludeConfig /etc/rsyslog.d/*.conf
    
    # Turn off message reception via local log socket;
    # local messages are retrieved through imjournal now.
    $OmitLocalLogging on
    
    # File to store the position in the journal
    $IMJournalStateFile imjournal.state
    
    
    #### RULES ####
    
    # Log all kernel messages to the console.
    # Logging much else clutters up the screen.
    #kern.*                                                 /dev/console
    
    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    *.info;mail.none;authpriv.none;cron.none                /var/log/messages
    
    # The authpriv file has restricted access.
    authpriv.*                                              /var/log/secure
    
    # Log all the mail messages in one place.
    mail.*                                                  -/var/log/maillog
    
    
    # Log cron stuff
    cron.*                                                  /var/log/cron
    
    # Everybody gets emergency messages
    *.emerg                                                 :omusrmsg:*
    
    # Save news errors of level crit and higher in a special file.
    uucp,news.crit                                          /var/log/spooler
    
    # Save boot messages also to boot.log
    local7.*                                                /var/log/boot.log
    
    
    # ### begin forwarding rule ###
    # The statement between the begin ... end define a SINGLE forwarding
    # rule. They belong together, do NOT split them. If you create multiple
    # forwarding rules, duplicate the whole block!
    # Remote Logging (we use TCP for reliable delivery)
    #
    # An on-disk queue is created for this action. If the remote host is
    # down, messages are spooled to disk and sent when it is up again.
    #$ActionQueueFileName fwdRule1 # unique name prefix for spool files
    #$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
    #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
    #$ActionQueueType LinkedList   # run asynchronously
    #$ActionResumeRetryCount -1    # infinite retries if host is down
    # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
    #*.* @@remote-host:514
    # ### end of the forwarding rule ###
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat /etc/rsyslog.conf

    4>.RULES配置格式 

    RULES配置格式: 
      facility.priority; facility.priority... target 
    
      facility:
        *: 所有的facility
        facility1,facility2,facility3,...:指定的facility列表 
    
      priority:
        *: 所有级别
        none:没有级别,即不记录 
        PRIORITY:指定级别(含)以上的所有级别 
        =PRIORITY:仅记录指定级别的日志信息
    
      target: 
        文件路径:通常在/var/log/,文件路径前的-表示异步写入,一般不推荐将重要的日志异步写入,所谓的异步写入是指先将数据库写入buffer,间隔时间断后才真正写入磁盘,可能存在丢失日志的风险,但写入效率高。 
        用户:将日志事件通知给指定的用户,* 表示登录的所有用户 
        日志服务器:@host,把日志送往至指定的远程服务器记录 
        管道: | COMMAND,转发给其它命令处理

    四.配置sshd服务的日志案例(前提是sshd服务有调用rsyslog服务的日志接口,如果你自己开发的软件不支持则rsyslog就管不着啦,比如apache,nginx均有自己的日志实现方式,它们不用系统日志记录)

    1>.修改sshd服务默认的日志类型并通过rsyslog服务记录

    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/ssh/sshd_config  |grep SyslogFacility      #我们直到sshd服务将日志类别定义为"AUTHPRIV"
    SyslogFacility AUTHPRIV
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/rsyslog.conf  |grep authpriv               #我们查看rsyslog服务将"AUTHPRIV"类别的日志单独记录到"/var/log/secure"文件中
    *.info;mail.none;authpriv.none;cron.none                /var/log/messages
    authpriv.*                                              /var/log/secure
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# tail -20  /var/log/secure                            #的确如此,我们在该日志文件中找到了有关sshd服务的日志,但除了sshd日志外还有其他服务对应"AUTHPRIV"日志级别的信息也保存到该文件啦。
    Dec 12 19:13:09 node101 sshd[981]: Accepted password for root from 172.30.1.2 port 62044 ssh2
    Dec 12 19:13:09 node101 sshd[981]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Dec 12 19:48:45 node101 su: PAM unable to dlopen(/usr/lib64/security/pam_fprintd.so): /usr/lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
    Dec 12 19:48:45 node101 su: PAM adding faulty module: /usr/lib64/security/pam_fprintd.so
    Dec 12 19:48:45 node101 su: pam_unix(su-l:session): session opened for user yinzhengjie by root(uid=0)
    Dec 12 19:50:40 node101 su: pam_unix(su-l:session): session closed for user yinzhengjie
    Dec 12 20:09:40 node101 sshd[981]: pam_systemd(sshd:session): Failed to release session: Interrupted system call
    Dec 12 20:09:40 node101 sshd[981]: pam_unix(sshd:session): session closed for user root
    Dec 12 20:12:36 node101 sshd[4562]: Accepted password for root from 172.30.1.2 port 62441 ssh2
    Dec 12 20:12:36 node101 sshd[4562]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Dec 12 20:51:47 node101 useradd[6579]: new group: name=jason, GID=1001
    Dec 12 20:51:47 node101 useradd[6579]: new user: name=jason, UID=1001, GID=1001, home=/home/jason, shell=/bin/bash
    Dec 12 20:53:18 node101 userdel[6663]: delete user 'jason'
    Dec 12 20:53:18 node101 userdel[6663]: removed group 'jason' owned by 'jason'
    Dec 12 20:53:18 node101 userdel[6663]: removed shadow group 'jason' owned by 'jason'
    Dec 12 22:03:16 node101 sshd[4562]: pam_unix(sshd:session): session closed for user root
    Dec 12 22:06:15 node101 sshd[10398]: Accepted password for root from 172.30.1.2 port 64529 ssh2
    Dec 12 22:06:15 node101 sshd[10398]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Dec 12 23:04:05 node101 sshd[13301]: Accepted password for root from 172.30.1.2 port 49462 ssh2
    Dec 12 23:04:05 node101 sshd[13301]: pam_unix(sshd:session): session opened for user root by (uid=0)
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# tail -20 /var/log/secure    #我们在该日志文件中找到了有关sshd服务的日志,但除了sshd服务的日志外还有其他服务对应"AUTHPRIV"日志级别的信息也保存到该文件啦。因此我们可以把sshd服务的日志单独抽出来保存
    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/ssh/sshd_config  |grep SyslogFacility        #默认sshd的日志类别为AUTHPRIV
    SyslogFacility AUTHPRIV
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# vim /etc/ssh/sshd_config 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/ssh/sshd_config  |grep SyslogFacility         #我们将默认的日志类注释掉,我们直到local0-7是可以自定义的日志类别,而local7已经被保存boot日志了,因此我们可用的只有local0-6啦,于是我这里将sshd服务日志类型定义为自定义类型local0。
    SyslogFacility local0
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# grep local0 /etc/rsyslog.conf                             #我们将自定义日志类型local0对应的所有日志级别日志记录到"/var/log/sshd.log"中
    local0.* /var/log/sshd.log
    [root@node101.yinzhengjie.org.cn ~]#
    [root@node101.yinzhengjie.org.cn ~]# ll /var/log/sshd.log                                  #我们发现修改了配置文件后并没有生成"/var/log/sshd.log"文件,那是因为配置还没有生效,需要重启服务
    ls: cannot access /var/log/sshd.log: No such file or directory
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# systemctl restart sshd rsyslog                             #注意,咱们修改了sshd服务和rsyslog服务的配置文件,因此我们需要重启这2个服务
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /var/log/sshd.log                                      #我们重启服务后就存在该文件啦
    -rw------- 1 root root 143 Dec 13 00:26 /var/log/sshd.log
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat /var/log/sshd.log                                     #重启后发现文件立即就记录类容啦
    Dec 13 00:26:23 node101 sshd[17428]: Server listening on 0.0.0.0 port 22.
    Dec 13 00:26:23 node101 sshd[17428]: Server listening on :: port 22.
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ssh 127.0.0.1                                      #于是我们使用ssh连接一下本机在观察日志是否有记录
    The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
    ECDSA key fingerprint is SHA256:uv+7B8M+Muy0u0bnGOplDlSUE4lRiinkGDgEdRk7ChA.
    ECDSA key fingerprint is MD5:b8:16:3f:d7:e2:7d:68:70:f5:bf:d2:d0:0c:af:db:16.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
    root@127.0.0.1's password: 
    Last login: Thu Dec 12 23:04:05 2019 from 172.30.1.2
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# exit 
    logout
    Connection to 127.0.0.1 closed.
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat /var/log/sshd.log                                #果不其然,的确有日志记录啦~
    Dec 13 00:26:23 node101 sshd[17428]: Server listening on 0.0.0.0 port 22.
    Dec 13 00:26:23 node101 sshd[17428]: Server listening on :: port 22.
    Dec 13 00:27:21 node101 sshd[17480]: Accepted password for root from 127.0.0.1 port 58598 ssh2
    Dec 13 00:27:26 node101 sshd[17480]: Received disconnect from 127.0.0.1 port 58598:11: disconnected by user
    Dec 13 00:27:26 node101 sshd[17480]: Disconnected from 127.0.0.1 port 58598
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]#  

    2>.logger命令使用案例

    [root@node101.yinzhengjie.org.cn ~]# logger -p local0.info "ssh event start"                     #我们往local0日志类型发一条info级别信息,消息内容为"ssh event start"
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# tail -1 /var/log/sshd.log                             #很显然,上面的日志被rsyslog服务记录到local0类型所对应存储的位置了
    Dec 13 00:33:53 node101 root: ssh event start
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 

    五.远程日志收集

    1>.启用网络日志服务

    2>.

    3>.

  • 相关阅读:
    C++内存泄漏检测拾遗
    利用ACE_Get_Opt解析命令
    ACE Reactor模型学习
    Acceptor模型和Connector模型学习
    IOCP模型示例
    ACE Proactor模型示例
    如何:为 ASP.NET 网页全球化设置区域性和 UI 区域性
    Update Calendar Item In excaheng server by exchange web services
    ASP.NET Security Architecture
    Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 500.19 – Internal Server Error"
  • 原文地址:https://www.cnblogs.com/yinzhengjie/p/12026811.html
Copyright © 2011-2022 走看看