    Linux - Log Management

    AAA, the three things logs exist to record:

    • Authentication: who proved their identity, and how
    • Authorization: what they were allowed to do
    • Accounting (audit): what they actually did, kept so it can be reviewed afterwards

    dmesg

    Shows the kernel ring buffer: messages from the kernel itself, mostly from boot (the kernel version, the command line it was booted with, CPU features, drivers) plus later kernel events

    [root@localhost ~]# dmesg
    [    0.000000] Linux version 4.18.0-193.el8.x86_64 (mockbuild@x86-vm-08.build.eng.bos.redhat.com) (gcc version 8.3.1 20191121 (Red Hat 8.3.1-5) (GCC)) #1 SMP Fri Mar 27 14:35:58 UTC 2020
    [    0.000000] Command line: BOOT_IMAGE=(hd0,msdos1)/vmlinuz-4.18.0-193.el8.x86_64 root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet
    [    0.000000] Disabled fast string operations
    [    0.000000] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'
    [    0.000000] x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers'
    [    0.000000] x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers'
    [    0.000000] x86/fpu: Supporting XSAVE feature 0x020: 'AVX-512 opmask'
    [    0.000000] x86/fpu: Supporting XSAVE feature 0x040: 'AVX-512 Hi256'
    [    0.000000] x86/fpu: Supporting XSAVE feature 0x080: 'AVX-512 ZMM_Hi256'
    [    0.000000] x86/fpu: Supporting XSAVE feature 0x200: 'Protection Keys User registers'
    ......
    

    Viewing log files

    Log files are normally watched with tail -f, which follows the file and prints new lines as they are written

    General system messages (/var/log/messages): with the default RHEL rsyslog rule this receives every facility at priority info and above, except mail, authpriv and cron, which are routed to their own files

    [root@localhost ~]# tail -f /var/log/messages 
    Dec 15 15:31:04 localhost NetworkManager[1122]: <info>  [1608017464.0147] dhcp4 (ens160): option requested_subnet_mask => '1'
    Dec 15 15:31:04 localhost NetworkManager[1122]: <info>  [1608017464.0147] dhcp4 (ens160): option requested_time_offset => '1'
    Dec 15 15:31:04 localhost NetworkManager[1122]: <info>  [1608017464.0147] dhcp4 (ens160): option requested_wpad       => '1'
    Dec 15 15:31:04 localhost NetworkManager[1122]: <info>  [1608017464.0147] dhcp4 (ens160): option routers              => '192.168.237.2'
    Dec 15 15:31:04 localhost NetworkManager[1122]: <info>  [1608017464.0147] dhcp4 (ens160): option subnet_mask          => '255.255.255.0'
    Dec 15 15:31:04 localhost NetworkManager[1122]: <info>  [1608017464.0147] dhcp4 (ens160): state changed extended -> extended
    Dec 15 15:31:04 localhost dbus-daemon[1033]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service' requested by ':1.8' (uid=0 pid=1122 comm="/usr/sbin/NetworkManager --no-daemon " label="system_u:system_r:NetworkManager_t:s0")
    Dec 15 15:31:04 localhost systemd[1]: Starting Network Manager Script Dispatcher Service...
    Dec 15 15:31:04 localhost dbus-daemon[1033]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
    Dec 15 15:31:04 localhost systemd[1]: Started Network Manager Script Dispatcher Service.
    

    Mail subsystem log (/var/log/maillog); empty on this host because no mail has been handled

    [root@localhost ~]# tail -f /var/log/maillog 
    
    

    Security-related log (/var/log/secure, the authpriv facility): logins on ttys and over ssh, PAM session open/close, sudo, polkit

    [root@localhost ~]# tail -f /var/log/secure
    Dec  4 15:14:04 localhost polkitd[1021]: Loading rules from directory /usr/share/polkit-1/rules.d
    Dec  4 15:14:04 localhost polkitd[1021]: Finished loading, compiling and executing 2 rules
    Dec  4 15:14:04 localhost polkitd[1021]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
    Dec  4 15:14:06 localhost sshd[1133]: Server listening on 0.0.0.0 port 22.
    Dec  4 15:14:06 localhost sshd[1133]: Server listening on :: port 22.
    Dec  4 15:14:15 localhost systemd[4268]: pam_unix(systemd-user:session): session opened for user root by (uid=0)
    Dec  4 15:14:15 localhost login[1158]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
    Dec  4 15:14:15 localhost login[1158]: ROOT LOGIN ON tty1
    Dec 15 14:16:49 localhost sshd[5378]: Accepted password for root from 192.168.237.1 port 65504 ssh2
    Dec 15 14:16:49 localhost sshd[5378]: pam_unix(sshd:session): session opened for user root by (uid=0)
    

    priority (log level)

    Priorities from lowest to highest; the lower the level, the more verbose the output. Naming a priority in a selector means that priority and everything more severe than it:

    Level          Meaning
    debug          debugging output from a program or the system
    info           informational messages
    notice         normal but noteworthy conditions
    warning/warn   events that may affect the system and should be brought to the user's attention
    err/error      error conditions
    crit           critical conditions
    alert          action must be taken immediately
    emerg/panic    the system is unusable
    *              all priorities
    none           the opposite of *: no messages at all from that facility

    Remote log collection:

    Why collect logs centrally?

    Two reasons: logs from many hosts can be searched and analysed together, and a copy on a separate host survives when the originating host is compromised or its disk fails (an attacker with root can edit or delete the local files, but not the copies already shipped off).

    • ELK

      • elasticsearch: stores and indexes the logs

      • logstash: collects and parses the logs

      • kibana: front end for searching and visualising them

    [root@localhost ~]# tty
    /dev/pts/0
    
    //send every message to this terminal (handy for watching everything; remove the line afterwards)
    [root@localhost ~]# vi /etc/rsyslog.conf 
    *.* /dev/pts/0
    
    //restart the logging service
    [root@localhost ~]# systemctl restart rsyslog
    [root@localhost ~]# Dec 15 16:04:08 localhost systemd[1]: Stopping System Logging Service...
    Dec 15 16:04:09 localhost rsyslogd[1366]: [origin software="rsyslogd" swVersion="8.1911.0-3.el8" x-pid="1366" x-info="https://www.rsyslog.com"] exiting on signal 15.
    Dec 15 16:04:09 localhost systemd[1]: Stopped System Logging Service.
    Dec 15 16:04:09 localhost systemd[1]: Starting System Logging Service...
    Dec 15 16:04:09 localhost rsyslogd[47457]: [origin software="rsyslogd" swVersion="8.1911.0-3.el8" x-pid="47457" x-info="https://www.rsyslog.com"] start
    Dec 15 16:04:09 localhost systemd[1]: Started System Logging Service.
    Dec 15 16:04:09 localhost rsyslogd[47457]: imjournal: journal files changed, reloading...  [v8.1911.0-3.el8 try https://www.rsyslog.com/e/0 ]
    
    //after an ssh login with a deliberately wrong password
    Dec 15 16:05:11 localhost unix_chkpwd[47464]: password check failed for user (root)
    Dec 15 16:05:11 localhost sshd[47462]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.237.1  user=root
    Dec 15 16:05:12 localhost sshd[47462]: Failed password for root from 192.168.237.1 port 52482 ssh2
    Dec 15 16:05:18 localhost sshd[47462]: error: Received disconnect from 192.168.237.1 port 52482:0:  [preauth]
    Dec 15 16:05:18 localhost sshd[47462]: Disconnected from authenticating user root 192.168.237.1 port 52482 [preauth]
    
    
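    The /var/log/secure records above (the sshd "Failed password" and "Accepted password" lines, and the pam_unix failure that precedes them) are what an analyst scans for password guessing. The following is an added example, not code from the original article: it parses records in that classic rsyslog file format and flags sources with repeated failures, and sources that succeeded after failing. The log lines are constructed in the same format as the article's output (the 203.0.113.9 source and the user "admin" are made up), and the threshold, window and the year (which the classic timestamp lacks) are this example's assumptions.

```python
"""Spot password guessing against sshd in /var/log/secure-style records.

Added example, not from the original article. The log lines below are
constructed in the same format as the article's /var/log/secure output
(the 203.0.113.9 source and the 'admin' user are made up). The threshold,
window and the year are this example's assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Classic rsyslog file format: "Mon DD HH:MM:SS host prog[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# sshd outcomes of interest; "invalid user" marks names that do not exist on the host
FAILED_RE = re.compile(r"^Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2")
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2")

ASSUMED_YEAR = 2020  # assumption: the classic timestamp carries no year


def parse_line(line, year=ASSUMED_YEAR):
    """Split one record into timestamp, host, program, pid and message (None if not a record)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "pid": m["pid"], "msg": m["msg"]}


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return (flagged, succeeded_after_failure).

    flagged: {source_ip: most failures seen inside any 'window'} for sources
             that reach 'threshold'.
    succeeded_after_failure: {(source_ip, user)} that logged in successfully
             after at least one failure from the same source for the same user,
             the combination an analyst wants to look at first.
    """
    failures = defaultdict(list)
    failed_pairs = set()
    succeeded = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["prog"] != "sshd":
            continue
        f = FAILED_RE.match(rec["msg"])
        if f:
            failures[f["ip"]].append(rec["ts"])
            failed_pairs.add((f["ip"], f["user"]))
            continue
        a = ACCEPTED_RE.match(rec["msg"])
        if a and (a["ip"], a["user"]) in failed_pairs:
            succeeded.add((a["ip"], a["user"]))
    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        best = start = 0
        for end in range(len(stamps)):            # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged, succeeded


# Constructed sample in the article's /var/log/secure format.
SAMPLE_SECURE = """\
Dec 15 16:05:11 localhost unix_chkpwd[47464]: password check failed for user (root)
Dec 15 16:05:11 localhost sshd[47462]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.237.1  user=root
Dec 15 16:05:12 localhost sshd[47462]: Failed password for root from 192.168.237.1 port 52482 ssh2
Dec 15 16:05:18 localhost sshd[47462]: Disconnected from authenticating user root 192.168.237.1 port 52482 [preauth]
Dec 15 16:07:01 localhost sshd[47470]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
Dec 15 16:07:02 localhost sshd[47471]: Failed password for invalid user admin from 203.0.113.9 port 40002 ssh2
Dec 15 16:07:03 localhost sshd[47472]: Failed password for root from 203.0.113.9 port 40003 ssh2
Dec 15 16:07:04 localhost sshd[47473]: Failed password for root from 203.0.113.9 port 40004 ssh2
Dec 15 16:07:05 localhost sshd[47474]: Failed password for root from 203.0.113.9 port 40005 ssh2
Dec 15 16:07:09 localhost sshd[47475]: Accepted password for root from 203.0.113.9 port 40006 ssh2
Dec 15 16:30:00 localhost sshd[47480]: Accepted publickey for alice from 192.168.237.1 port 52500 ssh2
""".splitlines()

if __name__ == "__main__":
    flagged, succeeded = detect_bruteforce(SAMPLE_SECURE)
    print("repeated failures:", flagged)              # {'203.0.113.9': 5}
    print("succeeded after failing:", succeeded)      # {('203.0.113.9', 'root')}
```

    The single wrong password from 192.168.237.1 stays below the threshold, which is the point of counting inside a window rather than alerting on every failure; the same parser can be pointed at the btmp-derived lastb output only after converting it, since wtmp and btmp are binary, not text.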

    Selector format, with examples

    mail.info /var/log/maillog

    mail messages at priority info and above are written to /var/log/maillog, and the file is synced after each write

    mail.* -/var/log/maillog

    all mail messages are written to /var/log/maillog; the "-" before the path tells rsyslog not to sync (fsync) the file after every write

    #sync: each message is flushed to disk as soon as it arrives, so nothing is lost on a crash, at the cost of I/O
    #no sync: writes are buffered and flushed later, which is much cheaper; in rsyslog 8 the "-" only has an effect when $ActionFileEnableSync is turned on, because syncing is already off by default

    user.!=error

    excludes user messages at exactly error (the "=" limits the exclusion to that single priority)

    user.!error

    excludes user messages at error and above; a "!" selector only removes what an earlier selector on the same line selected, so on its own it matches nothing and is normally written after a positive one, e.g. user.*;user.!error

    *.info

    all facilities at priority info and above

    mail.*

    mail at every priority

    *.*

    every facility at every priority

    cron.info;mail.info

    several selectors are separated by semicolons

    cron,mail.info

    several facilities sharing one priority are separated by commas; equivalent to cron.info;mail.info

    mail.*;mail.!=info

    all mail messages except those at exactly info
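    To check the priority table and the selector examples above against the sysklogd-style rules they rely on, here is an added example, not code from the original article or from rsyslog itself: a small model of classic selector matching. It handles bare priorities (that level and above), "=", "!", "!=", "*", "none", comma-separated facilities and semicolon-separated selectors applied left to right. It covers only the legacy selector syntax, not RainerScript if/then filters; that restriction is this example's own.

```python
"""Model of classic rsyslog selector matching (facility.priority[;...]).

Added example, not code from the original article or from rsyslog itself:
it implements the sysklogd-style rules the selector examples rely on so each
example can be checked. Legacy selector syntax only (no RainerScript).
"""

# Severities from least to most severe. A bare priority in a selector means
# "this one and everything more severe".
SEVERITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
# Alternative spellings rsyslog accepts.
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
# The facility names used on this page plus the local ones.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]


def _severity_index(name):
    name = ALIASES.get(name, name)
    if name not in SEVERITIES:
        raise ValueError(f"unknown priority {name!r}")
    return SEVERITIES.index(name)


def _apply_priority(selected, spec):
    """Add to or remove from 'selected' (severity indexes for one facility)
    according to one priority spec: pri, =pri, !pri, !=pri, * or none."""
    exclude = spec.startswith("!")
    if exclude:
        spec = spec[1:]
    exact = spec.startswith("=")
    if exact:
        spec = spec[1:]
    if spec == "*":
        wanted = set(range(len(SEVERITIES)))
    elif spec == "none":
        # 'none' drops the facility entirely, whatever earlier selectors said
        wanted, exclude = set(range(len(SEVERITIES))), True
    else:
        idx = _severity_index(spec)
        wanted = {idx} if exact else set(range(idx, len(SEVERITIES)))
    if exclude:
        selected -= wanted
    else:
        selected |= wanted


def parse_selector(line):
    """Return {facility: set of severity indexes} for a selector field such as
    'mail.*;mail.!=info' or 'cron,mail.info'. Selectors are applied left to
    right, so a '!' selector removes only what an earlier one added."""
    table = {fac: set() for fac in FACILITIES}
    for selector in line.split(";"):
        selector = selector.strip()
        if not selector:
            continue
        facs, _, spec = selector.rpartition(".")
        names = FACILITIES if facs.strip() == "*" else [f.strip() for f in facs.split(",")]
        for fac in names:
            if fac not in table:
                raise ValueError(f"unknown facility {fac!r}")
            _apply_priority(table[fac], spec.strip())
    return table


def matches(selector_line, facility, severity):
    """True if a message with this facility and severity is routed by an
    action line that starts with selector_line."""
    return _severity_index(severity) in parse_selector(selector_line)[facility]


def selected_severities(selector_line, facility):
    """Severity names selector_line routes for one facility, least severe first."""
    return [SEVERITIES[i] for i in sorted(parse_selector(selector_line)[facility])]


if __name__ == "__main__":
    for sel in ["mail.info", "mail.*;mail.!=info", "*.info;mail.none;authpriv.none;cron.none",
                "user.!=error", "user.*;user.!error"]:
        print(f"{sel:45} mail: {selected_severities(sel, 'mail')}")
        print(f"{'':45} user: {selected_severities(sel, 'user')}")
```

    Running it shows why the default RHEL rule for /var/log/messages is written *.info;mail.none;authpriv.none;cron.none: the three "none" selectors strip those facilities after *.info has selected everything, and a lone user.!=error selects nothing because there is nothing yet to subtract from.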

    Format of a record in a text log file (/var/log/messages):

    date and time of the event   host   process[pid]:   event text

     Dec 15 16:16:04 localhost NetworkManager[1122]: <info>  [1608020164.0143] dhcp4 (ens160): option requested_subnet_mask => '1'
    

    Logs kept in binary format

    Both files below are utmp records written by login programs, not by rsyslog, and both are writable by root: an intruder who has gained root can truncate them, so last and lastb are only trustworthy when compared against records kept on another host.

    /var/log/wtmp

    Successful logins, logouts and reboots on this system; read it with the last command (file(1) does not recognise the utmp format, hence the nonsense description it prints)

    [root@localhost ~]# file /var/log/wtmp
    /var/log/wtmp: firmware 0 v0 (revision 0)   V2, 0 bytes or less, UNKNOWN2 0x38365f36, at 0x0 0 bytes , at 0x0 0 bytes 
    [root@localhost ~]# last
    root     pts/0        192.168.237.1    Tue Dec 15 14:16   still logged in
    root     tty1                          Fri Dec  4 15:14    gone - no logout
    reboot   system boot  4.18.0-193.el8.x Fri Dec  4 15:14   still running
    
    wtmp begins Fri Dec  4 15:14:01 2020
    

    /var/log/btmp

    Failed login attempts on this system; read it with lastb. The ssh:notty entry is the deliberately wrong password from earlier

    [root@localhost ~]# file /var/log/btmp
    /var/log/btmp: data
    [root@localhost ~]# lastb
    root     ssh:notty    192.168.237.1    Tue Dec 15 16:05 - 16:05  (00:00)
    
    btmp begins Tue Dec 15 16:05:12 2020
    

    Configuring an rsyslog server

    Question: how do you write one host's authentication log to another host?

    Client: hostname 128, IP address 192.168.237.128

    Server: hostname 133, IP address 192.168.237.133

    //configure the client
    //(the local file is commented out and authpriv forwarded to the server instead; in practice keep both lines so the client still has its own /var/log/secure)
    //a single "@" forwards over UDP; "@@" forwards over TCP
    [root@128 ~]# vi /etc/rsyslog.conf 
    # The authpriv file has restricted access.
    #authpriv.*                                              /var/log/secure
    authpriv.*                                              @192.168.237.133
    [root@128 ~]# systemctl restart rsyslog
    [root@128 ~]# systemctl stop firewalld
    [root@128 ~]# setenforce 0
    
    //configure the server
    //(uncomment the lines below; note that it is the server that has to accept inbound 514/udp, so the firewall rule belongs here, e.g. firewall-cmd --permanent --add-port=514/udp && firewall-cmd --reload; stopping firewalld and setting SELinux permissive on the client, as above, does not affect reception on the server)
    [root@133 ~]# vi /etc/rsyslog.conf
    # Provides UDP syslog reception
    # for parameters see http://www.rsyslog.com/doc/imudp.html
    module(load="imudp") # needs to be done just once
    input(type="imudp" port="514")
    
    # Provides TCP syslog reception
    # for parameters see http://www.rsyslog.com/doc/imtcp.html
    module(load="imtcp") # needs to be done just once
    input(type="imtcp" port="514")
    [root@133 ~]# systemctl restart rsyslog
    
    
    //log in to client 128 over ssh with a deliberately wrong password; server 133 records it too
    [C:~]$ ssh root@192.168.237.128
    [root@133 ~]# tail -f /var/log/secure
    Dec 15 17:33:28 128 unix_chkpwd[47650]: password check failed for user (root)
    Dec 15 17:33:28 128 sshd[47648]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.237.1  user=root
    Dec 15 17:33:31 128 sshd[47648]: Failed password for root from 192.168.237.1 port 53843 ssh2
    Dec 15 17:33:33 128 sshd[47648]: error: Received disconnect from 192.168.237.1 port 53843:0:  [preauth]
    Dec 15 17:33:33 128 sshd[47648]: Disconnected from authenticating user root 192.168.237.1 port 53843 [preauth]
    
    //do the same against 133 itself; the server also records its own failed logins
    [C:~]$ ssh root@192.168.237.133
    [root@133 ~]# tail -f /var/log/secure
    Dec 15 17:33:47 133 unix_chkpwd[1955]: password check failed for user (root)
    Dec 15 17:33:47 133 sshd[1953]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.237.1  user=root
    Dec 15 17:33:49 133 sshd[1953]: Failed password for root from 192.168.237.1 port 53847 ssh2
    Dec 15 17:33:52 133 sshd[1953]: error: Received disconnect from 192.168.237.1 port 53847:0:  [preauth]
    Dec 15 17:33:52 133 sshd[1953]: Disconnected from authenticating user root 192.168.237.1 port 53847 [preauth]
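    The forwarding above sends each authpriv record as one plain UDP datagram. As an added example, not part of the original article or of rsyslog, the following models both ends of that exchange offline: the client side builds the datagram in the legacy BSD-syslog format a single "@" forward uses, and the server side decodes it and checks the self-reported hostname against the source address it arrived from. The message texts are constructed in the format of the article's /var/log/secure output; logging them at severity info, the 198.51.100.7 rogue source, and the source-address-to-hostname table are this example's assumptions.

```python
"""Both ends of 'authpriv.* @192.168.237.133': the datagram rsyslog sends and
how the receiver should read it.

Added example, not part of the original article or of rsyslog. Message texts
are constructed in the format of the article's output; the 'info' severity,
the rogue source and the hostname table are this example's assumptions.
"""
import re

# Numeric facility and severity codes (RFC 3164 / RFC 5424): PRI = facility * 8 + severity
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def pri(facility, severity):
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def encode(facility, severity, timestamp, hostname, tag, msg):
    """Client side: '<PRI>TIMESTAMP HOSTNAME TAG: MSG', rsyslog's default forwarding format."""
    return f"<{pri(facility, severity)}>{timestamp} {hostname} {tag}: {msg}".encode()


DGRAM_RE = re.compile(
    rb"^<(\d{1,3})>([A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^:\s]+): (.*)$", re.S)


def decode(datagram):
    """Server side: split a datagram into its fields; raises ValueError on junk."""
    m = DGRAM_RE.match(datagram)
    if not m:
        raise ValueError("not a BSD-syslog datagram")
    code = int(m.group(1))
    if code > 191:
        raise ValueError(f"PRI {code} out of range")
    return {
        "facility": FACILITIES[code // 8],
        "severity": SEVERITIES[code % 8],
        "timestamp": m.group(2).decode(),
        "hostname": m.group(3).decode(),
        "tag": m.group(4).decode(),
        "msg": m.group(5).decode(errors="replace"),
    }


# Hypothetical asset list: the hostname each known forwarder is allowed to report.
EXPECTED_HOSTNAME = {"192.168.237.128": "128", "192.168.237.133": "133"}


def receive(datagram, source_ip):
    """Decode, then compare the self-reported hostname with the UDP source address.
    Neither is authenticated on plain UDP (the source address can be spoofed too),
    but the check catches the easy case of one host writing records under another's name."""
    rec = decode(datagram)
    rec["source_ip"] = source_ip
    rec["trusted"] = EXPECTED_HOSTNAME.get(source_ip) == rec["hostname"]
    return rec


if __name__ == "__main__":
    # What client 128 sends for the failed login shown above (severity assumed).
    genuine = encode("authpriv", "info", "Dec 15 17:33:31", "128", "sshd[47648]",
                     "Failed password for root from 192.168.237.1 port 53843 ssh2")
    # An unrelated machine forging a record that claims to come from 128.
    forged = encode("authpriv", "info", "Dec 15 17:40:00", "128", "sshd[1]",
                    "Accepted password for root from 192.168.237.1 port 1 ssh2")
    print(genuine)                                          # b'<86>Dec 15 17:33:31 128 sshd[47648]: Failed password ...'
    print(receive(genuine, "192.168.237.128")["trusted"])   # True
    print(receive(forged, "198.51.100.7")["trusted"])       # False
```

    PRI 86 is authpriv (10 * 8) plus info (6). The hostname check is a weak control: on UDP the source address is as forgeable as the payload, and the records cross the network in plaintext. For anything beyond a lab, forward with "@@" over TCP and rsyslog's gtls network stream driver so the server verifies the client's certificate, and open 514 on the server's firewall rather than stopping firewalld.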
    
  • Original article: https://www.cnblogs.com/yuqinghao/p/14147812.html