Linux system learning series -- Linux system log management (2)

Logs are important system files , All important events in the system are recorded and saved . But log files also need regular maintenance , Because log files are growing , If you don't do log maintenance at all , And let it increase at will , It won't take long , Our hard disk will be full of .

The main job of log maintenance is to delete the old log files , To make room for new log files . If the work is done manually by the Administrator , It's actually very cumbersome , And it's easy to forget . that Linux Whether the system can automatically complete the rotation of the log ？

logrotate It's used for log rotation （ Also called log dump ） Of , That is to move and rename the old log file , At the same time, create a new empty log file to record the new log , Old log files are deleted when they are out of range .

need Linux Information and Linux Beginner Subjects +qun832218493 obtain

Naming rules for log files

The main function of log rotation is to move and rename old log files , Also create a new empty log file , Old log files are deleted when they are out of range . that , After the old log file was renamed , How to name it ？ Mainly depends on /etc/logrotate.conf In the configuration file “dateext” Parameters .

If there is... In the configuration file “dateext” Parameters , Then the log will use the date as the suffix of the log file , Such as “secure-20130605”. In this way, the log file names will not overlap , There is no need to rename the log file , Only the specified number of logs need to be saved , Delete redundant log files .

If there is no “dateext” Parameters , Then the log file needs to be renamed . When the first log rotation , Current “secure” The log will automatically be renamed “secure.1”, Then build “secure” journal , To save new logs ; When the log rotation is performed for the second time ,“secure.1” It will automatically change its name to “secure.2”, Current “secure” The log will automatically be renamed “secure.1”, And then it's going to be new “secure” journal , To save new logs ; And so on .

logrotate The configuration file

Let's take a look at logrotate Configuration file for /etc/logrotate.conf Default content of .

[[email protected] ~]# vi /etc/logrotate.conf

see "man logrotate" for details

rotate log files weekly

weekly

Rotate the log files once a week

keep 4 weeks worth of backlogs rotate 4

preservation 4 Log files , in other words , If it does 5 Next log rotation , The first backup log will be deleted

create new (empty) log files after rotating old ones create

In log rotation , Automatically create new log files

use date as a suffix of the rotated file dateext

Use date as suffix of log rotation file

uncomment this if you want your log files compressed #compress

Is the log file compressed . If uncomment , The log will be compressed at the same time as the dump

The above log configuration is the default configuration , If the log needs to be rotated, no independent parameters are set , Then the above parameters will be followed

If the rotation log is configured with independent parameters , Then independent parameters have a higher priority

RPM packages drop log rotation information into this directory include /etc/logrotate.d

contain /etc/logrotate.d/ All the sub configuration files in the directory . in other words , It will read all the sub configuration files in this directory , Log rotation

no packages own wtmp and btmp -- we'11 rotate them here

The following two rotations have their own independent parameters , If it conflicts with the default parameters , Then the independent parameters take effect

/var/log/wtmp {

The following parameters are only valid for this directory

monthly

Rotate the log files once a month

create 0664 root utmp

New log files created , Permissions are 0664, The owner is root, The group is utmp Group

minsize 1M

The minimum rotation size of the log file is 1MB. That is to say, the log must exceed 1MB It will take turns , Otherwise, even if the time reaches one month , And we don't have to take turns

rotate 1

Keep only one log backup . That is to say, only keep wtmp and wtmp.1 Yuezhi )

/var/log/btmp {

The following parameters are only for /var/log/btmp take effect

missingok

If the log does not exist , Ignore the warning message in the log

monthly
create 0600 root utmp
rotate 1
}

system-specific logs may be also be configured here.

In this configuration file , It is divided into three parts ： The first part is the default settings , If there is no special configuration for the log file to be dumped , The default parameters are followed ;
The second part is reading /etc/logrotate.d/ The sub configuration file of log rotation in directory , in other words , stay /etc/logrotate.d/ All sub configuration files in the directory that conform to the syntax rules will also be log rotated ;
The third part is about wtmp and btmp Set the rotation of log files , If this setting conflicts with the default parameter , The current settings take effect （ Such as wtmp The current parameter set for the rotation time is monthly , The rotation time of the default parameter is weekly , On the other hand wtmp This log file says , The rotation time is monthly , The current setting parameters take effect ）.

logrotate The main parameters of the configuration file are shown in the table 1 Shown .

Among these parameters, the more difficult to understand should be prerotate/endscript and postrotate/endscript, We make use of “man logrotate” To explain these two parameters . for example ：

"/var/log/httpd/access.log" /var/log/httpd/error.log {

The log rotation is /var/log/httpd/ in RPM Package installed by default apache Correct access log and error log

    rotate 5
    # Rotation 5 Time
    mail [email protected]
    # Send the message to the designated mailbox
    size 100k
    # The log is larger than 100KB Only when the log rotation , No longer rotate according to time
    sharedscripts
    # The following script is executed only once
    postrotate
    # After the log rotation , Execute the following script
    /usr/bin/killall -HUP httpd
    # restart apache service
endscript

Script end

}

prerotate and postrotate It is mainly used to execute the specified script while the log rotation is in progress , It is generally used to restart the service after log rotation . Let's emphasize here , If your log is written rsyslog Of the configuration file for the service , Then add the new log to logrotate after , Make sure you reboot rsyslog service , Otherwise you will find out , Although the new log set up , But the data is still written into the old log . That's because although logrotate Know that the log rotation , however rsyslog The service didn't know .

Empathy , If you use the source package to install apache、Nginx Etc , You need to restart apache or Nginx service , At the same time, you have to restart rsyslog service , Otherwise, the log will not rotate normally .

however , A typical application here is to add specific logs chattr Of a attribute . If the system file is added with a attribute , Then this file can only add data , You can't delete or modify existing data ,root Users are no exception .

therefore , We will add... To important log files a attribute , In this way, the log file can be protected from malicious modification . however , Once joined a attribute , So in the log rotation , This log file cannot be renamed , Of course, there is no log rotation . We can use prerotate and postrotate Parameter to modify the log file chattr Of a attribute .

Add your own log to the log rotation

If some logs do not add log rotation by default （ For example, the log of the service installed by the source code package , Or add your own log ）, Then these logs will not rotate by default , This certainly does not meet our requirements for log management . If you need to add these logs to the log rotation , Then how to operate ？

There are two ways ： The first way is directly to /etc/logrotate.conf Rotation policy written to the log in the configuration file , To add the log to the rotation ;
The second way is to /etc/logrotate.d/ The rotation file of the newly created log in the directory , Write the correct rotation policy in the rotation file , Because the files in this directory will be included in the main configuration file , So you can also add logs to rotation .

We recommend the second method , Because there are a lot of logs that need to rotate in the system , If all are written directly into /etc/logrotate.conf The configuration file , Then the manageability of this file will be very poor , Not conducive to the maintenance of this file .

It's complicated to say , Let's take an example . Remember that we made it ourselves /var/log/alert.log Journal ？ This log is not the default log of the system , It's through /etc/rsyslog.conf The log generated by the configuration file itself , So by default, the log will not be rotated . If we need to add this log to the log rotation strategy , Then how to achieve it ？ We use the second method , That is to say /etc/logrotate.d/ Create a rotation file for this log in the directory .

The specific steps are as follows ：

[[email protected] ~]# chattr +a /var/log/alert.log # First give the log file chattr Of a attribute , Keep the log safe
[[email protected] ~]# vi /etc/logrotate.d/alter

establish alter Rotation documents , hold /var/log/alert.log Join the rotation

/var/log/alert.log {
    weekly
    # Rotate once a week
    rotate 6
    # Retain 6 One rotation says ambition
    sharedscripts
    # The following command is executed only once
    prerotate
    # Execute before log rotation
        /usr/bin/chattr -a /var/log/alert.log
        # Cancel before log rotation a attribute , So that the logs can rotate
    endscript
    # The script ends with
    sharedscripts
    postrotate
    # Execute after log rotation
        /usr/bin/chattr +a /var/log/alert.log
        # After the log rotation , Rejoin a attribute
    endscript
    sharedscripts
    postrotate
    /bin/kill -HUP $(/bin/cat /var/run/syslogd.pid 2>/dev/null) fi>/dev/null
    endscript
    # restart rsyslog service , Make sure that the log rotation works properly
}

So we generate our own logs /var/log/alert.log It's time for log rotation , Of course, these configuration information can also be written directly /etc/logrotate.conf Of this configuration file .

Linux logrotate Command usage is explained in detail ： Log dump （ Rotation ）

The reason why log rotation can backup logs at a specified time , Because it depends on the system's timed tasks . If you remember /etc/cron.daily/ Catalog , You will find that there are logrotate Of documents , Take a look at this file , The order is as follows ：

[[email protected] ~]# vi /etc/cron.daily/logrotate

！/bin/sh

/usr/sbin/logrotate /etc/logrotate.conf >/dev/null 2>&1

The most important thing is to implement logrotate command

EXITVALUE=$?
if [ $EXITVALUE！= 0 ]; then
/usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
exit 0

in other words , The system runs every day /etc/cron.daily/logrotate file , Run... In this file “/usr/sbin/logrotate/etc/logrotate.conf>/dev/null 2>&1” command .logrotate Orders will be based on /etc/logrotate.conf Configuration of configuration file , To determine whether the logs in the configuration file meet the conditions of log rotation （ such as , Log backup time has been full for a week ）, If meet , The journal will rotate . So , Log rotation or by crond Service initiated .

logrotate What is the format of the command ？ Let's learn about .

[[email protected] ~]# logrotate [ Options ] Profile name

Options ： If there are no options for this command , The log rotation will be performed according to the conditions in the configuration file
-v： Show log rotation process . Joined the -v Options , The log rotation process will be displayed
-f： Force log rotation . Whether the conditions of log rotation are met or not , Force rotation of all logs in the configuration file

We execute logrotate command , And take a look at the execution process .

[[email protected] ~]# logrotate -v /etc/logrotate.conf

Check the log rotation process

… Omit part of the output …
rotating pattern：/var/log/alert.log weekly (6 rotations)

That's what we've joined in the rotation alert.log journal

empty log files are rotated, old logs are removed
considering log /var/log/alert.log
log does not need rotating

It's not a week , So there's no log rotation

… Omit part of the output …

We found that ,/var/log/alert.log Added log rotation , Has been logrotate Identify and call , It's just that time doesn't meet the criteria for rotation , So there was no rotation . Then we force a log rotation , See what happens .

[[email protected] ~]# logrotate -vf /etc/logrotate.conf

Force log rotation , Whether or not the rotation conditions are met

… Omit part of the output …
rotating pattern：/var/log/alert.log forced from command line (6 rotations)
empty log files are rotated, old logs are removed
considering log /var/log/alert.log
log needs rotating

The journal needs to rotate

rotating log /var/log/alert.log,log->rotateCount is 6
dateext suffix '-20130607'

Extract date parameters

glob pattern '-0-90-90-90-9'
glob finding old rotated logs failed
running prerotate script
fscreate context set to unconfined_u：object_r：var_log_t：s0
renaming /var/log/alert.log to /var/log/alert.log-20130607

The old log was renamed

creating new /var/log/alert.log mode = 0600 uid = 0 gid = 0

Create a new log file , Also specify permissions 、 Owners and groups

running postrotate script
… Omit part of the output …

We found that ,alert.log The log has completed the log rotation . Take a look at the newly generated logs and the old logs , as follows ：

[[email protected] ~]# ll /var/log/alert.log*
-rw-------.1 root root 0 6 month 7 10：07 /var/log/alert.log
-rw-------.1 root root 237 6 month 7 09：58 /var/log/alert.log-20130607

The old log files have been rotated

[[email protected] ~]# lsattr /var/log/alert.log
-----a-------e- /var/log/alert.log

New log files are added automatically chattr Of a attribute

logrotate The command is using “-f” After the option , It doesn't matter if the log meets the rotation conditions , And mandatory rotation of all logs .

Linux Log analysis tool （logwatch） Installation and use

Logs are very important system files , The important work of the administrator every day is to analyze and view the log of the server , Determine the health status of the server . But log management is a very boring job , If you need an administrator to view all logs on the server manually , It was a very painful job . Some administrators are lazy , Omit log detection , But doing so can easily lead to server problems .

So do we have alternatives ？ Yes , That's the log analysis tool . These log analysis tools look at the logs in detail , Analyze these logs at the same time , And send the results of the analysis to root user . such , We just check the email of log analysis tool every day , You can know the basic situation of the server , Instead of checking the logs one by one . In this way, the system administrator can be free from the heavy daily work , To deal with more important work .

stay CentOS It comes with a log analysis tool , Namely logwatch. However, this tool is not installed by default （ Because we chose “Basic Server”）, So you need to install it by hand . The installation command is as follows ：

[[email protected] Packages]# yum -y install logwatch

After installation , It needs to be generated manually logwatch Configuration file for . The default profile is /etc/logwatch/conf/logwatch.conf, But this configuration file is empty , You need to copy the template configuration file . The order is as follows ：

[[email protected] ~]# cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/logwatch.conf

Copy profile

Most of the contents of this configuration file are comments , Let's get rid of the comments , The contents of this configuration file are as follows ：

[[email protected] ~]# vi /etc/logwatch/conf/logwatch.conf

View the configuration file

LogDir = /var/log

logwatch Can analyze and count /var/log/ Log in

TmpDir = /var/cache/logwatch

Appoint logwatch The temporary directory of

MailTo = root

Log analysis results , to root Users send email

MailFrom = Logwatch

The sender of the mail is Logwatch, Show when receiving mail

Print =

Whether or not to print . If you choose “yes”, Then log analysis will be printed to standard output , And don't send email . We don't print here ,# But to root Users send email

Save = /tmp/logwatch

If you turn this on , Log analysis doesn't send email , It's stored in /tmp/logwatch In file

Range = yesterday

Analyze which day's log . Can identify “All”“Today”“Yesterday”, Used for analysis “ All logs ”“ Today's Journal ”“ Yesterday's diary ”

Detail = Low

The level of detail in the log . Can identify “Low”“Med”“High”. It can also be expressed in numbers , The scope is 0～10,“0” It means the least detailed ,“10” For the most detailed

Service = All

Analyze and monitor all logs

Service = "-zz-network"

But not monitoring “-zz-network” Logs of services .“- service name ” Indicates that the log of this service is not analyzed and monitored

Service = "-zz-sys"
Service = "-eximstats"

This configuration file doesn't need to be modified （ I put Range Item changed to All, Otherwise, there are too few logs that can be analyzed in the experiment later ）, It will default to daily execution . Why does it run every day ？ Smart readers have thought of , It must be crond The function of service . you 're right ,logwatch Once installed , Will be in /etc/cron.daily/ Create in directory “0logwatch” file , Used to execute at regular intervals every day logwatch command , Analyze and monitor relevant logs .

If you want this log analysis to be performed immediately , Then just execute logrotate Command is enough . The order is as follows ：

[[email protected] ~]# logwatch

Do it now logwatch Log analysis tool

[root01ocalhost ~]# mail

Check email

Heirloom Mail version 12.4 7/29/08. Type ? for help, "/var/spool/mail/root": 5 messages 1 new 2 unread
1 [email protected] Fri Jun 7 11:17 42/1482 "Logwatch for localhost.localdomain (Linux)"
U 2 [email protected] Fri Jun 7 11:19 42/1481 "Logwatch for localhost.localdomain (Linux)"
3 [email protected] Fri Jun 7 11:23 1234/70928 "Logwatch for localhost.localdomain (Linux)"
4 [email protected] Fri Jun 7 11:24 190/5070 "Logwatch for localhost.localdomain (Linux)"
5 [email protected] Fri Jun 7 11:55 41/1471 "Logwatch for localhost.localdomain (Linux)"

N 6 [email protected] Fri Jun 7 11:57 189/5059 "Logwatch for localhost.localdomain (Linux)"

The first 6 An email is a newly generated blog analysis email ,"N" The representative didn't check

& 6
Message 6:
From [email protected] Fri Jun 7 11:57:35 2013 Return-Path: <[email protected]>
X-Original-To: root
Delivered-To: [email protected]
To: [email protected]
From: [email protected]
Subject: Logwatch for localhost.localdomain (Linux)
Content-Type: text/plain; charset="iso-8859-1"
Date: Fri, 7 Jun 2013 11:57:33 +0800 (CST)
Status: R

Logwatch 7.3.6 (05/19/07)

Processing Initiated: Fri Jun 7 11:57:33 2013
Date Range Processed: all
Detail Level of Output: 0
Type of Output: unformatted
Logfiles for Host: localhost.localdomain

The above is the time and date of the analysis

... Omit part of the output ...
--------- Connections (secure-log) Begin-----------

analysis secure.log Contents of the log . Count which users and groups have been created , And the wrong login information New Users：

    bb (501)
    def (503)
    hjk (504)
    zhangsan (505)
    dovecot (97)
    dovenull (498)
    aa (500)

New Groups:
    bb (501)
    def (503)
    hjk (504)
    zhangsan (505)
    dovecot (97)
    dovenull (498)
    aa (500)

Failed logins:
User root:
(null): 3 Time(s)

Root logins on tty's: 7 Time(s).

Unmatched Entries
groupadd: group added to /etc/group: name=dovecot, GID=97: 1 Time(s)
groupadd: group added to /etc/group: name=dovenul1, GID=498: 1 Time(s)
groupadd: group added to /etc/gshadow: name=dovecot: 1 Time(s)groupadd: group added to /etc/gshadow: name=dovenull: 1 Time(s)
--------Connections (secure-log)End-------
-------------SSHD Begin-------------------

analysis SSHD Log . You can know what IP The address is connected to the server

SSHD Killed: 7 Time(s)
SSHD Started: 24 Time(s)
Users logging in through sshd:
192.168.0.104: 10 times
192.168.0.108: 8 times
192.168.0.101: 6 times
192.168.0.126: 4 times
192.168.0.100: 3 times
192.168.0.105: 3 times
192.168.0.106: 2 times
192.168.0.102: 1 time
192.168.0.103: 1 time
SFTP subsystem requests: 3. Time(s)
Unmatched Entries
Exiting on signal 15 : 6 time(s)
----------------SSHD End-----------

--------------- yum Begin ---------

Statistics yum Installed software . You can know what software we have installed

Packages Installed:
    perl-YAML-Syck-1.07-4.el6.i686
    perl-Date-Manip-6.24-1.el6.noarch
    logwatch-7.3.6-49.el6.noarch
-----------yum End-------------

--------Disk Space Begin-------

Statistics of disk space

Filesystem Size Used Avail Use% Mounted on
/dev/sda3 20G 1.9G 17G 11% /
/dev/sda1 194M 26M 158M 15% /boot
/dev/sr0 3.5G 3.5G 0 100% /mnt/cdrom
---------Disk Space End-----------------

Logwatch End

With this log analysis tool , Log management will be much easier . Of course , stay Linux Can support many log analysis tools , We only introduce here CentOS Self contained logwatch, You can choose the corresponding log analysis tool according to your own habits .