一、日志的作用
二、rsyslog服务介绍
三、日志文件的存放位置
四、常见日志文件内容介绍
五、用户验证相关日志
六、常用日志操作命令
七、日志管理策略
八、日志转储功能(logrotate)
一、日志的作用
用于记录系统、程序运行中发生的各种事件,有助于定位问题的根本原因
通过阅读日志,有助于诊断和解决系统故障
操作日志也重要
要会看日志
如何用日志呢?如下所示:
Linux系统日志目录:/var/log/messages,一行一条日志记录,如图所示:
日志文件的分类
内核及系统日志
由系统服务rsyslog统一进行管理,日志格式基本相似,日志格式可以自己定义,也 可以由rsyslog统一管理,由rsyslog统一管理的日志格式基本类似
用户日志
记录系统用户登录及退出系统的相关信息
程序日志
由各种应用程序独立管理的日志文件,记录格式不统一
Rsyslog记录日志的一般格式
二、rsyslog服务介绍
Rsyslog系统日志由系统服务 rsyslog统一管理
软件包:rsyslog-5.8.10-8
主要程序:/sbin/rsyslogd
配置文件:/etc/rsyslog.conf,#注释,通过修改配置文件可以改变工作方式
要使用rsyslog必须先安装rsyslog,检测是否有安装包:rpm -q rsyslog,看一下当前版本:rsyslogd -v,如下所示:
[root@centos—text ~]# rpm -q rsyslog
rsyslog-5.8.10-10.el6_6.x86_64
[root@centos—text ~]# rsyslogd -v
rsyslogd 5.8.10, compiled with:
FEATURE_REGEXP: Yes
FEATURE_LARGEFILE: No
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
Runtime Instrumentation (slow code): No
See http://www.rsyslog.com for more information.
[root@centos—text ~]#
也可以通过查看是否有rsyslog的进程查看,如下:
[root@centos—text ~]# ps -ef | grep rsyslog
root 1241 1 0 Nov10 ? 00:00:00 /sbin/rsyslogd -i /var/run/syslogd.pid -c 5
root 15812 15068 0 15:46 pts/0 00:00:00 grep rsyslog
[root@centos—text ~]#
查看配置文件如下:
[root@centos—text ~]# cat /etc/rsyslog.conf
rsyslog v5 configuration file
For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
MODULES
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
KaTeX parse error: Expected 'EOF', got '#' at position 18: …dLoad imklog #̲ provides kerne…ModLoad immark # provides --MARK-- message capability
Provides UDP syslog reception
#KaTeX parse error: Expected 'EOF', got '#' at position 15: ModLoad imudp #̲UDPServerRun 514
Provides TCP syslog reception
#KaTeX parse error: Expected 'EOF', got '#' at position 15: ModLoad imtcp #̲InputTCPServerRun 514
GLOBAL DIRECTIVES
Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
File syncing capability is disabled by default. This feature is usually not required,
not useful and an extreme performance hit
#$ActionFileEnableSync on
Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
RULES ####//规则主要在这里,规则记录了各种日志如何处理
Log all kernel messages to the console.
Logging much else clutters up the screen.
#kern.* /dev/console
#Log anything (except mail) of level info or higher.
#Don’t log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
#The authpriv file has restricted access.
authpriv.* /var/log/secure
Log all the mail messages in one place.
mail.* -/var/log/maillog
Log cron stuff
cron.* /var/log/cron
Everybody gets emergency messages
*.emerg *
Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
Save boot messages also to boot.log
local7.* /var/log/boot.log
The statement between the begin … end define a SINGLE forwarding
rule. They belong together, do NOT split them. If you create multiple
forwarding rules, duplicate the whole block!
Remote Logging (we use TCP for reliable delivery)
An on-disk queue is created for this action. If the remote host is
down, messages are spooled to disk and sent when it is up again.
#KaTeX parse error: Expected 'EOF', got '#' at position 32: …ar/lib/rsyslog #̲ where to place…ActionQueueFileName fwdRule1 # unique name prefix for spool files
#KaTeX parse error: Expected 'EOF', got '#' at position 30: …DiskSpace 1g #̲ 1gb space limi…ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#KaTeX parse error: Expected 'EOF', got '#' at position 30: …e LinkedList #̲ run asynchrono…ActionResumeRetryCount -1 # infinite retries if host is down
remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#. @@remote-host:514
end of the forwarding rule ###
[root@centos—text ~]#
在配置文件中,以#开头的都是注释,配置文件中设置日志处理的规则,规则写的格式如下:
配置文件:/etc/rsyslog.conf语法
日志设备(类型).(连接符号)日志级别 日志处理方式(action)
日志设备(可以理解为日志类型):
日志级别
NONE: 什么都不记录
EMERG(紧急):会导致主机系统不可用的情况
ALERT(警告):必须马上采取措施解决的问题
CRIT(严重):比较严重的情况
ERR(错误):运行出现错误
WARNING(提醒):可能会影响系统功能的事件
NOTICE(注意):不会影响系统但值得注意
NFO(信息):一般信息
DEBUG(调试):程序或系统调试信息等
从下到上,级别从低到高,记录的信息越来越少
连接符号
. :记录大于等于后面的级别日志
.=:只记录等于后面的级别日志
.!=:只记录不等于后面的级别日志
日志处理方式(即将日志如何处理)
本地文件:通常就是文件的绝对路径
打印机:例如 /dev/lp0 这个打印机装置
用户名称:显示给用户
远程主机:例如 @202.100.100.1
*:所有在线的用户
系统日志文件
系统日志保存位置
默认位于:/var/log 目录下
主要日志文件介绍
内核及公共消息日志:/var/log/messages
计划任务日志:/var/log/cron
系统引导日志:/var/log/dmesg
邮件系统日志:/var/log/maillog
程序日志文件
由相应的应用程序独立进行管理
Web服务:/var/log/httpd/
access_log、error_log
代理服务:/var/log/squid/
access.log、cache.log、squid.out、store.log
FTP服务:/var/log/xferlog
分析工具
文本查看、grep过滤检索、Webmin管理套件中查看
awk、sed等文本过滤、格式化编辑工具
Webalizer、Awstats等专用日志分析工具
用户日志文件(不能通过cat查看,要通过工具查看)
保存了用户登录、退出系统等相关信息
/var/log/lastlog:最近的用户登录事件
/var/log/wtmp:用户登录、注销及系统开、关机事件
/var/run/utmp:当前登录的每个用户的详细信息
/var/log/secure:与用户验证相关的安全性事件
用户登录分析
who、w、users、last、ac、lastlog
日志命令
主动记录日志工具
logger:从命令行直接向系统日志文件写入一行信息,logger是记录(产生)日志 的工具,rsyslog是处理日志的。
Logger如何用呢?
[root@centos—text ~]# echo “123456” | logger -it “test” -p authpriv.info
[root@centos—text ~]# tail /var/log/secure
Nov 12 21:57:08 centos—text sshd[12193]: pam_unix(sshd:session): session closed for user root
Nov 13 04:13:48 centos—text sshd[13939]: Accepted password for root from 172.16.2.17 port 56389 ssh2
Nov 13 04:13:48 centos—text sshd[13939]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 13 11:03:01 centos—text sshd[13939]: Received disconnect from 172.16.2.17: 0:
Nov 13 11:03:01 centos—text sshd[13939]: pam_unix(sshd:session): session closed for user root
Nov 13 11:03:31 centos—text sshd[15064]: Accepted password for root from 172.16.2.17 port 49232 ssh2
Nov 13 11:03:31 centos—text sshd[15064]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 13 16:18:11 centos—text sshd[15911]: Accepted password for root from 172.16.2.17 port 53059 ssh2
Nov 13 16:18:11 centos—text sshd[15911]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 13 16:20:49 centos—text test[15945]: 123456
[root@centos—text ~]#
-p指定如何根据规则处理此条日志
-it指定第三列子系统名
一个日志发过来后,会匹配每一个规则,如果匹配成功就会按相应的规则处理一遍。
修改/etc/rsyslog.conf配置文件后,要重启rsyslog后新的配置文件才会有效,service rsyslog restart。重启就会重新加载新的配置文件,就可加载到新的配置文件了。
selinux 用来加强Linux的一个模块,该模块会让好多功能不能实现,一般我们会关掉它。网络安全方面会通过其他的模块实现。
[root@centos—text ~]# sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
Process contexts:
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Init context: system_u:system_r:init_t:s0
/sbin/mingetty system_u:system_r:getty_t:s0
/usr/sbin/sshd system_u:system_r:sshd_t:s0-s0:c0.c1023
File contexts:
Controlling term: unconfined_u:object_r:user_devpts_t:s0
/etc/passwd system_u:object_r:etc_t:s0
/etc/shadow system_u:object_r:shadow_t:s0
/bin/bash system_u:object_r:shell_exec_t:s0
/bin/login system_u:object_r:login_exec_t:s0
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/agetty system_u:object_r:getty_exec_t:s0
/sbin/init system_u:object_r:init_exec_t:s0
/sbin/mingetty system_u:object_r:getty_exec_t:s0
/usr/sbin/sshd system_u:object_r:sshd_exec_t:s0
[root@centos—text ~]#
关掉selinux如下:
修改配置文件,
[root@centos—text ~]# vim /etc/selinux/config
#This file controls the state of SELinux on the system.
SELINUX= can take one of these three values:
enforcing - SELinux security policy is enforced.
permissive - SELinux prints warnings instead of enforcing.
disabled - No SELinux policy is loaded.
SELINUX=disabled//改为disabled
SELINUXTYPE= can take one of these two values:
targeted - Targeted processes are protected,
mls - Multi Level Security protection.
SELINUXTYPE=targeted
然后重启内核,即重启计算机reboot
日志管理策略
A.及时作好备份和归档
B.控制日志访问权限
日志中可能会包含各类敏感信息,如账户、口令等
C.集中管理日志
使用日志服务器便于日志的统一收集、整理和分析
杜绝日志信息的意外丢失、恶意篡改或删除
应用示例:
调整rsyslog服务设置,建立集中管理的日志服务器
将客户机B中所有日志消息,自动发送到服务器A的日志文件中(客户机可能会有多个)
前提他们都有rsyslog,客户机也要对日志进行处理,服务器也会处理接收到的日志
这个过程至少要有两台计算机,一个服务器,一个客户机
A.在服务器上配置:172.16.50.59 172.16.3.37 要关闭防火墙service iptables stop
1、修改/etc/rsyslog.conf文件,把以下2项的注释取消
$ModLoad imudp
$UDPServerRun 514 开放514端口 netstat -anp | grep :514查看有没有514端口
例如:加一行*.* /opt/all.log
2、重启rsyslog服务
service rsyslog restart
[root@rehl6–text ~]# vim /etc/rsyslog.conf
rsyslog v5 configuration file
For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
KaTeX parse error: Expected 'EOF', got '#' at position 18: …dLoad imklog #̲ provides kerne…ModLoad immark # provides --MARK-- message capability
#Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
Provides TCP syslog reception
#KaTeX parse error: Expected 'EOF', got '#' at position 15: ModLoad imtcp #̲InputTCPServerRun 514
GLOBAL DIRECTIVES ####
Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
File syncing capability is disabled by default. This feature is usually not required,
not useful and an extreme performance hit
#$ActionFileEnableSync on
Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
RULES ####
Log all kernel messages to the console.
Logging much else clutters up the screen.
#kern.* /dev/console
Log anything (except mail) of level info or higher.
“/etc/rsyslog.conf” 80L, 2941C
Log anything (except mail) of level info or higher.
Don’t log private authentication messages!
.info;mail.none;authpriv.none;cron.none /var/log/messages
The authpriv file has restricted access.
authpriv. /var/log/secure
Log all the mail messages in one place.
mail.* -/var/log/maillog
Log cron stuff
cron.* /var/log/cron
Everybody gets emergency messages
*.emerg *
Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
Save boot messages also to boot.log
local7.* /var/log/boot.log
. /opt/all.log
The statement between the begin … end define a SINGLE forwarding
rule. They belong together, do NOT split them. If you create multiple
forwarding rules, duplicate the whole block!
Remote Logging (we use TCP for reliable delivery)
An on-disk queue i
[root@rehl6–text ~]# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
B.在客户机上配置:172.16.50.60 172.16.3.36 要关闭sestatus
1、修改/etc/rsyslog.conf文件,在最后加一行,内容如下:
. @服务器IP 例如:加一行 . @172.16.50.59
一个@用UDP传输层协议 两个@用TCP传输层协议
2、重启rsyslog服务
service rsyslog restart
[root@centos—text ~]# vim /etc/rsyslog.conf
rsyslog v5 configuration file
For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
KaTeX parse error: Expected 'EOF', got '#' at position 18: …dLoad imklog #̲ provides kerne…ModLoad immark # provides --MARK-- message capability
Provides UDP syslog reception
#KaTeX parse error: Expected 'EOF', got '#' at position 15: ModLoad imudp #̲UDPServerRun 514
Provides TCP syslog reception
#KaTeX parse error: Expected 'EOF', got '#' at position 15: ModLoad imtcp #̲InputTCPServerRun 514
GLOBAL DIRECTIVES ####
Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
File syncing capability is disabled by default. This feature is usually not required,
not useful and an extreme performance hit
#$ActionFileEnableSync on
Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
RULES ####
Log all kernel messages to the console.
Logging much else clutters up the screen.
#kern.* /dev/console
Log anything (except mail) of level info or higher.
Don’t log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
The authpriv file has restricted access.
authpriv.* /var/log/secure
Log all the mail messages in one place.
mail.* -/var/log/maillog
Log cron stuff
cron.* /var/log/cron
Everybody gets emergency messages
*.emerg *
Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
Save boot messages also to boot.log
local7.* /var/log/boot.log
. @172.16.3.37
The statement between the begin … end define a SINGLE forwarding
Remote Logging (we use TCP for reliable delivery)
An on-disk queue is created for this action. If the remote host is
down, messages are spooled to disk and sent when it is up again.
#KaTeX parse error: Expected 'EOF', got '#' at position 32: …ar/lib/rsyslog #̲ where to place…ActionQueueFileName fwdRule1 # unique name prefix for spool files
C.测试
在客户机通过logger添加日志
在服务器上查看日志
日志转储功能
系统时时刻刻都在产生日志,如果不及时清理,很快就会填满硬盘,但如果要手工清理,又很麻烦。这种情况下,logrotate 这个程序很好的完成这个任务。
logrotate 用来把旧的日志文件删除,并创建新的日志文件,我们把它叫做“转储”。我们可以根据日志文件的大小,也可以根据天数来转储,这个过程一般通过crond进程来执行,logrotate 还可以用于压缩日志文件。
Logrotate做的工作其实是重命名(mv),创建(touch)新文件(旧文件_日期),删除(rm)旧文件。
logrotate的主配置文件:/etc/logrotate.conf
主配置文件如下:
[root@centos—text ~]# cat /etc/logrotate.conf
see “man logrotate” for details
rotate log files weekly
Weekly //默认每周转储一次
keep 4 weeks worth of backlogs
rotate 4 //默认存储四个
create new (empty) log files after rotating old ones
create
use date as a suffix of the rotated file
Dateext //后缀
uncomment this if you want your log files compressed
#compress
RPM packages drop log rotation information into this directory
include /etc/logrotate.d //次要配置文件
no packages own wtmp and btmp – we’ll rotate them here
/var/log/wtmp { //存储文件格式如下:
Monthly //
create 0664 root utmp//
minsize 1M//
rotate 1//
}//
/var/log/btmp {
missingok
monthly
create 0600 root utmp
rotate 1
}
system-specific logs may be also be configured here.
[root@centos—text ~]#
主要参数:
参数 功能
compress 通过gzip 压缩转储以后的日志
nocompress 不需要压缩时,用这个参数
copytruncate 用于还在打开中的日志文件,把当前日志备份并截断
nocopytruncate 备份日志文件但是不截断
create mode owner group 转储文件,使用指定的文件模式创建新 的日志文件
nocreate 不建立新的日志文件
delaycompress 和 compress 一起使用时,转储的日志文件到下一次转储时才压缩
nodelaycompress 覆盖 delaycompress 选项,转储同时压缩。
errors address 专储时的错误信息发送到指定的Email 地址
ifempty 即使是空文件也转储,这个是 logrotate 的缺省选项。
notifempty 如果是空文件的话,不转储
mail address 把转储的日志文件发送到指定的E-mail 地址
nomail 转储时不发送日志文件
olddir directory 转储后的日志文件放入指定的目录,必须和当前日志文件在同一个文件系统
noolddir 转储后的日志文件和当前日志文件放在同一个目录下
prerotate/endscript 在转储以前需要执行的命令可以放入这个对,这两个关键字必须单独成行
postrotate/endscript 在转储以后需要执行的命令可以放入这个对,这两个关键字必须单独成行
daily 指定转储周期为每天
weekly 指定转储周期为每周
monthly 指定转储周期为每月
rotate count(数字) 指定日志文件删除之前转储的次数,0 指没有备份,5 指保留5 个备份
tabootext [+] list 不转储指定扩展名的文件,缺省的扩展名是:.rpm-orig .rpmsave
size size( 数字和单位) 当日志文件到达指定的大小时才转储,可以指定bytes(缺省)以及KB(sizek)或者MB (sizem).
Logrotate的次要配置文件:/etc/logrotate.d/*
次要配置文件其中之一如下:
[root@centos—text ~]# cd /etc/logrotate.d/
[root@centos—text logrotate.d]# ls
ConsoleKit cups dracut mcelog numad psacct sssd syslog yum
[root@centos—text logrotate.d]# cat yum
/var/log/yum.log {
missingok
notifempty
yearly
create 0600 root root
}[root@centos—text logrotate.d]#
每个文件代表一种日志的配置
也可以在次要配置文件目录中创建新的配置文件,格式和其他的保持一致即可,例如创建一个新的配置文件如下:
172.16.3.37[root@rehl6–text logrotate.d]# vim log.all
[root@rehl6–text logrotate.d]# cat log.all
/opt/all.log{
daily
size 10k
rotate 3
}
[root@rehl6–text logrotate.d]#
然后172.16.3.36[root@centos—text ~]# echo “123456” | logger -it “3.37” -p local2.info //多次执行这个,使文件大小达到10k
然后转储172.16.3.37[root@rehl6–text logrotate.d]# logrotate /etc/logrotate.conf
可以看到变化,有了一个新的文件后缀的那个
172.16.3.37[root@rehl6–text opt]# ll
total 160
-rw------- 1 root root 0 Jan 12 20:33 all.log
-rw------- 1 root root 158175 Jan 12 20:31 all.log-20190112
drwxr-xr-x. 2 root root 4096 Mar 11 2015 rh
然后172.16.3.36[root@centos—text ~]# echo “123456” | logger -it “3.37” -p local2.info //多次执行这个,使文件再次增大
但是文件再次达到10k,也不会创建新的文件了,这种情况下,重启rsyslog即可
172.16.3.37[root@rehl6–text opt]# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
[root@rehl6–text opt]#
然后172.16.3.36[root@centos—text ~]# echo “123456” | logger -it “3.37” -p local2.info //多次执行这个,使文件再次增大
172.16.3.37[root@rehl6–text opt]# ll
total 164
-rw------- 1 root root 1355 Jan 12 20:40 all.log
-rw------- 1 root root 158395 Jan 12 20:39 all.log-20190112
drwxr-xr-x. 2 root root 4096 Mar 11 2015 rh
[root@rehl6–text opt]#
文件再次增大了,此时考虑不能一直手工重启rsyslog,且每次转储完都应该重启,所以将重启命令写入新的配置文件,
172.16.3.37[root@rehl6–text logrotate.d]# cat log.all
/opt/all.log{
daily
size 10k
rotate 3
postrotate
service rsyslog restart
endscript
}
[root@rehl6–text logrotate.d]#
然后172.16.3.36[root@centos—text ~]# echo “123456” | logger -it “3.37” -p local2.info //多次执行这个,使文件再次增大
然后看一下是否转储了,发现未转储,因为每天只转储一次
172.16.3.37
[root@rehl6–text opt]# ll
total 164
-rw------- 1 root root 2433 Jan 12 20:46 all.log
-rw------- 1 root root 158395 Jan 12 20:39 all.log-20190112
drwxr-xr-x. 2 root root 4096 Mar 11 2015 rh
然后 172.16.3.37[root@rehl6–text opt]# logrotate -v /etc/logrotate.conf可以看到
说明已经存在,跳过了,如果还想转储可以改一下系统时间,如下:
172.16.3.37[root@rehl6–text opt]# date
Sat Jan 12 20:56:27 CST 2019
[root@rehl6–text opt]# date -s “2019-1-13 10:00:00”
Sun Jan 13 10:00:00 CST 2019
[root@rehl6–text opt]# date
Sun Jan 13 10:00:02 CST 2019
[root@rehl6–text opt]#
此时再去看一下有没有报哪个问题,发现没有了172.16.3.37[root@rehl6–text opt]# logrotate -v /etc/logrotate.conf
rotating pattern: /opt/all.log 10240 bytes (3 rotations)
empty log files are rotated, old logs are removed
considering log /opt/all.log
log needs rotating
rotating log /opt/all.log, log->rotateCount is 3
dateext suffix ‘-20190113’
glob pattern ‘-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]’
renaming /opt/all.log to /opt/all.log-20190113
creating new /opt/all.log mode = 0600 uid = 0 gid = 0
running postrotate script
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
然后,172.16.3.37[root@rehl6–text opt]# ll
total 184
-rw------- 1 root root 221 Jan 13 10:10 all.log
-rw------- 1 root root 158395 Jan 12 20:39 all.log-20190112
-rw------- 1 root root 17774 Jan 13 10:10 all.log-20190113
drwxr-xr-x. 2 root root 4096 Mar 11 2015 rh
[root@rehl6–text opt]#
会发现多了一个13结尾的
再写入发现往新的文件写了。
可以再次改时间转储,会发现转储文件最多有3个,因为设置的最多为3个,大于三个就删除了。
日志转储
logrotate -v /etc/logrotate.conf //转储主配置文件即可,因为主配置文件包括次要配置文件
-f:强制转储
-v:显示具体信息
重启rsyslog :service rsyslog restart
[root@localhost ~]# cat /etc/logrotate.d/syslog
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {
sharedscripts
postrotate
/bin/kill -HUP cat /var/run/syslogd.pid 2> /dev/null
2> /dev/null || true
/bin/kill -HUP cat /var/run/rsyslogd.pid 2> /dev/null
2> /dev/null || true
endscript
}