CHAPTER 1 The CentOS logging system (log files)

Log files

  • Log files of the CentOS operating system
    • 1.1 /var/log/secure
    • 1.2 /var/log/messages
    • 1.3 /var/log/boot.log
    • 1.4 /var/log/maillog
    • 1.5 /var/log/cron
    • 1.6 /var/log/httpd, /var/log/mysqld.log and similar files
    • 1.7 /var/log/acpid
    • 1.8 /var/run/utmp
    • 1.9 /var/log/wtmp
    • 1.10 /var/log/lastlog
    • 1.11 /var/log/btmp
    • 1.12 /var/log/dmesg
    • 1.13 /var/log/cpus
    • 1.14 /var/log/syslog
    • 1.15 /var/log/auth.log
    • 1.16 /var/log/daemon.log
    • 1.17 /var/log/mail.err
    • 1.18 /var/log/mail.info
    • 1.19 /var/log/mail.warn
    • 1.21 /var/log/kern
    • 1.22 /var/log/lpr

Log files of the CentOS operating system

System boot log: /var/log/boot.log
Kernel boot log: /var/log/dmesg
System error log: /var/log/messages
Mail system log: /var/log/maillog
FTP system log: /var/log/xferlog
Security information, system logins and network connections: /var/log/secure
News log: /var/log/spooler
RPM packages: /var/log/rpmpkgs
Scheduled task (cron) log: /var/log/cron
Records all logins and logouts: /var/log/wtmp
Records each user's most recent login: /var/log/lastlog
Records failed login attempts: /var/log/btmp

The common log files on a Linux operating system are the following:

1.1 /var/log/secure

The file in which CentOS records logins and access to the system; for example pop3, ssh, telnet, ftp and so on are all recorded here.

1. Meaning of each field in a line:

Month  Day  HH:MM:SS  server hostname  program (sshd or su)  module  details
Nov  7 12:38:51 k8s-node-02 sshd[75467]: Accepted password for root from 192.168.20.3 port 39444 ssh2

2. Log of a normal SSH connection to the server

Accepted publickey for root from 192.168.71.183 port 53384 ssh2: RSA SHA256:unMhS8aRBuzoAhh8IIcj1FngQazgK0vom6/o7ES4

3. Logout log after a normal login

Nov  9 05:26:35 k8s-node-02 sshd[68560]: Received disconnect from 192.168.71.183 port 53550:11: disconnected by user
Nov  9 05:26:35 k8s-node-02 sshd[68560]: Disconnected from 192.168.71.183 port 53550

4. Log in to the system as root, switch to user zcy, then close the connection window directly from user zcy

Aug  8 02:38:11 imzcy sshd[19167]: Accepted password for root from 192.168.217.10 port 58165 ssh2
Aug  8 02:38:11 imzcy sshd[19167]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug  8 02:38:13 imzcy su: pam_unix(su-l:session): session opened for user zcy by root(uid=0)
Aug  8 02:38:27 imzcy su: pam_unix(su-l:session): session closed for user zcy
Aug  8 02:38:27 imzcy sshd[19167]: pam_unix(sshd:session): session closed for user root

5. Wrong password entered

Aug  8 02:33:28 imzcy sshd[19125]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.217.10  user=root
Aug  8 02:33:31 imzcy sshd[19125]: Failed password for root from 192.168.217.10 port 57994 ssh2

6. Too many wrong passwords

Nov  9 05:32:06 k8s-node-02 sshd[71163]: Failed password for yurq from 192.168.71.183 port 53748 ssh2
Nov  9 05:32:06 k8s-node-02 sshd[71163]: Connection closed by 192.168.71.183 port 53748 [preauth]
Nov  9 05:32:06 k8s-node-02 sshd[71163]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=k8s-node-02  user=yurq
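
As an added example (not code from the original article): a small Python parser for the secure log format described above. It splits a line into the fields listed in point 1, classifies the sshd messages shown in points 2 to 6, and totals failed logins per source so that the "PAM N more authentication failures" case from point 6 is counted correctly; the sample lines are copied from this section.

```python
import re
from collections import Counter

# Field layout of a /var/log/secure line: month, day, time, host, program[pid]: message
LINE = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>[\d:]{8}) (?P<host>\S+) "
                  r"(?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# sshd message shapes seen in the examples above
ACCEPTED = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
FAILED = re.compile(r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
PAM_MORE = re.compile(r"^PAM (?P<n>\d+) more authentication failures;.*rhost=(?P<rhost>\S+)\s+user=(?P<user>\S+)")

def parse_line(line):
    """Split one line into its fields and classify the sshd message; None if not a syslog line."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for kind, rx in (("accepted", ACCEPTED), ("failed", FAILED), ("pam_more", PAM_MORE)):
        d = rx.match(rec["msg"])
        if d:
            rec["event"] = kind
            rec.update(d.groupdict())
            return rec
    rec["event"] = "other"
    return rec

def failures_by_source(lines):
    """Failed logins per source: each 'Failed password' counts one, and the 'PAM N more' line adds
    the N attempts sshd did not log individually (rhost there may be a hostname, as in the log)."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["event"] == "failed":
            counts[rec["ip"]] += 1
        elif rec["event"] == "pam_more":
            counts[rec["rhost"]] += int(rec["n"])
    return counts

def noisy_sources(lines, threshold):
    """Sources whose failure count reaches the threshold, most failures first."""
    return [src for src, n in failures_by_source(lines).most_common() if n >= threshold]

# Sample input: lines copied from the examples in this section
SAMPLE = [
    "Nov  7 12:38:51 k8s-node-02 sshd[75467]: Accepted password for root from 192.168.20.3 port 39444 ssh2",
    "Aug  8 02:33:28 imzcy sshd[19125]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.217.10  user=root",
    "Aug  8 02:33:31 imzcy sshd[19125]: Failed password for root from 192.168.217.10 port 57994 ssh2",
    "Nov  9 05:32:06 k8s-node-02 sshd[71163]: Failed password for yurq from 192.168.71.183 port 53748 ssh2",
    "Nov  9 05:32:06 k8s-node-02 sshd[71163]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=k8s-node-02  user=yurq",
]
```

Run it against a copy of /var/log/secure by passing the file's lines to failures_by_source; a source that reaches the threshold in a short window is the same pattern point 6 shows.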

1.2 /var/log/messages

CentOS system error log; every error that occurs on the system after boot is recorded here

The messages log is the core system log file. It contains the boot messages from system startup as well as other status messages emitted while the system is running. I/O errors, network errors and other system errors are all recorded in this file. Other information, such as someone switching identity to root, is also listed here. If a service is running, for example a DHCP server, you can watch its activity in the messages file. Usually, /var/log/messages is the first file to look at when troubleshooting.

1.3 /var/log/boot.log

The system boot log; it records the start and stop messages that services display while the system is booting or shutting down

[root@dbc-server-554 log]# cat /var/log/boot.log-20230224
[  OK  ] Started Show Plymouth Boot Screen.
[  OK  ] Started Forward Password Requests to Plymouth Directory Watch.
[  OK  ] Reached target Paths.
[  OK  ] Reached target Basic System.
[  OK  ] Found device /dev/mapper/centos-root.
         Starting File System Check on /dev/mapper/centos-root...
...
[  OK  ] Reached target Switch Root.
[  OK  ] Started Plymouth switch root service.
         Starting Switch Root...

Welcome to CentOS Linux 7 (Core)!

[  OK  ] Stopped Switch Root.
[  OK  ] Stopped Journal Service.
         Starting Journal Service...
...
[  OK  ] Started D-Bus System Message Bus.
[  OK  ] Started Avahi mDNS/DNS-SD Stack.
         Starting Kernel Samepage Merging...
         Starting Login Service...
         Starting Self Monitoring and Reporting Technology (SMART) Daemon...
         Starting RealtimeKit Scheduling Policy Service...
         Starting Network Manager...
         Starting Dump dmesg to /var/log/dmesg...
...
[  OK  ] Started Availability of block devices.
[FAILED] Failed to start Ipmievd Daemon.
See 'systemctl status ipmievd.service' for details.
[  OK  ] Started Permit User Sessions.
...
[  OK  ] Started /etc/rc.d/rc.local Compatibility.
         Starting GNOME Display Manager...
[  OK  ] Started GNOME Display Manager.

1.4 /var/log/maillog

Records mail access and traffic;

This log file records the activity of every e-mail sent to or from the system. It can be used to see which sending tool a user used on the system, or to which system data was sent. Below is a fragment of the log file:

Sep 4 17:23:52 UNIX sendmail[1950]: g849Npp01950: from=root, size=25,
class=0, nrcpts=1,
msgid=<200209040923[email protected]>,
relay=root@localhost
Sep 4 17:23:55 UNIX sendmail[1950]: g849Npp01950: to=[email protected],
ctladdr=root (0/0), delay=00:00:04, xdelay=00:00:03, mailer=esmtp, pri=30025,
relay=fcceec.net. [10.152.8.2], dsn=2.0.0, stat=Sent (Message queued)

1.5 /var/log/cron

Used to record the run log of scheduled tasks; the fields, as shown below, are:

Date and time the task ran, the host it ran on, the program that ran the task [process id], details of the task run

Feb 27 13:01:01 dbc-server-554 run-parts(/etc/cron.hourly)[28025]: starting 0anacron
Feb 27 13:01:01 dbc-server-554 run-parts(/etc/cron.hourly)[28037]: finished 0anacron
Feb 27 13:10:01 dbc-server-554 CROND[28769]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Feb 27 13:20:01 dbc-server-554 CROND[29606]: (root) CMD (/usr/lib64/sa/sa1 1 1)

1.6 /var/log/httpd、/var/log/mysqld.log等文件

Logs of the various network services

1.7 /var/log/acpid

ACPI – Advanced Configuration and Power Interface, the advanced configuration and power management interface.

1.8 /var/run/utmp

Records all logins and logouts; it is encoded, so it must be parsed with last;

[root@dbc-server-554 log]# last -f /var/run/utmp
root     pts/0        192.168.20.252   Thu Feb 23 17:40   still logged in
reboot   system boot  3.10.0-1160.83.1 Thu Feb 23 17:39 - 13:23 (3+19:43)

utmp begins Thu Feb 23 17:39:42 2023

If you want to disable the who command, just remove the read permission on utmp; non-root users can then no longer use that command. If you create the btmp file by hand, note that its permissions must be 600, otherwise information cannot be written to it correctly.

1.9 /var/log/wtmp

Records the currently logged-in users

[root@dbc-server-554 log]# last -f /var/log/wtmp
root     pts/1        192.168.70.183   Mon Feb 27 09:09 - 09:17  (00:07)
root     pts/1        192.168.70.183   Mon Feb 27 09:07 - 09:08  (00:01)
root     pts/1        192.168.20.252   Fri Feb 24 11:27 - 09:03 (2+21:36)

1.10 /var/log/lastlog

Records each user's most recent login information;

[root@dbc-server-554 log]# last -f /var/log/lastlog

lastlog begins Thu Jan  1 08:00:00 1970

The three files mentioned above (/var/log/wtmp, /var/run/utmp, /var/log/lastlog) are the key files of the logging subsystem; all of them record user logins. Every record in these files contains a timestamp. The files are stored in binary, so they cannot be viewed directly with commands such as less or cat; the corresponding commands must be used to read them. utmp and wtmp share the same data structure, while lastlog uses a different one; the exact data structures can be looked up with the man command.

Each time a user logs in, the login program looks up the user's UID in the lastlog file. If it exists, the user's previous login and logout time and hostname are written to standard output; then login records the new login time in lastlog, opens the utmp file and inserts the user's utmp record. That record remains until it is removed when the user logs out. The utmp file is used by various commands, including who, w, users and finger.

Next, the login program opens the wtmp file and appends the user's utmp record. When the user logs out, the same utmp record with an updated timestamp is appended to the file. The wtmp file is used by the last program.

1.11 /var/log/btmp

Records failed login attempts;

[root@dbc-server-554 log]# last -f /var/log/btmp
root     ssh:notty    192.168.70.183   Mon Feb 27 09:07    gone - no logout
root     ssh:notty    192.168.70.183   Mon Feb 27 09:06 - 09:07  (00:00)
root     ssh:notty    192.168.70.183   Tue Feb 14 09:48 - 09:06 (12+23:18)
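
As an added example covering sections 1.8 to 1.11 (not code from the original article): reading the binary utmp/wtmp/btmp records directly in Python, assuming the 384-byte little-endian glibc layout used on x86_64 CentOS (see utmp(5)); the record data below is constructed inline rather than captured from a host. It pairs login and logout records the way last does, which lets you cross-check what last prints or inspect a btmp file without relying on that tool.

```python
import struct
from datetime import datetime, timezone

# struct utmp as laid out by glibc on x86_64 (384 bytes per record, see utmp(5)):
# ut_type, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# exit_status{e_termination,e_exit}, ut_session, ut_tv{tv_sec,tv_usec}, ut_addr_v6[4], pad[20]
UTMP = struct.Struct("<h2xi32s4s32s256s2h3i4i20x")
LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS = 6, 7, 8

def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_utmp(data):
    """Decode every 384-byte record of utmp/wtmp/btmp data into a dict."""
    recs = []
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(data, off)
        recs.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                     "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]})
    return recs

def sessions(recs):
    """Pair each USER_PROCESS record with the next DEAD_PROCESS on the same tty, which is
    how last(1) derives 'login - logout (duration)'; a session still open gets duration None."""
    open_by_line, out = {}, []
    for r in recs:
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            s = open_by_line.pop(r["line"])
            out.append((s["user"], s["line"], s["host"], s["time"], r["time"] - s["time"]))
    out.extend((s["user"], s["line"], s["host"], s["time"], None) for s in open_by_line.values())
    return out

def make_record(utype, pid, line, user, host, ts):
    """Build one record (used here only to construct the sample data)."""
    return UTMP.pack(utype, pid, line.encode(), b"", user.encode(), host.encode(),
                     0, 0, 0, ts, 0, 0, 0, 0, 0)

# Constructed sample (not captured from a real host): one root session on pts/1 plus one
# failed ssh attempt written the way btmp shows it, on line 'ssh:notty' with type LOGIN_PROCESS.
T0 = int(datetime(2023, 2, 27, 9, 9, tzinfo=timezone.utc).timestamp())
SAMPLE = (make_record(USER_PROCESS, 4321, "pts/1", "root", "192.168.70.183", T0)
          + make_record(DEAD_PROCESS, 4321, "pts/1", "", "", T0 + 460)
          + make_record(LOGIN_PROCESS, 999, "ssh:notty", "root", "192.168.70.183", T0 - 120))

if __name__ == "__main__":
    for user, line, host, start, dur in sessions(parse_utmp(SAMPLE)):
        print(user, line, host, datetime.fromtimestamp(start, timezone.utc), dur)
```

To read a real file, pass open("/var/log/wtmp", "rb").read() to parse_utmp; the btmp records never form a session, so they are listed via parse_utmp directly.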

1.12 /var/log/dmesg

Kernel log;

The dmesg command is very important for diagnosing device faults. With the help of dmesg, when hardware is connected or disconnected we can see the messages for its detection or removal. The dmesg command is available on most Linux- and Unix-based operating systems.

[root@dbc-server-554 log]# dmesg |tail -10
[   55.169895] IPv6: ADDRCONF(NETDEV_UP): docker_gwbridge: link is not ready
[   55.189011] IPv6: ADDRCONF(NETDEV_UP): br-d44dbcba5be7: link is not ready
[   55.207360] IPv6: ADDRCONF(NETDEV_UP): docker0: link is not ready
[   55.225136] IPv6: ADDRCONF(NETDEV_UP): br-4a107b89632c: link is not ready
[   55.243850] IPv6: ADDRCONF(NETDEV_UP): br-7a074dc4b5d6: link is not ready
[   55.261710] IPv6: ADDRCONF(NETDEV_UP): br-c0ba7b9c2a7c: link is not ready
[   55.280767] IPv6: ADDRCONF(NETDEV_UP): br-c59bd6f64464: link is not ready
[101569.947943] perf: interrupt took too long (2520 > 2500), lowering kernel.perf_event_max_sample_rate to 79000
[150035.568272] perf: interrupt took too long (3153 > 3150), lowering kernel.perf_event_max_sample_rate to 63000
[218334.434190] perf: interrupt took too long (3942 > 3941), lowering kernel.perf_event_max_sample_rate to 50000

For detailed usage of dmesg, see the next chapter, "Log Tools".

1.13 /var/log/cpus

CPU processing information;

1.14 /var/log/syslog

Event monitor log; unlike /var/log/messages, it records only warning messages

By default Red Hat Linux does not generate this log file, but /etc/syslog.conf can be configured so that the system generates it. Unlike /var/log/messages, it records only warning messages, which are often the messages of a system problem, so this file deserves closer attention. To have the system generate the log file, add the following line to /etc/syslog.conf: *.warning /var/log/syslog. This log file records information such as wrong passwords noted by login when a user logs in, Sendmail problems, and failed su commands.

[root@zabbix-svr-2 ~]# cat /var/log/syslog |tail -10
Feb 27 00:30:48 zabbix-svr-2 kernel: core: CPUID marked event: 'branch instructions' unavailable
Feb 27 00:30:48 zabbix-svr-2 kernel: core: CPUID marked event: 'branch misses' unavailable
Feb 27 00:30:48 zabbix-svr-2 kernel: NMI watchdog: disabled (cpu0): hardware events not enabled
Feb 27 00:30:48 zabbix-svr-2 kernel: ACPI: Enabled 4 GPEs in block 00 to 0F
Feb 27 00:30:48 zabbix-svr-2 kernel: Dquot-cache hash table entries: 512 (order 0, 4096 bytes)
Feb 27 00:30:49 zabbix-svr-2 kernel: sd 0:0:0:0: [sda] Assuming drive cache: write through
Feb 27 00:30:53 zabbix-svr-2 kernel: piix4_smbus 0000:00:07.3: SMBus Host Controller not enabled!
Feb 27 00:30:55 zabbix-svr-2 /usr/sbin/irqbalance: Balancing is ineffective on systems with a single cpu.  Shutting down
Feb 27 00:30:57 zabbix-svr-2 systemd: Failed to start Crash recovery kernel arming.
Feb 27 00:30:57 zabbix-svr-2 systemd: kdump.service failed.

For detailed usage of rsyslogd, see the next chapter, "Log Tools".

1.15 /var/log/auth.log

Ubuntu user authentication log, the equivalent of secure on CentOS

1.16 /var/log/daemon.log

System daemon log;

1.17 /var/log/mail.err

Ubuntu mail error messages;

1.18 /var/log/mail.info

Mail messages;

1.19 /var/log/mail.warn

Mail warning messages;

1.21 /var/log/kern

Messages generated by the Ubuntu kernel;

1.22 /var/log/lpr

Messages generated by the printer spooler system;
