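Logs are generated by programs and initially exist only in memory. Rsyslog persists these logs to disk, and it can synchronize logs between servers over protocols such as UDP and TCP.
/var/log/messages: most system log messages are recorded here
/var/log/secure: messages and errors related to security and authentication
/var/log/maillog: log file for the mail server
/var/log/cron: log file for scheduled tasks
/var/log/boot.log: log file related to system boot
PAM: on Linux, some programs must authenticate the user who starts them before they run, and they proceed only once certain requirements are met, for example login and su. On Linux, this verification of identity or state is carried out by PAM. PAM loads its verification modules dynamically, so what is verified can be changed as needed, which makes authentication much more flexible.
Linux-PAM: a set of shared libraries that lets the local system administrator choose how programs authenticate. The authentication method of each program is managed with the files under /etc/pam.d/. An application reads its configuration file and through it calls the local authentication modules, which are stored under /lib/security and loaded as dynamic libraries. For example, when we use the su command and the system prompts for the root user's password, that is su calling PAM modules.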
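Log types (facilities):
auth: logs produced by PAM
authpriv: authentication information for logins via ssh, ftp and so on
cron: scheduled tasks
kern: kernel
lpr: printing
mail: mail
mark(syslog)-rsyslog: messages internal to the service, timestamp marks
news: newsgroups
user: messages produced by user programs
uucp: unix to unix copy, communication between unix hosts
local 1-7: custom log facilities
Log levels (from top to bottom the level goes from low to high, and less and less information is recorded):
debug: contains debugging information; the most log output
info: general informational logs; the most commonly used
notice: normal but significant conditions
warning: warning level
err: error level; something prevents a function or module from working properly
crit: critical level; something prevents the whole system or the whole piece of software from running properly
alert: something that must be fixed immediately
emerg: severe conditions such as a kernel crash
none: record nothing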
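How the facilities and levels above combine in a selector such as `*.info;mail.none;authpriv.none;cron.none` (used in the client configuration on this page), shown as an added example that is not part of the original page. The function names are hypothetical and the evaluation is a simplified model of the traditional selector syntax; the severity numbers are the standard syslog codes.

```python
# Added example (not from the original page): evaluate a traditional
# syslog selector by building the priority mask for one facility.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp"]
FACILITIES += [f"local{i}" for i in range(8)]
# Standard syslog severity codes: 0 is the most severe, 7 the most verbose.
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

# The two selectors from the client configuration on this page.
SEL_ALL = "*.*;mail.none;authpriv.none;cron.none"
SEL_INFO = "*.info;mail.none;authpriv.none;cron.none"


def selected_severities(selector: str, facility: str) -> set:
    """Return the severity codes of `facility` that `selector` lets through."""
    if facility not in FACILITIES:
        raise ValueError(f"unknown facility: {facility}")
    mask = set()
    # Parts are applied left to right, so a later part can undo an earlier one.
    for part in selector.split(";"):
        fac_spec, _, prio = part.strip().partition(".")
        if fac_spec != "*" and facility not in fac_spec.split(","):
            continue  # this part does not mention our facility
        negate = prio.startswith("!")
        prio = prio.lstrip("!")
        exact = prio.startswith("=")
        prio = prio.lstrip("=")
        if prio == "none":
            levels = set(range(8))
            negate = not negate  # "none" clears every level
        elif prio == "*":
            levels = set(range(8))
        elif exact:
            levels = {SEVERITY[prio]}  # "=err": only err
        else:
            levels = set(range(SEVERITY[prio] + 1))  # "err": err and worse
        mask = mask - levels if negate else mask | levels
    return mask


def selector_matches(selector: str, facility: str, severity: str) -> bool:
    """True if a message with this facility and severity is selected."""
    return SEVERITY[severity] in selected_severities(selector, facility)
```

A bare `*.*`, as used in the forwarding rules, has no `none` exclusions, so authpriv messages that are kept out of /var/log/messages on the client are still sent to the log server.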
test1 acts as the log server and collects the logs
test4 acts as the client
# Server side (test1)
yum install rsyslog -y
vim /etc/rsyslog.conf
# Uncomment these four lines
# Collect UDP logs and open the port
$ModLoad imudp
$UDPServerRun 514
# Collect TCP logs and open the port
$ModLoad imtcp
$InputTCPServerRun 514
# Add
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Store the collected logs under /var/log/rsyslog/, in a directory named after the IP of the machine they came from
$template RemoteLogs,"/var/log/rsyslog/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
# Do not collect this machine's own logs
:fromhost-ip, !isequal, "127.0.0.1" ?RemoteLogs
& ~
systemctl restart rsyslog.service
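# Client side (test4)
yum install rsyslog -y
# Collect logs of every level into /var/log/messages
*.*;mail.none;authpriv.none;cron.none /var/log/messages
# *.info;mail.none;authpriv.none;cron.none /var/log/messages   (collects only logs at info level and above)
# Add at the very bottom
# @@ (two at signs) sends the logs over TCP
*.* @@192.168.134.25:514
# @ (one at sign) sends the logs over UDP; with both lines enabled, every message is sent to the server twice
*.* @192.168.134.25:514
# 192.168.134.25 is the address of the log server
systemctl restart rsyslog.service
# Now the server has a log for the client's IP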
[root@test1 ~]# tail -f /var/log/rsyslog/192.168.134.28/192.168.134.28_2023-12-1
192.168.134.28_2023-12-11.log 192.168.134.28_2023-12-12.log
[root@test4 ~]# grep http /etc/nginx/nginx.conf
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
http ;{
'$status $body_bytes_sent "$http_referer" '
[root@test1 ~]# tail -f /var/log/rsyslog/192.168.134.28/192.168.134.28_2023-12-12.log
Dec 12 08:56:49 test4 polkitd[528]: Unregistered Authentication Agent for unix-process:9285:162270604 (system bus name :1.1063, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Dec 12 08:56:49 test4 polkitd[528]: Unregistered Authentication Agent for unix-process:9285:162270604 (system bus name :1.1063, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Dec 12 09:01:01 test4 systemd[1]: Started Session 512 of user root.
Dec 12 09:01:01 test4 systemd[1]: Started Session 512 of user root.
Dec 12 09:01:01 test4 systemd: Started Session 512 of user root.
Dec 12 09:01:01 test4 systemd: Started Session 512 of user root.
Dec 12 09:01:01 test4 CROND[9326]: (root) CMD (run-parts /etc/cron.hourly)
Dec 12 09:01:01 test4 CROND[9326]: (root) CMD (run-parts /etc/cron.hourly)
Dec 12 09:01:01 test4 CROND[9326]: (root) CMD (run-parts /etc/cron.hourly)
Dec 12 09:01:01 test4 CROND[9326]: (root) CMD (run-parts /etc/cron.hourly)
Dec 12 09:36:42 test4 polkitd[528]: Registered Authentication Agent for unix-process:9860:162509910 (system bus name :1.1068 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Dec 12 09:36:42 test4 polkitd[528]: Registered Authentication Agent for unix-process:9860:162509910 (system bus name :1.1068 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Dec 12 09:36:42 test4 polkitd[528]: Registered Authentication Agent for unix-process:9860:162509910 (system bus name :1.1068 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Dec 12 09:36:42 test4 polkitd[528]: Registered Authentication Agent for unix-process:9860:162509910 (system bus name :1.1068 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Dec 12 09:36:42 test4 systemd[1]: Starting The nginx HTTP and reverse proxy server...
Dec 12 09:36:42 test4 systemd[1]: Starting The nginx HTTP and reverse proxy server...
Dec 12 09:36:42 test4 systemd: Starting The nginx HTTP and reverse proxy server...
Dec 12 09:36:42 test4 systemd: Starting The nginx HTTP and reverse proxy server...
Dec 12 09:36:42 test4 nginx[9867]: nginx: [emerg] directive "http" has no opening "{" in /etc/nginx/nginx.conf:17
Dec 12 09:36:42 test4 nginx[9867]: nginx: configuration file /etc/nginx/nginx.conf test failed
Dec 12 09:36:42 test4 nginx: nginx: [emerg] directive "http" has no opening "{" in /etc/nginx/nginx.conf:17
Dec 12 09:36:42 test4 nginx[9867]: nginx: [emerg] directive "http" has no opening "{" in /etc/nginx/nginx.conf:17
Dec 12 09:36:42 test4 nginx[9867]: nginx: configuration file /etc/nginx/nginx.conf test failed
Dec 12 09:36:42 test4 nginx: nginx: [emerg] directive "http" has no opening "{" in /etc/nginx/nginx.conf:17
Dec 12 09:36:42 test4 nginx: nginx: configuration file /etc/nginx/nginx.conf test failed
Dec 12 09:36:42 test4 nginx: nginx: configuration file /etc/nginx/nginx.conf test failed
Dec 12 09:36:42 test4 systemd[1]: nginx.service: control process exited, code=exited status=1
Dec 12 09:36:42 test4 systemd[1]: Failed to start The nginx HTTP and reverse proxy server.
Dec 12 09:36:42 test4 systemd[1]: Unit nginx.service entered failed state.
Dec 12 09:36:42 test4 systemd[1]: nginx.service failed.
Dec 12 09:36:42 test4 systemd: nginx.service: control process exited, code=exited status=1
Dec 12 09:36:42 test4 systemd: Failed to start The nginx HTTP and reverse proxy server.
Dec 12 09:36:42 test4 systemd: Unit nginx.service entered failed state.
Dec 12 09:36:42 test4 systemd: nginx.service failed.
Dec 12 09:36:42 test4 systemd[1]: nginx.service: control process exited, code=exited status=1
Dec 12 09:36:42 test4 systemd[1]: Failed to start The nginx HTTP and reverse proxy server.
Dec 12 09:36:42 test4 systemd[1]: Unit nginx.service entered failed state.
Dec 12 09:36:42 test4 systemd[1]: nginx.service failed.
Dec 12 09:36:42 test4 systemd: nginx.service: control process exited, code=exited status=1
Dec 12 09:36:42 test4 systemd: Failed to start The nginx HTTP and reverse proxy server.
Dec 12 09:36:42 test4 systemd: Unit nginx.service entered failed state.
Dec 12 09:36:42 test4 systemd: nginx.service failed.
Dec 12 09:36:42 test4 polkitd[528]: Unregistered Authentication Agent for unix-process:9860:162509910 (system bus name :1.1068, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Dec 12 09:36:42 test4 polkitd[528]: Unregistered Authentication Agent for unix-process:9860:162509910 (system bus name :1.1068, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Dec 12 09:36:42 test4 polkitd[528]: Unregistered Authentication Agent for unix-process:9860:162509910 (system bus name :1.1068, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Dec 12 09:36:42 test4 polkitd[528]: Unregistered Authentication Agent for unix-process:9860:162509910 (system bus name :1.1068, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)