Linux操作系统的日志管理之rsyslog实战案例

              Linux操作系统的日志管理之rsyslog实战案例

                                       作者:尹正杰

版权声明:原创作品,谢绝转载!否则将追究法律责任。

一.日志介绍

1>.什么是日志

历史事件:
  时间,地点,人物,事件 日志级别:
  事件的关键性程度,Loglevel

2>.常见的系统日志服务

sysklogd日志服务(CentOS 5及之前版本使用)
  syslogd:
    system application 记录应用日志
  klogd:
    linux kernel 记录内核日志
  事件记录格式:
    日期时间 主机 进程[pid]: 事件内容
  C/S架构:
    通过TCP或UDP协议的服务完成日志记录传送,将分布在不同主 机的日志实现集中管理 rsyslog日志服务(CentOS6和7版本使用),其主要特性如下所示:
  多线程
  UDP, TCP, SSL, TLS, RELP
  MySQL, PGSQL, Oracle实现日志存储
  强大的过滤器,可实现过滤记录日志信息中任意部分
  自定义输出格式 ELK(elasticsearch, logstash, kibana)
  非关系型分布式数据库
  基于apache软件基金会jakarta项目组的项目lucene
  Elasticsearch是个开源分布式搜索引擎
  Logstash对日志进行收集、分析,并将其存储供以后使用
  kibana 可以提供的日志分析友好的 Web 界面

3>.博主推荐阅读

  https://www.cnblogs.com/yinzhengjie/p/7745560.html

二.rsyslog介绍

1>.常见术语

[root@node101.yinzhengjie.org.cn ~]# man logger
LOGGER() User Commands LOGGER() NAME
logger - a shell command interface to the syslog() system log module SYNOPSIS
logger [options] [message] DESCRIPTION
logger makes entries in the system log. It provides a shell command interface to the syslog() system log module. OPTIONS
-n, --server server
Write to the specified remote syslog server instead of to the builtin syslog routines. Unless --udp or --tcp is
specified the logger will first try to use UDP, but if it fails a TCP connection is attempted. -d, --udp
Use datagram (UDP) only. By default the connection is tried to syslog port defined in /etc/services, which is
often . -T, --tcp
Use stream (TCP) only. By default the connection is tried to syslog-conn port defined in /etc/services, which is
often . -P, --port port
Use the specified port. When this option is not specified, the port defaults to syslog for udp and to syslog-
conn for tcp connections. -i, --id
Log the process ID of the logger process with each line. -f, --file file
Log the contents of the specified file. This option cannot be combined with a command-line message. -h, --help
Display a help text and exit. -p, --priority priority
Enter the message into the log with the specified priority. The priority may be specified numerically or as a
facility.level pair. For example, -p local3.info logs the message as informational in the local3 facility. The
default is user.notice. -S, --size size
Sets the maximum permitted message size. The default is 1KiB, which is the limit traditionally used and specified
in RFC . When selecting a maximum message size, it is important to ensure that the receiver supports the max
size as well, otherwise messages may become truncated. -s, --stderr
Output the message to standard error as well as to the system log. -t, --tag tag
Mark every line to be logged with the specified tag. The default tag is the name of the user logged in on the
terminal (or a user name based on effective user ID). -u, --socket socket
Write to the specified socket instead of to the builtin syslog routines. -V, --version
Display version information and exit. -- End the argument list. This is to allow the message to start with a hyphen (-). message
Write the message to log; if not specified, and the -f flag is not provided, standard input is logged. The logger utility exits on success, and > if an error occurs. FACILITIES AND LEVELS
Valid facility names are: auth
authpriv for security information of a sensitive nature
cron
daemon
ftp
kern cannot be generated from userspace process, automatically converted to user
lpr
mail
news
syslog
user
uucp
local0
to
local7
security deprecated synonym for auth Valid level names are: emerg
alert
crit
err
warning
notice
info
debug
panic deprecated synonym for emerg
error deprecated synonym for err
warn deprecated synonym for warning For the priority order and intended purposes of these facilities and levels, see syslog(). EXAMPLES
logger System rebooted
logger -p local0.notice -t HOSTIDM -f /dev/idmc
logger -n loghost.example.com System rebooted SEE ALSO
syslog(), syslogd() STANDARDS
The logger command is expected to be IEEE Std 1003.2 ("POSIX.2") compatible. AVAILABILITY
The logger command is part of the util-linux package and is available from Linux Kernel Archive ⟨ftp://ftp.kernel.org
/pub/linux/utils/util-linux/⟩. util-linux April LOGGER()
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#

[root@node101.yinzhengjie.org.cn ~]# man logger

2>.facility(从功能或程序上对日志进行归类)

  Valid facility names are:
    auth
    authpriv for security information of a sensitive nature
    cron
    daemon
    ftp
    kern cannot be generated from userspace process, automatically converted to user
    lpr
    mail
    news
    syslog
    user
    uucp
    local0
    to
    local7
    security deprecated synonym for auth

3>.Priority(优先级别,从低到高排序)

  Valid level names are:
    debug
    info
    notice
    warning
    warn deprecated synonym for warning
    err
    error deprecated synonym for err
    crit
    alert
    emerg
    panic deprecated synonym for emerg

 4>.可参考帮助信息

[root@node101.yinzhengjie.org.cn ~]# man  syslog

三.rsyslog系统日志服务

1>.安装rsyslog软件

[root@node101.yinzhengjie.org.cn ~]# yum -y install syslog
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
epel/x86_64/metalink | 7.6 kB ::
* base: mirrors.aliyun.com
* epel: mirrors.tuna.tsinghua.edu.cn
* extras: mirrors.aliyun.com
* updates: mirror.bit.edu.cn
base | 3.6 kB ::
epel | 5.4 kB ::
extras | 2.9 kB ::
updates | 2.9 kB ::
(/): epel/x86_64/updateinfo | 1.0 MB ::
(/): updates//x86_64/primary_db | 5.8 MB ::
(/): epel/x86_64/primary_db | 6.9 MB ::
Resolving Dependencies
--> Running transaction check
---> Package rsyslog.x86_64 :8.24.-.el7 will be updated
---> Package rsyslog.x86_64 :8.24.-.el7_7. will be an update
--> Finished Dependency Resolution Dependencies Resolved ===================================================================================================================================
Package Arch Version Repository Size
===================================================================================================================================
Updating:
rsyslog x86_64 8.24.-.el7_7. updates k Transaction Summary
===================================================================================================================================
Upgrade Package Total download size: k
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
rsyslog-8.24.-.el7_7..x86_ FAILED ] 0.0 B/s | kB --:--:-- ETA
http://mirror.lzu.edu.cn/centos/7.7.1908/updates/x86_64/Packages/rsyslog-8.24.0-41.el7_7.2.x86_64.rpm: [Errno 12] Timeout on http://mirror.lzu.edu.cn/centos/7.7.1908/updates/x86_64/Packages/rsyslog-8.24.0-41.el7_7.2.x86_64.rpm: (28, 'Operation too slow. Less than 1000 bytes/sec transferred the last 30 seconds')
Trying other mirror.
rsyslog-8.24.-.el7_7..x86_64.rpm | kB ::
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Updating : rsyslog-8.24.-.el7_7..x86_64 /
Cleanup : rsyslog-8.24.-.el7.x86_64 /
Verifying : rsyslog-8.24.-.el7_7..x86_64 /
Verifying : rsyslog-8.24.-.el7.x86_64 / Updated:
rsyslog.x86_64 :8.24.-.el7_7. Complete!
[root@node101.yinzhengjie.org.cn ~]#

[root@node101.yinzhengjie.org.cn ~]# yum -y install syslog

[root@node101.yinzhengjie.org.cn ~]# rpm -qi rsyslog
Name : rsyslog
Version : 8.24.
Release : .el7_7.
Architecture: x86_64
Install Date: Thu Dec :: PM EST
Group : System Environment/Daemons
Size :
License : (GPLv3+ and ASL 2.0)
Signature : RSA/SHA256, Mon Oct :: AM EDT, Key ID 24c6a8a7f4a80eb5
Source RPM : rsyslog-8.24.-.el7_7..src.rpm
Build Date : Fri Oct :: PM EDT
Build Host : x86-.bsys.centos.org
Relocations : (not relocatable)
Packager : CentOS BuildSystem <http://bugs.centos.org>
Vendor : CentOS
URL : http://www.rsyslog.com/
Summary : Enhanced system logging and kernel message trapping daemon
Description :
Rsyslog is an enhanced, multi-threaded syslog daemon. It supports MySQL,
syslog/TCP, RFC , permitted sender lists, filtering on any message part,
and fine grain output format control. It is compatible with stock sysklogd
and can be used as a drop-in replacement. Rsyslog is simple to set up, with
advanced features suitable for enterprise-class, encryption-protected syslog
relay chains.
[root@node101.yinzhengjie.org.cn ~]#

[root@node101.yinzhengjie.org.cn ~]# rpm -qi rsyslog          #可以查看相应的日志版本

[root@node101.yinzhengjie.org.cn ~]# rpm -ql rsyslog
/etc/logrotate.d/syslog
/etc/pki/rsyslog
/etc/rsyslog.conf
/etc/rsyslog.d
/etc/sysconfig/rsyslog
/usr/bin/rsyslog-recover-qi.pl
/usr/lib/systemd/system/rsyslog.service
/usr/lib64/rsyslog
/usr/lib64/rsyslog/imdiag.so
/usr/lib64/rsyslog/imfile.so
/usr/lib64/rsyslog/imjournal.so
/usr/lib64/rsyslog/imklog.so
/usr/lib64/rsyslog/immark.so
/usr/lib64/rsyslog/impstats.so
/usr/lib64/rsyslog/imptcp.so
/usr/lib64/rsyslog/imtcp.so
/usr/lib64/rsyslog/imudp.so
/usr/lib64/rsyslog/imuxsock.so
/usr/lib64/rsyslog/lmnet.so
/usr/lib64/rsyslog/lmnetstrms.so
/usr/lib64/rsyslog/lmnsd_ptcp.so
/usr/lib64/rsyslog/lmregexp.so
/usr/lib64/rsyslog/lmstrmsrv.so
/usr/lib64/rsyslog/lmtcpclt.so
/usr/lib64/rsyslog/lmtcpsrv.so
/usr/lib64/rsyslog/lmzlibw.so
/usr/lib64/rsyslog/mmanon.so
/usr/lib64/rsyslog/mmcount.so
/usr/lib64/rsyslog/mmexternal.so
/usr/lib64/rsyslog/mmutf8fix.so
/usr/lib64/rsyslog/omjournal.so
/usr/lib64/rsyslog/ommail.so
/usr/lib64/rsyslog/omprog.so
/usr/lib64/rsyslog/omruleset.so
/usr/lib64/rsyslog/omstdout.so
/usr/lib64/rsyslog/omtesting.so
/usr/lib64/rsyslog/omuxsock.so
/usr/lib64/rsyslog/pmaixforwardedfrom.so
/usr/lib64/rsyslog/pmcisconames.so
/usr/lib64/rsyslog/pmlastmsg.so
/usr/lib64/rsyslog/pmrfc3164sd.so
/usr/lib64/rsyslog/pmsnare.so
/usr/sbin/rsyslogd
/usr/share/doc/rsyslog-8.24.
/usr/share/doc/rsyslog-8.24./AUTHORS
/usr/share/doc/rsyslog-8.24./COPYING
/usr/share/doc/rsyslog-8.24./COPYING.ASL20
/usr/share/doc/rsyslog-8.24./COPYING.LESSER
/usr/share/doc/rsyslog-8.24./ChangeLog
/usr/share/man/man5/rsyslog.conf..gz
/usr/share/man/man8/rsyslogd..gz
/var/lib/rsyslog
[root@node101.yinzhengjie.org.cn ~]#

[root@node101.yinzhengjie.org.cn ~]# rpm -ql rsyslog          #查看安装的文件列表

2>.rsyslog服务概述

程序包:
  rsyslog 主程序:
  /usr/sbin/rsyslogd CentOS :
  service rsyslog {start|stop|restart|status} CentOS :
  /usr/lib/systemd/system/rsyslog.service 配置文件:
  /etc/rsyslog.conf,/etc/rsyslog.d/*.conf 库文件:
  /lib64/rsyslog/*.so
[root@node101.yinzhengjie.org.cn ~]# systemctl status rsyslog
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Thu -- :: EST; 16min ago
Docs: man:rsyslogd()
http://www.rsyslog.com/doc/
Main PID: (rsyslogd)
CGroup: /system.slice/rsyslog.service
└─ /usr/sbin/rsyslogd -n Dec :: node101.yinzhengjie.org.cn systemd[]: Starting System Logging Service...
Dec :: node101.yinzhengjie.org.cn rsyslogd[]: [origin software="rsyslogd" swVersion="8.24.0-41.el7_7.2" x-pi...start
Dec :: node101.yinzhengjie.org.cn systemd[]: Started System Logging Service.
Hint: Some lines were ellipsized, use -l to show in full.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#

[root@node101.yinzhengjie.org.cn ~]# systemctl status rsyslog

3>./etc/rsyslog.conf的配置文件格式

/etc/rsyslog.conf的配置文件格式是由三部分组成,如下所示:
  MODULES:
    相关模块配置
  GLOBAL DIRECTIVES:
    全局配置
  RULES:
    日志记录相关的规则配置 默认配置文件参数说明(红色的表示MODULES相关配置,蓝色的表示全局配置,粉色的表示日志记录相关规则配置):
  [root@node101.yinzhengjie.org.cn ~]# egrep -v "^#|^$" /etc/rsyslog.conf
  $ModLoad imuxsock                         #支持本地系统日志记录
  $ModLoad imjournal                        #提供对系统日志的访问
  $WorkDirectory /var/lib/rsyslog                 #指定日志存放为止
  $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat   #使用默认时间戳格式
  $IncludeConfig /etc/rsyslog.d/*.conf              #加载"/etc/rsyslog.d/*.conf "配置文件
  $OmitLocalLogging on                         #通过本地日志套接字关闭消息接收,本地消息现在通过imjournal检索。
  $IMJournalStateFile imjournal.state                 #在日志中存储位置的文件
  *.info;mail.none;authpriv.none;cron.none /var/log/messages   #记录info级别或更高级别的任何内容(邮件,身份验证,周期性任务日志除外,因为下面已经有单独将他们存放在指定的配置文件啦),不要记录私人身份验证消息哟,系统默认记录在"/var/log/messages"
  authpriv.* /var/log/secure                     #把权限认证的所有日志级别均记录到"/var/log/secure"文件中。
  mail.* -/var/log/maillog                     #有邮件所有日志级别均记录到"/var/log/maillog"文件中,其中前面的"-"表示异步写入文件。
  cron.* /var/log/cron                     #记录cron服务的所有日志级别到"/var/log/cron"文件中。
  *.emerg :omusrmsg:*                       #每个人都会收到紧急(emerg)信息
  uucp,news.crit /var/log/spooler                  #将crit及更高级别的新闻错误保存在"/var/log/spooler"
  local7.* /var/log/boot.log                     #将启动消息也保存到"/var/log/boot.log"
  [root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /etc/rsyslog.conf
# rsyslog configuration file # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html #### MODULES #### # The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability # Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun # Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun #### GLOBAL DIRECTIVES #### # Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog # Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat # File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on # Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf # Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on # File to store the position in the journal
$IMJournalStateFile imjournal.state #### RULES #### # Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console # Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages # The authpriv file has restricted access.
authpriv.* /var/log/secure # Log all the mail messages in one place.
mail.* -/var/log/maillog # Log cron stuff
cron.* /var/log/cron # Everybody gets emergency messages
*.emerg :omusrmsg:* # Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler # Save boot messages also to boot.log
local7.* /var/log/boot.log # ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
[root@node101.yinzhengjie.org.cn ~]#

[root@node101.yinzhengjie.org.cn ~]# cat /etc/rsyslog.conf

4>.RULES配置格式 

RULES配置格式:
  facility.priority; facility.priority... target   facility:
    *: 所有的facility
    facility1,facility2,facility3,...:指定的facility列表   priority:
    *: 所有级别
    none:没有级别,即不记录
    PRIORITY:指定级别(含)以上的所有级别
    =PRIORITY:仅记录指定级别的日志信息   target:
    文件路径:通常在/var/log/,文件路径前的-表示异步写入,一般不推荐将重要的日志异步写入,所谓的异步写入是指先将数据库写入buffer,间隔时间断后才真正写入磁盘,可能存在丢失日志的风险,但写入效率高。
    用户:将日志事件通知给指定的用户,* 表示登录的所有用户
    日志服务器:@host,把日志送往至指定的远程服务器记录
    管道: | COMMAND,转发给其它命令处理

四.配置sshd服务的日志案例(前提是sshd服务有调用rsyslog服务的日志接口,如果你自己开发的软件不支持则rsyslog就管不着啦,比如apache,nginx均有自己的日志实现方式,它们不用系统日志记录)

1>.修改sshd服务默认的日志类型并通过rsyslog服务记录

[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/ssh/sshd_config  |grep SyslogFacility      #我们直到sshd服务将日志类别定义为"AUTHPRIV"
SyslogFacility AUTHPRIV
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/rsyslog.conf |grep authpriv       #我们查看rsyslog服务将"AUTHPRIV"类别的日志单独记录到"/var/log/secure"文件中
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# tail - /var/log/secure                            #的确如此,我们在该日志文件中找到了有关sshd服务的日志,但除了sshd日志外还有其他服务对应"AUTHPRIV"日志级别的信息也保存到该文件啦。
Dec :: node101 sshd[]: Accepted password for root from 172.30.1.2 port ssh2
Dec :: node101 sshd[]: pam_unix(sshd:session): session opened for user root by (uid=)
Dec :: node101 su: PAM unable to dlopen(/usr/lib64/security/pam_fprintd.so): /usr/lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
Dec :: node101 su: PAM adding faulty module: /usr/lib64/security/pam_fprintd.so
Dec :: node101 su: pam_unix(su-l:session): session opened for user yinzhengjie by root(uid=)
Dec :: node101 su: pam_unix(su-l:session): session closed for user yinzhengjie
Dec :: node101 sshd[]: pam_systemd(sshd:session): Failed to release session: Interrupted system call
Dec :: node101 sshd[]: pam_unix(sshd:session): session closed for user root
Dec :: node101 sshd[]: Accepted password for root from 172.30.1.2 port ssh2
Dec :: node101 sshd[]: pam_unix(sshd:session): session opened for user root by (uid=)
Dec :: node101 useradd[]: new group: name=jason, GID=
Dec :: node101 useradd[]: new user: name=jason, UID=, GID=, home=/home/jason, shell=/bin/bash
Dec :: node101 userdel[]: delete user 'jason'
Dec :: node101 userdel[]: removed group 'jason' owned by 'jason'
Dec :: node101 userdel[]: removed shadow group 'jason' owned by 'jason'
Dec :: node101 sshd[]: pam_unix(sshd:session): session closed for user root
Dec :: node101 sshd[]: Accepted password for root from 172.30.1.2 port ssh2
Dec :: node101 sshd[]: pam_unix(sshd:session): session opened for user root by (uid=)
Dec :: node101 sshd[]: Accepted password for root from 172.30.1.2 port ssh2
Dec :: node101 sshd[]: pam_unix(sshd:session): session opened for user root by (uid=)
[root@node101.yinzhengjie.org.cn ~]#

[root@node101.yinzhengjie.org.cn ~]# tail -20 /var/log/secure    #我们在该日志文件中找到了有关sshd服务的日志,但除了sshd服务的日志外还有其他服务对应"AUTHPRIV"日志级别的信息也保存到该文件啦。因此我们可以把sshd服务的日志单独抽出来保存

[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/ssh/sshd_config  |grep SyslogFacility        #默认sshd的日志类别为AUTHPRIV
SyslogFacility AUTHPRIV
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# vim /etc/ssh/sshd_config
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/ssh/sshd_config |grep SyslogFacility         #我们将默认的日志类注释掉,我们直到local0-7是可以自定义的日志类别,而local7已经被保存boot日志了,因此我们可用的只有local0-6啦,于是我这里将sshd服务日志类型定义为自定义类型local0。
SyslogFacility local0
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# grep local0 /etc/rsyslog.conf                             #我们将自定义日志类型local0对应的所有日志级别日志记录到"/var/log/sshd.log"中
local0.* /var/log/sshd.log
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll /var/log/sshd.log                                  #我们发现修改了配置文件后并没有生成"/var/log/sshd.log"文件,那是因为配置还没有生效,需要重启服务
ls: cannot access /var/log/sshd.log: No such file or directory
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl restart sshd rsyslog                           #注意,咱们修改了sshd服务和rsyslog服务的配置文件,因此我们需要重启这2个服务
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll /var/log/sshd.log                             #我们重启服务后就存在该文件啦
-rw------- root root Dec : /var/log/sshd.log
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /var/log/sshd.log                             #重启后发现文件立即就记录类容啦
Dec :: node101 sshd[]: Server listening on 0.0.0.0 port .
Dec :: node101 sshd[]: Server listening on :: port .
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ssh 127.0.0.1                                      #于是我们使用ssh连接一下本机在观察日志是否有记录
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:uv+7B8M+Muy0u0bnGOplDlSUE4lRiinkGDgEdRk7ChA.
ECDSA key fingerprint is MD5:b8::3f:d7:e2:7d:::f5:bf:d2:d0:0c:af:db:.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
root@127.0.0.1's password:
Last login: Thu Dec :: from 172.30.1.2
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# exit
logout
Connection to 127.0.0.1 closed.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /var/log/sshd.log                                #果不其然,的确有日志记录啦~
Dec :: node101 sshd[]: Server listening on 0.0.0.0 port .
Dec :: node101 sshd[]: Server listening on :: port .
Dec :: node101 sshd[]: Accepted password for root from 127.0.0.1 port ssh2
Dec :: node101 sshd[]: Received disconnect from 127.0.0.1 port :: disconnected by user
Dec :: node101 sshd[]: Disconnected from 127.0.0.1 port
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#  

2>.logger命令使用案例

[root@node101.yinzhengjie.org.cn ~]# logger -p local0.info "ssh event start"                     #我们往local0日志类型发一条info级别信息,消息内容为"ssh event start"
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# tail - /var/log/sshd.log                             #很显然,上面的日志被rsyslog服务记录到local0类型所对应存储的位置了
Dec :: node101 root: ssh event start
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#

五.远程日志收集

1>.启用网络日志服务

2>.

3>.

上一篇:JAVA基础学习之路(九)[2]String类常用方法


下一篇:FOJ 1858 Super Girl 单调队列