Linux system logs

/var/log/messages

The core system log file. It holds the boot messages from startup and the status messages the system emits while running; I/O errors, network errors and other system errors all land here, so it is the first file to look at when diagnosing a fault. (This is the RHEL/CentOS layout with rsyslog; Debian-family systems write the same stream to /var/log/syslog, and on a systemd host journalctl shows it as well.)

Daemon: rsyslogd. If that process is stopped, nothing more is written to /var/log/messages (the kernel and applications keep producing messages; they are simply no longer collected, so a log that suddenly goes quiet is itself worth investigating).
Rotation is handled by logrotate; with the stock configuration the file is rotated once a week.
logrotate configuration file: /etc/logrotate.conf (per-package stanzas live under /etc/logrotate.d, which this file includes).

[root@jinkai rsync]# cat /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# use date as a suffix of the rotated file
dateext

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
    minsize 1M
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
}

# system-specific logs may be also be configured here.
[root@jinkai rsync]#
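Four weeks of history is short when an intrusion is found late. As an added example (not from the original page), the stanza below tightens rotation for the security-relevant logs: longer retention than the stock 4 weeks, compression of old copies, and 0600 on every new file. It is written to a scratch directory, checked with logrotate's dry-run mode, and a small find-based audit then lists files in a log directory that group or world can read, which is how you catch a rotated copy that leaked permissions. The 13-week retention, the /var/run/syslogd.pid path in the postrotate hook and the scratch paths are the author's assumptions here, not values from the page.

```shell
#!/bin/sh
# Added example, not from the original page: a stricter logrotate stanza for
# the auth-relevant logs, plus a permission audit of a log directory.
set -u

SCRATCH=$(mktemp -d)          # scratch dir so nothing touches /etc
CONF="$SCRATCH/secure-audit"  # assumed name; install as /etc/logrotate.d/secure-audit

# write_conf: generate the stanza. Compared with the distro default it keeps
# 13 weeks instead of 4, compresses old copies, and creates every new file
# 0600 root:root. delaycompress leaves the newest rotated file uncompressed
# because rsyslogd may still be writing to it until the HUP is processed.
write_conf() {
    cat >"$CONF" <<'EOF'
/var/log/secure /var/log/messages {
    weekly
    rotate 13
    missingok
    notifempty
    dateext
    compress
    delaycompress
    create 0600 root root
    sharedscripts
    postrotate
        /bin/kill -HUP "$(cat /var/run/syslogd.pid 2>/dev/null)" 2>/dev/null || true
    endscript
}
EOF
}

# conf_has TEXT: 0 if the generated stanza contains a line starting with TEXT.
conf_has() {
    grep -q "^[[:space:]]*$1" "$CONF"
}

# dry_run: ask logrotate what it *would* do, without rotating anything.
# Uses a private state file so the real /var/lib/logrotate state is untouched.
dry_run() {
    if command -v logrotate >/dev/null 2>&1; then
        logrotate -d -s "$SCRATCH/state" "$CONF" \
            || echo "dry run reported problems (see above)" >&2
    else
        echo "logrotate not installed here; stanza written to $CONF" >&2
    fi
}

# readable_by_others DIR: regular files under DIR that group or world can
# read. Rotated copies of secure or btmp must never show up here; wtmp is
# 0664 by design, so expect it in the list.
readable_by_others() {
    find "$1" -type f \( -perm -g+r -o -perm -o+r \) | sort
}

# Top-level demo, runnable as: sh logrotate_audit.sh
write_conf
dry_run
# constructed fixture: one correctly protected and one leaky rotated log
mkdir -p "$SCRATCH/log"
: >"$SCRATCH/log/secure-20200901";   chmod 0600 "$SCRATCH/log/secure-20200901"
: >"$SCRATCH/log/messages-20200901"; chmod 0644 "$SCRATCH/log/messages-20200901"
readable_by_others "$SCRATCH/log"
```

Drop the stanza into /etc/logrotate.d and remove /var/log/secure and /var/log/messages from the package's own syslog stanza, otherwise two stanzas claim the same file and logrotate refuses to rotate it. Run the audit against /var/log after the first rotation to confirm the new mode took effect.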

dmesg command

Prints the kernel ring buffer: the messages the kernel logged while booting and since. If a piece of hardware is misbehaving, its errors show up here. The buffer is fixed-size, so older entries are overwritten on a busy host; the same messages are also passed to rsyslogd and end up in /var/log/messages. dmesg -T prints wall-clock timestamps instead of seconds since boot.

[root@jinkai rsync]# dmesg | head -5
[ 0.000000] Initializing cgroup subsys cpuset
[ 0.000000] Initializing cgroup subsys cpu
[ 0.000000] Initializing cgroup subsys cpuacct
[ 0.000000] Linux version 3.10.0-957.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC) ) #1 SMP Thu Nov 8 23:39:32 UTC 2018
[ 0.000000] Command line: BOOT_IMAGE=/vmlinuz-3.10.0-957.el7.x86_64 root=/dev/mapper/centos-root ro crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet LANG=zh_CN.UTF-8
[root@jinkai rsync]#

Security logs

The last command shows the login history of the host (it reads /var/log/wtmp)

[root@jinkai rsync]# last |head -5
root pts/0 192.168.111.1 Tue Sep 1 12:28 still logged in
root pts/0 192.168.111.1 Mon Aug 31 21:41 - 10:45 (13:03)
reboot system boot 3.10.0-957.el7.x Mon Aug 31 21:41 - 23:45 (1+02:03)
root pts/0 192.168.111.1 Mon Aug 31 21:35 - 21:36 (00:00)
reboot system boot 3.10.0-957.el7.x Mon Aug 31 21:35 - 23:45 (1+02:09)
From left to right: account name, terminal, client IP address, login time, and the session length (or "still logged in"). wtmp is a binary file, so last is the way to read it; cat will not show anything useful.

lastb

Shows failed login attempts; it reads /var/log/btmp. The ssh:notty entries below are SSH password failures that never got a terminal. btmp is created 0600 (see the logrotate stanza above), so only root can read it, and it records only the bare authentication failure; the surrounding context (invalid usernames, connection closes, sudo use) is in /var/log/secure.

[root@jinkai rsync]# lastb
root ssh:notty 192.168.111.137 Tue Sep 1 23:51 - 23:51 (00:00)
root ssh:notty 192.168.111.137 Tue Sep 1 23:51 - 23:51 (00:00)

btmp begins Tue Sep 1 23:51:24 2020

/var/log/secure

Everything rsyslog receives on the authpriv facility goes here: successful and failed logins, sshd connection events, sudo use, PAM session open and close, and, as the excerpt shows, account changes made by useradd and groupadd. It is the first file to pull when a host is suspected of being compromised.

[root@jinkai rsync]# head -5 /var/log/secure
Aug 30 22:08:04 jinkai groupadd[7798]: group added to /etc/group: name=tcpdump, GID=72
Aug 30 22:08:04 jinkai groupadd[7798]: group added to /etc/gshadow: name=tcpdump
Aug 30 22:08:04 jinkai groupadd[7798]: new group: name=tcpdump, GID=72
Aug 30 22:08:04 jinkai useradd[7803]: new user: name=tcpdump, UID=72, GID=72, home=/, shell=/sbin/nologin
Aug 30 22:11:11 jinkai sshd[7843]: Connection closed by 192.168.111.1 port 61342 [preauth]
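As an added example that is not from the original page, the checks below run over /var/log/secure-style lines and answer the questions last, lastb and a plain grep cannot answer on their own: which addresses are brute-forcing sshd, who actually got in and by which method, and what was run through sudo. The log lines are constructed to match the formats sshd, PAM and sudo write on CentOS 7; the hostname, addresses, PIDs and the threshold of 2 failures are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: first-pass triage of
# /var/log/secure. The sample lines below are constructed, not a capture.
set -u

SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Sep  1 23:51:20 jinkai sshd[12001]: Failed password for root from 192.168.111.137 port 50122 ssh2
Sep  1 23:51:22 jinkai sshd[12001]: Failed password for root from 192.168.111.137 port 50122 ssh2
Sep  1 23:51:24 jinkai sshd[12005]: Failed password for invalid user admin from 192.168.111.137 port 50130 ssh2
Sep  1 23:51:30 jinkai sshd[12010]: Accepted password for root from 192.168.111.1 port 61350 ssh2
Sep  1 23:51:30 jinkai sshd[12010]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep  1 23:53:10 jinkai sshd[12020]: Failed password for invalid user test from 10.0.0.9 port 41000 ssh2
Sep  1 23:54:00 jinkai sudo:   root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/cat /etc/shadow
Sep  1 23:55:00 jinkai sshd[12030]: Accepted publickey for deploy from 192.168.111.50 port 40010 ssh2
EOF

# failed_by_ip LOG: "count ip", busiest source first. Catches both
# "Failed password for USER" and "Failed password for invalid user USER",
# so the address is always the word after "from" rather than a fixed field.
failed_by_ip() {
    grep -E 'sshd\[[0-9]+\]: Failed password for ' "$1" \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# bruteforce_sources LOG THRESHOLD: addresses with more than THRESHOLD failures.
bruteforce_sources() {
    failed_by_ip "$1" | awk -v t="$2" '$1 > t { print $2 }'
}

# accepted_logins LOG: "user method ip" for every successful sshd authentication.
# A password login from an address that also appears in failed_by_ip is the
# classic sign that a brute force succeeded.
accepted_logins() {
    grep -E 'sshd\[[0-9]+\]: Accepted ' "$1" \
        | awk '{ for (i = 1; i <= NF; i++) {
                     if ($i == "Accepted") method = $(i + 1)
                     if ($i == "for")      user   = $(i + 1)
                     if ($i == "from")     ip     = $(i + 1)
                 }
                 print user, method, ip }'
}

# sudo_commands LOG: "user -> target: command" for every sudo invocation.
sudo_commands() {
    grep -E ' sudo: +[^ ]+ : ' "$1" \
        | sed -E 's/^.* sudo: +([^ ]+) : .*USER=([^ ]+) ; COMMAND=(.*)$/\1 -> \2: \3/'
}

# Top-level demo, runnable as: sh secure_triage.sh
echo "== failed logins per source ==";                 failed_by_ip "$SAMPLE_LOG"
echo "== likely brute-force sources (>2 failures) =="; bruteforce_sources "$SAMPLE_LOG" 2
echo "== successful logins ==";                        accepted_logins "$SAMPLE_LOG"
echo "== sudo commands ==";                            sudo_commands "$SAMPLE_LOG"
```

Point the functions at the real file (failed_by_ip /var/log/secure) and include the rotated copies (/var/log/secure-*) when the incident window is older than a week; with the stanza above they are compressed, so use zcat or zgrep on those.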

The screen tool

screen is a window manager that multiplexes one physical terminal between several processes.

Inside one screen session you can open several screen windows, and each of them behaves like an independent SSH terminal. A detached session survives the SSH connection dropping, which is what makes it useful for long-running jobs.

Install the package

yum install -y screen

Create a new screen terminal
screen
After starting a script or command inside it,
switch back to the normal shell:
press Ctrl+a, release it, then press d (this only detaches; the session keeps running. To end a screen session press Ctrl+d or type exit inside it)
List the screen sessions and their IDs
screen -ls

[root@jinkai rsync]# screen -ls
There are screens on:
10889.pts-0.jinkai (Detached)
10874.pts-0.jinkai (Detached)
2 Sockets in /var/run/screen/S-root.

Reattach to one of the screens
Format: screen -r ID
[root@jinkai rsync]# screen -r 10889

Create a screen with a name instead of a bare ID, so it is easy to find later
screen -S jinkai

[root@jinkai rsync]# screen -S jinkai
[detached from 10908.jinkai]
[root@jinkai rsync]# screen -ls
There are screens on:
10908.jinkai (Detached)
10889.pts-0.jinkai (Detached)
10874.pts-0.jinkai (Detached)
3 Sockets in /var/run/screen/S-root.

[root@jinkai rsync]# screen -r jinkai
[detached from 10908.jinkai]

nohup

When you run a script with sh in a terminal it belongs to that terminal's session; when the SSH connection drops, the shell sends SIGHUP to its jobs and the script is killed along with it.
nohup makes the command ignore SIGHUP, so the script keeps running after the terminal is gone; the trailing & puts it in the background. Unless you redirect it, the command's output is appended to nohup.out in the current directory.
Format:
nohup sh <script path> &

nohup sh /usr/local/sbin/sleep.sh &
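An added example (not the page's own) that shows the mechanism behind the two sections above rather than only the commands: a job started with nohup ignores SIGHUP and finishes even after the signal a dying terminal would send, while the same job started plainly is killed by it. It also starts a job inside a detached screen session with screen -dmS, which is the scripted form of what the screen section does by hand. The script names, the 2-second job, the session name and the log path are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: what nohup actually changes,
# demonstrated by sending SIGHUP ourselves instead of dropping an SSH session.
set -u

WORKDIR=$(mktemp -d)   # assumed scratch location

# start_detached CMD...: run CMD immune to SIGHUP, in the background, with
# stdout and stderr sent to a log we choose instead of ./nohup.out.
# Prints the PID so the caller can watch or stop the job.
start_detached() {
    nohup "$@" >"$WORKDIR/job.log" 2>&1 &
    echo $!
}

# start_in_screen NAME CMD...: same idea, but inside a detached screen
# session so you can later run `screen -r NAME` to look at it. Needs screen.
start_in_screen() {
    name=$1; shift
    screen -dmS "$name" sh -c "$*"
}

# hup_test MODE: run a 2-second job, either plainly (MODE=plain) or under
# nohup (MODE=nohup), send it SIGHUP after 1 second, then see whether it
# completed. Returns 0 if the job survived the hangup, 1 if it was killed.
hup_test() {
    mode=$1
    marker="$WORKDIR/finished.$mode"
    rm -f "$marker"
    job="sleep 2 && echo ok > '$marker'"
    case $mode in
        nohup) pid=$(start_detached sh -c "$job") ;;
        plain) sh -c "$job" & pid=$! ;;
        *)     echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    sleep 1
    kill -HUP "$pid" 2>/dev/null || true    # what the terminal's death would do
    sleep 3
    wait "$pid" 2>/dev/null || true           # reap it if it was our direct child
    [ -f "$marker" ]
}

# Top-level demo, runnable as: sh nohup_demo.sh demo
if [ "${1:-}" = demo ]; then
    hup_test plain && echo "plain job survived SIGHUP" || echo "plain job was killed by SIGHUP"
    hup_test nohup && echo "nohup job survived SIGHUP" || echo "nohup job was killed by SIGHUP"
    if command -v screen >/dev/null 2>&1; then
        start_in_screen demo "sleep 30"
        screen -ls
        screen -S demo -X quit
    fi
    rm -rf "$WORKDIR"
fi
```

Always redirect the output of a nohup'd job yourself: the default nohup.out lands in whatever directory you happened to be in, which for an interactive root shell is often /root or a shared working directory.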
