Linux book 2, chapter 3: Log management in a Linux system

Experimental environment: systemctl stop firewalld  

1, Journal

Service Name: systemd-journald.service

journalctl

systemctl status systemd-journald   ## View service status

Default log storage path: /run/log/journal/      ## The subdirectory inside is named after the machine ID

  1. Usage of journalctl command:

journalctl
 -n 3                            ## The latest 3 entries in the log
 --since "2021-10-24 11:00:00"   ## Show logs after 11:00
 --until "2021-10-24 14:00:00"   ## Show logs until 14:00
journalctl -o                    ## Set how logs are displayed
           ##      short    displays logs in the standard classic mode
           ##      verbose  displays every field of each log entry
           ##      export   binary format suitable for transfer and backup
           ##      json     displays output in JSON format

journalctl -p              ## Filter the log by priority level
           ## 0 emerg    critical issue, the system is unusable
           ## 1 alert    a condition that must be corrected immediately
           ## 2 crit     critical condition: the system software can no longer work normally, for example a hardware failure that stops the software from working
           ## 3 err      program error
           ## 4 warning  program warning
           ## 5 notice   normal but significant condition
           ## 6 info     general information
           ## 7 debug    program debugging messages

-F PRIORITY        ## List the values the PRIORITY field can take
-u sshd            ## Show only the log of the specified service
--disk-usage       ## Show how much disk space the log uses
--vacuum-size=1G   ## Shrink the stored log to at most 1G
--vacuum-time=1W   ## Delete log entries older than one week
-f                 ## Follow the log (show new entries as they arrive)
journalctl _PID=10924 _SYSTEMD_UNIT=sshd.service   ## Filter on journal fields

journalctl -n 3                           ## The latest 3 entries in the log
journalctl --since "2021-10-24 18:20:00"  ## Show the log after 18:20
journalctl --until "2021-10-24 18:35:50"  ## Show the log up to 18:35:50

journalctl -o short      ## Show the log in classic mode

journalctl -o verbose    ## Show every field of each log entry

journalctl -o export     ## Binary format for transfer and backup

journalctl -o json       ## Show output in JSON format

journalctl -p emerg     ## System critical issues (the system is unusable)
journalctl -p alert     ## Conditions that must be corrected immediately
journalctl -p crit      ## Critical conditions: the system software can no longer work normally, for example a hardware failure that stops the software from working

journalctl -p err       ## Program errors

journalctl -p warning   ## Program warnings

journalctl -p notice    ## Normal but significant conditions

journalctl -p info      ## General information

journalctl -p debug     ## Program debugging messages

journalctl -F       PRIORITY   ## View controllable log levels
journalctl -u       sshd       ## Specify viewing service

journalctl --disk-usage       ## Show how much disk space the log uses
journalctl --vacuum-size=1G   ## Limit the stored log to 1G of disk space
journalctl --vacuum-time=1W   ## Delete log entries older than one week

journalctl -f                 ## Follow the log: each new entry is shown as it is generated
journalctl _PID=2575          ## View the log entries of PID 2575

2. Use the journald service to store logs permanently

The default log location in the system is: /run/log/journal
This directory lives in memory, so the log is cleared when the system restarts. To keep the log permanently, perform the following steps:

mkdir /var/log/journal
chgrp systemd-journal /var/log/journal
chmod 2775            /var/log/journal
systemctl restart systemd-journald.service

When the service restarts, the log storage path becomes: /var/log/journal

Test:
1. Check the log before operating the above steps
2. Restart the system
3. View the log again
4. You can see that the log from before the restart is gone; only entries written after the restart are visible
5. After completing the above operations, restart the system again to see that the log has been saved.
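The steps above depend on the directory having the right group and the setgid bit, otherwise journald cannot write there and silently keeps using the volatile /run location. The following check script is an added example, not part of the original article; the directory path and the expected group are parameters (the group defaults to systemd-journal, and the test below substitutes the caller's own group so it can run anywhere):

```shell
#!/bin/sh
# Verify that a journal directory is set up as the steps above describe:
# it exists, is group-owned by the expected group (systemd-journal on a real
# system) and has mode 2775 (setgid bit so new files inherit the group,
# group-writable). Returns 0 when every check passes, 1 otherwise, and
# prints one line per failing check.
check_journal_dir() {
    dir="$1"
    group="${2:-systemd-journal}"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir does not exist"
        return 1
    fi
    mode=$(stat -c '%a' "$dir")         # octal mode including the setgid bit
    owner_group=$(stat -c '%G' "$dir")  # group name
    [ "$mode" = "2775" ] || { echo "MODE: $dir is $mode, expected 2775"; rc=1; }
    [ "$owner_group" = "$group" ] || { echo "GROUP: $dir is owned by $owner_group, expected $group"; rc=1; }
    return $rc
}

# Usage: check the persistent journal directory from the steps above.
if check_journal_dir /var/log/journal; then
    echo "/var/log/journal is ready for persistent storage"
fi
```

After `systemctl restart systemd-journald.service`, `journalctl --disk-usage` should report files under /var/log/journal; if the check prints a MODE or GROUP line, rerun the chgrp/chmod steps before restarting the service.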

2, rsyslog

Service Name: rsyslog.service

Log storage:
/var/log/messages     ## System service log: general information and service errors
/var/log/secure       ## System authentication log
/var/log/maillog      ## System mail log
/var/log/cron         ## System scheduled task log
/var/log/boot.log     ## System startup log
Configuration file:   /etc/rsyslog.conf

1. Customize log collection path

vim /etc/rsyslog.conf
 Format:  log type.log level    log storage path
*.*                   /var/log/westos   ## Store logs of every type and level in westos
*.*;authpriv.none     /var/log/westos   ## Store logs of every type and level in westos, except authpriv, which is not stored
Log type:
auth        # User authentication
authpriv    # Service authentication
cron        # Scheduled tasks
kern        # Kernel
mail        # Mail
news        # System update information
user        # User

Log level:
debug       # Program troubleshooting information
info        # Program general operation information
notice      # General log of important information
warning     # Program warning
err         # Program error
crit        # Severe condition that stops the system software from working properly
alert       # Condition in the system that must be corrected immediately
emerg       # Critical issues log for the system
none        # Do not collect
vim /etc/rsyslog.conf   ## Customize the log collection path
> /var/log/westos       ## Clear the log
cat /var/log/westos
systemctl restart rsyslog.service   ## After restarting the service, log in remotely from another host via ssh
cat /var/log/westos     ## View the log

1) Store logs of all types and levels in /var/log/westos

2) Store logs of all levels except authpriv (service authentication) in /var/log/westos

2. Remote synchronization of logs

westoshost139: 172.25.254.139   ## Acts as the log receiver; all logs are stored on this host
westoshost239: 172.25.254.239   ## Sends its logs to the westoshost139 host

On westoshost139, configure it to receive everyone's logs:
vim /etc/rsyslog.conf
   module(load="imudp")                ## Load the UDP log reception module
   input(type="imudp" port="514")      ## Port the module listens on
systemctl restart rsyslog.service   ## Restart the service
systemctl disable --now firewalld   ## Turn off the firewall
netstat -antlupe | grep rsyslog     ## Check the listening port
> /var/log/messages                 ## Clear the log
cat /var/log/messages

On westoshost239, configure it to send its logs to westoshost139:
vim /etc/rsyslog.conf
systemctl restart rsyslog.service
> /var/log/messages  ##Clear log
logger test
logger hahah

Note:

@                  ## Send logs over udp
@@                 ## Send logs over tcp
@172.25.254.139    ## Send the local log to host 172.25.254.139 over udp

  3. How to change the log collection format

  1) Define log collection format

$template WESTOS_FORMAT, "%FROMHOST-IP% %timegenerated% %FROMHOST-IP% %syslogtag% %msg%\n"
#WESTOS_FORMAT: name of the format
#%FROMHOST-IP%: IP of the host the log came from
#%timegenerated%: time the log was generated
#%syslogtag%: service that generated the log
#%msg%: log content
#\n: newline

2) Set log collection format  

*.*;authpriv.none       /var/log/westos;WESTOS_FORMAT    ## Apply the template to this one rule
module(load="builtin:omfile" Template="WESTOS_FORMAT")   ## Or make WESTOS_FORMAT the default format for all file outputs
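Once the receiver writes lines in WESTOS_FORMAT, the first field of every line is the sending host's IP, which makes it easy to see which hosts are actually delivering logs and whether anything arrives from a host that is not supposed to be sending (the imudp input above accepts from any address that reaches port 514). The parser below is an added example, not part of the original article; the sample lines are constructed in the template's layout, and the allowlist of sender IPs is an assumption:

```shell
#!/bin/sh
# Added example: read lines in WESTOS_FORMAT
# ("%FROMHOST-IP% %timegenerated% %FROMHOST-IP% %syslogtag% %msg%") from stdin.
# %timegenerated% renders as three tokens ("Oct 24 18:20:01"), so the fields are:
#   $1 source IP, $2-$4 time, $5 source IP again, $6 syslog tag, $7... message.

# summarize_by_host: print "ip count" per sending host, plus a count of lines
# that do not fit the format (too few fields, or the two IP fields disagree).
summarize_by_host() {
    awk '
        NF < 7 || $1 != $5 { bad++; next }
        { count[$1]++ }
        END {
            for (h in count) printf "%s %d\n", h, count[h]
            if (bad) printf "malformed %d\n", bad
        }
    ' | sort
}

# unexpected_senders "ip1 ip2 ...": print source IPs not in the allowlist.
unexpected_senders() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 7 && !($1 in ok) { seen[$1] = 1 }
        END { for (h in seen) print h }
    ' | sort
}

# Constructed sample lines (not real captures) in WESTOS_FORMAT, including one
# from a host that is not in the allowlist and one line that is not in the format.
SAMPLE='172.25.254.239 Oct 24 18:20:01 172.25.254.239 root: test
172.25.254.239 Oct 24 18:20:05 172.25.254.239 root: hahah
172.25.254.139 Oct 24 18:21:10 172.25.254.139 sshd[2575]: Server listening on 0.0.0.0 port 22.
172.25.254.77 Oct 24 18:22:00 172.25.254.77 logger: message from an unlisted host
garbage line'

# Assumed allowlist: the two hosts from this section.
ALLOWED="172.25.254.139 172.25.254.239"

printf '%s\n' "$SAMPLE" | summarize_by_host
printf '%s\n' "$SAMPLE" | unexpected_senders "$ALLOWED"
```

On the receiver, `summarize_by_host < /var/log/westos` gives the per-host counts for the file written by the rule above; a host that should be sending but has a count of zero, or an IP reported by `unexpected_senders`, is worth a look.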


Tags: Linux

Posted on Sun, 24 Oct 2021 09:35:54 -0400 by Gregghawes