Experimental environment: firewalld is stopped (systemctl stop firewalld) so that the remote-logging test later on is not blocked; on a production host open only the ports you need instead of stopping the firewall.
1, Journal
Service Name: systemd-journald.service
journalctl
systemctl status systemd-journald ## View service status
Default log storage path: /run/log/journal/<machine-id>/ ## the subdirectory is named after the machine ID in /etc/machine-id
1. Usage of journalctl command:
journalctl -n 3                            ## show the latest 3 entries
journalctl --since "2021-10-24 18:20:00"   ## show entries from 18:20:00 onwards
journalctl --until "2021-10-24 18:35:50"   ## show entries up to 18:35:50 (combine with --since to get a window)
journalctl -o short                        ## classic syslog-style output (the default)
journalctl -o verbose                      ## every field of every entry, including the trusted _-prefixed fields
journalctl -o export                       ## serialized export format, suitable for shipping and backup
journalctl -o json                         ## one JSON object per entry, for machine processing
journalctl -p emerg    ## 0: system is unusable
journalctl -p alert    ## 1: action must be taken immediately
journalctl -p crit     ## 2: critical condition, for example a hardware failure that stops software from working
journalctl -p err      ## 3: error condition
journalctl -p warning  ## 4: warning condition
journalctl -p notice   ## 5: normal but significant event
journalctl -p info     ## 6: informational message
journalctl -p debug    ## 7: debug-level message
## -p is a threshold, not an exact match: -p err shows err, crit, alert and emerg (PRIORITY 3 and more severe); a range such as -p warning..err is also accepted
journalctl -F PRIORITY                 ## list every value the PRIORITY field takes in the journal
journalctl -u sshd                     ## entries from one unit only ("sshd" is completed to sshd.service)
journalctl --disk-usage                ## space used by the journal files
journalctl --vacuum-size=1G            ## delete archived journal files until they use at most 1G (the active files are not touched)
journalctl --vacuum-time=1W            ## delete archived journal files older than one week
journalctl -f                          ## follow: print each new entry as it arrives
journalctl _PID=2575                   ## match on a journal field: only entries written by PID 2575
journalctl _SYSTEMD_UNIT=sshd.service  ## the field match that -u sshd expands to; several matches can be combined
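The options above all map onto journal fields, which is easiest to see on -o json output. The following Python script is an added example (it is not from the original page or from systemd) that applies the same selection rules as -p, -u, --since/--until and FIELD=value matches to a handful of constructed entries. The field names are the real journal fields; the entries, PIDs, hostnames and addresses are made up, and times are treated as UTC for determinism (journalctl itself uses the local timezone).

```python
"""Select journal entries the way journalctl does, on `journalctl -o json` output.

Added example, not part of the original page or of systemd. The field names
(PRIORITY, _SYSTEMD_UNIT, _PID, _HOSTNAME, __REALTIME_TIMESTAMP, MESSAGE) are
real journal fields; the entries are constructed and times are treated as UTC.
"""
import json
from datetime import datetime, timezone

# syslog priority numbers, in the order journalctl -p accepts them
PRIORITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def _us(y, mo, d, h, mi, s):
    """Microseconds since the epoch, the unit of __REALTIME_TIMESTAMP."""
    return str(int(datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc).timestamp()) * 1_000_000)


# Constructed sample: one JSON object per line, as `journalctl -o json` prints.
SAMPLE_JOURNAL_JSON = "\n".join(json.dumps(e) for e in [
    {"__REALTIME_TIMESTAMP": _us(2021, 10, 24, 18, 20, 5), "PRIORITY": "6", "_HOSTNAME": "westoshost239",
     "_SYSTEMD_UNIT": "sshd.service", "_PID": "2575", "SYSLOG_IDENTIFIER": "sshd",
     "MESSAGE": "Accepted publickey for root from 172.25.254.139 port 40210 ssh2"},
    {"__REALTIME_TIMESTAMP": _us(2021, 10, 24, 18, 21, 10), "PRIORITY": "3", "_HOSTNAME": "westoshost239",
     "_SYSTEMD_UNIT": "sshd.service", "_PID": "2590", "SYSLOG_IDENTIFIER": "sshd",
     "MESSAGE": "error: maximum authentication attempts exceeded for root from 10.0.0.5 port 5002 ssh2"},
    {"__REALTIME_TIMESTAMP": _us(2021, 10, 24, 18, 22, 0), "PRIORITY": "6", "_HOSTNAME": "westoshost239",
     "_SYSTEMD_UNIT": "crond.service", "_PID": "1100", "SYSLOG_IDENTIFIER": "CROND",
     "MESSAGE": "(root) CMD (run-parts /etc/cron.hourly)"},
    {"__REALTIME_TIMESTAMP": _us(2021, 10, 24, 18, 30, 0), "PRIORITY": "4", "_HOSTNAME": "westoshost239",
     "_TRANSPORT": "kernel", "SYSLOG_IDENTIFIER": "kernel",   # kernel entries carry no unit or PID
     "MESSAGE": "usb 1-1: device descriptor read/64, error -71"},
    {"__REALTIME_TIMESTAMP": _us(2021, 10, 24, 18, 40, 0), "PRIORITY": "6", "_HOSTNAME": "westoshost239",
     "_SYSTEMD_UNIT": "sshd.service", "_PID": "2575", "SYSLOG_IDENTIFIER": "sshd",
     "MESSAGE": "Received disconnect from 172.25.254.139 port 40210:11: disconnected by user"},
])


def parse_journal_json(text):
    """One JSON object per non-empty line -> list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def entry_time(entry):
    return datetime.fromtimestamp(int(entry["__REALTIME_TIMESTAMP"]) / 1_000_000, tz=timezone.utc)


def _parse_when(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def select(entries, priority=None, unit=None, since=None, until=None, **fields):
    """journalctl-style selection.

    priority: like -p, a level name or number used as a THRESHOLD
              (err keeps err, crit, alert and emerg, i.e. PRIORITY <= 3).
    unit:     like -u; "sshd" is completed to "sshd.service".
    since/until: "YYYY-MM-DD HH:MM:SS", inclusive, like --since/--until.
    fields:   exact FIELD=value matches, like `journalctl _PID=2575`.
    """
    max_prio = PRIORITY_NAMES.index(priority) if isinstance(priority, str) else priority
    if unit is not None and "." not in unit:
        unit += ".service"
    lo = _parse_when(since) if since else None
    hi = _parse_when(until) if until else None
    out = []
    for e in entries:
        if max_prio is not None and int(e.get("PRIORITY", 7)) > max_prio:
            continue
        if unit is not None and e.get("_SYSTEMD_UNIT") != unit:
            continue
        t = entry_time(e)
        if (lo and t < lo) or (hi and t > hi):
            continue
        if not all(e.get(k) == v for k, v in fields.items()):
            continue
        out.append(e)
    return out


def format_short(e):
    """Render like `-o short`: 'Oct 24 18:20:05 host ident[pid]: message'."""
    ident = e.get("SYSLOG_IDENTIFIER", "?")
    pid = f"[{e['_PID']}]" if "_PID" in e else ""
    return f"{entry_time(e):%b %d %H:%M:%S} {e.get('_HOSTNAME', '?')} {ident}{pid}: {e['MESSAGE']}"


if __name__ == "__main__":
    entries = parse_journal_json(SAMPLE_JOURNAL_JSON)
    # everything at warning or more severe, like `journalctl -p warning`
    for e in select(entries, priority="warning"):
        print(PRIORITY_NAMES[int(e["PRIORITY"])], format_short(e))
```

The threshold behaviour of -p is the part people get wrong: -p err does not show only errors, it shows errors and everything more severe. The same data can be pulled straight from a live host with journalctl -o json -u sshd and fed to select() unchanged.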
2. Storing the journal permanently
By default the journal lives under /run/log/journal, which is on tmpfs: it is lost at every reboot, so a crash or an attacker who forces a reboot also removes the evidence. To keep it across reboots:
mkdir /var/log/journal                   ## journald's default Storage=auto switches to persistent storage when this directory exists
chgrp systemd-journal /var/log/journal   ## members of the systemd-journal group may read the journal without root
chmod 2775 /var/log/journal              ## the setgid bit makes new journal files inherit that group
systemctl restart systemd-journald.service
After the restart journald writes to /var/log/journal/<machine-id>/ instead of /run/log/journal. If journalctl --list-boots still shows only the current boot after the next reboot, run journalctl --flush to copy the runtime journal into /var/log/journal, or set Storage=persistent in /etc/systemd/journald.conf and restart journald again.
Test:
1. Before doing the above, look at the journal and note what is there.
2. Reboot the system.
3. Look at the journal again.
4. The earlier entries are gone: only entries written since the reboot are visible.
5. Carry out the steps above, reboot once more, and the entries from before the reboot are still there.
2, rsyslog
Service Name: rsyslog.service
Log storage:
/var/log/messages ## general system and service messages (most facilities at info and above; mail, authpriv and cron are excluded)
/var/log/secure   ## authentication and authorization messages (authpriv facility: logins, su, sudo, sshd)
/var/log/maillog  ## mail system messages
/var/log/cron     ## scheduled task (cron) messages
/var/log/boot.log ## system startup messages
Configuration file: /etc/rsyslog.conf
1. Customize log collection path
vim /etc/rsyslog.conf
## rule syntax: facility.level   destination   (the two fields are separated by whitespace)
*.*                 /var/log/westos   ## every facility at every level is written to /var/log/westos
*.*;authpriv.none   /var/log/westos   ## the same, except that authpriv messages are not written there
Facility (log type):
  auth       user authentication messages
  authpriv   privileged authentication and authorization messages (logins, su, sudo, sshd); the content can be sensitive
  cron       scheduled tasks (cron, at)
  kern       kernel messages
  news       network news (USENET) subsystem
  user       user-level processes (the default facility of logger)
Level (severity):
  debug      debugging output from programs
  info       normal operation information
  notice     normal but significant events
  warning    warning conditions
  err        error conditions
  crit       critical conditions, severe enough to stop software from working
  alert      action must be taken immediately
  emerg      system is unusable
  none       collect nothing from this facility
A level in a selector is a threshold: mail.err matches mail messages at err, crit, alert and emerg. *.* matches everything, and a later selector separated by ; overrides an earlier one for the same facility, which is why *.*;authpriv.none means everything except authpriv.
vim /etc/rsyslog.conf             ## add one of the two rules above
> /var/log/westos                 ## truncate the file so that only new entries are visible
cat /var/log/westos
systemctl restart rsyslog.service ## the rule takes effect only after the service is restarted
## now log in to this host over ssh from another machine, then:
cat /var/log/westos               ## view the log
1) With *.* every facility and level, including the ssh login, is written to /var/log/westos.
2) With *.*;authpriv.none everything except authpriv is written to /var/log/westos. On Red Hat systems sshd and the PAM stack log to authpriv, so the login still appears in /var/log/secure but not in /var/log/westos.
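How a selector such as *.*;authpriv.none decides where a message goes, as an added Python example (not part of the page or of rsyslog): it parses the stock Red Hat rules behind the files listed under "Log storage" together with the custom /var/log/westos rule, and reports which destinations a message of a given facility and level reaches. The rule text is constructed for the example; the classic grammar (facility.level, * wildcards, comma-separated facilities, none, =level for an exact level) is implemented, the ! modifier and rsyslog's property-based filters are not.

```python
"""Evaluate rsyslog/syslog.conf selectors against (facility, severity) pairs.

Added example, not part of the original page or of rsyslog. Implements the
classic selector grammar: facility.level, '*' wildcards, comma-separated
facility lists, 'none' and '=level'. The '!' modifier is not covered.
"""

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]
SEVERITY_NUM = {"emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
                "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7}

# Rules as written in a Red Hat style /etc/rsyslog.conf: the stock rules for the
# files listed on the page plus the custom /var/log/westos rule. Constructed.
SAMPLE_RULES = """
# facility.level                               destination
*.info;mail.none;authpriv.none;cron.none       /var/log/messages
authpriv.*                                     /var/log/secure
mail.*                                         -/var/log/maillog
cron.*                                         /var/log/cron
*.emerg                                        :omusrmsg:*
local7.*                                       /var/log/boot.log
*.*;authpriv.none                              /var/log/westos
"""


def parse_selector(selector):
    """Return {facility: ("max", n) | ("eq", n) | None}.

    Selectors in a ';' list are applied left to right and a later one
    overrides an earlier one for the same facility, so '*.*;authpriv.none'
    ends up as 'every facility up to debug, but nothing from authpriv'."""
    table = {}
    for part in selector.split(";"):
        fac_part, level = part.rsplit(".", 1)
        facilities = list(FACILITIES) if fac_part == "*" else fac_part.split(",")
        if level == "none":
            spec = None                                  # drop this facility
        elif level == "*":
            spec = ("max", SEVERITY_NUM["debug"])        # every level
        elif level.startswith("="):
            spec = ("eq", SEVERITY_NUM[level[1:]])       # exactly this level
        else:
            spec = ("max", SEVERITY_NUM[level])          # this level and more severe
        for f in facilities:
            if f not in FACILITIES:
                raise ValueError(f"unknown facility {f!r}")
            table[f] = spec
    return table


def parse_rules(config_text):
    """[(selector table, action)] for every non-comment line of a config."""
    rules = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        rules.append((parse_selector(selector), action.strip()))
    return rules


def selector_matches(table, facility, severity):
    spec = table.get(facility)
    if spec is None:
        return False
    kind, n = spec
    sev = SEVERITY_NUM[severity]
    return sev == n if kind == "eq" else sev <= n   # lower number = more severe


def route(rules, facility, severity):
    """Destinations a message of this facility/severity is written to, in config order."""
    return [action for table, action in rules if selector_matches(table, facility, severity)]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for fac, sev in [("authpriv", "info"), ("user", "debug"), ("kern", "err"), ("user", "emerg")]:
        print(f"{fac}.{sev:<7} -> {route(rules, fac, sev)}")
```

Run it and the reason for authpriv.none becomes visible: with the stock rules an authpriv message reaches /var/log/secure and nothing else, so a custom catch-all that omits authpriv.none would copy login and sudo activity into a second, possibly world-readable file.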
2. Remote synchronization of logs
westoshost139: 172.25.254.139   ## log receiver; every host's logs are collected here
westoshost239: 172.25.254.239   ## log sender; forwards its logs to westoshost139
On westoshost139, configure rsyslog to accept logs from the network:
vim /etc/rsyslog.conf
module(load="imudp")            ## load the UDP input module
input(type="imudp" port="514")  ## listen on 514/udp
systemctl restart rsyslog.service   ## restart the service
systemctl disable --now firewalld   ## lab shortcut only: on a real host open 514/udp from the sender's address instead
netstat -antlupe | grep rsyslog     ## confirm rsyslogd is bound to udp port 514
> /var/log/messages                 ## truncate the log
cat /var/log/messages
On westoshost239, configure rsyslog to forward its logs to westoshost139:
vim /etc/rsyslog.conf
*.*  @172.25.254.139            ## forward every message to the receiver over UDP
systemctl restart rsyslog.service
> /var/log/messages             ## truncate the log
logger test                     ## write a test message (facility user, level notice)
logger hahah
Both messages now appear in /var/log/messages on westoshost139 as well as locally.
Note:
@                ## forward over UDP: no delivery guarantee, and the receiver has only the (spoofable) source address to tell where a message came from
@@               ## forward over TCP: reliable delivery, but still plaintext unless TLS is configured
@172.25.254.139  ## forward the local log to 172.25.254.139 over UDP
3. How to change the log collection format
1) Define log collection format
$template WESTOS_FORMAT,"%FROMHOST-IP% %timegenerated% %FROMHOST-IP% %syslogtag% %msg%\n"
## WESTOS_FORMAT    name of the template
## %FROMHOST-IP%    IP address the message was received from (taken from the socket, not from the message text)
## %timegenerated%  time at which rsyslog received the message
## %syslogtag%      tag of the program that generated it, e.g. sshd[2575]:
## %msg%            message text
## \n               newline
2) Set log collection format
*.*;authpriv.none    /var/log/westos;WESTOS_FORMAT            ## apply the template to this file only (the name after ; must match the $template name exactly)
module(load="builtin:omfile" Template="WESTOS_FORMAT")      ## or make WESTOS_FORMAT the default template for every file output; this line goes before the rules it should apply to
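What travels over the wire when westoshost239 forwards with @172.25.254.139, and what the template then turns it into, as an added Python example (not from the page, from rsyslog or from logger). It builds the BSD syslog datagram that logger test would send (PRI = facility * 8 + level), delivers it over UDP to a loopback receiver bound to an OS-chosen port instead of 514 so that it runs without root or a second host, parses it into rsyslog property names, and renders it with WESTOS_FORMAT. Hostnames, tag and message are constructed; the parser covers only the classic RFC 3164 line format.

```python
"""Forward a message over UDP as rsyslog's '@host' action (or `logger`) does,
receive it as imudp would, and render it with the page's template.

Added example, not part of the original page, rsyslog or util-linux logger.
Hostnames, tag and message are constructed; the receiver is a UDP socket on
127.0.0.1 with an OS-chosen port instead of 514. rsyslog property names
(FROMHOST-IP, timegenerated, syslogtag, msg, HOSTNAME) are the real ones.
"""
import re
import socket
from datetime import datetime

FACILITY_NUM = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
                "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
                **{f"local{i}": 16 + i for i in range(8)}}
SEVERITY_NUM = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
                "notice": 5, "info": 6, "debug": 7}
FACILITY_NAME = {v: k for k, v in FACILITY_NUM.items()}
SEVERITY_NAME = {v: k for k, v in SEVERITY_NUM.items()}

# the page's template, written as it appears in rsyslog.conf ("\n" is literal there)
WESTOS_FORMAT = "%FROMHOST-IP% %timegenerated% %FROMHOST-IP% %syslogtag% %msg%\\n"


def syslog_timestamp(when):
    """RFC 3164 timestamp: 'Oct 24 18:20:05', day of month padded with a space."""
    return f"{when:%b} {when.day:2d} {when:%H:%M:%S}"


def build_datagram(facility, severity, hostname, tag, msg, when):
    """<PRI>TIMESTAMP HOSTNAME TAG: MSG with PRI = facility * 8 + severity."""
    pri = FACILITY_NUM[facility] * 8 + SEVERITY_NUM[severity]
    return f"<{pri}>{syslog_timestamp(when)} {hostname} {tag}: {msg}".encode()


_LINE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+): ?(.*)$", re.S)


def parse_datagram(data, src_ip, received_at):
    """Split a received line into rsyslog-style properties.

    Everything inside the datagram (hostname, tag, timestamp) is whatever the
    sender chose to put there; FROMHOST-IP and timegenerated are supplied by
    the receiving side, which is why the page's template uses them."""
    m = _LINE.match(data.decode("utf-8", errors="replace"))
    if not m:
        raise ValueError("not an RFC 3164 syslog line")
    pri = int(m.group(1))
    facility, severity = divmod(pri, 8)
    return {
        "pri": pri,
        "syslogfacility-text": FACILITY_NAME.get(facility, str(facility)),
        "syslogseverity-text": SEVERITY_NAME[severity],
        "timereported": m.group(2),       # timestamp claimed by the sender
        "HOSTNAME": m.group(3),           # hostname claimed by the sender
        "syslogtag": m.group(4) + ":",    # rsyslog keeps the colon in syslogtag
        "msg": m.group(5),
        "FROMHOST-IP": src_ip,            # peer address seen by the socket
        "timegenerated": syslog_timestamp(received_at),
    }


def render_template(template, props):
    """Expand %property% references as a legacy $template does."""
    def lookup(m):
        name = m.group(1)
        if name not in props:
            raise KeyError(f"unknown property %{name}%")
        return str(props[name])
    return re.sub(r"%([A-Za-z0-9-]+)%", lookup, template).replace("\\n", "\n")


def udp_roundtrip(datagram):
    """Send one datagram to a loopback receiver; return (data, source ip)."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind(("127.0.0.1", 0))         # imudp would bind port 514
        rx.settimeout(2)
        tx.sendto(datagram, rx.getsockname())
        data, (src_ip, _port) = rx.recvfrom(65535)
    finally:
        tx.close()
        rx.close()
    return data, src_ip


def forward_and_render(facility, severity, hostname, tag, msg, sent_at, received_at, template=WESTOS_FORMAT):
    """The whole path: sender builds the line, UDP carries it, receiver formats it."""
    data, src_ip = udp_roundtrip(build_datagram(facility, severity, hostname, tag, msg, sent_at))
    return render_template(template, parse_datagram(data, src_ip, received_at))


if __name__ == "__main__":
    now = datetime.now()
    # what `logger test` on westoshost239 looks like once westoshost139 has applied the template
    print(forward_and_render("user", "notice", "westoshost239", "root", "test", now, now), end="")
```

The hostname and timestamp inside the datagram are whatever the sender wrote, so the template records the network-level FROMHOST-IP rather than the claimed name. A UDP source address can itself be spoofed, which is the reason to prefer @@ (TCP), and TLS on top of it, for anything the logs will be used to investigate.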