Log file management

Log file

Log function

Logs record the various events that occur while the system and its programs run.
Reading the logs helps to diagnose and resolve system failures.

Classification of log files

Kernel and system logs: managed uniformly by the system service rsyslog; the log format is basically the same across them.
User logs: record system user login and logout information.
Program logs: log files managed independently by each application; the record format is not uniform.

Log save location

Default location: the /var/log directory

Introduction to main log files


Some common log files:

Kernel and public message log:
/var/log/messages: records Linux kernel messages and public log information from various applications, including startup, I/O errors, network errors, program failures, etc. For applications or services that do not use a separate log file, related event records can generally be obtained from this file.
Scheduled task log:
/var/log/cron: records event information generated by crond scheduled tasks.
System boot log:
/var/log/dmesg: records event information of the Linux system during the boot process.
Mail system log:
/var/log/maillog: records e-mail activity entering or leaving the system.
User login logs:
/var/log/secure: records security event information related to user authentication.
/var/log/lastlog: records the latest login event of each user. Binary format.
/var/log/wtmp: records each user login and logout, and system startup and shutdown events. Binary format.
/var/run/btmp: records failed and erroneous login attempts and authentication events. Binary format.


Unified management by the system service rsyslog

Package: rsyslog-7.4.7-16.el7.x86_64
Main program: /sbin/rsyslogd
Configuration file: /etc/rsyslog.conf
vim /etc/rsyslog.conf    # view the rsyslog.conf configuration file

A typical rule in that file:
*.info;mail.none;authpriv.none;cron.none    /var/log/messages

*.info      # all messages of level info and above, from every facility, are written to the corresponding log file
mail.none   # messages of the named facility (here mail) are not written to this file

Priority levels of Linux system kernel log messages (the smaller the number, the higher the priority and the more important the message)

Level  Keyword  Meaning        Description
0      EMERG    emergency      The host system will become unavailable.
1      ALERT    alert          Problems that must be resolved immediately.
2      CRIT     critical       A serious situation.
3      ERR      error          An error occurred during operation.
4      WARNING  warning        Important events that may affect system functions; the user needs to be reminded.
5      NOTICE   notice         Events that do not affect normal functions but require attention.
6      INFO     informational  General information.
7      DEBUG    debug          Program or system debugging information.
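The selector rule quoted above and the level table decide together whether a message reaches /var/log/messages. The following shell script is an added example, not code from the original post or from rsyslog: it models the plain "facility.priority" selector syntax offline (a keyword means that level and above, "none" excludes a facility, later parts override earlier ones) so the effect of a rule can be checked without a running syslog daemon. The keyword aliases panic/warn/error and the function names are this example's own choices; rsyslog's "=" and "!" modifiers are not modelled.

```shell
#!/bin/sh
# Added example: offline evaluation of syslog/rsyslog selector lines.
# A selector is a list of "facility.priority" parts separated by ';'.
# "*" as facility means every facility, "none" as priority excludes a facility,
# and a named priority means "that level and above" (lower number = more important).
# Later parts override earlier ones for the facilities they name, which is why
# "*.info;mail.none" sends everything at info or above except mail.
# Only the plain selector syntax is modelled; rsyslog's "=" and "!" modifiers are not.

# prio_num KEYWORD -> prints the level number 0..7, or returns 1 for an unknown keyword
prio_num() {
  case "$1" in
    emerg|panic)  echo 0 ;;
    alert)        echo 1 ;;
    crit)         echo 2 ;;
    err|error)    echo 3 ;;
    warning|warn) echo 4 ;;
    notice)       echo 5 ;;
    info)         echo 6 ;;
    debug)        echo 7 ;;
    *)            return 1 ;;
  esac
}

# selector_matches SELECTOR FACILITY.PRIORITY
# Returns 0 if a message with that facility and priority would be written by the rule,
# 1 if the rule drops it, 2 if the message priority keyword is unknown.
selector_matches() {
  sel=$1
  mfac=${2%.*}
  mpri=${2#*.}
  mnum=$(prio_num "$mpri") || return 2
  result=1
  rest=$sel
  while [ -n "$rest" ]; do
    # split off the next ';'-separated part
    case "$rest" in
      *";"*) part=${rest%%\;*}; rest=${rest#*\;} ;;
      *)     part=$rest;        rest= ;;
    esac
    pfac=${part%.*}
    ppri=${part#*.}
    # parts for other facilities do not affect this message
    if [ "$pfac" != "*" ] && [ "$pfac" != "$mfac" ]; then
      continue
    fi
    if [ "$ppri" = none ]; then
      result=1
    elif [ "$ppri" = "*" ]; then
      result=0
    else
      pnum=$(prio_num "$ppri") || continue
      if [ "$mnum" -le "$pnum" ]; then result=0; else result=1; fi
    fi
  done
  return "$result"
}

# Stand-alone demonstration using the rule quoted from /etc/rsyslog.conf above
rule='*.info;mail.none;authpriv.none;cron.none'
for m in kern.warning daemon.info daemon.debug mail.crit cron.err; do
  if selector_matches "$rule" "$m"; then
    echo "$m -> /var/log/messages"
  else
    echo "$m -> not written by this rule"
  fi
done
```

Running it shows that kern.warning and daemon.info land in /var/log/messages, daemon.debug is below the info threshold, and mail.crit and cron.err are excluded by the "none" parts even though their level is high enough.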

General format of log records

Jun  3 13:26:35 localhost vmusr[2439]: [critical] [GLib-GObject] g_object_new
Fields, left to right: time stamp, host name, subsystem name (the program, with its PID in brackets), message field
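To work with these fields in a script they have to be split out of the line. The function below is an added example (not from the original post) that parses one line of this format with awk into timestamp, host, program, PID and message; it assumes the layout shown above, where the tag is "program[pid]:" or just "program:" and everything after it is the message. The helper names are this example's own.

```shell
#!/bin/sh
# Added example: split one syslog-format line into its fields.
# Input layout (as in the line above): "Mon DD HH:MM:SS host program[pid]: message"
# Output: one line "timestamp|host|program|pid|message"; pid is empty when the tag has none.
parse_syslog_line() {
  printf '%s\n' "$1" | awk '{
    ts = $1 " " $2 " " $3          # month, day and time (the double space before a one-digit day is collapsed)
    host = $4
    tag = $5
    sub(/:$/, "", tag)             # drop the colon that ends the tag
    pid = ""
    if (match(tag, /\[[0-9]+\]$/)) {   # "program[pid]" -> program and pid
      pid = substr(tag, RSTART + 1, RLENGTH - 2)
      tag = substr(tag, 1, RSTART - 1)
    }
    msg = ""
    for (i = 6; i <= NF; i++) msg = msg (i > 6 ? " " : "") $i
    print ts "|" host "|" tag "|" pid "|" msg
  }'
}

# syslog_field LINE N -> field N of the parsed line (1 timestamp, 2 host, 3 program, 4 pid, 5 message)
syslog_field() {
  if [ "$2" -eq 5 ]; then
    parse_syslog_line "$1" | cut -d'|' -f5-
  else
    parse_syslog_line "$1" | cut -d'|' -f"$2"
  fi
}

# Stand-alone demonstration on the sample record quoted above plus a tag without a PID
for line in \
  'Jun  3 13:26:35 localhost vmusr[2439]: [critical] [GLib-GObject] g_object_new' \
  'Jun  3 13:27:01 localhost systemd: Started Session 5 of user root.'
do
  echo "program=$(syslog_field "$line" 3) pid=$(syslog_field "$line" 4) message=$(syslog_field "$line" 5)"
done
```

The first sample yields program vmusr with PID 2439; the second has no PID, so that field stays empty, which is the case to handle before grouping records by program.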

Where user login and logout information is saved

/var/log/lastlog: recent user login events
/var/log/wtmp: user login and logout events, and system startup and shutdown events
/var/run/utmp: detailed information on each user currently logged in
/var/log/secure: security events related to user authentication

Analysis tools
users, who, w, last, lastb
The last command queries the records of users who successfully logged in to the system.
The lastb command queries the records of failed login attempts.

Independently managed by the corresponding application

Web service: /var/log/httpd/
access_log    # records client access events
error_log     # records error events

Proxy service: /var/log/squid/
access.log, cache.log

Analysis tools
Text viewing, grep filtering and retrieval, viewing through the Webmin management suite
awk, sed and other text filtering and formatting tools
Webalizer, AWStats and other dedicated log analysis tools
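Both the login-analysis section above (last, lastb, /var/log/secure) and the grep/awk tools listed here come down to counting events per field in a plain-text log. The script below is an added example, not code from the original post: it runs grep and awk over constructed /var/log/secure and access_log lines (documentation addresses, made up for the example) to summarise failed SSH password attempts per source address, flag sources over a threshold, and count 4xx responses per web client. The function names and the threshold are this example's own choices; lastb itself reads the binary btmp file and is not reimplemented here.

```shell
#!/bin/sh
# Added example: grep/awk analysis of two plain-text logs named on this page.
# Both samples below are constructed for the example; the addresses are documentation ranges.

# Constructed /var/log/secure lines (sshd and sudo records)
SECURE_SAMPLE='Jun  3 13:26:35 localhost sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 41022 ssh2
Jun  3 13:26:37 localhost sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 41022 ssh2
Jun  3 13:26:40 localhost sshd[2103]: Failed password for root from 198.51.100.23 port 41030 ssh2
Jun  3 13:27:02 localhost sshd[2105]: Accepted publickey for deploy from 192.0.2.10 port 50112 ssh2
Jun  3 13:27:15 localhost sshd[2107]: Failed password for root from 203.0.113.7 port 39000 ssh2
Jun  3 13:28:00 localhost sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart httpd'

# Constructed /var/log/httpd/access_log lines (combined log format)
ACCESS_SAMPLE='192.0.2.10 - - [03/Jun/2021:13:30:01 +0800] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Jun/2021:13:30:05 +0800] "GET /admin/ HTTP/1.1" 404 209 "-" "curl/7.64.1"
198.51.100.23 - - [03/Jun/2021:13:30:06 +0800] "GET /old/ HTTP/1.1" 404 209 "-" "curl/7.64.1"
198.51.100.23 - - [03/Jun/2021:13:30:07 +0800] "GET /config.bak HTTP/1.1" 403 199 "-" "curl/7.64.1"
192.0.2.10 - - [03/Jun/2021:13:31:00 +0800] "POST /api/login HTTP/1.1" 200 87 "-" "Mozilla/5.0"'

# failed_logins_by_source LOG_TEXT -> "count source" per client address, most frequent first.
# The position of "from" varies ("invalid user X from" vs "root from"), so awk scans for it.
failed_logins_by_source() {
  printf '%s\n' "$1" \
    | grep 'sshd\[[0-9]*\]: Failed password' \
    | awk '{ for (i = 1; i < NF; i++) if ($i == "from") n[$(i + 1)]++ }
           END { for (s in n) print n[s], s }' \
    | sort -rn
}

# flag_sources LOG_TEXT THRESHOLD -> addresses with at least THRESHOLD failed passwords
flag_sources() {
  failed_logins_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# client_errors_by_client ACCESS_TEXT -> "count client" for 4xx responses, most frequent first.
# In the combined format the status code is field 9 (the bracketed date occupies fields 4 and 5).
client_errors_by_client() {
  printf '%s\n' "$1" \
    | awk '$9 ~ /^4[0-9][0-9]$/ { n[$1]++ } END { for (c in n) print n[c], c }' \
    | sort -rn
}

# Stand-alone demonstration
echo "Failed SSH passwords per source:"
failed_logins_by_source "$SECURE_SAMPLE"
echo "Sources at or above 3 failures:"
flag_sources "$SECURE_SAMPLE" 3
echo "4xx responses per client:"
client_errors_by_client "$ACCESS_SAMPLE"
```

On the sample, 198.51.100.23 accounts for three failed passwords and all three 4xx responses, so it is the one address the threshold flags; the same two-stage shape (filter with grep or an awk pattern, then count with an associative array) applies to any of the text logs listed on this page.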

Log management strategy

Make timely backups and archives

Extend the log retention period

Control log access

  • Logs may contain various sensitive information, such as accounts, passwords, etc.

Centralized management of logs

  • Send each server's log files to a central log server
  • Makes unified collection, sorting and analysis of log information easier
  • Prevents accidental loss, malicious tampering or deletion of log information
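The backup, retention and access-control points above can be put into practice with a small script. The following is an added example, not code from the original post: it archives a log file as a timestamped gzip copy, restricts the archive directory and files to the owner and group, records a SHA-256 digest so later modification of the archive can be detected, and prunes archives older than a retention window. The archive location, permission modes and the 30-day window are choices made for this example; it runs in a temporary directory with one constructed log line.

```shell
#!/bin/sh
# Added example: archive a log file with restricted permissions and a recorded hash,
# verify it later, and prune archives older than a retention window.
# Paths, permission modes and the retention period are choices made for this example.

# archive_log SRC ARCHIVE_DIR -> prints the path of the new gzip archive
archive_log() {
  src=$1
  dir=$2
  stamp=$(date -u +%Y%m%d%H%M%S)
  mkdir -p "$dir"
  chmod 750 "$dir"                       # only the owner and group can enter the archive directory
  out="$dir/$(basename "$src").$stamp.gz"
  gzip -c "$src" > "$out"
  chmod 640 "$out"                       # readable by the log group, not by everyone
  sha256sum "$out" | awk '{ print $1 }' > "$out.sha256"   # record the digest for tamper checks
  chmod 640 "$out.sha256"
  printf '%s\n' "$out"
}

# verify_archive ARCHIVE -> 0 if the archive still matches its recorded digest, 1 otherwise
verify_archive() {
  [ "$(sha256sum "$1" | awk '{ print $1 }')" = "$(cat "$1.sha256")" ]
}

# prune_archives ARCHIVE_DIR DAYS -> delete archives (and their digest files) older than DAYS days
prune_archives() {
  find "$1" -type f -name '*.gz' -mtime +"$2" -exec sh -c 'rm -f "$1" "$1.sha256"' sh {} \;
}

# Stand-alone demonstration in a temporary directory with one constructed log line
demo_dir=$(mktemp -d)
printf 'Jun  3 13:26:35 localhost sshd[2101]: Failed password for root from 203.0.113.7 port 39000 ssh2\n' > "$demo_dir/secure"
archive=$(archive_log "$demo_dir/secure" "$demo_dir/archive")
if verify_archive "$archive"; then echo "archived and verified: $archive"; fi
printf 'tampered\n' >> "$archive"
if ! verify_archive "$archive"; then echo "modification detected: $archive"; fi
prune_archives "$demo_dir/archive" 30    # nothing is older than 30 days yet, so nothing is removed
rm -rf "$demo_dir"
```

The digest file sits next to the archive, so it protects against accidental corruption and casual edits; to also withstand an attacker who controls the host, the digests (or the archives themselves) belong on the separate log server the centralised-management point above describes.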

Origin blog.csdn.net/Jun____________/article/details/113688567