Introduction to logs
Logs
- Record historical events: time, place, actor, event
- Log level: the criticality of the event (loglevel)
System logging services
syslogd
- CentOS 5 and earlier versions
- syslogd: records logs from system applications
- klogd: records logs from the Linux kernel
rsyslog features
- CentOS 6 and CentOS 7
- Multithreaded
- Supports UDP, TCP, SSL, TLS, RELP
- Can write logs to MySQL, PGSQL, Oracle for log storage
- Powerful filters that can match on any part of a log message
- Customizable output format
ELK: Elasticsearch, Logstash, Kibana
- Non-relational distributed database
- Based on Lucene, a project of the Apache Software Foundation's Jakarta project group
- Elasticsearch is an open-source distributed search engine
- Logstash collects and parses logs and stores them for later use
- Kibana provides a user-friendly web interface for log analysis
Introduction to rsyslog
Terminology
facility
- Facility: classifies logs by function or program
- Built-in types: auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, security, user, uucp, local0-local7, syslog
- Documentation: man logger
priority
Priority levels, ordered from low to high: debug, info, notice, warn(warning), err(error), crit(critical), alert, emerg(panic)
Documentation: man 3 syslog
rsyslog components
- Package: rsyslog
- Main program: /usr/sbin/rsyslogd
- CentOS 6: service rsyslog {start|stop|restart|status}
- CentOS 7: systemctl {start|stop|restart|status} rsyslog.service
- Configuration files: /etc/rsyslog.conf, /etc/rsyslog.d/*.conf
- Library files: /lib64/rsyslog/*.so
rsyslog configuration file format: three sections
- MODULES: module configuration
- GLOBAL DIRECTIVES: global settings
- RULES: rules for what gets logged and where
RULES configuration
- Format: facility.priority; facility.priority… target
facility
- *: all facilities
- facility1,facility2,facility3,....: the listed facilities
priority
- *: all levels
- none: no level (nothing from this facility)
- priority: messages of this level and higher
- =priority: messages of exactly this level
target
- Log file: write to the specified file, normally under /var/log; a "-" before the file path means asynchronous writing
- User: notify the specified user(s); * means all users
- Log server: @host, send the logs to the specified remote server
- Pipe: | COMMAND, forward to another command for processing
Enabling the network logging service
Common log format
- Date and time the event occurred - host - process(pid): event content
- Logs are usually stored in /var/log/messages, /var/log/cron, /var/log/secure, etc.
Sep 16 09:38:38 mariadb systemd: Started System Logging Service.
Configuring rsyslog as a log server
- Load the imudp or imtcp module
- Open TCP or UDP port 514 (both can be opened at the same time)
#### MODULES ####
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
Other logs
- /var/log/secure: system security (authentication) log, text format; should be analysed periodically
- /var/log/btmp: failed login attempts on this system; binary format; view with the lastb command
- /var/log/wtmp: successful user logins on this system; binary format; view with the last command
- /var/log/lastlog: each user's most recent login; binary format; view with the lastlog command; a user who has never logged in shows "Never logged in"
- /var/log/dmesg: messages from the boot process, text format; view with the dmesg command
- /var/log/messages: most of the system's messages
- /var/log/anaconda: logs of the anaconda installer
Log management with journalctl (CentOS 7)
- Systemd centrally manages the logs of all units. The benefit is that a single command, journalctl, can view all logs (kernel and application)
- Configuration file: /etc/systemd/journald.conf
journalctl usage
- journalctl: view all logs (by default only the logs of the current boot are kept)
- journalctl -k: view kernel logs (application logs are not shown)
- journalctl -b: view logs from the current boot
- journalctl -b -0: view logs from the current boot
- journalctl -b -1: view logs from the previous boot (requires a configuration change)
- journalctl -n: show the latest 10 lines
- journalctl -n 20: show the given number of trailing lines
- journalctl -f: follow the newest log entries in real time
- journalctl --since: view logs from the specified time
journalctl --since="2017-10-30 18:10:30"
journalctl --since "20 min ago"
journalctl --since yesterday
journalctl --since "2017-01-10" --until "2017-01-11 03:00"
journalctl --since 09:00 --until "1 hour ago"
- journalctl /PATH/TO/SERVER: view logs of the specified program (given by its executable path)
journalctl /usr/lib/systemd/systemd
- journalctl _PID=#: view logs of the specified process
journalctl _PID=1
- journalctl /PATH/TO/SH: view logs of scripts run from the given path
journalctl /usr/bin/bash
- journalctl _UID=#: view logs of the specified user
journalctl _UID=33 --since today
- journalctl -u APP.UNIT: view logs of a unit
journalctl -u nginx.service
journalctl -u nginx.service --since today
- journalctl -u APP.UNIT -f: follow the newest logs of a unit in real time
journalctl -u nginx.service -f
- journalctl -u APP1.UNIT -u APP2.UNIT: show the logs of several units merged
journalctl -u nginx.service -u php-fpm.service --since today
- journalctl --no-pager: output is paged by default; --no-pager switches to normal standard output
- Output a unit's logs in JSON format
journalctl -b -u UNIT -o json: one line per entry
journalctl -b -u UNIT -o json-pretty: multi-line
- journalctl --disk-usage: show the disk space taken by the journal
- journalctl --vacuum-size=#{M|G}: limit the total size of the journal files
- journalctl --vacuum-time=1years: how long journal files are kept
View logs of the given priority (and higher)
- Syntax: journalctl -p PRIORITY -b
- 0: emerg
- 1: alert
- 2: crit
- 3: err
- 4: warning
- 5: notice
- 6: info
- 7: debug
[root@mariadb ~]#journalctl -p err -b
-- Logs begin at Sat 2018-09-01 05:27:12 CST, end at Sun 2018-09-16 10:21:03 CST. --
Sep 01 05:27:13 centos7 kernel: sd 0:0:0:0: [sda] Assuming drive cache: write through
Aug 31 21:27:17 centos7 kernel: piix4_smbus 0000:00:07.3: SMBus Host Controller not enabled!
Sep 11 10:15:34 mariadb.guangxi.com sshd[23117]: error: Received disconnect from 192.168.32.9 port 65
lines 1-4/4 (END)
Experiment: configuring a log server
Configure a log server that collects the logs of other hosts
hostname | ip |
---|---|
logsrv | 192.168.32.71 |
logclient | 192.168.32.72 |
1. Set up the log server on logsrv
- Edit /etc/rsyslog.conf
- Enable TCP or UDP listening, or both; load the corresponding modules
- sed -i 's@#$ModLoad imudp@$ModLoad imudp@' /etc/rsyslog.conf
- sed -i 's@#$ModLoad imtcp@$ModLoad imtcp@' /etc/rsyslog.conf
- sed -i 's@#$UDPServerRun 514@$UDPServerRun 514@' /etc/rsyslog.conf
- sed -i 's@#$InputTCPServerRun 514@$InputTCPServerRun 514@' /etc/rsyslog.conf
[root@logsrv ~]#sed -i 's@#$ModLoad imudp@$ModLoad imudp@' /etc/rsyslog.conf
[root@logsrv ~]#sed -i 's@#$ModLoad imtcp@$ModLoad imtcp@' /etc/rsyslog.conf
[root@logsrv ~]#sed -i 's@#$UDPServerRun 514@$UDPServerRun 514@' /etc/rsyslog.conf
[root@logsrv ~]#sed -i 's@#$InputTCPServerRun 514@$InputTCPServerRun 514@' /etg.conf
[root@logsrv ~]#sed -n '14,21p' /etc/rsyslog.conf
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
- Restart the rsyslog service and check the listening ports
- systemctl restart rsyslog
- ss -ntlu |grep 514
[root@logsrv ~]#systemctl restart rsyslog
[root@logsrv ~]#ss -ntlu |grep 514
udp UNCONN 0 0 *:514 *:*
udp UNCONN 0 0 :::514 :::*
tcp LISTEN 0 25 *:514 *:*
tcp LISTEN 0 25 :::514 :::*
[root@logsrv ~]#
2. Configure logclient
- Edit rsyslog.conf so that the logs point to logsrv
- Only the target of the relevant rules needs to change
*.info;mail.none;authpriv.none;cron.none @192.168.32.71
- Restart the rsyslog service
[root@logclient ~]#systemctl restart rsyslog
- Install a package as a test, then check the logs
- logclient has no local log entry for it
[root@logclient ~]#yum -y -q install lrzsz
[root@logclient ~]#tail /var/log/messages
Sep 16 10:49:18 7node02 systemd-logind: New session 20 of user root.
Sep 16 10:49:18 7node02 systemd: Starting Session 20 of user root.
Sep 16 10:49:59 7node02 systemd-logind: Removed session 20.
Sep 16 10:50:00 7node02 systemd: Started Session 21 of user root.
Sep 16 10:50:00 7node02 systemd-logind: New session 21 of user root.
Sep 16 10:50:00 7node02 systemd: Starting Session 21 of user root.
Sep 16 10:51:19 7node02 chronyd[666]: Selected source 120.25.115.19
Sep 16 10:51:19 7node02 chronyd[666]: System clock wrong by 2.820143 seconds, adjustment started
Sep 16 11:01:01 7node02 systemd: Started Session 22 of user root.
Sep 16 11:01:01 7node02 systemd: Starting Session 22 of user root.
3. Check the logs on the server
- The server has received the log entries
[root@logsrv ~]#tail /var/log/messages
Sep 16 11:06:03 logsrv systemd: Started Session 14 of user root.
Sep 16 11:06:03 logsrv systemd-logind: New session 14 of user root.
Sep 16 11:06:03 logsrv systemd: Starting Session 14 of user root.
Sep 16 11:06:03 logsrv systemd-logind: Removed session 14.
Sep 16 11:07:29 logclient systemd: Stopping System Logging Service...
Sep 16 11:07:29 logclient rsyslogd: [origin software="rsyslogd" swVersion="8.24.0" x-pid="992" x-info="http://www.rsyslog.com"] exiting on signal 15.
Sep 16 11:07:29 logclient systemd: Starting System Logging Service...
Sep 16 11:07:29 logclient rsyslogd: [origin software="rsyslogd" swVersion="8.24.0" x-pid="24944" x-info="http://www.rsyslog.com"] start
Sep 16 11:07:29 logclient systemd: Started System Logging Service.
Sep 16 11:08:06 logclient yum[24948]: Installed: lrzsz-0.12.20-36.el7.x86_64
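As an added example (not part of the original notes), this Python parses lines in the /var/log/messages format described earlier ("date time host process[pid]: message") and groups them by reporting host, which is how the check in step 3 above can be automated: a forwarded host name appearing in the server's file proves that forwarding works. The sample lines are taken from the output above plus one constructed malformed line; the function names are this example's own.

```python
# Added example: parse the traditional syslog file format
#   "MMM DD HH:MM:SS host process[pid]: message"
# and count entries per reporting host, so that entries forwarded from
# logclient can be told apart from the server's own.
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Sample input: three lines from the server's /var/log/messages shown above,
# plus one constructed line that is not in syslog format.
SAMPLE = """\
Sep 16 11:06:03 logsrv systemd: Started Session 14 of user root.
Sep 16 11:07:29 logclient rsyslogd: [origin software="rsyslogd" swVersion="8.24.0" x-pid="992" x-info="http://www.rsyslog.com"] exiting on signal 15.
Sep 16 11:08:06 logclient yum[24948]: Installed: lrzsz-0.12.20-36.el7.x86_64
this line is not syslog format
"""


def parse_line(line):
    """Return a dict of fields for one syslog line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None   # pid is optional
    return rec


def events_by_host(text):
    """Count well-formed entries per reporting host; malformed lines are skipped."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[rec["host"]] += 1
    return counts


def remote_hosts(text, local_host):
    """Hosts other than the server itself that appear in the file (evidence of forwarding)."""
    return sorted(h for h in events_by_host(text) if h != local_host)
```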
Experiment: storing rsyslog records in MySQL
- Store the log data in MySQL
- Dependency package: rsyslog-mysql
- Configure the web-based log management tool loganalyzer
- Requires an HTTP service
hostname | ip |
---|---|
logsrv | 192.168.32.71 |
logclient | 192.168.32.72 |
mariadb | 192.168.32.73 |
1. Configure the log server (logsrv)
1.1 To collect logs from other hosts, open the listening ports
[root@logsrv ~]#sed -n '14,21p' /etc/rsyslog.conf
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
1.2 Install rsyslog-mysql and the mysql client
[root@logsrv ~]#yum -y install rsyslog-mysql mysql
[root@logsrv ~]#rpm -ql rsyslog-mysql
/usr/lib64/rsyslog/ommysql.so
/usr/share/doc/rsyslog-8.24.0/mysql-createDB.sql
1.3 Look at the SQL shipped with rsyslog-mysql
- Database name: Syslog
- Tables: SystemEvents, SystemEventsProperties
[root@logsrv ~]#tail -n 40 /usr/share/doc/rsyslog-8.24.0/mysql-createDB.sql
CREATE DATABASE Syslog;
USE Syslog;
CREATE TABLE SystemEvents
(
ID int unsigned not null auto_increment primary key,
CustomerID bigint,
ReceivedAt datetime NULL,
DeviceReportedTime datetime NULL,
Facility smallint NULL,
Priority smallint NULL,
FromHost varchar(60) NULL,
Message text,
NTSeverity int NULL,
Importance int NULL,
EventSource varchar(60),
EventUser varchar(60) NULL,
EventCategory int NULL,
EventID int NULL,
EventBinaryData text NULL,
MaxAvailable int NULL,
CurrUsage int NULL,
MinUsage int NULL,
MaxUsage int NULL,
InfoUnitID int NULL ,
SysLogTag varchar(60),
EventLogType varchar(60),
GenericFileName VarChar(60),
SystemID int NULL
);
CREATE TABLE SystemEventsProperties
(
ID int unsigned not null auto_increment primary key,
SystemEventID int NULL ,
ParamName varchar(255) NULL ,
ParamValue text NULL
);
[root@logsrv ~]#
2. Prepare the database server
2.1 Install mariadb
- CentOS 6: mysql-server
- CentOS 7: mariadb-server
[root@mariadb ~]#yum -y install mariadb-server
[root@mariadb ~]#systemctl start mariadb
[root@mariadb ~]#ss -ntl |grep :3306
LISTEN 0 50 *:3306 *:*
2.2 Edit the configuration file
- vi /etc/my.cnf
- innodb_file_per_table=yes
- skip_name_resolve=yes
[root@mariadb ~]#vi /etc/my.cnf
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
innodb_file_per_table=yes
skip_name_resolve=yes
[root@mariadb ~]#systemctl restart mariadb
2.3 Change the database root password
- The default password is empty
- Account: root, password: 123456
[root@mariadb ~]#mysqladmin -uroot -p -h127.0.0.1 password 123456
Enter password:
[root@mariadb ~]#mysql -uroot -p123456
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 5.5.56-MariaDB MariaDB Server
Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
2.4 Grant privileges on the Syslog log database in advance and create the corresponding user
- GRANT ALL ON Syslog.* TO 'syslog'@'192.168.32.%' IDENTIFIED BY '123456';
MariaDB [(none)]> GRANT ALL ON Syslog.* TO 'syslog'@'192.168.32.%' IDENTIFIED BY '123456';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]>
- Test logging in to the database as the syslog user
[root@mariadb ~]#mysql -usyslog -p123456 -h192.168.32.73
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 5.5.56-MariaDB MariaDB Server
Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
3. Connect the log server to the database
3.1 Import the SQL
[root@logsrv ~]#rpm -ql rsyslog-mysql
/usr/lib64/rsyslog/ommysql.so
/usr/share/doc/rsyslog-8.24.0/mysql-createDB.sql
[root@logsrv ~]#mysql -usyslog -h192.168.32.73 -p < /usr/share/doc/rsyslog-8.24.0/mysql-createDB.sql
Enter password:
[root@logsrv ~]#
3.2 Confirm that the database and tables were created
- SHOW DATABASES;
- SHOW TABLES;
- SELECT COUNT(*) FROM SystemEvents;
MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database |
+--------------------+
| information_schema |
| Syslog |
| test |
+--------------------+
3 rows in set (0.00 sec)
MariaDB [(none)]> use Syslog
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [Syslog]> SHOW TABLES;
+------------------------+
| Tables_in_Syslog |
+------------------------+
| SystemEvents |
| SystemEventsProperties |
+------------------------+
2 rows in set (0.00 sec)
MariaDB [Syslog]> SELECT COUNT(*) FROM SystemEvents;
+----------+
| COUNT(*) |
+----------+
| 0 |
+----------+
1 row in set (0.00 sec)
MariaDB [Syslog]>
3.3 Edit /etc/rsyslog.conf
- rsyslog-mysql uses the ommysql library
[root@logsrv ~]#rpm -ql rsyslog-mysql
/usr/lib64/rsyslog/ommysql.so
- Point the logs that should be stored in the database at the mysql server, as required
- $ModLoad ommysql
- facility.priority :ommysql:DBHOST,DBNAME,DBUSER,PASSWORD
#### MODULES ####
$ModLoad ommysql
#### RULES ####
*.info;mail.none;authpriv.none;cron.none :ommysql:192.168.32.73,Syslog,syslog,123456
3.4 Restart the service and test the configuration
- The row count in the database increases
- systemctl restart rsyslog
- mysql -usyslog -p123456 -h192.168.32.73
- SELECT COUNT(*) FROM SystemEvents;
[root@logsrv ~]#systemctl restart rsyslog
[root@logsrv ~]#yum -y install samba
[root@logsrv ~]#mysql -usyslog -p123456 -h192.168.32.73
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 5.5.56-MariaDB MariaDB Server
Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> use Syslog
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [Syslog]> SELECT COUNT(*) FROM SystemEvents;
+----------+
| COUNT(*) |
+----------+
| 21 |
+----------+
1 row in set (0.00 sec)
MariaDB [Syslog]>
4. Configure loganalyzer to display the logs on the web
4.1 Configure the httpd service on the log server
- loganalyzer is written in PHP
- php-mysql is used to connect to the database
- php-gd renders the statistics charts on the web pages; without it the bar charts cannot be displayed
[root@logsrv ~]#yum -y install httpd php php-mysql php-gd
[root@logsrv ~]#systemctl start httpd
[root@logsrv ~]#ss -ntl |grep :80
LISTEN 0 128 :::80 :::*
4.2 Install LogAnalyzer
- Unpack
[root@logsrv data]#tar xf loganalyzer-4.1.6.tar.gz
- Copy the loganalyzer site into httpd's document root
- Create the configuration file and set its permissions
- Restart the httpd service
[root@logsrv data]#cp -ar loganalyzer-4.1.6/src /var/www/html/loganalyzer
[root@logsrv data]#cd /var/www/html/loganalyzer/
[root@logsrv loganalyzer]#touch config.php
[root@logsrv loganalyzer]#chmod 666 config.php
[root@logsrv loganalyzer]#systemctl restart httpd
- Configure loganalyzer (directly in a web browser)
- The text-mode browser is used here only so the process can be recorded
- Step 1: choose Next
[root@logsrv loganalyzer]#links 192.168.32.71/loganalyzer
LogAnalyzer :: Installer Step 1
Show Events
Installing LogAnalyzer Version 4.1.6 - Step 1
Step 1 - Prerequisites
Before you start installing LogAnalyzer, the Installer setup has to check a
few things first.
You may have to correct some file permissions first.
Click on [ Next ] to start the Test!
Install Progress: Installer Step 1 [ Next ]
Made by Adiscon GmbH Adiscon LogAnalyzer Partners: Rsyslog |
(2008-2016) Version 4.1.6 WinSyslog
- Step 2: choose Next
LogAnalyzer :: Installer Step 2
Show Events
Installing LogAnalyzer Version 4.1.6 - Step 2
Step 2 - Verify File Permissions
The following file permissions have been checked. Verify the results below!
You may use the configure.sh script from the contrib folder to set the
permissions for you.
file './config.php' Writeable
Install Progress: Installer Step 2 [ Next ]
- Step 3: change the parameters you want, then Next
Step 3 - Basic Configuration
In this step, you configure the basic configurations for LogAnalyzer.
Frontend Options
Number of syslog messages per page: 50
Message character limit for the main view: 80
Character display limit for all string type fields: 30
Show message details popup: [X] Yes [ ] No
Automatically resolved IP Addresses (inline): [X] Yes [ ] No
User Database Options
Enable User Database: [ ] Yes [X] No
A MYSQL database Server is required for this feature. Other database engines are not supported for the User Database System. However for logsources, there is support for other database systems.
Database Host: localhost
Database Port: 3306
Database Name: loganalyzer
Table prefix: logcon
Database User: user
Database Password:
Require user to be logged in: [ ] Yes [X] No
Authentication method: [Internal authentication]
LDAP Authentication Options
LDAP Server Hostname/IP: localhost
LDAP Port, default 389 (636 for SSL): 389
Base DN for LDAP Search: CN=Users,DC=domain,DC=local
Basic Search filter: (objectClass=user)
LDAP Username attribute: sAMAccountName
Privilegied user used to LDAP queries: N=Searchuser,CN=Users,DC=domain,DC=local
Password of the privilegied user: ********
Default administrative LDAP Username: Administrator
Install Progress: Installer Step 3 [ Next ]
- Step 4: configure the data source, filling in the database details and the user password. Click Finish on the next page to complete the configuration
- Once configured, log in via the web: links 192.168.32.71/loganalyzer
Step 7 - Create the first source for syslog messages
First Syslog Source
Name of the Source: My Syslog Source
Source Type: [MYSQL Native]
Select View: [Syslog Fields]
Disk Type Options
Logline type: [Syslog / RSyslog]
Syslog file: /var/log/syslog
Database Type Options
Database Storage Engine: [Mysql Server]
Table type: [MonitorWare]
Database Host: 192.168.32.73
Database Name: Syslog
Database Tablename: SystemEvents
Database User: syslog
Database Password: ******
Enable Row Counting: [X] Yes [ ] No