🏡博客主页: Passerby_Wang的博客_CSDN博客-系统运维,云计算,Linux基础领域博主
🌐所属专栏:『Linux基础』
🌌上期文章: Linux基础-网络配置
📰如觉得博主文章写的不错或对你有所帮助的话,还望大家多多支持呀! 关注、点赞、收藏、评论。
目录
日志:用于记录系统操作事件的文件,可以理解为系统和程序的“日记本”,记录系统、程序运行中发生的各种事件。可以通过查看日志,了解及排除故障,也是信息安全控制的依据。
内核及系统日志由系统服务rsyslog统一记录,rsyslog是linux系统中用来实现日志功能的服务。默认已经安装,并且自动启用。主要用于采集日志。日志消息采用文本格式,主要记录事件发生的时间、主机、进程、内容等信息。
| 日志文件 | 主要用途 |
| /var/log/messages | 记录内核消息、各种服务的公共消息 |
| /var/log/dmesg | 记录系统启动过程的各种消息 |
| /var/log/cron | 记录与cron计划任务相关的消息 |
| /var/log/maillog | 记录邮件收发相关的消息 |
| /var/log/secure | 记录与访问限制相关的安全消息 |
- [root@wangwu ~]# tail /var/log/messages
-
- Sep 8 11:00:01 wangwu systemd: Starting Session 86 of user root.
-
- Sep 8 11:01:01 wangwu systemd: Started Session 87 of user root.
-
- ... ... ...
- [root@wangwu ~]# tailf /var/log/dmesg
-
- [ 11.298470] work still pending
-
- [ 11.791755] RPC: Registered named UNIX socket transport module.
-
- ... ... ...
- [root@wangwu ~]# grep wangwu /var/log/cron
-
- Sep 8 11:12:31 wangwu run-parts(/etc/cron.daily)[23883]: finished mlocate
-
- Sep 8 11:12:31 wangwu anacron[19619]: Job `cron.daily' terminated
- ... ... ...
- [root@wangwu ~]# tail /var/log/maillog
-
- Aug 30 11:30:12 wangwu postfix/pickup[1387]: B4E004185177: uid=0 from=
-
- Aug 30 11:30:14 wangwu postfix/qmgr[1388]: 82D854185177: removed
-
- ... ... ...
-
- (END)
- [root@wangwu ~]# tail /var/log/secure
-
- Sep 8 11:12:57 wangwu unix_chkpwd[24051]: password check failed for user (root)
-
- Sep 8 11:12:57 wangwu gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=root
-
- ... ... ...
用户日志由登录程序负责记录,日志消息采用二进制格式,记录登录用户的时间、来源、执行的命令等信息。
| 日志文件 | 主要用途 |
| /var/log/lastlog | 记录最近的用户登录事件 |
| /var/log/wtmp | 记录成功的用户登录/注销事件 |
| /var/log/btmp | 记录失败的用户登录事件 |
| /var/run/utmp | 记录当前登录的每个用户的相关信息 |
- [root@wangwu ~]# lastlog -u root
-
- Username Port From Latest
-
- root pts/0 192.168.6.168 Thu Sep 8 10:57:54 +0800 2022
-
- ... ... ...
-
- #/var/log/lastlog是二进制文件,需要用lastlog命令查询
- [root@wangwu ~]# last -f /var/log/wtmp
-
- root pts/0 192.168.6.168 Thu Sep 8 10:57 still logged in
-
- root pts/0 192.168.6.168 Wed Aug 31 14:51 - 15:11 (00:19)
-
- ... ... ...
-
- #/var/log/wtmp是二进制文件,需要用last命令查询,-f 指定文件
- [root@wangwu ~]# lastb
-
- zhaoliu :0 :0 Thu Sep 8 11:50 - 11:50 (00:00)
-
- wuba :0 :0 Thu Sep 8 11:50 - 11:50 (00:00)
-
- ... ... ...
-
- #/var/log/btmp是二进制文件,需要用lastb命令查询
- [root@wangwu ~]# who
-
- root pts/0 2022-09-08 10:57 (192.168.6.168)
-
- #/var/log/btmp是二进制文件,需要用who命令查询
tail、tailf、less、grep等文本浏览/检索命令
awk、sed等格式化过滤工具
Webmin系统管理套件
Webalizer、AWStats等日志统计套件
查看已登录的用户信息,详细度不同
实例
- [root@wangwu ~]# users
-
- root
- [root@wangwu ~]# who
-
- root pts/0 2022-09-08 10:57 (192.168.6.168)
- [root@wangwu ~]# w
-
- 13:40:23 up 12:30, 2 users, load average: 0.00, 0.01, 0.05
-
- USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
-
- root pts/0 192.168.6.168 10:57 7.00s 0.29s 0.03s w
查看最近登录成功/失败的用户信息
实例
- [root@wangwu ~]# last -2 #最近两条登入记录
-
- root pts/1 :0 Thu Sep 8 11:47 - 11:47 (00:00)
-
- root pts/0 192.168.154.1 Thu Sep 8 10:57 still logged in
- [root@wangwu ~]# lastb -2 #最近两条登录失败记录
-
- zhaoliu :0 :0 Thu Sep 8 11:50 - 11:50 (00:00)
-
- wuba :0 :0 Thu Sep 8 11:50 - 11:50 (00:00)
分为0~7共8种优先级别,其数值越小,表示对应事件越紧急/重要
| 优先级 | 状态 | 说明 |
| 0 | EMERG(紧急) | 会导致主机系统不可用的情况 |
| 1 | ALERT(警告) | 必须马上采取措施解决的问题 |
| 2 | CRIT(严重) | 比较严重的情况 |
| 3 | ERR(错误) | 运行出现错误 |
| 4 | WARNING(提醒) | 可能会影响系统功能的事件 |
| 5 | NOTICE(注意) | 不会影响系统但值得注意 |
| 6 | INFO(信息) | 一般信息 |
| 7 | DEBUG(调试) | 程序或系统调试信息等 |
- [root@wangwu ~]# man 2 syslog #用man查看帮助,2代表系统调用
-
- ... ... ...
-
- #define KERN_EMERG "<0>" /* system is unusable */
-
- #define KERN_ALERT "<1>" /* action must be taken immediately */
-
- #define KERN_CRIT "<2>" /* critical conditions */
-
- #define KERN_ERR "<3>" /* error conditions */
-
- #define KERN_WARNING "<4>" /* warning conditions */
-
- #define KERN_NOTICE "<5>" /* normal but significant condition */
-
- #define KERN_INFO "<6>" /* informational */
-
- #define KERN_DEBUG "<7>" /* debug-level messages */
-
- ... ... ...
journalctl工具提取由systemd-journal服务搜集的日志,主要包括内核/系统日志、服务日志。日志的配置文件位置:/etc/systemd/journald.conf
Journalct | grep 关键词
Journalct -r 反序输出(从新到旧)
journalctl -k 查看内核日志(不显示应用日志)
Journalctl -u服务名 (查看指定服务的日志信息)
journalctl -n 消息条数(缺省默认10条)
journalctl -f 日志文件 (实时输出最新条目)
- [root@wangwu ~]# systemctl start httpd #启动httpd服务
-
- [root@wangwu ~]# journalctl | grep httpd
-
- Sep 08 14:14:30 wangwu yum[90129]: Installed: httpd-tools-2.4.6-97.el7.centos.5.x86_64
-
- ... ... ...
-
- Sep 08 14:15:44 wangwu httpd[90899]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::e97a:8402:cb2c:8e3e. Set the 'ServerName' directive globally to suppress this message
- [root@wangwu ~]# journalctl -r | grep httpd
-
- Sep 08 14:15:44 wangwu httpd[90899]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::e97a:8402:cb2c:8e3e. Set the 'ServerName' directive globally to suppress this message
- ... ... ...
- Sep 08 14:14:30 wangwu yum[90129]: Installed: httpd-tools-2.4.6-97.el7.centos.5.x86_64
- [root@wangwu ~]# journalctl -k
-
- -- Logs begin at Tue 2022-08-30 11:28:46 CST, end at Thu 2022-09-08 14:30:02 CS
-
- Aug 30 11:28:46 wangwu kernel: Initializing cgroup subsys cpuset
-
- ... ... ...
- [root@wangwu ~]# journalctl -u httpd
-
- -- Logs begin at Tue 2022-08-30 11:28:46 CST, end at Thu 2022-09-08 14:41:37 CS
-
- Sep 08 14:15:28 wangwu systemd[1]: Starting The Apache HTTP Server...
-
- ... ... ...
- [root@wangwu ~]# journalctl -n 2
-
- -- Logs begin at Tue 2022-08-30 11:28:46 CST, end at Thu 2022-09-08 14:30:02 CS
-
- Sep 08 14:30:02 wangwu CROND[95764]: (root) CMD (/usr/lib64/sa/sa1 1 1)
-
- Sep 08 14:30:02 wangwu systemd[1]: Starting Session 111 of user root.
-
- lines 1-3/3 (END)
- [root@wangwu ~]# journalctl -f /usr/lib/systemd/systemd
-
- -- Logs begin at Tue 2022-08-30 11:28:46 CST. --
-
- Sep 08 14:15:28 wangwu systemd[1]: Starting The Apache HTTP Server...
-
- Sep 08 14:15:54 wangwu systemd[1]: Started The Apache HTTP Server.
-
- ... ... ...