Log Management on a Linux Server

Message severity levels, from most to least urgent
emerg: the system is unusable
alert: action must be taken immediately
crit: critical condition
err: error message
warning: warning message
notice: normal but significant condition
info: informational message
debug: other information that does not describe a condition or a problem
none: no priority level; usually used when troubleshooting
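To make the ordering above concrete, here is an added example (not from the original post) in POSIX sh: it evaluates a syslog.conf/rsyslog selector against a message's facility and priority, showing that a level selects itself plus everything more severe and that "none" drops a facility. The rule string in the demo is the stock CentOS 7 selector that feeds /var/log/messages.

```shell
#!/bin/sh
# Added example, not from the original post: evaluate a syslog.conf/rsyslog
# selector such as "*.info;mail.none;authpriv.none;cron.none" against a
# message's facility and priority. Only "fac.prio", "fac.*" and "fac.none"
# are handled; rsyslog's "=prio" and "!prio" modifiers are not.

# Map a priority name to its number (0 = most severe), per the list above.
prio_num() {
  case "$1" in
    emerg)    echo 0 ;;
    alert)    echo 1 ;;
    crit)     echo 2 ;;
    err)      echo 3 ;;
    warning)  echo 4 ;;
    notice)   echo 5 ;;
    info)     echo 6 ;;
    debug|\*) echo 7 ;;   # "*" selects every priority, i.e. debug and up
    *)        echo 99 ;;  # unknown name: never selected
  esac
}

# selector_matches SELECTOR FACILITY PRIORITY -> prints yes or no
# "fac.prio" selects that priority and everything more severe; "fac.none"
# drops the facility. Terms apply left to right, and a later term for the
# same facility overrides an earlier one, as syslog.conf specifies.
selector_matches() {
  sel=$1; fac=$2; msg_p=$(prio_num "$3")
  answer=no
  set -f                 # no globbing: "*.info" must not expand to file names
  old_ifs=$IFS; IFS=';'
  for term in $sel; do
    t_fac=${term%%.*}; t_prio=${term#*.}
    [ "$t_fac" = "*" ] || [ "$t_fac" = "$fac" ] || continue
    if [ "$t_prio" != none ] && [ "$msg_p" -le "$(prio_num "$t_prio")" ]; then
      answer=yes
    else
      answer=no
    fi
  done
  IFS=$old_ifs; set +f
  echo "$answer"
}

# Demo: the stock CentOS 7 rule for /var/log/messages
rule='*.info;mail.none;authpriv.none;cron.none'
for m in kern.warning daemon.debug mail.err authpriv.notice cron.info; do
  printf '%-16s %s\n' "$m" "$(selector_matches "$rule" "${m%.*}" "${m#*.}")"
done
```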

When something goes wrong, checking the logs helps a lot with troubleshooting, so let's go through the various log files.

# /var/log/messages is not only the server's system log; it is also the log for many services
[root@bogon ~]# tail -n10 /var/log/messages     # show the latest ten log lines
Jun 26 05:21:46 localhost systemd: Starting Network Manager Script Dispatcher Service...
Jun 26 05:21:46 localhost dbus-daemon: dbus[518]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
Jun 26 05:21:46 localhost dhclient[3825]: bound to 192.168.1.107 -- renewal in 2798 seconds.
Jun 26 05:21:46 localhost dbus[518]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Jun 26 05:21:46 localhost dbus-daemon: dbus[518]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Jun 26 05:21:46 localhost systemd: Started Network Manager Script Dispatcher Service.
Jun 26 05:21:46 localhost nm-dispatcher: req:1 'dhcp4-change' [ens33]: new request (5 scripts)
Jun 26 05:21:46 localhost nm-dispatcher: req:1 'dhcp4-change' [ens33]: start running ordered scripts...
Jun 26 05:30:01 localhost systemd: Started Session 60 of user root.
Jun 26 05:30:01 localhost systemd: Starting Session 60 of user root.
[root@bogon ~]# 
# Sometimes we need to watch a log in real time
tail -f /var/log/messages     # this command keeps refreshing and printing the log file
Output omitted.

# view the system security log: ssh, telnet, ftp, etc.
[root@bogon ~]# tail -n5 /var/log/secure 
Jun 26 04:53:28 localhost polkitd[564]: Registered Authentication Agent for unix-process:9638:2696360 (system bus name :1.231 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jun 26 04:53:29 localhost polkitd[564]: Unregistered Authentication Agent for unix-process:9638:2696360 (system bus name :1.231, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Jun 26 05:38:08 localhost gdm-password]: gkr-pam: unlocked login keyring
Jun 26 05:38:31 localhost polkitd[564]: Registered Authentication Agent for unix-process:12161:2966633 (system bus name :1.246 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jun 26 05:38:33 localhost polkitd[564]: Unregistered Authentication Agent for unix-process:12161:2966633 (system bus name :1.246, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
# What is all that? I can't make sense of it, so let me look directly at the ssh-related entries; I always connect to and control CentOS 7 over ssh
[root@bogon ~]# cat /var/log/secure |grep ssh
Jun 25 15:32:33 bogon sshd[1032]: Server listening on 0.0.0.0 port 22.
Jun 25 15:32:33 bogon sshd[1032]: Server listening on :: port 22.
Jun 25 18:31:12 bogon sshd[947]: Server listening on 0.0.0.0 port 22.
Jun 25 18:31:12 bogon sshd[947]: Server listening on :: port 22.
Jun 25 18:36:49 bogon sshd[11299]: Connection closed by 192.168.1.100 [preauth]
Jun 25 18:38:26 bogon sshd[11318]: Address 192.168.1.100 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!   # See? I logged in from the .100 IP
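As an added example (not part of the original post), a small POSIX sh script that takes the grep one step further: it tallies sshd authentication failures per source address so a repeated offender stands out. The log lines it reads are constructed for the demo, not from a real host; the helper names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: summarise sshd failures in a
# /var/log/secure-style file by source address. Sample lines are constructed.

# Write a few constructed /var/log/secure lines to a temp file; prints its path.
make_sample_log() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
Jun 25 18:36:49 bogon sshd[11299]: Connection closed by 192.168.1.100 [preauth]
Jun 25 18:38:26 bogon sshd[11318]: Address 192.168.1.100 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jun 25 19:01:02 bogon sshd[11400]: Failed password for root from 192.168.1.50 port 52144 ssh2
Jun 25 19:01:05 bogon sshd[11400]: Failed password for root from 192.168.1.50 port 52144 ssh2
Jun 25 19:01:09 bogon sshd[11402]: Invalid user admin from 192.168.1.50 port 52150
Jun 25 19:02:00 bogon sshd[11410]: Accepted password for bp from 192.168.1.100 port 52200 ssh2
EOF
  echo "$f"
}

# ssh_failures_by_ip FILE -> "count ip" per source address, most frequent first.
# Counts failed passwords, invalid user names and reverse-DNS mismatches (the
# POSSIBLE BREAK-IN ATTEMPT line above); successful logins and plain preauth
# disconnects are not counted. Note -E: with -e the "|" would be a literal bar.
ssh_failures_by_ip() {
  grep -E 'sshd\[[0-9]+\]: (Failed password|Invalid user|.*POSSIBLE BREAK-IN ATTEMPT)' "$1" |
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' |   # pull the IPv4 address out of each line
    sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# repeat_offenders FILE THRESHOLD -> addresses with at least THRESHOLD failures
repeat_offenders() {
  ssh_failures_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Demo
log=$(make_sample_log)
echo "failures by source:"; ssh_failures_by_ip "$log"
echo "3 or more failures:"; repeat_offenders "$log" 3
rm -f "$log"
```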

# /var/log/wtmp records data about who has logged in. It is a binary file, so cat shows garbage; remember which command views a binary file? (answer: xxd)
# That being so, we need to read this file the way the system intends, with last
[root@bogon ~]# last
root     pts/1        192.168.1.100    Sun Jun 25 22:00   still logged in   
root     pts/0        :0               Sun Jun 25 21:25   still logged in   
root     :0           :0               Sun Jun 25 21:24   still logged in   
(unknown :0           :0               Sun Jun 25 21:24 - 21:24  (00:00)    
reboot   system boot  3.10.0-514.el7.x Sun Jun 25 21:24 - 05:49  (08:25)    
root     pts/1        192.168.190.1    Sun Jun 25 20:36 - 21:19  (00:42)    
root     pts/1        :0               Sun Jun 25 20:09 - 20:09  (00:00)    
root     pts/1        192.168.1.100    Sun Jun 25 20:05 - 20:07  (00:01)    
root     pts/1        192.168.1.100    Sun Jun 25 19:21 - 20:04  (00:42)    
root     pts/1        192.168.1.100    Sun Jun 25 19:10 - 19:10  (00:00)    
root     pts/1        192.168.1.100    Sun Jun 25 19:09 - 19:09  (00:00)    
bp       pts/1        192.168.1.100    Sun Jun 25 19:08 - 19:09  (00:00)    
root     pts/1        192.168.1.100    Sun Jun 25 18:38 - 18:38  (00:00)    
root     pts/0        :0               Sun Jun 25 18:32 - 21:23  (02:50)    
root     :0           :0               Sun Jun 25 18:32 - 21:23  (02:51)    
(unknown :0           :0               Sun Jun 25 18:31 - 18:32  (00:01)    
reboot   system boot  3.10.0-514.el7.x Sun Jun 25 18:30 - 05:49  (11:19)    
root     :0           :0               Sun Jun 25 08:54 - 08:58  (00:03)    
(unknown :0           :0               Sun Jun 25 08:41 - 08:54  (00:13)    
reboot   system boot  3.10.0-514.el7.x Sun Jun 25 15:32 - 05:49  (14:17)    

wtmp begins Sun Jun 25 15:32:02 2017
[root@bogon ~]# 


# show when each user last logged in to the system
[root@bogon ~]# lastlog|grep -E 'root|bp'      # check these two accounts
root             pts/1    192.168.1.100    Sun Jun 25 22:00:07 -0700 2017
bp               pts/1    192.168.1.100    Sun Jun 25 19:08:40 -0700 2017
[root@bogon ~]# lastlog|grep -e 'bp|root'
[root@bogon ~]# lastlog|grep -E 'bp|root'      # see? -e and -E are different; I used -e by mistake here at first
root             pts/1    192.168.1.100    Sun Jun 25 22:00:07 -0700 2017
bp               pts/1    192.168.1.100    Sun Jun 25 19:08:40 -0700 2017
[root@bogon ~]# lastlog|grep -E 'bp | root'    # can you spot the mistake here?            there is an extra space before root, so the match looks for root preceded by a space, while root in the file starts at the first column, so of course it is not found
bp               pts/1    192.168.1.100    Sun Jun 25 19:08:40 -0700 2017
[root@bogon ~]# 


# The server's mail log is /var/log/messages; the iptables (firewall) log is also there

# view system boot messages
[root@bogon rsyslog.d]# dmesg|head -10      # if the boot process reported hardware damage, use dmesg|grep erro to look for it
[    0.000000] Initializing cgroup subsys cpuset
[    0.000000] Initializing cgroup subsys cpu
[    0.000000] Initializing cgroup subsys cpuacct
[    0.000000] Linux version 3.10.0-514.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC) ) #1 SMP Tue Nov 22 16:42:41 UTC 2016
[    0.000000] Command line: BOOT_IMAGE=/vmlinuz-3.10.0-514.el7.x86_64 root=UUID=d46a9d1b-4fff-4097-ad89-09b482daa766 ro crashkernel=auto rhgb quiet LANG=en_US.UTF-8
[    0.000000] Disabled fast string operations
[    0.000000] e820: BIOS-provided physical RAM map:
[    0.000000] BIOS-e820: [mem 0x0000000000000000-0x000000000009ebff] usable
[    0.000000] BIOS-e820: [mem 0x000000000009ec00-0x000000000009ffff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000000dc000-0x00000000000fffff] reserved

# cron log
[root@bogon rsyslog.d]# head -10 /var/log/cron 
Jun 25 15:32:34 bogon crond[1048]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 17% if used.)
Jun 25 07:33:11 bogon crond[1048]: (CRON) INFO (running with inotify support)
Jun 25 07:40:02 bogon CROND[10035]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Jun 25 07:50:01 bogon CROND[10126]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Jun 25 08:00:01 bogon CROND[10215]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Jun 25 08:01:01 bogon CROND[10230]: (root) CMD (run-parts /etc/cron.hourly)
Jun 25 08:01:01 bogon run-parts(/etc/cron.hourly)[10230]: starting 0anacron
Jun 25 08:01:01 bogon anacron[10240]: Anacron started on 2017-06-25
Jun 25 08:01:01 bogon run-parts(/etc/cron.hourly)[10242]: finished 0anacron
Jun 25 08:01:01 bogon anacron[10240]: Will run job `cron.daily' in 28 min.
[root@bogon rsyslog.d]# 


Original article: https://www.cnblogs.com/biaopei/p/7730548.html