linux系統日誌

Linux 系統日誌

/var/log/messages

核心系統日誌文件，包含了系統啓動時的引導消息，以及系統運行時的其餘狀態消息。I/O錯誤、網絡錯誤和其餘系統錯誤都會記錄到這個文件中。
故障診斷時首先要查看的文件

守護進程：rsyslogd 這個進程關閉後，就不產生/var/log/messages日誌
經過logrotate工具的控制來實現日誌切割每星期切割一次
logrotate工具配置文件：/etc/logrotate.conf

[root@jinkai rsync]# cat /etc/logrotate.conf
.# see "man logrotate" for details
.# rotate log files weekly
weekly

.# keep 4 weeks worth of backlogs
rotate 4

.# create new (empty) log files after rotating old ones
create

.# use date as a suffix of the rotated file
dateext

.# uncomment this if you want your log files compressed
#compress

.# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

.# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
minsize 1M
rotate 1
}

/var/log/btmp {
missingok
monthly
create 0600 root utmp
rotate 1
}

.# system-specific logs may be also be configured here.
[root@jinkai rsync]#

dmesg命令

顯示系統啓動的信息，若是你的硬件有故障，這個命令能夠查看

[root@jinkai rsync]# dmesg | head -5
[ 0.000000] Initializing cgroup subsys cpuset
[ 0.000000] Initializing cgroup subsys cpu
[ 0.000000] Initializing cgroup subsys cpuacct
[ 0.000000] Linux version 3.10.0-957.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC) ) #1 SMP Thu Nov 8 23:39:32 UTC 2018
[ 0.000000] Command line: BOOT_IMAGE=/vmlinuz-3.10.0-957.el7.x86_64 root=/dev/mapper/centos-root ro crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet LANG=zh_CN.UTF-8
[root@jinkai rsync]#

安全日誌

last命令查看登陸linux的歷史信息（讀取的是/var/log/wtmp）

[root@jinkai rsync]# last |head -5
root pts/0 192.168.111.1 Tue Sep 1 12:28 still logged in
root pts/0 192.168.111.1 Mon Aug 31 21:41 - 10:45 (13:03)
reboot system boot 3.10.0-957.el7.x Mon Aug 31 21:41 - 23:45 (1+02:03)
root pts/0 192.168.111.1 Mon Aug 31 21:35 - 21:36 (00:00)
reboot system boot 3.10.0-957.el7.x Mon Aug 31 21:35 - 23:45 (1+02:09)
從左至右依次爲帳戶名稱、登陸終端、登陸客戶端IP、登陸日期及時長

lastb

查看登陸失敗的日誌信息，調用文件/var/log/btmp

[root@jinkai rsync]# lastb
root ssh:notty 192.168.111.137 Tue Sep 1 23:51 - 23:51 (00:00)
root ssh:notty 192.168.111.137 Tue Sep 1 23:51 - 23:51 (00:00)

btmp begins Tue Sep 1 23:51:24 2020

/var/log/secure

登陸系統成功或者失敗時，相關的信息都會記錄在這個日誌裏

[root@jinkai rsync]# head -5 /var/log/secure
Aug 30 22:08:04 jinkai groupadd[7798]: group added to /etc/group: name=tcpdump, GID=72
Aug 30 22:08:04 jinkai groupadd[7798]: group added to /etc/gshadow: name=tcpdump
Aug 30 22:08:04 jinkai groupadd[7798]: new group: name=tcpdump, GID=72
Aug 30 22:08:04 jinkai useradd[7803]: new user: name=tcpdump, UID=72, GID=72, home=/, shell=/sbin/nologin
Aug 30 22:11:11 jinkai sshd[7843]: Connection closed by 192.168.111.1 port 61342 [preauth]

screen 工具介紹

screen是一個能夠在多個進程之間多路複用一個物理終端的窗口管理器

用戶能夠在一個screen會話中建立多個screen窗口，在每個screen窗口中就像操做一個真實的SSH鏈接窗口同樣

安裝包

yum install -y screen

新建一個screen終端
screen
在終端運行腳本或命令後
切換回正常模式
先按ctrl+a鍵，按完後再按d鍵（只是退出，並無結束，結束screen會話要按Ctrl+D鍵或者輸入exit）
查看screen的id
screen -ls

[root@jinkai rsync]# screen -ls
There are screens on:
10889.pts-0.jinkai (Detached)
10874.pts-0.jinkai (Detached)
2 Sockets in /var/run/screen/S-root.

返回其中一個screen
格式：screen -r ID號
[root@jinkai rsync]# screen -r 10889

新建一個別名screen，方便尋找所須要的screen
screen -S jinkai

[root@jinkai rsync]# screen -S jinkai
[detached from 10908.jinkai]
[root@jinkai rsync]# screen -ls
There are screens on:
10908.jinkai (Detached)
10889.pts-0.jinkai (Detached)
10874.pts-0.jinkai (Detached)
3 Sockets in /var/run/screen/S-root.

[root@jinkai rsync]# screen -r jinkai
[detached from 10908.jinkai

nohup

運行腳本sh時，只在當前終端顯示生效，一旦斷開終端也就是ssh，那麼腳本就會失效；
那麼能夠使用nohup 掉到後臺執行sh腳本，斷開終端也能執行；
格式：
nohup sh 腳本目錄 &

nohup sh /usr/local/sbin/sleep.sh &