10.34 Linux system logs   10.35 The screen tool

Linux system logs

Contents:
• /var/log/messages
• /etc/logrotate.conf, the log rotation configuration file
  Reference: http://www.javashuo.com/article/p-tauwscem-r.html
• The dmesg command
• The /var/log/dmesg log
• The last command, which reads /var/log/wtmp
• The lastb command, which shows failed logins; the corresponding file is /var/log/btmp
• /var/log/secure and /var/log/messages. /var/log/messages is the general system log (syslog) and the first file to look at when diagnosing a fault. The system rotates it: once a week the current file is renamed to something like messages-20170930 and kept under /var/log/.

Why does the system rotate logs at all? Because Linux has a service, logrotate, whose job is to keep the system logs from growing without bound.


Hands-on:

/etc/logrotate.conf, the log rotation configuration file

[root@linux-128 ~]# cat /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly                            \\ rotate once a week

# keep 4 weeks worth of backlogs
rotate 4                            \\ keep 4 rotated copies, i.e. one month

# create new (empty) log files after rotating old ones
create				\\ create a new, empty log file after rotating

# use date as a suffix of the rotated file
dateext				\\ use the date as the suffix of the rotated file (messages-20170930)

# uncomment this if you want your log files compressed
#compress        		\\ whether to gzip rotated logs (.gz)

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d            \\ also read every file under /etc/logrotate.d

# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
    minsize 1M
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
}

# system-specific logs may be also be configured here.

Now let's look at /etc/logrotate.d, which the configuration file above includes:

[root@linux-128 ~]# ls /etc/logrotate.d
chrony  ppp  syslog  wpa_supplicant  yum

Look at the syslog file under /etc/logrotate.d/:

[root@linux-128 ~]# cat /etc/logrotate.d/syslog
/var/log/cron    
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
    missingok
    sharedscripts
    postrotate
	/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

The service that writes /var/log/messages is syslogd (on CentOS 7 that is rsyslogd, which still writes its pid to /var/run/syslogd.pid). /bin/kill -HUP does not restart it: SIGHUP tells the daemon to reopen its log files. This step is required after rotation, because the daemon still holds an open file descriptor to the old file; without the signal it keeps writing into messages-20170930 and the freshly created /var/log/messages stays empty. sharedscripts means the postrotate script runs once for the whole group of files rather than once per file.
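The whole mechanism can be exercised without touching /var/log. The script below is an added example, not code from the original post: it builds a throwaway log and a stanza that uses the same directives as the page's configuration (create, dateext, sharedscripts/postrotate) inside a private temporary directory, dry-runs it with logrotate -d, then forces a rotation with logrotate -f and checks what came out. The temp directory, the app.log name and its single line of content are constructed for the demo, and the postrotate body writes a marker file in place of the real kill -HUP.

```shell
#!/bin/sh
# Added example, not from the original post: rotate a throwaway log with
# logrotate inside a private temp directory, using the same directives the
# page's /etc/logrotate.conf and /etc/logrotate.d/syslog use. The sandbox
# path, "app.log" and its content are constructed for the demo.
set -u

# Build the sandbox: a 0700 temp dir (logrotate refuses group/world-writable
# parent directories), a fake log, our own config and our own state file.
make_sandbox() {
    SANDBOX=$(mktemp -d) || return 1
    printf 'Apr  4 13:01:02 linux-128 sshd[2801]: Failed password for root from 203.0.113.7 port 51234 ssh2\n' \
        > "$SANDBOX/app.log"
    # "create" is given a mode only (no owner:group) so the demo also works
    # as an unprivileged user. The postrotate body stands in for the page's
    # kill -HUP: it records that the "reopen your files" step actually ran.
    cat > "$SANDBOX/app.conf" <<EOF
$SANDBOX/app.log {
    weekly
    rotate 4
    dateext
    compress
    delaycompress
    missingok
    notifempty
    create 0600
    sharedscripts
    postrotate
        echo reopen >> $SANDBOX/postrotate.ran
    endscript
}
EOF
    chmod 0644 "$SANDBOX/app.conf"
}

# Dry run: -d reports what would be done and changes nothing. This is the
# check to run on any new stanza before cron runs it for real.
dry_run() {
    logrotate -d -s "$SANDBOX/state" "$SANDBOX/app.conf" 2>&1
}

# Forced run: -f rotates now even though "weekly" is not yet due. Afterwards
# we expect an empty app.log (create), exactly one app.log-YYYYMMDD (dateext;
# not gzipped yet because of delaycompress) and the postrotate marker.
force_rotate() {
    logrotate -f -s "$SANDBOX/state" "$SANDBOX/app.conf" || return 1
    [ -f "$SANDBOX/app.log" ] && [ ! -s "$SANDBOX/app.log" ] || return 1
    set -- "$SANDBOX"/app.log-*
    [ "$#" -eq 1 ] && [ -f "$1" ] || return 1
    [ "$(cat "$SANDBOX/postrotate.ran")" = "reopen" ] || return 1
}

# Whole demo: sandbox, dry run, forced rotation, then list the result.
rotate_demo() {
    make_sandbox || return 1
    dry_run >/dev/null || return 1
    force_rotate || return 1
    ls -l "$SANDBOX"
}

if command -v logrotate >/dev/null 2>&1; then
    rotate_demo
else
    echo "logrotate is not installed; skipping the demo" >&2
fi
```

The -s flag matters: without it logrotate reads and updates the system-wide state file, so a test run against a private config would still leave a trace in /var/lib/logrotate. Running the stanza twice with -f also shows why delaycompress exists: only the second run gzips the file from the first, so a daemon that has not yet reopened its descriptor never has its live file compressed underneath it.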


The dmesg command

  • Prints the kernel ring buffer, i.e. the messages produced from boot onwards; if a piece of hardware such as the network card has a problem, this is where it shows up.

  • dmesg -c prints the buffer and then clears it.


Security logs

The last command

  • last shows the history of successful logins. It reads /var/log/wtmp, a binary file that cannot be read with cat, more, less, head or tail.

  • lastb shows the history of failed logins. It reads /var/log/btmp.

/var/log/secure is also a login-related log. It records both successful and failed logins, so a brute-force attempt, for example, is visible there.

[root@linux-128 ~]# tail -5  /var/log/secure
Apr  4 12:51:13 linux-128 polkitd[545]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Apr  4 12:51:34 linux-128 sshd[1333]: Server listening on 0.0.0.0 port 22.
Apr  4 12:51:34 linux-128 sshd[1333]: Server listening on :: port 22.
Apr  4 12:52:56 linux-128 sshd[2737]: Accepted publickey for root from 192.168.88.1 port 49461 ssh2: RSA 96:50:9f:6b:eb:62:48:cf:ef:f2:51:6f:bc:03:9e:72
Apr  4 12:52:56 linux-128 sshd[2737]: pam_unix(sshd:session): session opened for user root by (uid=0)

Experiment: on machine A run tail -f /var/log/secure to watch the file live; from machine B connect to A with
ssh root@192.168.88.128 and enter a wrong password. The failed attempt shows up on A.
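The failures produced by that experiment can be turned into a detection. The script below is an added example, not code from the original post. Its ten log lines are constructed (the PIDs and the 203.0.113.7 address are made up) and follow the /var/log/secure format shown above. It counts failed passwords per source address, flags the addresses over a threshold, lists the usernames the attacker guessed, and reports the case that actually matters: an accepted login from an address that had already failed several times. Point the functions at the real file with failed_by_ip /var/log/secure.

```shell
#!/bin/sh
# Added example, not from the original post: brute-force detection over
# /var/log/secure-style sshd lines. The sample below is constructed for the
# demo; replace "$SAMPLE" with /var/log/secure on a real host.
set -u

SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Apr  4 12:52:56 linux-128 sshd[2737]: Accepted publickey for root from 192.168.88.1 port 49461 ssh2: RSA 96:50:9f:6b:eb:62:48:cf:ef:f2:51:6f:bc:03:9e:72
Apr  4 12:52:56 linux-128 sshd[2737]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr  4 13:01:02 linux-128 sshd[2801]: Failed password for root from 203.0.113.7 port 51234 ssh2
Apr  4 13:01:05 linux-128 sshd[2801]: Failed password for root from 203.0.113.7 port 51234 ssh2
Apr  4 13:01:09 linux-128 sshd[2803]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Apr  4 13:01:12 linux-128 sshd[2805]: Failed password for invalid user oracle from 203.0.113.7 port 51244 ssh2
Apr  4 13:01:15 linux-128 sshd[2807]: Failed password for root from 203.0.113.7 port 51250 ssh2
Apr  4 13:02:30 linux-128 sshd[2811]: Failed password for root from 192.168.88.1 port 49470 ssh2
Apr  4 13:02:40 linux-128 sshd[2811]: Accepted password for root from 192.168.88.1 port 49470 ssh2
Apr  4 13:05:00 linux-128 sshd[2820]: Accepted password for root from 203.0.113.7 port 51260 ssh2
EOF

# Failed password attempts per source address, busiest first.
# The address is the token after "from"; positional fields are not used
# because "invalid user X" shifts them.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Addresses with at least $2 failures: the brute-force candidates.
brute_force_sources() {
    failed_by_ip "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

# Distinct non-existent usernames tried: shows the attacker's wordlist.
invalid_users() {
    awk '/Failed password for invalid user/ {
            for (i = 1; i <= NF; i++) if ($i == "user") { print $(i+1); break }
         }' "$1" | sort -u
}

# The line that matters: an accepted login from an address that had already
# failed at least $2 times before it. Prints "ip user failures".
success_after_failures() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i+1)
                if ($i == "from") ip = $(i+1)
            }
            if (fails[ip] >= min) print ip, user, fails[ip]
        }' "$1"
}

echo "== failures per source =="; failed_by_ip "$SAMPLE"
echo "== sources over threshold 3 =="; brute_force_sources "$SAMPLE" 3
echo "== usernames guessed =="; invalid_users "$SAMPLE"
echo "== success after >=3 failures (ip user failures) =="; success_after_failures "$SAMPLE" 3
```

lastb reads the same failures from /var/log/btmp, but /var/log/secure keeps the source address and the attempted username, which is what the functions above key on. Both files are rotated by the configuration shown earlier, so for anything older than a week the same script has to be run over /var/log/secure-YYYYMMDD as well.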


The screen command

Contents:
• Used to keep a task from being interrupted unexpectedly (for example when the SSH session drops)
• nohup command &
• screen is a virtual terminal
• yum install -y screen
• Running screen and pressing Enter puts you in a virtual terminal
• Ctrl+a followed by d detaches from the virtual terminal without ending it
• screen -ls lists the virtual terminals
• screen -r id reattaches to the terminal with that id
• screen -S aming   # create a session named aming
• screen -r aming   # reattach by name
• screen -wipe aming  # clean up a dead session from the socket directory


Hands-on:

[root@linux-128 ~]# screen
[detached from 2863.pts-0.linux-128]
[1]+  Done                  nohup sleep 100
[root@linux-128 ~]# screen -ls
There is a screen on:
	2863.pts-0.linux-128	(Detached)
1 Socket in /var/run/screen/S-root.

[root@linux-128 ~]# screen
[detached from 2882.pts-0.linux-128]
[root@linux-128 ~]# screen -ls
There are screens on:
	2882.pts-0.linux-128	(Detached)
	2863.pts-0.linux-128	(Detached)
2 Sockets in /var/run/screen/S-root.

[root@linux-128 ~]# screen -r 2882
[detached from 2882.pts-0.linux-128]

[root@linux-128 ~]# screen -S "wuzhou"
[detached from 2917.wuzhou]
[root@linux-128 ~]# screen -ls
There are screens on:
	2917.wuzhou	(Detached)
	2900.pts-0.linux-128	(Detached)
	2882.pts-0.linux-128	(Detached)
	2863.pts-0.linux-128	(Detached)
4 Sockets in /var/run/screen/S-root.

[root@linux-128 ~]# screen -r wuzhou
[detached from 2917.wuzhou]

To close a particular screen, reattach to it first, then press Ctrl+d or type exit.
