Linux日誌管理系統rsyslog
1、日誌的概念php
什麼是日誌?日誌就是歷史事件。歷史事件包括時間、地點、人物、時間。這個是生活中所說的日誌很好理解。在Linux中也有相似的服務,它主要做用就是記錄Linux系統的歷史事件,包括什麼時間什麼服務或者那個進程或者pid發生的一些事件,經過記錄發生的事件,咱們能夠查看日誌來了解在過去的一段時間Linux系統發生了什麼事,從而能夠幫助咱們解決一些問題。html
在Linux系統裏日誌是有級別的,也就是說事件的關鍵程度,好比說有些事件只是警告,須要咱們注意,起個提醒咱們的目的,咱們能夠後面去處理,也能夠不處理,可是有些事件級別比較緊急,它不只僅只是提示咱們的做用,頗有可能這一秒發生了這樣的事件,下一秒Linux系統就掛了,因此在Linux系統裏事件的關鍵性程度很是重要。在centos5以前日誌系統的名稱叫syslog,它主要有兩個服務組成,一個是syslogd(system application )它主要記錄着應用程序的一些日誌,一個是klogd(Linux kernel)它主要記錄着Linux內核的日誌。一般記錄事件的格式是,日期時間 主機 進程[pid] 事件內容。Linux日誌系統不只僅能夠用作本地記錄本機的日誌,它還能夠經過tcp或者udp協議的服務完成日誌的傳送,從而實現幫助其餘主機記錄日誌功能,咱們把這樣的服務器稱爲日誌服務器。node
2、rsyslog介紹python
在centos6和centos7上rsyslog有以下特性mysql
1)多進程linux
2)支持UDP、TCP、SSL、TLS、RELP等協議nginx
3)能夠經過網絡將日誌儲存到Mysql、PGSQL、Oracle等數據庫中管理sql
4)支持強大的過濾器,可實現過濾記錄日誌信息中的任意部分docker
5)支持自定義日誌輸出格式數據庫
rsyslog日誌收集器重要術語
facility:中文翻譯過來是設施的意思,從功能或程序上對日誌分類,在Linux中常見的facility有auth(認證相關的日誌),authpriv(受權相關的日誌),cron(計劃任務相關日誌),daemon(系統服務相關日誌),ftp(ftp服務相關的日誌),kern(內核相關日誌),lpr(打印相關的日誌),mail(郵件相關日誌),news(新聞相關的日誌),security(安全相關的日誌),user(用戶相關的日誌),uucp(文件copy相關的日誌),local0-local7(自定義相關的日誌)
priority:優先級別,從低到高排序debug(調試),info(消息),notice(注意),warn(warning警告),err(error錯誤),crit(critical嚴重警告),alert(須要當即修改的信息)emerg(panic內核崩潰,內核恐慌等嚴重的信息)
程序環境:
程序包:rsyslog
主程序:/usr/sbin/rsyslogd
主配置文件:/etc/rsyslog.conf,/etc/rsyslog.d/*.conf
庫文件:/lib64/rsyslog/*.so
服務腳本:
centos6:service rsyslog {start|stop|restart|status}
centos7:/usr/lib/systemd/system/rsyslog.service
配置文件格式:由三部分組成
MODULES:相關模塊配置
GLOBAL DIRECTIVES:全局配置
RULES:日誌記錄相關的規則設置
RULES配置格式:facility.priority;facility.priority;…… target
facility:
*:全部的facility
facility1,facility2,facility3,…:指定的facility列表
priority:
*:表示全部級別
none:沒有級別
priority:此級別以及高於此級別的全部級別
=priority:僅此級別
target:
文件路徑:一般在/var/log/,文件路前的「-」表示異步寫入
用戶:將日誌事件通知給指定用戶,是經過將信息發送給登陸到系統上的用戶的終端進行顯示;*表示登陸的全部用戶
日誌服務器:@host,把日誌送往指定的遠程服務器記錄;host:表示日誌服務器的地址,默認監聽在tcp或者udp協議的514端口以提供服務
管道:|command,轉發給其餘命令處理
其餘日誌:
/var/log/wtmp:當前系統成功登陸系統的日誌 須要使用last命令查看
/var/log/btmp:當前系統嘗試登陸系統失敗的日誌 須要使用lastb命令查看
/var/log/dmesg:系統引導過程當中的日誌信息; 也可以使用dmesg命令進行查看
lastlog:顯示當前系統上的全部用戶最近一次登陸系統的時間
3、實驗將sshd的日誌分離到/var/log/sshd.log
sshd是遠程登陸Linux系統的一個服務,默認工做在22端口,一般狀況下它的日誌是記錄在/var/log/secure 文件中,在以前咱們不知道它爲何要記錄在這個文件中,咱們學習了rsyslog後,就明白了。
首先咱們來看看sshd的配置文件
[root@test ~]#grep "log" /etc/ssh/sshd_config #SyslogFacility AUTH SyslogFacility AUTHPRIV [root@test ~]#
說明:能夠看到sshd的配置文件中明肯定義了syslogfacility authpriv。經過上面的介紹咱們大概知道rsyslog 的facility 中就包括authpriv 這個設施。接下來咱們在來看看rsyslog的配置文件
[root@test ~]#grep "authpriv" /etc/rsyslog.conf *.info;mail.none;authpriv.none;cron.none /var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure [root@test ~]#
說明:看到以上的結果,結合咱們以前介紹的rsyslog,是否是很清楚知道sshd的日誌爲何記錄在/etc/log/secure中了嘛。rsyslog的配置文件中明肯定義了authpriv設施中的任何級別的日誌都記錄在/var/log/secure中。
更改sshd 配置文件 將日誌的設施更改成自定義設施local3
[root@test ~]#grep "log" /etc/ssh/sshd_config #SyslogFacility AUTH #SyslogFacility AUTHPRIV SyslogFacility local3 [root@test ~]#
在rsyslog配置文件中指定 local3設施中的任何級別的目標文件爲/var/log/sshd.log
[root@test ~]#grep "local" /etc/rsyslog.conf $ModLoad imuxsock # provides support for local system logging (e.g. via logger command) # Turn off message reception via local log socket; # local messages are retrieved through imjournal now. local7.* /var/log/boot.log local3.* /var/log/sshd.log [root@test ~]#
重啓rsyslogd 和sshd 服務
[root@test ~]#systemctl restart rsyslog sshd
查看/var/log/sshd.log
[root@test ~]#ll /var/log/sshd.log -rw-------. 1 root root 207 12月 24 19:23 /var/log/sshd.log [root@test ~]#cat /var/log/sshd.log Dec 24 19:23:33 test sshd[4532]: Received signal 15; terminating. Dec 24 19:23:33 test sshd[4575]: Server listening on 0.0.0.0 port 41319. Dec 24 19:23:33 test sshd[4575]: Server listening on :: port 41319. [root@test ~]#
說明:要想用rsyslog來管理應用程序的日誌,前提是應用程序內部實現rsyslog的日誌接口,不然是不能夠經過rsyslog來管理日誌
4、日誌管理小工具
logger:這個小工具能夠生成日誌,主要用於咱們配置的日誌系統是否能夠正常的記錄日誌
[root@test ~]#logger --help 用法: logger [選項] [消息] 選項: -T, --tcp 只使用 TCP -d, --udp 只使用 UDP -i, --id 同時記錄進程 ID -f, --file <文件> 記錄此文件的內容 -h, --help 顯示此幫助並退出 -S, --size <num> maximum size for a single message (default 1024) -n, --server <name> write to this remote syslog server -P, --port <port> use this port for UDP or TCP connection -p, --priority <prio> mark given message with this priority -s, --stderr output message to standard error as well -t, --tag <標誌> 用此標誌標記每一行 -u, --socket <套接字> 寫入此 Unix 套接字 -V, --version 輸出版本信息並退出 [root@test ~]#
給local3發送一條info級別或以上級別的日誌
[root@test ~]#logger -p "local3.info" "this is test log" [root@test ~]#tail /var/log/sshd.log Dec 24 19:23:33 test sshd[4532]: Received signal 15; terminating. Dec 24 19:23:33 test sshd[4575]: Server listening on 0.0.0.0 port 41319. Dec 24 19:23:33 test sshd[4575]: Server listening on :: port 41319. Dec 24 19:42:49 test qiuhom: this is test log [root@test ~]#
說明:有了這個工具咱們能夠很好的測試日誌系統是否在正常記錄日誌
配置local4 的全部級別消息都發送給全部登陸到系統的用戶終端進行顯示
[root@test ~]#grep "local" /etc/rsyslog.conf $ModLoad imuxsock # provides support for local system logging (e.g. via logger command) # Turn off message reception via local log socket; # local messages are retrieved through imjournal now. local7.* /var/log/boot.log local3.* /var/log/sshd.log local4.* * [root@test ~]#systemctl restart rsyslog [root@test ~]#syst^C [root@test ~]#who root tty1 2019-12-24 19:50 qiuhom pts/0 2019-12-24 19:03 (192.168.0.232) qiuhom pts/1 2019-12-24 19:50 (192.168.0.232) [root@test ~]#logger -p "local4.info" "this is test log" Message from syslogd@test at Dec 24 19:53:02 ... qiuhom:this is test log [root@test ~]#
journalctl:此工具是centos7上的一個日誌管理工具。systemd統一管理全部unit的啓動日誌,帶來的好處就是,能夠用journalctl一個命令查看全部日誌(內核日誌和應用日誌),日誌的配置文件/etc/systemd/journald.conf
1)查看全部日誌(默認狀況下,只保存本次啓動的日誌)
[root@test ~]#journalctl -- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 20:01:01 CST. -- 12月 23 12:42:48 docker systemd-journal[105]: Runtime journal is using 8.0M (max allowed 91.3M, trying to leave 136.9 12月 23 12:42:48 docker kernel: Initializing cgroup subsys cpuset 12月 23 12:42:48 docker kernel: Initializing cgroup subsys cpu 12月 23 12:42:48 docker kernel: Initializing cgroup subsys cpuacct 12月 23 12:42:48 docker kernel: Linux version 3.10.0-957.27.2.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc ve 12月 23 12:42:48 docker kernel: Command line: BOOT_IMAGE=/vmlinuz-3.10.0-957.27.2.el7.x86_64 root=/dev/mapper/centos- 12月 23 12:42:48 docker kernel: Disabled fast string operations 12月 23 12:42:48 docker kernel: e820: BIOS-provided physical RAM map: 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009ffff] usable 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000000a0000-0x00000000000fffff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x0000000000100000-0x000000007f045fff] usable 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f046000-0x000000007f0ccfff] ACPI NVS 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f0cd000-0x000000007f0cefff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f0cf000-0x000000007f0d6fff] ACPI data 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f0d7000-0x000000007f103fff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f104000-0x000000007f104fff] usable 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f105000-0x000000007f105fff] ACPI NVS 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f106000-0x000000007f125fff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f126000-0x000000007f130fff] ACPI NVS 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f131000-0x000000007f158fff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f159000-0x000000007f19bfff] ACPI NVS 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f19c000-0x000000007f586fff] usable 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f587000-0x000000007f6e3fff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f6e4000-0x000000007f6effff] usable 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f6f0000-0x000000007fffffff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000e0000000-0x00000000efffffff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fec00000-0x00000000fec00fff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fed00000-0x00000000fed00fff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fed1c000-0x00000000fed8ffff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fee00000-0x00000000fee00fff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000ffe00000-0x00000000ffffffff] reserved 12月 23 12:42:48 docker kernel: NX (Execute Disable) protection: active 12月 23 12:42:48 docker kernel: e820: update [mem 0x0b91c018-0x0b92c057] usable ==> usable 12月 23 12:42:48 docker kernel: e820: update [mem 0x0b92d018-0x0b93d057] usable ==> usable 12月 23 12:42:48 docker kernel: extended physical RAM map: 12月 23 12:42:48 docker kernel: reserve setup_data: [mem 0x0000000000000000-0x000000000009ffff] usable 12月 23 12:42:48 docker kernel: reserve setup_data: [mem 0x00000000000a0000-0x00000000000fffff] reserved 12月 23 12:42:48 docker kernel: reserve setup_data: [mem 0x0000000000100000-0x000000000b91c017] usable lines 1-39
2)查看內核日誌(不顯示應用日誌)
[root@test ~]#journalctl -k -- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 20:01:01 CST. -- 12月 23 12:42:48 docker kernel: Initializing cgroup subsys cpuset 12月 23 12:42:48 docker kernel: Initializing cgroup subsys cpu 12月 23 12:42:48 docker kernel: Initializing cgroup subsys cpuacct 12月 23 12:42:48 docker kernel: Linux version 3.10.0-957.27.2.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc ve 12月 23 12:42:48 docker kernel: Command line: BOOT_IMAGE=/vmlinuz-3.10.0-957.27.2.el7.x86_64 root=/dev/mapper/centos- 12月 23 12:42:48 docker kernel: Disabled fast string operations 12月 23 12:42:48 docker kernel: e820: BIOS-provided physical RAM map: 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009ffff] usable 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000000a0000-0x00000000000fffff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x0000000000100000-0x000000007f045fff] usable 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f046000-0x000000007f0ccfff] ACPI NVS 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f0cd000-0x000000007f0cefff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f0cf000-0x000000007f0d6fff] ACPI data 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f0d7000-0x000000007f103fff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f104000-0x000000007f104fff] usable 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f105000-0x000000007f105fff] ACPI NVS 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f106000-0x000000007f125fff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f126000-0x000000007f130fff] ACPI NVS 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f131000-0x000000007f158fff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f159000-0x000000007f19bfff] ACPI NVS 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f19c000-0x000000007f586fff] usable 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f587000-0x000000007f6e3fff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f6e4000-0x000000007f6effff] usable 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f6f0000-0x000000007fffffff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000e0000000-0x00000000efffffff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fec00000-0x00000000fec00fff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fed00000-0x00000000fed00fff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fed1c000-0x00000000fed8ffff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fee00000-0x00000000fee00fff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000ffe00000-0x00000000ffffffff] reserved 12月 23 12:42:48 docker kernel: NX (Execute Disable) protection: active 12月 23 12:42:48 docker kernel: e820: update [mem 0x0b91c018-0x0b92c057] usable ==> usable 12月 23 12:42:48 docker kernel: e820: update [mem 0x0b92d018-0x0b93d057] usable ==> usable 12月 23 12:42:48 docker kernel: extended physical RAM map: 12月 23 12:42:48 docker kernel: reserve setup_data: [mem 0x0000000000000000-0x000000000009ffff] usable 12月 23 12:42:48 docker kernel: reserve setup_data: [mem 0x00000000000a0000-0x00000000000fffff] reserved 12月 23 12:42:48 docker kernel: reserve setup_data: [mem 0x0000000000100000-0x000000000b91c017] usable 12月 23 12:42:48 docker kernel: reserve setup_data: [mem 0x000000000b91c018-0x000000000b92c057] usable lines 1-39
3)查看系統本次啓動的日誌
[root@test ~]#journalctl -b 0 -- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 20:01:01 CST. -- 12月 23 12:42:48 docker systemd-journal[105]: Runtime journal is using 8.0M (max allowed 91.3M, trying to leave 136.9 12月 23 12:42:48 docker kernel: Initializing cgroup subsys cpuset 12月 23 12:42:48 docker kernel: Initializing cgroup subsys cpu 12月 23 12:42:48 docker kernel: Initializing cgroup subsys cpuacct 12月 23 12:42:48 docker kernel: Linux version 3.10.0-957.27.2.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc ve 12月 23 12:42:48 docker kernel: Command line: BOOT_IMAGE=/vmlinuz-3.10.0-957.27.2.el7.x86_64 root=/dev/mapper/centos- 12月 23 12:42:48 docker kernel: Disabled fast string operations 12月 23 12:42:48 docker kernel: e820: BIOS-provided physical RAM map: 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009ffff] usable 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000000a0000-0x00000000000fffff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x0000000000100000-0x000000007f045fff] usable 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f046000-0x000000007f0ccfff] ACPI NVS 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f0cd000-0x000000007f0cefff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f0cf000-0x000000007f0d6fff] ACPI data 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f0d7000-0x000000007f103fff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f104000-0x000000007f104fff] usable 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f105000-0x000000007f105fff] ACPI NVS 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f106000-0x000000007f125fff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f126000-0x000000007f130fff] ACPI NVS 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f131000-0x000000007f158fff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f159000-0x000000007f19bfff] ACPI NVS 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f19c000-0x000000007f586fff] usable 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f587000-0x000000007f6e3fff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f6e4000-0x000000007f6effff] usable 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x000000007f6f0000-0x000000007fffffff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000e0000000-0x00000000efffffff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fec00000-0x00000000fec00fff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fed00000-0x00000000fed00fff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fed1c000-0x00000000fed8ffff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000fee00000-0x00000000fee00fff] reserved 12月 23 12:42:48 docker kernel: BIOS-e820: [mem 0x00000000ffe00000-0x00000000ffffffff] reserved 12月 23 12:42:48 docker kernel: NX (Execute Disable) protection: active 12月 23 12:42:48 docker kernel: e820: update [mem 0x0b91c018-0x0b92c057] usable ==> usable 12月 23 12:42:48 docker kernel: e820: update [mem 0x0b92d018-0x0b93d057] usable ==> usable 12月 23 12:42:48 docker kernel: extended physical RAM map: 12月 23 12:42:48 docker kernel: reserve setup_data: [mem 0x0000000000000000-0x000000000009ffff] usable 12月 23 12:42:48 docker kernel: reserve setup_data: [mem 0x00000000000a0000-0x00000000000fffff] reserved 12月 23 12:42:48 docker kernel: reserve setup_data: [mem 0x0000000000100000-0x000000000b91c017] usable lines 1-39
4)查看指定時間的日誌
journalctl --since="2017-10-30 18:10:30" journalctl --since "20 min ago" journalctl --since yesterday journalctl --since "2017-01-10" --until "2017-01-11 03:00" journalctl --since 09:00 --until "1 hour ago"
[root@test ~]#journalctl --since 09:00 --until "1 hour ago" -- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 20:01:01 CST. -- 12月 24 09:01:01 test systemd[1]: Created slice User Slice of root. 12月 24 09:01:01 test systemd[1]: Started Session 22 of user root. 12月 24 09:01:01 test CROND[2543]: (root) CMD (run-parts /etc/cron.hourly) 12月 24 09:01:01 test run-parts(/etc/cron.hourly)[2546]: starting 0anacron 12月 24 09:01:01 test run-parts(/etc/cron.hourly)[2552]: finished 0anacron 12月 24 09:01:02 test systemd[1]: Removed slice User Slice of root. 12月 24 10:01:01 test systemd[1]: Created slice User Slice of root. 12月 24 10:01:01 test systemd[1]: Started Session 23 of user root. 12月 24 10:01:01 test CROND[2561]: (root) CMD (run-parts /etc/cron.hourly) 12月 24 10:01:01 test run-parts(/etc/cron.hourly)[2564]: starting 0anacron 12月 24 10:01:01 test run-parts(/etc/cron.hourly)[2570]: finished 0anacron 12月 24 10:01:01 test systemd[1]: Removed slice User Slice of root. 12月 24 11:01:01 test systemd[1]: Created slice User Slice of root. 12月 24 11:01:01 test systemd[1]: Started Session 24 of user root. 12月 24 11:01:01 test CROND[2579]: (root) CMD (run-parts /etc/cron.hourly) 12月 24 11:01:01 test run-parts(/etc/cron.hourly)[2582]: starting 0anacron 12月 24 11:01:01 test run-parts(/etc/cron.hourly)[2588]: finished 0anacron 12月 24 11:01:01 test systemd[1]: Removed slice User Slice of root. 12月 24 12:01:01 test systemd[1]: Created slice User Slice of root. 12月 24 12:01:01 test systemd[1]: Started Session 25 of user root. 12月 24 12:01:01 test CROND[2597]: (root) CMD (run-parts /etc/cron.hourly) 12月 24 12:01:01 test run-parts(/etc/cron.hourly)[2600]: starting 0anacron 12月 24 12:01:01 test run-parts(/etc/cron.hourly)[2606]: finished 0anacron 12月 24 12:01:01 test systemd[1]: Removed slice User Slice of root. 12月 24 12:58:31 test systemd[1]: Starting Cleanup of Temporary Directories... 12月 24 12:58:32 test systemd[1]: Started Cleanup of Temporary Directories. 12月 24 13:01:01 test systemd[1]: Created slice User Slice of root. 12月 24 13:01:01 test systemd[1]: Started Session 26 of user root. 12月 24 13:01:01 test CROND[2619]: (root) CMD (run-parts /etc/cron.hourly) 12月 24 13:01:01 test run-parts(/etc/cron.hourly)[2622]: starting 0anacron 12月 24 13:01:01 test run-parts(/etc/cron.hourly)[2628]: finished 0anacron 12月 24 13:01:01 test systemd[1]: Removed slice User Slice of root. 12月 24 13:16:24 test sshd[2635]: Accepted password for qiuhom from 192.168.0.232 port 2097 ssh2 12月 24 13:16:25 test systemd[1]: Created slice User Slice of qiuhom. 12月 24 13:16:25 test systemd-logind[773]: New session 27 of user qiuhom. 12月 24 13:16:25 test systemd[1]: Started Session 27 of user qiuhom. 12月 24 13:16:25 test sshd[2635]: pam_unix(sshd:session): session opened for user qiuhom by (uid=0) 12月 24 13:16:28 test su[2673]: (to root) qiuhom on pts/0 lines 1-39
說明:指定時間不能超過記錄時間的最先時間
5)顯示尾部的最新日誌默認是現實10行
[root@test ~]#journalctl -n -- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 20:01:01 CST. -- 12月 24 19:52:16 test rsyslogd[6118]: error during parsing file /etc/rsyslog.conf, on or before line 75: warnings occ 12月 24 19:52:16 test polkitd[752]: Unregistered Authentication Agent for unix-process:6111:11217058 (system bus name 12月 24 19:53:02 test qiuhom[6222]: this is test log 12月 24 19:53:47 test su[6256]: (to root) qiuhom on pts/1 12月 24 19:53:47 test su[6256]: pam_unix(su-l:session): session opened for user root by qiuhom(uid=1000) 12月 24 19:53:54 test qiuhom[6466]: this is test log 12月 24 20:01:01 test systemd[1]: Started Session 37 of user root. 12月 24 20:01:01 test CROND[6791]: (root) CMD (run-parts /etc/cron.hourly) 12月 24 20:01:01 test run-parts(/etc/cron.hourly)[6794]: starting 0anacron 12月 24 20:01:01 test run-parts(/etc/cron.hourly)[6800]: finished 0anacron [root@test ~]#journalctl -n 15 -- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 20:01:01 CST. -- 12月 24 19:52:16 test systemd[1]: Stopped System Logging Service. 12月 24 19:52:16 test systemd[1]: Starting System Logging Service... 12月 24 19:52:16 test rsyslogd[6118]: [origin software="rsyslogd" swVersion="8.24.0-34.el7" x-pid="6118" x-info="htt 12月 24 19:52:16 test rsyslogd[6118]: action '*' treated as ':omusrmsg:*' - please use ':omusrmsg:*' syntax instead, 12月 24 19:52:16 test systemd[1]: Started System Logging Service. 12月 24 19:52:16 test rsyslogd[6118]: error during parsing file /etc/rsyslog.conf, on or before line 75: warnings occ 12月 24 19:52:16 test polkitd[752]: Unregistered Authentication Agent for unix-process:6111:11217058 (system bus name 12月 24 19:53:02 test qiuhom[6222]: this is test log 12月 24 19:53:47 test su[6256]: (to root) qiuhom on pts/1 12月 24 19:53:47 test su[6256]: pam_unix(su-l:session): session opened for user root by qiuhom(uid=1000) 12月 24 19:53:54 test qiuhom[6466]: this is test log 12月 24 20:01:01 test systemd[1]: Started Session 37 of user root. 12月 24 20:01:01 test CROND[6791]: (root) CMD (run-parts /etc/cron.hourly) 12月 24 20:01:01 test run-parts(/etc/cron.hourly)[6794]: starting 0anacron 12月 24 20:01:01 test run-parts(/etc/cron.hourly)[6800]: finished 0anacron [root@test ~]#
6)實時滾動顯示最新日誌
[root@test ~]#journalctl -f -- Logs begin at 一 2019-12-23 12:42:48 CST. -- 12月 24 19:52:16 test rsyslogd[6118]: error during parsing file /etc/rsyslog.conf, on or before line 75: warnings occured in file '/etc/rsyslog.conf' around line 75 [v8.24.0-34.el7 try http://www.rsyslog.com/e/2207 ] 12月 24 19:52:16 test polkitd[752]: Unregistered Authentication Agent for unix-process:6111:11217058 (system bus name :1.95, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8) (disconnected from bus) 12月 24 19:53:02 test qiuhom[6222]: this is test log 12月 24 19:53:47 test su[6256]: (to root) qiuhom on pts/1 12月 24 19:53:47 test su[6256]: pam_unix(su-l:session): session opened for user root by qiuhom(uid=1000) 12月 24 19:53:54 test qiuhom[6466]: this is test log 12月 24 20:01:01 test systemd[1]: Started Session 37 of user root. 12月 24 20:01:01 test CROND[6791]: (root) CMD (run-parts /etc/cron.hourly) 12月 24 20:01:01 test run-parts(/etc/cron.hourly)[6794]: starting 0anacron 12月 24 20:01:01 test run-parts(/etc/cron.hourly)[6800]: finished 0anacron 12月 24 20:51:28 test qiuhom[8356]: this is a test log
說明:此選項同tail -f 相似
7)查看指定服務的日誌
[root@test ~]#journalctl /sbin/nginx -- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 20:51:28 CST. -- 12月 23 12:43:07 test nginx[1050]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok 12月 23 12:43:07 test nginx[1050]: nginx: configuration file /etc/nginx/nginx.conf test is successful [root@test ~]#journalctl /usr/lib/systemd/systemd -- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 20:51:28 CST. -- 12月 23 12:42:49 docker systemd[1]: Started Setup Virtual Console. 12月 23 12:42:49 docker systemd[1]: Started dracut cmdline hook. 12月 23 12:42:49 docker systemd[1]: Starting dracut pre-udev hook... 12月 23 12:42:49 docker systemd[1]: Started dracut pre-udev hook. 12月 23 12:42:49 docker systemd[1]: Starting udev Kernel Device Manager... 12月 23 12:42:49 docker systemd[1]: Started udev Kernel Device Manager. 12月 23 12:42:49 docker systemd[1]: Starting udev Coldplug all Devices... 12月 23 12:42:49 docker systemd[1]: Mounting Configuration File System... 12月 23 12:42:49 docker systemd[1]: Mounted Configuration File System. 12月 23 12:42:49 docker systemd[1]: Started udev Coldplug all Devices. 12月 23 12:42:49 docker systemd[1]: Reached target System Initialization. 12月 23 12:42:49 docker systemd[1]: Starting Show Plymouth Boot Screen... 12月 23 12:42:49 docker systemd[1]: Starting dracut initqueue hook... 12月 23 12:42:49 docker systemd[1]: Started Show Plymouth Boot Screen. 12月 23 12:42:49 docker systemd[1]: Started Forward Password Requests to Plymouth Directory Watch. 12月 23 12:42:49 docker systemd[1]: Reached target Paths. 12月 23 12:42:49 docker systemd[1]: Reached target Basic System. 12月 23 12:42:51 docker systemd[1]: Found device /dev/mapper/centos-root. 12月 23 12:42:51 docker systemd[1]: Starting File System Check on /dev/mapper/centos-root... 12月 23 12:42:51 docker systemd[1]: Started File System Check on /dev/mapper/centos-root. 12月 23 12:42:51 docker systemd[1]: Started dracut initqueue hook. 12月 23 12:42:51 docker systemd[1]: Reached target Remote File Systems (Pre). 12月 23 12:42:51 docker systemd[1]: Reached target Remote File Systems. 12月 23 12:42:51 docker systemd[1]: Mounting /sysroot... 12月 23 12:42:52 docker systemd[1]: Mounted /sysroot. 12月 23 12:42:52 docker systemd[1]: Reached target Initrd Root File System. 12月 23 12:42:52 docker systemd[1]: Starting Reload Configuration from the Real Root... 12月 23 12:42:52 docker systemd[1]: Reloading. 12月 23 12:42:52 docker systemd[1]: Started Reload Configuration from the Real Root. 12月 23 12:42:52 docker systemd[1]: Reached target Initrd File Systems. 12月 23 12:42:52 docker systemd[1]: Reached target Initrd Default Target. 12月 23 12:42:52 docker systemd[1]: Starting dracut pre-pivot and cleanup hook... 12月 23 12:42:52 docker systemd[1]: Started dracut pre-pivot and cleanup hook. 12月 23 12:42:52 docker systemd[1]: Starting Cleaning Up and Shutting Down Daemons... 12月 23 12:42:52 docker systemd[1]: Stopped target Timers. 12月 23 12:42:52 docker systemd[1]: Starting Plymouth switch root service... 12月 23 12:42:52 docker systemd[1]: Stopped Cleaning Up and Shutting Down Daemons. 12月 23 12:42:52 docker systemd[1]: Stopped dracut pre-pivot and cleanup hook. lines 1-39
8)查看指定進程的日誌
[root@test ~]#journalctl _PID=757
-- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 21:08:23 CST. --
12月 23 12:42:56 test chronyd[757]: chronyd version 3.4 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SI
12月 23 12:42:56 test chronyd[757]: Frequency -5.019 +/- 0.085 ppm read from /var/lib/chrony/drift
12月 23 12:43:07 test chronyd[757]: Selected source 84.16.67.12
[root@test ~]#journalctl _PID=10781
-- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 21:08:23 CST. --
12月 24 21:08:08 test setroubleshoot[10781]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc
12月 24 21:08:08 test python[10781]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tcp_socket
***** Plugin connect_ports (85.9 confidence) suggests *********************
If you want to allow /usr/sbin/nginx to connect to network port 8888
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 8888
where PORT_TYPE is one of the following: dns_port_t, dnssec_port_t, http_po
***** Plugin catchall_boolean (7.33 confidence) suggests ******************
If you want to allow httpd to can network connect
Then you must tell SELinux about this by enabling the 'httpd_can_network_connec
Do
setsebool -P httpd_can_network_connect 1
***** Plugin catchall_boolean (7.33 confidence) suggests ******************
If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
Do
setsebool -P nis_enabled 1
***** Plugin catchall (1.35 confidence) suggests **************************
If you believe that nginx should be allowed name_connect access on the port 888
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'nginx' --raw | audit2allow -M my-nginx
# semodule -i my-nginx.pp
lines 1-38/38 (END)
9)查看某個路徑下腳本的日誌
[root@test ~]#journalctl /usr/bin/bash -- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 21:08:23 CST. -- 12月 23 12:42:56 test augenrules[730]: /sbin/augenrules: No change 12月 23 12:42:56 test augenrules[730]: No rules 12月 23 12:43:06 test network[883]: 正在打開環回接口: [ 肯定 ] 12月 23 12:43:06 test network[883]: 正在打開接口 enp2s0: [ 肯定 ] 12月 23 13:01:01 test CROND[1515]: (root) CMD (run-parts /etc/cron.hourly) 12月 23 14:01:01 test CROND[2160]: (root) CMD (run-parts /etc/cron.hourly) 12月 23 15:01:01 test CROND[2185]: (root) CMD (run-parts /etc/cron.hourly) 12月 23 16:01:01 test CROND[2203]: (root) CMD (run-parts /etc/cron.hourly) 12月 23 17:01:01 test CROND[2221]: (root) CMD (run-parts /etc/cron.hourly) 12月 23 18:01:01 test CROND[2239]: (root) CMD (run-parts /etc/cron.hourly) 12月 23 19:01:02 test CROND[2256]: (root) CMD (run-parts /etc/cron.hourly) 12月 23 20:01:01 test CROND[2275]: (root) CMD (run-parts /etc/cron.hourly) 12月 23 21:01:01 test CROND[2291]: (root) CMD (run-parts /etc/cron.hourly) 12月 23 22:01:01 test CROND[2309]: (root) CMD (run-parts /etc/cron.hourly) 12月 23 23:01:01 test CROND[2328]: (root) CMD (run-parts /etc/cron.hourly) 12月 24 01:01:01 test CROND[2368]: (root) CMD (run-parts /etc/cron.hourly) 12月 24 02:01:01 test CROND[2388]: (root) CMD (run-parts /etc/cron.hourly) 12月 24 03:01:01 test CROND[2408]: (root) CMD (run-parts /etc/cron.hourly) 12月 24 04:01:01 test CROND[2455]: (root) CMD (run-parts /etc/cron.hourly) 12月 24 07:01:01 test CROND[2507]: (root) CMD (run-parts /etc/cron.hourly) 12月 24 08:01:01 test CROND[2525]: (root) CMD (run-parts /etc/cron.hourly) 12月 24 09:01:01 test CROND[2543]: (root) CMD (run-parts /etc/cron.hourly) 12月 24 10:01:01 test CROND[2561]: (root) CMD (run-parts /etc/cron.hourly) 12月 24 11:01:01 test CROND[2579]: (root) CMD (run-parts /etc/cron.hourly) 12月 24 12:01:01 test CROND[2597]: (root) CMD (run-parts /etc/cron.hourly) 12月 24 13:01:01 test CROND[2619]: (root) CMD (run-parts /etc/cron.hourly) 12月 24 14:01:01 test CROND[3415]: (root) CMD (run-parts /etc/cron.hourly) 12月 24 16:01:01 test CROND[3454]: (root) CMD (run-parts /etc/cron.hourly) 12月 24 17:01:01 test CROND[3472]: (root) CMD (run-parts /etc/cron.hourly) 12月 24 18:01:01 test CROND[3490]: (root) CMD (run-parts /etc/cron.hourly) 12月 24 19:01:01 test CROND[3509]: (root) CMD (run-parts /etc/cron.hourly) 12月 24 20:01:01 test CROND[6791]: (root) CMD (run-parts /etc/cron.hourly) 12月 24 21:01:01 test CROND[9711]: (root) CMD (run-parts /etc/cron.hourly) [root@test ~]#
10)查看指定用戶的日誌
[root@test ~]#id qiuhom uid=1000(qiuhom) gid=1000(qiuhom) 組=1000(qiuhom) [root@test ~]#journalctl _UID=1000 -- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 21:08:23 CST. -- 12月 23 13:23:58 test su[1912]: (to root) qiuhom on pts/0 12月 23 13:23:58 test su[1912]: pam_unix(su-l:session): session opened for user root by qiuhom(uid=1000) 12月 23 14:07:46 test su[1912]: pam_unix(su-l:session): session closed for user root 12月 24 13:16:28 test su[2673]: (to root) qiuhom on pts/0 12月 24 13:16:28 test su[2673]: pam_unix(su-l:session): session opened for user root by qiuhom(uid=1000) 12月 24 14:02:19 test su[2673]: pam_unix(su-l:session): session closed for user root 12月 24 19:03:55 test su[3562]: (to root) qiuhom on pts/0 12月 24 19:03:55 test su[3562]: pam_unix(su-l:session): session opened for user root by qiuhom(uid=1000) 12月 24 19:53:47 test su[6256]: (to root) qiuhom on pts/1 12月 24 19:53:47 test su[6256]: pam_unix(su-l:session): session opened for user root by qiuhom(uid=1000) [root@test ~]#
11)查看某個unit的日誌
[root@test ~]#journalctl -u nginx.service -- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 21:08:23 CST. -- 12月 23 12:43:07 test systemd[1]: Starting The nginx HTTP and reverse proxy server... 12月 23 12:43:07 test nginx[1050]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok 12月 23 12:43:07 test nginx[1050]: nginx: configuration file /etc/nginx/nginx.conf test is successful 12月 23 12:43:08 test systemd[1]: Started The nginx HTTP and reverse proxy server. [root@test ~]#journalctl -u nginx.service --since today -- No entries -- [root@test ~]#systemctl restart nginx [root@test ~]#journalctl -u nginx.service --since today -- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 21:14:31 CST. -- 12月 24 21:14:31 test systemd[1]: Stopping The nginx HTTP and reverse proxy server... 12月 24 21:14:31 test systemd[1]: Stopped The nginx HTTP and reverse proxy server. 12月 24 21:14:31 test systemd[1]: Starting The nginx HTTP and reverse proxy server... 12月 24 21:14:31 test nginx[11296]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok 12月 24 21:14:31 test nginx[11296]: nginx: configuration file /etc/nginx/nginx.conf test is successful 12月 24 21:14:31 test systemd[1]: Started The nginx HTTP and reverse proxy server. [root@test ~]#
說明:能夠同時指定多個unit,分別用-u指定其名便可,也能夠用--since 指定時間,也能夠用-f來跟蹤某個nuit的最新日誌
12)查看指定優先級(及其以上級別)的日誌,共有8級
0: emerg
1: alert
2: crit
3: err
4: warning
5: notice
6: info
7: debug
[root@test ~]#journalctl -p err -- Logs begin at 一 2019-12-23 12:42:48 CST, end at 二 2019-12-24 21:14:31 CST. -- 12月 23 12:42:50 docker kernel: gma500 0000:00:02.0: GPU: power management timed out. 12月 24 19:47:41 test rsyslogd[5521]: error during parsing file /etc/rsyslog.conf, on or before line 75: warnings occ 12月 24 19:52:16 test rsyslogd[6118]: error during parsing file /etc/rsyslog.conf, on or before line 75: warnings occ 12月 24 21:07:45 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc 12月 24 21:07:48 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc 12月 24 21:07:49 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc 12月 24 21:07:50 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc 12月 24 21:07:50 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc 12月 24 21:07:51 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc 12月 24 21:07:52 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc 12月 24 21:07:53 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc 12月 24 21:07:53 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc 12月 24 21:07:54 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc 12月 24 21:07:55 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc 12月 24 21:07:56 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc 12月 24 21:07:56 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc 12月 24 21:07:57 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc 12月 24 21:07:58 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc 12月 24 21:07:58 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc 12月 24 21:07:59 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc 12月 24 21:08:00 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc 12月 24 21:08:01 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc 12月 24 21:08:01 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc 12月 24 21:08:02 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc 12月 24 21:08:03 test setroubleshoot[10603]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc 12月 24 21:08:08 test setroubleshoot[10781]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc 12月 24 21:08:23 test setroubleshoot[10826]: SELinux is preventing /usr/sbin/nginx from name_connect access on the tc [root@test ~]#
13)日誌默認分頁輸出,--no-pager 改成正常的標準輸出
……省略部分信息 12月 24 21:14:31 test polkitd[752]: Registered Authentication Agent for unix-process:11283:11710498 (system bus name :1.105 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8) 12月 24 21:14:31 test systemd[1]: Stopping The nginx HTTP and reverse proxy server... 12月 24 21:14:31 test systemd[1]: Stopped The nginx HTTP and reverse proxy server. 12月 24 21:14:31 test systemd[1]: Starting The nginx HTTP and reverse proxy server... 12月 24 21:14:31 test nginx[11296]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok 12月 24 21:14:31 test nginx[11296]: nginx: configuration file /etc/nginx/nginx.conf test is successful 12月 24 21:14:31 test systemd[1]: Started The nginx HTTP and reverse proxy server. 12月 24 21:14:31 test polkitd[752]: Unregistered Authentication Agent for unix-process:11283:11710498 (system bus name :1.105, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8) (disconnected from bus) [root@test ~]#
14)以json格式(單行)輸出
[root@test ~]#journalctl -b -u nginx.service -o json
{ "__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=4fe;b=e3110b5a73e44bebb9ac87b21fad016d;m=1401ea7;t=59a57a9eb3d4c
{ "__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=50a;b=e3110b5a73e44bebb9ac87b21fad016d;m=1488bea;t=59a57a9f3aa8f
{ "__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=50b;b=e3110b5a73e44bebb9ac87b21fad016d;m=1489f61;t=59a57a9f3be06
{ "__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=50d;b=e3110b5a73e44bebb9ac87b21fad016d;m=14d1bc8;t=59a57a9f83a6e
{ "__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=6b9;b=e3110b5a73e44bebb9ac87b21fad016d;m=1b44014f22;t=59a72ecac6
{ "__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=6ba;b=e3110b5a73e44bebb9ac87b21fad016d;m=1b44020532;t=59a72ecad2
{ "__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=6bb;b=e3110b5a73e44bebb9ac87b21fad016d;m=1b44024a99;t=59a72ecad6
{ "__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=6bc;b=e3110b5a73e44bebb9ac87b21fad016d;m=1b44046779;t=59a72ecaf8
{ "__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=6bd;b=e3110b5a73e44bebb9ac87b21fad016d;m=1b44046be4;t=59a72ecaf8
{ "__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=6be;b=e3110b5a73e44bebb9ac87b21fad016d;m=1b440637c3;t=59a72ecb15
[root@test ~]#
多行輸出,可讀性更好
[root@test ~]#journalctl -b -u nginx.service -o json-pretty
{
"__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=4fe;b=e3110b5a73e44bebb9ac87b21fad016d;m=1401ea7;t=59a57a9
"__REALTIME_TIMESTAMP" : "1577076187151692",
"__MONOTONIC_TIMESTAMP" : "20979367",
"_BOOT_ID" : "e3110b5a73e44bebb9ac87b21fad016d",
"PRIORITY" : "6",
"_UID" : "0",
"_GID" : "0",
"_MACHINE_ID" : "931bcb70deb1435eaea1d542d13878cc",
"SYSLOG_FACILITY" : "3",
"SYSLOG_IDENTIFIER" : "systemd",
"_TRANSPORT" : "journal",
"_PID" : "1",
"_COMM" : "systemd",
"_EXE" : "/usr/lib/systemd/systemd",
"_CAP_EFFECTIVE" : "1fffffffff",
"_SYSTEMD_CGROUP" : "/",
"CODE_FILE" : "src/core/unit.c",
"CODE_FUNCTION" : "unit_status_log_starting_stopping_reloading",
"MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5",
"_HOSTNAME" : "test",
"_CMDLINE" : "/usr/lib/systemd/systemd --switched-root --system --deserialize 22",
"_SELINUX_CONTEXT" : "system_u:system_r:init_t:s0",
"CODE_LINE" : "1395",
"UNIT" : "nginx.service",
"MESSAGE" : "Starting The nginx HTTP and reverse proxy server...",
"_SOURCE_REALTIME_TIMESTAMP" : "1577076187143557"
}
{
"__CURSOR" : "s=1757eca9c8674c60bc078967261ae3d2;i=50a;b=e3110b5a73e44bebb9ac87b21fad016d;m=1488bea;t=59a57a9
"__REALTIME_TIMESTAMP" : "1577076187703951",
"__MONOTONIC_TIMESTAMP" : "21531626",
"_BOOT_ID" : "e3110b5a73e44bebb9ac87b21fad016d",
"PRIORITY" : "6",
"_UID" : "0",
"_GID" : "0",
"_SYSTEMD_SLICE" : "system.slice",
"_MACHINE_ID" : "931bcb70deb1435eaea1d542d13878cc",
"SYSLOG_FACILITY" : "3",
[root@test ~]#
15)顯示日誌佔據的磁盤空間
[root@test ~]#journalctl --disk-usage Archived and active journals take up 8.0M on disk. [root@test ~]#
指定日誌文件佔據的最大空間
[root@test ~]#journalctl --vacuum-size=1G Vacuuming done, freed 0B of archived journals on disk. [root@test ~]#
指定日誌文件保存多久
[root@test ~]#journalctl --vacuum-time=1years Vacuuming done, freed 0B of archived journals on disk. [root@test ~]#
logrotate:這個程序是一個日誌文件管理工具。用來把舊的日誌文件刪除,並建立新的日誌文件,咱們把這一過程稱爲日誌轉儲或滾動。它能夠根據日誌文件的大小,也能夠根據其天數來轉儲,一般咱們是設定定時計劃任務去完成。
配置文件是/etc/logrotate.conf
主要的參數有:
compress: 經過gzip壓縮轉儲之後的日誌
nocompress:不須要壓縮時,用這個參數
copytruncate:用於還在打開中的日誌文件,把當前日誌備份並截斷
nocopytruncate:備份日誌文件,但不截斷
create mode owner group 轉儲文件,使用指定的文件模式建立新的日誌文件
nocreate :不創建新的日誌文件
delaycompress和compress 一塊兒使用時,轉儲的日誌文件到下一次轉儲時才壓縮
nodelaycompress:覆蓋delaycompress選項,轉儲並壓縮
errors address :轉儲時代錯誤信息發送指定的email地址
ifempty:即便是空文件也轉儲,是缺省選項
notifempty:若是是空文件的話,不轉儲
mail address把轉儲的日誌文件發送到指定的email地址
nomail:轉儲時不發送日誌文件
olddir directory:轉儲後的日誌文件放入指定的目錄,必須和當前日誌文件在同一個文件系統
noolddir:轉儲後的日誌文件和當前日誌文件放在同一個目錄下
sharedscripts : 運行postrotate腳本,做用是在全部日誌都輪轉後統一執行一次腳本。若是沒有配置這個,那麼每一個日誌輪轉後都會執行一次腳本
prerotate/endscript :在轉儲之前須要執行的命令能夠放入這兩個關鍵字中間,這兩個關鍵字必須單獨成行
postrotate/endscript:在轉儲之後須要執行的命令能夠放入這兩個關鍵字中間,這兩個關鍵字必須單獨成行
dateext :使用當期日期做爲命名格式
dateformat :配合dateext使用,緊跟在下一行出現,定義文件切割後的文件名,必須配合dateext使用,只支持 %Y %m %d %s 這四個參數
daily:指定轉儲週期爲天天
weekly:指定轉儲週期爲每週
monthly:指定轉儲週期爲每個月
size:大小,指定日誌超過多大時,就執行日誌轉儲
rotate count:指定日誌文件刪除以前轉儲的次數,0指沒有備份,5指保留5個備份
missingok:若是日誌不存在,提示錯誤
nomissingok:若是日誌不存在,繼續下一第二天志,不提示錯誤
默認配置文件
[root@test ~]#cat /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# use date as a suffix of the rotated file
dateext
# uncomment this if you want your log files compressed
#compress
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
minsize 1M
rotate 1
}
/var/log/btmp {
missingok
monthly
create 0600 root utmp
rotate 1
}
# system-specific logs may be also be configured here.
[root@test ~]#
說明:從上面的配置文件看,咱們能夠了解到/var/log/wtmp 這個日誌文件是每個月轉儲一次,並建立新的日誌文件 其權限是0644 屬主是root 屬組是utmp ,日誌文件小大超過1M,日誌文件就會轉儲, 保留一個備份文件。這個文件定義了系統的軟件日誌文件的轉儲規則,其中include /etc/logrotate.d/表示將/etc/logrotate.d目錄下的全部轉儲規則都導入配置文件中。這樣一來就能夠實現單獨的應用能夠用單獨的配置文件存儲。這樣一來就很方便的實現了管理轉儲規則的目的。
[root@test ~]#ll /etc/logrotate.d/
總用量 40
-rw-r--r--. 1 root root 91 4月 11 2018 bootlog
-rw-r--r--. 1 root root 160 9月 19 2018 chrony
-rw-r--r--. 1 root root 194 8月 6 21:44 httpd
-rw-r--r--. 1 root root 893 8月 8 19:49 mariadb
-rw-r--r--. 1 root root 243 5月 10 2019 nginx
-rw-r--r--. 1 root root 136 6月 10 2014 ppp
-rw-r--r--. 1 root root 115 8月 9 22:39 samba
-rw-r--r--. 1 root root 224 10月 18 23:48 syslog
-rw-r--r--. 1 root root 100 10月 31 2018 wpa_supplicant
-rw-r--r--. 1 root root 103 11月 5 2018 yum
[root@test ~]#cat /etc/logrotate.d/chrony
/var/log/chrony/*.log {
missingok
nocreate
sharedscripts
postrotate
/usr/bin/chronyc cyclelogs > /dev/null 2>&1 || true
endscript
}
[root@test ~]#cat /etc/logrotate.d/nginx
/var/log/nginx/*log {
create 0644 nginx nginx
daily
rotate 10
missingok
notifempty
compress
sharedscripts
postrotate
/bin/kill -USR1 `cat /run/nginx.pid 2>/dev/null` 2>/dev/null || true
endscript
}
[root@test ~]#cat /etc/logrotate.d/syslog
/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
missingok
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}
[root@test ~]#cat /etc/logrotate.d/yum
/var/log/yum.log {
missingok
notifempty
maxsize 30k
yearly
create 0600 root root
}
[root@test ~]#
說明:/etc/logrotate.d/這個目錄就是存放各類應用程序的日誌文件轉儲規則
logrotate是基於cron來運行的,其腳本是/etc/cron.daily/logrotate,日誌的轉儲是系統自動完成對,事實上咱們運行logrotate會調用配置文件/etc/logrotate.conf,咱們能夠在/etc/logrotate.d目錄下定義各類應用程序日誌轉儲的規則,用來覆蓋其logrotate的默認值。一般咱們在測試本身寫的轉儲規則時,咱們能夠用 logrotate -f /etc/logrotate.d/xxx,這條命令的的做用就是強制讀取/etc/logrotate.d/xxx 來轉儲日誌文件;如下是logrotate命令的用法
[root@test ~]#logrotate --help 用法: logrotate [OPTION...] <configfile> -d, --debug Don't do anything, just test (implies -v) -f, --force Force file rotation -m, --mail=command Command to send mail (instead of `/bin/mail') -s, --state=statefile Path of state file -v, --verbose Display messages during rotation -l, --log=STRING Log file --version Display version information Help options: -?, --help Show this help message --usage Display brief usage message [root@test ~]#
說明:-d表示--debug,debug模式,測試配置文件是否有誤,-f表示--force強制轉儲日誌文件,-m指定壓縮後的日誌文件發送到郵箱地址,-s表示使用指定的狀態文件,-v表示顯示其轉儲過程。有了這個工具管理日誌文件就很輕鬆,咱們只須要定義其日誌文件的轉儲規則便可。
5、啓動網絡日誌服務,讓rsyslog工做在tcp或者udp協議上,配置rsyslog成爲日誌服務器
1)rsyslog工做在tcp或者udp協議的514端口配置
[root@test ~]#grep -i "tcp" /etc/rsyslog.conf # Provides TCP syslog reception $ModLoad imtcp $InputTCPServerRun 514 # Remote Logging (we use TCP for reliable delivery) [root@test ~]#grep -i "udp" /etc/rsyslog.conf # Provides UDP syslog reception $ModLoad imudp $UDPServerRun 514 [root@test ~]#
說明:以上配置是將rsyslog配置成工做在udp 514端口上,此時配置好配置文件後重啓服務,此服務器就成爲了rsyslog日誌服務器了,它能夠幫助其餘服務器記錄日誌。
2)重啓rsyslog服務,在其客戶機上配置rsyslog,讓其日誌發送給rsyslog服務器記錄
[root@test ~]#systemctl restart rsyslog [root@test ~]#ss -ntul Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port udp UNCONN 0 0 *:123 *:* udp UNCONN 0 0 127.0.0.1:323 *:* udp UNCONN 0 0 *:514 *:* udp UNCONN 0 0 ::1:323 :::* udp UNCONN 0 0 :::514 :::* tcp LISTEN 0 100 127.0.0.1:25 *:* tcp LISTEN 0 25 *:514 *:* tcp LISTEN 0 128 *:41319 *:* tcp LISTEN 0 50 *:3306 *:* tcp LISTEN 0 100 ::1:25 :::* tcp LISTEN 0 25 :::514 :::* tcp LISTEN 0 128 :::41319 :::* tcp LISTEN 0 128 :::80 :::* [root@test ~]#
說明:能夠看到重啓了服務後,514端口已經起來,接下來配置客戶機的rsyslog,讓其經過網絡發送日誌到日誌服務器上
[root@test-node1 ~]#grep "192.168.0.99" /etc/rsyslog.conf *.info;mail.none;authpriv.none;cron.none @192.168.0.99 [root@test-node1 ~]#
說明:以上配置的意思是除了mail ,authpriv,cron這三個之外的全部設施的info及info以上級別的日誌都發往192.168.0.99記錄,這裏須要注意一點,一個「@」表示鏈接服務器是經過udp協議鏈接,日誌經過udp協議傳送,兩個「@」表示鏈接服務器經過tcp去鏈接,日誌經過tcp協議傳送
3)重啓客戶機上的rsyslog服務,在服務器上查看客戶機的日誌
[root@test-node1 ~]#/etc/init.d/rsyslog restart Shutting down system logger: [ OK ] Starting system logger: [ OK ] [root@test-node1 ~]#logger "i am test-node1" [root@test-node1 ~]#tail /var/log/messages Dec 24 23:06:17 test kernel: cfg80211: (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 0 mBm), (N/A) Dec 24 23:06:17 test kernel: EXT4-fs (sda1): mounted filesystem with ordered data mode. Opts: Dec 24 23:06:17 test kernel: EXT4-fs (dm-2): mounted filesystem with ordered data mode. Opts: Dec 24 23:06:17 test kernel: Adding 4128764k swap on /dev/mapper/VolGroup-lv_swap. Priority:-1 extents:1 across:4128764k Dec 24 23:06:17 test kernel: sky2 eth0: enabling interface Dec 24 23:06:17 test kernel: ADDRCONF(NETDEV_UP): eth0: link is not ready Dec 24 23:06:17 test kernel: sky2 eth0: Link is up at 1000 Mbps, full duplex, flow control both Dec 24 23:06:17 test kernel: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready Dec 24 23:23:06 test kernel: Kernel logging (proc) stopped. Dec 24 23:23:06 test rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1471" x-info="http://www.rsyslog.com"] exiting on signal 15. [root@test-node1 ~]#
說明:能夠看到客戶機上沒有記錄日誌了
[root@test ~]#tail /var/log/messages Dec 24 21:43:07 test systemd: Started System Logging Service. Dec 24 23:26:04 test systemd: Stopping System Logging Service... Dec 24 23:26:04 test rsyslogd: [origin software="rsyslogd" swVersion="8.24.0-41.el7_7.2" x-pid="16136" x-info="http://www.rsyslog.com"] exiting on signal 15. Dec 24 23:26:04 test systemd: Stopped System Logging Service. Dec 24 23:26:04 test systemd: Starting System Logging Service... Dec 24 23:26:04 test rsyslogd: [origin software="rsyslogd" swVersion="8.24.0-41.el7_7.2" x-pid="16359" x-info="http://www.rsyslog.com"] start Dec 24 23:26:04 test rsyslogd: action '*' treated as ':omusrmsg:*' - please use ':omusrmsg:*' syntax instead, '*' will not be supported in the future [v8.24.0-41.el7_7.2 try http://www.rsyslog.com/e/2184 ] Dec 24 23:26:04 test systemd: Started System Logging Service. Dec 24 23:26:04 test rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 76: warnings occured in file '/etc/rsyslog.conf' around line 76 [v8.24.0-41.el7_7.2 try http://www.rsyslog.com/e/2207 ] Dec 24 23:26:13 test-node1 qiuhom: i am test-node1 [root@test ~]#
說明:在日誌服務器上能夠看到咱們剛纔的測試日誌信息,這裏須要說一下,咱們客戶端經過網絡把日誌發送給服務端,服務端裏怎麼儲存要看服務端配置,服務端能夠把它儲存到數據庫,儲存到文件均可以。
6、rsyslog將日誌記錄於mysql中
1)準備數據庫服務器
[root@test ~]#yum install mariadb 已加載插件:fastestmirror Loading mirror speeds from cached hostfile * base: mirrors.aliyun.com * extras: mirrors.aliyun.com * updates: mirrors.aliyun.com base | 3.6 kB 00:00:00 dockerrepo | 2.9 kB 00:00:00 epel | 5.3 kB 00:00:00 extras | 2.9 kB 00:00:00 updates | 2.9 kB 00:00:00 軟件包 1:mariadb-5.5.64-1.el7.x86_64 已安裝而且是最新版本 無須任何處理 [root@test ~]#systemctl status mariadb ● mariadb.service - MariaDB database server Loaded: loaded (/usr/lib/systemd/system/mariadb.service; disabled; vendor preset: disabled) Active: inactive (dead) [root@test ~]#systemctl start mariadb [root@test ~]#mysql Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 2 Server version: 5.5.64-MariaDB MariaDB Server Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]>
說明:mariadb同mysql相似,yum安裝mariadb 並啓動服務便可
2)在mariadb server上受權rsyslog能鏈接至當前數據庫服務器
MariaDB [(none)]> select user,host,password from mysql.user
-> ;
+------+-----------+----------+
| user | host | password |
+------+-----------+----------+
| root | localhost | |
+------+-----------+----------+
1 row in set (0.00 sec)
MariaDB [(none)]> grant all on Syslog.* to 'rsyslog'@'%' identified by 'rsyslogpass';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> select user,host,password from mysql.user;
+---------+-----------+-------------------------------------------+
| user | host | password |
+---------+-----------+-------------------------------------------+
| root | localhost | |
| rsyslog | % | *3AABCFD2E87DD4D86B283A77A7B21E449FBA9AFA |
+---------+-----------+-------------------------------------------+
2 rows in set (0.00 sec)
MariaDB [(none)]>
3)在rsyslog服務器上安裝mysql模塊相關的程序包rsyslog-mysql
[root@test ~]#yum install rsyslog-mysql 已加載插件:fastestmirror Loading mirror speeds from cached hostfile * base: mirrors.aliyun.com * extras: mirrors.aliyun.com * updates: mirrors.aliyun.com 正在解決依賴關係 --> 正在檢查事務 ---> 軟件包 rsyslog-mysql.x86_64.0.8.24.0-41.el7_7.2 將被 安裝 --> 正在處理依賴關係 rsyslog = 8.24.0-41.el7_7.2,它被軟件包 rsyslog-mysql-8.24.0-41.el7_7.2.x86_64 須要 --> 正在檢查事務 ---> 軟件包 rsyslog.x86_64.0.8.24.0-34.el7 將被 升級 ---> 軟件包 rsyslog.x86_64.0.8.24.0-41.el7_7.2 將被 更新 --> 解決依賴關係完成 依賴關係解決 ===================================================================================================================== Package 架構 版本 源 大小 ===================================================================================================================== 正在安裝: rsyslog-mysql x86_64 8.24.0-41.el7_7.2 updates 42 k 爲依賴而更新: rsyslog x86_64 8.24.0-41.el7_7.2 updates 616 k 事務概要 ===================================================================================================================== 安裝 1 軟件包 升級 ( 1 依賴軟件包) 總下載量:659 k Is this ok [y/d/N]: y Downloading packages: Delta RPMs disabled because /usr/bin/applydeltarpm not installed. (1/2): rsyslog-mysql-8.24.0-41.el7_7.2.x86_64.rpm | 42 kB 00:00:00 (2/2): rsyslog-8.24.0-41.el7_7.2.x86_64.rpm | 616 kB 00:00:00 --------------------------------------------------------------------------------------------------------------------- 總計 858 kB/s | 659 kB 00:00:00 Running transaction check Running transaction test Transaction test succeeded Running transaction 正在更新 : rsyslog-8.24.0-41.el7_7.2.x86_64 1/3 正在安裝 : rsyslog-mysql-8.24.0-41.el7_7.2.x86_64 2/3 清理 : rsyslog-8.24.0-34.el7.x86_64 3/3 驗證中 : rsyslog-8.24.0-41.el7_7.2.x86_64 1/3 驗證中 : rsyslog-mysql-8.24.0-41.el7_7.2.x86_64 2/3 驗證中 : rsyslog-8.24.0-34.el7.x86_64 3/3 已安裝: rsyslog-mysql.x86_64 0:8.24.0-41.el7_7.2 做爲依賴被升級: rsyslog.x86_64 0:8.24.0-41.el7_7.2 完畢! [root@test ~]#
說明:此插件必須在rsyslog服務器上安裝,也就說你準備把那臺服務器的日誌記錄到數據庫中你就在那臺日誌服務器上安裝此插件便可。
4)爲rsyslog建立數據庫及表
[root@test ~]#rpm -ql rsyslog-mysql /usr/lib64/rsyslog/ommysql.so /usr/share/doc/rsyslog-8.24.0/mysql-createDB.sql [root@test ~]#mysql < /usr/share/doc/rsyslog-8.24.0/mysql-createDB.sql [root@test ~]#mysql Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 4 Server version: 5.5.64-MariaDB MariaDB Server Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | Syslog | | mysql | | performance_schema | | test | +--------------------+ 5 rows in set (0.00 sec) MariaDB [(none)]> use Syslog Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed MariaDB [Syslog]> show tables; +------------------------+ | Tables_in_Syslog | +------------------------+ | SystemEvents | | SystemEventsProperties | +------------------------+ 2 rows in set (0.00 sec) MariaDB [Syslog]>
說明:本人使用的是一臺主機,若須要把遠程主機上的日誌記錄到數據庫中,導入sql腳本時須要指定用戶名,主機以及密碼
5)配置rsyslog將日誌保存到mysql中
[root@test ~]#grep "ommysql" /etc/rsyslog.conf $ModLoad ommysql *.info;mail.none;authpriv.none;cron.none :ommysql:192.168.0.99,Syslog,rsyslog,rsyslogpass [root@test ~]#
說明:在須要將日誌記錄到mysql的主機上編輯/etc/rsyslog.conf 將其$ModLoad ommysql 寫在#### MODULES #### 下,將須要記錄的日誌設施和日誌級別以及數據庫的地址,數據庫名,鏈接數據庫用戶名和密碼寫在#### RULES ####下,如上所示
6)重啓rsyslog服務
[root@test ~]#systemctl restart rsyslog
到此rsyslog就會將日誌記錄到配置文件裏指定的數據庫裏
7)在數據庫中查看日誌
[root@test ~]#mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 6
Server version: 5.5.64-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> use Syslog
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [Syslog]> show tables;
+------------------------+
| Tables_in_Syslog |
+------------------------+
| SystemEvents |
| SystemEventsProperties |
+------------------------+
2 rows in set (0.00 sec)
MariaDB [Syslog]> select * from SystemEvents;
+----+------------+---------------------+---------------------+----------+----------+----------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+-------------+-----------+---------------+---------+-----------------+--------------+-----------+----------+----------+------------+-----------+--------------+-----------------+----------+
| ID | CustomerID | ReceivedAt | DeviceReportedTime | Facility | Priority | FromHost | Message | NTSeverity | Importance | EventSource | EventUser | EventCategory | EventID | EventBinaryData | MaxAvailable | CurrUsage | MinUsage | MaxUsage | InfoUnitID | SysLogTag | EventLogType | GenericFileName | SystemID |
+----+------------+---------------------+---------------------+----------+----------+----------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+-------------+-----------+---------------+---------+-----------------+--------------+-----------+----------+----------+------------+-----------+--------------+-----------------+----------+
| 1 | NULL | 2019-12-24 22:00:51 | 2019-12-24 22:00:51 | 3 | 6 | test | Stopping System Logging Service... | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 1 | systemd: | NULL | NULL | NULL |
| 2 | NULL | 2019-12-24 22:00:51 | 2019-12-24 22:00:51 | 5 | 6 | test | [origin software="rsyslogd" swVersion="8.24.0-41.el7_7.2" x-pid="12777" x-info="http://www.rsyslog.com"] exiting on signal 15. | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 1 | rsyslogd: | NULL | NULL | NULL |
| 3 | NULL | 2019-12-24 22:00:51 | 2019-12-24 22:00:51 | 3 | 6 | test | Stopped System Logging Service. | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 1 | systemd: | NULL | NULL | NULL |
| 4 | NULL | 2019-12-24 22:00:51 | 2019-12-24 22:00:51 | 3 | 6 | test | Starting System Logging Service... | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 1 | systemd: | NULL | NULL | NULL |
| 5 | NULL | 2019-12-24 22:00:51 | 2019-12-24 22:00:51 | 5 | 6 | test | [origin software="rsyslogd" swVersion="8.24.0-41.el7_7.2" x-pid="13125" x-info="http://www.rsyslog.com"] start | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 1 | rsyslogd: | NULL | NULL | NULL |
| 6 | NULL | 2019-12-24 22:00:51 | 2019-12-24 22:00:51 | 5 | 4 | test | action '*' treated as ':omusrmsg:*' - please use ':omusrmsg:*' syntax instead, '*' will not be supported in the future [v8.24.0-41.el7_7.2 try http://www.rsyslog.com/e/2184 ] | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 1 | rsyslogd: | NULL | NULL | NULL |
| 7 | NULL | 2019-12-24 22:00:51 | 2019-12-24 22:00:51 | 3 | 6 | test | Started System Logging Service. | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 1 | systemd: | NULL | NULL | NULL |
| 8 | NULL | 2019-12-24 22:00:51 | 2019-12-24 22:00:51 | 5 | 3 | test | error during parsing file /etc/rsyslog.conf, on or before line 76: warnings occured in file '/etc/rsyslog.conf' around line 76 [v8.24.0-41.el7_7.2 try http://www.rsyslog.com/e/2207 ] | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 1 | rsyslogd: | NULL | NULL | NULL |
| 9 | NULL | 2019-12-24 22:01:01 | 2019-12-24 22:01:01 | 3 | 6 | test | Started Session 39 of user root. | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 1 | systemd: | NULL | NULL | NULL |
+----+------------+---------------------+---------------------+----------+----------+----------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+-------------+-----------+---------------+---------+-----------------+--------------+-----------+----------+----------+------------+-----------+--------------+-----------------+----------+
9 rows in set (0.00 sec)
MariaDB [Syslog]> select * from SystemEvents\G
*************************** 1. row ***************************
ID: 1
CustomerID: NULL
ReceivedAt: 2019-12-24 22:00:51
DeviceReportedTime: 2019-12-24 22:00:51
Facility: 3
Priority: 6
FromHost: test
Message: Stopping System Logging Service...
NTSeverity: NULL
Importance: NULL
EventSource: NULL
EventUser: NULL
EventCategory: NULL
EventID: NULL
EventBinaryData: NULL
MaxAvailable: NULL
CurrUsage: NULL
MinUsage: NULL
MaxUsage: NULL
InfoUnitID: 1
SysLogTag: systemd:
EventLogType: NULL
GenericFileName: NULL
SystemID: NULL
*************************** 2. row ***************************
ID: 2
CustomerID: NULL
ReceivedAt: 2019-12-24 22:00:51
DeviceReportedTime: 2019-12-24 22:00:51
Facility: 5
Priority: 6
FromHost: test
Message: [origin software="rsyslogd" swVersion="8.24.0-41.el7_7.2" x-pid="12777" x-info="http://www.rsyslog.com"] exiting on signal 15.
NTSeverity: NULL
Importance: NULL
EventSource: NULL
EventUser: NULL
EventCategory: NULL
EventID: NULL
EventBinaryData: NULL
MaxAvailable: NULL
CurrUsage: NULL
MinUsage: NULL
MaxUsage: NULL
InfoUnitID: 1
SysLogTag: rsyslogd:
EventLogType: NULL
GenericFileName: NULL
SystemID: NULL
*************************** 3. row ***************************
ID: 3
CustomerID: NULL
ReceivedAt: 2019-12-24 22:00:51
DeviceReportedTime: 2019-12-24 22:00:51
Facility: 3
Priority: 6
FromHost: test
Message: Stopped System Logging Service.
NTSeverity: NULL
Importance: NULL
EventSource: NULL
EventUser: NULL
EventCategory: NULL
EventID: NULL
EventBinaryData: NULL
MaxAvailable: NULL
CurrUsage: NULL
MinUsage: NULL
MaxUsage: NULL
InfoUnitID: 1
SysLogTag: systemd:
EventLogType: NULL
GenericFileName: NULL
SystemID: NULL
*************************** 4. row ***************************
ID: 4
CustomerID: NULL
ReceivedAt: 2019-12-24 22:00:51
DeviceReportedTime: 2019-12-24 22:00:51
Facility: 3
Priority: 6
FromHost: test
Message: Starting System Logging Service...
NTSeverity: NULL
Importance: NULL
EventSource: NULL
EventUser: NULL
EventCategory: NULL
EventID: NULL
EventBinaryData: NULL
MaxAvailable: NULL
CurrUsage: NULL
MinUsage: NULL
MaxUsage: NULL
InfoUnitID: 1
SysLogTag: systemd:
EventLogType: NULL
GenericFileName: NULL
SystemID: NULL
*************************** 5. row ***************************
ID: 5
CustomerID: NULL
ReceivedAt: 2019-12-24 22:00:51
DeviceReportedTime: 2019-12-24 22:00:51
Facility: 5
Priority: 6
FromHost: test
Message: [origin software="rsyslogd" swVersion="8.24.0-41.el7_7.2" x-pid="13125" x-info="http://www.rsyslog.com"] start
NTSeverity: NULL
Importance: NULL
EventSource: NULL
EventUser: NULL
EventCategory: NULL
EventID: NULL
EventBinaryData: NULL
MaxAvailable: NULL
CurrUsage: NULL
MinUsage: NULL
MaxUsage: NULL
InfoUnitID: 1
SysLogTag: rsyslogd:
EventLogType: NULL
GenericFileName: NULL
SystemID: NULL
*************************** 6. row ***************************
ID: 6
CustomerID: NULL
ReceivedAt: 2019-12-24 22:00:51
DeviceReportedTime: 2019-12-24 22:00:51
Facility: 5
Priority: 4
FromHost: test
Message: action '*' treated as ':omusrmsg:*' - please use ':omusrmsg:*' syntax instead, '*' will not be supported in the future [v8.24.0-41.el7_7.2 try http://www.rsyslog.com/e/2184 ]
NTSeverity: NULL
Importance: NULL
EventSource: NULL
EventUser: NULL
EventCategory: NULL
EventID: NULL
EventBinaryData: NULL
MaxAvailable: NULL
CurrUsage: NULL
MinUsage: NULL
MaxUsage: NULL
InfoUnitID: 1
SysLogTag: rsyslogd:
EventLogType: NULL
GenericFileName: NULL
SystemID: NULL
*************************** 7. row ***************************
ID: 7
CustomerID: NULL
ReceivedAt: 2019-12-24 22:00:51
DeviceReportedTime: 2019-12-24 22:00:51
Facility: 3
Priority: 6
FromHost: test
Message: Started System Logging Service.
NTSeverity: NULL
Importance: NULL
EventSource: NULL
EventUser: NULL
EventCategory: NULL
EventID: NULL
EventBinaryData: NULL
MaxAvailable: NULL
CurrUsage: NULL
MinUsage: NULL
MaxUsage: NULL
InfoUnitID: 1
SysLogTag: systemd:
EventLogType: NULL
GenericFileName: NULL
SystemID: NULL
*************************** 8. row ***************************
ID: 8
CustomerID: NULL
ReceivedAt: 2019-12-24 22:00:51
DeviceReportedTime: 2019-12-24 22:00:51
Facility: 5
Priority: 3
FromHost: test
Message: error during parsing file /etc/rsyslog.conf, on or before line 76: warnings occured in file '/etc/rsyslog.conf' around line 76 [v8.24.0-41.el7_7.2 try http://www.rsyslog.com/e/2207 ]
NTSeverity: NULL
Importance: NULL
EventSource: NULL
EventUser: NULL
EventCategory: NULL
EventID: NULL
EventBinaryData: NULL
MaxAvailable: NULL
CurrUsage: NULL
MinUsage: NULL
MaxUsage: NULL
InfoUnitID: 1
SysLogTag: rsyslogd:
EventLogType: NULL
GenericFileName: NULL
SystemID: NULL
*************************** 9. row ***************************
ID: 9
CustomerID: NULL
ReceivedAt: 2019-12-24 22:01:01
DeviceReportedTime: 2019-12-24 22:01:01
Facility: 3
Priority: 6
FromHost: test
Message: Started Session 39 of user root.
NTSeverity: NULL
Importance: NULL
EventSource: NULL
EventUser: NULL
EventCategory: NULL
EventID: NULL
EventBinaryData: NULL
MaxAvailable: NULL
CurrUsage: NULL
MinUsage: NULL
MaxUsage: NULL
InfoUnitID: 1
SysLogTag: systemd:
EventLogType: NULL
GenericFileName: NULL
SystemID: NULL
9 rows in set (0.00 sec)
MariaDB [Syslog]>
說明:可看到咱們重啓rsyslog服務產生的日誌都記錄於數據庫裏了。
7、經過loganalyzer展現數據庫中的日誌
1)在rsyslog服務器上準備amp或者nmp組合
[root@test ~]#yum install httpd php php-mysql php-gd -y 已加載插件:fastestmirror Loading mirror speeds from cached hostfile * base: mirrors.aliyun.com * extras: mirrors.aliyun.com * updates: mirrors.aliyun.com 軟件包 httpd-2.4.6-90.el7.centos.x86_64 已安裝而且是最新版本 正在解決依賴關係 --> 正在檢查事務 ---> 軟件包 php.x86_64.0.5.4.16-46.1.el7_7 將被 安裝 --> 正在處理依賴關係 php-common(x86-64) = 5.4.16-46.1.el7_7,它被軟件包 php-5.4.16-46.1.el7_7.x86_64 須要 --> 正在處理依賴關係 php-cli(x86-64) = 5.4.16-46.1.el7_7,它被軟件包 php-5.4.16-46.1.el7_7.x86_64 須要 ---> 軟件包 php-gd.x86_64.0.5.4.16-46.1.el7_7 將被 安裝 --> 正在處理依賴關係 libt1.so.5()(64bit),它被軟件包 php-gd-5.4.16-46.1.el7_7.x86_64 須要 ---> 軟件包 php-mysql.x86_64.0.5.4.16-46.1.el7_7 將被 安裝 --> 正在處理依賴關係 php-pdo(x86-64) = 5.4.16-46.1.el7_7,它被軟件包 php-mysql-5.4.16-46.1.el7_7.x86_64 須要 --> 正在檢查事務 ---> 軟件包 php-cli.x86_64.0.5.4.16-46.1.el7_7 將被 安裝 ---> 軟件包 php-common.x86_64.0.5.4.16-46.1.el7_7 將被 安裝 --> 正在處理依賴關係 libzip.so.2()(64bit),它被軟件包 php-common-5.4.16-46.1.el7_7.x86_64 須要 ---> 軟件包 php-pdo.x86_64.0.5.4.16-46.1.el7_7 將被 安裝 ---> 軟件包 t1lib.x86_64.0.5.1.2-14.el7 將被 安裝 --> 正在檢查事務 ---> 軟件包 libzip.x86_64.0.0.10.1-8.el7 將被 安裝 --> 解決依賴關係完成 依賴關係解決 ===================================================================================================================== Package 架構 版本 源 大小 ===================================================================================================================== 正在安裝: php x86_64 5.4.16-46.1.el7_7 updates 1.4 M php-gd x86_64 5.4.16-46.1.el7_7 updates 128 k php-mysql x86_64 5.4.16-46.1.el7_7 updates 101 k 爲依賴而安裝: libzip x86_64 0.10.1-8.el7 base 48 k php-cli x86_64 5.4.16-46.1.el7_7 updates 2.7 M php-common x86_64 5.4.16-46.1.el7_7 updates 565 k php-pdo x86_64 5.4.16-46.1.el7_7 updates 99 k t1lib x86_64 5.1.2-14.el7 base 166 k 事務概要 ===================================================================================================================== 安裝 3 軟件包 (+5 依賴軟件包) 總下載量:5.2 M 安裝大小:18 M Downloading packages: (1/8): libzip-0.10.1-8.el7.x86_64.rpm | 48 kB 00:00:00 (2/8): php-cli-5.4.16-46.1.el7_7.x86_64.rpm | 2.7 MB 00:00:00 (3/8): php-common-5.4.16-46.1.el7_7.x86_64.rpm | 565 kB 00:00:00 (4/8): php-gd-5.4.16-46.1.el7_7.x86_64.rpm | 128 kB 00:00:00 (5/8): php-mysql-5.4.16-46.1.el7_7.x86_64.rpm | 101 kB 00:00:00 (6/8): php-pdo-5.4.16-46.1.el7_7.x86_64.rpm | 99 kB 00:00:00 (7/8): php-5.4.16-46.1.el7_7.x86_64.rpm | 1.4 MB 00:00:01 (8/8): t1lib-5.1.2-14.el7.x86_64.rpm | 166 kB 00:00:00 --------------------------------------------------------------------------------------------------------------------- 總計 3.7 MB/s | 5.2 MB 00:00:01 Running transaction check Running transaction test Transaction test succeeded Running transaction 正在安裝 : libzip-0.10.1-8.el7.x86_64 1/8 正在安裝 : php-common-5.4.16-46.1.el7_7.x86_64 2/8 正在安裝 : php-cli-5.4.16-46.1.el7_7.x86_64 3/8 正在安裝 : php-pdo-5.4.16-46.1.el7_7.x86_64 4/8 正在安裝 : t1lib-5.1.2-14.el7.x86_64 5/8 正在安裝 : php-gd-5.4.16-46.1.el7_7.x86_64 6/8 正在安裝 : php-mysql-5.4.16-46.1.el7_7.x86_64 7/8 正在安裝 : php-5.4.16-46.1.el7_7.x86_64 8/8 驗證中 : php-cli-5.4.16-46.1.el7_7.x86_64 1/8 驗證中 : t1lib-5.1.2-14.el7.x86_64 2/8 驗證中 : libzip-0.10.1-8.el7.x86_64 3/8 驗證中 : php-5.4.16-46.1.el7_7.x86_64 4/8 驗證中 : php-common-5.4.16-46.1.el7_7.x86_64 5/8 驗證中 : php-mysql-5.4.16-46.1.el7_7.x86_64 6/8 驗證中 : php-gd-5.4.16-46.1.el7_7.x86_64 7/8 驗證中 : php-pdo-5.4.16-46.1.el7_7.x86_64 8/8 已安裝: php.x86_64 0:5.4.16-46.1.el7_7 php-gd.x86_64 0:5.4.16-46.1.el7_7 php-mysql.x86_64 0:5.4.16-46.1.el7_7 做爲依賴被安裝: libzip.x86_64 0:0.10.1-8.el7 php-cli.x86_64 0:5.4.16-46.1.el7_7 php-common.x86_64 0:5.4.16-46.1.el7_7 php-pdo.x86_64 0:5.4.16-46.1.el7_7 t1lib.x86_64 0:5.1.2-14.el7 完畢! [root@test ~]#
2)安裝loganalyzer
[root@test ~]#rz rz waiting to receive. zmodem trl+C ȡ 100% 1022 KB 1022 KB/s 00:00:01 0 Errorsgz... [root@test ~]#ls checkip.sh dos.sh install_nginx.yml loganalyzer-3.6.5.tar.gz nginx_role.yml roles selinux.sh templates [root@test ~]#tar xf loganalyzer-3.6.5.tar.gz [root@test ~]#cp -a loganalyzer-3.6.5/src/ /var/www/html/loganalyzer [root@test ~]#cd /var/www/html/loganalyzer [root@test loganalyzer]#touch config.php [root@test loganalyzer]#chmod 666 config.php [root@test loganalyzer]#
3)配置loganalyzer
[root@test ~]#systemctl start httpd
說明:啓動httpd服務後,在瀏覽器上配置loganalyzer ,用瀏覽器打開http://192.168.0.99/loganalyzer 192.168.0.99是本人環境的httpd服務器地址
至此loganalyzer就配置安裝完畢了,最後還須要注意一點的是 /var/www/html/loganalyzer/config.php 的權限須要改一下,把組和其餘的寫權限取消掉
[root@test ~]#cd /var/www/html/loganalyzer/ [root@test loganalyzer]#chmod 644 config.php
原文出處:https://www.cnblogs.com/qiuhom-1874/p/12091118.html
相關文章
- 1. Linux日誌管理系統rsyslog
- 2. Linux日誌管理(rsyslog系統日誌和logrotate日誌輪轉)
- 3. 日誌管理 —— rsyslog 系統日誌管理 logrotate 日誌輪轉
- 4. linux的系統日誌rsyslog
- 5. 日誌管理-rsyslog
- 6. Rsyslog日誌系統
- 7. rsyslog日誌系統
- 8. Linux 日誌管理——rsyslog&logrotate日誌管理【CentOS】
- 9. Linux系統日誌管理(systemd-journald,rsyslog,timedatectl,時間同步)
- 10. linux系統日誌管理
- 更多相關文章...
- • Swarm 集羣管理 - Docker教程
- • Maven 依賴管理 - Maven教程
- • Docker容器實戰(七) - 容器眼光下的文件系統
- • Docker 清理命令
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
歡迎關注本站公眾號,獲取更多信息
相關文章