Linux system log file analysis!
Posted by handsomeboy-东
Log file overview
- Log files are the files that record system activity: when, where and by whom an operation was performed, and any error output it produced. A competent administrator reads them regularly so as to know the current state of the system at any time.
The role of log files
- Record the events that occur while the system and its programs run
- Provide the evidence for diagnosing and fixing system problems (and for reconstructing what happened after a security incident)
General format of a log line
- Date and time the event occurred (the traditional syslog timestamp carries no year and no time zone)
- Hostname
- Name of the service or command that generated the event, usually followed by its PID in square brackets
- The message itself
Common system log files
/var/log/boot.log: messages from the current boot
/var/log/cron: runs of periodic scheduled tasks (crond)
/var/log/lastlog: most recent login of every account on the system (binary file; read it with the lastlog command)
/var/log/maillog: mail traffic
/var/log/messages: the most important general log; almost all error messages and other significant events that are not routed to a more specific file end up here
/var/log/secure: the system security log; authentication and authorization events from sshd, sudo, su and PAM (the authpriv facility on CentOS 7)
/var/log/wtmp, /var/log/btmp: successful logins (wtmp, read with last) and failed login attempts (btmp, read with lastb); /var/log/faillog is a separate per-account failure counter, read with the faillog command
/var/log/<service name>: each network service keeps its own log, e.g. /var/log/httpd/ for Apache
[root@AIDEBOY whd]# tail -f /var/log/messages //follow the messages log in real time
May 18 21:35:41 AIDEBOY dbus[6345]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
May 18 21:35:41 AIDEBOY dhclient[32952]: bound to 192.168.43.141 -- renewal in 800 seconds.
May 18 21:35:41 AIDEBOY systemd: Starting Network Manager Script Dispatcher Service...
May 18 21:35:41 AIDEBOY dbus[6345]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
May 18 21:35:41 AIDEBOY systemd: Started Network Manager Script Dispatcher Service.
May 18 21:35:41 AIDEBOY nm-dispatcher: req:1 'dhcp4-change' [ens33]: new request (4 scripts)
May 18 21:35:41 AIDEBOY nm-dispatcher: req:1 'dhcp4-change' [ens33]: start running ordered scripts...
May 18 21:36:01 AIDEBOY systemd: Started Session 341 of user root.
May 18 21:36:15 AIDEBOY chronyd[6435]: Selected source 203.107.6.88
May 18 21:38:01 AIDEBOY systemd: Started Session 342 of user root.
[root@AIDEBOY whd]# tail /var/log/httpd/error_log
[Thu Apr 29 14:24:07.182492 2021] [core:notice] [pid 14140] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Thu Apr 29 14:27:14.396207 2021] [autoindex:error] [pid 14142] [client 127.0.0.1:41134] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive
[Thu Apr 29 15:13:04.150055 2021] [mpm_prefork:notice] [pid 14140] AH00170: caught SIGWINCH, shutting down gracefully
[Thu Apr 29 16:20:32.500302 2021] [core:notice] [pid 19270] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Thu Apr 29 16:20:32.501206 2021] [suexec:notice] [pid 19270] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.43.136. Set the 'ServerName' directive globally to suppress this message
[Thu Apr 29 16:20:33.530524 2021] [lbmethod_heartbeat:notice] [pid 19270] AH02282: No slotmem from mod_heartmonitor
[Thu Apr 29 16:20:33.534053 2021] [mpm_prefork:notice] [pid 19270] AH00163: Apache/2.4.6 (CentOS) configured -- resuming normal operations
[Thu Apr 29 16:20:33.534069 2021] [core:notice] [pid 19270] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Fri Apr 30 13:40:41.353488 2021] [mpm_prefork:notice] [pid 19270] AH00170: caught SIGWINCH, shutting down gracefully
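The four-field line format described above is what every line of /var/log/messages and /var/log/secure follows, and the first thing an administrator wants from /var/log/secure is a count of failed SSH logins per source address. As an added worked example, not code from the original post, the Python below parses that format and runs exactly that check. The sample lines are constructed for the example (hostnames, PIDs and addresses are made up; the two 192.0.2.x and 192.168.43.x addresses are placeholders); the "Failed password for ... from ... port ..." shape is the standard message sshd writes to /var/log/secure, and the year passed to the parser is an assumption because the timestamp format does not carry one.

```python
import re
from collections import Counter
from datetime import datetime

# Traditional syslog line as rsyslog writes it on CentOS 7:
#   "May 18 21:35:41 AIDEBOY dbus[6345]: [system] Activating via systemd: ..."
# fields: timestamp, hostname, program[pid] (pid optional), message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[\]:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Shape of the failure line sshd logs to /var/log/secure (authpriv facility).
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample lines for this example (hosts, PIDs and addresses are made up).
SAMPLE_LINES = [
    "May 18 21:35:41 AIDEBOY dbus[6345]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'",
    "May 18 21:36:01 AIDEBOY systemd: Started Session 341 of user root.",
    "May 18 21:40:02 AIDEBOY sshd[40111]: Failed password for invalid user admin from 192.0.2.77 port 51234 ssh2",
    "May 18 21:40:03 AIDEBOY sshd[40112]: Failed password for invalid user admin from 192.0.2.77 port 51236 ssh2",
    "May 18 21:40:04 AIDEBOY sshd[40113]: Failed password for root from 192.0.2.77 port 51238 ssh2",
    "May 18 21:40:05 AIDEBOY sshd[40114]: Failed password for root from 192.0.2.77 port 51240 ssh2",
    "May 18 21:40:06 AIDEBOY sshd[40115]: Failed password for root from 192.0.2.77 port 51242 ssh2",
    "May 18 21:41:10 AIDEBOY sshd[40120]: Failed password for whd from 192.168.43.1 port 50020 ssh2",
    "May 18 21:41:15 AIDEBOY sshd[40120]: Accepted password for whd from 192.168.43.1 port 50020 ssh2",
    "this line is not syslog formatted and must be skipped",
]


def parse_line(line, year=2021):
    """Split one syslog line into its fields; return None if it does not match.

    The traditional timestamp has no year (or time zone), so the caller supplies
    the year; 2021 is assumed here to match the sample lines."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "host": m["host"],
        "prog": m["prog"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "msg": m["msg"],
    }


def failed_logins_by_ip(lines):
    """Count sshd 'Failed password' events per source address."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["prog"] != "sshd":
            continue
        f = FAILED_RE.search(rec["msg"])
        if f:
            counts[f["ip"]] += 1
    return counts


def brute_force_sources(lines, threshold=5):
    """Addresses with at least `threshold` failures: the ones worth blocking or investigating."""
    return sorted(ip for ip, n in failed_logins_by_ip(lines).items() if n >= threshold)


if __name__ == "__main__":
    # On a real host: failed_logins_by_ip(open("/var/log/secure"))
    for ip, n in failed_logins_by_ip(SAMPLE_LINES).most_common():
        print(f"{ip:16} {n} failed logins")
    print("suspect sources:", brute_force_sources(SAMPLE_LINES))
```

Two caveats when running this over real files: logrotate produces /var/log/secure-YYYYMMDD copies that must be included to see more than a week, and a year boundary inside the file breaks the single-year assumption in parse_line.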
Log file management
- On CentOS 7 the log files are written by rsyslogd (rsyslog.service), which is enabled to start with the system; its configuration is /etc/rsyslog.conf plus the drop-ins under /etc/rsyslog.d/. Each rule there is a selector of the form facility.priority followed by an action, and that is what decides which file a message lands in: the CentOS 7 defaults send authpriv.* to /var/log/secure, cron.* to /var/log/cron, mail.* to /var/log/maillog and the rest (*.info;mail.none;authpriv.none;cron.none) to /var/log/messages. Since anyone who gains root can edit or truncate these files, forwarding a copy to a remote collector is the one configuration that keeps a usable history after a compromise.
[root@AIDEBOY whd]# ps -ef | grep rsyslog
root 6719 1 0 May17 ? 00:00:06 /usr/sbin/rsyslogd -n
root 33713 33064 0 21:51 pts/0 00:00:00 grep --color=auto rsyslog
[root@AIDEBOY whd]# systemctl is-enabled rsyslog
enabled
[root@AIDEBOY whd]# systemctl status rsyslog
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2021-05-10 14:14:12 CST; 1 weeks 1 days ago
Docs: man:rsyslogd(8)
http://www.rsyslog.com/doc/
Main PID: 6719 (rsyslogd)
Tasks: 3
CGroup: /system.slice/rsyslog.service
└─6719 /usr/sbin/rsyslogd -n
May 10 14:14:06 AIDEBOY systemd[1]: Starting System Logging Service...
May 10 14:14:12 AIDEBOY rsyslogd[6719]: [origin software="rsyslogd" swVersion="8.24.0-34.el7" x-pid="6719" x-info="http://...] start
May 10 14:14:12 AIDEBOY systemd[1]: Started System Logging Service.
May 18 15:29:01 AIDEBOY rsyslogd[6719]: [origin software="rsyslogd" swVersion="8.24.0-34.el7" x-pid="6719" x-info="http://...s HUPed
Hint: Some lines were ellipsized, use -l to show in full.
Log message levels
- The number is a severity, and the lower it is the worse the situation: level 0 means the system is about to stop, level 7 is debugging chatter. A filter such as journalctl -p err therefore keeps levels 0 to 3, not 3 and above.
- 0 (emerg): emergency, the system is unusable or about to go down; the most serious level, often a hardware failure
- 1 (alert): action must be taken immediately
- 2 (crit): critical conditions
- 3 (err, also spelled error): an error occurred while running; the usual starting point for troubleshooting
- 4 (warning): something may be about to go wrong
- 5 (notice): normal but significant, still worth a look
- 6 (info): ordinary informational messages
- 7 (debug): program or system debugging output
Viewing user login information
dmesg: print the kernel ring buffer (boot and hardware messages; the buffer is a fixed size, so on a long-running system the earliest messages are already overwritten and /var/log/boot.log or the journal must be used instead)
last: list logins and reboots from /var/log/wtmp, newest first
lastlog: the most recent login of every account, from /var/log/lastlog
lastb: failed login attempts, from /var/log/btmp (same output layout as last)
[root@AIDEBOY whd]# last
root pts/2 :0 Wed May 19 09:36 still logged in
whd pts/1 192.168.43.1 Wed May 19 08:29 still logged in
whd pts/0 192.168.43.1 Tue May 18 21:23 - 10:28 (13:04)
whd pts/3 192.168.43.1 Tue May 18 14:45 - 23:33 (08:47)
whd pts/2 192.168.43.1 Tue May 18 14:22 - 23:33 (09:11)
root pts/1 :0 Tue May 18 14:21 - 16:04 (01:43)
whd pts/0 192.168.43.1 Tue May 11 09:52 - 16:32 (7+06:39)
whd pts/1 192.168.43.1 Mon May 10 20:51 - 12:02 (15:10)
whd pts/0 192.168.43.1 Mon May 10 14:15 - 23:02 (08:47)
root :0 :0 Mon May 10 14:14 still logged in
reboot system boot 3.10.0-957.el7.x Mon May 10 14:13 - 13:55 (8+23:41)
whd pts/0 192.168.43.1 Mon May 10 08:35 - 14:13 (05:38)
[root@AIDEBOY whd]# lastlog
Username Port From Latest
root pts/1 Wed May 19 08:29:47 +0800 2021
bin **Never logged in**
daemon **Never logged in**
adm **Never logged in**
lp **Never logged in**
sync **Never logged in**
shutdown **Never logged in**
halt **Never logged in**
mail **Never logged in**
operator **Never logged in**
games **Never logged in**
ftp **Never logged in**
...
gdm :0 Mon May 10 14:14:18 +0800 2021
gnome-initial-setup :0 Thu Apr 22 10:17:53 +0800 2021
sshd **Never logged in**
avahi **Never logged in**
postfix **Never logged in**
tcpdump **Never logged in**
whd pts/1 192.168.43.1 Wed May 19 08:29:39 +0800 2021
apache **Never logged in**
nginx **Never logged in**
Viewing login and other records with journalctl
journalctl: with no arguments, shows the whole journal (from the first entry of the current boot, or earlier when the journal is kept persistently)
Options:
-n: show only the last few lines (10 by default)
-f: follow the journal in real time, like tail -f
-xe: -x adds explanatory text from the message catalog where one exists and -e jumps to the end of the output; journalctl -xe is the form systemd itself suggests when a unit fails to start
-p level: show only entries at that priority or more severe, e.g. -p err for levels 0 to 3
-u unit: show only entries belonging to that systemd unit, e.g. -u sshd for the SSH service's log
[root@AIDEBOY whd]# journalctl -n
-- Logs begin at Mon 2021-05-10 14:13:48 CST, end at Wed 2021-05-19 13:42:01 CST. --
May 19 13:36:01 AIDEBOY systemd[1]: Started Session 616 of user root.
May 19 13:36:01 AIDEBOY CROND[42494]: (root) CMD (/usr/sbin/ntpdate ntp1.aliyun.com >> /var/log/ntp/`date +%Y-%m-%d_%H:%M:%S`.log)
May 19 13:38:01 AIDEBOY systemd[1]: Started Session 617 of user root.
May 19 13:38:01 AIDEBOY CROND[42517]: (root) CMD (/usr/sbin/ntpdate ntp1.aliyun.com >> /var/log/ntp/`date +%Y-%m-%d_%H:%M:%S`.log)
May 19 13:40:01 AIDEBOY systemd[1]: Started Session 618 of user root.
May 19 13:40:01 AIDEBOY systemd[1]: Started Session 619 of user root.
May 19 13:40:01 AIDEBOY CROND[42544]: (root) CMD (/usr/lib64/sa/sa1 1 1)
May 19 13:40:01 AIDEBOY CROND[42545]: (root) CMD (/usr/sbin/ntpdate ntp1.aliyun.com >> /var/log/ntp/`date +%Y-%m-%d_%H:%M:%S`.log)
May 19 13:42:01 AIDEBOY systemd[1]: Started Session 620 of user root.
May 19 13:42:01 AIDEBOY CROND[42574]: (root) CMD (/usr/sbin/ntpdate ntp1.aliyun.com >> /var/log/ntp/`date +%Y-%m-%d_%H:%M:%S`.log)
[root@AIDEBOY whd]# journalctl -p err //show only entries at priority err (3) or more severe
-- Logs begin at Mon 2021-05-10 14:13:48 CST, end at Wed 2021-05-19 13:44:01 CST. --
May 10 14:13:48 AIDEBOY kernel: Detected CPU family 6 model 165 stepping 2
May 10 14:13:48 AIDEBOY kernel: Warning: Intel Processor - this hardware has not undergone upstream testing. Please consult http://wik
May 10 14:13:49 AIDEBOY kernel: sd 2:0:3:0: [sdd] Assuming drive cache: write through
May 10 14:13:49 AIDEBOY kernel: sd 2:0:2:0: [sdc] Assuming drive cache: write through
May 10 14:13:49 AIDEBOY kernel: sd 2:0:0:0: [sda] Assuming drive cache: write through
May 10 14:13:49 AIDEBOY kernel: sd 2:0:1:0: [sdb] Assuming drive cache: write through
May 10 14:13:49 AIDEBOY kernel: sd 2:0:4:0: [sde] Assuming drive cache: write through
May 10 14:13:49 AIDEBOY kernel: sd 2:0:5:0: [sdf] Assuming drive cache: write through
May 10 14:13:49 AIDEBOY kernel: sd 2:0:6:0: [sdg] Assuming drive cache: write through
May 10 14:13:55 AIDEBOY kernel: piix4_smbus 0000:00:07.3: SMBus Host Controller not enabled!
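The level table earlier and the journalctl -p err run above are the same operation: a priority filter that keeps every entry at the given level or more severe, which means numerically lower. As an added example, not code from the original post, the Python below applies that filter to the JSON form of the journal (journalctl -o json prints one object per line with PRIORITY and MESSAGE fields and, for service output, _SYSTEMD_UNIT), so the result can be fed to a script rather than read in a pager. The journal entries embedded here are constructed for the example, not captured from a real host, and treating an entry with no PRIORITY field as info (6) is an assumption of this code.

```python
import json

# The eight syslog severities, index = numeric level; journald stores the same
# number in the PRIORITY field of every entry it keeps.
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Alternative spellings journalctl and rsyslog also accept.
_ALIASES = {"panic": 0, "error": 3, "warn": 4}


def severity_number(level):
    """Map 'err', 'error', '3' or 3 to the numeric level 0..7; reject anything else."""
    s = str(level).strip().lower()
    if s.isdigit():
        n = int(s)
    elif s in SEVERITY:
        n = SEVERITY.index(s)
    elif s in _ALIASES:
        n = _ALIASES[s]
    else:
        raise ValueError(f"unknown priority: {level!r}")
    if not 0 <= n <= 7:
        raise ValueError(f"priority out of range: {level!r}")
    return n


def filter_journal(json_lines, max_level="err", unit=None):
    """Keep entries at `max_level` or more severe, like `journalctl -p LEVEL [-u UNIT]`.

    Severities run the opposite way from intuition: err is 3, so the test is
    PRIORITY <= 3, not >= 3. Entries without a PRIORITY field are treated as
    info (6); that default is an assumption of this example."""
    limit = severity_number(max_level)
    kept = []
    for line in json_lines:
        if not line.strip():
            continue
        entry = json.loads(line)
        pri = int(entry.get("PRIORITY", 6))
        if pri > limit:
            continue
        if unit is not None and entry.get("_SYSTEMD_UNIT") != unit:
            continue
        kept.append({
            "level": SEVERITY[pri],
            # kernel entries carry _TRANSPORT=kernel and no unit
            "unit": entry.get("_SYSTEMD_UNIT", entry.get("_TRANSPORT", "?")),
            "message": entry["MESSAGE"],
        })
    return kept


# Constructed entries in the shape `journalctl -o json` emits (one object per
# line, values as strings); messages and units are made up for this example.
SAMPLE_JOURNAL = [json.dumps(e) for e in [
    {"PRIORITY": "6", "_SYSTEMD_UNIT": "sshd.service", "SYSLOG_IDENTIFIER": "sshd",
     "MESSAGE": "Accepted password for whd from 192.168.43.1 port 50020 ssh2"},
    {"PRIORITY": "3", "_SYSTEMD_UNIT": "sshd.service", "SYSLOG_IDENTIFIER": "sshd",
     "MESSAGE": "error: maximum authentication attempts exceeded for root from 192.0.2.77 port 51300 ssh2 [preauth]"},
    {"PRIORITY": "2", "_TRANSPORT": "kernel", "SYSLOG_IDENTIFIER": "kernel",
     "MESSAGE": "EXT4-fs error (device sda1): ext4_find_entry: reading directory lblock 0"},
    {"PRIORITY": "4", "_SYSTEMD_UNIT": "httpd.service", "SYSLOG_IDENTIFIER": "httpd",
     "MESSAGE": "AH00558: httpd: Could not reliably determine the server's fully qualified domain name"},
    {"PRIORITY": "0", "_SYSTEMD_UNIT": "rsyslog.service", "SYSLOG_IDENTIFIER": "rsyslogd",
     "MESSAGE": "/var/log is full, no further messages can be written"},
    {"PRIORITY": "7", "_SYSTEMD_UNIT": "NetworkManager.service", "SYSLOG_IDENTIFIER": "NetworkManager",
     "MESSAGE": "<debug> dhcp4 (ens33): renewal in 800 seconds"},
    {"_SYSTEMD_UNIT": "crond.service", "SYSLOG_IDENTIFIER": "crond",
     "MESSAGE": "(root) CMD (/usr/lib64/sa/sa1 1 1)"},   # no PRIORITY: treated as info
]]


if __name__ == "__main__":
    # On a real host: filter_journal(subprocess.check_output(["journalctl", "-o", "json"], text=True).splitlines())
    for e in filter_journal(SAMPLE_JOURNAL, "err"):
        print(f"{e['level']:8} {e['unit']:24} {e['message']}")
```

Reading the filter as "this level and anything more severe" is the point: asking for warning returns emerg, alert, crit, err and warning, and narrowing with unit= gives the same slice journalctl -p err -u sshd.service would.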