28. 第22章 日志服务管理
1.将ssh服务的日志记录至自定义的local的日志设备
[root@centos8 ~]# vim /etc/ssh/sshd_config
SyslogFacility local6
:wq
[root@centos8 ~]# vim /etc/rsyslog.conf
local6.* /var/log/sshd.log
:wq
[root@centos8 ~]# ll /var/log/sshd.log
ls: cannot access '/var/log/sshd.log': No such file or directory
[root@centos8 ~]# systemctl restart rsyslog sshd
[root@centos8 ~]# ll /var/log/sshd.log
-rw------- 1 root root 141 Mar 8 17:34 /var/log/sshd.log
[root@centos7 ~]# ssh neteagle@10.0.0.8
neteagle@10.0.0.8's password:
Last login: Mon Mar 8 17:31:44 2021
[root@centos8 ~]# tail -f /var/log/secure
Mar 8 17:36:01 centos8 systemd[9670]: pam_unix(systemd-user:session): session opened for user neteagle by (uid=0)
Mar 8 17:36:01 centos8 sshd[9667]: pam_unix(sshd:session): session opened for user neteagle by (uid=0)
Mar 8 17:37:19 centos8 su[9615]: pam_unix(su-l:session): session closed for user neteagle
[root@centos8 ~]# tail -f /var/log/sshd.log
Mar 8 17:34:31 centos8 sshd[9649]: Server listening on 0.0.0.0 port 22.
Mar 8 17:34:31 centos8 sshd[9649]: Server listening on :: port 22.
Mar 8 17:35:48 centos8 sshd[9665]: Connection closed by authenticating user neteagle 10.0.0.7 port 49538 [preauth]
Mar 8 17:36:01 centos8 sshd[9667]: Accepted password for neteagle from 10.0.0.7 port 49540 ssh2
2.启用网络日志功能（注意：514端口上的syslog传输既不认证也不加密，接收端应通过防火墙只允许可信主机连接）
[root@centos8-2 ~]# vim /etc/rsyslog.conf
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
:wq
[root@centos8-2 ~]# systemctl restart rsyslog
[root@centos8-2 ~]# ss -ntul
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 0.0.0.0:514 0.0.0.0:*
udp UNCONN 0 0 [::]:514 [::]:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
[root@centos8 ~]# vim /etc/rsyslog.conf
local6.* @10.0.0.18:514
:wq
[root@centos8 ~]# systemctl restart rsyslog
[root@centos8-2 ~]# vim /etc/rsyslog.conf
local6.* /var/log/remote.log
:wq
[root@centos8-2 ~]# systemctl restart rsyslog
[root@centos8-2 ~]# ll /var/log/remote.log
ls: cannot access '/var/log/remote.log': No such file or directory
[root@centos7 ~]# ssh neteagle@10.0.0.8
neteagle@10.0.0.8's password:
Last login: Mon Mar 8 17:36:01 2021 from 10.0.0.7
[root@centos8-2 ~]# ll /var/log/remote.log
-rw------- 1 root root 291 Mar 8 18:09 /var/log/remote.log
[root@centos8-2 ~]# tail -f /var/log/remote.log
Mar 8 18:09:34 centos8 sshd[9678]: Received disconnect from 10.0.0.7 port 49540:11: disconnected by user
Mar 8 18:09:34 centos8 sshd[9678]: Disconnected from user neteagle 10.0.0.7 port 49540
Mar 8 18:09:37 centos8 sshd[9761]: Accepted password for neteagle from 10.0.0.7 port 49542 ssh2
root@ubuntu1804:~# vim /etc/rsyslog.d/50-default.conf
*.*;auth,authpriv.none @@10.0.0.18:514 #@@ 代表走TCP协议
:wq
root@ubuntu1804:~# systemctl restart rsyslog
root@ubuntu1804:~# ss -ntul
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:6010 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 128 [::1]:6010 [::]:*
[root@centos8-2 ~]# vim /etc/rsyslog.conf
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
:wq
[root@centos8-2 ~]# systemctl restart rsyslog
[root@centos8-2 ~]# ss -ntul
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 0.0.0.0:514 0.0.0.0:*
udp UNCONN 0 0 [::]:514 [::]:*
tcp LISTEN 0 25 0.0.0.0:514 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 25 [::]:514 [::]:*
tcp LISTEN 0 128 [::]:22 [::]:*
root@ubuntu1804:~# logger "This is test ubuntu log"
[root@centos8-2 ~]# tail -f /var/log/messages
Mar 8 18:25:39 ubuntu1804 root: This is test ubuntu log
3.设置nginx的日志转储
[root@centos8 ~]# cat /etc/logrotate.d/nginx
/var/log/nginx/*.log {
daily
rotate 100
missingok
compress
delaycompress
notifempty
create 644 nginx nginx
postrotate
if [ -f /app/nginx/logs/nginx.pid ]; then
kill -USR1 `cat /app/nginx/logs/nginx.pid`
fi
endscript
}
4.对指定日志手动执行日志转储
[root@centos8 ~]# dd if=/dev/zero of=/var/log/test1.log bs=2M count=1
1+0 records in
1+0 records out
2097152 bytes (2.1 MB, 2.0 MiB) copied, 0.00134912 s, 1.6 GB/s
[root@centos8 ~]# dd if=/dev/zero of=/var/log/test2.log bs=2M count=1
1+0 records in
1+0 records out
2097152 bytes (2.1 MB, 2.0 MiB) copied, 0.00141095 s, 1.5 GB/s
[root@centos8 ~]# vim /etc/logrotate.d/test1
/var/log/test1.log {
daily
rotate 5
compress
delaycompress
missingok
size 1M
notifempty
create 644 root root
postrotate
echo `date +%F_%T` >> /data/test1.log
endscript
}
:wq
[root@centos8 ~]# vim /etc/logrotate.d/test2
/var/log/test2.log {
daily
rotate 5
compress
delaycompress
missingok
size 1M
notifempty
create 644 root root
postrotate
echo `date +%F_%T` >> /data/test2.log
endscript
}
:wq
[root@centos8 ~]# ll /var/log/test*
-rw-r--r-- 1 root root 2097152 Mar 8 20:38 /var/log/test1.log
-rw-r--r-- 1 root root 2097152 Mar 8 20:39 /var/log/test2.log
[root@centos8 ~]# logrotate /etc/logrotate.d/test1
[root@centos8 ~]# ll /var/log/test*
-rw-r--r-- 1 root root 0 Mar 8 20:46 /var/log/test1.log
-rw-r--r-- 1 root root 2097152 Mar 8 20:38 /var/log/test1.log.1
-rw-r--r-- 1 root root 2097152 Mar 8 20:39 /var/log/test2.log
[root@centos8 ~]# dd if=/dev/zero of=/var/log/test1.log bs=2M count=1
1+0 records in
1+0 records out
2097152 bytes (2.1 MB, 2.0 MiB) copied, 0.00117412 s, 1.8 GB/s
[root@centos8 ~]# ll /var/log/test*
-rw-r--r-- 1 root root 2097152 Mar 8 20:47 /var/log/test1.log
-rw-r--r-- 1 root root 2097152 Mar 8 20:38 /var/log/test1.log.1
-rw-r--r-- 1 root root 2097152 Mar 8 20:39 /var/log/test2.log
[root@centos8 ~]# logrotate /etc/logrotate.d/test1
[root@centos8 ~]# ll /var/log/test*
-rw-r--r-- 1 root root 0 Mar 8 20:47 /var/log/test1.log
-rw-r--r-- 1 root root 2097152 Mar 8 20:47 /var/log/test1.log.1
-rw-r--r-- 1 root root 2067 Mar 8 20:38 /var/log/test1.log.2.gz
-rw-r--r-- 1 root root 2097152 Mar 8 20:39 /var/log/test2.log
[root@centos8 ~]# dd if=/dev/zero of=/var/log/test1.log bs=2M count=1
1+0 records in
1+0 records out
2097152 bytes (2.1 MB, 2.0 MiB) copied, 0.00111189 s, 1.9 GB/s
[root@centos8 ~]# logrotate /etc/logrotate.d
[root@centos8 ~]# ll /var/log/test*
-rw-r--r-- 1 root root 0 Mar 8 20:49 /var/log/test1.log
-rw-r--r-- 1 root root 2097152 Mar 8 20:49 /var/log/test1.log.1
-rw-r--r-- 1 root root 2067 Mar 8 20:47 /var/log/test1.log.2.gz
-rw-r--r-- 1 root root 2067 Mar 8 20:38 /var/log/test1.log.3.gz
-rw-r--r-- 1 root root 0 Mar 8 20:49 /var/log/test2.log
-rw-r--r-- 1 root root 2097152 Mar 8 20:39 /var/log/test2.log.1
[root@centos8 ~]# cat /data/test1.log
2021-03-08_20:46:06
2021-03-08_20:47:44
2021-03-08_20:49:21
2021-03-08_20:50:25
[root@centos8 ~]# cat /data/test2.log
2021-03-08_20:49:21
2021-03-08_20:50:25