botang posted on 2020-11-16 21:42:21

The two logging systems since Red Hat Enterprise Linux 7 (rsyslog and systemd-journald)

# systemctl status rsyslog
● rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2020-11-16 15:25:27 CST; 6h ago
   Docs: man:rsyslogd(8)
         http://www.rsyslog.com/doc/
Main PID: 1585 (rsyslogd)
    Tasks: 3 (limit: 26213)
   Memory: 6.9M
   CGroup: /system.slice/rsyslog.service
         └─1585 /usr/sbin/rsyslogd -n

Nov 16 15:25:26 classroom.example.com systemd: Starting System Logging Service...
Nov 16 15:25:27 classroom.example.com rsyslogd: environment variable TZ is not set, auto correcting this to TZ=/etc/localtime[v8.37>
Nov 16 15:25:27 classroom.example.com systemd: Started System Logging Service.
Nov 16 15:25:27 classroom.example.com rsyslogd: [origin software="rsyslogd" swVersion="8.37.0-9.el8" x-pid="1585" x-info="http://www.>
# systemctl | grep journal
systemd-journal-flush.service                                                             loaded active exited    Flush Journal to Persistent Storage                                                               
systemd-journald.service                                                                  loaded active running   Journal Service                                                                                    
systemd-journald-dev-log.socket                                                         loaded active running   Journal Socket (/dev/log)                                                                        
systemd-journald.socket                                                                   loaded active running   Journal Socket                                                                                    
# systemctl status systemd-journald
● systemd-journald.service - Journal Service
   Loaded: loaded (/usr/lib/systemd/system/systemd-journald.service; static; vendor preset: disabled)
   Active: active (running) since Mon 2020-11-16 15:25:14 CST; 6h ago
   Docs: man:systemd-journald.service(8)
         man:journald.conf(5)
Main PID: 656 (systemd-journal)
   Status: "Processing requests..."
    Tasks: 1 (limit: 26213)
   Memory: 13.3M
   CGroup: /system.slice/systemd-journald.service
         └─656 /usr/lib/systemd/systemd-journald

Nov 16 15:25:14 classroom.example.com systemd-journald: Journal started
Nov 16 15:25:14 classroom.example.com systemd-journald: Runtime journal (/run/log/journal/fb086255a1e94490acaa4181501e2d31) is 8.0M, m>
Nov 16 15:25:14 classroom.example.com systemd-jou

The group the systemd-journald process runs as (from /etc/group). On RHEL, members of systemd-journal, adm or wheel can read the whole journal without being root, so membership in this group is effectively read access to every service's log:
systemd-journal:x:190:

Common journalctl queries:
journalctl -xe          # jump to the end (newest entries); -x adds the catalog explanation text where one exists
journalctl -xb          # only entries from the current boot
journalctl -p err -x    # priority err and more severe (err, crit, alert, emerg)

Kernel space (dmesg)

[ 8077.814883] br0: port 6(enp0s20u4) entered learning state
[ 8093.174808] br0: port 6(enp0s20u4) entered forwarding state
[ 8093.174814] br0: topology change detected, propagating
[ 8403.750418] rfkill: input handler disabled
[ 8510.196195] EXT4-fs (dm-14): mounted filesystem with ordered data mode. Opts: (null)
[ 8657.807897] snd_hda_intel 0000:00:1b.0: IRQ timing workaround is activated for card #1. Suggest a bigger bdl_pos_adj.
[ 9800.221598] perf: interrupt took too long (3133 > 3128), lowering kernel.perf_event_max_sample_rate to 63000
br0: port 7(vnet5) entered blocking state
br0: port 7(vnet5) entered disabled state
device vnet5 entered promiscuous mode
br0: port 7(vnet5) entered blocking state
br0: port 7(vnet5) entered listening state
device-mapper: core: qemu-kvm: sending ioctl 5326 to DM device without required privilege.
br0: port 7(vnet5) entered learning state
br0: port 7(vnet5) entered forwarding state
br0: topology change detected, propagating
br0: port 7(vnet5) entered disabled state
device vnet5 left promiscuous mode
br0: port 7(vnet5) entered disabled state
perf: interrupt took too long (3923 > 3916), lowering kernel.perf_event_max_sample_rate to 50000
usb 3-6: new high-speed USB device number 10 using xhci_hcd
usb 3-6: New USB device found, idVendor=0bc2, idProduct=231a, bcdDevice= 7.10
usb 3-6: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 3-6: Product: Expansion
usb 3-6: Manufacturer: Seagate
usb 3-6: SerialNumber: NAA8QP6G
scsi host7: uas
scsi 7:0:0:0: Direct-Access   SeagateExpansion      0710 PQ: 0 ANSI: 6
sd 7:0:0:0: Attached scsi generic sg12 type 0
sd 7:0:0:0: 3907029167 512-byte logical blocks: (2.00 TB/1.82 TiB)
sd 7:0:0:0: 4096-byte physical blocks
sd 7:0:0:0: Write Protect is off
sd 7:0:0:0: Mode Sense: 53 00 00 08
sd 7:0:0:0: Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
sd 7:0:0:0: Optimal transfer size 33553920 bytes not a multiple of physical block size (4096 bytes)
sdc: sdc1
sd 7:0:0:0: Attached SCSI disk
usb 3-6: USB disconnect, device number 10
sd 7:0:0:0: Synchronizing SCSI cache
sd 7:0:0:0: Synchronize Cache(10) failed: Result: hostbyte=DID_ERROR driverbyte=DRIVER_OK
snd_hda_intel 0000:00:1b.0: Unstable LPIB (393600 >= 24600); disabling LPIB delay counting


The "Welcome to Red Hat Enterprise Linux" boot banner and the unit start/stop messages that follow it are kept in /var/log/boot.log:
Started Berkeley Internet Name Domain (DNS).
Reached target Host and Network Name Lookups.
Created slice system-systemd\x2dcoredump.slice.
Started Process Core Dump (PID 1211/UID 0).
Started VDO volume services.
Started update of the root trust anchor for DNSSEC validation in unbound.
Started System Security Services Daemon.
Reached target User and Group Name Lookups.
         Starting Accounts Service...
         Starting Login Service...
         Starting Permit User Sessions...
Started Permit User Sessions.
Started Command Scheduler.
Started Job spooling tools.
Started SYSV: The Oracle Secure Backup services daemon enables automatic.
         Starting ohasd.service...
Started Accounts Service.
Started ohasd.service.
Started Login Service.
         Starting Virtualization daemon...
Created slice system-user\x2druntime\x2ddir.slice.
Started /run/user/500 mount wrapper.
Created slice User Slice of UID 500.
Started Session c1 of user oracle.
         Starting User Manager for UID 500...
Started Disk Manager.
Started Dynamic System Tuning Daemon.
Started User Manager for UID 500.
         Stopping User Manager for UID 500...
Stopped User Manager for UID 500.
         Stopping /run/user/500 mount wrapper...
Removed slice User Slice of UID 500.
Started OpenSSH server daemon.
Stopped /run/user/500 mount wrapper.
Started Virtualization daemon.
         Starting WPA supplicant...
Started WPA supplicant.
Started Certificate monitoring and PKI enrollment.
Started Network Manager Wait Online.
Reached target Network is Online.
         Starting NFS Mount Daemon...
         Starting NFS status monitor for NFSv2/3 locking....
         Starting System Logging Service...
         Starting Crash recovery kernel arming...
Started System Logging Service.
Started NFS status monitor for NFSv2/3 locking..
Started NFS Mount Daemon.
         Starting NFS server and services...
Started NFS server and services.
         Starting Notify NFS peers of a restart...
Started Notify NFS peers of a restart.
Created slice system-dirsrv.slice.
         Starting 389 Directory Server EXAMPLE-COM....
Started Crash recovery kernel arming.
Started 389 Directory Server EXAMPLE-COM..
         Starting Kerberos 5 KDC...
Stopped Kerberos 5 KDC.
         Stopping 389 Directory Server EXAMPLE-COM....
Stopped 389 Directory Server EXAMPLE-COM..
Started /etc/rc.d/rc.local Compatibility.
         Starting GNOME Display Manager...
         Starting Hold until boot process finishes up...
Failed to start Identity, Policy, Audit.
See 'systemctl status ipa.service' for details.
Started GNOME Display Manager.



User space


/var/log/messages:

Each line reads: time : place (host) : actor (process) : cause, course and outcome (the message text).

Nov 15 10:14:03 classroom rsyslogd: rsyslogd was HUPed
Nov 15 10:14:03 classroom rhsmd: In order for Subscription Manager to provide your system with updates, your system must be registered with the Customer Portal. Please enter your Red Hat login to ensure your system is up-to-date.
Nov 15 10:14:10 classroom init.ohasd: /etc/init.d/init.ohasd: line 264: warning: command substitution: ignored null byte in input
Nov 15 10:14:20 classroom init.ohasd: /etc/init.d/init.ohasd: line 264: warning: command substitution: ignored null byte in input
Nov 15 10:14:30 classroom init.ohasd: /etc/init.d/init.ohasd: line 264: warning: command substitution: ignored null byte in input
Nov 15 10:14:40 classroom init.ohasd: /etc/init.d/init.ohasd: line 264: warning: command substitution: ignored null byte in input
Nov 15 10:14:50 classroom init.ohasd: /etc/init.d/init.ohasd: line 264: warning: command substitution: ignored null byte in input
Nov 15 10:15:00 classroom init.ohasd: /etc/init.d/init.ohasd: line 264: warning: command substitution: ignored null byte in input
Nov 15 10:15:10 classroom init.ohasd: /etc/init.d/init.ohasd: line 264: warning: command substitution: ignored null byte in input
Nov 15 10:15:19 classroom named: client @0x7f661009ee20 192.168.0.141#62322 (pan.baidu.com): query (cache) 'pan.baidu.com/A/IN' denied
Nov 15 10:15:20 classroom init.ohasd: /etc/init.d/init.ohasd: line 264: warning: command substitution: ignored null byte in input
Nov 15 10:15:30 classroom init.ohasd: /etc/init.d/init.ohasd: line 264: warning: command substitution: ignored null byte in input
Nov 15 10:15:40 classroom init.ohasd: /etc/init.d/init.ohasd: line 264: warning: command substitution: ignored null byte in input
Nov 15 10:15:50 classroom init.ohasd: /etc/init.d/init.ohasd: line 264: warning: command substitution: ignored null byte in input
Nov 15 10:15:54 classroom named: network unreachable resolving 'safebrowsing.googleapis.com/A/IN': 2001:4860:4802:38::a#53
Nov 15 10:15:54 classroom named: network unreachable resolving 'safebrowsing.googleapis.com/A/IN': 2001:4860:4802:32::a#53
Nov 15 10:15:54 classroom named: network unreachable resolving 'safebrowsing.googleapis.com/A/IN': 2001:4860:4802:36::a#53
Nov 15 10:15:54 classroom named: network unreachable resolving 'safebrowsing.googleapis.com/A/IN': 2001:4860:4802:34::a#53
Nov 15 10:15:58 classroom named: client @0x7f661009ee20 192.168.0.141#50980 (tongji.flash.cn): query (cache) 'tongji.flash.cn/A/IN' denied
Nov 15 10:16:00 classroom named: client @0x7f661009ee20 192.168.0.141#49521 (s.f.360.cn): query (cache) 's.f.360.cn/A/IN' denied
Nov 15 10:16:00 classroom init.ohasd: /etc/init.d/init.ohasd: line 264: warning: command substitution: ignored null byte in input
Nov 15 10:16:01 classroom named: client @0x7f661009ee20 192.168.0.141#63491 (hm.baidu.com): query (cache) 'hm.baidu.com/A/IN' denied
Nov 15 10:16:10 classroom init.ohasd: /etc/init.d/init.ohasd: line 264: warning: command substitution: ignored null byte in input
Nov 15 10:16:20 classroom init.ohasd: /etc/init.d/init.ohasd: line 264: warning: command substitution: ignored null byte in input
Nov 15 10:16:30 classroom init.ohasd: /etc/init.d/init.ohasd: line 264: warning: command substitution: ignored null byte in input
Nov 15 10:16:40 classroom init.ohasd: /etc/init.d/init.ohasd: line 264: warning: command substitution: ignored null byte in input
Nov 15 10:16:50 classroom init.ohasd: /etc/init.d/init.ohasd: line 264: warning: command substitution: ignored null byte in input
Nov 15 10:17:00 classroom init.ohasd: /etc/init.d/init.ohasd: line 264: warning: command substitution: ignored null byte in input
Nov 15 10:17:03 classroom named: client @0x7f661009ee20 192.168.0.141#56308 (pan.baidu.com): query (cache) 'pan.baidu.com/A/IN' denied
Nov 15 10:17:10 classroom init.ohasd: /etc/init.d/init.ohasd: line 264: warning: command substitution: ignored null byte in input
Nov 15 10:17:20 classroom init.ohasd: /etc/init.d/init.ohasd: line 264: warning: command substitution: ignored null byte in input
Nov 15 10:17:30 classroom init.ohasd: /etc/init.d/init.ohasd: line 264: warning: command substitution: ignored null byte in input
Nov 15 10:17:31 classroom named: client @0x7f661009ee20 192.168.0.141#6

The logs of the dhcpd and DNS (named) servers are mixed into this one file. Other servers get their own directory under /var/log with their own log files; the FTP server's log here, for example, is xferlog.1 (a rotated copy of /var/log/xferlog).
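The "when : where : who : what" layout is what makes /var/log/messages greppable. As an added example (mine, not part of the original post), here is a POSIX sh/awk script that works on constructed lines in exactly this format: it counts messages per program and summarizes the named "query ... denied" events per client address, the kind of first-pass triage done before anything reaches a SIEM. The sample lines are constructed for the example, with placeholder host and addresses; the field positions assumed are those of the classic syslog layout shown above.

```shell
#!/bin/sh
# Added example: triage /var/log/messages-style lines with awk.
# Field layout per line: Mon DD HH:MM:SS host program: message
# The sample below is CONSTRUCTED for this example (placeholder host/IPs).

sample_log() {
cat <<'EOF'
Nov 15 10:14:03 classroom rsyslogd: rsyslogd was HUPed
Nov 15 10:15:19 classroom named: client @0x7f661009ee20 192.168.0.141#62322 (pan.baidu.com): query (cache) 'pan.baidu.com/A/IN' denied
Nov 15 10:15:54 classroom named: network unreachable resolving 'safebrowsing.googleapis.com/A/IN': 2001:4860:4802:38::a#53
Nov 15 10:15:58 classroom named: client @0x7f661009ee20 192.168.0.141#50980 (tongji.flash.cn): query (cache) 'tongji.flash.cn/A/IN' denied
Nov 15 10:16:00 classroom init.ohasd: /etc/init.d/init.ohasd: line 264: warning: command substitution: ignored null byte in input
Nov 15 10:16:01 classroom named: client @0x7f661009ee20 192.168.0.141#63491 (hm.baidu.com): query (cache) 'hm.baidu.com/A/IN' denied
Nov 15 10:17:03 classroom named: client @0x7f661009ee20 192.168.0.141#56308 (pan.baidu.com): query (cache) 'pan.baidu.com/A/IN' denied
Nov 15 10:17:09 classroom named: client @0x7f66100a1230 192.168.0.77#41002 (example.net): query (cache) 'example.net/A/IN' denied
EOF
}

# count_by_program: prints "program count" lines, busiest first.
# Field 5 is the program tag; strip the trailing ':' and any "[pid]".
count_by_program() {
    awk '{
        prog = $5
        sub(/:$/, "", prog)
        sub(/\[[0-9]+\]$/, "", prog)
        n[prog]++
    } END { for (p in n) printf "%s %d\n", p, n[p] }' | LC_ALL=C sort -k2,2nr -k1,1
}

# denied_queries_by_client: for named "query ... denied" lines, count per
# client address. The address token looks like 192.168.0.141#62322 (addr#port);
# it is scanned for rather than read from a fixed field position, so the
# function also copes with IPv6 clients and slightly different prefixes.
denied_queries_by_client() {
    awk '$5 == "named:" && / denied$/ {
        for (i = 6; i <= NF; i++) {
            if ($i ~ /^[0-9a-fA-F.:]+#[0-9]+$/) {
                split($i, a, "#")
                c[a[1]]++
                break
            }
        }
    } END { for (ip in c) printf "%s %d\n", ip, c[ip] }' | LC_ALL=C sort -k2,2nr -k1,1
}

# Stand-alone run over the constructed sample:
echo "== messages per program =="
sample_log | count_by_program
echo "== denied recursive queries per client =="
sample_log | denied_queries_by_client
```

In the sample, one client is responsible for four of the five refused recursive queries; on a real resolver this summary, run against the live file, is a quick way to spot a host that is pointed at the wrong DNS server or is probing it.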


journald keeps a binary journal that holds a second copy of everything above, kernel messages, boot messages and service logs included; journalctl is the query tool for it. By default on RHEL 7/8 that journal lives only in the memory-backed /run/log/journal (the "Runtime journal" in the status output above) and is lost at reboot, unless /var/log/journal exists or Storage=persistent is set in /etc/systemd/journald.conf. The two systems are also connected: rsyslog on RHEL 7/8 reads messages out of the journal (imjournal) and writes the text files under /var/log.

How log rotation works:
1. There is a binary that rotates the log files and discards the old ones (how long they are kept is set in logrotate.conf): /usr/sbin/logrotate
# which logrotate
/usr/sbin/logrotate
# file /usr/sbin/logrotate
/usr/sbin/logrotate: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID=3ad872a040dc8938f1c2e5dda41300bfff8dc688, stripped

# vim /etc/logrotate.conf

# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# use date as a suffix of the rotated file
dateext

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# system-specific logs may be also be configured here.

2. Who runs /usr/sbin/logrotate?
/etc/crontab (contains no jobs, only the header)
--> /etc/cron.d/ has a file named 0hourly:
# Run the hourly jobs
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
01 * * * * root run-parts /etc/cron.hourly
Look at what is in /etc/cron.hourly:
# ls
0anacron
It checks whether a cron run was missed (e.g. the machine was off at the scheduled time) and, if so, hands over to anacron:
#!/bin/sh
# Check whether 0anacron was run today already
if test -r /var/spool/anacron/cron.daily; then
    day=`cat /var/spool/anacron/cron.daily`
fi
if [ `date +%Y%m%d` = "$day" ]; then
    exit 0
fi

# Do not run jobs when on battery power
online=1
for psupply in AC ADP0 ; do
    sysfile="/sys/class/power_supply/$psupply/online"

    if [ -f $sysfile ] ; then
      if [ `cat $sysfile 2>/dev/null`x = 1x ]; then
            online=1
            break
      else
            online=0
      fi
    fi
done
if [ $online = 0 ]; then
    exit 0
fi
/usr/sbin/anacron -s
/usr/sbin/anacron's configuration file has 4 columns (period in days, delay in minutes, job identifier, command):
/etc/anacrontab

# /etc/anacrontab: configuration file for anacron

# See anacron(8) and anacrontab(5) for details.

SHELL=/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# the maximal random delay added to the base delay of the jobs
RANDOM_DELAY=45
# the jobs will be started during the following hours only
START_HOURS_RANGE=3-22

#period in days   delay in minutes   job-identifier   command
1       5       cron.daily            nice run-parts /etc/cron.daily
7       25      cron.weekly             nice run-parts /etc/cron.weekly
@monthly 45   cron.monthly            nice run-parts /etc/cron.monthly

In a sense cron.daily, cron.weekly and cron.monthly are all scheduled through cron.hourly: cron runs 0anacron every hour, and anacron decides from its timestamps in /var/spool/anacron whether the daily, weekly or monthly jobs are due.


/etc/cron.daily/logrotate, the script that actually invokes the binary each day:
#!/bin/sh

/usr/sbin/logrotate /etc/logrotate.conf
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
    /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
exit $EXITVALUE
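To see the mechanism without waiting a week for anacron, here is an added example (mine, not logrotate itself and not part of the original post) that re-implements in POSIX sh what the weekly / rotate 4 / create / dateext stanza above does to a single file, in a scratch directory. The date suffix is passed in explicitly so the demo is deterministic; it assumes GNU coreutils' `stat -c %a` for reading the file mode and falls back to 644 if that is not available.

```shell
#!/bin/sh
# Added example: a minimal re-implementation of the logrotate stanza
#   weekly / rotate 4 / create / dateext
# on one file, to make the mechanism visible. This is NOT logrotate; the real
# tool also handles compress, copytruncate, postrotate scripts, the su
# directive and a state file recording when each log was last rotated.
# Assumes GNU 'stat -c %a' (falls back to mode 644 if it is absent).

# rotated_count FILE: how many FILE-YYYYMMDD copies exist
rotated_count() {
    ls "$1"-[0-9]* 2>/dev/null | wc -l | tr -d ' '
}

# rotate_log FILE KEEP STAMP
#   FILE   the active log file
#   KEEP   number of rotated copies to keep  (the "rotate N" directive)
#   STAMP  suffix in YYYYMMDD form           (the "dateext" directive);
#          passed in explicitly so the demo below is deterministic
rotate_log() {
    file=$1 keep=$2 stamp=$3
    [ -f "$file" ] || return 1
    # logrotate aborts rather than overwrite an existing rotated name
    if [ -e "$file-$stamp" ]; then
        echo "rotate_log: $file-$stamp already exists, skipping" >&2
        return 2
    fi
    mode=$(stat -c %a "$file" 2>/dev/null || echo 644)
    # rotation itself is a rename; the daemon keeps its open descriptor on the
    # renamed inode, which is why logrotate.d snippets HUP the daemon afterwards
    mv "$file" "$file-$stamp"
    # "create": a fresh empty file with the same permissions
    : > "$file"
    chmod "$mode" "$file"
    # "rotate N": YYYYMMDD suffixes sort chronologically, so drop the oldest
    count=$(rotated_count "$file")
    excess=$((count - keep))
    if [ "$excess" -gt 0 ]; then
        ls "$file"-[0-9]* | LC_ALL=C sort | head -n "$excess" | while read -r old; do
            rm -f "$old"
        done
    fi
    return 0
}

# Stand-alone demo in a scratch directory: five "weekly" rotations with
# rotate 4 leave exactly four dated copies and an empty active file.
demo_dir=$(mktemp -d)
demo_log="$demo_dir/messages"
echo "Nov 15 10:14:03 classroom rsyslogd: rsyslogd was HUPed" > "$demo_log"
chmod 640 "$demo_log"    # demo permissions; "create" must carry them over
for stamp in 20201018 20201025 20201101 20201108 20201115; do
    echo "entry written in the week before $stamp" >> "$demo_log"
    rotate_log "$demo_log" 4 "$stamp"
done
ls -l "$demo_dir"
```

Two things the toy version shows that matter in practice: the rotated file keeps the old mode bits, so a log that was readable only by root stays that way, and rotation is a rename in the log's directory. That second point is why real logrotate refuses to rotate a file whose parent directory is writable by a non-root user unless a matching `su user group` directive is present: rename-then-create in a directory an attacker can write is a classic path to overwriting files as root.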