Log management in LINUX system

Experimental environment

systemctl stop firewalld


Service Name: SYSTEMd journal service
Default log storage path: / run/log

Experiment 1 usage of journalctl command


-n 3 ## latest 3 entries in log
--since "2020-05-01 11:00:00" ## displays the log after 11:00
--until "2020-05-01 11:05:00" ## display log to 11:05
-o## set the display mode of log

Show log in short classic mode

verbose displays all bytes of the log

export binary format suitable for outgoing and backup

json js format display output

-p ##Displays the log at the specified level
#Critical issue log for 0 emerg system
#1. Information to be changed immediately in alert system
#2. Crit severity level will cause the system software to not work normally
#3 err program error
#4 warning program warning
#5 notice general log of important information
#6 info general information
#7. Error shooting information of debug program

-F PRIORITY ## view controllable log level
-u sshd ## specify viewing service
– disk usage ## view log size
– vacuum size = 1g ## set the log storage size
– vacuum time = 1W ## maximum storage time of logs in the system
-f ## monitoring log
journalctl _PID=10924 _SYSTEMD_UNIT=sshd.service

Experiment 2 using journaled service to store logs permanently

The default log in the system is: / run/log/journal
By default, the log will be cleared after system restart. To permanently save the log, complete the following operations:

mkdir /var/log/journal
chgrp systemd-journal /var/log/journal
chmod 2775 /var/log/journal
systemctl restart systemd-journald.service

When the service restarts, the log storage path will be specified to: / var/log/journal

If it is not processed, the log will not be saved, and the node number 11473 will change at the next restart

At the next restart, the node number 2514500 will not change.


Service Name: rsyslog service

The system kernel and many programs will produce various error messages, warning messages and other prompt messages. These messages are very useful for users to understand the running state of the system, so they need to be saved in the corresponding log file for subsequent analysis and monitoring of the state of the system or software. Linux system has a very flexible and powerful logging function, which can save almost all operation records and retrieve the information we need. The daemon to complete this work is rsyslog.

In the configuration file: / etc / rsyslog Conf defines collecting system logs to designated locations by categories, as follows:

/var/log/messages #System service log, general information, service error
/var/log/secure #System authentication information log
/var/log/maillog #System mail log information
/var/log/cron #System scheduled task information
/var/log/boot.log #System startup log information

Experiment 1 Custom log collection path

vim /etc/rsyslog.conf

Log type.Log level log storage path
*.* /var/log/westos ##Store all levels of logs in the system in westos
*.*;authpriv.none /var/log/westos ##The logs of all levels in the system are stored in westos, except authpriv

In the experiment, the configuration file is modified.

Before the experiment,
Remote login.

After logging in, view the log.

When experimenting, modify the configuration file.
Experimental results.

Log type
auth #User authentication
authpriv #Service certification
cron #Time task
kern #Kernel type
mail #mail
news #System update information
user #user
 log level
debug #Program troubleshooting information
info #Program general operation information
notice #General log of important information
waring #Program warning
err #Program error
crit #The severity level will cause the system software to not work properly
alert #Information in the system to be changed immediately
emerg #Critical issues log for the system
none #No collection

Experiment 2 How to change the log collection format

1 define log collection format

$template WESTOS_FORMAT, "%FROMHOST-IP% %timegenerated% %FROMHOST-IP% %syslogtag% %msg%\n"

#WESTOS_FORMAT: format name
#%FROMHOST-IP%: log source host IP
#%timegenerated%: log generation time
#%syslogtag%: log generation service
#%msg%: log content
#\n: Line feed

Experimental steps:
Note: the operation of modifying the configuration file is carried out at the receiver
Modify the configuration file / etc / rsyslog. In the log receiver westosa Conf, define the log collection format, WESTOS, / var/log/westos;WESTOS means that only the logs under the / var/log/messages path are collected in the defined format

2. Set log collection format

*.*;authpriv.none /var/log/westos;WESTOS

module(load="builtin:omfile" Template="WESTOS_FORMAT") ##Westos is adopted by default_ Format format

Experiment 3 Remote synchronization of logs

1).westos_node1: store logs as the log receiver, and all logs are stored on this host
2).westos_linux: sending logs to westos_node1 host

1. The first step is in westos_ Set in node1 to accept everyone's log

systemctl stop firewalld 
vim /etc/rsyslog.conf
19 module(load="imudp") ##Open log acceptance plug-in
20 input(type="imudp" port="514") ##Specifies the interface used by the plug-in
systemctl restart rsyslog

Query port:

root@rhel7_node1 ~]# netstat -antlupe | grep rsyslog
0 0* 0 
67600 11115/rsyslogd 
udp6 0 0 :::514 :::* 0 
67601 11115/rsyslogd 

Query whether the receiver port is opened successfully

2. Step 2: westos_ Set sending logs to westos in Linux_ In node1

vim /etc/rsyslog.conf

*.* @
systemctl restart rsyslog
@ Indicates use udp Transmission log
@@ Indicates use tcp Transmission log
@ Use the local log udp The transmission mode is sent to host


stay westos_linux and westos_node1 in
> /var/log/messages
 stay westos_linux in
logger westos test message
 stay westos_node1 Can be seen in westos_linux Log generated in!!


timedatectl set-time "2020-02-13 10:41:55" ##Set system time
timedatectl list-timezones ##Displays all time zones of the system
timedatectl set-timezone "Asia/Shanghai" ##Set system time zone
timedatectl set-local-rtc 0|1 ##Set the system time calculation method
##0 means using the utc time calculation method

The experiment in the above figure failed. You need to turn off chronyd.

4. Time synchronization service

#Service Name: chronyd service
#Configuration file: / etc / Chrony conf
Use rhel7 as the time source rhel8 to synchronize rhel7 time
At time_server
vim /etc/chrony.conf

26 allow ##Allow network segment host synchronization time
29 local stratum 10 ##Turn on the time synchronization server function and set the level to 10
systemctl restart chronyd.service
systemctl stop firewalld 

At time_ In clinet
vim /etc/chrony.conf

pool iburst
systemctl restart chronyd


At time_ Viewing time in client:
Reality has become time_ Time in server
Use the chronyc command to view the time effect:

[root@rhel8_node1 ~]# chronyc sources -v

210 Number of sources = 1
 .-- Source mode '^' = server, '=' = peer, '#' = local clock.
/ .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| / '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
|| .- xxxx [ yyyy ] +/- zzzz
|| Reachability register (octal) -. | xxxx = adjusted offset,
|| Log2(Polling interval) --. | | yyyy = measured offset,
|| \ | | zzzz = estimated error.
|| | | \
MS Name/IP address Stratum Poll Reach LastRx Last sample 
^* 10 6 17 15 -6970ns[+8437ns] +/- 180u

In time server

In time client


Keywords: Linux Operation & Maintenance server

Added by PrinceOfDragons on Sun, 20 Feb 2022 08:23:00 +0200