Linux-日志管理

时间：2022-04-03 16:22

Linux-日志管理

日志的AAA认证：

Authentication 认证
Authorization 授权
Account Audit 审计

dmesg

查看与系统启动有关的日志

[root@localhost ~]# dmesg
[    0.000000] Linux version 4.18.0-193.el8.x86_64 (mockbuild@x86-vm-08.build.eng.bos.redhat.com) (gcc version 8.3.1 20191121 (Red Hat 8.3.1-5) (GCC)) #1 SMP Fri Mar 27 14:35:58 UTC 2020
[    0.000000] Command line: BOOT_IMAGE=(hd0,msdos1)/vmlinuz-4.18.0-193.el8.x86_64 root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet
[    0.000000] Disabled fast string operations
[    0.000000] x86/fpu: Supporting XSAVE feature 0x001: ‘x87 floating point registers‘
[    0.000000] x86/fpu: Supporting XSAVE feature 0x002: ‘SSE registers‘
[    0.000000] x86/fpu: Supporting XSAVE feature 0x004: ‘AVX registers‘
[    0.000000] x86/fpu: Supporting XSAVE feature 0x020: ‘AVX-512 opmask‘
[    0.000000] x86/fpu: Supporting XSAVE feature 0x040: ‘AVX-512 Hi256‘
[    0.000000] x86/fpu: Supporting XSAVE feature 0x080: ‘AVX-512 ZMM_Hi256‘
[    0.000000] x86/fpu: Supporting XSAVE feature 0x200: ‘Protection Keys User registers‘
......

查看日志信息

一般情况下查看日志都是使用tail -f命令来查看，实时刷新

查看除内核之外错误的日志信息

[root@localhost ~]# tail -f /var/log/messages 
Dec 15 15:31:04 localhost NetworkManager[1122]: <info>  [1608017464.0147] dhcp4 (ens160): option requested_subnet_mask => ‘1‘
Dec 15 15:31:04 localhost NetworkManager[1122]: <info>  [1608017464.0147] dhcp4 (ens160): option requested_time_offset => ‘1‘
Dec 15 15:31:04 localhost NetworkManager[1122]: <info>  [1608017464.0147] dhcp4 (ens160): option requested_wpad       => ‘1‘
Dec 15 15:31:04 localhost NetworkManager[1122]: <info>  [1608017464.0147] dhcp4 (ens160): option routers              => ‘192.168.237.2‘
Dec 15 15:31:04 localhost NetworkManager[1122]: <info>  [1608017464.0147] dhcp4 (ens160): option subnet_mask          => ‘255.255.255.0‘
Dec 15 15:31:04 localhost NetworkManager[1122]: <info>  [1608017464.0147] dhcp4 (ens160): state changed extended -> extended
Dec 15 15:31:04 localhost dbus-daemon[1033]: [system] Activating via systemd: service name=‘org.freedesktop.nm_dispatcher‘ unit=‘dbus-org.freedesktop.nm-dispatcher.service‘ requested by ‘:1.8‘ (uid=0 pid=1122 comm="/usr/sbin/NetworkManager --no-daemon " label="system_u:system_r:NetworkManager_t:s0")
Dec 15 15:31:04 localhost systemd[1]: Starting Network Manager Script Dispatcher Service...
Dec 15 15:31:04 localhost dbus-daemon[1033]: [system] Successfully activated service ‘org.freedesktop.nm_dispatcher‘
Dec 15 15:31:04 localhost systemd[1]: Started Network Manager Script Dispatcher Service.

查看邮件系统产生的日志信息

[root@localhost ~]# tail -f /var/log/maillog

查看与安全相关的日志信息

[root@localhost ~]# tail -f /var/log/secure
Dec  4 15:14:04 localhost polkitd[1021]: Loading rules from directory /usr/share/polkit-1/rules.d
Dec  4 15:14:04 localhost polkitd[1021]: Finished loading, compiling and executing 2 rules
Dec  4 15:14:04 localhost polkitd[1021]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Dec  4 15:14:06 localhost sshd[1133]: Server listening on 0.0.0.0 port 22.
Dec  4 15:14:06 localhost sshd[1133]: Server listening on :: port 22.
Dec  4 15:14:15 localhost systemd[4268]: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Dec  4 15:14:15 localhost login[1158]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Dec  4 15:14:15 localhost login[1158]: ROOT LOGIN ON tty1
Dec 15 14:16:49 localhost sshd[5378]: Accepted password for root from 192.168.237.1 port 65504 ssh2
Dec 15 14:16:49 localhost sshd[5378]: pam_unix(sshd:session): session opened for user root by (uid=0)

priority（log level）日志的级别

一般有以下几种级别（从低到高），级别越低，信息越详细：

定义格式例子

mail.info /var/log/maillog

表示将mail相关的，级别为info及info以上级别的信息同步记录到/var/log/maillog文件中

mail.* -/var/log/maillog

表示将mail相关的所有日志信息异步记录到/var/log/maillog文件中，路径前的“-”表示异步模式

#同步: 一有数据立马写,时时刻刻都在等待数据,不能操作别的

#异步: 等数据多一点在写,等待时间可以操作

user.!=error / user.!error

表示记录user相关的，不包括error级别的信息，与user.error相反

*.info

表示记录所有的日志信息的info级别

mail.*

表示记录mail相关的所有级别的信息

* . *

表示记录所有级别的所有日志信息

cron.info;mail.info

多个日志来源可以用分号隔开

cron,mail.info

相当于cron.info;mail.info

mail.*;mail.!=info

表示记录mail相关的所有级别的信息，但是不包括info级别的

文件记录（/var/log/message）的日志的格式：

事件产生的日期时间主机进程（pid）：事件内容

 Dec 15 16:16:04 localhost NetworkManager[1122]: <info>  [1608020164.0143] dhcp4 (ens160): option requested_subnet_mask => ‘1‘

格式为二进制格式的日志记录

/var/log/wtmp

当前系统成功登录的日志，可使用last命令查看其内容

[root@localhost ~]# file /var/log/btmp
/var/log/btmp: data
[root@localhost ~]# last
root     pts/0        192.168.237.1    Tue Dec 15 14:16   still logged in
root     tty1                          Fri Dec  4 15:14    gone - no logout
reboot   system boot  4.18.0-193.el8.x Fri Dec  4 15:14   still running

wtmp begins Fri Dec  4 15:14:01 2020

/var/log/btmp

当前系统失败的登录尝试的日志，可使用lastb命令查看其内容

[root@localhost ~]# file /var/log/wtmp
/var/log/wtmp: firmware 0 v0 (revision 0)   V2, 0 bytes or less, UNKNOWN2 0x38365f36, at 0x0 0 bytes , at 0x0 0 bytes 

[root@localhost ~]# lastb
root     ssh:notty    192.168.237.1    Tue Dec 15 16:05 - 16:05  (00:00)

btmp begins Tue Dec 15 16:05:12 2020

配置rsyslog服务器

问：如果想要把一台主机的权限日志写到另外一台主机上应该怎么做呢?

客户端：主机名：128 IP地址：192.168.237.128

服务端：主机名：133 IP地址：192.168.237.133

//配置客服端
//(注释默认路径,添加新路径到服务端)
[root@128 ~]# vi /etc/rsyslog.conf 
# The authpriv file has restricted access.
#authpriv.*                                              /var/log/secure
authpriv.*                                              @192.168.237.133
[root@128 ~]# systemctl restart rsyslog
[root@128 ~]# systemctl stop firewalld
[root@128 ~]# setenforce 0

//配置服务端
//(取消注释)
[root@133 ~]# vi /etc/rsyslog.conf
# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
[root@133 ~]# systemctl restart rsyslog


//ssh登录客服端128故意密码输错,在服务端133中也有记录
[C:\~]$ ssh root@192.168.237.128
[root@133 ~]# tail -f /var/log/secure
Dec 15 17:33:28 128 unix_chkpwd[47650]: password check failed for user (root)
Dec 15 17:33:28 128 sshd[47648]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.237.1  user=root
Dec 15 17:33:31 128 sshd[47648]: Failed password for root from 192.168.237.1 port 53843 ssh2
Dec 15 17:33:33 128 sshd[47648]: error: Received disconnect from 192.168.237.1 port 53843:0:  [preauth]
Dec 15 17:33:33 128 sshd[47648]: Disconnected from authenticating user root 192.168.237.1 port 53843 [preauth]

//ssh登录客服端133故意密码输错,在服务端133自己本身也有记录
[C:\~]$ ssh root@192.168.237.133
[root@133 ~]# tail -f /var/log/secure
Dec 15 17:33:47 133 unix_chkpwd[1955]: password check failed for user (root)
Dec 15 17:33:47 133 sshd[1953]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.237.1  user=root
Dec 15 17:33:49 133 sshd[1953]: Failed password for root from 192.168.237.1 port 53847 ssh2
Dec 15 17:33:52 133 sshd[1953]: error: Received disconnect from 192.168.237.1 port 53847:0:  [preauth]
Dec 15 17:33:52 133 sshd[1953]: Disconnected from authenticating user root 192.168.237.1 port 53847 [preauth]