今天分享的是系统日志管理,利用集中日志服务统一管理
启用日志服务
启用网络日志服务功能后,可以把多个远程主机的日志发送到集中的日志服务器,便于统一管理。注意:传统 syslog(514 端口)既不加密也不认证,UDP 的源地址还可以被伪造,因此应通过防火墙只放行已知客户端,安全相关日志优先走 TCP(@@),在不可信网络上还应再加 TLS。
范例:rocky 8 启用网络日志功能
1.#在服务器上执行下面操作(修改后需 systemctl restart rsyslog,并用 ss -ulnt | grep 514 确认已监听、防火墙已放行 514 端口)
[root@rocky8 ~]#vim /etc/rsyslog.conf
## MODULES ####
...省略...
# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
# NOTE(review): no address= is given, so these inputs presumably listen on
# every interface, and classic syslog on 514 carries no authentication or
# encryption. UDP source addresses are trivially spoofed, so restrict who can
# reach 514 with the host firewall (firewalld/ufw) and prefer the TCP input
# below for anything security-relevant; add TLS if the network is untrusted.
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
# TCP (@@ on the client) is reliable, but as configured here it is still plaintext.
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
2.#在客户端指定将日志发送到远程的 TCP(@@)或 UDP(@)日志服务器,二选一即可;下面两行若同时保留,每条日志会被发送两次。TCP 可靠但仍是明文,UDP 可能丢包且源地址可被伪造
[root@centos7 ~]#vim /etc/rsyslog.conf
*.info;mail.none;authpriv.none;cron.none /var/log/messages
*.info;mail.none;authpriv.none;cron.none @@10.0.0.161:514 #TCP
*.info;mail.none;authpriv.none;cron.none @10.0.0.161:514 #UDP
范例:journalctl用法
#查看所有日志(默认情况下只保存本次启动的日志;要跨重启保留,需在 /etc/systemd/journald.conf 中设置 Storage=persistent,或创建 /var/log/journal 目录后重启 systemd-journald)
journalctl
#查看内核日志(不显示应用日志)
journalctl -k
#查看系统本次启动的日志
journalctl -b
journalctl -b -0
#查看上一次启动的日志(需要持久化 journal,见上面 Storage=persistent 的说明;可用 journalctl --list-boots 列出可查的启动记录)
journalctl -b -1
#查看指定时间的日志
journalctl --since="2017-10-30 18:10:30"
journalctl --since "20 min ago"
journalctl --since yesterday
journalctl --since "2017-01-10" --until "2017-01-11 03:00"
journalctl --since 09:00 --until "1 hour ago"
#显示尾部的最新10行日志
journalctl -n
#显示尾部指定行数的日志
journalctl -n 20
#实时滚动显示最新日志
journalctl -f
#查看指定可执行文件(按路径匹配)产生的日志,例如 systemd 本身
journalctl /usr/lib/systemd/systemd
#查看指定进程的日志
journalctl _PID=1
#查看某个路径的脚本的日志
journalctl /usr/bin/bash
#查看指定用户的日志
journalctl _UID=33 --since today
#查看某个 Unit 的日志
journalctl -u nginx.service
journalctl -u nginx.service --since today
#实时滚动显示某个 Unit 的最新日志
journalctl -u nginx.service -f
#合并显示多个 Unit 的日志
journalctl -u nginx.service -u php-fpm.service --since today
#查看指定优先级(及其以上级别)的日志,共有8级
0: emerg
1: alert
2: crit
3: err
4: warning
5: notice
6: info
7: debug
journalctl -p err -b
#日志默认分页输出,--no-pager 改为正常的标准输出
journalctl --no-pager
#日志管理journalctl
#以 JSON 格式(单行)输出
journalctl -b -u nginx.service -o json
#以 JSON 格式(多行)输出,可读性更好
journalctl -b -u nginx.service -o json-pretty
#显示日志占据的硬盘空间
journalctl --disk-usage
#指定日志文件占据的最大空间
journalctl --vacuum-size=1G
#指定日志文件保存多久
journalctl --vacuum-time=1years
实战案例:利用 MySQL 存储日志信息
利用rsyslog日志服务,将收集的日志记录于MySQL中
实现步骤
1.先准备3台使用的机子
2.在rsyslog服务器上安装连接mysql模块相关的程序包
[root@centos8 ~]#yum -y install rsyslog-mysql
[root@ubuntu2004 ~]#apt -y install rsyslog-mysql
[root@centos8 ~]#rpm -ql rsyslog-mysql
/usr/lib/.build-id
/usr/lib/.build-id/d7
/usr/lib/.build-id/d7/77fc839aa07e92f0a8858cf3f122996436c7df
/usr/lib64/rsyslog/ommysql.so
/usr/share/doc/rsyslog/mysql-createDB.sql
[root@ubuntu2004 ~]#dpkg -L rsyslog-mysql
/.
/usr
/usr/lib
/usr/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu/rsyslog
/usr/lib/x86_64-linux-gnu/rsyslog/ommysql.so
/usr/share
/usr/share/dbconfig-common
/usr/share/dbconfig-common/data
/usr/share/dbconfig-common/data/rsyslog-mysql
/usr/share/dbconfig-common/data/rsyslog-mysql/install
/usr/share/dbconfig-common/data/rsyslog-mysql/install/mysql
/usr/share/doc
/usr/share/doc/rsyslog-mysql
/usr/share/doc/rsyslog-mysql/copyright
/usr/share/rsyslog-mysql
/usr/share/rsyslog-mysql/rsyslog-mysql.conf.template
/usr/share/doc/rsyslog-mysql/NEWS.Debian.gz
/usr/share/doc/rsyslog-mysql/changelog.Debian.gz
#查看sql脚本文件内容
[root@ubuntu2204 ~]#cat /usr/share/dbconfig-common/data/rsyslog-mysql/install/mysql
[root@ubuntu2004 ~]#cat /usr/share/dbconfig-common/data/rsyslog-mysql/install/mysql
[root@centos8 ~]#cat /usr/share/doc/rsyslog/mysql-createDB.sql
CREATE DATABASE Syslog; #Ubuntu22.04和20.04没有此行,需要手动创建数据库
USE Syslog;
CREATE TABLE SystemEvents
(
ID int unsigned not null auto_increment primary key,
CustomerID bigint,
ReceivedAt datetime NULL,
DeviceReportedTime datetime NULL,
Facility smallint NULL,
Priority smallint NULL,
FromHost varchar(60) NULL,
Message text,
NTSeverity int NULL,
Importance int NULL,
EventSource varchar(60),
EventUser varchar(60) NULL,
EventCategory int NULL,
EventID int NULL,
EventBinaryData text NULL,
MaxAvailable int NULL,
CurrUsage int NULL,
MinUsage int NULL,
MaxUsage int NULL,
InfoUnitID int NULL ,
SysLogTag varchar(60),
EventLogType varchar(60),
GenericFileName VarChar(60),
SystemID int NULL
);
CREATE TABLE SystemEventsProperties
(
ID int unsigned not null auto_increment primary key,
SystemEventID int NULL ,
ParamName varchar(255) NULL ,
ParamValue text NULL
);
#将sql脚本复制到数据库服库上
[root@centos8 ~]#scp /usr/share/doc/rsyslog/mysql-createDB.sql 10.0.0.18:/data
3.修改 rsyslog 规则:本机保留一份日志,同时再转发一份到远端日志服务器(@ 为 UDP,明文、无认证;需要可靠传输时改用 @@ TCP)
[root@ubuntu2004 ~]#vim /etc/rsyslog.d/50-default.conf
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
*.*;auth,authpriv.none @10.0.0.200 #此处为发送远处要添加的程序
#例子
#在客户端指定将日志发送到远程的 TCP(@@)或 UDP(@)日志服务器,二选一;两行同时保留会导致每条日志发送两次
[root@centos7 ~]#vim /etc/rsyslog.conf
*.info;mail.none;authpriv.none;cron.none /var/log/messages
*.info;mail.none;authpriv.none;cron.none @@10.0.0.18:514 #TCP
*.info;mail.none;authpriv.none;cron.none @10.0.0.18:514 #UDP
#记录日志程序
[root@ubuntu2204 rsyslog.d]#tail -f /var/log/auth.log /var/log/syslog
==> /var/log/auth.log <==
==> /var/log/syslog <==
4.现在去另一个机子
[root@rocky8 ~]#vim /etc/rsyslog.conf
*.info;mail.none;authpriv.none;cron.none /var/log/messages
*.info;mail.none;authpriv.none;cron.none @@10.0.0.200:514 #:514 可以省略
# The authpriv file has restricted access.
authpriv.* /var/log/secure
authpriv.* @@10.0.0.200:514 #:514 可以省略
#重启
[root@rocky8 ~]#systemctl restart rsyslog
#测试身份日志
[root@rocky8 ~]#logger "This is a test log"
[root@rocky8 ~]#cat /var/log/messages
5.重新找个机子并创建个账号,准备MySQL
[root@centos8 ~]#yum install mysql-server
#在MySQL数据库服务器上创建相关数据库和表,并授权rsyslog能连接至当前服务器
[root@centos8 ~]#mysql -uroot -p
mysql>source /data/mysql-createDB.sql
mysql>CREATE USER 'rsyslog'@'10.0.0.%' IDENTIFIED BY '123456'; -- '123456' 仅为演示,生产环境请用强密码,并尽量把 '10.0.0.%' 收窄为 rsyslog 客户端的具体地址
mysql>GRANT INSERT ON Syslog.* TO 'rsyslog'@'10.0.0.%' ; -- 最小权限:ommysql 只执行 INSERT,无需 GRANT ALL(原文为 GRANT ALL,权限过大)
#然后回到原机子查看
[root@ubuntu2204 ~]#dpkg -L rsyslog-mysql
/.
/usr
/usr/lib
/usr/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu/rsyslog
/usr/lib/x86_64-linux-gnu/rsyslog/ommysql.so
/usr/share
/usr/share/dbconfig-common
/usr/share/dbconfig-common/data
/usr/share/dbconfig-common/data/rsyslog-mysql
/usr/share/dbconfig-common/data/rsyslog-mysql/install
/usr/share/dbconfig-common/data/rsyslog-mysql/install/mysql
/usr/share/doc
/usr/share/doc/rsyslog-mysql
/usr/share/doc/rsyslog-mysql/copyright
/usr/share/rsyslog-mysql
/usr/share/rsyslog-mysql/rsyslog-mysql.conf.template
/usr/share/doc/rsyslog-mysql/NEWS.Debian.gz
/usr/share/doc/rsyslog-mysql/changelog.Debian.gz
#该 SQL 文件定义了 rsyslog 写入日志时使用的表结构(SystemEvents、SystemEventsProperties),需要拷贝到数据库服务器上执行;注意 Ubuntu 的版本不含 CREATE DATABASE,库要先手动建好
[root@ubuntu2204 ~]#cat /usr/share/dbconfig-common/data/rsyslog-mysql/install/mysql
[root@ubuntu2204 ~]#scp /usr/share/dbconfig-common/data/rsyslog-mysql/install/mysql 10.0.0.162:
The authenticity of host '10.0.0.162 (10.0.0.162)' can't be established.
ED25519 key fingerprint is SHA256:rziuY3aU2QPQ9Aj+y//KUMlP8fkRzlREsMZcUn2sRuk.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:3: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes   #首次信任某主机密钥前,应通过带外方式核对上面的指纹,避免中间人
Warning: Permanently added '10.0.0.162' (ED25519) to the list of known hosts.
root@10.0.0.162's password:
mysql 100% 1038 797.1KB/s 00:00
#然后在另一边创建数据库
mysql> create database rsyslog;
Query OK, 1 row affected (0.00 sec)
#然后把刚才的文件读进来,放在家目录里了
mysql> ! ls /root
anaconda-ks.cfg hellodb_innodb.sql mysql
mysql> use rsyslog ;
Database changed
mysql> source mysql
Query OK, 0 rows affected (0.04 sec)
Query OK, 0 rows affected (0.01 sec)
然后查看表,存在
mysql> show tables;
+------------------------+
| Tables_in_rsyslog |
+------------------------+
| SystemEvents |
| SystemEventsProperties |
+------------------------+
2 rows in set (0.01 sec)
#账号需已存在(前面步骤用 CREATE USER 创建过;MySQL 8.0 起 GRANT 不再隐式创建用户,用户不存在会报 ERROR 1410),这里只做授权;ommysql 只执行 INSERT,按最小权限授予即可
mysql> grant insert on rsyslog.* to rsyslog@'10.0.0.%';
Query OK, 0 rows affected (0.01 sec)
#回到 ubuntu2204(rsyslog 客户端),加载 ommysql 输出模块
[root@ubuntu2204 ~]#dpkg -L rsyslog-mysql
/.
/usr
/usr/lib
/usr/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu/rsyslog
/usr/lib/x86_64-linux-gnu/rsyslog/ommysql.so #om表示输出
#rsyslog.conf 默认没有加载 ommysql,需要自己加一行
[root@ubuntu2204 ~]#vim /etc/rsyslog.conf
module(load="ommysql")
#转发规则写在 /etc/rsyslog.d/50-default.conf 里,要改哪类日志就改对应的那一行;该文件里含数据库密码,应 chmod 640 防止本机普通用户读取
[root@ubuntu2004 ~]#vim /etc/rsyslog.d/50-default.conf
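auth,authpriv.* /var/log/auth.log
# Legacy ommysql action: :ommysql:<host>,<database>,<user>,<password>.
# The password sits in clear text in this file, so keep it root-only
# (chmod 640 /etc/rsyslog.d/50-default.conf); the usual 644 leaks it to
# every local user. Replace the demo password with a strong one.
auth,authpriv.* :ommysql:10.0.0.162,rsyslog,rsyslog,123456
*.*;auth,authpriv.none -/var/log/syslog
# Fixed selector: "*.*info" is not a valid facility.priority pair and rsyslog
# rejects the line. "*.info" records info and above, keeping debug-level
# noise out of the database (the local file above still gets everything).
*.info;auth,authpriv.none :ommysql:10.0.0.162,rsyslog,rsyslog,123456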
#重启
[root@ubuntu2004 ~]#systemctl restart rsyslog.service
成功!可在数据库服务器上执行 select count(*) from SystemEvents; 或再用 logger 发一条测试消息,确认日志确实写入了表中
lastb 读取 /var/log/btmp 列出失败的登录尝试,可用来发现口令猜解/暴力破解(成功登录用 last 查看)
Logrotate 日志转储
logrotate 程序是一个日志文件管理工具。用来把旧的日志文件删除,并创建新的日志文件,称为日志转储或滚动。可以根据日志文件的大小,也可以根据其天数来转储,这个过程一般通过 cron 程序来执行
软件包:logrotate
相关文件
- 计划任务:/etc/cron.daily/logrotate
- 程序文件:/usr/sbin/logrotate
- 配置文件: /etc/logrotate.conf
- 状态文件:/var/lib/logrotate/logrotate.status(记录每个日志上次转储的时间,Ubuntu 上为 /var/lib/logrotate/status;它不是日志本身)
Logrotate 配置范例(nginx 需要自己安装)
范例: 设置nginx的日志转储
cat /etc/logrotate.d/nginx
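/var/log/nginx/*.log {
    daily
    rotate 100
    missingok
    compress
    delaycompress
    notifempty
    # Fixed the owner typo ("ngnix" is an unknown user and makes logrotate
    # reject this config) and dropped world-read: access logs contain client
    # IPs and request URLs.
    create 0640 nginx nginx
    # Run postrotate once for the whole glob instead of once per matched
    # file, so nginx receives a single USR1 (reopen logs).
    sharedscripts
    postrotate
        if [ -f /app/nginx/logs/nginx.pid ]; then
            kill -USR1 "$(cat /app/nginx/logs/nginx.pid)"
        fi
    endscript
}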
范例: nginx安装内置转储规则
[root@ubuntu2204 ~]#cat /etc/logrotate.d/nginx
/var/log/nginx/*.log {
daily
missingok
rotate 14
compress
delaycompress
notifempty
create 0640 www-data adm
sharedscripts
prerotate
if [ -d /etc/logrotate.d/httpd-prerotate ]; then
run-parts /etc/logrotate.d/httpd-prerotate;
fi
endscript
postrotate
invoke-rc.d nginx rotate >/dev/null 2>&1
endscript
}
[root@rocky8 ~]#cat /etc/logrotate.d/nginx
/var/log/nginx/*log {
create 0664 nginx root
daily
rotate 10
missingok
notifempty
compress
sharedscripts
postrotate
/bin/kill -USR1 `cat /run/nginx.pid 2>/dev/null` 2>/dev/null || true
endscript
}
范例:Ubuntu22.04 日志转储
[root@ubuntu2204 log]#dd if=/dev/zero of=/var/log/test/test1.log bs=2M count=1
记录了1+0 的读入
记录了1+0 的写出
2097152字节(2.1 MB,2.0 MiB)已复制,0.00407152 s,515 MB/s
[root@ubuntu2204 log]#dd if=/dev/zero of=/var/log/test/test2.log bs=2M count=1
记录了1+0 的读入
记录了1+0 的写出
2097152字节(2.1 MB,2.0 MiB)已复制,0.0036199 s,579 MB/s
[root@ubuntu2204 log]#cd
[root@ubuntu2204 ~]#ls /var/log/test/*
/var/log/test/test1.log /var/log/test/test2.log
[root@ubuntu2204 ~]#cat /etc/logrotate.d/test1
/var/log/test/test1.log {
daily
rotate 5
compress
delaycompress
missingok
size 1M
notifempty
create 0640 bin daemon
sharedscripts
postrotate
echo `date +%F_%T` >> /data/test1.log
endscript
}
#手动转储
[root@ubuntu2204 ~]#logrotate /etc/logrotate.d/test1
#查看结果
[root@ubuntu2204 ~]#ll /var/log/test/
总用量 2056
drwxr-xr-x 2 600 root 4096 11月 18 12:22 ./
drwxrwxr-x 12 root syslog 4096 11月 18 12:14 ../
-rw-r----- 1 bin daemon 0 11月 18 12:22 test1.log
-rw-r--r-- 1 root root 2097152 11月 18 12:21 test1.log.1
#添加日志
[root@ubuntu2204 ~]#dd if=/dev/zero of=/var/log/test/test1.log bs=1M count=2
#手动转储
[root@ubuntu2204 ~]#logrotate /etc/logrotate.d/test1
#观察结果,发现延迟压缩
[root@ubuntu2204 ~]#ll /var/log/test/
总用量 2060
drwxr-xr-x 2 600 root 4096 11月 18 12:23 ./
drwxrwxr-x 12 root syslog 4096 11月 18 12:14 ../
-rw-r----- 1 bin daemon 0 11月 18 12:23 test1.log
-rw-r----- 1 bin daemon 2097152 11月 18 12:23 test1.log.1
-rw-r--r-- 1 root root 2067 11月 18 12:21 test1.log.2.gz
[root@ubuntu2204 ~]#cat /data/test1.log
2022-11-18_12:22:40
2022-11-18_12:23:07
范例:对指定日志手动执行日志转储
#生成测试日志
[root@centos8 ~]#dd if=/dev/zero of=/var/log/test1.log bs=2M count=1
1+0 records in
1+0 records out
2097152 bytes (2.1 MB, 2.0 MiB) copied, 0.00291879 s, 719 MB/s
[root@centos8 ~]#dd if=/dev/zero of=/var/log/test2.log bs=2M count=1
1+0 records in
1+0 records out
2097152 bytes (2.1 MB, 2.0 MiB) copied, 0.00200561 s, 1.0 GB/s
#针对不同的日志创建转储配置文件
#Ubuntu需加下面两行:su 指定转储时切换到的用户/组(logrotate 认为日志所在目录或文件的属主/权限不安全时会拒绝转储,以防目录属主借转储篡改文件,需用 su 声明);sharedscripts 让 postrotate 只执行一次
su bin syslog
sharedscripts
[root@centos8 ~]#cat /etc/logrotate.d/test1
/var/log/test1.log {
daily
rotate 5
compress
delaycompress
missingok
size 1M
notifempty
create 640 bin daemon
postrotate
echo `date +%F_%T` >> /data/test1.log
endscript
}
[root@centos8 ~]#cat /etc/logrotate.d/test2
/var/log/test2.log {
daily
rotate 5
compress
delaycompress
missingok
size 1M
notifempty
create 644 root root
postrotate
echo `date +%F_%T` >> /data/test2.log
endscript
}
#针对一个测试日志,手动执行日志转储
[root@centos8 ~]#logrotate /etc/logrotate.d/test1
[root@centos8 ~]#ll /var/log/test*
-rw-r----- 1 bin daemon 0 Dec 14 16:38 /var/log/test1.log
-rw-r--r-- 1 root root 2097152 Dec 14 16:35 /var/log/test1.log.1
-rw-r--r-- 1 root root 2097152 Dec 14 16:36 /var/log/test2.log
[root@centos8 ~]#ls /data
test1.log
[root@centos8 ~]#cat /data/test1.log
2019-11-12_14:00:14
#对所有日志进行手动转储
[root@centos8 ~]#logrotate /etc/logrotate.conf
[root@centos8 ~]#ll /var/log/test*
-rw-r--r-- 1 bin daemon 0 Nov 12 14:00 /var/log/test1.log
-rw-r--r-- 1 root root 2097152 Nov 12 13:59 /var/log/test1.log.1
-rw-r--r-- 1 root root 0 Nov 12 14:01 /var/log/test2.log
-rw-r--r-- 1 root root 2097152 Nov 12 13:59 /var/log/test2.log-20191112
[root@centos8 ~]#ls /data
test1.log test2.log
[root@centos8 ~]#cat /data/test1.log
2019-11-12_14:01:51
今天分享的学习到此结束,谢谢观阅!