liunx系统日志

内容：

• /var/log/messages • /etc/logrotate.conf 日志切割配置文件 参考 • dmesg命令 • /var/log/dmesg 日志 • last命令，调用的文件/var/log/wtmp • lastb命令查看登录失败的用户，对应的文件时/var/log/btmp • /var/log/secure /var/log/messages 系统的总日志syslog； 是做故障诊断是首要查看的日志文件，系统有一个轮回机制，每一个星期切换一个日志，切换后的日志名字类似于messages-20170930，会存放在/var/log/目录下面

那系统为什么有这个切割机制呢，是因为linux系统里面有个服务 logrotate ；防止系统日志无限制增大。

---

实战：

/etc/logrotate.conf 日志切割配置文件

[root@linux-128 ~]# cat /etc/logrotate.conf# see "man logrotate" for details# rotate log files weeklyweekly                            \\每周切割一次# keep 4 weeks worth of backlogsrotate 4                            \\保留4个， 一个月# create new (empty) log files after rotating old onescreate				\\切割完后创建一个新文件# use date as a suffix of the rotated filedateext				\\后缀# uncomment this if you want your log files compressed#compress        		\\是否要压缩，.tar.gz# RPM packages drop log rotation information into this directoryinclude /etc/logrotate.d            \\还包含其他目录/etc/logrotate.d# no packages own wtmp and btmp -- we'll rotate them here/var/log/wtmp {    monthly	    create 0664 root utmp	minsize 1M    rotate 1}/var/log/btmp {    missingok    monthly    create 0600 root utmp    rotate 1}# system-specific logs may be also be configured here.

我们看下刚配置文件里面提到的/etc/logrotate.d

[root@linux-128 ~]# ls /etc/logrotate.dchrony  ppp  syslog  wpa_supplicant  yum

查看/logrotate.d/目录下面的 syslog

[root@linux-128 ~]# cat /etc/logrotate.logrotate.conf  logrotate.d/[root@linux-128 ~]# cat /etc/logrotate.d/syslog/var/log/cron    /var/log/maillog/var/log/messages/var/log/secure/var/log/spooler{    missingok    sharedscripts    postrotate	/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true    endscript}

/var/log/messages对应的服务是syslogd，/bin/kill -HUP重启

---

dmesh命令

• 显示系统的启动信息，如果你的某个硬件有问题比如网卡，这个命令就可以查看到

• dmesh -c 清楚内容

---

安全日志

last 命令

• last 命令是来查看历史正确的登陆信息，调用的文件是/var/log/wtmp，这个文件是二进制文件，不能用cat，more，less，head，tail查看

• lastd 命令是查看历史登陆失败的信息，调用文件是/var/log/btmp

/var/log/secure 文件也是登陆相关的日志，里面也会记录正确和失败登陆信息，比如遇到暴力破解都可以看到

[root@linux-128 ~]# tail -5  /var/log/secureApr  4 12:51:13 linux-128 polkitd[545]: Acquired the name org.freedesktop.PolicyKit1 on the system busApr  4 12:51:34 linux-128 sshd[1333]: Server listening on 0.0.0.0 port 22.Apr  4 12:51:34 linux-128 sshd[1333]: Server listening on :: port 22.Apr  4 12:52:56 linux-128 sshd[2737]: Accepted publickey for root from 192.168.88.1 port 49461 ssh2: RSA 96:50:9f:6b:eb:62:48:cf:ef:f2:51:6f:bc:03:9e:72Apr  4 12:52:56 linux-128 sshd[2737]: pam_unix(sshd:session): session opened for user root by (uid=0)

实验：A机器上 用tail -f /var/log/secure 动态查看；B机器上远程链接A机器

ssh ；然后密码输入错误，A机器上就能查看出来

---

screen命令

内容：

• 为了不让一个任务意外中断 • nohup command & • screen是一个虚拟终端 • yum install -y screen • screen直接回车就进入了虚拟终端 • ctral a组合键再按d退出虚拟终端，但不是结束 • screen -ls 查看虚拟终端列表 • screen -r id 进入指定的终端 • screen -S aming • screen -r aming • screen -wipe aming #删除会话

---

实战：

[root@linux-128 ~]# screen[detached from 2863.pts-0.linux-128][1]+  完成                  nohup sleep 100[root@linux-128 ~]# screen -lsThere is a screen on:	2863.pts-0.linux-128	(Detached)1 Socket in /var/run/screen/S-root.[root@linux-128 ~]# screen[detached from 2882.pts-0.linux-128][root@linux-128 ~]# screen -lsThere are screens on:	2882.pts-0.linux-128	(Detached)	2863.pts-0.linux-128	(Detached)2 Sockets in /var/run/screen/S-root.[root@linux-128 ~]# screen -r 2882[detached from 2882.pts-0.linux-128][root@linux-128 ~]# screen -S "wuzhou"[detached from 2917.wuzhou][root@linux-128 ~]# screen -lsThere are screens on:	2917.wuzhou	(Detached)	2900.pts-0.linux-128	(Detached)	2882.pts-0.linux-128	(Detached)	2863.pts-0.linux-128	(Detached)4 Sockets in /var/run/screen/S-root.[root@linux-128 ~]# screen -r wuzhou[detached from 2917.wuzhou]

如果想关闭某个screen，先进入指定的screen，输入ctrl+d 或者 输入exit退出