linux日志、日志轮转

• 哪类程序产生的时系统日志？
• 产生的什么日志？
• 放在什么地方？

1. rsyslogd：系统专职日志程序
2. 各类应用程序，可用以自己的方式记录日志

[root@localhost ~]# ps aux|grep rsyslogd
root       666  0.0  0.2 216424  7232 ?        Ssl  03:51   0:00 /usr/sbin/rsyslogd -n
root       956  0.0  0.0  12528   972 pts/0    R+   04:04   0:00 grep --color=auto rsyslogd

• 系统日志路径：/var/log/messages
  不要关注内容，涉及知识面较为广泛，只有专业的运维才合适熟悉其中内容

• 安全认证相关日志：/var/log/secure

• yum相关日志:/var/log/yum.log

• 安装：yum install rsyslog logrotate（默认已安装）
• 启动程序：systemctl start rsyslog.service
• 查看进程启动状态：systemctl status rsyslog
• 查看程序安装列表：rpm -qa
• 查看安装程序涉及到的文件：rpm -ql rsyslog
• 查看安装程序的配置文件：rpm -qc rsyslog

[root@localhost ~]# rpm -qc rsyslog
/etc/logrotate.d/syslog
/etc/rsyslog.conf
/etc/sysconfig/rsyslog

1. /etc/rsyslog.conf：rsyslogd的主配置文件（关键）
2. /etc/sysconfig/rsyslog：rsyslogd相关文件，定义级别（了解）
3. /etc/logrotate.d/syslog：日志轮转相关配置

[root@localhost ~]# cat /etc/rsyslog.conf
# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state


#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log


# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###

程序/设备 日志级别 路径
如下

#### RULES ####
# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog
# mail 的任务级别都存放日志到 /var/log/maillog

• 常用设备类型

• 日志级别

*.info;mail.none;authpriv.none;cron.none                /var/log/messages
# *.info： *代表所有程序, info代表标准输出,  表示所有设备的所有info等级日志都输出到目标位置
# mail.none： none，在日志等级中是没有的，其实意思时排除，表示mail日志不用输出到这个位置

• 日志调整后重启
  配置文件一般都已经被加载进入了内存，需要重新加载配置文件才能生效修改的配置

systemctl restart rsyslog

管理日志文件的大小，备份等，引入logrotate

• 主配置文件（全局规则）：/etc/logrotate.conf
• 子配置文件（定制规则）：/etc/logrotate.d/

cat /etc/logrotate.conf

# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# use date as a suffix of the rotated file
dateext

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
        minsize 1M
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
}

# system-specific logs may be also be configured here.

子配置文件夹中内容

ls -l /etc/logrotate.d/
total 20
-rw-r--r--. 1 root root 160 Sep 19  2018 chrony
-rw-r--r--. 1 root root 115 Apr  2  2020 samba
-rw-r--r--. 1 root root 224 Nov 27  2019 syslog
-rw-r--r--. 1 root root 100 Oct 30  2018 wpa_supplicant
-rw-r--r--. 1 root root 103 Apr  2  2020 yum

查看其中一个文件配置

cat yum
/var/log/yum.log {
    missingok
    notifempty
    maxsize 30k
    yearly
    create 0600 root root
}