linux系統日誌

##日誌記錄系統每天發生的各種各樣的事情，比如監控系統的狀況，排查系統的故障等。你可以通過日誌來檢查錯誤發生的原因，或者受到***時留下的痕跡。日誌的主要功能是審計和監測，還有實時的監測系統狀態，監測和追蹤***者

## 經常查看的系統文件是 /var/log/message,它是系統核心日誌文件

Linux系統日誌

./var/log/messages

./etc/logrotate.conf 日誌分割文件

./var/log/dmesg

./last 命令，調用的是/var/log/wtmp

./lastb命令查看登錄失敗的用戶，對應的文件是/var/log/btmp

./var/logsecure

/var/log/messages  這個是經常查看的日誌文件  核心系統日誌文件，包含啓動時間的引導消息，以及系統運行的其他狀態消息，I/O錯誤 網絡錯誤和其他系統錯誤都會記錄到這個文件下

[root@yzllinux123 ~]# less /var/log/messages    #查看系統日誌文件的信息
Jan 29 07:01:01 yzllinux123 systemd: Started Session 3 of user root.
Jan 29 07:01:01 yzllinux123 systemd: Starting Session 3 of user root.
Jan 29 07:12:33 yzllinux123 systemd-logind: Removed session 1.
Jan 29 07:12:33 yzllinux123 systemd: Removed slice User Slice of root.
Jan 29 07:12:33 yzllinux123 systemd: Stopping User Slice of root.
Jan 29 07:12:40 yzllinux123 systemd: Created slice User Slice of root.
Jan 29 07:12:40 yzllinux123 systemd: Starting User Slice of root.
Jan 29 07:12:40 yzllinux123 systemd: Started Session 4 of user root.
Jan 29 07:12:40 yzllinux123 systemd-logind: New session 4 of user root.

/etc/logrotate.conf  #日誌切割配置文件

[root@yzllinux123 ~]# cat /etc/logrotate.conf  #查看日誌切割配置文件內容
# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# use date as a suffix of the rotated file
dateext

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
 minsize 1M
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
}

# system-specific logs may be also be configured here.

[root@yzllinux123 ~]# cat /etc/logrotate.conf  #查看日誌切割配置文件
# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# use date as a suffix of the rotated file
dateext

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
 minsize 1M
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
}

# system-specific logs may be also be configured here.

[root@yzllinux123 ~]# du -sh /etc/logrotate.conf   #du -sh 查看切割文件的大小
4.0K /etc/logrotate.conf

dmesg 命令  它可以顯示系統的啓動信息，如果你的某個硬件有問題（比如有網卡），這個命令也可以看到

[root@yzllinux123 ~]# dmesg |head   #列出系統硬件信息
[    0.000000] Initializing cgroup subsys cpuset
[    0.000000] Initializing cgroup subsys cpu
[    0.000000] Initializing cgroup subsys cpuacct
[    0.000000] Linux version 3.10.0-123.el7.x86_64 ([email protected]) (gcc version 4.8.2 20140120 (Red Hat 4.8.2-16) (GCC) ) #1 SMP Mon Jun 30 12:09:22 UTC 2014
[    0.000000] Command line: BOOT_IMAGE=/vmlinuz-3.10.0-123.el7.x86_64 root=UUID=50cdeab8-cfd2-475a-b77a-8f9e904b4fa6 ro vconsole.keymap=us crashkernel=auto vconsole.font=latarcyrheb-sun16 rhgb quiet.UTF-8
[    0.000000] Disabled fast string operations
[    0.000000] e820: BIOS-provided physical RAM map:
[    0.000000] BIOS-e820: [mem 0x0000000000000000-0x000000000009efff] usable
[    0.000000] BIOS-e820: [mem 0x000000000009f000-0x000000000009ffff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000000ca000-0x00000000000cbfff] reserved
[root@yzllinux123 ~]# ^C

/var/log/dmesg  日誌  #  記錄系統啓動的日誌

[root@yzllinux123 ~]# cat /var/log/dmesg |head    #系統啓動日誌
[    0.000000] Initializing cgroup subsys cpuset
[    0.000000] Initializing cgroup subsys cpu
[    0.000000] Initializing cgroup subsys cpuacct
[    0.000000] Linux version 3.10.0-123.el7.x86_64 ([email protected]) (gcc version 4.8.2 20140120 (Red Hat 4.8.2-16) (GCC) ) #1 SMP Mon Jun 30 12:09:22 UTC 2014
[    0.000000] Command line: BOOT_IMAGE=/vmlinuz-3.10.0-123.el7.x86_64 root=UUID=50cdeab8-cfd2-475a-b77a-8f9e904b4fa6 ro vconsole.keymap=us crashkernel=auto vconsole.font=latarcyrheb-sun16 rhgb quiet.UTF-8
[    0.000000] Disabled fast string operations
[    0.000000] e820: BIOS-provided physical RAM map:
[    0.000000] BIOS-e820: [mem 0x0000000000000000-0x000000000009efff] usable
[    0.000000] BIOS-e820: [mem 0x000000000009f000-0x000000000009ffff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000000ca000-0x00000000000cbfff] reserved

last 命令  查看正確的登錄

[root@yzllinux123 ~]# last |head  #查看正確的登錄歷史  誰 怎麼登錄 時間 等
root     pts/0        192.168.12.1     Thu Feb  1 05:00   still logged in  
reboot   system boot  3.10.0-123.el7.x Thu Feb  1 04:59 - 06:04  (01:05)   
root     pts/0        192.168.12.1     Mon Jan 29 07:12 - crash (2+21:46)  
root     pts/0        192.168.12.1     Mon Jan 29 05:01 - 07:12  (02:10)   
reboot   system boot  3.10.0-123.el7.x Mon Jan 29 05:01 - 06:04 (3+01:03)  
root     pts/0        192.168.12.1     Fri Jan 26 08:00 - crash (2+21:00)  
reboot   system boot  3.10.0-123.el7.x Fri Jan 26 07:58 - 06:04 (5+22:05)  
root     tty1                          Fri Jan 26 07:58 - 07:58  (00:00)   
root     pts/0        192.168.12.1     Fri Jan 26 07:29 - down   (00:28)   
reboot   system boot  3.10.0-123.el7.x Fri Jan 26 07:28 - 07:58  (00:29)

lastb  #記錄的是登錄失敗的信息

[root@yzllinux123 ~]# lastb |head  #登錄錯誤的信息

btmp begins Thu Feb  1 05:32:02 2018

/var/log/secure  #記錄驗證和授權等方面的信息

[root@yzllinux123 ~]# cat /var/log/secure
Jan 29 07:12:33 yzllinux123 sshd[2131]: pam_unix(sshd:session): session closed for user root
Jan 29 07:12:40 yzllinux123 sshd[2538]: Accepted password for root from 192.168.12.1 port 52861 ssh2
Jan 29 07:12:40 yzllinux123 sshd[2538]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb  1 04:59:25 yzllinux123 polkitd[677]: Loading rules from directory /etc/polkit-1/rules.d
Feb  1 04:59:25 yzllinux123 polkitd[677]: Loading rules from directory /usr/share/polkit-1/rules.d
Feb  1 04:59:25 yzllinux123 polkitd[677]: Finished loading, compiling and executing 2 rules
Feb  1 04:59:25 yzllinux123 polkitd[677]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Feb  1 04:59:31 yzllinux123 sshd[1107]: Server listening on 0.0.0.0 port 22.
Feb  1 04:59:31 yzllinux123 sshd[1107]: Server listening on :: port 22.
Feb  1 05:00:11 yzllinux123 sshd[2128]: Accepted password for root from 192.168.12.1 port 51159 ssh2
Feb  1 05:00:11 yzllinux123 sshd[2128]: pam_unix(sshd:session): session opened for user root by (uid=0)

screen 工具  (虛擬終端)

爲了不讓一個任務中斷 除了我們一直在線  還可以把任務丟在後臺運行  使用：nohup +運行的日誌 +&

還有一個辦法 就是 screen  虛擬終端

首先我們需要安裝screen  # yum install -y screen

安裝完成之後，我們只需要輸入#screen  然後回車 就進入虛擬終端

然後按Ctrl +A鍵 在按d 鍵退出screen會話

#screen -ls #是查看已經打開的screen 會話

#screen -r +編號  #是再次打開screen會話

#exit 是結束screen會話