SDB:System Logs

This article introduces the basics of system logs and shows how to manage them with syslogd and logwatch.

What system logs are for

System logs are the voice of the system. To find out what has happened on a system, we often have to turn to its logs. Whether for system security or for troubleshooting, we need to be able to read the system logs.

In particular, if you ask for help with a problem on a forum or elsewhere, providing detailed error logs will undoubtedly help you get the problem solved better and faster.

Linux system logging is very flexible: you can control which information is recorded and where it is stored. You can also send messages to users or to another host, and there are tools that monitor the logs for you.

Before that, though, let's cover some basics of system logging, and then look at two commonly used tools: syslogd and logwatch.

Basics

Normally, system logs are stored in the /var/log directory. We can go there and see what it contains with this command:

ls /var/log

Among other things, we will notice the following files.

boot.log  zypper.log  Xorg.0.log  Xorg.0.log.old

These are all log files, and we can look at their contents. Take boot.log, for example:

cat /var/log/boot.log

You will see something like the following:

Trying manual resume from /dev/disk/by-id/ata-HITACHI_HTS545050A7E380_TA9512GZJYWBMV-part10
Invoking userspace resume from /dev/disk/by-id/ata-HITACHI_HTS545050A7E380_TA9512GZJYWBMV-part10
resume: libgcrypt version: 1.5.0
Trying manual resume from /dev/disk/by-id/ata-HITACHI_HTS545050A7E380_TA9512GZJYWBMV-part10
Invoking in-kernel resume from /dev/disk/by-id/ata-HITACHI_HTS545050A7E380_TA9512GZJYWBMV-part10
Waiting for device /dev/root to appear:  ok
fsck from util-linux 2.21.2
[/sbin/fsck.ext4 (1) -- /] fsck.ext4 -a /dev/sda5 
top: clean, 29428/3276800 files, 489152/13106688 blocks
fsck succeeded. Mounting root device read-write.
Mounting root /dev/root
mount -o rw,acl,user_xattr -t ext4 /dev/root /root
fsck from util-linux 2.21.2
[/sbin/fsck.ext4 (1) -- /dev/sda7] fsck.ext4 -a /dev/sda7 
uer: clean, 530677/6553600 files, 4054121/26213888 blocks
Mounting /usr

Welcome to openSUSE 12.3 (Dartmouth) (i586)!

[ SKIP ] Ordering cycle found, skip Syslog
         Starting Collect Read-Ahead Data...
         Starting Replay Read-Ahead Data...
[  OK  ] Reached target Remote File Systems.
[  OK  ] Listening on Delayed Shutdown Socket.
[  OK  ] Listening on /dev/initctl Compatibility Named Pipe.
[  OK  ] Reached target Encrypted Volumes.
[  OK  ] Listening on udev Kernel Socket.


This is only part of it; you will also see errors or warnings, for example:

[FAILED] Failed to start LSB: VirtualBox Linux Additions kernel modules.
See 'systemctl status vboxadd.service' for details.

All this information can help us fix problems.


Let's look at another one:

cat /var/log/zypper.log

The output looks like this:

2013-06-17 12:57:23 <1> linux-nirvana.site(6546) [zypp] TargetImpl.cc(~TargetImpl):816 Targets closed
2013-06-17 12:57:23 <1> linux-nirvana.site(6546) [zypp] RpmDb.cc(~RpmDb):242 ~RpmDb()
2013-06-17 12:57:23 <1> linux-nirvana.site(6546) [zypp] RpmDb.cc(~RpmDb):245 ~RpmDb() end


This one is not as clear as the one above, but you will still find that it follows a fixed pattern. In fact, every log follows some rules; in the example above, the first field is obviously the timestamp, and in the middle is the hostname and so on. You can also use sed and AWK to format the output of these logs. Of course, you can configure which information gets written, and you can have the logs sent to you automatically instead of checking them each time. These topics are covered later.

Logs can also be viewed through YaST:

YaST -> Miscellaneous -> System Log

Just enter the location of the log file at the top. From my observation, though, the output is not as readable as what cat produces, so it is still worth learning a few commands.
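As an added example (not from the original article), here is the field extraction the text suggests doing with sed and AWK, written in Python against the zypper.log line layout shown above. The input is constructed: the three lines from the page plus one made-up line with a different pid, level and component so the per-component summary has two groups.

```python
import re
from collections import Counter

# Constructed input: the page's three zypper.log lines plus one made-up line.
SAMPLE_ZYPPER_LOG = """\
2013-06-17 12:57:23 <1> linux-nirvana.site(6546) [zypp] TargetImpl.cc(~TargetImpl):816 Targets closed
2013-06-17 12:57:23 <1> linux-nirvana.site(6546) [zypp] RpmDb.cc(~RpmDb):242 ~RpmDb()
2013-06-17 12:57:23 <1> linux-nirvana.site(6546) [zypp] RpmDb.cc(~RpmDb):245 ~RpmDb() end
2013-06-17 12:58:01 <3> linux-nirvana.site(6601) [zypp::repo] RepoManager.cc(refreshMetadata):1207 refresh failed (constructed line)
"""

# Layout: date time <level> host(pid) [component] file(function):line message
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"<(?P<level>\d+)> (?P<host>[^\s(]+)\((?P<pid>\d+)\) "
    r"\[(?P<component>[^\]]+)\] (?P<source>\S+) (?P<message>.*)$"
)


def parse_zypper_log(text):
    """Return one dict per well-formed line; lines that do not fit are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def count_by_component(records):
    """Messages per (host, component): a quick view of which part logged most."""
    return Counter((r["host"], r["component"]) for r in records)


def with_level_at_least(records, min_level):
    """Records whose numeric <level> field is at least min_level."""
    return [r for r in records if int(r["level"]) >= min_level]
```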


In the same directory we will also see files like this:

zypper.log-20130522.xz

This is obviously a compressed file; if you cp it to your home directory and extract it, you will find that it also contains log entries. Logs grow continuously, which takes up disk space, and very old logs are of little value, so the system packs up older logs and cleans them out periodically. When they are packed and when they are deleted is, of course, under your control.

syslogd

Installation

The package is in the repositories, so just install it:

zypper in syslogd 

Configuration

The configuration file is:

/etc/syslog.conf

Let's look at its contents.

# /etc/syslog.conf - Configuration file for syslogd(8)
#
# For info about the format of this file, see "man syslog.conf".
#

#
#
# print most on tty10 and on the xconsole pipe
#
kern.warning;*.err;authpriv.none         /dev/tty10
kern.warning;*.err;authpriv.none        |/dev/xconsole
*.emerg                          *

# enable this, if you want that root is informed
# immediately, e.g. of logins
#*.alert                                 root
 
 
#
# all email-messages in one file
#
mail.*                          -/var/log/mail
mail.info                       -/var/log/mail.info
mail.warning                    -/var/log/mail.warn
mail.err                         /var/log/mail.err
 
#
# all news-messages
#
# these files are rotated and examined by "news.daily"
news.crit                       -/var/log/news/news.crit
news.err                        -/var/log/news/news.err
news.notice                     -/var/log/news/news.notice
# enable this, if you want to keep all news messages
# in one file
#news.*                         -/var/log/news.all 
   
 
#
# Warnings in one file
#
*.=warning;*.=err               -/var/log/warn
*.crit                           /var/log/warn
 
#
# save the rest in one file
#
*.*;mail.none;news.none         -/var/log/messages
 
#
# enable this, if you want to keep all messages
# in one file
#*.*                            -/var/log/allmessages
 
#
# Some foreign boot scripts require local7
#
local0,local1.*                 -/var/log/localmessages
local2,local3.*                 -/var/log/localmessages
local4,local5.*                 -/var/log/localmessages
local6,local7.*                 -/var/log/localmessages 

Let me explain. Note the following lines.

kern.warning;*.err;authpriv.none         /dev/tty10
kern.warning;*.err;authpriv.none        |/dev/xconsole
*.emerg                          *
mail.*                          -/var/log/mail
mail.info                       -/var/log/mail.info
mail.warning                    -/var/log/mail.warn
mail.err                         /var/log/mail.err

First, a few syslog terms.

  1. Facility: the subsystem that sends the log message. For example, in kern.warning the facility is kern, meaning the message concerns the kernel; in mail.info the facility is mail, meaning it is related to mail.
  2. Level: put simply, this decides which messages are recorded and which are not. In kern.warning, warning is the level, so this records kernel warning messages; likewise mail.err records mail error messages.
  3. Selector: made up of one or more facility.level pairs. Messages passed to syslog are compared against the selectors in the configuration file. mail.err taken as a whole is a selector.
  4. Action: what is done with a message that matches the selector. You can write it to a file, forward it to a server, or print it on the screen.

As you can see, the first column is the selector and the second column is the destination of the message.

Below is a description of some facilities.

  • auth: activity related to asking for a user's password (su, login)
  • authpriv: same as auth, but the log records are visible only to specific users
  • console: captures messages sent directly to the system console
  • cron: messages from the cron system scheduler
  • daemon: catch-all for system daemons
  • ftp: messages related to the ftp daemon
  • kern: kernel messages
  • lpr: messages from the printing system
  • mail: mail-related messages
  • news: messages related to the network news protocol
  • ntp: messages related to the network time protocol
  • local0-local7: locally defined facilities for site use

Below is a description of the levels.

  • emerg: system is unusable
  • alert: action must be taken immediately
  • crit: critical conditions
  • err: error conditions
  • warning: warning conditions
  • notice: normal but significant conditions
  • info: informational messages
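As an added example (not from the original article), the following Python models how syslogd matches a message's facility and level against the selectors above and which actions receive it. It applies the sysklogd rules: a plain level matches that level and every more severe one, "=level" matches exactly that level, "none" drops the facility again, and "*" stands for any facility or any level. The selector lines are a constructed subset of the page's /etc/syslog.conf.

```python
# Model of syslogd selector matching; rules copied from the page's syslog.conf.
# A plain level matches that level and every more severe one, "=level" matches
# exactly, "none" drops the facility again, "*" means any facility or level.
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Constructed input: a subset of the selector lines shown on the page.
SAMPLE_CONF = """\
kern.warning;*.err;authpriv.none         /dev/tty10
kern.warning;*.err;authpriv.none        |/dev/xconsole
*.emerg                          *
mail.*                          -/var/log/mail
mail.err                         /var/log/mail.err
*.=warning;*.=err               -/var/log/warn
*.crit                           /var/log/warn
*.*;mail.none;news.none         -/var/log/messages
"""


def parse_conf(text):
    """Return (selector, action) pairs, skipping blank lines and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            selector, action = line.split(None, 1)
            rules.append((selector, action.strip()))
    return rules


def selector_matches(selector, facility, level):
    """True if a message with this facility and level matches the selector."""
    allowed = set()  # levels enabled for this facility so far
    for part in selector.split(";"):
        facs, _, lvl = part.rpartition(".")
        if facs != "*" and facility not in facs.split(","):
            continue  # this part does not concern our facility
        if lvl == "none":
            allowed.clear()  # e.g. authpriv.none: exclude the facility
        elif lvl == "*":
            allowed.update(LEVELS)
        elif lvl.startswith("="):
            allowed.add(lvl[1:])  # exact level only
        else:
            allowed.update(LEVELS[LEVELS.index(lvl):])  # level and above
    return level in allowed


def route(rules, facility, level):
    """Actions ('-' = file not synced per write, '|' = pipe, '*' = all users)."""
    return [act for sel, act in rules if selector_matches(sel, facility, level)]
```

Running route(parse_conf(SAMPLE_CONF), "authpriv", "info") shows that authpriv messages reach only -/var/log/messages, because authpriv.none removes them from the console and xconsole rules.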


logwatch

Installation

The package is in the repositories, so just install it:

zypper in logwatch

Configuration

It actually works well with no configuration at all. It runs automatically: look at the file /etc/cron.d/dmeventd, which contains the following:

30 * * * * root /usr/sbin/logwatch --service dmeventd

If you don't understand the line above, see the wiki article on automated tasks.


When you want to use the system logs more flexibly, logwatch can meet most requirements. You can create a log file definition in /etc/logwatch/conf/logfiles, define service filters in /etc/logwatch/conf/services, and create filter scripts in /etc/logwatch/scripts.

You will find a file /etc/logwatch/conf/logwatch.conf, whose content is:

# Local configuration options go here (defaults are in /usr/share/logwatch/default.conf/logwatch.conf)

Now look at the file /usr/share/logwatch/default.conf/logwatch.conf:


########################################################
# This was written and is maintained by:
#    Kirk Bauer <kirk@kaybee.org>
#
# Please send all comments, suggestions, bug reports,
#    etc, to kirk@kaybee.org.
#
########################################################
 
# NOTE:
#   All these options are the defaults if you run logwatch with no
#   command-line arguments.  You can override all of these on the
#   command-line.
 
# You can put comments anywhere you want to.  They are effective for the
# rest of the line.
 
# this is in the format of <name> = <value>.  Whitespace at the beginning
# and end of the lines is removed.  Whitespace before and after the = sign
# is removed.  Everything is case *insensitive*.
 
# Yes = True  = On  = 1
# No  = False = Off = 0
 
# Default Log Directory
# All log-files are assumed to be given relative to this directory.
LogDir = /var/log
 
# You can override the default temp directory (/tmp) here
TmpDir = /var/cache/logwatch
 
#Output/Format Options
#By default Logwatch will print to stdout in text with no encoding.
#To make email Default set Output = mail to save to file set Output = file
Output = stdout
#To make Html the default formatting Format = html
Format = text
#To make Base64 [aka uuencode] Encode = base64
Encode = none 
 
# Default person to mail reports to.  Can be a local account or a
# complete email address.  Variable Output should be set to mail, or
# --output mail should be passed on command line to enable mail feature.
MailTo = root
# WHen using option --multiemail, it is possible to specify a different
# email recipient per host processed.  For example, to send the report
# for hostname host1 to user@example.com, use:
#Mailto_host1 = user@example.com
# Multiple recipients can be specified by separating them with a space. 

# Default person to mail reports from.  Can be a local account or a
# complete email address.
MailFrom = Logwatch
 
# if set, the results will be saved in <filename> instead of mailed
# or displayed. Be sure to set Output = file also.
#Filename = /tmp/logwatch
 
# Use archives?  If set to 'Yes', the archives of logfiles
# (i.e. /var/log/messages.1 or /var/log/messages.1.gz) will
# be searched in addition to the /var/log/messages file.
# This usually will not do much if your range is set to just
# 'Yesterday' or 'Today'... it is probably best used with
# By default this is now set to Yes. To turn off Archives uncomment this.
#Archives = No
# Range = All
 
# The default time range for the report...
# The current choices are All, Today, Yesterday
Range = yesterday 
  
 
# The default detail level for the report.
# This can either be Low, Med, High or a number.
# Low = 0
# Med = 5
# High = 10
Detail = Low
 
 
# The 'Service' option expects either the name of a filter
# (in /usr/share/logwatch/scripts/services/*) or 'All'.
# The default service(s) to report on.  This should be left as All for
# most people.
Service = All
# You can also disable certain services (when specifying all)
Service = "-zz-network"     # Prevents execution of zz-network service, which
                            # prints useful network configuration info.
Service = "-zz-sys"         # Prevents execution of zz-sys service, which
                            # prints useful system configuration info.
Service = "-eximstats"      # Prevents execution of eximstats service, which
                            # is a wrapper for the eximstats program.
# If you only cared about FTP messages, you could use these 2 lines
# instead of the above:
#Service = ftpd-messages   # Processes ftpd messages in /var/log/messages
#Service = ftpd-xferlog    # Processes ftpd messages in /var/log/xferlog
# Maybe you only wanted reports on PAM messages, then you would use:
#Service = pam_pwdb        # PAM_pwdb messages - usually quite a bit
#Service = pam             # General PAM messages... usually not many
 
# You can also choose to use the 'LogFile' option.  This will cause
# logwatch to only analyze that one logfile.. for example:
#LogFile = messages
# will process /var/log/messages.  This will run all the filters that
# process that logfile.  This option is probably not too useful to
# most people.  Setting 'Service' to 'All' above analyzes all LogFiles
# anyways...

#
# By default we assume that all Unix systems have sendmail or a sendmail-like MTA.
# The mailer code prints a header with To: From: and Subject:.
# At this point you can change the mailer to anything that can handle this output
# stream.
# TODO test variables in the mailer string to see if the To/From/Subject can be set
# From here with out breaking anything. This would allow mail/mailx/nail etc..... -mgt
mailer = "/usr/sbin/sendmail -t"

#
# With this option set to 'Yes', only log entries for this particular host
# (as returned by 'hostname' command) will be processed.  The hostname
# can also be overridden on the commandline (with --hostname option).  This
# can allow a log host to process only its own logs, or Logwatch can be
# run once per host included in the logfiles.
#
# The default is to report on all log entries, regardless of its source host.
# Note that some logfiles do not include host information and will not be
# influenced by this setting.
#
#HostLimit = Yes
 
# vi: shiftwidth=3 tabstop=3 et

If you have special requirements, configure it by following the comments in that file; logwatch can produce very nicely organized log reports.