• Linux Study Notes (31): System Logs


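    1. Preface

    Linux system logs don't get used all that often, so we'll just pick a few of the more common ones and go over them briefly.

    2. The logs one by one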

    2.1 /var/log/messages

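    This is a catch-all log that records messages from many services. Let's open it and take a look.

    System logs are rotated automatically by default. On my machine, for example, the file has been split like this: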

    [root@ruanwenwu-001 log]# ls /var/log/messages*
    /var/log/messages           /var/log/messages-20171219  /var/log/messages-20180122
    /var/log/messages-20171215  /var/log/messages-20171224

    The configuration file that controls rotation is /etc/logrotate.conf:

    # see "man logrotate" for details
    # rotate log files weekly
    weekly
    
    # keep 4 weeks worth of backlogs
    rotate 4
    
    # create new (empty) log files after rotating old ones
    create
    
    # use date as a suffix of the rotated file
    dateext
    
    # uncomment this if you want your log files compressed
    #compress
    
    # RPM packages drop log rotation information into this directory
    include /etc/logrotate.d
    
    # no packages own wtmp and btmp -- we'll rotate them here
    /var/log/wtmp {
        monthly
        create 0664 root utmp
        minsize 1M
        rotate 1
    }
    ...

    2.2 dmesg

    The messages this command prints are held in memory. We cover it because when hardware fails, the fault is logged here.

    [root@ruanwenwu-001 log]# dmesg|head -n 10
    [    0.000000] Initializing cgroup subsys cpuset
    [    0.000000] Initializing cgroup subsys cpu
    [    0.000000] Initializing cgroup subsys cpuacct
    [    0.000000] Linux version 3.10.0-514.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC) ) #1 SMP Tue Nov 22 16:42:41 UTC 2016
    [    0.000000] Command line: BOOT_IMAGE=/vmlinuz-3.10.0-514.el7.x86_64 root=UUID=604bc673-7f8d-4355-919f-ed6740a8efc8 ro crashkernel=auto rhgb quiet LANG=zh_CN.UTF-8
    [    0.000000] Disabled fast string operations
    [    0.000000] e820: BIOS-provided physical RAM map:
    [    0.000000] BIOS-e820: [mem 0x0000000000000000-0x000000000009ebff] usable
    [    0.000000] BIOS-e820: [mem 0x000000000009ec00-0x000000000009ffff] reserved
    [    0.000000] BIOS-e820: [mem 0x00000000000dc000-0x00000000000fffff] reserved

    Note that /var/log/dmesg has nothing to do with the dmesg command. /var/log/dmesg holds some of the system's boot-time logs.

    2.3 last

    The last command lists the successful logins on the server.

    [root@ruanwenwu-001 log]# last|head -n 10
    root     pts/0        192.168.38.1     Wed Jan 24 17:23   still logged in   
    root     pts/0        192.168.38.1     Wed Jan 24 17:23 - 17:23  (00:00)    
    root     pts/2        192.168.38.1     Mon Jan 22 15:22 - 16:19 (2+00:57)   
    root     pts/3        192.168.38.1     Mon Jan 22 15:22 - 15:22  (00:00)    
    root     pts/2        192.168.38.1     Mon Jan 22 15:21 - 15:22  (00:00)    
    root     pts/1        192.168.38.1     Mon Jan 22 15:16 - 18:00  (02:43)    
    root     pts/0        192.168.38.1     Tue Dec 26 15:53 - 17:56 (27+02:03)  
    root     tty1                          Tue Dec 26 09:03   still logged in   
    reboot   system boot  3.10.0-514.el7.x Tue Dec 26 09:03 - 18:03 (29+09:00)  
    root     pts/1        192.168.38.1     Sun Dec 24 12:16 - 17:47  (05:31)   

    The last command actually reads /var/log/wtmp.

    2.4 lastb

    lastb lists the failed logins.

    [root@ruanwenwu-001 log]# lastb|head -n 10
    root     pts/2                         Wed Jan 24 11:44 - 11:44  (00:00)    
    root     pts/2                         Wed Jan 24 11:44 - 11:44  (00:00)    
    root     pts/2                         Wed Jan 24 11:43 - 11:43  (00:00)    

    When our server comes under a brute-force attack, this is the place to look.

    2.5 /var/log/secure

    The system's security log. For example, both successful and failed logins are recorded here.
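
    The brute-force check mentioned under lastb can also be run against /var/log/secure. The script below is an added example, not part of the original post: it counts failed sshd password logins per source address and marks sources that logged in successfully after earlier failures. The log lines are constructed samples in OpenSSH's usual message format, and the function names and threshold are assumptions.

```shell
#!/bin/sh
# Added example: per-source count of failed sshd password logins.

# Constructed sample lines in the format sshd writes to /var/log/secure.
sample_secure_log() {
cat <<'EOF'
Jan 24 11:43:02 host sshd[2101]: Failed password for root from 203.0.113.7 port 50122 ssh2
Jan 24 11:43:05 host sshd[2101]: Failed password for root from 203.0.113.7 port 50122 ssh2
Jan 24 11:44:10 host sshd[2107]: Failed password for invalid user from from 203.0.113.7 port 50140 ssh2
Jan 24 11:44:31 host sshd[2110]: Failed password for root from 198.51.100.9 port 41022 ssh2
Jan 24 17:23:40 host sshd[2290]: Accepted password for root from 192.168.38.1 port 53011 ssh2
Jan 24 17:25:00 host sshd[2301]: Accepted password for root from 203.0.113.7 port 50188 ssh2
EOF
}

# failed_by_source THRESHOLD   (log lines on stdin)
# Prints "count address status" for every source with >= THRESHOLD failures.
# The address is taken relative to the end of the line ("from ADDR port N ssh2")
# so a user name such as "from" cannot be mistaken for it.
failed_by_source() {
    awk -v min="$1" '
        NF >= 5 && $(NF-4) == "from" && / sshd\[[0-9]+\]: / {
            ip = $(NF-3)
            if (/\]: Failed password for /)
                fails[ip]++
            else if (/\]: Accepted / && (ip in fails))
                hit[ip] = 1      # success after earlier failures
        }
        END {
            for (ip in fails)
                if (fails[ip] >= min) {
                    status = (ip in hit) ? "login-succeeded" : "failures-only"
                    printf "%d %s %s\n", fails[ip], ip, status
                }
        }
    ' | sort -rn
}

# On a real host: failed_by_source 5 < /var/log/secure
sample_secure_log | failed_by_source 3
```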

  • Original article: https://www.cnblogs.com/doubilaile/p/8342937.html