Linux操作系统的日志管理之rsyslog实战案例
作者:尹正杰
版权声明:原创作品,谢绝转载!否则将追究法律责任。
一.日志介绍
1>.什么是日志
历史事件:
时间,地点,人物,事件
日志级别:
事件的关键性程度,Loglevel
2>.常见的系统日志服务
sysklogd日志服务(CentOS 5及之前版本使用) syslogd: system application 记录应用日志 klogd: linux kernel 记录内核日志 事件记录格式: 日期时间 主机 进程[pid]: 事件内容 C/S架构: 通过TCP或UDP协议的服务完成日志记录传送,将分布在不同主 机的日志实现集中管理 rsyslog日志服务(CentOS6和7版本使用),其主要特性如下所示: 多线程 UDP, TCP, SSL, TLS, RELP MySQL, PGSQL, Oracle实现日志存储 强大的过滤器,可实现过滤记录日志信息中任意部分 自定义输出格式 ELK(elasticsearch, logstash, kibana) 非关系型分布式数据库 基于apache软件基金会jakarta项目组的项目lucene Elasticsearch是个开源分布式搜索引擎 Logstash对日志进行收集、分析,并将其存储供以后使用 kibana 可以提供的日志分析友好的 Web 界面
3>.博主推荐阅读
https://www.cnblogs.com/yinzhengjie/p/7745560.html
二.rsyslog介绍
1>.常见术语
[root@node101.yinzhengjie.org.cn ~]# man logger LOGGER(1) User Commands LOGGER(1) NAME logger - a shell command interface to the syslog(3) system log module SYNOPSIS logger [options] [message] DESCRIPTION logger makes entries in the system log. It provides a shell command interface to the syslog(3) system log module. OPTIONS -n, --server server Write to the specified remote syslog server instead of to the builtin syslog routines. Unless --udp or --tcp is specified the logger will first try to use UDP, but if it fails a TCP connection is attempted. -d, --udp Use datagram (UDP) only. By default the connection is tried to syslog port defined in /etc/services, which is often 514. -T, --tcp Use stream (TCP) only. By default the connection is tried to syslog-conn port defined in /etc/services, which is often 601. -P, --port port Use the specified port. When this option is not specified, the port defaults to syslog for udp and to syslog- conn for tcp connections. -i, --id Log the process ID of the logger process with each line. -f, --file file Log the contents of the specified file. This option cannot be combined with a command-line message. -h, --help Display a help text and exit. -p, --priority priority Enter the message into the log with the specified priority. The priority may be specified numerically or as a facility.level pair. For example, -p local3.info logs the message as informational in the local3 facility. The default is user.notice. -S, --size size Sets the maximum permitted message size. The default is 1KiB, which is the limit traditionally used and specified in RFC 3164. When selecting a maximum message size, it is important to ensure that the receiver supports the max size as well, otherwise messages may become truncated. -s, --stderr Output the message to standard error as well as to the system log. -t, --tag tag Mark every line to be logged with the specified tag. The default tag is the name of the user logged in on the terminal (or a user name based on effective user ID). -u, --socket socket Write to the specified socket instead of to the builtin syslog routines. -V, --version Display version information and exit. -- End the argument list. This is to allow the message to start with a hyphen (-). message Write the message to log; if not specified, and the -f flag is not provided, standard input is logged. The logger utility exits 0 on success, and >0 if an error occurs. FACILITIES AND LEVELS Valid facility names are: auth authpriv for security information of a sensitive nature cron daemon ftp kern cannot be generated from userspace process, automatically converted to user lpr mail news syslog user uucp local0 to local7 security deprecated synonym for auth Valid level names are: emerg alert crit err warning notice info debug panic deprecated synonym for emerg error deprecated synonym for err warn deprecated synonym for warning For the priority order and intended purposes of these facilities and levels, see syslog(3). EXAMPLES logger System rebooted logger -p local0.notice -t HOSTIDM -f /dev/idmc logger -n loghost.example.com System rebooted SEE ALSO syslog(3), syslogd(8) STANDARDS The logger command is expected to be IEEE Std 1003.2 ("POSIX.2") compatible. AVAILABILITY The logger command is part of the util-linux package and is available from Linux Kernel Archive ⟨ftp://ftp.kernel.org /pub/linux/utils/util-linux/⟩. util-linux April 2013 LOGGER(1) [root@node101.yinzhengjie.org.cn ~]# [root@node101.yinzhengjie.org.cn ~]#
2>.facility(从功能或程序上对日志进行归类)
Valid facility names are: auth authpriv for security information of a sensitive nature cron daemon ftp kern cannot be generated from userspace process, automatically converted to user lpr mail news syslog user uucp local0 to local7 security deprecated synonym for auth
3>.Priority(优先级别,从低到高排序)
Valid level names are: debug info notice warning warn deprecated synonym for warning err error deprecated synonym for err crit alert emerg panic deprecated synonym for emerg
4>.可参考帮助信息
[root@node101.yinzhengjie.org.cn ~]# man 3 syslog
三.rsyslog系统日志服务
1>.安装rsyslog软件
[root@node101.yinzhengjie.org.cn ~]# yum -y install syslog Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile epel/x86_64/metalink | 7.6 kB 00:00:00 * base: mirrors.aliyun.com * epel: mirrors.tuna.tsinghua.edu.cn * extras: mirrors.aliyun.com * updates: mirror.bit.edu.cn base | 3.6 kB 00:00:00 epel | 5.4 kB 00:00:00 extras | 2.9 kB 00:00:00 updates | 2.9 kB 00:00:00 (1/3): epel/x86_64/updateinfo | 1.0 MB 00:00:00 (2/3): updates/7/x86_64/primary_db | 5.8 MB 00:00:02 (3/3): epel/x86_64/primary_db | 6.9 MB 00:00:14 Resolving Dependencies --> Running transaction check ---> Package rsyslog.x86_64 0:8.24.0-34.el7 will be updated ---> Package rsyslog.x86_64 0:8.24.0-41.el7_7.2 will be an update --> Finished Dependency Resolution Dependencies Resolved =================================================================================================================================== Package Arch Version Repository Size =================================================================================================================================== Updating: rsyslog x86_64 8.24.0-41.el7_7.2 updates 616 k Transaction Summary =================================================================================================================================== Upgrade 1 Package Total download size: 616 k Downloading packages: Delta RPMs disabled because /usr/bin/applydeltarpm not installed. rsyslog-8.24.0-41.el7_7.2.x86_ FAILED ] 0.0 B/s | 30 kB --:--:-- ETA http://mirror.lzu.edu.cn/centos/7.7.1908/updates/x86_64/Packages/rsyslog-8.24.0-41.el7_7.2.x86_64.rpm: [Errno 12] Timeout on http://mirror.lzu.edu.cn/centos/7.7.1908/updates/x86_64/Packages/rsyslog-8.24.0-41.el7_7.2.x86_64.rpm: (28, 'Operation too slow. Less than 1000 bytes/sec transferred the last 30 seconds') Trying other mirror. rsyslog-8.24.0-41.el7_7.2.x86_64.rpm | 616 kB 00:00:00 Running transaction check Running transaction test Transaction test succeeded Running transaction Updating : rsyslog-8.24.0-41.el7_7.2.x86_64 1/2 Cleanup : rsyslog-8.24.0-34.el7.x86_64 2/2 Verifying : rsyslog-8.24.0-41.el7_7.2.x86_64 1/2 Verifying : rsyslog-8.24.0-34.el7.x86_64 2/2 Updated: rsyslog.x86_64 0:8.24.0-41.el7_7.2 Complete! [root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# rpm -qi rsyslog Name : rsyslog Version : 8.24.0 Release : 41.el7_7.2 Architecture: x86_64 Install Date: Thu 12 Dec 2019 11:05:01 PM EST Group : System Environment/Daemons Size : 2002500 License : (GPLv3+ and ASL 2.0) Signature : RSA/SHA256, Mon 21 Oct 2019 10:51:54 AM EDT, Key ID 24c6a8a7f4a80eb5 Source RPM : rsyslog-8.24.0-41.el7_7.2.src.rpm Build Date : Fri 18 Oct 2019 12:12:28 PM EDT Build Host : x86-02.bsys.centos.org Relocations : (not relocatable) Packager : CentOS BuildSystem <http://bugs.centos.org> Vendor : CentOS URL : http://www.rsyslog.com/ Summary : Enhanced system logging and kernel message trapping daemon Description : Rsyslog is an enhanced, multi-threaded syslog daemon. It supports MySQL, syslog/TCP, RFC 3195, permitted sender lists, filtering on any message part, and fine grain output format control. It is compatible with stock sysklogd and can be used as a drop-in replacement. Rsyslog is simple to set up, with advanced features suitable for enterprise-class, encryption-protected syslog relay chains. [root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# rpm -ql rsyslog /etc/logrotate.d/syslog /etc/pki/rsyslog /etc/rsyslog.conf /etc/rsyslog.d /etc/sysconfig/rsyslog /usr/bin/rsyslog-recover-qi.pl /usr/lib/systemd/system/rsyslog.service /usr/lib64/rsyslog /usr/lib64/rsyslog/imdiag.so /usr/lib64/rsyslog/imfile.so /usr/lib64/rsyslog/imjournal.so /usr/lib64/rsyslog/imklog.so /usr/lib64/rsyslog/immark.so /usr/lib64/rsyslog/impstats.so /usr/lib64/rsyslog/imptcp.so /usr/lib64/rsyslog/imtcp.so /usr/lib64/rsyslog/imudp.so /usr/lib64/rsyslog/imuxsock.so /usr/lib64/rsyslog/lmnet.so /usr/lib64/rsyslog/lmnetstrms.so /usr/lib64/rsyslog/lmnsd_ptcp.so /usr/lib64/rsyslog/lmregexp.so /usr/lib64/rsyslog/lmstrmsrv.so /usr/lib64/rsyslog/lmtcpclt.so /usr/lib64/rsyslog/lmtcpsrv.so /usr/lib64/rsyslog/lmzlibw.so /usr/lib64/rsyslog/mmanon.so /usr/lib64/rsyslog/mmcount.so /usr/lib64/rsyslog/mmexternal.so /usr/lib64/rsyslog/mmutf8fix.so /usr/lib64/rsyslog/omjournal.so /usr/lib64/rsyslog/ommail.so /usr/lib64/rsyslog/omprog.so /usr/lib64/rsyslog/omruleset.so /usr/lib64/rsyslog/omstdout.so /usr/lib64/rsyslog/omtesting.so /usr/lib64/rsyslog/omuxsock.so /usr/lib64/rsyslog/pmaixforwardedfrom.so /usr/lib64/rsyslog/pmcisconames.so /usr/lib64/rsyslog/pmlastmsg.so /usr/lib64/rsyslog/pmrfc3164sd.so /usr/lib64/rsyslog/pmsnare.so /usr/sbin/rsyslogd /usr/share/doc/rsyslog-8.24.0 /usr/share/doc/rsyslog-8.24.0/AUTHORS /usr/share/doc/rsyslog-8.24.0/COPYING /usr/share/doc/rsyslog-8.24.0/COPYING.ASL20 /usr/share/doc/rsyslog-8.24.0/COPYING.LESSER /usr/share/doc/rsyslog-8.24.0/ChangeLog /usr/share/man/man5/rsyslog.conf.5.gz /usr/share/man/man8/rsyslogd.8.gz /var/lib/rsyslog [root@node101.yinzhengjie.org.cn ~]#
2>.rsyslog服务概述
程序包: rsyslog 主程序: /usr/sbin/rsyslogd CentOS 6: service rsyslog {start|stop|restart|status} CentOS 7: /usr/lib/systemd/system/rsyslog.service 配置文件: /etc/rsyslog.conf,/etc/rsyslog.d/*.conf 库文件: /lib64/rsyslog/*.so
[root@node101.yinzhengjie.org.cn ~]# systemctl status rsyslog ● rsyslog.service - System Logging Service Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled) Active: active (running) since Thu 2019-12-12 23:05:01 EST; 16min ago Docs: man:rsyslogd(8) http://www.rsyslog.com/doc/ Main PID: 13400 (rsyslogd) CGroup: /system.slice/rsyslog.service └─13400 /usr/sbin/rsyslogd -n Dec 12 23:05:01 node101.yinzhengjie.org.cn systemd[1]: Starting System Logging Service... Dec 12 23:05:01 node101.yinzhengjie.org.cn rsyslogd[13400]: [origin software="rsyslogd" swVersion="8.24.0-41.el7_7.2" x-pi...start Dec 12 23:05:01 node101.yinzhengjie.org.cn systemd[1]: Started System Logging Service. Hint: Some lines were ellipsized, use -l to show in full. [root@node101.yinzhengjie.org.cn ~]# [root@node101.yinzhengjie.org.cn ~]#
3>./etc/rsyslog.conf的配置文件格式
/etc/rsyslog.conf的配置文件格式是由三部分组成,如下所示: MODULES: 相关模块配置 GLOBAL DIRECTIVES: 全局配置 RULES: 日志记录相关的规则配置 默认配置文件参数说明(红色的表示MODULES相关配置,蓝色的表示全局配置,粉色的表示日志记录相关规则配置): [root@node101.yinzhengjie.org.cn ~]# egrep -v "^#|^$" /etc/rsyslog.conf $ModLoad imuxsock #支持本地系统日志记录 $ModLoad imjournal #提供对系统日志的访问 $WorkDirectory /var/lib/rsyslog #指定日志存放为止 $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat #使用默认时间戳格式 $IncludeConfig /etc/rsyslog.d/*.conf #加载"/etc/rsyslog.d/*.conf "配置文件 $OmitLocalLogging on #通过本地日志套接字关闭消息接收,本地消息现在通过imjournal检索。 $IMJournalStateFile imjournal.state #在日志中存储位置的文件 *.info;mail.none;authpriv.none;cron.none /var/log/messages #记录info级别或更高级别的任何内容(邮件,身份验证,周期性任务日志除外,因为下面已经有单独将他们存放在指定的配置文件啦),不要记录私人身份验证消息哟,系统默认记录在"/var/log/messages" authpriv.* /var/log/secure #把权限认证的所有日志级别均记录到"/var/log/secure"文件中。 mail.* -/var/log/maillog #有邮件所有日志级别均记录到"/var/log/maillog"文件中,其中前面的"-"表示异步写入文件。 cron.* /var/log/cron #记录cron服务的所有日志级别到"/var/log/cron"文件中。 *.emerg :omusrmsg:* #每个人都会收到紧急(emerg)信息 uucp,news.crit /var/log/spooler #将crit及更高级别的新闻错误保存在"/var/log/spooler" local7.* /var/log/boot.log #将启动消息也保存到"/var/log/boot.log" [root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /etc/rsyslog.conf # rsyslog configuration file # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html #### MODULES #### # The imjournal module bellow is now used as a message source instead of imuxsock. $ModLoad imuxsock # provides support for local system logging (e.g. via logger command) $ModLoad imjournal # provides access to the systemd journal #$ModLoad imklog # reads kernel messages (the same are read from journald) #$ModLoad immark # provides --MARK-- message capability # Provides UDP syslog reception #$ModLoad imudp #$UDPServerRun 514 # Provides TCP syslog reception #$ModLoad imtcp #$InputTCPServerRun 514 #### GLOBAL DIRECTIVES #### # Where to place auxiliary files $WorkDirectory /var/lib/rsyslog # Use default timestamp format $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat # File syncing capability is disabled by default. This feature is usually not required, # not useful and an extreme performance hit #$ActionFileEnableSync on # Include all config files in /etc/rsyslog.d/ $IncludeConfig /etc/rsyslog.d/*.conf # Turn off message reception via local log socket; # local messages are retrieved through imjournal now. $OmitLocalLogging on # File to store the position in the journal $IMJournalStateFile imjournal.state #### RULES #### # Log all kernel messages to the console. # Logging much else clutters up the screen. #kern.* /dev/console # Log anything (except mail) of level info or higher. # Don't log private authentication messages! *.info;mail.none;authpriv.none;cron.none /var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure # Log all the mail messages in one place. mail.* -/var/log/maillog # Log cron stuff cron.* /var/log/cron # Everybody gets emergency messages *.emerg :omusrmsg:* # Save news errors of level crit and higher in a special file. uucp,news.crit /var/log/spooler # Save boot messages also to boot.log local7.* /var/log/boot.log # ### begin forwarding rule ### # The statement between the begin ... end define a SINGLE forwarding # rule. They belong together, do NOT split them. If you create multiple # forwarding rules, duplicate the whole block! # Remote Logging (we use TCP for reliable delivery) # # An on-disk queue is created for this action. If the remote host is # down, messages are spooled to disk and sent when it is up again. #$ActionQueueFileName fwdRule1 # unique name prefix for spool files #$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible) #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown #$ActionQueueType LinkedList # run asynchronously #$ActionResumeRetryCount -1 # infinite retries if host is down # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional #*.* @@remote-host:514 # ### end of the forwarding rule ### [root@node101.yinzhengjie.org.cn ~]#
4>.RULES配置格式
RULES配置格式: facility.priority; facility.priority... target facility: *: 所有的facility facility1,facility2,facility3,...:指定的facility列表 priority: *: 所有级别 none:没有级别,即不记录 PRIORITY:指定级别(含)以上的所有级别 =PRIORITY:仅记录指定级别的日志信息 target: 文件路径:通常在/var/log/,文件路径前的-表示异步写入,一般不推荐将重要的日志异步写入,所谓的异步写入是指先将数据库写入buffer,间隔时间断后才真正写入磁盘,可能存在丢失日志的风险,但写入效率高。 用户:将日志事件通知给指定的用户,* 表示登录的所有用户 日志服务器:@host,把日志送往至指定的远程服务器记录 管道: | COMMAND,转发给其它命令处理
四.配置sshd服务的日志案例(前提是sshd服务有调用rsyslog服务的日志接口,如果你自己开发的软件不支持则rsyslog就管不着啦,比如apache,nginx均有自己的日志实现方式,它们不用系统日志记录)
1>.修改sshd服务默认的日志类型并通过rsyslog服务记录
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/ssh/sshd_config |grep SyslogFacility #我们直到sshd服务将日志类别定义为"AUTHPRIV" SyslogFacility AUTHPRIV [root@node101.yinzhengjie.org.cn ~]# [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/rsyslog.conf |grep authpriv #我们查看rsyslog服务将"AUTHPRIV"类别的日志单独记录到"/var/log/secure"文件中 *.info;mail.none;authpriv.none;cron.none /var/log/messages authpriv.* /var/log/secure [root@node101.yinzhengjie.org.cn ~]# [root@node101.yinzhengjie.org.cn ~]# [root@node101.yinzhengjie.org.cn ~]# tail -20 /var/log/secure #的确如此,我们在该日志文件中找到了有关sshd服务的日志,但除了sshd日志外还有其他服务对应"AUTHPRIV"日志级别的信息也保存到该文件啦。 Dec 12 19:13:09 node101 sshd[981]: Accepted password for root from 172.30.1.2 port 62044 ssh2 Dec 12 19:13:09 node101 sshd[981]: pam_unix(sshd:session): session opened for user root by (uid=0) Dec 12 19:48:45 node101 su: PAM unable to dlopen(/usr/lib64/security/pam_fprintd.so): /usr/lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory Dec 12 19:48:45 node101 su: PAM adding faulty module: /usr/lib64/security/pam_fprintd.so Dec 12 19:48:45 node101 su: pam_unix(su-l:session): session opened for user yinzhengjie by root(uid=0) Dec 12 19:50:40 node101 su: pam_unix(su-l:session): session closed for user yinzhengjie Dec 12 20:09:40 node101 sshd[981]: pam_systemd(sshd:session): Failed to release session: Interrupted system call Dec 12 20:09:40 node101 sshd[981]: pam_unix(sshd:session): session closed for user root Dec 12 20:12:36 node101 sshd[4562]: Accepted password for root from 172.30.1.2 port 62441 ssh2 Dec 12 20:12:36 node101 sshd[4562]: pam_unix(sshd:session): session opened for user root by (uid=0) Dec 12 20:51:47 node101 useradd[6579]: new group: name=jason, GID=1001 Dec 12 20:51:47 node101 useradd[6579]: new user: name=jason, UID=1001, GID=1001, home=/home/jason, shell=/bin/bash Dec 12 20:53:18 node101 userdel[6663]: delete user 'jason' Dec 12 20:53:18 node101 userdel[6663]: removed group 'jason' owned by 'jason' Dec 12 20:53:18 node101 userdel[6663]: removed shadow group 'jason' owned by 'jason' Dec 12 22:03:16 node101 sshd[4562]: pam_unix(sshd:session): session closed for user root Dec 12 22:06:15 node101 sshd[10398]: Accepted password for root from 172.30.1.2 port 64529 ssh2 Dec 12 22:06:15 node101 sshd[10398]: pam_unix(sshd:session): session opened for user root by (uid=0) Dec 12 23:04:05 node101 sshd[13301]: Accepted password for root from 172.30.1.2 port 49462 ssh2 Dec 12 23:04:05 node101 sshd[13301]: pam_unix(sshd:session): session opened for user root by (uid=0) [root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/ssh/sshd_config |grep SyslogFacility #默认sshd的日志类别为AUTHPRIV SyslogFacility AUTHPRIV [root@node101.yinzhengjie.org.cn ~]# [root@node101.yinzhengjie.org.cn ~]# vim /etc/ssh/sshd_config [root@node101.yinzhengjie.org.cn ~]# [root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/ssh/sshd_config |grep SyslogFacility #我们将默认的日志类注释掉,我们直到local0-7是可以自定义的日志类别,而local7已经被保存boot日志了,因此我们可用的只有local0-6啦,于是我这里将sshd服务日志类型定义为自定义类型local0。 SyslogFacility local0 [root@node101.yinzhengjie.org.cn ~]# [root@node101.yinzhengjie.org.cn ~]# grep local0 /etc/rsyslog.conf #我们将自定义日志类型local0对应的所有日志级别日志记录到"/var/log/sshd.log"中 local0.* /var/log/sshd.log [root@node101.yinzhengjie.org.cn ~]# [root@node101.yinzhengjie.org.cn ~]# ll /var/log/sshd.log #我们发现修改了配置文件后并没有生成"/var/log/sshd.log"文件,那是因为配置还没有生效,需要重启服务 ls: cannot access /var/log/sshd.log: No such file or directory [root@node101.yinzhengjie.org.cn ~]# [root@node101.yinzhengjie.org.cn ~]# systemctl restart sshd rsyslog #注意,咱们修改了sshd服务和rsyslog服务的配置文件,因此我们需要重启这2个服务 [root@node101.yinzhengjie.org.cn ~]# [root@node101.yinzhengjie.org.cn ~]# ll /var/log/sshd.log #我们重启服务后就存在该文件啦 -rw------- 1 root root 143 Dec 13 00:26 /var/log/sshd.log [root@node101.yinzhengjie.org.cn ~]# [root@node101.yinzhengjie.org.cn ~]# cat /var/log/sshd.log #重启后发现文件立即就记录类容啦 Dec 13 00:26:23 node101 sshd[17428]: Server listening on 0.0.0.0 port 22. Dec 13 00:26:23 node101 sshd[17428]: Server listening on :: port 22. [root@node101.yinzhengjie.org.cn ~]# [root@node101.yinzhengjie.org.cn ~]# ssh 127.0.0.1 #于是我们使用ssh连接一下本机在观察日志是否有记录 The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established. ECDSA key fingerprint is SHA256:uv+7B8M+Muy0u0bnGOplDlSUE4lRiinkGDgEdRk7ChA. ECDSA key fingerprint is MD5:b8:16:3f:d7:e2:7d:68:70:f5:bf:d2:d0:0c:af:db:16. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts. root@127.0.0.1's password: Last login: Thu Dec 12 23:04:05 2019 from 172.30.1.2 [root@node101.yinzhengjie.org.cn ~]# [root@node101.yinzhengjie.org.cn ~]# exit logout Connection to 127.0.0.1 closed. [root@node101.yinzhengjie.org.cn ~]# [root@node101.yinzhengjie.org.cn ~]# cat /var/log/sshd.log #果不其然,的确有日志记录啦~ Dec 13 00:26:23 node101 sshd[17428]: Server listening on 0.0.0.0 port 22. Dec 13 00:26:23 node101 sshd[17428]: Server listening on :: port 22. Dec 13 00:27:21 node101 sshd[17480]: Accepted password for root from 127.0.0.1 port 58598 ssh2 Dec 13 00:27:26 node101 sshd[17480]: Received disconnect from 127.0.0.1 port 58598:11: disconnected by user Dec 13 00:27:26 node101 sshd[17480]: Disconnected from 127.0.0.1 port 58598 [root@node101.yinzhengjie.org.cn ~]# [root@node101.yinzhengjie.org.cn ~]#
2>.logger命令使用案例
[root@node101.yinzhengjie.org.cn ~]# logger -p local0.info "ssh event start" #我们往local0日志类型发一条info级别信息,消息内容为"ssh event start" [root@node101.yinzhengjie.org.cn ~]# [root@node101.yinzhengjie.org.cn ~]# tail -1 /var/log/sshd.log #很显然,上面的日志被rsyslog服务记录到local0类型所对应存储的位置了 Dec 13 00:33:53 node101 root: ssh event start [root@node101.yinzhengjie.org.cn ~]# [root@node101.yinzhengjie.org.cn ~]#
五.远程日志收集
1>.启用网络日志服务
2>.
3>.