Logs record all kinds of things that happen on a system every day, and they are what you use to monitor the system's condition and to troubleshoot its faults. Through the logs you can find out why an error occurred, or find the traces left behind when the system was attacked. The main functions of logging are auditing and monitoring: watching the state of the system in real time, and detecting and tracking intruders.

The system file you will check most often is /var/log/messages, the core system log file.
## Linux system logs

- /var/log/messages
- /etc/logrotate.conf, the log rotation (log splitting) configuration file
- /var/log/dmesg
- the `last` command, which reads /var/log/wtmp
- the `lastb` command, which shows users whose logins failed; its file is /var/log/btmp
- /var/log/secure
## /var/log/messages

This is the log file you will look at most often: the core system log file. It contains the boot messages written at startup and the other status messages the running system produces; I/O errors, network errors and other system errors are all recorded in this file.

```
[root@yzllinux123 ~]# less /var/log/messages    # view the contents of the system log file
Jan 29 07:01:01 yzllinux123 systemd: Started Session 3 of user root.
Jan 29 07:01:01 yzllinux123 systemd: Starting Session 3 of user root.
Jan 29 07:12:33 yzllinux123 systemd-logind: Removed session 1.
Jan 29 07:12:33 yzllinux123 systemd: Removed slice User Slice of root.
Jan 29 07:12:33 yzllinux123 systemd: Stopping User Slice of root.
Jan 29 07:12:40 yzllinux123 systemd: Created slice User Slice of root.
Jan 29 07:12:40 yzllinux123 systemd: Starting User Slice of root.
Jan 29 07:12:40 yzllinux123 systemd: Started Session 4 of user root.
Jan 29 07:12:40 yzllinux123 systemd-logind: New session 4 of user root.
```

## /etc/logrotate.conf (log rotation configuration file)
```
[root@yzllinux123 ~]# cat /etc/logrotate.conf    # view the contents of the log rotation configuration file
# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# use date as a suffix of the rotated file
dateext

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
    minsize 1M
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
}

# system-specific logs may be also be configured here.
```
```
[root@yzllinux123 ~]# du -sh /etc/logrotate.conf    # du -sh shows the size of the rotation configuration file
4.0K	/etc/logrotate.conf
```

## The dmesg command

It displays the system's boot messages; if one of your hardware devices (a network card, for example) has a problem, this command will show that too.
```
[root@yzllinux123 ~]# dmesg | head    # list the system hardware messages
[    0.000000] Initializing cgroup subsys cpuset
[    0.000000] Initializing cgroup subsys cpu
[    0.000000] Initializing cgroup subsys cpuacct
[    0.000000] Linux version 3.10.0-123.el7.x86_64 () (gcc version 4.8.2 20140120 (Red Hat 4.8.2-16) (GCC) ) #1 SMP Mon Jun 30 12:09:22 UTC 2014
[    0.000000] Command line: BOOT_IMAGE=/vmlinuz-3.10.0-123.el7.x86_64 root=UUID=50cdeab8-cfd2-475a-b77a-8f9e904b4fa6 ro vconsole.keymap=us crashkernel=auto vconsole.font=latarcyrheb-sun16 rhgb quiet.UTF-8
[    0.000000] Disabled fast string operations
[    0.000000] e820: BIOS-provided physical RAM map:
[    0.000000] BIOS-e820: [mem 0x0000000000000000-0x000000000009efff] usable
[    0.000000] BIOS-e820: [mem 0x000000000009f000-0x000000000009ffff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000000ca000-0x00000000000cbfff] reserved
```

## The /var/log/dmesg log

This file records the messages from system boot.
```
[root@yzllinux123 ~]# cat /var/log/dmesg | head    # the system boot log
[    0.000000] Initializing cgroup subsys cpuset
[    0.000000] Initializing cgroup subsys cpu
[    0.000000] Initializing cgroup subsys cpuacct
[    0.000000] Linux version 3.10.0-123.el7.x86_64 () (gcc version 4.8.2 20140120 (Red Hat 4.8.2-16) (GCC) ) #1 SMP Mon Jun 30 12:09:22 UTC 2014
[    0.000000] Command line: BOOT_IMAGE=/vmlinuz-3.10.0-123.el7.x86_64 root=UUID=50cdeab8-cfd2-475a-b77a-8f9e904b4fa6 ro vconsole.keymap=us crashkernel=auto vconsole.font=latarcyrheb-sun16 rhgb quiet.UTF-8
[    0.000000] Disabled fast string operations
[    0.000000] e820: BIOS-provided physical RAM map:
[    0.000000] BIOS-e820: [mem 0x0000000000000000-0x000000000009efff] usable
[    0.000000] BIOS-e820: [mem 0x000000000009f000-0x000000000009ffff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000000ca000-0x00000000000cbfff] reserved
```

## The last command: view successful logins
```
[root@yzllinux123 ~]# last | head    # history of successful logins: who logged in, how, when, etc.
root     pts/0        192.168.12.1     Thu Feb  1 05:00   still logged in
reboot   system boot  3.10.0-123.el7.x Thu Feb  1 04:59 - 06:04  (01:05)
root     pts/0        192.168.12.1     Mon Jan 29 07:12 - crash  (2+21:46)
root     pts/0        192.168.12.1     Mon Jan 29 05:01 - 07:12  (02:10)
reboot   system boot  3.10.0-123.el7.x Mon Jan 29 05:01 - 06:04  (3+01:03)
root     pts/0        192.168.12.1     Fri Jan 26 08:00 - crash  (2+21:00)
reboot   system boot  3.10.0-123.el7.x Fri Jan 26 07:58 - 06:04  (5+22:05)
root     tty1                          Fri Jan 26 07:58 - 07:58  (00:00)
root     pts/0        192.168.12.1     Fri Jan 26 07:29 - down   (00:28)
reboot   system boot  3.10.0-123.el7.x Fri Jan 26 07:28 - 07:58  (00:29)
```

## lastb

`lastb` records the failed login attempts.
```
[root@yzllinux123 ~]# lastb | head    # failed login information
btmp begins Thu Feb  1 05:32:02 2018
```
## /var/log/secure

Records authentication, authorization and related information.

```
[root@yzllinux123 ~]# cat /var/log/secure
Jan 29 07:12:33 yzllinux123 sshd[2131]: pam_unix(sshd:session): session closed for user root
Jan 29 07:12:40 yzllinux123 sshd[2538]: Accepted password for root from 192.168.12.1 port 52861 ssh2
Jan 29 07:12:40 yzllinux123 sshd[2538]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb  1 04:59:25 yzllinux123 polkitd[677]: Loading rules from directory /etc/polkit-1/rules.d
Feb  1 04:59:25 yzllinux123 polkitd[677]: Loading rules from directory /usr/share/polkit-1/rules.d
Feb  1 04:59:25 yzllinux123 polkitd[677]: Finished loading, compiling and executing 2 rules
Feb  1 04:59:25 yzllinux123 polkitd[677]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Feb  1 04:59:31 yzllinux123 sshd[1107]: Server listening on 0.0.0.0 port 22.
Feb  1 04:59:31 yzllinux123 sshd[1107]: Server listening on :: port 22.
Feb  1 05:00:11 yzllinux123 sshd[2128]: Accepted password for root from 192.168.12.1 port 51159 ssh2
Feb  1 05:00:11 yzllinux123 sshd[2128]: pam_unix(sshd:session): session opened for user root by (uid=0)
```
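As an added example that is not part of the original post, the shell script below runs over lines in the /var/log/secure format shown above and summarises sshd login results per source address, marking addresses with repeated failures. The sample lines (including the `Failed password` entries, which the excerpt above does not contain), the function names and the threshold are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise sshd authentication
# results from a file in the /var/log/secure format. SAMPLE_SECURE below is
# constructed test data; point audit_secure at the real file on a host.

SAMPLE_SECURE='Feb  1 05:00:11 yzllinux123 sshd[2128]: Accepted password for root from 192.168.12.1 port 51159 ssh2
Feb  1 05:00:11 yzllinux123 sshd[2128]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb  1 05:03:40 yzllinux123 sshd[2201]: Failed password for root from 192.168.12.77 port 40210 ssh2
Feb  1 05:03:42 yzllinux123 sshd[2201]: Failed password for root from 192.168.12.77 port 40210 ssh2
Feb  1 05:03:45 yzllinux123 sshd[2203]: Failed password for invalid user admin from 192.168.12.77 port 40214 ssh2
Feb  1 05:03:49 yzllinux123 sshd[2205]: Failed password for invalid user test from 192.168.12.77 port 40218 ssh2
Feb  1 05:04:02 yzllinux123 sshd[2207]: Accepted publickey for deploy from 192.168.12.50 port 41000 ssh2'

# audit_secure FILE [THRESHOLD]
# Prints one line per source address, "<ip> accepted=<n> failed=<n>", and
# appends " ALERT" when the failed count reaches THRESHOLD (default 3).
audit_secure() {
    awk -v thr="${2:-3}" '
        # Only sshd "Accepted ..." / "Failed ..." lines carry a login result;
        # pam_unix session lines and other daemons (polkitd etc.) are skipped.
        index($5, "sshd[") == 1 && ($6 == "Accepted" || $6 == "Failed") {
            ip = ""
            for (i = 7; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "") next
            if ($6 == "Accepted") ok[ip]++; else bad[ip]++
            seen[ip] = 1
        }
        END {
            for (ip in seen) {
                flag = (bad[ip] + 0 >= thr) ? " ALERT" : ""
                printf "%s accepted=%d failed=%d%s\n", ip, ok[ip] + 0, bad[ip] + 0, flag
            }
        }' "$1" | sort
}

# audit_sample: run the audit over the constructed lines with threshold 3.
audit_sample() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_SECURE" > "$tmp"
    audit_secure "$tmp" 3
    rm -f "$tmp"
}

audit_sample
```

On a real host, run `audit_secure /var/log/secure` (optionally with a second argument to change the threshold); rotated copies such as /var/log/secure-<date> can be passed the same way.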
## The screen tool (virtual terminal)

To keep a task from being interrupted, besides staying logged in the whole time, we can also push the task into the background: run it with `nohup`, send its output to a log, and end the command with `&`.

Another option is the screen virtual terminal.

First install screen: `yum install -y screen`

Once it is installed, just type `screen` and press Enter to enter the virtual terminal.

Then press Ctrl+A followed by d to leave (detach from) the screen session.

`screen -ls` lists the screen sessions that are already open.

`screen -r <session id>` reopens a screen session.

`exit` ends the screen session.
This article is reposted from the yzllinux blog; original link: http://blog.51cto.com/12947851/2067548. Contact the original author before reproducing it.