linux系统日志

##日志记录系统每天发生的各种各样的事情，比如监控系统的状况，排查系统的故障等。你可以通过日志来检查错误发生的原因，或者受到攻击时留下的痕迹。日志的主要功能是审计和监测，还有实时的监测系统状态，监测和追踪入侵者

## 经常查看的系统文件是 /var/log/message,它是系统核心日志文件

Linux系统日志

./var/log/messages

./etc/logrotate.conf 日志分割文件

./var/log/dmesg

./last 命令，调用的是/var/log/wtmp

./lastb命令查看登录失败的用户，对应的文件是/var/log/btmp

./var/logsecure

/var/log/messages  这个是经常查看的日志文件  核心系统日志文件，包含启动时间的引导消息，以及系统运行的其他状态消息，I/O错误 网络错误和其他系统错误都会记录到这个文件下

[root@yzllinux123 ~]# less /var/log/messages    #查看系统日志文件的信息
Jan 29 07:01:01 yzllinux123 systemd: Started Session 3 of user root.
Jan 29 07:01:01 yzllinux123 systemd: Starting Session 3 of user root.
Jan 29 07:12:33 yzllinux123 systemd-logind: Removed session 1.
Jan 29 07:12:33 yzllinux123 systemd: Removed slice User Slice of root.
Jan 29 07:12:33 yzllinux123 systemd: Stopping User Slice of root.
Jan 29 07:12:40 yzllinux123 systemd: Created slice User Slice of root.
Jan 29 07:12:40 yzllinux123 systemd: Starting User Slice of root.
Jan 29 07:12:40 yzllinux123 systemd: Started Session 4 of user root.
Jan 29 07:12:40 yzllinux123 systemd-logind: New session 4 of user root.

/etc/logrotate.conf  #日志切割配置文件

[root@yzllinux123 ~]# cat /etc/logrotate.conf  #查看日志切割配置文件内容
# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# use date as a suffix of the rotated file
dateext

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
 minsize 1M
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
}

# system-specific logs may be also be configured here.

[root@yzllinux123 ~]# cat /etc/logrotate.conf  #查看日志切割配置文件
# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# use date as a suffix of the rotated file
dateext

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
 minsize 1M
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
}

# system-specific logs may be also be configured here.

[root@yzllinux123 ~]# du -sh /etc/logrotate.conf   #du -sh 查看切割文件的大小
4.0K /etc/logrotate.conf

dmesg 命令  它可以显示系统的启动信息，如果你的某个硬件有问题（比如有网卡），这个命令也可以看到

[root@yzllinux123 ~]# dmesg |head   #列出系统硬件信息
[    0.000000] Initializing cgroup subsys cpuset
[    0.000000] Initializing cgroup subsys cpu
[    0.000000] Initializing cgroup subsys cpuacct
[    0.000000] Linux version 3.10.0-123.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.2 20140120 (Red Hat 4.8.2-16) (GCC) ) #1 SMP Mon Jun 30 12:09:22 UTC 2014
[    0.000000] Command line: BOOT_IMAGE=/vmlinuz-3.10.0-123.el7.x86_64 root=UUID=50cdeab8-cfd2-475a-b77a-8f9e904b4fa6 ro vconsole.keymap=us crashkernel=auto vconsole.font=latarcyrheb-sun16 rhgb quiet.UTF-8
[    0.000000] Disabled fast string operations
[    0.000000] e820: BIOS-provided physical RAM map:
[    0.000000] BIOS-e820: [mem 0x0000000000000000-0x000000000009efff] usable
[    0.000000] BIOS-e820: [mem 0x000000000009f000-0x000000000009ffff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000000ca000-0x00000000000cbfff] reserved
[root@yzllinux123 ~]# ^C

/var/log/dmesg  日志  #  记录系统启动的日志

[root@yzllinux123 ~]# cat /var/log/dmesg |head    #系统启动日志
[    0.000000] Initializing cgroup subsys cpuset
[    0.000000] Initializing cgroup subsys cpu
[    0.000000] Initializing cgroup subsys cpuacct
[    0.000000] Linux version 3.10.0-123.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.2 20140120 (Red Hat 4.8.2-16) (GCC) ) #1 SMP Mon Jun 30 12:09:22 UTC 2014
[    0.000000] Command line: BOOT_IMAGE=/vmlinuz-3.10.0-123.el7.x86_64 root=UUID=50cdeab8-cfd2-475a-b77a-8f9e904b4fa6 ro vconsole.keymap=us crashkernel=auto vconsole.font=latarcyrheb-sun16 rhgb quiet.UTF-8
[    0.000000] Disabled fast string operations
[    0.000000] e820: BIOS-provided physical RAM map:
[    0.000000] BIOS-e820: [mem 0x0000000000000000-0x000000000009efff] usable
[    0.000000] BIOS-e820: [mem 0x000000000009f000-0x000000000009ffff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000000ca000-0x00000000000cbfff] reserved

last 命令  查看正确的登录

[root@yzllinux123 ~]# last |head  #查看正确的登录历史  谁 怎么登录 时间 等
root     pts/0        192.168.12.1     Thu Feb  1 05:00   still logged in   
reboot   system boot  3.10.0-123.el7.x Thu Feb  1 04:59 - 06:04  (01:05)    
root     pts/0        192.168.12.1     Mon Jan 29 07:12 - crash (2+21:46)   
root     pts/0        192.168.12.1     Mon Jan 29 05:01 - 07:12  (02:10)    
reboot   system boot  3.10.0-123.el7.x Mon Jan 29 05:01 - 06:04 (3+01:03)   
root     pts/0        192.168.12.1     Fri Jan 26 08:00 - crash (2+21:00)   
reboot   system boot  3.10.0-123.el7.x Fri Jan 26 07:58 - 06:04 (5+22:05)   
root     tty1                          Fri Jan 26 07:58 - 07:58  (00:00)    
root     pts/0        192.168.12.1     Fri Jan 26 07:29 - down   (00:28)    
reboot   system boot  3.10.0-123.el7.x Fri Jan 26 07:28 - 07:58  (00:29)

lastb  #记录的是登录失败的信息

[root@yzllinux123 ~]# lastb |head  #登录错误的信息

btmp begins Thu Feb  1 05:32:02 2018

/var/log/secure  #记录验证和授权等方面的信息

[root@yzllinux123 ~]# cat /var/log/secure
Jan 29 07:12:33 yzllinux123 sshd[2131]: pam_unix(sshd:session): session closed for user root
Jan 29 07:12:40 yzllinux123 sshd[2538]: Accepted password for root from 192.168.12.1 port 52861 ssh2
Jan 29 07:12:40 yzllinux123 sshd[2538]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb  1 04:59:25 yzllinux123 polkitd[677]: Loading rules from directory /etc/polkit-1/rules.d
Feb  1 04:59:25 yzllinux123 polkitd[677]: Loading rules from directory /usr/share/polkit-1/rules.d
Feb  1 04:59:25 yzllinux123 polkitd[677]: Finished loading, compiling and executing 2 rules
Feb  1 04:59:25 yzllinux123 polkitd[677]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Feb  1 04:59:31 yzllinux123 sshd[1107]: Server listening on 0.0.0.0 port 22.
Feb  1 04:59:31 yzllinux123 sshd[1107]: Server listening on :: port 22.
Feb  1 05:00:11 yzllinux123 sshd[2128]: Accepted password for root from 192.168.12.1 port 51159 ssh2
Feb  1 05:00:11 yzllinux123 sshd[2128]: pam_unix(sshd:session): session opened for user root by (uid=0)

screen 工具  (虚拟终端)

为了不让一个任务中断 除了我们一直在线  还可以把任务丢在后台运行  使用：nohup +运行的日志 +&

还有一个办法 就是 screen  虚拟终端

首先我们需要安装screen  # yum install -y screen

安装完成之后，我们只需要输入#screen  然后回车 就进入虚拟终端

然后按Ctrl +A键 在按d 键退出screen会话

#screen -ls #是查看已经打开的screen 会话

#screen -r +编号  #是再次打开screen会话

#exit 是结束screen会话

本文转自 yzllinux 51CTO博客，原文链接：http://blog.51cto.com/12947851/2067548，如需转载请自行联系原作者