Linux 系统日志

/var/log/messages

核心系统日志文件，包含了系统启动时的引导消息，以及系统运行时的其他状态消息。I/O错误、网络错误和其他系统错误都会记录到这个文件中。

故障诊断时首先要查看的文件

守护进程：rsyslogd这个进程关闭后，就不产生/var/log/messages日志

通过logrotate工具的控制来实现日志切割每星期切割一次

logrotate工具配置文件：/etc/logrotate.conf

[root@jinkai rsync]# cat /etc/logrotate.conf

.# see "man logrotate" for details

.# rotate log files weekly

weekly

.# keep 4 weeks worth of backlogs

rotate 4

.# create new (empty) log files after rotating old ones

create

.# use date as a suffix of the rotated file

dateext

.# uncomment this if you want your log files compressed

#compress

.# RPM packages drop log rotation information into this directory

include /etc/logrotate.d

.# no packages own wtmp and btmp -- we'll rotate them here

/var/log/wtmp {

monthly

create 0664 root utmp

minsize 1M

rotate 1

}

/var/log/btmp {

missingok

monthly

create 0600 root utmp

rotate 1

}

.# system-specific logs may be also be configured here.

[root@jinkai rsync]#

dmesg命令

显示系统启动的信息，如果你的硬件有故障，这个命令可以查看

[root@jinkai rsync]# dmesg | head -5

[ 0.000000] Initializing cgroup subsys cpuset

[ 0.000000] Initializing cgroup subsys cpu

[ 0.000000] Initializing cgroup subsys cpuacct

[ 0.000000] Linux version 3.10.0-957.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC) ) #1 SMP Thu Nov 8 23:39:32 UTC 2018

[ 0.000000] Command line: BOOT_IMAGE=/vmlinuz-3.10.0-957.el7.x86_64 root=/dev/mapper/centos-root ro crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet LANG=zh_CN.UTF-8

[root@jinkai rsync]#

安全日志

last命令查看登录linux的历史信息(读取的是/var/log/wtmp)

[root@jinkai rsync]# last |head -5

root pts/0 192.168.111.1 Tue Sep 1 12:28 still logged in

root pts/0 192.168.111.1 Mon Aug 31 21:41 - 10:45 (13:03)

reboot system boot 3.10.0-957.el7.x Mon Aug 31 21:41 - 23:45 (1+02:03)

root pts/0 192.168.111.1 Mon Aug 31 21:35 - 21:36 (00:00)

reboot system boot 3.10.0-957.el7.x Mon Aug 31 21:35 - 23:45 (1+02:09)

从左至右依次为账户名称、登录终端、登录客户端IP、登录日期及时长

lastb

查看登录失败的日志信息，调用文件/var/log/btmp

[root@jinkai rsync]# lastb

root ssh:notty 192.168.111.137 Tue Sep 1 23:51 - 23:51 (00:00)

root ssh:notty 192.168.111.137 Tue Sep 1 23:51 - 23:51 (00:00)

btmp begins Tue Sep 1 23:51:24 2020

/var/log/secure

登录系统成功或者失败时，相关的信息都会记录在这个日志里

[root@jinkai rsync]# head -5 /var/log/secure

Aug 30 22:08:04 jinkai groupadd[7798]: group added to /etc/group: name=tcpdump, GID=72

Aug 30 22:08:04 jinkai groupadd[7798]: group added to /etc/gshadow: name=tcpdump

Aug 30 22:08:04 jinkai groupadd[7798]: new group: name=tcpdump, GID=72

Aug 30 22:08:04 jinkai useradd[7803]: new user: name=tcpdump, UID=72, GID=72, home=/, shell=/sbin/nologin

Aug 30 22:11:11 jinkai sshd[7843]: Connection closed by 192.168.111.1 port 61342 [preauth]

screen 工具介绍

screen是一个可以在多个进程之间多路复用一个物理终端的窗口管理器

用户可以在一个screen会话中创建多个screen窗口，在每一个screen窗口中就像操作一个真实的SSH连接窗口一样

安装包

yum install -y screen

新建一个screen终端

screen

在终端运行脚本或命令后

切换回正常模式

先按ctrl+a键，按完后再按d键(只是退出，并没有结束，结束screen会话要按Ctrl+D键或者输入exit)

查看screen的id

screen -ls

[root@jinkai rsync]# screen -ls

There are screens on:

10889.pts-0.jinkai (Detached)

10874.pts-0.jinkai (Detached)

2 Sockets in /var/run/screen/S-root.

返回其中一个screen

格式：screen -r ID号

[root@jinkai rsync]# screen -r 10889

新建一个别名screen，方便寻找所需要的screen

screen -S jinkai

[root@jinkai rsync]# screen -S jinkai

[detached from 10908.jinkai]

[root@jinkai rsync]# screen -ls

There are screens on:

10908.jinkai (Detached)

10889.pts-0.jinkai (Detached)

10874.pts-0.jinkai (Detached)

3 Sockets in /var/run/screen/S-root.

[root@jinkai rsync]# screen -r jinkai

[detached from 10908.jinkai

nohup

运行脚本sh时，只在当前终端显示生效，一旦断开终端也就是ssh，那么脚本就会失效；

那么可以使用nohup 掉到后台执行sh脚本，断开终端也能执行；

格式：

nohup sh 脚本目录 &

nohup sh /usr/local/sbin/sleep.sh &