15.5 Setting up a log server

  • Using the "@IP:port" or "@@IP:port" format, logs can be sent to a remote host. This solves a real problem: when you manage dozens of servers, the main daily task is reviewing their logs, and logging in to every server one by one to read them is tedious. Instead, the logs of dozens of servers can be collected on a single log server; then you only need to log in to that one log server each day to read the logs of all of them, which is far more convenient.
  • How do we implement a log server? First we need to distinguish the server side from the client side. Assume the server has IP address 192.168.0.210 and hostname localhost.localdomain, and the client has IP address 192.168.0.211 and hostname www1. What we want is to store the logs of 192.168.0.211 on 192.168.0.210. The test procedure is as follows:
#Server side configuration (192.168.0.210):
[root@CncLucZK ~]# vi /etc/rsyslog.conf
...output omitted...
#Load the TCP module so that logs forwarded over TCP can be received on TCP port 514
# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
#Uncomment these two lines to let the server receive logs on TCP port 514
...output omitted...
[root@CncLucZK ~]# service rsyslog restart
#Restart the rsyslog log service
[root@CncLucZK ~]# netstat -tlun | grep 514
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN
#Port 514 is now open
#Client side configuration (192.168.0.211):
[root@www ~]# vi /etc/rsyslog.conf
#Edit the log service configuration file
*.* @@192.168.0.210:514
#Send all logs over TCP to port 514 on 192.168.0.210
[root@www ~]# service rsyslog restart
#Restart the log service
  • With that, the log server and client are set up; from now on every log generated on client 192.168.0.211 is recorded on 192.168.0.210. For example:
#On the client (192.168.0.211)
[root@www ~]# useradd zk
#Add user zk (the hostname in the prompt is www)
#On the server (192.168.0.210)
[root@CncLucZK ~]# vi /var/log/secure
#View the server's secure log (note: the hostname is CncLucZK)
Aug 8 23:00:57 www sshd[1408]: Server listening on 0.0.0.0 port 22.
Aug 8 23:00:57 www sshd[1408]: Server listening on :: port 22.
Aug 8 23:01:58 www sshd[1630]: Accepted password for root from 192.168.0.101 port 7036 ssh2
Aug 8 23:01:58 www sshd[1630]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 8 23:03:03 www useradd[1654]: new group: name=zk, GID=505
Aug 8 23:03:03 www useradd[1654]: new user: name=zk, UID=505, GID=505, home=/home/zk, shell=/bin/bash
Aug 8 23:03:09 www passwd: pam_unix(passwd:chauthtok): password changed for zk
#Note: the hostname in these entries is www, which shows that although we are reading the server's log file, it contains the client's log entries

Note that the log service distinguishes servers by hostname. So once the log service is configured, every server must be given a distinct hostname.
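Reading the central log by hostname, as an added example that is not part of the original post: a small Python parser for the BSD-format lines shown above that groups entries by the hostname field rsyslog uses to tell clients apart, lists account creations across all clients, and flags clients still reporting a default hostname such as localhost.localdomain, whose entries cannot be attributed to one machine. The sample log lines are constructed.

```python
import re
from collections import defaultdict

# BSD syslog line as rsyslog writes it: "Mon DD HH:MM:SS host tag[pid]: message"
_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Hostnames that say nothing about which client sent the line (a client left at
# the installer default cannot be told apart from any other such client)
DEFAULT_HOSTNAMES = {"localhost", "localhost.localdomain"}

# Constructed sample of /var/log/secure on the log server with several clients forwarding
SAMPLE_SECURE = """\
Aug  8 23:01:58 www sshd[1630]: Accepted password for root from 192.168.0.101 port 7036 ssh2
Aug  8 23:03:03 www useradd[1654]: new user: name=zk, UID=505, GID=505, home=/home/zk, shell=/bin/bash
Aug  8 23:03:09 www passwd: pam_unix(passwd:chauthtok): password changed for zk
Aug  8 23:05:41 localhost.localdomain useradd[2210]: new user: name=backup, UID=506, GID=506, home=/home/backup, shell=/bin/bash
Aug  8 23:06:02 www2 sshd[1701]: Failed password for invalid user admin from 192.168.0.150 port 50211 ssh2
this line is not syslog-shaped and is skipped
"""

def parse_line(line):
    """Return the fields of one syslog line, or None if it does not parse."""
    m = _LINE.match(line)
    return m.groupdict() if m else None

def events_by_host(text):
    """Group entries by the hostname field, the only thing that tells clients apart."""
    groups = defaultdict(list)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev:
            groups[ev["host"]].append(ev)
    return dict(groups)

def account_changes(text):
    """(host, username) for every 'new user' entry, to review account creation fleet-wide."""
    found = []
    for host, events in events_by_host(text).items():
        for ev in events:
            if ev["tag"] == "useradd" and ev["msg"].startswith("new user:"):
                found.append((host, re.search(r"name=([^,\s]+)", ev["msg"]).group(1)))
    return sorted(found)

def ambiguous_hosts(text):
    """Clients that still report a default hostname and so cannot be told apart."""
    return sorted(h for h in events_by_host(text) if h in DEFAULT_HOSTNAMES)
```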

15.8 Installing and using the log analysis tool logwatch

  • Logs are very important system files, and an administrator's key daily task is analysing and reviewing the server's logs to judge the server's health. Manual log management, however, is very tedious, so log analysis tools are used. These tools go through the logs in detail, analyse them, and send the results to the root user by mail. Then we only need to read the tool's mail every day to know the basic state of the server, instead of checking each log one by one. This frees the system administrator from heavy routine work to deal with more important matters.
  • CentOS ships with a log analysis tool, logwatch. It is not installed by default (because we chose "Basic Server"), so it has to be installed manually. The install command is:
[root@CncLucZK httpd]# yum -y install logwatch
...
Installed:
  logwatch-7.4.3-11.el8.noarch
  mailx-12.5-29.el8.x86_64
  perl-Date-Manip-6.60-2.el8.noarch
  perl-Sys-CPU-0.61-14.el8.x86_64
  perl-Sys-MemInfo-0.99-6.el8.x86_64
  • After installation, the logwatch configuration file has to be created by hand. The default configuration file is /etc/logwatch/conf/logwatch.conf, but it is empty, so the template configuration file must be copied over it. The commands are:
[root@CncLucZK httpd]# cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/logwatch.conf
cp: overwrite '/etc/logwatch/conf/logwatch.conf'? y
#View the configuration file
[root@CncLucZK httpd]# cat /etc/logwatch/conf/logwatch.conf
...
# this is in the format of <name> = <value>.  Whitespace at the beginning
# and end of the lines is removed.  Whitespace before and after the = sign
# is removed.  Everything is case *insensitive*.
# Yes = True  = On  = 1
# No  = False = Off = 0

# Default Log Directory
# All log-files are assumed to be given relative to this directory.
LogDir = /var/log                                          #logwatch analyses and summarises the logs in /var/log/

# You can override the default temp directory (/tmp) here
TmpDir = /var/cache/logwatch                               #logwatch's temporary directory

#Output/Format Options
#By default Logwatch will print to stdout in text with no encoding.
#To make email Default set Output = mail to save to file set Output = file
Output = stdout
#To make Html the default formatting Format = html
Format = text
#To make Base64 [aka uuencode] Encode = base64
Encode = none

# Default person to mail reports to.  Can be a local account or a
# complete email address.  Variable Output should be set to mail, or
# --output mail should be passed on command line to enable mail feature.
MailTo = root                                              #the analysis results are mailed to the root user
# WHen using option --multiemail, it is possible to specify a different
# email recipient per host processed.  For example, to send the report
# for hostname host1 to user@example.com, use:
#Mailto_host1 = user@example.com
# Multiple recipients can be specified by separating them with a space.

# Default person to mail reports from.  Can be a local account or a
# complete email address.
MailFrom = Logwatch                                        #the sender shown when the mail is received is "Logwatch"

# if set, the results will be saved in <filename> instead of mailed
# or displayed. Be sure to set Output = file also.
#Filename = /tmp/logwatch
#Save = /tmp/logwatch                                      #if enabled, the analysis is not mailed but saved to the file /tmp/logwatch

# Use archives?  If set to 'Yes', the archives of logfiles
# (i.e. /var/log/messages.1 or /var/log/messages.1.gz) will
# be searched in addition to the /var/log/messages file.
# This usually will not do much if your range is set to just
# 'Yesterday' or 'Today'... it is probably best used with
# By default this is now set to Yes. To turn off Archives uncomment this.
#Archives = No                                             #whether archived log files are searched; defaults to Yes, uncomment this line to turn it off

# Range = All
# The default time range for the report...
# The current choices are All, Today, Yesterday
Range = yesterday                                          #which day's logs to analyse: "All", "Today" or "Yesterday" (all logs, today's logs, yesterday's logs)

# The default detail level for the report.
# This can either be Low, Med, High or a number.
# Low = 0
# Med = 5
# High = 10
Detail = Low                                               #level of detail: "Low", "Med" or "High", or a number from 0 to 10, where 0 is least and 10 most detailed

# The 'Service' option expects either the name of a filter
# (in /usr/share/logwatch/scripts/services/*) or 'All'.
# The default service(s) to report on.  This should be left as All for
# most people.
Service = All                                              #analyse and monitor all logs
# You can also disable certain services (when specifying all)
#...but not the logs of the "zz-network" service: "-<service>" means that service's logs are not analysed or monitored
Service = "-zz-network"     # Prevents execution of zz-network service, which
                            # prints useful network configuration info.
Service = "-zz-sys"         # Prevents execution of zz-sys service, which
                            # prints useful system configuration info.
Service = "-eximstats"      # Prevents execution of eximstats service, which
                            # is a wrapper for the eximstats program.
# If you only cared about FTP messages, you could use these 2 lines
# instead of the above:
#Service = ftpd-messages   # Processes ftpd messages in /var/log/messages
#Service = ftpd-xferlog    # Processes ftpd messages in /var/log/xferlog
# Maybe you only wanted reports on PAM messages, then you would use:
#Service = pam_pwdb        # PAM_pwdb messages - usually quite a bit
#Service = pam             # General PAM messages... usually not many

# You can also choose to use the 'LogFile' option.  This will cause
# logwatch to only analyze that one logfile.. for example:
#LogFile = messages
# will process /var/log/messages.  This will run all the filters that
# process that logfile.  This option is probably not too useful to
# most people.  Setting 'Service' to 'All' above analyzes all LogFiles
# anyways...

#
# By default we assume that all Unix systems have sendmail or a sendmail-like MTA.
# The mailer code prints a header with To: From: and Subject:.
# At this point you can change the mailer to anything that can handle this output
# stream.
# TODO test variables in the mailer string to see if the To/From/Subject can be set
# From here with out breaking anything. This would allow mail/mailx/nail etc..... -mgt
mailer = "/usr/sbin/sendmail -t"

#
# With this option set to a comma separted list of hostnames, only log entries
# for these particular hosts will be processed.  This can allow a log host to
# process only its own logs, or Logwatch can be run once per a set of hosts
# included in the logfiles.
# Example: HostLimit = hosta,hostb,myhost
#
# The default is to report on all log entries, regardless of its source host.
# Note that some logfiles do not include host information and will not be
# influenced by this setting.
#
#HostLimit = myhost

# vi: shiftwidth=3 tabstop=3 et
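As an added example (not logwatch's own code): a Python reader for the "<name> = <value>" format described at the top of logwatch.conf, which resolves Service = All together with "-service" exclusions against the filters available, and maps the Low/Med/High Detail names to the numeric levels the comments list. The configuration excerpt it parses is constructed.

```python
# Constructed excerpt in the format logwatch.conf documents: "<name> = <value>",
# outer whitespace ignored, names case-insensitive, "#" starts a comment.
SAMPLE_CONF = """\
# Default Log Directory
LogDir = /var/log
Range = yesterday          # which day to analyse
Detail = Low
Service = All
Service = "-zz-network"    # Prevents execution of zz-network service
Service = "-zz-sys"
MailTo = root
"""

def parse_conf(text):
    """Return (options, services): options maps lower-cased name -> value,
    services keeps every Service line in order with surrounding quotes stripped."""
    options, services = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comment and outer whitespace
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if name.lower() == "service":
            services.append(value.strip('"'))
        else:
            options[name.lower()] = value
    return options, services

def effective_services(services, available):
    """Resolve 'All' and '-name' exclusions against the filters present on disk."""
    selected = set()
    for name in services:
        if name.lower() == "all":
            selected = set(available)
        elif name.startswith("-"):
            selected.discard(name[1:])
        else:
            selected.add(name)
    return sorted(selected)

def detail_level(value):
    """Low/Med/High or a number 0..10, as the Detail option documents."""
    names = {"low": 0, "med": 5, "high": 10}
    v = value.strip().lower()
    if v in names:
        return names[v]
    n = int(v)
    if not 0 <= n <= 10:
        raise ValueError("Detail must be between 0 and 10")
    return n
```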
  • This configuration file hardly needs any changes (for the experiment, Range was changed to All, otherwise too few logs would be available for the analysis that follows), and it runs every day by default. The daily run is the job of the crond service: once logwatch is installed, it creates the file "0logwatch" in /etc/cron.daily/, which runs the logwatch command at a fixed time every day to analyse and monitor the relevant logs.
[root@CncLucZK httpd]# ll /etc/cron.daily
total 8
-rwxr-xr-x  1 root root 434 May  8  2021 0logwatch
-rwxr-xr-x. 1 root root 189 Jan  4  2018 logrotate
  • To run the log analysis right away, just run the logwatch command. The command is:
[root@CncLucZK httpd]# logwatch

 ################### Logwatch 7.4.3 (04/27/16) ####################
        Processing Initiated: Sun Oct 30 23:02:28 2022
        Date Range Processed: yesterday
                              ( 2022-Oct-29 )
                              Period is day.
        Detail Level of Output: 0
        Type of Output/Format: stdout / text
        Logfiles for Host: CncLucZK
 ##################################################################

 --------------------- httpd Begin ------------------------

 Connection attempts using mod_proxy:
    212.224.88.178 -> google.com:443: 1 Time(s)
    89.248.165.52 -> 85.206.160.115:80: 1 Time(s)
    89.248.165.52 -> hotmail-com.olc.protection.outlook.com:25: 1 Time(s)

 A total of 11 sites probed the server
    123.56.155.157
    138.197.219.196
    178.159.37.113
    205.210.31.2
    62.233.50.175
    66.240.205.34
    68.183.8.82
    89.248.163.132
    89.248.163.167
    89.248.165.52
    92.255.85.183

 Requests with error response codes
    400 Bad Request
       null: 12 Time(s)
       *: 1 Time(s)
       /: 1 Time(s)
       X\xd4>\x12\x98\xc4<\xe0\x13\xcf: 1 Time(s)
       default.asp: 1 Time(s)
    403 Forbidden
       /: 39 Time(s)
       /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: 1 Time(s)
       /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: 1 Time(s)
       http://passport.baidu.com/: 1 Time(s)
    404 Not Found
       /: 4 Time(s)
       /boaform/admin/formLogin: 4 Time(s)
       /favicon.ico: 4 Time(s)
       /.env: 3 Time(s)
       ...
       /start.jsa: 1 Time(s)
       /start.jsp: 1 Time(s)
       http://www.qq.com/404/search_children.js: 1 Time(s)
    405 Method Not Allowed
       85.206.160.115:80: 1 Time(s)
       google.com:443: 1 Time(s)
       hotmail-com.olc.protection.outlook.com:25: 1 Time(s)
    408 Request Timeout
       null: 5 Time(s)

 ---------------------- httpd End -------------------------

 --------------------- pam_unix Begin ------------------------

 systemd-user:
    Unknown Entries:
       session opened for user root by (uid=0): 192 Time(s)
       session closed for user root: 76 Time(s)

 ---------------------- pam_unix End -------------------------

 #SSHD log analysis: shows which IP addresses have connected to the server
 --------------------- SSHD Begin ------------------------

 Illegal users from:
    20.78.70.5: 9 times
    34.90.223.166 (166.223.90.34.bc.googleusercontent.com): 6 times
    35.237.33.195 (195.33.237.35.bc.googleusercontent.com): 21 times
    36.90.149.125: 70 times
    ...
    193.142.146.35: 2 times
    204.48.16.71: 24 times

 Users logging in through sshd:
    root:
       110.19.110.72: 2 times
       110.19.110.50: 1 time

 **Unmatched Entries**
    Connection reset by authenticating user root 120.195.180.186 port 49648 [preauth] : 1 time(s)
    Connection reset by authenticating user root 120.195.180.186 port 62395 [preauth] : 1 time(s)
    ...
    error: maximum authentication attempts exceeded for invalid user ftpuser from 89.109.32.143 port 8884 ssh2 [preauth] : 1 time(s)
    Disconnecting invalid user usuario 89.109.32.143 port 2282: Too many authentication failures [preauth] : 1 time(s)
    Connection reset by authenticating user root 120.195.180.186 port 55708 [preauth] : 1 time(s)
    error: maximum authentication attempts exceeded for admin from 89.109.32.143 port 61258 ssh2 [preauth] : 1 time(s)
    Unable to negotiate with 123.56.155.157 port 53120: no matching host key type found. Their offer: ecdsa-sha2-nistp521 [preauth] : 1 time(s)
    ...

 ---------------------- SSHD End -------------------------

 --------------------- Systemd Begin ------------------------

 **Unmatched Entries**
    Closed D-Bus User Message Bus Socket.: 192 Time(s)
    Configuration file /usr/lib/systemd/system/qcloud-srv.service is marked executable. Please remove executable permission bits. Proceeding anyway.: 1 Time(s)
    user-runtime-dir@0.service: Unit not needed anymore. Stopping.: 522 Time(s)
    user@0.service: Killing process 1956033 (systemctl) with signal SIGKILL.: 1 Time(s)
    user@0.service: Killing process 1958181 (systemctl) with signal SIGKILL.: 1 Time(s)
    ...
    user@0.service: Killing process 2100486 (systemctl) with signal SIGKILL.: 1 Time(s)

 ---------------------- Systemd End -------------------------

 #Disk space summary
 --------------------- Disk Space Begin ------------------------

 Filesystem      Size  Used Avail Use% Mounted on
 devtmpfs        902M     0  902M   0% /dev
 /dev/vda1        50G  8.7G   39G  19% /

 ---------------------- Disk Space End -------------------------

 ###################### Logwatch End #########################
  • With this log analysis tool, log management becomes much easier. Of course, Linux supports many log analysis tools; we have only covered logwatch, which ships with CentOS, and you can pick whichever tool suits your habits.
