Chapter 3: Log management in Linux systems

Posted by metalspawned on Mon, 03 Jan 2022 03:54:29 +0100

Preparation before the experiment
rm -fr /etc/ssh/sshd_config            ##Remove the sshd configuration ...
dnf reinstall openssh-server -y        ##... and reinstall the package to get the stock sshd_config back
systemctl disable --now firewalld      ##Stop the firewall so the lab machines can reach each other (lab only; on a real host open just the needed ports instead)

1. journald

Service name: systemd-journald.service (the journal daemon); journalctl is the command used to read the journal
Default log storage path: /run/log/journal

1. systemctl status systemd-journald.service: view the status of the service

2. Default storage path: /run/log/journal/<machine-id>, a directory named after the machine ID

Usage of the journalctl command

journalctl                                  ##Show the whole journal
journalctl -n 3                             ##Show only the latest 3 entries
journalctl --since "2021-01-20 10:00:00"    ##Show entries from 10:00:00 onwards
journalctl --until "2021-01-20 10:05:59"    ##Show entries up to 10:05:59
journalctl -o short|verbose|export|json     ##Choose the output format:
           ##      short    the classic syslog-style one line per entry (the default)
           ##      verbose  every field of every entry
           ##      export   binary stream suitable for sending elsewhere and for backups
           ##      json     one JSON object per entry
journalctl -p LEVEL                         ##Show entries at LEVEL or more severe (0 is the most severe, 7 the least):
           ##0 emerg    the system is unusable
           ##1 alert    action must be taken immediately
           ##2 crit     critical condition: a software or hardware failure that stops the system working normally
           ##3 err      error conditions
           ##4 warning  warning conditions
           ##5 notice   normal but significant events
           ##6 info     informational messages
           ##7 debug    debug-level messages
journalctl -F PRIORITY       ##List the values the PRIORITY field takes, i.e. the levels you can filter on
journalctl -u sshd           ##Show only the entries of the sshd unit
journalctl --disk-usage      ##Show how much disk space the journal uses
journalctl --vacuum-size=1G  ##Delete archived journal files until the journal uses at most 1G of disk
journalctl --vacuum-time=1weeks  ##Delete archived journal files older than one week
journalctl -f                ##Follow the journal: print new entries as they are written
journalctl _PID=893          ##Show only entries written by the process with PID 893
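To show what the filters above actually do, here is an added example (not code from the original post) that reproduces the -p, --since, --until and FIELD=VALUE filters of journalctl over `journalctl -o json` output. The sample lines are constructed, not real output from the author's machine; the field names (`__REALTIME_TIMESTAMP`, `PRIORITY`, `_PID`, `_SYSTEMD_UNIT`, ...) are the real journal field names, and times are treated as UTC, which is an assumption (journalctl uses the local time zone). Note in particular that `-p err` keeps err *and everything more severe*, not just entries at level 3.

```python
import json
from datetime import datetime, timezone

# Constructed sample of `journalctl -o json` output: one JSON object per line,
# every value a string, timestamps in microseconds since the epoch (as journald exports them).
SAMPLE_JSON_LINES = """\
{"__REALTIME_TIMESTAMP": "1611136800000000", "PRIORITY": "6", "SYSLOG_IDENTIFIER": "systemd", "_PID": "1", "MESSAGE": "Started OpenSSH server daemon."}
{"__REALTIME_TIMESTAMP": "1611136860000000", "PRIORITY": "6", "SYSLOG_IDENTIFIER": "sshd", "_PID": "893", "_SYSTEMD_UNIT": "sshd.service", "MESSAGE": "Server listening on 0.0.0.0 port 22."}
{"__REALTIME_TIMESTAMP": "1611136920000000", "PRIORITY": "4", "SYSLOG_IDENTIFIER": "sshd", "_PID": "893", "_SYSTEMD_UNIT": "sshd.service", "MESSAGE": "Failed password for invalid user test from 192.0.2.10 port 40012 ssh2"}
{"__REALTIME_TIMESTAMP": "1611137000000000", "PRIORITY": "3", "SYSLOG_IDENTIFIER": "sshd", "_PID": "893", "_SYSTEMD_UNIT": "sshd.service", "MESSAGE": "error: maximum authentication tries exceeded for invalid user test from 192.0.2.10 port 40012 ssh2"}
{"__REALTIME_TIMESTAMP": "1611137400000000", "PRIORITY": "2", "SYSLOG_IDENTIFIER": "kernel", "_PID": "0", "MESSAGE": "EXT4-fs error (device sda1): ext4_find_entry: reading directory lblock 0"}
"""

# syslog severity names in numeric order, 0 = most severe (journalctl -p accepts either form)
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_time(text):
    """Parse a 'YYYY-MM-DD HH:MM:SS' string, the form --since/--until take.
    Assumption: interpreted as UTC here; journalctl uses the local time zone."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_journal_json(text):
    """Turn `journalctl -o json` output into dicts, adding a parsed timestamp
    (_time) and an integer priority (_prio) to each entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        usec = int(entry["__REALTIME_TIMESTAMP"])
        entry["_time"] = datetime.fromtimestamp(usec / 1_000_000, tz=timezone.utc)
        entry["_prio"] = int(entry["PRIORITY"])
        entries.append(entry)
    return entries


def filter_entries(entries, priority=None, since=None, until=None, **matches):
    """journalctl-style filtering:
    -p LEVEL keeps entries at LEVEL or more severe (numeric value <= LEVEL);
    --since / --until bound the timestamp (inclusive);
    FIELD=VALUE pairs (e.g. _PID="893", _SYSTEMD_UNIT="sshd.service") must all match."""
    if isinstance(priority, str):
        priority = PRIORITIES.index(priority)
    if isinstance(since, str):
        since = parse_time(since)
    if isinstance(until, str):
        until = parse_time(until)
    kept = []
    for entry in entries:
        if priority is not None and entry["_prio"] > priority:
            continue
        if since is not None and entry["_time"] < since:
            continue
        if until is not None and entry["_time"] > until:
            continue
        if any(entry.get(field) != value for field, value in matches.items()):
            continue
        kept.append(entry)
    return kept


def count_by_level(entries):
    """Number of entries per severity name: the quick triage view."""
    counts = {name: 0 for name in PRIORITIES}
    for entry in entries:
        counts[PRIORITIES[entry["_prio"]]] += 1
    return counts


def format_short(entry):
    """Roughly the `-o short` layout: timestamp identifier[pid]: message."""
    ident = entry.get("SYSLOG_IDENTIFIER", "?")
    pid = entry.get("_PID", "?")
    return f"{entry['_time']:%b %d %H:%M:%S} {ident}[{pid}]: {entry['MESSAGE']}"


if __name__ == "__main__":
    entries = parse_journal_json(SAMPLE_JSON_LINES)
    print(count_by_level(entries))
    # Same selection as:
    # journalctl -p err --since "2021-01-20 10:00:00" --until "2021-01-20 10:05:59"
    for entry in filter_entries(entries, priority="err",
                                since="2021-01-20 10:00:00", until="2021-01-20 10:05:59"):
        print(format_short(entry))
```

On a real host the same logic runs over `journalctl -o json --since ... | python3 this_script.py` style input; the point of counting by level first is that the emerg/alert/crit/err buckets are where an incident responder looks before reading anything else.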


Using the journald service to store logs permanently

The default journal location is /run/log/journal, which lives in memory, so by default the journal is cleared when the system reboots.
Creating /var/log/journal with the right group and mode makes journald keep the journal on disk instead.

mkdir /var/log/journal                   ##Create the on-disk directory for the journal
chgrp systemd-journal /var/log/journal   ##Hand the directory to the systemd-journal group
ls -ld /var/log/journal/
chmod 2775 /var/log/journal              ##rwxrwsr-x: the setgid bit makes files created inside
                                         ##the directory inherit the systemd-journal group
systemctl restart systemd-journald.service
##Once the service restarts it writes the journal to /var/log/journal
cd /var/log/journal/
ls                                       ##A subdirectory named after the machine ID has appeared
cd ea6e1822adaf414891a444e2a3fa22d4      ##The machine ID on the author's system; yours differs
ls
pwd
cd
date                                     ##Note the time so it can be compared with the journal after the reboot
reboot                                   ##Restart the system
journalctl                               ##Entries from before the reboot are still there:
           ##everything older than 12:17 (the reboot) shows the journal is now collected in /var/log/journal
Test:
1. View the journal before doing the steps above
2. Restart the system
3. View the journal again
4. The journal was not kept: only entries from after the reboot are visible
5. Do the steps above, restart the system again, and the journal from before the reboot is still there
ls
rm -rf ea6e1822adaf414891a444e2a3fa22d4   ##Delete the collected journal files
##Deleting the collected journal removes all earlier entries
journalctl                                ##View the journal
systemctl restart systemd-journald.service
journalctl                                ##The entries from before the reboot can no longer be seen
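The steps above are easy to get subtly wrong (forgetting chgrp, or using 775 instead of 2775 so new journal files do not inherit the group). Here is an added example, not part of the original post, that audits a journal directory against exactly those requirements and reports whether journald on the host is persistent or volatile. It assumes Linux (the `grp` module) and journald's default `Storage=auto`, under which the journal is on disk only if /var/log/journal exists; the machine-ID name used in the self-check is the one shown in the post.

```python
import grp
import os
import stat

JOURNAL_GROUP = "systemd-journal"   # the group journald expects on /var/log/journal
WANTED_MODE = 0o2775                 # rwxrwsr-x: setgid so new journal files inherit the group


def _group_name(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:                 # gid without an /etc/group entry
        return str(gid)


def audit_journal_dir(path, want_group=JOURNAL_GROUP, want_mode=WANTED_MODE):
    """Return a list of problems with a journal directory; an empty list means it
    matches what the steps above produce (right group, 2775, setgid set)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist: with Storage=auto journald keeps the journal "
                f"in /run/log/journal and loses it on reboot"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]
    problems = []
    mode = stat.S_IMODE(st.st_mode)
    if not (mode & stat.S_ISGID):
        problems.append(f"{path}: setgid bit missing, new journal files will not inherit the group")
    if (mode & 0o777) != (want_mode & 0o777):
        problems.append(f"{path}: permission bits are {mode & 0o777:03o}, "
                        f"expected {want_mode & 0o777:03o}")
    group = _group_name(st.st_gid)
    if group != want_group:
        problems.append(f"{path}: group is {group}, expected {want_group}")
    return problems


def machine_id_dirs(path):
    """Subdirectories named after a machine ID (32 hex digits): this is where
    journald actually writes, e.g. /var/log/journal/<machine-id>/system.journal."""
    names = []
    for name in os.listdir(path):
        if (len(name) == 32 and all(c in "0123456789abcdef" for c in name)
                and os.path.isdir(os.path.join(path, name))):
            names.append(name)
    return sorted(names)


def storage_mode(persistent_dir="/var/log/journal"):
    """Under the default Storage=auto the journal is persistent only if this directory exists."""
    return "persistent" if os.path.isdir(persistent_dir) else "volatile"


def self_check():
    """Run the audit on a temporary directory set up like the steps above and
    then deliberately broken, so the logic can be exercised without root."""
    import shutil
    import tempfile
    tmp = tempfile.mkdtemp()
    try:
        my_group = _group_name(os.stat(tmp).st_gid)   # stand-in for systemd-journal
        os.chmod(tmp, 0o2775)
        os.mkdir(os.path.join(tmp, "ea6e1822adaf414891a444e2a3fa22d4"))  # machine ID from the post
        good = audit_journal_dir(tmp, want_group=my_group)
        ids = machine_id_dirs(tmp)
        os.chmod(tmp, 0o755)                          # drop setgid and group write
        bad = audit_journal_dir(tmp, want_group=my_group)
        missing = audit_journal_dir(os.path.join(tmp, "absent"))
    finally:
        shutil.rmtree(tmp)
    return {"good": good, "bad": bad, "ids": ids, "missing": missing}


if __name__ == "__main__":
    print("journald storage on this host:", storage_mode())
    for problem in audit_journal_dir("/var/log/journal"):
        print(problem)
    print(self_check())
```

Run it as root on the lab machine after the steps above: an empty problem list plus "persistent" is the state the reboot test in the post expects; any reported problem explains why entries might still vanish or be unreadable to members of systemd-journal.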


2. rsyslog

##Create a second virtual machine with IP 172.25.254.211
##The client is bridged; the server gets its own network card configured

The host is connected to the two virtual machines

Receiver: uncomment lines 19 and 20 (in /etc/rsyslog.conf)

Sender: add the forwarding line at line 47

On both sides:
systemctl restart rsyslog.service
>/var/log/messages                 ##Truncate the file so only new entries show up
Sender:   logger ****               ##Any message text; writes a test entry to the log
Receiver: tail -f /var/log/messages ##The sender's test entry appears here
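The lines to uncomment and the forwarding line were shown as screenshots that did not survive, so the fragment below is an added example in rsyslog's own syntax, not the post's file. It assumes the two lines are the UDP reception lines of the stock /etc/rsyslog.conf and that 172.25.254.211 is the receiver (the post does not say which VM plays which role); drop-in files under /etc/rsyslog.d/ are used so the main file stays untouched.

```conf
# Receiver side: /etc/rsyslog.d/10-receive.conf  (added example, not the post's file)
# Accept syslog over UDP port 514.
module(load="imudp")
input(type="imudp" port="514")

# Sender side: /etc/rsyslog.d/10-forward.conf
# Forward every facility at every priority to the receiver (address assumed).
# A single "@" means UDP. "@@" would use TCP, which needs module(load="imtcp")
# and input(type="imtcp" port="514") on the receiver instead.
*.*  @172.25.254.211:514
```

After restarting rsyslog on both sides, `logger` on the sender and `tail -f /var/log/messages` on the receiver work as the post describes. Two caveats for anything beyond a lab: plain UDP or TCP syslog is unauthenticated and unencrypted, and UDP drops messages silently when the receiver is busy, so forward over TLS (port 6514) where the logs matter; and rather than disabling firewalld as in the preparation step, open only the syslog service on the receiver (`firewall-cmd --permanent --add-service=syslog` for 514/udp).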

3. timedatectl

Local time: the time in the configured zone (CST here)
Universal time: UTC, the reference time (London without summer time)
UTC-4 ("west fourth" zone): the sun rises four hours later than in London
RTC time: the hardware clock
Time zone: the configured zone

1. On the time source (server):

systemctl stop firewalld
vim /etc/chrony.conf                  ##Edit the time-source settings
systemctl restart chronyd.service     ##The unit is called chronyd on RHEL-family systems


2. On the client:

systemctl stop firewalld
vim /etc/chrony.conf                  ##Point the client at the time source
systemctl restart chronyd.service


Finally, compare the results: run watch -n 1 date on the server and on the client and check that the two clocks agree
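The chrony.conf edits were also screenshots, so here is an added example of the lines involved, not the post's own file. The subnet and the server address are assumptions (the post only gives 172.25.254.211 for the second VM); comments are on their own lines because chrony only treats whole lines as comments.

```conf
# Time source (server) side: lines to add or uncomment in /etc/chrony.conf
# (added example, not the post's screenshot; addresses are assumptions)
# Answer NTP queries from the lab subnet
allow 172.25.254.0/24
# Keep serving time even when no upstream server is reachable, advertising a
# low-quality stratum so that real upstream sources still win when available
local stratum 10

# Client side: /etc/chrony.conf
# Use the lab time source instead of the public pool; iburst sends the first
# requests in quick succession so the clock synchronises right away
server 172.25.254.211 iburst
```

Besides watching `date` on both machines, `chronyc sources -v` on the client should list the server marked `^*` once it has been selected, and `timedatectl` should report "System clock synchronized: yes". Consistent time across hosts is what makes the journald and rsyslog timestamps from the two earlier sections comparable when correlating an incident.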

Topics: Linux