Linux上的日志系统
syslog
syslog-ng: 开源
日志系统:syslog()
A:
B:
D:
syslog服务进程:
syslogd: 系统,非内核产生的信息
klogd:内核,专门负责记录内核产生的日志信息
kernel --> 物理终端(/dev/console) --> /var/log/dmesg
# dmesg
# cat /var/log/dmesg
/sbin/init
/var/log/messages: 系统标准错误日志信息;非内核产生引导信息;各子系统产生的信息;日志量很大,需要滚动处理
/var/log/maillog: 邮件系统产生的日志信息;
/var/log/secure:
日志需要滚动(日志切割):
messages messages.1 messages.2 messages.3
syslog:
syslogd
klogd
配置文件:/etc/syslog.conf
[root@localhost ~]# chkconfig --list syslog
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@localhost ~]# service syslog status
syslogd (pid 3885) is running...
klogd (pid 3888) is running...
[root@localhost ~]#
[root@localhost ~]# cat /etc/logrotate.conf (日志滚动定义目录)
# see "man logrotate" for details
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs (滚动次数)
rotate 4
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
#compress
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp -- we‘ll rotate them here
/var/log/wtmp {
monthly
minsize 1M
create 0664 root utmp
rotate 1
}
/var/log/btmp {
missingok
monthly
minsize 1M
create 0600 root utmp
rotate 1
}
# system-specific logs may be also be configured here.
[root@localhost ~]# cd /etc/logrotate.d/
[root@localhost logrotate.d]# ls
acpid conman cups iscsiuiolog mgetty ppp psacct rpm subscription-manager syslog up2date wpa_supplicant yum
[root@localhost logrotate.d]# cat yum
/var/log/yum.log {
missingok
notifempty
size 30k
yearly
create 0600 root root
}
[root@localhost logrotate.d]# cat cups
/var/log/cups/*_log {
missingok
notifempty
sharedscripts
}
[root@localhost logrotate.d]#
[root@localhost logrotate.d]# tail /var/log/secure (登陆相关日志)
Mar 22 07:50:14 localhost sshd[4212]: Received signal 15; terminating.
Mar 22 07:50:14 localhost sshd[4587]: Exiting on signal 15
Mar 22 07:50:14 localhost sshd[4587]: pam_unix(sshd:session): session closed for user root
Mar 23 06:35:05 localhost sshd[4212]: Server listening on :: port 22.
Mar 23 06:35:05 localhost sshd[4212]: Server listening on 0.0.0.0 port 22.
Mar 23 06:39:34 localhost sshd[4607]: Address 192.168.1.18 maps to localhost, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Mar 23 06:39:34 localhost sshd[4607]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.18 user=root
Mar 23 06:39:36 localhost sshd[4607]: Failed password for root from 192.168.1.18 port 6506 ssh2
Mar 23 06:39:37 localhost sshd[4607]: Accepted password for root from 192.168.1.18 port 6506 ssh2
Mar 23 06:39:37 localhost sshd[4607]: pam_unix(sshd:session): session opened for user root by (uid=0)
[root@localhost logrotate.d]#
日志信息来源:
配置文件定义格式为: facility.priority action
facility,可以理解为日志的来源或设备目前常用的facility有以下几种:
auth # 认证相关的
authpriv # 权限,授权相关的
cron # 任务计划相关的
daemon # 守护进程相关的
kern # 内核相关的
lpr # 打印相关的
mail # 邮件相关的
mark # 标记相关的
news # 新闻相关的
security # 安全相关的,与auth 类似
syslog # syslog自己的
user # 用户相关的
uucp # unix to unix cp 相关的
local0 到 local7 # 用户自定义使用
* # *表示所有的facility
priority(log level)日志的级别,一般有以下几种级别(从低到高)
debug # 程序或系统的调试信息
info # 一般信息
notice # 不影响正常功能,需要注意的消息
warning/warn # 可能影响系统功能,需要提醒用户的重要事件
err/error # 错误信息
crit # 比较严重的
alert # 必须马上处理的
emerg/panic # 会导致系统不可用的
* # 表示所有的日志级别
none # 跟* 相反,表示啥也没有
action(动作)日志记录的位置
系统上的绝对路径 # 普通文件 如: /var/log/xxx
| # 管道 通过管道送给其他的命令处理
终端 # 终端 如:/dev/console
@HOST # 远程主机 如: @10.0.0.1
用户 # 系统用户 如: root
* # 登录到系统上的所有用户,一般emerg级别的日志是这样定义的
定义格式例子:
mail.info /var/log/mail.log # 表示将mail相关的,级别为info及
# info以上级别的信息记录到/var/log/mail.log文件中
auth.=info @10.0.0.1 # 表示将auth相关的,基本为info的信息记录到10.0.0.1主机上去
# 前提是10.0.0.1要能接收其他主机发来的日志信息
user.!=error # 表示记录user相关的,不包括error级别的信息
user.!error # 与user.error相反
*.info # 表示记录所有的日志信息的info级别
mail.* # 表示记录mail相关的所有级别的信息
*.* # 你懂的.
cron.info;mail.info # 多个日志来源可以用";" 隔开
cron,mail.info # 与cron.info;mail.info 是一个意思
mail.*;mail.!=info # 表示记录mail相关的所有级别的信息,但是不包括info级别的
[root@localhost ~]# cat /etc/syslog.conf (系统日志定义方式)
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don‘t log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages (除mail,authpri,cron之外所有信息保存到/var/log/messages )
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog (异步写出,先保存到内存,然后写入磁盘;并非立即写入磁盘)
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg * (通知所有用户)
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
[root@localhost ~]#
自行定义收集日志信息
[root@localhost ~]# vim /etc/syslog.conf
[root@localhost ~]# service syslog reload (不重启服务,读取配置文件)
Reloading syslogd... [ OK ]
Reloading klogd... [ OK ]
[root@localhost ~]# cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don‘t log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.info /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
[root@localhost ~]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables ‘MARK‘ messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0" (只需要增加-r,即可作为日志服务器,接收其他主机发送过来的日志)
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
# once for processing with ‘ksymoops‘
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"
#
SYSLOG_UMASK=077
# set this to a umask value to use for all log files as in umask(1).
# By default, all permissions are removed for "group" and "other".
[root@localhost ~]# service syslog reload (需要重启syslog服务)
Reloading syslogd... [ OK ]
Reloading klogd... [ OK ]
[root@localhost ~]#
[root@localhost ~]# cd busybox-1.20.2
[root@localhost busybox-1.20.2]# ls _install/sbin/
acpid bootchartd findfs halt ifenslave loadkmap man mkfs.minix nameif rmmod start-stop-daemon sysctl watchdog
adjtimex depmod freeramdisk hdparm ifup logread mdev mkfs.vfat pivot_root route sulogin syslogd zcip
arp devmem fsck hwclock init losetup mkdosfs mkswap poweroff runlevel swapoff tunctl
blkid fbsplash fsck.minix ifconfig insmod lsmod mke2fs modinfo raidautorun setconsole swapon udhcpc
blockdev fdisk getty ifdown klogd makedevs mkfs.ext2 modprobe reboot slattach switch_root vconfig
[root@localhost busybox-1.20.2]# ls _install/sbin/ | grep log
klogd
logread
sulogin
syslogd
[root@localhost busybox-1.20.2]#
telnet: 远程登录协议, 23/tcp
C/S
S:telnet服务器
C:telnet客户端
ssh: Secure SHell, 应用层协议,22/tcp
通信过程及认证过程是加密的,主机认证
用户认证过程加密
数据传输过程加密
ssh v1, v2
man-in-middle
sshv2
认证过程:
基于口令认证
基于密钥认证:
协议:规范
实现:服务器端、客户端
Linux: openSSH
C/S
服务器端:sshd, 配置文件/etc/ssh/sshd_config
客户端:ssh, 配置文件/etc/ssh/ssh_config
ssh-keygen: 密钥生成器
ssh-copy-id: 将公钥传输至远程服务器
scp:跨主机安全复制工具
ssh:
ssh USERNAME@HOST
ssh -l USERNAME HOST
ssh USERNAME@HOST ‘COMMAND‘
scp将本地文件加密复制到远程客户端:
scp SRC DEST
-r
-a
scp USERNAME@HOST:/path/to/somefile /path/to/local
scp /path/to/local USERNAME@HOST:/path/to/somewhere
基于密钥认证:
主机密钥保存在 /root/.ssh/目录
ssh-keygen:生成一对公钥和私钥;
ssh-keygen -t rsa
~/.ssh/id_rsa
~/.ssh/id_rsa.pub
-f /path/to/KEY_FILE
-P ‘‘: 指定加密私钥的密码
ssh-keygen -t rsa -f .ssh/id_rsa -P ‘‘ 直接生成密钥
.ssh权限为700 chmod 700 .ssh/
cat id_rsa.pub >> .ssh/authorized_keys
公钥追加保存到远程主机某用户的家目录下的.ssh/authorized_keys文件或.ssh/authorized_keys2文件中
ssh-copy-id
-i ~/.ssh/id_rsa.pub
ssh-copy-id -i ~/.ssh/id_rsa.pub USERNAME@HOST (直接复制公钥到目的主机;不是所有主机都支持ssh-copy-id,-i指定具体文件)
dropbear: 嵌入式系统专用的ssh服务器端和客户端工具
服务器端:dropbear
dropbearkey
客户端:dbclient
dropbear默认使用nsswitch实现名称解析
/etc/nsswitch.conf
/lib/libnss_files*
/usr/lib/libnss3.so
/usr/lib/libnss_files*
dropbear会在用户登录检查其默认shell是否当前系统的安全shell
/etc/shells
主机密钥默认位置:
/etc/dropbear/
RSA: dropbear_rsa_host_key
长度可变, 只要是8的整数倍,默认为1024
DSS: dropbear_dss_host_key
长度固定,默认为1024
dropbearkey
-t rsa|dsa
-f /path/to/KEY_FILE
-s SIZE
linux-syslog,ssh,ssh-keygen,dropbear
原文地址:http://f1yinsky.blog.51cto.com/12568071/1910195
