Log cutting - build a remote log collection server
2022-04-23 02:42:00 【qdzhanghao】
I. Log cutting
On Linux, logs are rotated periodically. A log that is still being written to (a dynamic log) can be cut online once it reaches a specified size. A static log, for example one that no application is writing to, can be cut with the split tool. logrotate supports automatic rotation by both time and size, which keeps log files from growing too large.
The logrotate configuration files are mainly:
/etc/logrotate.conf and the detailed configuration files under the /etc/logrotate.d/ subdirectory.
logrotate is run by the crond service.
[root@tiehao ~]# vim /etc/cron.daily/logrotate # view the contents of the logrotate script
The logrotate program is started by a cron scheduled task at the specified time.
Logs grow large. Letting a log record indefinitely is a terrible thing: over time it takes up hundreds of megabytes of disk space, and finding one useful piece of information in it is like looking for a needle in the sea.
Log cutting:
When the log reaches a certain size on a given day, we split it: the previous log is kept as a backup, and a new file with the same name is created to hold the new log entries.
That is, the current log is renamed and syslog is restarted, after which syslog creates maillog again and carries on. The renamed log takes a form like maillog-05-07.
1. logrotate configuration file in detail (CentOS 7)
Edit the configuration file:
[root@tiehao log]# vim /etc/logrotate.conf
Explanation (global parameters):
weekly: rotate logs once a week
rotate: the maximum number of recent history files kept after rotation (rotate is pronounced [rəʊˈteɪt])
(rotate 4 keeps the 4 most recent logs; the earlier 5th, 6th, 7th and so on are deleted)
create: the permissions, owner and group of the newly created file
dateext: rotated files are named with a date suffix # you can look in the /var/log directory
Individual configuration (the block opens with the name and path of the log file):
/var/log/btmp {
    # no error is reported if the file is missing
    missingok
    # rotate once a month
    monthly
    # permissions, owner and group of the btmp log file
    create 0664 root utmp
    # cut only when the file exceeds 1M, so it is not necessarily cut every month; it depends on the file size
    minsize 1M
    # keep at most 1 history file after rotation, not counting the log currently in use
    rotate 1
}
Other parameters:
monthly: log files are rotated monthly. Other available values are 'daily', 'weekly' or 'yearly'.
rotate 5: keep 5 archived logs at a time. When a sixth archive is made, the oldest archive is deleted.
compress: after rotation completes, the rotated archive is compressed with gzip.
delaycompress: always used together with compress. delaycompress tells logrotate not to compress the most recent archive; compression is done in the next rotation cycle. This is useful when you or some software still needs to read the latest archive.
missingok: during log rotation, errors such as "file not found" are ignored.
notifempty: if the log file is empty, it is not rotated.
create 644 root root: create a new log file with the specified permissions; logrotate also renames the original log file.
postrotate/endscript: the commands between postrotate and endscript are executed after all the other directives have completed. In this case, the rsyslogd process immediately re-reads its configuration and continues to run.
/var/lib/logrotate/status: by default, records when logrotate last rotated each log file.
2. Using logrotate to rotate the ssh log
This assumes ssh logs have already been configured to be stored in /var/log/sshd:
[root@tiehao ~]# vim /etc/logrotate.d/sshd # create an sshd configuration file with the following content:
/var/log/sshd.log {
    missingok
    weekly
    create 0600 root root
    minsize 1M
    rotate 3
}
[root@tiehao ~]# systemctl restart rsyslog
[root@tiehao ~]# logrotate -d /etc/logrotate.d/sshd # dry run; nothing is actually rotated
[root@tiehao ~]# logrotate -vf /etc/logrotate.d/sshd # forced rotation: with -f, logrotate rotates the log file even if the rotation conditions are not met
-v  show details while the command runs
-f  force rotation
[root@tiehao ~]# ls /var/log/sshd*
/var/log/sshd.log /var/log/sshd.log.1 /var/log/sshd.log.2 /var/log/sshd.log.3
Check the log file size again; it is now 0:
[root@tiehao ~]# ll -h /var/log/sshd.log
-rw------- 1 root root 0 5月 22 00:49 /var/log/sshd.log
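The rename chain behind "rotate 3" and "create 0600" in the sshd configuration above, as an added illustration in shell. It is not logrotate's code and not part of the original post; rotate_log and demo_rotation are hypothetical helpers, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added illustration, not logrotate's code: the rename chain behind
# "rotate 3" and "create 0600" from the sshd block above.

# rotate_log FILE KEEP (hypothetical helper): shift FILE.1..FILE.(KEEP-1) up
# by one, move FILE to FILE.1, then recreate FILE empty with mode 0600.
rotate_log() {
    log=$1 keep=$2
    rm -f "$log.$keep"               # the oldest archive falls off the end
    i=$keep
    while [ "$i" -gt 1 ]; do
        prev=$((i - 1))
        [ -e "$log.$prev" ] && mv "$log.$prev" "$log.$i"
        i=$prev
    done
    [ -e "$log" ] && mv "$log" "$log.1"
    # umask makes the file 0600 from the moment it exists (no chmod window);
    # ownership stays with the caller, whereas logrotate also sets root:root.
    ( umask 077 && : > "$log" )
}

# Constructed demo: five weekly cycles in a scratch directory, keeping 3.
# Prints one line per file: name, permission bits, content in brackets.
demo_rotation() {
    d=$(mktemp -d) || return 1
    n=1
    while [ "$n" -le 5 ]; do
        echo "week $n" >> "$d/sshd.log"   # stand-in for sshd writing its log
        rotate_log "$d/sshd.log" 3
        n=$((n + 1))
    done
    ( cd "$d" && for f in sshd.log*; do
          echo "$f $(ls -l "$f" | cut -c1-10) [$(cat "$f")]"
      done )
    rm -rf "$d"
}

demo_rotation
```

After five cycles only the three newest archives remain, which matches the ls listing above: the live log is empty and the archives stay readable by the owner only.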
3. Using logrotate to rotate nginx logs
[root@tiehao nginx]# vim /etc/logrotate.d/nginx
# location of the log files; wildcards can be used
/usr/local/nginx/logs/*.log {
    # rotation frequency: daily, weekly or monthly
    daily
    # keep 5 archived logs; when a sixth archive is made, the oldest is deleted
    rotate 5
    # run the script once, after all log files have been rotated
    sharedscripts
    # start of the commands to execute
    postrotate
        # check whether nginx is running; if it is not, do nothing
        if [ -f /usr/local/nginx/logs/nginx.pid ]; then
            # make nginx reload its configuration file and create new log files
            /usr/local/nginx/sbin/nginx -s reload
        fi
    # end of the commands to execute
    endscript
}
Without log rotation: the log had grown to 150G ...
II. Configuring a remote log server for centralized log management
Experimental topology:

Server-side configuration
[root@tiehao ~]# vim /etc/rsyslog.conf # collect logs over the TCP protocol
Change lines 19 and 20 from:
19 #$ModLoad imtcp
20 #$InputTCPServerRun 514
to:
19 $ModLoad imtcp
20 $InputTCPServerRun 514
On CentOS 8, uncomment the following 2 lines:
24 #module(load="imtcp") # needs to be done just once
25 #input(type="imtcp" port="514")
Note: UDP is fast but does not guarantee data integrity; TCP is reliable and complete.
[root@tiehao ~]# systemctl restart rsyslog # restart rsyslog
Check that the service is listening:
[root@tiehao ~]# netstat -anlpt | grep 514
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 45631/rsyslogd
tcp6 0 0 :::514 :::* LISTEN 45631/rsyslogd
Server-side verification:
Turn off SELinux and the firewall on the server
[root@tiehao ~]# getenforce
Enforcing
[root@tiehao ~]# setenforce 0 # switch SELinux to permissive mode
[root@tiehao ~]# getenforce
Permissive
[root@tiehao ~]# systemctl stop firewalld
[root@tiehao ~]# systemctl status firewalld
[root@tiehao ~]# iptables -F # flush the firewall rules
Client-side configuration:
Log in to the tiehao64 client
[root@tiehao64 ~]# vim /etc/rsyslog.conf # insert after line 90
# the server's IP address
*.* @@192.168.1.63:514
Note: *.* means logs of all facilities and levels; @@192.168.1.63:514 is the IP and port of the log server, reached over the TCP protocol.
Restart the rsyslog service
[root@tiehao64 ~]# systemctl restart rsyslog.service
Check the log on the server:
[root@tiehao ~]# tail -f /var/log/messages | grep tiehao64 --color # watch the log live
Test from the client tiehao64
Syntax: logger sends a simulated log message
[root@tiehao64 ~]# logger "aaaaa"
Check the log on the server
[root@tiehao ~]# tail -f /var/log/messages | grep tiehao64 --color
# messages seen on the server
May 21 16:32:16 tiehao64 root: aaaaa
Summary: if the server uses the UDP protocol, this line in the client's configuration file must have only one @:
*.* @192.168.1.64:514
If the server uses the TCP protocol, this line in the client's configuration file must have two @@:
*.* @@192.168.1.64:514
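A way to audit the @ / @@ rule summarized above across client configurations, as an added example in shell that is not part of the original post. forward_targets and check_forwarding are hypothetical helpers, the sample file is constructed, and only the legacy "selector @host:port" syntax used on this page is handled (no IPv6 literals or RainerScript actions).

```shell
#!/bin/sh
# Added example: list rsyslog forwarding rules and check that every one of
# them ships logs to the expected collector over TCP (@@), not UDP (@).

# forward_targets FILE: print "proto host port selector" per forwarding rule.
forward_targets() {
    awk '
        /^[ \t]*#/ { next }                    # skip commented-out rules
        NF >= 2 && $2 ~ /^@/ {
            proto = ($2 ~ /^@@/) ? "tcp" : "udp"
            target = $2; sub(/^@+/, "", target)
            n = split(target, hp, ":")
            port = (n > 1) ? hp[2] : 514       # syslog default port
            print proto, hp[1], port, $1
        }' "$1"
}

# check_forwarding FILE COLLECTOR: succeed only if at least one rule exists
# and every rule sends to COLLECTOR over TCP; print the rules that do not.
check_forwarding() {
    forward_targets "$1" | awk -v want="$2" '
        { seen = 1 }
        $1 != "tcp" || $2 != want { bad = 1; print "unexpected: " $0 }
        END { exit (bad || !seen) }'
}

# Constructed sample: the client line from this page, a commented-out rule,
# and a UDP rule that the check should flag.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#*.* @@remote-host:514
*.* @@192.168.1.63:514
authpriv.* @192.168.1.63
EOF
forward_targets "$sample"
check_forwarding "$sample" 192.168.1.63 || echo "forwarding rules need review"
rm -f "$sample"
```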
Copyright notice
This article was written by [qdzhanghao]. Please include the original link when reposting. Thanks.
https://yzsam.com/2022/04/202204220745423081.html