Bo's Oracle Station


The two logging systems since Red Hat 7

Posted on 2020-11-16 21:42:21
    [root@classroom 例子]# systemctl status rsyslog
    ● rsyslog.service - System Logging Service
       Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
       Active: active (running) since Mon 2020-11-16 15:25:27 CST; 6h ago
         Docs: man:rsyslogd(8)
               http://www.rsyslog.com/doc/
     Main PID: 1585 (rsyslogd)
        Tasks: 3 (limit: 26213)
       Memory: 6.9M
       CGroup: /system.slice/rsyslog.service
               └─1585 /usr/sbin/rsyslogd -n

    11月 16 15:25:26 classroom.example.com systemd[1]: Starting System Logging Service...
    11月 16 15:25:27 classroom.example.com rsyslogd[1585]: environment variable TZ is not set, auto correcting this to TZ=/etc/localtime  [v8.37>
    11月 16 15:25:27 classroom.example.com systemd[1]: Started System Logging Service.
    11月 16 15:25:27 classroom.example.com rsyslogd[1585]: [origin software="rsyslogd" swVersion="8.37.0-9.el8" x-pid="1585" x-info="http://www.>
    [root@classroom 例子]# systemctl | grep journal
      systemd-journal-flush.service                                                             loaded active exited    Flush Journal to Persistent Storage
      systemd-journald.service                                                                  loaded active running   Journal Service
      systemd-journald-dev-log.socket                                                           loaded active running   Journal Socket (/dev/log)
      systemd-journald.socket                                                                   loaded active running   Journal Socket
    [root@classroom 例子]# systemctl status systemd-journald
    ● systemd-journald.service - Journal Service
       Loaded: loaded (/usr/lib/systemd/system/systemd-journald.service; static; vendor preset: disabled)
       Active: active (running) since Mon 2020-11-16 15:25:14 CST; 6h ago
         Docs: man:systemd-journald.service(8)
               man:journald.conf(5)
     Main PID: 656 (systemd-journal)
       Status: "Processing requests..."
        Tasks: 1 (limit: 26213)
       Memory: 13.3M
       CGroup: /system.slice/systemd-journald.service
               └─656 /usr/lib/systemd/systemd-journald

    11月 16 15:25:14 classroom.example.com systemd-journald[656]: Journal started
    11月 16 15:25:14 classroom.example.com systemd-journald[656]: Runtime journal (/run/log/journal/fb086255a1e94490acaa4181501e2d31) is 8.0M, m>
    11月 16 15:25:14 classroom.example.com systemd-jou

The group of the systemd-journald process is:
systemd-journal:x:190:
    journalctl -xe
    journalctl -xb
    journalctl -p err -x


Kernel space (dmesg)

    [ 8077.814883] br0: port 6(enp0s20u4) entered learning state
    [ 8093.174808] br0: port 6(enp0s20u4) entered forwarding state
    [ 8093.174814] br0: topology change detected, propagating
    [ 8403.750418] rfkill: input handler disabled
    [ 8510.196195] EXT4-fs (dm-14): mounted filesystem with ordered data mode. Opts: (null)
    [ 8657.807897] snd_hda_intel 0000:00:1b.0: IRQ timing workaround is activated for card #1. Suggest a bigger bdl_pos_adj.
    [ 9800.221598] perf: interrupt took too long (3133 > 3128), lowering kernel.perf_event_max_sample_rate to 63000
    [11898.564239] br0: port 7(vnet5) entered blocking state
    [11898.564241] br0: port 7(vnet5) entered disabled state
    [11898.564303] device vnet5 entered promiscuous mode
    [11898.564481] br0: port 7(vnet5) entered blocking state
    [11898.564483] br0: port 7(vnet5) entered listening state
    [11898.740958] device-mapper: core: qemu-kvm: sending ioctl 5326 to DM device without required privilege.
    [11913.699279] br0: port 7(vnet5) entered learning state
    [11929.060203] br0: port 7(vnet5) entered forwarding state
    [11929.060206] br0: topology change detected, propagating
    [12187.029128] br0: port 7(vnet5) entered disabled state
    [12187.038012] device vnet5 left promiscuous mode
    [12187.038028] br0: port 7(vnet5) entered disabled state
    [12946.323478] perf: interrupt took too long (3923 > 3916), lowering kernel.perf_event_max_sample_rate to 50000
    [13130.090080] usb 3-6: new high-speed USB device number 10 using xhci_hcd
    [13130.138829] usb 3-6: New USB device found, idVendor=0bc2, idProduct=231a, bcdDevice= 7.10
    [13130.138831] usb 3-6: New USB device strings: Mfr=1, Product=2, SerialNumber=3
    [13130.138833] usb 3-6: Product: Expansion
    [13130.138834] usb 3-6: Manufacturer: Seagate
    [13130.138835] usb 3-6: SerialNumber: NAA8QP6G
    [13130.142316] scsi host7: uas
    [13130.142960] scsi 7:0:0:0: Direct-Access     Seagate  Expansion        0710 PQ: 0 ANSI: 6
    [13130.144110] sd 7:0:0:0: Attached scsi generic sg12 type 0
    [13133.971592] sd 7:0:0:0: [sdc] 3907029167 512-byte logical blocks: (2.00 TB/1.82 TiB)
    [13133.971594] sd 7:0:0:0: [sdc] 4096-byte physical blocks
    [13133.971744] sd 7:0:0:0: [sdc] Write Protect is off
    [13133.971746] sd 7:0:0:0: [sdc] Mode Sense: 53 00 00 08
    [13133.972062] sd 7:0:0:0: [sdc] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
    [13133.972311] sd 7:0:0:0: [sdc] Optimal transfer size 33553920 bytes not a multiple of physical block size (4096 bytes)
    [13134.314339]  sdc: sdc1
    [13134.316736] sd 7:0:0:0: [sdc] Attached SCSI disk
    [13228.403420] usb 3-6: USB disconnect, device number 10
    [13228.409336] sd 7:0:0:0: [sdc] Synchronizing SCSI cache
    [13228.530590] sd 7:0:0:0: [sdc] Synchronize Cache(10) failed: Result: hostbyte=DID_ERROR driverbyte=DRIVER_OK
    [13566.518234] snd_hda_intel 0000:00:1b.0: Unstable LPIB (393600 >= 24600); disabling LPIB delay counting


Welcome to Red Hat Enterprise Linux. boot.log:
    [  OK  ] Started Berkeley Internet Name Domain (DNS).
    [  OK  ] Reached target Host and Network Name Lookups.
    [  OK  ] Created slice system-systemd\x2dcoredump.slice.
    [  OK  ] Started Process Core Dump (PID 1211/UID 0).
    [  OK  ] Started VDO volume services.
    [  OK  ] Started update of the root trust anchor for DNSSEC validation in unbound.
    [  OK  ] Started System Security Services Daemon.
    [  OK  ] Reached target User and Group Name Lookups.
             Starting Accounts Service...
             Starting Login Service...
             Starting Permit User Sessions...
    [  OK  ] Started Permit User Sessions.
    [  OK  ] Started Command Scheduler.
    [  OK  ] Started Job spooling tools.
    [  OK  ] Started SYSV: The Oracle Secure Backup services daemon enables automatic.
             Starting ohasd.service...
    [  OK  ] Started Accounts Service.
    [  OK  ] Started ohasd.service.
    [  OK  ] Started Login Service.
             Starting Virtualization daemon...
    [  OK  ] Created slice system-user\x2druntime\x2ddir.slice.
    [  OK  ] Started /run/user/500 mount wrapper.
    [  OK  ] Created slice User Slice of UID 500.
    [  OK  ] Started Session c1 of user oracle.
             Starting User Manager for UID 500...
    [  OK  ] Started Disk Manager.
    [  OK  ] Started Dynamic System Tuning Daemon.
    [  OK  ] Started User Manager for UID 500.
             Stopping User Manager for UID 500...
    [  OK  ] Stopped User Manager for UID 500.
             Stopping /run/user/500 mount wrapper...
    [  OK  ] Removed slice User Slice of UID 500.
    [  OK  ] Started OpenSSH server daemon.
    [  OK  ] Stopped /run/user/500 mount wrapper.
    [  OK  ] Started Virtualization daemon.
             Starting WPA supplicant...
    [  OK  ] Started WPA supplicant.
    [  OK  ] Started Certificate monitoring and PKI enrollment.
    [  OK  ] Started Network Manager Wait Online.
    [  OK  ] Reached target Network is Online.
             Starting NFS Mount Daemon...
             Starting NFS status monitor for NFSv2/3 locking....
             Starting System Logging Service...
             Starting Crash recovery kernel arming...
    [  OK  ] Started System Logging Service.
    [  OK  ] Started NFS status monitor for NFSv2/3 locking..
    [  OK  ] Started NFS Mount Daemon.
             Starting NFS server and services...
    [  OK  ] Started NFS server and services.
             Starting Notify NFS peers of a restart...
    [  OK  ] Started Notify NFS peers of a restart.
    [  OK  ] Created slice system-dirsrv.slice.
             Starting 389 Directory Server EXAMPLE-COM....
    [  OK  ] Started Crash recovery kernel arming.
    [  OK  ] Started 389 Directory Server EXAMPLE-COM..
             Starting Kerberos 5 KDC...
    [  OK  ] Stopped Kerberos 5 KDC.
             Stopping 389 Directory Server EXAMPLE-COM....
    [  OK  ] Stopped 389 Directory Server EXAMPLE-COM..
    [  OK  ] Started /etc/rc.d/rc.local Compatibility.
             Starting GNOME Display Manager...
             Starting Hold until boot process finishes up...
    [FAILED] Failed to start Identity, Policy, Audit.
    See 'systemctl status ipa.service' for details.
    [  OK  ] Started GNOME Display Manager.



User space


/var/log/messages......

Time : place : actor (process) : cause - course - outcome

    Nov 15 10:14:03 classroom rsyslogd[1591]: [origin software="rsyslogd" swVersion="8.37.0-9.el8" x-pid="1591" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
    Nov 15 10:14:03 classroom rhsmd[13487]: In order for Subscription Manager to provide your system with updates, your system must be registered with the Customer Portal. Please enter your Red Hat login to ensure your system is up-to-date.
    Nov 15 10:14:10 classroom init.ohasd[1127]: /etc/init.d/init.ohasd:行264: 警告:command substitution: ignored null byte in input
    Nov 15 10:14:20 classroom init.ohasd[1127]: /etc/init.d/init.ohasd:行264: 警告:command substitution: ignored null byte in input
    Nov 15 10:14:30 classroom init.ohasd[1127]: /etc/init.d/init.ohasd:行264: 警告:command substitution: ignored null byte in input
    Nov 15 10:14:40 classroom init.ohasd[1127]: /etc/init.d/init.ohasd:行264: 警告:command substitution: ignored null byte in input
    Nov 15 10:14:50 classroom init.ohasd[1127]: /etc/init.d/init.ohasd:行264: 警告:command substitution: ignored null byte in input
    Nov 15 10:15:00 classroom init.ohasd[1127]: /etc/init.d/init.ohasd:行264: 警告:command substitution: ignored null byte in input
    Nov 15 10:15:10 classroom init.ohasd[1127]: /etc/init.d/init.ohasd:行264: 警告:command substitution: ignored null byte in input
    Nov 15 10:15:19 classroom named[1171]: client @0x7f661009ee20 192.168.0.141#62322 (pan.baidu.com): query (cache) 'pan.baidu.com/A/IN' denied
    Nov 15 10:15:20 classroom init.ohasd[1127]: /etc/init.d/init.ohasd:行264: 警告:command substitution: ignored null byte in input
    Nov 15 10:15:30 classroom init.ohasd[1127]: /etc/init.d/init.ohasd:行264: 警告:command substitution: ignored null byte in input
    Nov 15 10:15:40 classroom init.ohasd[1127]: /etc/init.d/init.ohasd:行264: 警告:command substitution: ignored null byte in input
    Nov 15 10:15:50 classroom init.ohasd[1127]: /etc/init.d/init.ohasd:行264: 警告:command substitution: ignored null byte in input
    Nov 15 10:15:54 classroom named[1171]: network unreachable resolving 'safebrowsing.googleapis.com/A/IN': 2001:4860:4802:38::a#53
    Nov 15 10:15:54 classroom named[1171]: network unreachable resolving 'safebrowsing.googleapis.com/A/IN': 2001:4860:4802:32::a#53
    Nov 15 10:15:54 classroom named[1171]: network unreachable resolving 'safebrowsing.googleapis.com/A/IN': 2001:4860:4802:36::a#53
    Nov 15 10:15:54 classroom named[1171]: network unreachable resolving 'safebrowsing.googleapis.com/A/IN': 2001:4860:4802:34::a#53
    Nov 15 10:15:58 classroom named[1171]: client @0x7f661009ee20 192.168.0.141#50980 (tongji.flash.cn): query (cache) 'tongji.flash.cn/A/IN' denied
    Nov 15 10:16:00 classroom named[1171]: client @0x7f661009ee20 192.168.0.141#49521 (s.f.360.cn): query (cache) 's.f.360.cn/A/IN' denied
    Nov 15 10:16:00 classroom init.ohasd[1127]: /etc/init.d/init.ohasd:行264: 警告:command substitution: ignored null byte in input
    Nov 15 10:16:01 classroom named[1171]: client @0x7f661009ee20 192.168.0.141#63491 (hm.baidu.com): query (cache) 'hm.baidu.com/A/IN' denied
    Nov 15 10:16:10 classroom init.ohasd[1127]: /etc/init.d/init.ohasd:行264: 警告:command substitution: ignored null byte in input
    Nov 15 10:16:20 classroom init.ohasd[1127]: /etc/init.d/init.ohasd:行264: 警告:command substitution: ignored null byte in input
    Nov 15 10:16:30 classroom init.ohasd[1127]: /etc/init.d/init.ohasd:行264: 警告:command substitution: ignored null byte in input
    Nov 15 10:16:40 classroom init.ohasd[1127]: /etc/init.d/init.ohasd:行264: 警告:command substitution: ignored null byte in input
    Nov 15 10:16:50 classroom init.ohasd[1127]: /etc/init.d/init.ohasd:行264: 警告:command substitution: ignored null byte in input
    Nov 15 10:17:00 classroom init.ohasd[1127]: /etc/init.d/init.ohasd:行264: 警告:command substitution: ignored null byte in input
    Nov 15 10:17:03 classroom named[1171]: client @0x7f661009ee20 192.168.0.141#56308 (pan.baidu.com): query (cache) 'pan.baidu.com/A/IN' denied
    Nov 15 10:17:10 classroom init.ohasd[1127]: /etc/init.d/init.ohasd:行264: 警告:command substitution: ignored null byte in input
    Nov 15 10:17:20 classroom init.ohasd[1127]: /etc/init.d/init.ohasd:行264: 警告:command substitution: ignored null byte in input
    Nov 15 10:17:30 classroom init.ohasd[1127]: /etc/init.d/init.ohasd:行264: 警告:command substitution: ignored null byte in input
    Nov 15 10:17:31 classroom named[1171]: client @0x7f661009ee20 192.168.0.141#6

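The logs of the dhcpd and DNS servers are mixed into the file above; other servers have their own directories with log files under them; the FTP server's log is xferlog.1.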
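
Because named, dhcpd and everything else share /var/log/messages, the process field is what separates them. As an added example (not part of the original post), this script reads the time, host, process[pid], message layout with awk, counts messages per process, and groups named's "denied" queries by client address; the sample lines are constructed in the same format as the excerpt above.

```shell
#!/bin/sh
# Added example: read /var/log/messages-style lines as
#   month day time host process[pid]: message

# Constructed sample lines in the format shown above (not real log data).
sample_log() {
cat <<'EOF'
Nov 15 10:15:19 classroom named[1171]: client @0x7f661009ee20 192.168.0.141#62322 (pan.baidu.com): query (cache) 'pan.baidu.com/A/IN' denied
Nov 15 10:15:20 classroom init.ohasd[1127]: /etc/init.d/init.ohasd: warning: ignored null byte in input
Nov 15 10:15:58 classroom named[1171]: client @0x7f661009ee20 192.168.0.141#50980 (tongji.flash.cn): query (cache) 'tongji.flash.cn/A/IN' denied
Nov 15 10:16:03 classroom named[1171]: client @0x7f661009ee20 192.168.0.77#40000 (example.test): query (cache) 'example.test/A/IN' denied
Nov 15 10:16:05 classroom dhcpd[1300]: DHCPACK on 192.168.0.141 to 52:54:00:00:00:01 via br0
EOF
}

# Messages per process (field 5 without "[pid]:"), busiest first.
count_by_process() {
    awk '{ tag = $5; sub(/(\[[0-9]+\])?:$/, "", tag); n[tag]++ }
         END { for (t in n) print n[t], t }' | sort -k1,1nr -k2,2
}

# named refusals ("... denied") grouped by client address, most active first.
denied_queries_by_client() {
    awk '$5 ~ /^named(\[|:)/ && $NF == "denied" {
             for (i = 6; i <= NF; i++)
                 if ($i ~ /^[0-9a-fA-F.:]+#[0-9]+$/) {   # address#port token
                     ip = $i; sub(/#[0-9]+$/, "", ip); n[ip]++; break
                 }
         }
         END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

echo "messages per process:";      sample_log | count_by_process
echo "denied queries per client:"; sample_log | denied_queries_by_client
```

On a live system, feed the functions from the file itself, for example `denied_queries_by_client < /var/log/messages`.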


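journalctl reads a journal kept in memory (the runtime journal under /run/log/journal shown above), which duplicates the whole set of logs above, including the server logs.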

How log rotation works:
1. A binary program deletes stale logs (after a period of time; how long is set in logrotate.conf): /usr/sbin/logrotate

    [root@servera etc]# which logrotate
    /usr/sbin/logrotate
    [root@servera etc]# file /usr/sbin/logrotate
    /usr/sbin/logrotate: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=3ad872a040dc8938f1c2e5dda41300bfff8dc688, stripped

    [root@servera etc]# vim /etc/logrotate.conf

  
    # see "man logrotate" for details
    # rotate log files weekly
    weekly

    # keep 4 weeks worth of backlogs
    rotate 4

    # create new (empty) log files after rotating old ones
    create

    # use date as a suffix of the rotated file
    dateext

    # uncomment this if you want your log files compressed
    #compress

    # RPM packages drop log rotation information into this directory
    include /etc/logrotate.d

    # system-specific logs may be also be configured here.

2. Who schedules /usr/sbin/logrotate
/etc/crontab (an empty file)
--> /etc/cron.d/ contains a file named 0hourly:

    # Run the hourly jobs
    SHELL=/bin/bash
    PATH=/sbin:/bin:/usr/sbin:/usr/bin
    MAILTO=root
    01 * * * * root run-parts /etc/cron.hourly

Look at what is in /etc/cron.hourly:

    [root@servera cron.hourly]# ls
    0anacron

0anacron checks whether a cron run was missed:

    #!/bin/sh
    # Check whether 0anacron was run today already
    if test -r /var/spool/anacron/cron.daily; then
        day=`cat /var/spool/anacron/cron.daily`
    fi
    if [ `date +%Y%m%d` = "$day" ]; then
        exit 0
    fi

    # Do not run jobs when on battery power
    online=1
    for psupply in AC ADP0 ; do
        sysfile="/sys/class/power_supply/$psupply/online"

        if [ -f $sysfile ] ; then
            if [ `cat $sysfile 2>/dev/null`x = 1x ]; then
                online=1
                break
            else
                online=0
            fi
        fi
    done
    if [ $online = 0 ]; then
        exit 0
    fi
    /usr/sbin/anacron -s

The configuration file of /usr/sbin/anacron, "/etc/anacrontab", has 4 columns:

    # /etc/anacrontab: configuration file for anacron

    # See anacron(8) and anacrontab(5) for details.

    SHELL=/bin/sh
    PATH=/sbin:/bin:/usr/sbin:/usr/bin
    MAILTO=root
    # the maximal random delay added to the base delay of the jobs
    RANDOM_DELAY=45
    # the jobs will be started during the following hours only
    START_HOURS_RANGE=3-22

    #period in days   delay in minutes   job-identifier   command
    1       5       cron.daily              nice run-parts /etc/cron.daily
    7       25      cron.weekly             nice run-parts /etc/cron.weekly
    @monthly 45     cron.monthly            nice run-parts /etc/cron.monthly

In a sense, cron.daily, cron.weekly and cron.monthly are all scheduled by cron.hourly.


/etc/cron.daily:
logrotate:
    #!/bin/sh

    /usr/sbin/logrotate /etc/logrotate.conf
    EXITVALUE=$?
    if [ $EXITVALUE != 0 ]; then
        /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
    fi
    exit $EXITVALUE
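
Every file on the path from crond to logrotate (0hourly, 0anacron, anacrontab, the cron.daily script, logrotate.conf and the directories they pull in) is executed or read as root, so a writable link anywhere in that chain controls what runs as root. As an added example (not part of the original post), this script checks ownership and write permissions along the chain; the ROOT prefix and OWNER arguments are assumptions introduced here so the check can run against a mounted image or the constructed sample tree.

```shell
#!/bin/sh
# Added example (not from the original post). Everything cron reaches on the way
# to logrotate runs as root, so each file and drop-in directory must be owned by
# root and must not be writable by group or others.

# Paths named in the post; directories are checked together with their entries.
CHAIN="/etc/crontab /etc/cron.d /etc/cron.hourly /etc/anacrontab
/etc/cron.daily /etc/logrotate.conf /etc/logrotate.d"

# audit_rotation_chain [ROOT] [OWNER]
#   ROOT  : path prefix, e.g. a mounted disk image (assumption; default: live system)
#   OWNER : expected owner uid (default 0)
# Prints "MISSING <path>" or "UNSAFE <path>" and returns 1 on any finding.
audit_rotation_chain() {
    root=${1:-}; owner=${2:-0}
    report=$(
        for p in $CHAIN; do
            if [ ! -e "$root$p" ]; then echo "MISSING $p"; continue; fi
            find "$root$p" ! -type l \
                 \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print |
            while IFS= read -r f; do rel=${f#"$root"}; echo "UNSAFE $rel"; done
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed sample tree: a correct chain plus one world-writable cron.daily script.
build_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/cron.d" "$t/etc/cron.hourly" "$t/etc/cron.daily" "$t/etc/logrotate.d"
    for f in crontab anacrontab logrotate.conf cron.d/0hourly \
             cron.hourly/0anacron cron.daily/logrotate; do
        : > "$t/etc/$f"; chmod 644 "$t/etc/$f"
    done
    chmod 755 "$t/etc" "$t"/etc/cron.* "$t/etc/logrotate.d"
    chmod 666 "$t/etc/cron.daily/logrotate"
    echo "$t"
}

tree=$(build_sample_tree)
# The sample tree is owned by the caller, so pass the caller's uid as OWNER.
audit_rotation_chain "$tree" "$(id -u)" || echo "chain has findings"
rm -rf "$tree"
```

On the live system, run `audit_rotation_chain` with no arguments as root; no output and exit status 0 mean the chain is root-owned and not group- or world-writable.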








