A Simple Introduction to CentOS Logs

2023-06-13 09:20:04
On CentOS 7, system log messages are handled by two services: systemd-journald and rsyslog.

(1). Common log files and what they hold

The /var/log directory contains the system- and service-specific log files maintained by rsyslog. The files in that directory you will reach for most often are:

/var/log/messages  Most system log messages end up here, except those concerning authentication, mail handling and scheduled (cron) jobs, which have their own files below.
/var/log/secure    Security- and authentication-related messages, including failed logins. On a typical server most of this is produced by sshd for remote SSH connections.
/var/log/wtmp      A binary file recording every user's logins and session durations; read it with the last command.
/var/log/btmp      Like /var/log/wtmp, but it records failed login attempts; read it with the lastb command. If this file grows past about 1 MB, check whether someone is brute-forcing passwords.

1) Example 1: find which IP address keeps brute-forcing user passwords

First, connect with the remote terminal client SecureCRT (SCRT) and enter a wrong password, then use the ssh command to connect and enter a wrong password three times, simulating a brute-force attempt.

[root@xuexi ~]# ssh root@192.168.1.6
The authenticity of host '192.168.1.6 (192.168.1.6)' can't be established.
ECDSA key fingerprint is SHA256:r8TKDXZGzdWkjGnXtfb/YGwCTYViIh9PvJxjrkA4hXU.
ECDSA key fingerprint is MD5:99:ea:1a:2c:c3:81:de:6c:95:b2:86:c1:d0:7e:60:96.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.6' (ECDSA) to the list of known hosts.
root@192.168.1.6's password:
Permission denied, please try again.
root@192.168.1.6's password:
Permission denied, please try again.
root@192.168.1.6's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

Now we can inspect /var/log/secure with vim or less; for this demonstration we simply use tail to show the last few lines.

[root@xuexi ~]# tail /var/log/secure
Apr 14 21:43:32 xuexi sshd[65782]: pam_succeed_if(sshd:auth): requirement "uid = 1000" not met by user "root"
Apr 14 21:43:35 xuexi sshd[65782]: Failed password for root from 192.168.1.6 port 42396 ssh2
Apr 14 21:43:38 xuexi unix_chkpwd[65785]: password check failed for user (root)
Apr 14 21:43:38 xuexi sshd[65782]: pam_succeed_if(sshd:auth): requirement "uid = 1000" not met by user "root"
Apr 14 21:43:39 xuexi sshd[65782]: Failed password for root from 192.168.1.6 port 42396 ssh2
Apr 14 21:43:43 xuexi unix_chkpwd[65786]: password check failed for user (root)
Apr 14 21:43:43 xuexi sshd[65782]: pam_succeed_if(sshd:auth): requirement "uid = 1000" not met by user "root"
Apr 14 21:43:45 xuexi sshd[65782]: Failed password for root from 192.168.1.6 port 42396 ssh2
Apr 14 21:43:45 xuexi sshd[65782]: Connection closed by 192.168.1.6 port 42396 [preauth]
Apr 14 21:43:45 xuexi sshd[65782]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=xuexi user=root

Look at lines 2, 5 and 8. Each of these "Failed password" lines follows the same pattern: timestamp + hostname + service[pid] + message, with the client address right after the word "from". That regular structure is what lets us filter out exactly the information we want.

[root@xuexi ~]# grep Failed /var/log/secure | awk '{print $11}' | uniq
192.168.1.4
192.168.1.6
[root@xuexi ~]# grep Failed /var/log/secure | awk '{print $11}' | uniq -c
      2 192.168.1.4
      3 192.168.1.6

Explanation: awk '{print $11}' splits each line on whitespace and prints the 11th field, which for a "Failed password for <user> from <ip> port ..." line is the client IP. uniq collapses repeated lines, and -c prefixes each with the number of times it occurred. Two caveats for real logs: uniq only merges adjacent duplicates, so pass the addresses through sort before uniq when attempts from different hosts interleave; and when the account does not exist, sshd logs "Failed password for invalid user <name> from <ip>", which pushes the address to field 13, so matching on the token after "from" is more reliable than a fixed column.
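As an added, runnable example (not code from the original article), the following shell script packages the check above into functions and runs them on a handful of constructed sshd log lines. It goes one step beyond the page: it shows how the column-11 pipeline misattributes "invalid user" attempts and splits counts when attackers interleave, and it also lists the non-existent usernames that were tried. The sample lines, the "admin" attempts, the function names and the alert threshold are all assumptions made for this demo.

```shell
#!/bin/sh
# Added example: count failed SSH password attempts per source address.
# SAMPLE_SECURE is CONSTRUCTED for this demo in the format sshd writes to
# /var/log/secure on CentOS 7; the host "xuexi" and the two addresses are the
# page's, the "admin" attempts and the successful xf login are made up.
SAMPLE_SECURE='Apr 14 21:43:35 xuexi sshd[65782]: Failed password for root from 192.168.1.6 port 42396 ssh2
Apr 14 21:43:39 xuexi sshd[65782]: Failed password for root from 192.168.1.6 port 42396 ssh2
Apr 14 21:44:10 xuexi sshd[65790]: Failed password for invalid user admin from 192.168.1.4 port 50122 ssh2
Apr 14 21:43:45 xuexi sshd[65782]: Failed password for root from 192.168.1.6 port 42396 ssh2
Apr 14 21:43:45 xuexi sshd[65782]: Connection closed by 192.168.1.6 port 42396 [preauth]
Apr 14 21:44:18 xuexi sshd[65790]: Failed password for invalid user admin from 192.168.1.4 port 50122 ssh2
Apr 14 21:46:30 xuexi sshd[65801]: Accepted publickey for xf from 192.168.1.4 port 50140 ssh2: RSA SHA256:constructed'

# The page's pipeline: fixed column 11 and adjacent-only uniq. Kept to show
# how it fails on "invalid user" lines and on interleaved sources.
naive_by_ip() {
    grep Failed | awk '{print $11}' | uniq -c | awk '{print $1, $2}'
}

# Robust version: take the token after "from", which stays in place even when
# sshd inserts "invalid user <name>" before it; sort before uniq so attempts
# from the same host are merged wherever they appear; busiest source first.
failed_by_ip() {
    grep 'Failed password for' \
      | sed -n 's/.* from \([^ ]*\) port [0-9]* ssh2.*/\1/p' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Account names that do not exist on this host: a strong brute-force signal.
invalid_users() {
    sed -n 's/.*Failed password for invalid user \([^ ]*\) from .*/\1/p' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Print each source with at least THRESHOLD failures (default 5), one per line;
# this is the list you would feed to the firewall rule later on the page.
flag_bruteforce() {
    failed_by_ip | awk -v t="${1:-5}" '$1 + 0 >= t + 0 {print $2}'
}

# Stand-alone run on the constructed sample. Against a live host you would use
#   failed_by_ip < /var/log/secure
echo "naive (column 11, no sort):"; printf '%s\n' "$SAMPLE_SECURE" | naive_by_ip
echo "robust:";                     printf '%s\n' "$SAMPLE_SECURE" | failed_by_ip
echo "invalid users tried:";        printf '%s\n' "$SAMPLE_SECURE" | invalid_users
echo "sources with >= 3 failures:"; printf '%s\n' "$SAMPLE_SECURE" | flag_bruteforce 3
```

The naive pipeline reports "admin" as if it were an address and counts 192.168.1.6 twice, once for each contiguous run; the robust pipeline reports 3 failures from 192.168.1.6 and 2 from 192.168.1.4 regardless of the line order.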

2) Using last to view the contents of /var/log/wtmp

last can be run with no arguments. Things worth scanning for: logins by root or service accounts, unfamiliar source hosts in the third column, and "crash" or "down" entries that mark unclean shutdowns.

[root@xuexi ~]# last
xf       pts/0        :0               Sun Apr 14 21:33   still logged in
xf       :0           :0               Sun Apr 14 13:56   still logged in
reboot   system boot  3.10.0-957.10.1. Sun Apr 14 13:55 - 23:11  (09:15)
reboot   system boot  3.10.0-957.10.1. Sun Apr 14 13:53 - 23:11  (09:17)
xf       :0           :0               Sun Apr 14 13:49 - crash  (00:03)
reboot   system boot  3.10.0-957.10.1. Sun Apr 14 13:47 - 23:11  (09:23)
xf       pts/0        :0               Tue Apr  9 21:47 - 22:33  (00:46)
xf       pts/0        :0               Tue Apr  9 21:21 - 21:45  (00:23)
xf       :0           :0               Tue Apr  9 21:21 - 22:33  (01:12)
reboot   system boot  3.10.0-957.10.1. Tue Apr  9 21:19 - 22:33  (01:14)
xf       :0           :0               Fri Apr  5 22:27 - 22:29  (00:01)
reboot   system boot  3.10.0-957.10.1. Fri Apr  5 22:26 - 22:29  (00:02)
root     pts/0        :0               Fri Apr  5 22:03 - 22:25  (00:22)
root     :0           :0               Fri Apr  5 22:02 - down   (00:23)
reboot   system boot  3.10.0-862.el7.x Fri Apr  5 22:01 - 22:26  (00:24)
reboot   system boot  3.10.0-862.el7.x Fri Apr  5 22:00 - 22:26  (00:25)
root     :0           :0               Fri Apr  5 21:56 - 22:00  (00:03)
root     tty2                          Tue Dec 11 21:48 - 21:48  (00:00)
xf       pts/0        :0               Tue Dec 11 21:42 - 21:55 (115+00:13)
xf       :0           :0               Tue Dec 11 21:41 - 21:56 (115+00:14)
reboot   system boot  3.10.0-862.el7.x Tue Dec 11 21:18 - 22:00 (115+00:41)
xf       pts/0        :0               Tue Dec 11 21:04 - 21:18  (00:14)
xf       :0           :0               Tue Dec 11 21:00 - down   (00:18)
reboot   system boot  3.10.0-862.el7.x Tue Dec 11 20:50 - 21:18  (00:27)
xf       :0           :0               Mon Dec 10 22:06 - 22:07  (00:00)
reboot   system boot  3.10.0-862.el7.x Mon Dec 10 22:05 - 21:18  (23:13)
xf       pts/0        :0               Mon Dec 10 21:34 - 22:04  (00:29)
xf       :0           :0               Mon Dec 10 21:34 - crash  (00:30)
reboot   system boot  3.10.0-862.el7.x Mon Dec 10 21:33 - 21:18  (23:44)
xf       pts/0        :0               Mon Dec 10 20:59 - 21:33  (00:34)
xf       pts/0        :0               Mon Dec 10 20:55 - 20:59  (00:03)
xf       :0           :0               Mon Dec 10 20:54 - 21:33  (00:38)
reboot   system boot  3.10.0-862.el7.x Mon Dec 10 20:52 - 21:33  (00:40)
xf       :0           :0               Sun Dec  9 15:54 - 16:09  (00:15)
reboot   system boot  3.10.0-862.el7.x Sun Dec  9 15:49 - 16:09  (00:20)

wtmp begins Sun Dec  9 15:49:03 2018

The same listing is produced by naming the file explicitly with last -f /var/log/wtmp. The -f form is what you need to read a rotated copy such as /var/log/wtmp.1 or a wtmp file copied off another host during an investigation.

[root@xuexi ~]# last -f /var/log/wtmp
xf       pts/0        :0               Sun Apr 14 21:33   still logged in
xf       :0           :0               Sun Apr 14 13:56   still logged in
reboot   system boot  3.10.0-957.10.1. Sun Apr 14 13:55 - 23:11  (09:16)
... (the remaining entries are identical to the listing above) ...

wtmp begins Sun Dec  9 15:49:03 2018

3) Using lastb to view /var/log/btmp

[root@xuexi ~]# lastb
root     ssh:notty    xuexi            Sun Apr 14 21:43 - 21:43  (00:00)
root     ssh:notty    xuexi            Sun Apr 14 21:43 - 21:43  (00:00)
root     ssh:notty    xuexi            Sun Apr 14 21:43 - 21:43  (00:00)
root     ssh:notty    pc               Sun Apr 14 21:41 - 21:41  (00:00)
root     ssh:notty    pc               Sun Apr 14 21:41 - 21:41  (00:00)

btmp begins Sun Apr 14 21:41:08 2019
[root@xuexi ~]# lastb | uniq -c
      3 root     ssh:notty    xuexi            Sun Apr 14 21:43 - 21:43  (00:00)
      2 root     ssh:notty    pc               Sun Apr 14 21:41 - 21:41  (00:00)
      1 btmp begins Sun Apr 14 21:41:08 2019

Once the offending address is identified, add a firewall rule to stop it from continuing.

On CentOS 6 the following command adds a temporary iptables rule. To make it survive a reboot, follow it with service iptables save.

iptables -A INPUT -i eth0 -s 192.168.128.137 -j DROP    # -A INPUT appends to the INPUT chain; -j DROP silently discards every matching packet

On CentOS 7 use firewalld instead. Note that the rich rule must be quoted so the shell passes it as a single argument, and that --permanent rules only take effect after --reload:

[root@xuexi ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.128.137" drop'
success
[root@xuexi ~]# firewall-cmd --reload
success

4) Emptying /var/log/btmp

Method one: truncate the file in place, which keeps its owner and mode intact.

[root@xuexi ~]# > /var/log/btmp

Method two: delete and recreate it.

[root@xuexi ~]# rm -rf /var/log/btmp
[root@xuexi ~]# touch /var/log/btmp
[root@xuexi ~]# systemctl restart rsyslog.service

Caveat: btmp is not written by rsyslog. login, sshd and the other PAM-aware programs append failed-login records to it directly, so the restart does no harm but is not what makes recording resume. What does matter after recreating the file is restoring the permissions logrotate gives it (chmod 600 /var/log/btmp; chown root:utmp /var/log/btmp): btmp frequently contains passwords that users mistyped into the username prompt, which is why it must not be world-readable.

(2). The rsyslog logging service

1) Log facilities and levels

Facilities:

2) The rsyslog service

On RHEL 5 the service was called syslog and its configuration file was /etc/syslog.conf. On RHEL 6 and 7 the service is called rsyslog and the configuration file is /etc/rsyslog.conf.

Let's look at the active lines of /etc/rsyslog.conf, filtering out blank lines and comments:

[root@xuexi ~]# grep -vE "^$|^#" /etc/rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

This shows the most important rule form: facility.priority followed by an action, usually the absolute path of the file to write. The priority part has sub-rules of its own. A bare .priority selects messages at that level or more severe (greater severity means a lower numeric code: emerg is 0 and debug is 7, so .info matches codes 0 through 6). .=priority selects exactly that level. .!priority excludes that level and everything more severe, and .!=priority excludes exactly that level. .none excludes the named facilities entirely, which is how the first rule keeps mail, authentication and cron traffic out of /var/log/messages. Several selectors separated by ; are applied left to right, each one affecting only the facilities it names, and several facilities can share one priority, as in uucp,news.crit.

With that in mind, reading the configuration above:

Everything at info or above, except mail, authentication and cron messages, goes to /var/log/messages:
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

All authentication messages go to /var/log/secure:
authpriv.*                                              /var/log/secure

All mail messages go to /var/log/maillog, written without a sync after each message (see the note on the leading minus below):
mail.*                                                  -/var/log/maillog

Scheduled-job messages go to /var/log/cron:
cron.*                                                  /var/log/cron

Emergency messages from any facility are broadcast to the terminals of all logged-in users:
*.emerg                                                 :omusrmsg:*

Messages of critical severity or worse from uucp and news go to /var/log/spooler:
uucp,news.crit                                          /var/log/spooler

Everything logged with the local7 facility, which is what boot messages use, goes to /var/log/boot.log:
local7.*                                                /var/log/boot.log

Note on the minus sign in -/var/log/maillog: it tells rsyslog not to sync the file after every write. Mail servers historically generated a great deal of log traffic, so letting writes accumulate in the buffer and flushing them in batches reduces I/O. The cost is that messages still sitting in the buffer are lost if the machine goes down uncleanly.
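To make the selector rules concrete, here is an added shell example (not part of the original article, and not rsyslog's own code) that evaluates a selector string against a message's facility and priority using the sysklogd semantics described above. Running it on the rules from the configuration file shows, for instance, that an authpriv.info message from sshd is dropped by the first rule because of authpriv.none and caught by the second. The selector strings are the page's own; the function names and the priority table are assumptions for this example.

```shell
#!/bin/sh
# Added example: decide whether an rsyslog/sysklogd selector such as
#   *.info;mail.none;authpriv.none;cron.none
# would pass a message with a given facility and priority to its action.

# Numeric priority codes as defined by syslog(3): 0 is the most severe.
pri_num() {
    case "$1" in
        emerg|panic)  echo 0 ;;
        alert)        echo 1 ;;
        crit)         echo 2 ;;
        err|error)    echo 3 ;;
        warning|warn) echo 4 ;;
        notice)       echo 5 ;;
        info)         echo 6 ;;
        debug)        echo 7 ;;
        *) echo "pri_num: unknown priority '$1'" >&2; return 1 ;;
    esac
}

# facility_in LIST FACILITY: true if the comma-separated LIST (or "*") names FACILITY.
facility_in() {
    [ "$1" = "*" ] && return 0
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# selector_matches SELECTOR FACILITY PRIORITY
# Prints "yes" if a FACILITY.PRIORITY message is selected, "no" otherwise.
# Selectors separated by ';' are applied left to right and each one only
# touches the facilities it names:
#   .level    selects level and everything more severe (numeric code <= level)
#   .=level   selects exactly level
#   .!level   deselects level and everything more severe
#   .!=level  deselects exactly level
#   .none     deselects everything for those facilities
#   .*        selects everything for those facilities
selector_matches() {
    selector="$1" fac="$2"
    msg=$(pri_num "$3") || return 1
    result=no
    rest="$selector;"
    while [ -n "$rest" ]; do
        part="${rest%%;*}"; rest="${rest#*;}"
        [ -z "$part" ] && continue
        facility_in "${part%.*}" "$fac" || continue
        spec="${part##*.}"
        case "$spec" in
            none)  result=no ;;
            '*')   result=yes ;;
            '!='*) lvl=$(pri_num "${spec#!=}") || return 1
                   if [ "$msg" -eq "$lvl" ]; then result=no; fi ;;
            '!'*)  lvl=$(pri_num "${spec#!}") || return 1
                   if [ "$msg" -le "$lvl" ]; then result=no; fi ;;
            '='*)  lvl=$(pri_num "${spec#=}") || return 1
                   if [ "$msg" -eq "$lvl" ]; then result=yes; fi ;;
            *)     lvl=$(pri_num "$spec") || return 1
                   if [ "$msg" -le "$lvl" ]; then result=yes; fi ;;
        esac
    done
    echo "$result"
}

# Stand-alone demo: which of the page's rules would accept an sshd message
# logged as authpriv.info, and what happens once sshd is moved to local0?
for rule in '*.info;mail.none;authpriv.none;cron.none' 'authpriv.*' 'local0.*'; do
    printf '%-42s  authpriv.info -> %s   local0.info -> %s\n' "$rule" \
        "$(selector_matches "$rule" authpriv info)" \
        "$(selector_matches "$rule" local0 info)"
done
```

The last column of the demo output is the point of the next subsection: once sshd logs with facility local0, only a local0.* rule sees its messages, and the authpriv.* rule feeding /var/log/secure no longer does.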

Two more settings in the file are worth knowing about. Both pairs are commented out by default; uncommenting a pair turns this host into a central log receiver on port 514. The $ModLoad line loads the input module and the following line starts the listener, so both lines of a pair are needed:

#$ModLoad imudp
#$UDPServerRun 514           # uncomment both to accept syslog forwarded over UDP on port 514
#$ModLoad imtcp
#$InputTCPServerRun 514      # uncomment both to accept syslog forwarded over TCP on port 514

Keep in mind that plain syslog on port 514 accepts unauthenticated messages from any host that can reach it, so restrict the port with the firewall to the senders you expect.

3) Custom log facilities and destinations

This uses the custom facilities local0 through local7. We take sshd as the example.

First open the sshd configuration file with vim:

[root@xuexi ~]# vim /etc/ssh/sshd_config

Find the following lines and change the facility to local0:

#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

After the change they should read:

#SyslogFacility AUTH
SyslogFacility local0
#SyslogFacility AUTHPRIV
#LogLevel INFO

Save and exit.

Next open the rsyslog configuration file with vim:

[root@xuexi ~]# vim /etc/rsyslog.conf

Add one line at the end:

local0.*                                                /var/log/sshd.log

Save and exit. You can check the file for syntax errors with rsyslogd -N 1 before restarting. Finally restart both sshd and rsyslog:

[root@xuexi ~]# systemctl restart sshd
[root@xuexi ~]# systemctl restart rsyslog.service

Note: if SELinux is enabled, create the /var/log/sshd.log file by hand first.

Also note the side effect: once sshd logs with facility local0, its messages no longer match authpriv.* and so stop appearing in /var/log/secure. The brute-force check from section (1) must then be run against /var/log/sshd.log instead, and any monitoring that watches /var/log/secure for sshd events needs to be repointed.

 
