
日志文件

寻找大小超过10MB的.log文件:(find命令会递归搜索所有子目录,因此从 / 开始会遍历整个文件系统)
[root@iZj6c1a39n0ss415rjbuoqZ ~]# find / -size +10M -a -name "*.log"
/var/log/cloud-init.log
/var/log/udcenter.log
/tmp/jnLogGlobal.log


显示各个指定文件的大小:
[root@iZj6c1a39n0ss415rjbuoqZ ~]# find / -size +10M -a -name "*.log" | xargs du -sh
11M     /var/log/cloud-init.log
11M     /var/log/udcenter.log
14M     /tmp/jnLogGlobal.log

[root@iZj6c1a39n0ss415rjbuoqZ ~]# find / -size +10M -a -name "*.log" -exec du -sh {} \;      
11M     /var/log/cloud-init.log
11M     /var/log/udcenter.log
14M     /tmp/jnLogGlobal.log


排序:(从小到大,sort -h 按 K/M/G 等人类可读的大小单位排序)
[root@iZj6c1a39n0ss415rjbuoqZ ~]# find / -size +10M -a -name "*.log" | xargs du -sh |sort -h
11M     /var/log/cloud-init.log
11M     /var/log/udcenter.log
14M     /tmp/jnLogGlobal.log

排序:(从小到大)
[root@iZj6c1a39n0ss415rjbuoqZ ~]# find / -size +10M -a -name "*.log" -exec du -sh {} \; |sort -h
11M     /var/log/cloud-init.log
11M     /var/log/udcenter.log
14M     /tmp/jnLogGlobal.log







安装压缩软件、解压软件:(zip包)
yum -y install zip
yum -y install unzip

[root@iZj6c1a39n0ss415rjbuoqZ ~]# which zip
/usr/bin/zip
[root@iZj6c1a39n0ss415rjbuoqZ ~]#
[root@iZj6c1a39n0ss415rjbuoqZ ~]# which unzip
/usr/bin/unzip





压缩日志文件:(最好是先切换到日志文件所在目录再进行压缩,否则 zip 会把文件的目录路径一并存入压缩包,解压时会重建整个目录层级)
[root@iZj6c1a39n0ss415rjbuoqZ ~]# cd /var/log
[root@iZj6c1a39n0ss415rjbuoqZ log]# zip -r /home/backup/cloud-init.zip cloud-init.log
  adding: cloud-init.log (deflated 90%)
[root@iZj6c1a39n0ss415rjbuoqZ log]# zip -r /home/backup/udcenter.zip udcenter.log
  adding: udcenter.log (deflated 96%)

[root@iZj6c1a39n0ss415rjbuoqZ log]# cd /tmp
[root@iZj6c1a39n0ss415rjbuoqZ tmp]# zip -r /home/backup/jnLogGlobal.zip jnLogGlobal.log
  adding: jnLogGlobal.log (deflated 96%)




原日志文件压缩后,大小是不变的(zip 只读取原文件,不会修改或删除它):
[root@iZj6c1a39n0ss415rjbuoqZ ~]# find / -size +10M -a -name "*.log" -exec du -sh {} \;      
11M     /var/log/cloud-init.log
11M     /var/log/udcenter.log
14M     /tmp/jnLogGlobal.log


压缩出来的文件比原文件小很多:
[root@iZj6c1a39n0ss415rjbuoqZ ~]# du -ah /home/backup/*.zip
1000K   /home/backup/cloud-init.zip
532K    /home/backup/jnLogGlobal.zip
392K    /home/backup/udcenter.zip

排序:(从小到大)
[root@iZj6c1a39n0ss415rjbuoqZ ~]# du -ah /home/backup/*.zip |sort -h
392K    /home/backup/udcenter.zip
532K    /home/backup/jnLogGlobal.zip
1000K   /home/backup/cloud-init.zip





清空指定的日志文件:(echo > 文件 会把文件截断为只含一个换行符;清空后原内容无法恢复,务必先完成上面的压缩备份)
[root@iZj6c1a39n0ss415rjbuoqZ ~]# echo > /var/log/cloud-init.log
[root@iZj6c1a39n0ss415rjbuoqZ ~]# echo > /var/log/udcenter.log
[root@iZj6c1a39n0ss415rjbuoqZ ~]# echo > /tmp/jnLogGlobal.log
[root@iZj6c1a39n0ss415rjbuoqZ ~]#
[root@iZj6c1a39n0ss415rjbuoqZ ~]# find / -size +10M -a -name "*.log" -exec du -sh {} \;      
[root@iZj6c1a39n0ss415rjbuoqZ ~]#





解压日志文件:
[root@iZj6c1a39n0ss415rjbuoqZ ~]# cd /home/backup/
[root@iZj6c1a39n0ss415rjbuoqZ backup]#
[root@iZj6c1a39n0ss415rjbuoqZ backup]# unzip cloud-init.zip
Archive:  cloud-init.zip
  inflating: cloud-init.log


[root@iZj6c1a39n0ss415rjbuoqZ backup]# unzip jnLogGlobal.zip
Archive:  jnLogGlobal.zip
  inflating: jnLogGlobal.log   


[root@iZj6c1a39n0ss415rjbuoqZ backup]# unzip udcenter.zip
Archive:  udcenter.zip
  inflating: udcenter.log




[root@iZj6c1a39n0ss415rjbuoqZ backup]# pwd
/home/backup
[root@iZj6c1a39n0ss415rjbuoqZ backup]# ls -lh *.log
-rw-r--r-- 1 root root 11M Oct  2 02:08 cloud-init.log
-rw------- 1 root root 14M Oct  2 10:01 jnLogGlobal.log
-rw------- 1 root root 11M Oct  2 09:56 udcenter.log


[root@iZj6c1a39n0ss415rjbuoqZ ~]# find / -size +10M -a -name "*.log" -exec du -sh {} \;
11M     /home/backup/cloud-init.log
14M     /home/backup/jnLogGlobal.log
11M     /home/backup/udcenter.log

[root@iZj6c1a39n0ss415rjbuoqZ ~]# find / -size +10M -a -name "*.log" | xargs du -sh
11M     /home/backup/cloud-init.log
14M     /home/backup/jnLogGlobal.log
11M     /home/backup/udcenter.log















######
######

系统默认已经开启rsyslog服务,rsyslog服务会按 /etc/rsyslog.conf 的配置将系统日志自动记录到/var/log/messages文件中;日志会持续写入并累积在该文件中(默认由 logrotate 定期轮转,并非无限期保留),在做故障诊断时可以查看该文件。

[root@iZj6c1a39n0ss415rjbuoqZ ~]# chkconfig --list rsyslog
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off

[root@iZj6c1a39n0ss415rjbuoqZ ~]# du -sh /var/log/messages
180K    /var/log/messages

[root@iZj6c1a39n0ss415rjbuoqZ ~]# tail /var/log/messages
Oct  2 02:08:29 iZj6c1a39n0ss415rjbuoqZ kernel: piix4_smbus 0000:00:01.3: SMBus Host Controller at 0x700, revision 0
Oct  2 02:08:29 iZj6c1a39n0ss415rjbuoqZ kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Oct  2 02:08:29 iZj6c1a39n0ss415rjbuoqZ kernel: nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
Oct  2 02:08:29 iZj6c1a39n0ss415rjbuoqZ kernel: IPv6: Loaded, but administratively disabled, reboot required to enable
Oct  2 02:08:29 iZj6c1a39n0ss415rjbuoqZ kernel: type=1305 audit(1601575709.332:3): audit_pid=969 old=0 auid=4294967295 ses=4294967295 res=1
Oct  2 02:08:29 iZj6c1a39n0ss415rjbuoqZ irqbalance: Balancing is ineffective on systems with a single cpu.  Shutting down
Oct  2 02:08:42 iZj6c1a39n0ss415rjbuoqZ ntpd[2055]: ntpd 4.2.6p5@1.2349-o Wed Dec 19 20:22:34 UTC 2018 (1)
Oct  2 02:08:42 iZj6c1a39n0ss415rjbuoqZ ntpd[2056]: proto: precision = 0.157 usec
Oct  2 02:08:42 iZj6c1a39n0ss415rjbuoqZ ntpd[2056]: 0.0.0.0 c01d 0d kern kernel time sync enabled
Oct  2 02:08:42 iZj6c1a39n0ss415rjbuoqZ ntpd[2056]: restrict: error in address '::' on line 10. Ignoring...

字段格式和含义,如下:
1. 事件的日期和时间
2. 事件的来源主机
3. 产生这个事件的程序[进程号]
4. 实际的日志信息



/var/log/messages 是可以清空的(清空会丢失故障诊断和安全事件排查的依据,建议先备份;rsyslog 仍持有该文件,会继续向其追加新日志):
[root@iZj6c1a39n0ss415rjbuoqZ ~]# echo > /var/log/messages
[root@iZj6c1a39n0ss415rjbuoqZ ~]#
[root@iZj6c1a39n0ss415rjbuoqZ ~]# tail /var/log/messages  

[root@iZj6c1a39n0ss415rjbuoqZ ~]#
[root@iZj6c1a39n0ss415rjbuoqZ ~]# du -sh /var/log/messages
4.0K    /var/log/messages


[root@iZj6c1a39n0ss415rjbuoqZ ~]# service rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]

[root@iZj6c1a39n0ss415rjbuoqZ ~]# cat /var/log/messages  

Oct  2 11:14:45 iZj6c1a39n0ss415rjbuoqZ kernel: Kernel logging (proc) stopped.
Oct  2 11:14:45 iZj6c1a39n0ss415rjbuoqZ rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1003" x-info="http://www.rsyslog.com"] exiting on signal 15.
Oct  2 11:14:45 iZj6c1a39n0ss415rjbuoqZ kernel: imklog 5.8.10, log source = /proc/kmsg started.
Oct  2 11:14:45 iZj6c1a39n0ss415rjbuoqZ rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="26175" x-info="http://www.rsyslog.com"] start













######

audit审计配置
系统默认开启audit审计功能,并监控所有用户的登录信息:

[root@iZj6c1a39n0ss415rjbuoqZ ~]# chkconfig --list auditd
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off

[root@iZj6c1a39n0ss415rjbuoqZ ~]# du -sh /var/log/audit/audit.log     
784K    /var/log/audit/audit.log

[root@iZj6c1a39n0ss415rjbuoqZ ~]# tail /var/log/audit/audit.log     
type=LOGIN msg=audit(1601604061.048:158): pid=5556 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=9
type=USER_START msg=audit(1601604061.048:159): user pid=5556 uid=0 auid=0 ses=9 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1601604061.062:160): user pid=5556 uid=0 auid=0 ses=9 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1601604061.062:161): user pid=5556 uid=0 auid=0 ses=9 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_START msg=audit(1601605433.074:162): user pid=11935 uid=0 auid=0 ses=8 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=183.38.13.148 addr=183.38.13.148 terminal=/dev/pts/1 res=success'
type=CRYPTO_KEY_USER msg=audit(1601605433.074:163): user pid=11935 uid=0 auid=0 ses=8 msg='op=destroy kind=server fp=66:b6:65:94:a7:cc:a2:1a:01:a7:47:09:f9:93:31:8b direction=? spid=11935 suid=0  exe="/usr/sbin/sshd" hostname=? addr=183.38.13.148 terminal=pts/1 res=success'
type=CRYPTO_KEY_USER msg=audit(1601605433.074:164): user pid=11935 uid=0 auid=0 ses=8 msg='op=destroy kind=server fp=ed:fa:ce:e4:15:c7:1d:37:a2:bf:dd:3d:10:f4:54:67 direction=? spid=11935 suid=0  exe="/usr/sbin/sshd" hostname=? addr=183.38.13.148 terminal=pts/1 res=success'
type=CRED_REFR msg=audit(1601605433.075:165): user pid=11935 uid=0 auid=0 ses=8 msg='op=PAM:setcred acct="root" exe="/usr/sbin/sshd" hostname=183.38.13.148 addr=183.38.13.148 terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1601605606.729:166): user pid=12691 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=66:b6:65:94:a7:cc:a2:1a:01:a7:47:09:f9:93:31:8b direction=? spid=12691 suid=0  exe="/usr/sbin/sshd" hostname=? addr=47.97.16.6 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1601605606.729:167): user pid=12691 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=ed:fa:ce:e4:15:c7:1d:37:a2:bf:dd:3d:10:f4:54:67 direction=? spid=12691 suid=0  exe="/usr/sbin/sshd" hostname=? addr=47.97.16.6 terminal=? res=success'


添加规则到 /etc/audit/audit.rules 文件中,监控所有用户通过 execve 执行的每一条命令(包括 Shell 脚本中调用的外部命令;cd、echo 等 Shell 内建命令不经过 execve,不会被记录),并分别用 arch=b64 和 arch=b32 覆盖 64 位和 32 位程序:
[root@iZj6c1a39n0ss415rjbuoqZ ~]# vi /etc/audit/audit.rules
追加:
-a exit,always -F arch=b64 -S execve -k exec
-a exit,always -F arch=b32 -S execve -k exec



确认规则:
[root@iZj6c1a39n0ss415rjbuoqZ ~]# cat /etc/audit/audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page
-a exit,always -F arch=b64 -S execve -k exec
-a exit,always -F arch=b32 -S execve -k exec



使新规则生效:
[root@iZj6c1a39n0ss415rjbuoqZ ~]# service auditd restart
Stopping auditd:                                           [  OK  ]
Starting auditd:                                           [  OK  ]



新规则生效后,使用 ausearch -k exec 来列出用户操作的记录:
[root@iZj6c1a39n0ss415rjbuoqZ ~]# touch 88.txt
[root@iZj6c1a39n0ss415rjbuoqZ ~]# ausearch -k exec &> 8.txt
注释:&> 会把标准输出和标准错误一起重定向到文件,把记录导入文本中,方便查找。


[root@iZj6c1a39n0ss415rjbuoqZ ~]# cat 8.txt |grep -B4 88.txt  
time->Fri Oct  2 10:49:40 2020
type=PATH msg=audit(1601606980.033:2234): item=1 name=(null) inode=655363 dev=fc:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1601606980.033:2234): item=0 name="/bin/touch" inode=786497 dev=fc:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1601606980.033:2234): cwd="/root"
type=EXECVE msg=audit(1601606980.033:2234): argc=2 a0="touch" a1="88.txt"

注释:grep -B4 显示关键字所在行,以及其前4行。



[root@iZj6c1a39n0ss415rjbuoqZ ~]# cat 8.txt |grep -A1 88.txt
type=EXECVE msg=audit(1601606980.033:2234): argc=2 a0="touch" a1="88.txt"
type=SYSCALL msg=audit(1601606980.033:2234): arch=c000003e syscall=59 success=yes exit=0 a0=f61b30 a1=f3a6e0 a2=f41f10 a3=7fffb6882d70 items=2 ppid=11935 pid=19080 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=8 comm="touch" exe="/bin/touch" key="exec"

注释:grep -A1 显示关键字所在行,以及其后一行。





[root@iZj6c1a39n0ss415rjbuoqZ ~]# su - zhuohua
[zhuohua@iZj6c1a39n0ss415rjbuoqZ ~]$
[zhuohua@iZj6c1a39n0ss415rjbuoqZ ~]$ mkdir -p dir8


[root@iZj6c1a39n0ss415rjbuoqZ ~]# ausearch -k exec &> 6.txt


[root@iZj6c1a39n0ss415rjbuoqZ ~]# cat 6.txt |grep -C4 dir8
time->Fri Oct  2 11:02:49 2020
type=PATH msg=audit(1601607769.165:6202): item=1 name=(null) inode=655363 dev=fc:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1601607769.165:6202): item=0 name="/bin/mkdir" inode=786483 dev=fc:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1601607769.165:6202):  cwd="/home/zhuohua"
type=EXECVE msg=audit(1601607769.165:6202): argc=3 a0="mkdir" a1="-p" a2="dir8"
type=SYSCALL msg=audit(1601607769.165:6202): arch=c000003e syscall=59 success=yes exit=0 a0=a3bd90 a1=a43c00 a2=a45f20 a3=7ffd47936310 items=2 ppid=21539 pid=22757 auid=0 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503 sgid=503 fsgid=503 tty=pts1 ses=8 comm="mkdir" exe="/bin/mkdir" key="exec"
----
time->Fri Oct  2 11:02:51 2020
type=PATH msg=audit(1601607771.102:6210): item=1 name=(null) inode=655363 dev=fc:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL

注释:grep -C4 显示关键字所在行,以及其前后各4行。






/var/log/audit/audit.log 是可以删除的(注意:auditd 运行时持有该文件,直接 rm 后磁盘空间要等服务重启才会释放;审计日志是安全事件追溯的依据,生产环境应先归档备份,或用 service auditd rotate 做轮转,而不是直接删除):

[root@iZj6c1a39n0ss415rjbuoqZ ~]# du -sh /var/log/audit/audit.log      
212K    /var/log/audit/audit.log
[root@iZj6c1a39n0ss415rjbuoqZ ~]#
[root@iZj6c1a39n0ss415rjbuoqZ ~]# rm -rf /var/log/audit/audit.log
[root@iZj6c1a39n0ss415rjbuoqZ ~]#
[root@iZj6c1a39n0ss415rjbuoqZ ~]# du -sh /var/log/audit/audit.log  
du: cannot access `/var/log/audit/audit.log': No such file or directory

[root@iZj6c1a39n0ss415rjbuoqZ ~]# service auditd restart
Stopping auditd:                                           [  OK  ]
Starting auditd:                                           [  OK  ]

[root@iZj6c1a39n0ss415rjbuoqZ ~]# du -sh /var/log/audit/audit.log  
16K     /var/log/audit/audit.log







