
Title: Log files

Author: admin    Time: 2020-1-17 12:21     Title: Log files

Find .log files larger than 10MB (find recurses into subdirectories):

[root@iZj6c1a39n0ss415rjbuoqZ ~]# find / -size +10M -a -name "*.log"
/var/log/cloud-init.log
/var/log/udcenter.log
/tmp/jnLogGlobal.log

Show the size of each file found:

[root@iZj6c1a39n0ss415rjbuoqZ ~]# find / -size +10M -a -name "*.log" | xargs du -sh
11M /var/log/cloud-init.log
11M /var/log/udcenter.log
14M /tmp/jnLogGlobal.log
[root@iZj6c1a39n0ss415rjbuoqZ ~]# find / -size +10M -a -name "*.log" -exec du -sh {} \;
11M /var/log/cloud-init.log
11M /var/log/udcenter.log
14M /tmp/jnLogGlobal.log

Sort by size (smallest first):

[root@iZj6c1a39n0ss415rjbuoqZ ~]# find / -size +10M -a -name "*.log" | xargs du -sh |sort -h
11M /var/log/cloud-init.log
11M /var/log/udcenter.log
14M /tmp/jnLogGlobal.log
[root@iZj6c1a39n0ss415rjbuoqZ ~]# find / -size +10M -a -name "*.log" -exec du -sh {} \; |sort -h
11M /var/log/cloud-init.log
11M /var/log/udcenter.log
14M /tmp/jnLogGlobal.log

Install the compression and decompression tools (zip format):

yum -y install zip
yum -y install unzip
[root@iZj6c1a39n0ss415rjbuoqZ ~]# which zip
/usr/bin/zip
[root@iZj6c1a39n0ss415rjbuoqZ ~]# which unzip
/usr/bin/unzip

Compress the log files (best to cd into the directory that holds the log file first, so the archive stores only the file name rather than its full path):

[root@iZj6c1a39n0ss415rjbuoqZ ~]# cd /var/log
[root@iZj6c1a39n0ss415rjbuoqZ log]# zip -r /home/backup/cloud-init.zip cloud-init.log
adding: cloud-init.log (deflated 90%)
[root@iZj6c1a39n0ss415rjbuoqZ log]# zip -r /home/backup/udcenter.zip udcenter.log
adding: udcenter.log (deflated 96%)
[root@iZj6c1a39n0ss415rjbuoqZ log]# cd /tmp
[root@iZj6c1a39n0ss415rjbuoqZ tmp]# zip -r /home/backup/jnLogGlobal.zip jnLogGlobal.log
adding: jnLogGlobal.log (deflated 96%)

After compression the original log files keep their size:

[root@iZj6c1a39n0ss415rjbuoqZ ~]# find / -size +10M -a -name "*.log" -exec du -sh {} \;
11M /var/log/cloud-init.log
11M /var/log/udcenter.log
14M /tmp/jnLogGlobal.log

The compressed files are much smaller than the originals:

[root@iZj6c1a39n0ss415rjbuoqZ ~]# du -ah /home/backup/*.zip
1000K /home/backup/cloud-init.zip
532K /home/backup/jnLogGlobal.zip
392K /home/backup/udcenter.zip

Sorted by size (smallest first):

[root@iZj6c1a39n0ss415rjbuoqZ ~]# du -ah /home/backup/*.zip |sort -h
392K /home/backup/udcenter.zip
532K /home/backup/jnLogGlobal.zip
1000K /home/backup/cloud-init.zip

Empty the specified log files:

[root@iZj6c1a39n0ss415rjbuoqZ ~]# echo > /var/log/cloud-init.log
[root@iZj6c1a39n0ss415rjbuoqZ ~]# echo > /var/log/udcenter.log
[root@iZj6c1a39n0ss415rjbuoqZ ~]# echo > /tmp/jnLogGlobal.log
[root@iZj6c1a39n0ss415rjbuoqZ ~]#
[root@iZj6c1a39n0ss415rjbuoqZ ~]# find / -size +10M -a -name "*.log" -exec du -sh {} \;
[root@iZj6c1a39n0ss415rjbuoqZ ~]#

Unpack the archived log files:

[root@iZj6c1a39n0ss415rjbuoqZ ~]# cd /home/backup/
[root@iZj6c1a39n0ss415rjbuoqZ backup]#
[root@iZj6c1a39n0ss415rjbuoqZ backup]# unzip cloud-init.zip
Archive: cloud-init.zip
inflating: cloud-init.log
[root@iZj6c1a39n0ss415rjbuoqZ backup]# unzip jnLogGlobal.zip
Archive: jnLogGlobal.zip
inflating: jnLogGlobal.log
[root@iZj6c1a39n0ss415rjbuoqZ backup]# unzip udcenter.zip
Archive: udcenter.zip
inflating: udcenter.log
[root@iZj6c1a39n0ss415rjbuoqZ backup]# pwd
/home/backup
[root@iZj6c1a39n0ss415rjbuoqZ backup]# ls -lh *.log
-rw-r--r-- 1 root root 11M Oct 2 02:08 cloud-init.log
-rw------- 1 root root 14M Oct 2 10:01 jnLogGlobal.log
-rw------- 1 root root 11M Oct 2 09:56 udcenter.log
[root@iZj6c1a39n0ss415rjbuoqZ ~]# find / -size +10M -a -name "*.log" -exec du -sh {} \;
11M /home/backup/cloud-init.log
14M /home/backup/jnLogGlobal.log
11M /home/backup/udcenter.log
[root@iZj6c1a39n0ss415rjbuoqZ ~]# find / -size +10M -a -name "*.log" | xargs du -sh
11M /home/backup/cloud-init.log
14M /home/backup/jnLogGlobal.log
11M /home/backup/udcenter.log

######

The rsyslog service is enabled by default; it records all system log messages in /var/log/messages. System logs are kept permanently, so this is the file to read when diagnosing a fault.

[root@iZj6c1a39n0ss415rjbuoqZ ~]# chkconfig --list rsyslog
rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@iZj6c1a39n0ss415rjbuoqZ ~]# du -sh /var/log/messages
180K /var/log/messages
[root@iZj6c1a39n0ss415rjbuoqZ ~]# tail /var/log/messages
Oct 2 02:08:29 iZj6c1a39n0ss415rjbuoqZ kernel: piix4_smbus 0000:00:01.3: SMBus Host Controller at 0x700, revision 0
Oct 2 02:08:29 iZj6c1a39n0ss415rjbuoqZ kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Oct 2 02:08:29 iZj6c1a39n0ss415rjbuoqZ kernel: nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
Oct 2 02:08:29 iZj6c1a39n0ss415rjbuoqZ kernel: IPv6: Loaded, but administratively disabled, reboot required to enable
Oct 2 02:08:29 iZj6c1a39n0ss415rjbuoqZ kernel: type=1305 audit(1601575709.332:3): audit_pid=969 old=0 auid=4294967295 ses=4294967295 res=1
Oct 2 02:08:29 iZj6c1a39n0ss415rjbuoqZ irqbalance: Balancing is ineffective on systems with a single cpu. Shutting down
Oct 2 02:08:42 iZj6c1a39n0ss415rjbuoqZ ntpd[2055]: ntpd 4.2.6p5@1.2349-o Wed Dec 19 20:22:34 UTC 2018 (1)
Oct 2 02:08:42 iZj6c1a39n0ss415rjbuoqZ ntpd[2056]: proto: precision = 0.157 usec
Oct 2 02:08:42 iZj6c1a39n0ss415rjbuoqZ ntpd[2056]: 0.0.0.0 c01d 0d kern kernel time sync enabled
Oct 2 02:08:42 iZj6c1a39n0ss415rjbuoqZ ntpd[2056]: restrict: error in address '::' on line 10. Ignoring...

Each line has the following fields, in order:
1. Date and time of the event
2. Host the event came from
3. Program that produced the event [process id]
4. The log message itself

/var/log/messages can be emptied:

[root@iZj6c1a39n0ss415rjbuoqZ ~]# echo > /var/log/messages
[root@iZj6c1a39n0ss415rjbuoqZ ~]#
[root@iZj6c1a39n0ss415rjbuoqZ ~]# tail /var/log/messages
[root@iZj6c1a39n0ss415rjbuoqZ ~]#
[root@iZj6c1a39n0ss415rjbuoqZ ~]# du -sh /var/log/messages
4.0K /var/log/messages
[root@iZj6c1a39n0ss415rjbuoqZ ~]# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
[root@iZj6c1a39n0ss415rjbuoqZ ~]# cat /var/log/messages
Oct 2 11:14:45 iZj6c1a39n0ss415rjbuoqZ kernel: Kernel logging (proc) stopped.
Oct 2 11:14:45 iZj6c1a39n0ss415rjbuoqZ rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1003" x-info="http://www.rsyslog.com"] exiting on signal 15.
Oct 2 11:14:45 iZj6c1a39n0ss415rjbuoqZ kernel: imklog 5.8.10, log source = /proc/kmsg started.
Oct 2 11:14:45 iZj6c1a39n0ss415rjbuoqZ rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="26175" x-info="http://www.rsyslog.com"] start

######

Audit configuration

The audit service is enabled by default and records every user's login information:

[root@iZj6c1a39n0ss415rjbuoqZ ~]# chkconfig --list auditd
auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@iZj6c1a39n0ss415rjbuoqZ ~]# du -sh /var/log/audit/audit.log
784K /var/log/audit/audit.log
[root@iZj6c1a39n0ss415rjbuoqZ ~]# tail /var/log/audit/audit.log
type=LOGIN msg=audit(1601604061.048:158): pid=5556 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=9
type=USER_START msg=audit(1601604061.048:159): user pid=5556 uid=0 auid=0 ses=9 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1601604061.062:160): user pid=5556 uid=0 auid=0 ses=9 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1601604061.062:161): user pid=5556 uid=0 auid=0 ses=9 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_START msg=audit(1601605433.074:162): user pid=11935 uid=0 auid=0 ses=8 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=183.38.13.148 addr=183.38.13.148 terminal=/dev/pts/1 res=success'
type=CRYPTO_KEY_USER msg=audit(1601605433.074:163): user pid=11935 uid=0 auid=0 ses=8 msg='op=destroy kind=server fp=66:b6:65:94:a7:cc:a2:1a:01:a7:47:09:f9:93:31:8b direction=? spid=11935 suid=0 exe="/usr/sbin/sshd" hostname=? addr=183.38.13.148 terminal=pts/1 res=success'
type=CRYPTO_KEY_USER msg=audit(1601605433.074:164): user pid=11935 uid=0 auid=0 ses=8 msg='op=destroy kind=server fp=ed:fa:ce:e4:15:c7:1d:37:a2:bf:dd:3d:10:f4:54:67 direction=? spid=11935 suid=0 exe="/usr/sbin/sshd" hostname=? addr=183.38.13.148 terminal=pts/1 res=success'
type=CRED_REFR msg=audit(1601605433.075:165): user pid=11935 uid=0 auid=0 ses=8 msg='op=PAM:setcred acct="root" exe="/usr/sbin/sshd" hostname=183.38.13.148 addr=183.38.13.148 terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1601605606.729:166): user pid=12691 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=66:b6:65:94:a7:cc:a2:1a:01:a7:47:09:f9:93:31:8b direction=? spid=12691 suid=0 exe="/usr/sbin/sshd" hostname=? addr=47.97.16.6 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1601605606.729:167): user pid=12691 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=ed:fa:ce:e4:15:c7:1d:37:a2:bf:dd:3d:10:f4:54:67 direction=? spid=12691 suid=0 exe="/usr/sbin/sshd" hostname=? addr=47.97.16.6 terminal=? res=success'

Add the following rules to /etc/audit/audit.rules to record every user's logins, every operation, and the commands run from shell scripts:

[root@iZj6c1a39n0ss415rjbuoqZ ~]# vi /etc/audit/audit.rules

Append:

-a exit,always -F arch=b64 -S execve -k exec
-a exit,always -F arch=b32 -S execve -k exec

Confirm the rules:

[root@iZj6c1a39n0ss415rjbuoqZ ~]# cat /etc/audit/audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page
-a exit,always -F arch=b64 -S execve -k exec
-a exit,always -F arch=b32 -S execve -k exec

Apply the new rules:

[root@iZj6c1a39n0ss415rjbuoqZ ~]# service auditd restart
Stopping auditd: [ OK ]
Starting auditd: [ OK ]

Once the new rules are active, use ausearch -k exec to list the recorded user operations:

[root@iZj6c1a39n0ss415rjbuoqZ ~]# touch 88.txt
[root@iZj6c1a39n0ss415rjbuoqZ ~]# ausearch -k exec &> 8.txt

Note: writing the records to a text file makes them easier to search.

[root@iZj6c1a39n0ss415rjbuoqZ ~]# cat 8.txt |grep -B4 88.txt
time->Fri Oct 2 10:49:40 2020
type=PATH msg=audit(1601606980.033:2234): item=1 name=(null) inode=655363 dev=fc:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1601606980.033:2234): item=0 name="/bin/touch" inode=786497 dev=fc:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1601606980.033:2234): cwd="/root"
type=EXECVE msg=audit(1601606980.033:2234): argc=2 a0="touch" a1="88.txt"

Note: grep -B4 prints the matching line and the 4 lines before it.

[root@iZj6c1a39n0ss415rjbuoqZ ~]# cat 8.txt |grep -A1 88.txt
type=EXECVE msg=audit(1601606980.033:2234): argc=2 a0="touch" a1="88.txt"
type=SYSCALL msg=audit(1601606980.033:2234): arch=c000003e syscall=59 success=yes exit=0 a0=f61b30 a1=f3a6e0 a2=f41f10 a3=7fffb6882d70 items=2 ppid=11935 pid=19080 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=8 comm="touch" exe="/bin/touch" key="exec"

Note: grep -A1 prints the matching line and the 1 line after it.

[root@iZj6c1a39n0ss415rjbuoqZ ~]# su - zhuohua
[zhuohua@iZj6c1a39n0ss415rjbuoqZ ~]$
[zhuohua@iZj6c1a39n0ss415rjbuoqZ ~]$ mkdir -p dir8
[root@iZj6c1a39n0ss415rjbuoqZ ~]# ausearch -k exec &> 6.txt
[root@iZj6c1a39n0ss415rjbuoqZ ~]# cat 6.txt |grep -C4 dir8
time->Fri Oct 2 11:02:49 2020
type=PATH msg=audit(1601607769.165:6202): item=1 name=(null) inode=655363 dev=fc:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1601607769.165:6202): item=0 name="/bin/mkdir" inode=786483 dev=fc:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1601607769.165:6202): cwd="/home/zhuohua"
type=EXECVE msg=audit(1601607769.165:6202): argc=3 a0="mkdir" a1="-p" a2="dir8"
type=SYSCALL msg=audit(1601607769.165:6202): arch=c000003e syscall=59 success=yes exit=0 a0=a3bd90 a1=a43c00 a2=a45f20 a3=7ffd47936310 items=2 ppid=21539 pid=22757 auid=0 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503 sgid=503 fsgid=503 tty=pts1 ses=8 comm="mkdir" exe="/bin/mkdir" key="exec"
----
time->Fri Oct 2 11:02:51 2020
type=PATH msg=audit(1601607771.102:6210): item=1 name=(null) inode=655363 dev=fc:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL

Note: grep -C4 prints the matching line and the 4 lines before and after it.

/var/log/audit/audit.log can be deleted:

[root@iZj6c1a39n0ss415rjbuoqZ ~]# du -sh /var/log/audit/audit.log
212K /var/log/audit/audit.log
[root@iZj6c1a39n0ss415rjbuoqZ ~]#
[root@iZj6c1a39n0ss415rjbuoqZ ~]# rm -rf /var/log/audit/audit.log
[root@iZj6c1a39n0ss415rjbuoqZ ~]#
[root@iZj6c1a39n0ss415rjbuoqZ ~]# du -sh /var/log/audit/audit.log
du: cannot access `/var/log/audit/audit.log': No such file or directory
[root@iZj6c1a39n0ss415rjbuoqZ ~]# service auditd restart
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
[root@iZj6c1a39n0ss415rjbuoqZ ~]# du -sh /var/log/audit/audit.log
16K /var/log/audit/audit.log
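The find / zip / empty-the-file procedure from the first part of the post, as one added Python script (not code from the original post); it uses Python's zipfile module in place of the zip package, verifies each archive before emptying the original, and truncates in place rather than deleting, so a daemon that holds the file open keeps writing to the same inode. Function names, the symlink check and the name-collision handling are my additions.

```python
import os
import zipfile
from pathlib import Path

def find_large_logs(root, min_bytes, pattern="*.log"):
    """Recursive equivalent of `find ROOT -size +N -a -name "*.log"`, returned
    smallest first (like `| sort -h`). Symlinks are skipped so a link dropped
    in a world-writable place like /tmp cannot point us at another file."""
    hits = []
    for p in Path(root).rglob(pattern):
        if p.is_file() and not p.is_symlink():
            size = p.stat().st_size
            if size > min_bytes:
                hits.append((p, size))
    return sorted(hits, key=lambda t: t[1])

def archive_and_truncate(root, min_bytes, backup_dir):
    """For every oversized log: zip it into BACKUP_DIR (member is the bare file
    name, as `cd DIR && zip x.zip x.log` gives), verify the archive, then empty
    the original in place. Truncating keeps the inode, so a daemon with the
    file open keeps logging; `rm` leaves it writing to an unlinked inode until
    a restart, which is why the post's audit.log only reappears after one."""
    backup = Path(backup_dir)
    backup.mkdir(parents=True, exist_ok=True)
    done = []
    for path, size in find_large_logs(root, min_bytes):
        zpath = backup / f"{path.stem}.zip"
        n = 1
        while zpath.exists():            # same stem in two dirs: don't overwrite
            n += 1
            zpath = backup / f"{path.stem}-{n}.zip"
        with zipfile.ZipFile(zpath, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.write(path, arcname=path.name)
        with zipfile.ZipFile(zpath) as zf:
            if zf.testzip() is not None:  # CRC check before destroying data
                raise RuntimeError(f"{zpath} is corrupt; {path} left untouched")
        os.truncate(path, 0)              # like `echo > file`, minus the newline
        done.append((str(path), size, str(zpath)))
    return done
```

Run it as archive_and_truncate("/", 10 * 1024 * 1024, "/home/backup") to reproduce the post's 10MB threshold and backup directory.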

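Joining the SYSCALL, EXECVE and CWD records that share one event serial into a single summary, which the grep -B4 / -A1 / -C4 steps in the audit section do by hand, as an added Python example (not from the original post). The sample is constructed from the post's own touch and mkdir events with one argument replaced by a hex-encoded value; auditd's hex encoding of arguments containing spaces, and auid being the uid of the original login (which is why zhuohua's mkdir shows auid=0 next to uid=503), are standard auditd behaviour, and the function names are mine.

```python
import re
from collections import defaultdict

FIELD = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")
SERIAL = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")

def parse_record(line):
    """One audit.log line -> dict (quotes stripped). An unquoted hex a<N> value
    in an EXECVE record is decoded: auditd hex-encodes args with spaces or
    non-printable bytes. SYSCALL a0..a3 are pointers and are left as-is."""
    rec, rtype = {}, None
    for key, val in FIELD.findall(line):
        rtype = val if key == "type" else rtype
        if val[0] in "\"'":
            val = val[1:-1]
        elif (rtype == "EXECVE" and re.fullmatch(r"a\d+", key)
              and re.fullmatch(r"(?:[0-9A-F]{2})+", val)):
            val = bytes.fromhex(val).decode("utf-8", "replace")
        rec[key] = val
    m = SERIAL.search(line)
    rec["_serial"] = int(m.group(1)) if m else None
    return rec

def exec_events(lines):
    """Group records by serial and summarise each execve caught by `-k exec`."""
    events = defaultdict(dict)
    for line in lines:
        rec = parse_record(line)
        if rec["_serial"] is not None:       # drops "----" and "time->" lines
            events[rec["_serial"]][rec.get("type")] = rec
    out = []
    for serial, recs in sorted(events.items()):
        sc, ex = recs.get("SYSCALL"), recs.get("EXECVE")
        if sc and ex and sc.get("key") == "exec":
            out.append({"serial": serial, "auid": int(sc["auid"]),
                        "uid": int(sc["uid"]), "ses": sc["ses"], "exe": sc["exe"],
                        "cwd": recs.get("CWD", {}).get("cwd"),
                        "argv": [ex.get(f"a{i}", "") for i in range(int(ex["argc"]))]})
    return out

# Constructed sample in the post's format: its touch and mkdir events, SYSCALL
# lines shortened, and the mkdir argument swapped for a hex-encoded one.
SAMPLE = """\
type=CWD msg=audit(1601606980.033:2234): cwd="/root"
type=EXECVE msg=audit(1601606980.033:2234): argc=2 a0="touch" a1="88.txt"
type=SYSCALL msg=audit(1601606980.033:2234): arch=c000003e syscall=59 success=yes exit=0 a0=f61b30 ppid=11935 pid=19080 auid=0 uid=0 gid=0 tty=pts1 ses=8 comm="touch" exe="/bin/touch" key="exec"
type=CWD msg=audit(1601607769.165:6202): cwd="/home/zhuohua"
type=EXECVE msg=audit(1601607769.165:6202): argc=3 a0="mkdir" a1="-p" a2=6469722077697468207370616365
type=SYSCALL msg=audit(1601607769.165:6202): arch=c000003e syscall=59 success=yes exit=0 a0=a3bd90 ppid=21539 pid=22757 auid=0 uid=503 gid=503 tty=pts1 ses=8 comm="mkdir" exe="/bin/mkdir" key="exec"
""".splitlines()
```

Feed it the output of ausearch -k exec (or audit.log itself) line by line; an auid that differs from the uid is the login session a command should be attributed to.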






Welcome to blog.zhuohua.store (http://blog.zhuohua.store/) Powered by Discuz! 7.2