15.5 日志服务器设置过程
- 使用“@IP:端口”或“@@IP:端口”的格式可以把日志发送到远程主机上。可以解决:管理几十台服务器,每天的重要工作就是查看这些服务器的日志,可是每台服务器单独登录,并且查看日志非常烦琐,可以把几十台服务器的日志集中到一台日志服务器上,这样每天只要登录这台日志服务器,就可以查看所有服务器的日志,要方便得多。
- 如何实现日志服务器的功能呢?我们首先需要分清服务器端和客户端。假设服务器端的服务器 IP 地址是 192.168.0.210,主机名是 localhost.localdomain;客户端的服务器 IP 地址是 192.168.0.211,主机名是 www1。我们现在要做的是把 192.168.0.211 的日志保存在 192.168.0.210 这台服务器上。测试过程如下:
#服务器端设定(192.168.0.210):
[root@CncLucZK ~]# vi /etc/rsyslog.conf
…省略部分输出…
#加载TCP摸块,允许使用TCP的514编口接收采用TCP协议转发的日志
# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
#取消这两句话的注释,允许服务器使用TCP 514端口接收日志
…省略部分输出…
[root@CncLucZK ~]# service rsyslog restart
#重启rsyslog日志服务
[root@CncLucZK ~]# netstat -tlun | grep 514
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN
#查看514端口已经打开
#客户端设置(192.168.0.211):
[root@www ~]# vi /etc/rsyslog.conf
#修改日志服务配置文件
*.* @@192.168.0.210:514
#把所有日志采用TCP协议发送到192.168.0.210的514端口上
[root@www ~]# service rsyslog restart
#重启日志服务
- 这样日志服务器和客户端就搭建完成了,以后 192.168.0.211 这台客户机上所产生的所有日志都会记录到 192.168.0.210 上。比如:
#在客户机上(192.168.0.211)
[root@www ~]# useradd zk
#添加zk用户提示符的主机名是www)
#在服务器(192.168.0.210)上
[root@CncLucZK ~]# vi /var/log/secure
#査看服务器的secure日志(注意:主机名是CncLucZK)
Aug 8 23:00:57 www sshd【1408]: Server listening on 0.0.0.0 port 22.
Aug 8 23:00:57 www sshd[1408]: Server listening on :: port 22.
Aug 8 23:01:58 www sshd[1630]: Accepted password for root from 192.168.0.101 port 7036 ssh2
Aug 8 23:01:58 www sshd[1630]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 8 23:03:03 www useradd[1654]: new group: name=zk, GID-505
Aug 8 23:03:03 www useradd[1654]: new user: name=zk, UXD=505, GID=505,
home=/home/zk, shell=/bin/bash
Aug 8 23:03:09 www passwd: pam_unix(passwd:chauthtok): password changed for zk
#注意:查看到的日志内容的主机名是www,说明我们虽然查看的是服务器的日志文件,但是在其中可以看到客户机的日志内容
15.8 日志分析工具(logwatch)安装及使用
- 日志是非常重要的系统文件,管理员每天的重要工作就是分析和查看服务器的日志,判断服务器的健康状态。但是进行手工日志管理又是一项非常枯燥的工作,所以会利用日志分析工具。这些日志分析工具会详细地查看日志,同时分析这些日志,并且把分析的结果通过邮件的方式发送给 root 用户。这样,我们每天只要查看日志分析工具的邮件,就可以知道服务器的基本情况,而不用挨个检查日志了。这样系统管理员就可以从繁重的日常工作中解脱出来,去处理更加重要的工作。
- 在 CentOS 中自带了一个日志分析工具,就是 logwatch。不过这个工具默认没有安装(因为我们选择的是“Basic Server”),所以需要手工安装。安装命令如下:
[root@CncLucZK httpd]# yum -y install logwatch
...
Installed:
logwatch-7.4.3-11.el8.noarch mailx-12.5-29.el8.x86_64
perl-Date-Manip-6.60-2.el8.noarch perl-Sys-CPU-0.61-14.el8.x86_64
perl-Sys-MemInfo-0.99-6.el8.x86_64
- 安装完成之后,需要手工生成 logwatch 的配置文件。默认配置文件是 /etc/logwatch/conf/logwatch.conf,不过这个配置文件是空的,需要把模板配置文件复制过来。命令如下:
[root@CncLucZK httpd]# cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/logwatch.conf
cp: overwrite '/etc/logwatch/conf/logwatch.conf'? y
#查看配置文件
[root@CncLucZK httpd]# cat /etc/logwatch/conf/logwatch.conf
...
# this is in the format of <name> = <value>. Whitespace at the beginning
# and end of the lines is removed. Whitespace before and after the = sign
# is removed. Everything is case *insensitive*.
# Yes = True = On = 1
# No = False = Off = 0
# Default Log Directory
# All log-files are assumed to be given relative to this directory.
LogDir = /var/log #logwatch会分析和统计/var/log/中的日志
# You can override the default temp directory (/tmp) here
TmpDir = /var/cache/logwatch #指定logwatch的临时目录
#Output/Format Options
#By default Logwatch will print to stdout in text with no encoding.
#To make email Default set Output = mail to save to file set Output = file
Output = stdout
#To make Html the default formatting Format = html
Format = text
#To make Base64 [aka uuencode] Encode = base64
Encode = none
# Default person to mail reports to. Can be a local account or a
# complete email address. Variable Output should be set to mail, or
# --output mail should be passed on command line to enable mail feature.
MailTo = root #日志的分析结果,给root用户发送邮件
# WHen using option --multiemail, it is possible to specify a different
# email recipient per host processed. For example, to send the report
# for hostname host1 to user@example.com, use:
#Mailto_host1 = user@example.com
# Multiple recipients can be specified by separating them with a space.
# Default person to mail reports from. Can be a local account or a
# complete email address.
MailFrom = Logwatch
# if set, the results will be saved in <filename> instead of mailed
# or displayed. Be sure to set Output = file also.
#Filename = /tmp/logwatch #邮件的发送者是Logwatch,在接收邮件时显示
#Save = /tmp/logwatch
#如果开启这一项,日志分析就不会发送邮件,而是保存在/tmp/logwatch文件中
# Use archives? If set to 'Yes', the archives of logfiles
# (i.e. /var/log/messages.1 or /var/log/messages.1.gz) will
# be searched in addition to the /var/log/messages file.
# This usually will not do much if your range is set to just
# 'Yesterday' or 'Today'... it is probably best used with
# By default this is now set to Yes. To turn off Archives uncomment this.
#Archives = No #日志文件是否存档,默认情况下,该选项设置为“是”。要关闭“存档”,请取消注释此项。
# Range = All
# The default time range for the report...
# The current choices are All, Today, Yesterday
Range = yesterday #分析哪天的日志。可以识别“All”“Today”“Yesterday”,用来分析“所有日志”“今天日志”“昨天日志”
# The default detail level for the report.
# This can either be Low, Med, High or a number.
# Low = 0
# Med = 5
# High = 10
Detail = Low #日志的详细程度。可以识别“Low”“Med”“High”。也可以用数字表示,范围为0~10,“0”代表最不详细,“10”代表最详细
# The 'Service' option expects either the name of a filter
# (in /usr/share/logwatch/scripts/services/*) or 'All'.
# The default service(s) to report on. This should be left as All for
# most people.
Service = All #分析和监控所有日志
# You can also disable certain services (when specifying all)
#但是不监控“-zz-network”服务的日志。“-服务名”表示不分析和监控此服务的日志
Service = "-zz-network" # Prevents execution of zz-network service, which
# prints useful network configuration info.
Service = "-zz-sys" # Prevents execution of zz-sys service, which
# prints useful system configuration info.
Service = "-eximstats" # Prevents execution of eximstats service, which
# is a wrapper for the eximstats program.
# If you only cared about FTP messages, you could use these 2 lines
# instead of the above:
#Service = ftpd-messages # Processes ftpd messages in /var/log/messages
#Service = ftpd-xferlog # Processes ftpd messages in /var/log/xferlog
# Maybe you only wanted reports on PAM messages, then you would use:
#Service = pam_pwdb # PAM_pwdb messages - usually quite a bit
#Service = pam # General PAM messages... usually not many
# You can also choose to use the 'LogFile' option. This will cause
# logwatch to only analyze that one logfile.. for example:
#LogFile = messages
# will process /var/log/messages. This will run all the filters that
# process that logfile. This option is probably not too useful to
# most people. Setting 'Service' to 'All' above analyzes all LogFiles
# anyways...
#
# By default we assume that all Unix systems have sendmail or a sendmail-like MTA.
# The mailer code prints a header with To: From: and Subject:.
# At this point you can change the mailer to anything that can handle this output
# stream.
# TODO test variables in the mailer string to see if the To/From/Subject can be set
# From here with out breaking anything. This would allow mail/mailx/nail etc..... -mgt
mailer = "/usr/sbin/sendmail -t"
#
# With this option set to a comma separted list of hostnames, only log entries
# for these particular hosts will be processed. This can allow a log host to
# process only its own logs, or Logwatch can be run once per a set of hosts
# included in the logfiles.
# Example: HostLimit = hosta,hostb,myhost
#
# The default is to report on all log entries, regardless of its source host.
# Note that some logfiles do not include host information and will not be
# influenced by this setting.
#
#HostLimit = myhost
# vi: shiftwidth=3 tabstop=3 et
- 这个配置文件基本不需要修改(实验时把 Range 项改为了 All,否则一会儿的实验可以分析的日志过少),它就会默认每天执行。每天执行是 crond 服务的作用,logwatch 一旦安装,就会在 /etc/cron.daily/ 目录中建立“0logwatch”文件,用于在每天定时执行 logwatch 命令,分析和监控相关日志。
[root@CncLucZK httpd]# ll /etc/cron.daily
total 8
-rwxr-xr-x 1 root root 434 May 8 2021 0logwatch
-rwxr-xr-x. 1 root root 189 Jan 4 2018 logrotate
- 想要让这个日志分析马上执行,则只需执行 logrotate 命令即可。命令如下:
[root@CncLucZK httpd]# logwatch
################### Logwatch 7.4.3 (04/27/16) ####################
Processing Initiated: Sun Oct 30 23:02:28 2022
Date Range Processed: yesterday
( 2022-Oct-29 )
Period is day.
Detail Level of Output: 0
Type of Output/Format: stdout / text
Logfiles for Host: CncLucZK
##################################################################
--------------------- httpd Begin ------------------------
Connection attempts using mod_proxy:
212.224.88.178 -> google.com:443: 1 Time(s)
89.248.165.52 -> 85.206.160.115:80: 1 Time(s)
89.248.165.52 -> hotmail-com.olc.protection.outlook.com:25: 1 Time(s)
A total of 11 sites probed the server
123.56.155.157
138.197.219.196
178.159.37.113
205.210.31.2
62.233.50.175
66.240.205.34
68.183.8.82
89.248.163.132
89.248.163.167
89.248.165.52
92.255.85.183
Requests with error response codes
400 Bad Request
null: 12 Time(s)
*: 1 Time(s)
/: 1 Time(s)
X\xd4>\x12\x98\xc4<\xe0\x13\xcf: 1 Time(s)
default.asp: 1 Time(s)
403 Forbidden
/: 39 Time(s)
/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: 1 Time(s)
/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: 1 Time(s)
http://passport.baidu.com/: 1 Time(s)
404 Not Found
/: 4 Time(s)
/boaform/admin/formLogin: 4 Time(s)
/favicon.ico: 4 Time(s)
/.env: 3 Time(s)
...
/start.jsa: 1 Time(s)
/start.jsp: 1 Time(s)
http://www.qq.com/404/search_children.js: 1 Time(s)
405 Method Not Allowed
85.206.160.115:80: 1 Time(s)
google.com:443: 1 Time(s)
hotmail-com.olc.protection.outlook.com:25: 1 Time(s)
408 Request Timeout
null: 5 Time(s)
---------------------- httpd End -------------------------
--------------------- pam_unix Begin ------------------------
systemd-user:
Unknown Entries:
session opened for user root by (uid=0): 192 Time(s)
session closed for user root: 76 Time(s)
---------------------- pam_unix End -------------------------
#分析SSHD的日志。可以知道哪些IP地址连接过服务器
--------------------- SSHD Begin ------------------------
Illegal users from:
20.78.70.5: 9 times
34.90.223.166 (166.223.90.34.bc.googleusercontent.com): 6 times
35.237.33.195 (195.33.237.35.bc.googleusercontent.com): 21 times
36.90.149.125: 70 times
...
193.142.146.35: 2 times
204.48.16.71: 24 times
Users logging in through sshd:
root:
110.19.110.72: 2 times
110.19.110.50: 1 time
**Unmatched Entries**
Connection reset by authenticating user root 120.195.180.186 port 49648 [preauth] : 1 time(s)
Connection reset by authenticating user root 120.195.180.186 port 62395 [preauth] : 1 time(s)
...
error: maximum authentication attempts exceeded for invalid user ftpuser from 89.109.32.143 port 8884 ssh2 [preauth] : 1 time(s)
Disconnecting invalid user usuario 89.109.32.143 port 2282: Too many authentication failures [preauth] : 1 time(s)
Connection reset by authenticating user root 120.195.180.186 port 55708 [preauth] : 1 time(s)
error: maximum authentication attempts exceeded for admin from 89.109.32.143 port 61258 ssh2 [preauth] : 1 time(s)
Unable to negotiate with 123.56.155.157 port 53120: no matching host key type found. Their offer: ecdsa-sha2-nistp521 [preauth] : 1 time(s)
...
---------------------- SSHD End -------------------------
--------------------- Systemd Begin ------------------------
**Unmatched Entries**
Closed D-Bus User Message Bus Socket.: 192 Time(s)
Configuration file /usr/lib/systemd/system/qcloud-srv.service is marked executable. Please remove executable permission bits. Proceeding anyway.: 1 Time(s)
user-runtime-dir@0.service: Unit not needed anymore. Stopping.: 522 Time(s)
user@0.service: Killing process 1956033 (systemctl) with signal SIGKILL.: 1 Time(s)
user@0.service: Killing process 1958181 (systemctl) with signal SIGKILL.: 1 Time(s)
...
user@0.service: Killing process 2100486 (systemctl) with signal SIGKILL.: 1 Time(s)
---------------------- Systemd End -------------------------
#统计磁盘空间情况
--------------------- Disk Space Begin ------------------------
Filesystem Size Used Avail Use% Mounted on
devtmpfs 902M 0 902M 0% /dev
/dev/vda1 50G 8.7G 39G 19% /
---------------------- Disk Space End -------------------------
###################### Logwatch End #########################
- 有了这个日志分析工具,日志管理工作就会轻松很多。当然,在 Linux 中可以支持很多日志分析工具,我们在这里只介绍了 CentOS 自带的 logwatch,大家可以根据自己的习惯选择相应的日志分析工具。
参考文献:
Linux日志分析工具(logwatch)安装及使用