当前位置: 首页 > 工具软件 > Logwatch > 使用案例 >

Linux学习-67-日志服务器设置和日志分析工具(logwatch)安装及使用

傅星光
2023-12-01

15.5 日志服务器设置过程

  • 使用“@IP:端口”或“@@IP:端口”的格式可以把日志发送到远程主机上。可以解决:管理几十台服务器,每天的重要工作就是查看这些服务器的日志,可是每台服务器单独登录,并且查看日志非常烦琐,可以把几十台服务器的日志集中到一台日志服务器上,这样每天只要登录这台日志服务器,就可以查看所有服务器的日志,要方便得多。
  • 如何实现日志服务器的功能呢?我们首先需要分清服务器端和客户端。假设服务器端的服务器 IP 地址是 192.168.0.210,主机名是 localhost.localdomain;客户端的服务器 IP 地址是 192.168.0.211,主机名是 www1。我们现在要做的是把 192.168.0.211 的日志保存在 192.168.0.210 这台服务器上。测试过程如下:
#服务器端设定(192.168.0.210):
[root@CncLucZK ~]# vi /etc/rsyslog.conf
…省略部分输出…

#加载TCP摸块,允许使用TCP的514编口接收采用TCP协议转发的日志
# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
#取消这两句话的注释,允许服务器使用TCP 514端口接收日志

…省略部分输出…
[root@CncLucZK ~]# service rsyslog restart
#重启rsyslog日志服务
[root@CncLucZK ~]# netstat -tlun | grep 514
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN
#查看514端口已经打开
#客户端设置(192.168.0.211):
[root@www ~]# vi /etc/rsyslog.conf
#修改日志服务配置文件
*.* @@192.168.0.210:514
#把所有日志采用TCP协议发送到192.168.0.210的514端口上
[root@www ~]# service rsyslog restart
#重启日志服务
  • 这样日志服务器和客户端就搭建完成了,以后 192.168.0.211 这台客户机上所产生的所有日志都会记录到 192.168.0.210 上。比如:
#在客户机上(192.168.0.211)
[root@www ~]# useradd zk
#添加zk用户提示符的主机名是www)
#在服务器(192.168.0.210)上
[root@CncLucZK ~]# vi /var/log/secure
#査看服务器的secure日志(注意:主机名是CncLucZK)
Aug 8 23:00:57 www sshd【1408]: Server listening on 0.0.0.0 port 22.
Aug 8 23:00:57 www sshd[1408]: Server listening on :: port 22.
Aug 8 23:01:58 www sshd[1630]: Accepted password for root from 192.168.0.101 port 7036 ssh2
Aug 8 23:01:58 www sshd[1630]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 8 23:03:03 www useradd[1654]: new group: name=zk, GID-505
Aug 8 23:03:03 www useradd[1654]: new user: name=zk, UXD=505, GID=505,
home=/home/zk, shell=/bin/bash
Aug 8 23:03:09 www passwd: pam_unix(passwd:chauthtok): password changed for zk
#注意:查看到的日志内容的主机名是www,说明我们虽然查看的是服务器的日志文件,但是在其中可以看到客户机的日志内容

需要注意的是,日志服务是通过主机名来区别不同的服务器的。所以,如果我们配置了日志服务,则需要给所有的服务器分配不同的主机名。

15.8 日志分析工具(logwatch)安装及使用

  • 日志是非常重要的系统文件,管理员每天的重要工作就是分析和查看服务器的日志,判断服务器的健康状态。但是进行手工日志管理又是一项非常枯燥的工作,所以会利用日志分析工具。这些日志分析工具会详细地查看日志,同时分析这些日志,并且把分析的结果通过邮件的方式发送给 root 用户。这样,我们每天只要查看日志分析工具的邮件,就可以知道服务器的基本情况,而不用挨个检查日志了。这样系统管理员就可以从繁重的日常工作中解脱出来,去处理更加重要的工作。
  • 在 CentOS 中自带了一个日志分析工具,就是 logwatch。不过这个工具默认没有安装(因为我们选择的是“Basic Server”),所以需要手工安装。安装命令如下:
[root@CncLucZK httpd]# yum -y install logwatch
...
Installed:
  logwatch-7.4.3-11.el8.noarch                     mailx-12.5-29.el8.x86_64                     
  perl-Date-Manip-6.60-2.el8.noarch                perl-Sys-CPU-0.61-14.el8.x86_64              
  perl-Sys-MemInfo-0.99-6.el8.x86_64    
  • 安装完成之后,需要手工生成 logwatch 的配置文件。默认配置文件是 /etc/logwatch/conf/logwatch.conf,不过这个配置文件是空的,需要把模板配置文件复制过来。命令如下:
[root@CncLucZK httpd]# cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/logwatch.conf
cp: overwrite '/etc/logwatch/conf/logwatch.conf'? y
#查看配置文件
[root@CncLucZK httpd]# cat /etc/logwatch/conf/logwatch.conf
...
# this is in the format of <name> = <value>.  Whitespace at the beginning
# and end of the lines is removed.  Whitespace before and after the = sign
# is removed.  Everything is case *insensitive*.

# Yes = True  = On  = 1
# No  = False = Off = 0

# Default Log Directory
# All log-files are assumed to be given relative to this directory.
LogDir = /var/log											#logwatch会分析和统计/var/log/中的日志

# You can override the default temp directory (/tmp) here
TmpDir = /var/cache/logwatch								#指定logwatch的临时目录

#Output/Format Options
#By default Logwatch will print to stdout in text with no encoding.
#To make email Default set Output = mail to save to file set Output = file
Output = stdout
#To make Html the default formatting Format = html
Format = text
#To make Base64 [aka uuencode] Encode = base64
Encode = none

# Default person to mail reports to.  Can be a local account or a
# complete email address.  Variable Output should be set to mail, or
# --output mail should be passed on command line to enable mail feature.
MailTo = root												#日志的分析结果,给root用户发送邮件
# WHen using option --multiemail, it is possible to specify a different
# email recipient per host processed.  For example, to send the report
# for hostname host1 to user@example.com, use:
#Mailto_host1 = user@example.com
# Multiple recipients can be specified by separating them with a space.

# Default person to mail reports from.  Can be a local account or a
# complete email address.
MailFrom = Logwatch

# if set, the results will be saved in <filename> instead of mailed
# or displayed. Be sure to set Output = file also.
#Filename = /tmp/logwatch									#邮件的发送者是Logwatch,在接收邮件时显示

#Save = /tmp/logwatch
#如果开启这一项,日志分析就不会发送邮件,而是保存在/tmp/logwatch文件中

# Use archives?  If set to 'Yes', the archives of logfiles
# (i.e. /var/log/messages.1 or /var/log/messages.1.gz) will
# be searched in addition to the /var/log/messages file.
# This usually will not do much if your range is set to just
# 'Yesterday' or 'Today'... it is probably best used with
# By default this is now set to Yes. To turn off Archives uncomment this.
#Archives = No												#日志文件是否存档,默认情况下,该选项设置为“是”。要关闭“存档”,请取消注释此项。
# Range = All

# The default time range for the report...
# The current choices are All, Today, Yesterday
Range = yesterday											#分析哪天的日志。可以识别“All”“Today”“Yesterday”,用来分析“所有日志”“今天日志”“昨天日志”

# The default detail level for the report.
# This can either be Low, Med, High or a number.
# Low = 0
# Med = 5
# High = 10
Detail = Low												#日志的详细程度。可以识别“Low”“Med”“High”。也可以用数字表示,范围为0~10,“0”代表最不详细,“10”代表最详细


# The 'Service' option expects either the name of a filter
# (in /usr/share/logwatch/scripts/services/*) or 'All'.
# The default service(s) to report on.  This should be left as All for
# most people.
Service = All												#分析和监控所有日志
# You can also disable certain services (when specifying all)

#但是不监控“-zz-network”服务的日志。“-服务名”表示不分析和监控此服务的日志
Service = "-zz-network"     # Prevents execution of zz-network service, which
                            # prints useful network configuration info.
Service = "-zz-sys"         # Prevents execution of zz-sys service, which		
                            # prints useful system configuration info.
Service = "-eximstats"      # Prevents execution of eximstats service, which
                            # is a wrapper for the eximstats program.
# If you only cared about FTP messages, you could use these 2 lines
# instead of the above:
#Service = ftpd-messages   # Processes ftpd messages in /var/log/messages
#Service = ftpd-xferlog    # Processes ftpd messages in /var/log/xferlog
# Maybe you only wanted reports on PAM messages, then you would use:
#Service = pam_pwdb        # PAM_pwdb messages - usually quite a bit
#Service = pam             # General PAM messages... usually not many

# You can also choose to use the 'LogFile' option.  This will cause
# logwatch to only analyze that one logfile.. for example:
#LogFile = messages
# will process /var/log/messages.  This will run all the filters that
# process that logfile.  This option is probably not too useful to
# most people.  Setting 'Service' to 'All' above analyzes all LogFiles
# anyways...

#
# By default we assume that all Unix systems have sendmail or a sendmail-like MTA.
# The mailer code prints a header with To: From: and Subject:.
# At this point you can change the mailer to anything that can handle this output
# stream.
# TODO test variables in the mailer string to see if the To/From/Subject can be set
# From here with out breaking anything. This would allow mail/mailx/nail etc..... -mgt
mailer = "/usr/sbin/sendmail -t"

#
# With this option set to a comma separted list of hostnames, only log entries
# for these particular hosts will be processed.  This can allow a log host to
# process only its own logs, or Logwatch can be run once per a set of hosts
# included in the logfiles.
# Example: HostLimit = hosta,hostb,myhost
#
# The default is to report on all log entries, regardless of its source host.
# Note that some logfiles do not include host information and will not be
# influenced by this setting.
#
#HostLimit = myhost

# vi: shiftwidth=3 tabstop=3 et

  • 这个配置文件基本不需要修改(实验时把 Range 项改为了 All,否则一会儿的实验可以分析的日志过少),它就会默认每天执行。每天执行是 crond 服务的作用,logwatch 一旦安装,就会在 /etc/cron.daily/ 目录中建立“0logwatch”文件,用于在每天定时执行 logwatch 命令,分析和监控相关日志。
[root@CncLucZK httpd]# ll /etc/cron.daily
total 8
-rwxr-xr-x  1 root root 434 May  8  2021 0logwatch
-rwxr-xr-x. 1 root root 189 Jan  4  2018 logrotate

  • 想要让这个日志分析马上执行,则只需执行 logrotate 命令即可。命令如下:
[root@CncLucZK httpd]# logwatch 
 ################### Logwatch 7.4.3 (04/27/16) #################### 
        Processing Initiated: Sun Oct 30 23:02:28 2022
        Date Range Processed: yesterday
                              ( 2022-Oct-29 )
                              Period is day.
        Detail Level of Output: 0
        Type of Output/Format: stdout / text
        Logfiles for Host: CncLucZK
 ################################################################## 
 
 --------------------- httpd Begin ------------------------ 

 Connection attempts using mod_proxy:
    212.224.88.178 -> google.com:443: 1 Time(s)
    89.248.165.52 -> 85.206.160.115:80: 1 Time(s)
    89.248.165.52 -> hotmail-com.olc.protection.outlook.com:25: 1 Time(s)
 
 A total of 11 sites probed the server 
    123.56.155.157
    138.197.219.196
    178.159.37.113
    205.210.31.2
    62.233.50.175
    66.240.205.34
    68.183.8.82
    89.248.163.132
    89.248.163.167
    89.248.165.52
    92.255.85.183
 
 Requests with error response codes
    400 Bad Request
       null: 12 Time(s)
       *: 1 Time(s)
       /: 1 Time(s)
       X\xd4>\x12\x98\xc4<\xe0\x13\xcf: 1 Time(s)
       default.asp: 1 Time(s)
    403 Forbidden
       /: 39 Time(s)
       /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: 1 Time(s)
       /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: 1 Time(s)
       http://passport.baidu.com/: 1 Time(s)
    404 Not Found
       /: 4 Time(s)
       /boaform/admin/formLogin: 4 Time(s)
       /favicon.ico: 4 Time(s)
       /.env: 3 Time(s)
     	...
       /start.jsa: 1 Time(s)
       /start.jsp: 1 Time(s)
       http://www.qq.com/404/search_children.js: 1 Time(s)
    405 Method Not Allowed
       85.206.160.115:80: 1 Time(s)
       google.com:443: 1 Time(s)
       hotmail-com.olc.protection.outlook.com:25: 1 Time(s)
    408 Request Timeout
       null: 5 Time(s)
 
 ---------------------- httpd End ------------------------- 

 
 --------------------- pam_unix Begin ------------------------ 

 systemd-user:
    Unknown Entries:
       session opened for user root by (uid=0): 192 Time(s)
       session closed for user root: 76 Time(s)
 
 
 ---------------------- pam_unix End ------------------------- 

 #分析SSHD的日志。可以知道哪些IP地址连接过服务器
 --------------------- SSHD Begin ------------------------ 

 
 Illegal users from:
    20.78.70.5: 9 times
    34.90.223.166 (166.223.90.34.bc.googleusercontent.com): 6 times
    35.237.33.195 (195.33.237.35.bc.googleusercontent.com): 21 times
    36.90.149.125: 70 times
    ...
    193.142.146.35: 2 times
    204.48.16.71: 24 times
 
 Users logging in through sshd:
    root:
       110.19.110.72: 2 times
       110.19.110.50: 1 time
 
 **Unmatched Entries**
 Connection reset by authenticating user root 120.195.180.186 port 49648 [preauth] : 1 time(s)
 Connection reset by authenticating user root 120.195.180.186 port 62395 [preauth] : 1 time(s)
...
 error: maximum authentication attempts exceeded for invalid user ftpuser from 89.109.32.143 port 8884 ssh2 [preauth] : 1 time(s)
 Disconnecting invalid user usuario 89.109.32.143 port 2282: Too many authentication failures [preauth] : 1 time(s)
 Connection reset by authenticating user root 120.195.180.186 port 55708 [preauth] : 1 time(s)
 error: maximum authentication attempts exceeded for admin from 89.109.32.143 port 61258 ssh2 [preauth] : 1 time(s)
 Unable to negotiate with 123.56.155.157 port 53120: no matching host key type found. Their offer: ecdsa-sha2-nistp521 [preauth] : 1 time(s)
 ...
 
 ---------------------- SSHD End ------------------------- 

 
 --------------------- Systemd Begin ------------------------ 

 
 
 **Unmatched Entries**
    Closed D-Bus User Message Bus Socket.: 192 Time(s)
    Configuration file /usr/lib/systemd/system/qcloud-srv.service is marked executable. Please remove executable permission bits. Proceeding anyway.: 1 Time(s)
    user-runtime-dir@0.service: Unit not needed anymore. Stopping.: 522 Time(s)
    user@0.service: Killing process 1956033 (systemctl) with signal SIGKILL.: 1 Time(s)
    user@0.service: Killing process 1958181 (systemctl) with signal SIGKILL.: 1 Time(s)
   ...
    user@0.service: Killing process 2100486 (systemctl) with signal SIGKILL.: 1 Time(s)
 
 ---------------------- Systemd End ------------------------- 

 #统计磁盘空间情况
 --------------------- Disk Space Begin ------------------------ 

 Filesystem      Size  Used Avail Use% Mounted on
 devtmpfs        902M     0  902M   0% /dev
 /dev/vda1        50G  8.7G   39G  19% /
 
 
 ---------------------- Disk Space End ------------------------- 

 
 ###################### Logwatch End ######################### 

  • 有了这个日志分析工具,日志管理工作就会轻松很多。当然,在 Linux 中可以支持很多日志分析工具,我们在这里只介绍了 CentOS 自带的 logwatch,大家可以根据自己的习惯选择相应的日志分析工具。

参考文献:
Linux日志分析工具(logwatch)安装及使用

下一篇:Linux学习-68-日志转储logrotate命令(logrotate配置文件)

 类似资料: