日志轮转工具主要用于解决日志文件过大的问题,需要制定规则让文件自动保存。
auth.log
auth.log.1
auth.log.2.gz
auth.log.3.gz
auth.log.4.gz
系统日志保存rsyslog
rsyslog 能够获取系统的日志,基于配置文件定义的规则来做处理,最后可以输出到对应的文件中或者发送到远程的日志服务器.
在linux上是以服务的形式运行
这里可以看到这个服务的一些细节。
- 实际上运行的是
/usr/sbin/rsyslogd -n -iNONE - 可通过man方法查看命令用法
(base) ➜ ~ systemctl status rsyslog.service
● rsyslog.service - System Logging Service
Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2020-05-05 22:39:29 CST; 32min ago
Docs: man:rsyslogd(8)
https://www.rsyslog.com/doc/
Main PID: 1011 (rsyslogd)
Tasks: 4 (limit: 4915)
Memory: 4.4M
CGroup: /system.slice/rsyslog.service
└─1011 /usr/sbin/rsyslogd -n -iNONE
5月 05 22:39:29 darcyaf-computer systemd[1]: Starting System Logging Service...
5月 05 22:39:29 darcyaf-computer rsyslogd[1011]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.1901.0]
5月 05 22:39:29 darcyaf-computer systemd[1]: Started System Logging Service.
5月 05 22:39:29 darcyaf-computer rsyslogd[1011]: rsyslogd's groupid changed to 109
5月 05 22:39:29 darcyaf-computer rsyslogd[1011]: rsyslogd's userid changed to 104
5月 05 22:39:29 darcyaf-computer rsyslogd[1011]: [origin software="rsyslogd" swVersion="8.1901.0" x-pid="1011" x-info="https://www.rsyslog.com"] start
继续man,可以看到配置文件主要是/etc/rsyslog.conf
引入了imuxsock和imklog分别用来处理本地系统日志和内核日志信息流。
在/etc/rsyslog.d/50-default.conf中,主要监控了授权,邮件,内核日志。
监控的规则由selector.action的格式组成,也可以配置发送到专门的日志服务器.
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
#daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
#lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
#user.* -/var/log/user.log
这里也定义了.指向的是/var/log/syslog这个目录
logger --priority info hello world 这样就会将日志打印到以上的目录中去了.
:~# cat /var/log/syslog |grep hello
May 6 17:35:53 iZbp14iz399actlm root: hello world
logrotate
这里将所有的文件输出到某个文件,当文件愈来愈大怎么处理,这时就要靠logrotate了
logrotate是以cronjob的方式来运行的 /etc/cron.daily/logrotate,每天运行一次
cat /var/lib/logrotate/status这个文件记录了每个需要rotate的文件的当前状态
logrotate state -- version 2
"/var/log/nginx/error.log" 2020-5-6-6:25:1
"/var/log/syslog" 2020-5-6-6:25:1
"/var/log/dpkg.log" 2020-5-1-6:25:1
"/var/log/unattended-upgrades/unattended-upgrades.log" 2020-5-6-6:0:0
"/var/log/unattended-upgrades/unattended-upgrades-shutdown.log" 2020-3-29-6:0:0
"/var/log/auth.log" 2020-5-4-6:25:1
"/var/log/apt/term.log" 2020-5-1-6:25:1
"/var/log/php7.3-fpm.log" 2020-5-3-6:25:1
"/var/log/apt/history.log" 2020-5-1-6:25:1
"/var/log/mysql/error.log" 2020-5-6-6:25:1
rotate 7指保存近7天的日志
compress是做压缩处理
daily每日做一次rotate
cat /etc/logrotate.d/rsyslog
/var/log/syslog
rotate 7
daily
missingok
notifempty
delaycompress
compress
postrotate
/usr/lib/rsyslog/rsyslog-rotate
endscript
}
/var/log/mail.info
cat /etc/logrotate.conf
默认定义了日志会每周会做一次rotate
# see "man logrotate" for details
# rotate log files weekly
weekly
# use the syslog group by default, since this is the owning group
# of /var/log/syslog.
su root syslog
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
#compress
总结
至此差不多了,
我参考了其他博客,由于es等的出现,rsyslog使用可能少了,但是如果需要监控像ssh等系统日志等还是用的这个传到日志服务器等,最后再传到elk.
如果需要添加自定义的rotate,直接在/etc/logrotate.d/目录下添加即可.
