10.34 linux系统日志 10.35 screen工具

liunx系统日志

内容：
• /var/log/messages
• /etc/logrotate.conf 日志切割配置文件
参考http://www.javashuo.com/article/p-tauwscem-r.html
• dmesg命令
• /var/log/dmesg 日志
• last命令，调用的文件/var/log/wtmp
• lastb命令查看登陆失败的用户，对应的文件时/var/log/btmp
• /var/log/secure /var/log/messages 系统的总日志syslog； 是作故障诊断是首要查看的日志文件，系统有一个轮回机制，每个星期切换一个日志，切换后的日志名字相似于messages-20170930，会存放在/var/log/目录下面

那系统为何有这个切割机制呢，是由于linux系统里面有个服务 logrotate ；防止系统日志无限制增大。

---

实战：

/etc/logrotate.conf 日志切割配置文件

[root@linux-128 ~]# cat /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly                            \\每周切割一次

# keep 4 weeks worth of backlogs
rotate 4                            \\保留4个， 一个月

# create new (empty) log files after rotating old ones
create				\\切割完后建立一个新文件

# use date as a suffix of the rotated file
dateext				\\后缀

# uncomment this if you want your log files compressed
#compress        		\\是否要压缩，.tar.gz

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d            \\还包含其余目录/etc/logrotate.d

# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
    monthly	
    create 0664 root utmp
	minsize 1M
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
}

# system-specific logs may be also be configured here.

咱们看下刚配置文件里面提到的/etc/logrotate.d

[root@linux-128 ~]# ls /etc/logrotate.d
chrony  ppp  syslog  wpa_supplicant  yum

查看/logrotate.d/目录下面的 syslog

[root@linux-128 ~]# cat /etc/logrotate.
logrotate.conf  logrotate.d/
[root@linux-128 ~]# cat /etc/logrotate.d/syslog
/var/log/cron    
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
    missingok
    sharedscripts
    postrotate
	/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

/var/log/messages对应的服务是syslogd，/bin/kill -HUP重启

---

dmesh命令

• 显示系统的启动信息，若是你的某个硬件有问题好比网卡，这个命令就能够查看到

• dmesh -c 清楚内容

---

安全日志

last 命令

• last 命令是来查看历史正确的登录信息，调用的文件是/var/log/wtmp，这个文件是二进制文件，不能用cat，more，less，head，tail查看

• lastd 命令是查看历史登录失败的信息，调用文件是/var/log/btmp

/var/log/secure 文件也是登录相关的日志，里面也会记录正确和失败登录信息，好比遇到暴力破解均可以看到

[root@linux-128 ~]# tail -5  /var/log/secure
Apr  4 12:51:13 linux-128 polkitd[545]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Apr  4 12:51:34 linux-128 sshd[1333]: Server listening on 0.0.0.0 port 22.
Apr  4 12:51:34 linux-128 sshd[1333]: Server listening on :: port 22.
Apr  4 12:52:56 linux-128 sshd[2737]: Accepted publickey for root from 192.168.88.1 port 49461 ssh2: RSA 96:50:9f:6b:eb:62:48:cf:ef:f2:51:6f:bc:03:9e:72
Apr  4 12:52:56 linux-128 sshd[2737]: pam_unix(sshd:session): session opened for user root by (uid=0)

实验：A机器上 用tail -f /var/log/secure 动态查看；B机器上远程连接A机器
ssh root@192.168.88.128 ；而后密码输入错误，A机器上就能查看出来

---

screen命令

内容：
• 为了避免让一个任务意外中断
• nohup command &
• screen是一个虚拟终端
• yum install -y screen
• screen直接回车就进入了虚拟终端
• ctral a组合键再按d退出虚拟终端，但不是结束
• screen -ls 查看虚拟终端列表
• screen -r id 进入指定的终端
• screen -S aming
• screen -r aming
• screen -wipe aming #删除会话

---

实战：

[root@linux-128 ~]# screen
[detached from 2863.pts-0.linux-128]
[1]+  完成                  nohup sleep 100
[root@linux-128 ~]# screen -ls
There is a screen on:
	2863.pts-0.linux-128	(Detached)
1 Socket in /var/run/screen/S-root.

[root@linux-128 ~]# screen
[detached from 2882.pts-0.linux-128]
[root@linux-128 ~]# screen -ls
There are screens on:
	2882.pts-0.linux-128	(Detached)
	2863.pts-0.linux-128	(Detached)
2 Sockets in /var/run/screen/S-root.

[root@linux-128 ~]# screen -r 2882
[detached from 2882.pts-0.linux-128]

[root@linux-128 ~]# screen -S "wuzhou"
[detached from 2917.wuzhou]
[root@linux-128 ~]# screen -ls
There are screens on:
	2917.wuzhou	(Detached)
	2900.pts-0.linux-128	(Detached)
	2882.pts-0.linux-128	(Detached)
	2863.pts-0.linux-128	(Detached)
4 Sockets in /var/run/screen/S-root.

[root@linux-128 ~]# screen -r wuzhou
[detached from 2917.wuzhou]

若是想关闭某个screen，先进入指定的screen，输入ctrl+d 或者 输入exit退出