Linux学习67日志服务器设置和日志分析工具（logwatch）安装及使用

15.5 日志服务器设置过程

• 使用“&＃64;IP&＃xff1a;端口”或“&＃64;&＃64;IP&＃xff1a;端口”的格式可以把日志发送到远程主机上。可以解决&＃xff1a;管理几十台服务器&＃xff0c;每天的重要工作就是查看这些服务器的日志&＃xff0c;可是每台服务器单独登录&＃xff0c;并且查看日志非常烦琐&＃xff0c;可以把几十台服务器的日志集中到一台日志服务器上&＃xff0c;这样每天只要登录这台日志服务器&＃xff0c;就可以查看所有服务器的日志&＃xff0c;要方便得多。
• 如何实现日志服务器的功能呢&＃xff1f;我们首先需要分清服务器端和客户端。假设服务器端的服务器 IP 地址是 192.168.0.210&＃xff0c;主机名是 localhost.localdomain&＃xff1b;客户端的服务器 IP 地址是 192.168.0.211&＃xff0c;主机名是 www1。我们现在要做的是把 192.168.0.211 的日志保存在 192.168.0.210 这台服务器上。测试过程如下&＃xff1a;

#服务器端设定&＃xff08;192.168.0.210&＃xff09;&＃xff1a;
[root&＃64;CncLucZK ~]# vi /etc/rsyslog.conf
…省略部分输出…
#加载TCP摸块,允许使用TCP的514编口接收采用TCP协议转发的日志
# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load&＃61;"imtcp") # needs to be done just once
input(type&＃61;"imtcp" port&＃61;"514")
#取消这两句话的注释&＃xff0c;允许服务器使用TCP 514端口接收日志
…省略部分输出…
[root&＃64;CncLucZK ~]# service rsyslog restart
#重启rsyslog日志服务
[root&＃64;CncLucZK ~]# netstat -tlun | grep 514
tcp 0 0 0.0.0.0&＃xff1a;514 0.0.0.0&＃xff1a;* LISTEN
#查看514端口已经打开
#客户端设置&＃xff08;192.168.0.211&＃xff09;&＃xff1a;
[root&＃64;www ~]# vi /etc/rsyslog.conf
#修改日志服务配置文件
*.* &＃64;&＃64;192.168.0.210&＃xff1a;514
#把所有日志采用TCP协议发送到192.168.0.210的514端口上
[root&＃64;www ~]# service rsyslog restart
#重启日志服务


• 这样日志服务器和客户端就搭建完成了&＃xff0c;以后 192.168.0.211 这台客户机上所产生的所有日志都会记录到 192.168.0.210 上。比如&＃xff1a;

#在客户机上(192.168.0.211)
[root&＃64;www ~]# useradd zk
#添加zk用户提示符的主机名是www)
#在服务器(192.168.0.210)上
[root&＃64;CncLucZK ~]# vi /var/log/secure
#査看服务器的secure日志(注意:主机名是CncLucZK)
Aug 8 23:00:57 www sshd【1408]: Server listening on 0.0.0.0 port 22.
Aug 8 23:00:57 www sshd[1408]: Server listening on :: port 22.
Aug 8 23:01:58 www sshd[1630]: Accepted password for root from 192.168.0.101 port 7036 ssh2
Aug 8 23:01:58 www sshd[1630]: pam_unix(sshd:session): session opened for user root by (uid&＃61;0)
Aug 8 23:03:03 www useradd[1654]: new group: name&＃61;zk, GID-505
Aug 8 23:03:03 www useradd[1654]: new user: name&＃61;zk, UXD&＃61;505, GID&＃61;505,
home&＃61;/home/zk, shell&＃61;/bin/bash
Aug 8 23:03:09 www passwd: pam_unix(passwd:chauthtok): password changed for zk
#注意&＃xff1a;查看到的日志内容的主机名是www&＃xff0c;说明我们虽然查看的是服务器的日志文件&＃xff0c;但是在其中可以看到客户机的日志内容


需要注意的是&＃xff0c;日志服务是通过主机名来区别不同的服务器的。所以&＃xff0c;如果我们配置了日志服务&＃xff0c;则需要给所有的服务器分配不同的主机名。

15.8 日志分析工具&＃xff08;logwatch&＃xff09;安装及使用

• 日志是非常重要的系统文件&＃xff0c;管理员每天的重要工作就是分析和查看服务器的日志&＃xff0c;判断服务器的健康状态。但是进行手工日志管理又是一项非常枯燥的工作&＃xff0c;所以会利用日志分析工具。这些日志分析工具会详细地查看日志&＃xff0c;同时分析这些日志&＃xff0c;并且把分析的结果通过邮件的方式发送给 root 用户。这样&＃xff0c;我们每天只要查看日志分析工具的邮件&＃xff0c;就可以知道服务器的基本情况&＃xff0c;而不用挨个检查日志了。这样系统管理员就可以从繁重的日常工作中解脱出来&＃xff0c;去处理更加重要的工作。
• 在 CentOS 中自带了一个日志分析工具&＃xff0c;就是 logwatch。不过这个工具默认没有安装&＃xff08;因为我们选择的是“Basic Server”&＃xff09;&＃xff0c;所以需要手工安装。安装命令如下&＃xff1a;

[root&＃64;CncLucZK httpd]# yum -y install logwatch
...
Installed:
logwatch-7.4.3-11.el8.noarch mailx-12.5-29.el8.x86_64
perl-Date-Manip-6.60-2.el8.noarch perl-Sys-CPU-0.61-14.el8.x86_64
perl-Sys-MemInfo-0.99-6.el8.x86_64


• 安装完成之后&＃xff0c;需要手工生成 logwatch 的配置文件。默认配置文件是 /etc/logwatch/conf/logwatch.conf&＃xff0c;不过这个配置文件是空的&＃xff0c;需要把模板配置文件复制过来。命令如下&＃xff1a;

[root&＃64;CncLucZK httpd]# cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/logwatch.conf
cp: overwrite &＃39;/etc/logwatch/conf/logwatch.conf&＃39;? y
#查看配置文件
[root&＃64;CncLucZK httpd]# cat /etc/logwatch/conf/logwatch.conf
...
# this is in the format of &＃61; . Whitespace at the beginning
# and end of the lines is removed. Whitespace before and after the &＃61; sign
# is removed. Everything is case *insensitive*.
# Yes &＃61; True &＃61; On &＃61; 1
# No &＃61; False &＃61; Off &＃61; 0
# Default Log Directory
# All log-files are assumed to be given relative to this directory.
LogDir &＃61; /var/log #logwatch会分析和统计/var/log/中的日志
# You can override the default temp directory (/tmp) here
TmpDir &＃61; /var/cache/logwatch #指定logwatch的临时目录
#Output/Format Options
#By default Logwatch will print to stdout in text with no encoding.
#To make email Default set Output &＃61; mail to save to file set Output &＃61; file
Output &＃61; stdout
#To make Html the default formatting Format &＃61; html
Format &＃61; text
#To make Base64 [aka uuencode] Encode &＃61; base64
Encode &＃61; none
# Default person to mail reports to. Can be a local account or a
# complete email address. Variable Output should be set to mail, or
# --output mail should be passed on command line to enable mail feature.
MailTo &＃61; root #日志的分析结果&＃xff0c;给root用户发送邮件
# WHen using option --multiemail, it is possible to specify a different
# email recipient per host processed. For example, to send the report
# for hostname host1 to user&＃64;example.com, use:
#Mailto_host1 &＃61; user&＃64;example.com
# Multiple recipients can be specified by separating them with a space.
# Default person to mail reports from. Can be a local account or a
# complete email address.
MailFrom &＃61; Logwatch
# if set, the results will be saved in instead of mailed
# or displayed. Be sure to set Output &＃61; file also.
#Filename &＃61; /tmp/logwatch #邮件的发送者是Logwatch&＃xff0c;在接收邮件时显示
#Save &＃61; /tmp/logwatch
#如果开启这一项&＃xff0c;日志分析就不会发送邮件&＃xff0c;而是保存在/tmp/logwatch文件中
# Use archives? If set to &＃39;Yes&＃39;, the archives of logfiles
# (i.e. /var/log/messages.1 or /var/log/messages.1.gz) will
# be searched in addition to the /var/log/messages file.
# This usually will not do much if your range is set to just
# &＃39;Yesterday&＃39; or &＃39;Today&＃39;... it is probably best used with
# By default this is now set to Yes. To turn off Archives uncomment this.
#Archives &＃61; No #日志文件是否存档&＃xff0c;默认情况下&＃xff0c;该选项设置为“是”。要关闭“存档”&＃xff0c;请取消注释此项。
# Range &＃61; All
# The default time range for the report...
# The current choices are All, Today, Yesterday
Range &＃61; yesterday #分析哪天的日志。可以识别“All”“Today”“Yesterday”&＃xff0c;用来分析“所有日志”“今天日志”“昨天日志”
# The default detail level for the report.
# This can either be Low, Med, High or a number.
# Low &＃61; 0
# Med &＃61; 5
# High &＃61; 10
Detail &＃61; Low #日志的详细程度。可以识别“Low”“Med”“High”。也可以用数字表示&＃xff0c;范围为0&＃xff5e;10&＃xff0c;“0”代表最不详细&＃xff0c;“10”代表最详细
# The &＃39;Service&＃39; option expects either the name of a filter
# (in /usr/share/logwatch/scripts/services/*) or &＃39;All&＃39;.
# The default service(s) to report on. This should be left as All for
# most people.
Service &＃61; All #分析和监控所有日志
# You can also disable certain services (when specifying all)
#但是不监控“-zz-network”服务的日志。“-服务名”表示不分析和监控此服务的日志
Service &＃61; "-zz-network" # Prevents execution of zz-network service, which
# prints useful network configuration info.
Service &＃61; "-zz-sys" # Prevents execution of zz-sys service, which
# prints useful system configuration info.
Service &＃61; "-eximstats" # Prevents execution of eximstats service, which
# is a wrapper for the eximstats program.
# If you only cared about FTP messages, you could use these 2 lines
# instead of the above:
#Service &＃61; ftpd-messages # Processes ftpd messages in /var/log/messages
#Service &＃61; ftpd-xferlog # Processes ftpd messages in /var/log/xferlog
# Maybe you only wanted reports on PAM messages, then you would use:
#Service &＃61; pam_pwdb # PAM_pwdb messages - usually quite a bit
#Service &＃61; pam # General PAM messages... usually not many
# You can also choose to use the &＃39;LogFile&＃39; option. This will cause
# logwatch to only analyze that one logfile.. for example:
#LogFile &＃61; messages
# will process /var/log/messages. This will run all the filters that
# process that logfile. This option is probably not too useful to
# most people. Setting &＃39;Service&＃39; to &＃39;All&＃39; above analyzes all LogFiles
# anyways...
#
# By default we assume that all Unix systems have sendmail or a sendmail-like MTA.
# The mailer code prints a header with To: From: and Subject:.
# At this point you can change the mailer to anything that can handle this output
# stream.
# TODO test variables in the mailer string to see if the To/From/Subject can be set
# From here with out breaking anything. This would allow mail/mailx/nail etc..... -mgt
mailer &＃61; "/usr/sbin/sendmail -t"
#
# With this option set to a comma separted list of hostnames, only log entries
# for these particular hosts will be processed. This can allow a log host to
# process only its own logs, or Logwatch can be run once per a set of hosts
# included in the logfiles.
# Example: HostLimit &＃61; hosta,hostb,myhost
#
# The default is to report on all log entries, regardless of its source host.
# Note that some logfiles do not include host information and will not be
# influenced by this setting.
#
#HostLimit &＃61; myhost
# vi: shiftwidth&＃61;3 tabstop&＃61;3 et


• 这个配置文件基本不需要修改&＃xff08;实验时把 Range 项改为了 All&＃xff0c;否则一会儿的实验可以分析的日志过少&＃xff09;&＃xff0c;它就会默认每天执行。每天执行是 crond 服务的作用&＃xff0c;logwatch 一旦安装&＃xff0c;就会在 /etc/cron.daily/ 目录中建立“0logwatch”文件&＃xff0c;用于在每天定时执行 logwatch 命令&＃xff0c;分析和监控相关日志。

[root&＃64;CncLucZK httpd]# ll /etc/cron.daily
total 8
-rwxr-xr-x 1 root root 434 May 8 2021 0logwatch
-rwxr-xr-x. 1 root root 189 Jan 4 2018 logrotate


• 想要让这个日志分析马上执行&＃xff0c;则只需执行 logrotate 命令即可。命令如下&＃xff1a;

[root&＃64;CncLucZK httpd]# logwatch
################### Logwatch 7.4.3 (04/27/16) ####################
Processing Initiated: Sun Oct 30 23:02:28 2022
Date Range Processed: yesterday
( 2022-Oct-29 )
Period is day.
Detail Level of Output: 0
Type of Output/Format: stdout / text
Logfiles for Host: CncLucZK
##################################################################

--------------------- httpd Begin ------------------------
Connection attempts using mod_proxy:
212.224.88.178 -> google.com:443: 1 Time(s)
89.248.165.52 -> 85.206.160.115:80: 1 Time(s)
89.248.165.52 -> hotmail-com.olc.protection.outlook.com:25: 1 Time(s)

A total of 11 sites probed the server
123.56.155.157
138.197.219.196
178.159.37.113
205.210.31.2
62.233.50.175
66.240.205.34
68.183.8.82
89.248.163.132
89.248.163.167
89.248.165.52
92.255.85.183

Requests with error response codes
400 Bad Request
null: 12 Time(s)
*: 1 Time(s)
/: 1 Time(s)
X\xd4>\x12\x98\xc4<\xe0\x13\xcf: 1 Time(s)
default.asp: 1 Time(s)
403 Forbidden
/: 39 Time(s)
/?&＃61;PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: 1 Time(s)
/?&＃61;PHPE9568F36-D428-11d2-A769-00AA001ACF42: 1 Time(s)
http://passport.baidu.com/: 1 Time(s)
404 Not Found
/: 4 Time(s)
/boaform/admin/formLogin: 4 Time(s)
/favicon.ico: 4 Time(s)
/.env: 3 Time(s)
...
/start.jsa: 1 Time(s)
/start.jsp: 1 Time(s)
http://www.qq.com/404/search_children.js: 1 Time(s)
405 Method Not Allowed
85.206.160.115:80: 1 Time(s)
google.com:443: 1 Time(s)
hotmail-com.olc.protection.outlook.com:25: 1 Time(s)
408 Request Timeout
null: 5 Time(s)

---------------------- httpd End -------------------------

--------------------- pam_unix Begin ------------------------
systemd-user:
Unknown Entries:
session opened for user root by (uid&＃61;0): 192 Time(s)
session closed for user root: 76 Time(s)


---------------------- pam_unix End -------------------------
#分析SSHD的日志。可以知道哪些IP地址连接过服务器
--------------------- SSHD Begin ------------------------

Illegal users from:
20.78.70.5: 9 times
34.90.223.166 (166.223.90.34.bc.googleusercontent.com): 6 times
35.237.33.195 (195.33.237.35.bc.googleusercontent.com): 21 times
36.90.149.125: 70 times
...
193.142.146.35: 2 times
204.48.16.71: 24 times

Users logging in through sshd:
root:
110.19.110.72: 2 times
110.19.110.50: 1 time

**Unmatched Entries**
Connection reset by authenticating user root 120.195.180.186 port 49648 [preauth] : 1 time(s)
Connection reset by authenticating user root 120.195.180.186 port 62395 [preauth] : 1 time(s)
...
error: maximum authentication attempts exceeded for invalid user ftpuser from 89.109.32.143 port 8884 ssh2 [preauth] : 1 time(s)
Disconnecting invalid user usuario 89.109.32.143 port 2282: Too many authentication failures [preauth] : 1 time(s)
Connection reset by authenticating user root 120.195.180.186 port 55708 [preauth] : 1 time(s)
error: maximum authentication attempts exceeded for admin from 89.109.32.143 port 61258 ssh2 [preauth] : 1 time(s)
Unable to negotiate with 123.56.155.157 port 53120: no matching host key type found. Their offer: ecdsa-sha2-nistp521 [preauth] : 1 time(s)
...

---------------------- SSHD End -------------------------

--------------------- Systemd Begin ------------------------


**Unmatched Entries**
Closed D-Bus User Message Bus Socket.: 192 Time(s)
Configuration file /usr/lib/systemd/system/qcloud-srv.service is marked executable. Please remove executable permission bits. Proceeding anyway.: 1 Time(s)
user-runtime-dir&＃64;0.service: Unit not needed anymore. Stopping.: 522 Time(s)
user&＃64;0.service: Killing process 1956033 (systemctl) with signal SIGKILL.: 1 Time(s)
user&＃64;0.service: Killing process 1958181 (systemctl) with signal SIGKILL.: 1 Time(s)
...
user&＃64;0.service: Killing process 2100486 (systemctl) with signal SIGKILL.: 1 Time(s)

---------------------- Systemd End -------------------------
#统计磁盘空间情况
--------------------- Disk Space Begin ------------------------
Filesystem Size Used Avail Use% Mounted on
devtmpfs 902M 0 902M 0% /dev
/dev/vda1 50G 8.7G 39G 19% /


---------------------- Disk Space End -------------------------

###################### Logwatch End #########################


• 有了这个日志分析工具&＃xff0c;日志管理工作就会轻松很多。当然&＃xff0c;在 Linux 中可以支持很多日志分析工具&＃xff0c;我们在这里只介绍了 CentOS 自带的 logwatch&＃xff0c;大家可以根据自己的习惯选择相应的日志分析工具。

参考文献:
Linux日志分析工具&＃xff08;logwatch&＃xff09;安装及使用

下一篇&＃xff1a;Linux学习-68-日志转储logrotate命令(logrotate配置文件)