/var/log/user.log
What is the scope of this log file? Does it relate only to the currently logged-in user, or to multiple users, and which ones?
What does this log file contain, and when should I look at it?
So, I'm using tail -F (or tail --follow=filename). Now, it works as advertised: when a rollover happens, it moves to the new file.
That's great and helps me follow my logs. The problem is that I want to know when tail moves from the old file to the new one.
Here is the situation:
I have a huge log file that takes 15 minutes to process. Now suppose that at minute 5 a rollover happens. Tail opens the file descriptor and uses it to finish tailing, then moves on to the new one.
Now, I keep a history of the last file and line recorded. I do this by incrementing a line count per process (it's a multi-process program, but what else can I do?).
The problem is that after the rollover the new file starts at line 0, but my line_number has already been incremented to 5 million. So for this new file containing 100 log lines I store the line number as 5,000,100.
I use a watchdog to find out when the file rolls over so I can reset the line number to 0, but if the rollover happens during the initial run, e.g. at the 5-minute mark of a 15-minute run, I still end up with a 3mil+ number.
Since line_number is used to resume from where I left off in case the program terminates unexpectedly, this could mean data loss.
Note: I'm running this from python (CPython).
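The follower below is an added example and not code from the post. It does in Python what tail -F does by name, but it also knows when it has switched files: it compares the (device, inode) pair of its open descriptor against the path on every poll, drains the old descriptor before switching, and resets the per-file line counter only at that moment. A same-inode shrink (the copytruncate style of rotation) is treated as a rotation too. The scenario in demo() uses a constructed temporary file; the class name and the poll() API are this example's own.

```python
import os
import tempfile


class RotationAwareTail:
    """Follow a log file by name (the way tail -F does) and restart the per-file
    line counter whenever the name starts pointing at a different inode, or the
    same inode shrinks below the offset already read (copytruncate rotation).

    The old descriptor is drained before switching, so lines written to the old
    file between the rotation and the next poll are not lost.
    """

    def __init__(self, path):
        self.path = path
        self.fh = None
        self.ident = None        # (st_dev, st_ino) of the inode currently being read
        self.line_number = 0     # complete lines consumed from the current inode
        self.rotations = 0

    def _open(self):
        self.fh = open(self.path, "rb")
        st = os.fstat(self.fh.fileno())
        self.ident = (st.st_dev, st.st_ino)
        self.line_number = 0     # a fresh inode starts counting from zero again

    def _rotated(self):
        """True when the path now names another inode, or ours was truncated."""
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return False         # renamed away but not recreated yet: keep draining
        if (st.st_dev, st.st_ino) != self.ident:
            return True
        return st.st_size < self.fh.tell()

    def _drain(self):
        """Yield (line_number, text) for every complete line available now."""
        while True:
            pos = self.fh.tell()
            line = self.fh.readline()
            if not line:
                return
            if not line.endswith(b"\n"):
                self.fh.seek(pos)   # writer is mid-line; pick it up on the next poll
                return
            self.line_number += 1
            yield self.line_number, line.rstrip(b"\r\n").decode("utf-8", "replace")

    def poll(self):
        """One tail -F iteration: drain the current file, then follow a rotation."""
        if self.fh is None:
            self._open()
        yield from self._drain()
        if self._rotated():
            self.fh.close()
            self.rotations += 1
            self._open()
            yield from self._drain()


def demo():
    """Constructed scenario: three lines, a rename rotation, two lines in the new
    file, then a copytruncate-style rewrite of that same inode."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.log")
        with open(path, "w") as f:
            f.write("a\nb\nc\n")
        t = RotationAwareTail(path)
        first = list(t.poll())

        os.rename(path, path + ".1")          # rotation by rename (new inode)
        with open(path, "w") as f:
            f.write("d\ne\n")
        second = list(t.poll())

        with open(path, "w") as f:            # same inode, size drops below our offset
            f.write("f\n")
        third = list(t.poll())
        t.fh.close()
        return first, second, third, t.rotations
```

In a real follower you would call poll() in a loop with a short sleep. For crash-safe resumption, persist the (st_dev, st_ino, byte offset) triple rather than a bare line count: a line number alone cannot tell "line 100 of the old file" from "line 100 of the new one", which is exactly the ambiguity described above. The size-based check for copytruncate has an inherent hole: if the writer refills the file past the saved offset before the next poll, the truncation is invisible, which is one reason rotation by rename is preferable when you control the rotator.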
I had always assumed that journalctl was the comprehensive aggregator of system logs, but I found that isn't the case.
For example, dmesg provides system logging before systemd is fully active and gives a more precise view of hardware state and processes.
Are there other standard or useful system logging tools that knowledgeable sysadmins use on Linux?
I have a log folder /var/USER/mylogs with a log file per day named in the format "DATE-mylogfile.log". The date format is "%d-%m-%Y".
So in my folder I have the following log files:
12-01-2024-mylogfile.log
13-01-2024-mylogfile.log
14.01-2024-mylogfile.log
...
Now I want to use logrotate to rotate the logs. My test configuration looks like this:
/var/USER/mylogs/*.log {
weekly
rotate 4
compress
missingok
dateext
dateformat -%d-%m-%Y
}
But when logrotate runs, it creates a gz archive for every single log file, e.g.:
12.01-2024-mylogfile.log-12-03-2024.gz
13.01-2024-mylogfile.log-13-03-2024.gz
14.01-2024-mylogfile.log-14-03-2024.gz
But I want logrotate to create one gz archive per week that contains all the individual log files of that week, so that there is only one gz archive, like this:
mylogfile.log-14-03-2024.gz
But I'm stuck - so is this possible? How can I do it?
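logrotate rotates and compresses each matched file on its own; it has no directive that merges several distinct files into one archive, and gzip is a single-stream compressor, so a multi-file weekly archive needs tar. The script below is an added example (not from the post and not part of logrotate) of the separate step that does this, meant to run from cron or from a logrotate lastaction hook: it groups the daily files by ISO week and packs every week that is already over into one tar.gz named after the week's last day. It assumes the "%d-%m-%Y-mylogfile.log" naming from the post; the files in demo() are constructed.

```python
import datetime as dt
import os
import re
import tarfile
import tempfile
from collections import defaultdict

# Name pattern from the post: "%d-%m-%Y-mylogfile.log".
NAME_RE = re.compile(r"^(\d{2})-(\d{2})-(\d{4})-mylogfile\.log$")


def parse_name(name):
    """Return the date encoded in a daily log file name, or None if it does not match."""
    m = NAME_RE.match(name)
    if not m:
        return None
    day, month, year = (int(x) for x in m.groups())
    try:
        return dt.date(year, month, day)
    except ValueError:            # e.g. 31-02-2024: skip rather than crash
        return None


def bundle_completed_weeks(directory, today):
    """Group daily files by ISO week and pack every week that is already over
    into one tar.gz named after the week's last day. Originals are removed only
    after the archive has been written and closed. Returns the archives created."""
    by_week = defaultdict(list)
    for name in os.listdir(directory):
        date = parse_name(name)
        if date is not None:
            iso = date.isocalendar()
            by_week[(iso[0], iso[1])].append((date, name))

    current_week = tuple(today.isocalendar()[:2])
    created = []
    for week, items in sorted(by_week.items()):
        if week >= current_week:
            continue                          # week still in progress: leave it alone
        items.sort()
        last_day = items[-1][0]
        archive = os.path.join(directory, f"mylogfile.log-{last_day:%d-%m-%Y}.tar.gz")
        with tarfile.open(archive, "w:gz") as tar:
            for _, name in items:
                tar.add(os.path.join(directory, name), arcname=name)
        for _, name in items:
            os.remove(os.path.join(directory, name))
        created.append(os.path.basename(archive))
    return created


def demo():
    """Constructed scenario: three files from ISO week 2 of 2024, one from week 3,
    and an unrelated file, run on Tuesday 16-01-2024 (week 3)."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("12-01-2024-mylogfile.log", "13-01-2024-mylogfile.log",
                     "14-01-2024-mylogfile.log", "15-01-2024-mylogfile.log",
                     "notes.txt"):
            with open(os.path.join(d, name), "w") as f:
                f.write(f"sample line from {name}\n")
        created = bundle_completed_weeks(d, dt.date(2024, 1, 16))
        remaining = sorted(os.listdir(d))
        with tarfile.open(os.path.join(d, created[0])) as tar:
            members = sorted(tar.getnames())
        return created, remaining, members
```

If you keep the logrotate rule from the post alongside this, make sure the two do not fight over the same files: either let logrotate's weekly rotation call this script from lastaction on the rotated names, or drop the per-file compress and let the script own the archive step. Deleting originals only after tarfile has closed the archive is what keeps a crash mid-run from losing a week's data.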
Note: logging is disabled, but the notices still appear!
I want a clean log that shows only the errors from my Docker container, but nginx just floods the command line with noise even though I disabled everything. Is there any elegant way (e.g. not using grep as the entrypoint) to disable these notices?
I'm already using the NGINX_ENTRYPOINT_QUIET_LOGS=1 environment variable, the -q argument, and disabling the error log completely (that's not the end goal, just for testing).
$ docker run -e "NGINX_ENTRYPOINT_QUIET_LOGS=1" nginx:alpine "nginx" "-q" "-g" "daemon off; error_log /dev/null emerg;"
2024/02/15 09:38:02 [notice] 1#1: using the "epoll" event method
2024/02/15 09:38:02 [notice] 1#1: nginx/1.25.4
2024/02/15 09:38:02 [notice] 1#1: built by gcc 12.2.1 20220924 (Alpine 12.2.1_git20220924-r10)
2024/02/15 09:38:02 [notice] 1#1: OS: Linux 6.7.4-arch1-1
2024/02/15 09:38:02 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1073741816:1073741816
2024/02/15 09:38:02 [notice] 1#1: start worker processes
2024/02/15 09:38:02 [notice] 1#1: start worker process 30
2024/02/15 09:38:02 [notice] 1#1: start worker process 31
2024/02/15 09:38:02 [notice] 1#1: start worker process 32
2024/02/15 09:38:02 [notice] 1#1: start worker process 33
2024/02/15 09:38:02 [notice] 1#1: start worker process 34
2024/02/15 09:38:02 [notice] 1#1: start worker process 35
2024/02/15 09:38:02 [notice] 1#1: start worker process 36
2024/02/15 09:38:02 [notice] 1#1: start worker process 37
2024/02/15 09:38:02 [notice] 1#1: start worker process 38
2024/02/15 09:38:02 [notice] 1#1: start worker process 39
2024/02/15 09:38:02 [notice] 1#1: start worker process 40
2024/02/15 09:38:02 [notice] 1#1: start worker process 41
2024/02/15 09:38:02 [notice] 1#1: start worker process 42
2024/02/15 09:38:02 [notice] 1#1: start worker process 43
2024/02/15 09:38:02 [notice] 1#1: start worker process 44
2024/02/15 09:38:02 [notice] 1#1: start worker process 45
2024/02/15 09:38:02 [notice] 1#1: start worker process 46
2024/02/15 09:38:02 [notice] 1#1: start worker process 47
2024/02/15 09:38:02 [notice] 1#1: start worker process 48
2024/02/15 09:38:02 [notice] 1#1: start worker process 49
2024/02/15 09:38:02 [notice] 1#1: start worker process 50
2024/02/15 09:38:02 [notice] 1#1: start worker process 51
2024/02/15 09:38:02 [notice] 1#1: start worker process 52
2024/02/15 09:38:02 [notice] 1#1: start worker process 53
^C2024/02/15 09:38:04 [notice] 1#1: signal 2 (SIGINT) received, exiting
2024/02/15 09:38:04 [notice] 30#30: exiting
2024/02/15 09:38:04 [notice] 32#32: exiting
2024/02/15 09:38:04 [notice] 33#33: exiting
2024/02/15 09:38:04 [notice] 39#39: exiting
2024/02/15 09:38:04 [notice] 37#37: exiting
2024/02/15 09:38:04 [notice] 40#40: exiting
2024/02/15 09:38:04 [notice] 38#38: exiting
2024/02/15 09:38:04 [notice] 31#31: exiting
2024/02/15 09:38:04 [notice] 42#42: exiting
2024/02/15 09:38:04 [notice] 43#43: exiting
2024/02/15 09:38:04 [notice] 35#35: exiting
2024/02/15 09:38:04 [notice] 34#34: exiting
2024/02/15 09:38:04 [notice] 46#46: exiting
2024/02/15 09:38:04 [notice] 36#36: exiting
2024/02/15 09:38:04 [notice] 45#45: exiting
2024/02/15 09:38:04 [notice] 47#47: exiting
2024/02/15 09:38:04 [notice] 49#49: exiting
2024/02/15 09:38:04 [notice] 48#48: exiting
2024/02/15 09:38:04 [notice] 41#41: exiting
2024/02/15 09:38:04 [notice] 44#44: exiting
2024/02/15 09:38:04 [notice] 51#51: exiting
2024/02/15 09:38:04 [notice] 50#50: exiting
2024/02/15 09:38:04 [notice] 52#52: exiting
2024/02/15 09:38:04 [notice] 53#53: exiting
2024/02/15 09:38:04 [notice] 36#36: exit
2024/02/15 09:38:04 [notice] 33#33: exit
2024/02/15 09:38:04 [notice] 30#30: exit
2024/02/15 09:38:04 [notice] 49#49: exit
2024/02/15 09:38:04 [notice] 41#41: exit
2024/02/15 09:38:04 [notice] 37#37: exit
2024/02/15 09:38:04 [notice] 42#42: exit
2024/02/15 09:38:04 [notice] 43#43: exit
2024/02/15 09:38:04 [notice] 35#35: exit
2024/02/15 09:38:04 [notice] 52#52: exit
2024/02/15 09:38:04 [notice] 31#31: exit
2024/02/15 09:38:04 [notice] 34#34: exit
2024/02/15 09:38:04 [notice] 45#45: exit
2024/02/15 09:38:04 [notice] 44#44: exit
2024/02/15 09:38:04 [notice] 46#46: exit
2024/02/15 09:38:04 [notice] 39#39: exit
2024/02/15 09:38:04 [notice] 50#50: exit
2024/02/15 09:38:04 [notice] 32#32: exit
2024/02/15 09:38:04 [notice] 53#53: exit
2024/02/15 09:38:04 [notice] 40#40: exit
2024/02/15 09:38:04 [notice] 48#48: exit
2024/02/15 09:38:04 [notice] 51#51: exit
2024/02/15 09:38:04 [notice] 47#47: exit
2024/02/15 09:38:04 [notice] 38#38: exit
2024/02/15 09:38:04 [notice] 1#1: signal 14 (SIGALRM) received
2024/02/15 09:38:04 [notice] 1#1: signal 17 (SIGCHLD) received from 40
2024/02/15 09:38:04 [notice] 1#1: worker process 40 exited with code 0
2024/02/15 09:38:04 [notice] 1#1: worker process 42 exited with code 0
2024/02/15 09:38:04 [notice] 1#1: signal 29 (SIGIO) received
2024/02/15 09:38:04 [notice] 1#1: signal 17 (SIGCHLD) received from 42
2024/02/15 09:38:04 [notice] 1#1: worker process 39 exited with code 0
2024/02/15 09:38:04 [notice] 1#1: signal 29 (SIGIO) received
2024/02/15 09:38:04 [notice] 1#1: signal 17 (SIGCHLD) received from 37
2024/02/15 09:38:04 [notice] 1#1: worker process 37 exited with code 0
2024/02/15 09:38:04 [notice] 1#1: worker process 46 exited with code 0
2024/02/15 09:38:04 [notice] 1#1: signal 29 (SIGIO) received
2024/02/15 09:38:04 [notice] 1#1: signal 17 (SIGCHLD) received from 46
2024/02/15 09:38:04 [notice] 1#1: worker process 32 exited with code 0
2024/02/15 09:38:04 [notice] 1#1: worker process 48 exited with code 0
2024/02/15 09:38:04 [notice] 1#1: signal 29 (SIGIO) received
2024/02/15 09:38:04 [notice] 1#1: signal 17 (SIGCHLD) received from 47
2024/02/15 09:38:04 [notice] 1#1: worker process 47 exited with code 0
2024/02/15 09:38:04 [notice] 1#1: signal 29 (SIGIO) received
2024/02/15 09:38:04 [notice] 1#1: signal 17 (SIGCHLD) received from 44
2024/02/15 09:38:04 [notice] 1#1: worker process 44 exited with code 0
2024/02/15 09:38:04 [notice] 1#1: signal 29 (SIGIO) received
2024/02/15 09:38:04 [notice] 1#1: signal 17 (SIGCHLD) received from 50
2024/02/15 09:38:04 [notice] 1#1: worker process 45 exited with code 0
2024/02/15 09:38:04 [notice] 1#1: worker process 50 exited with code 0
2024/02/15 09:38:04 [notice] 1#1: signal 29 (SIGIO) received
2024/02/15 09:38:04 [notice] 1#1: signal 17 (SIGCHLD) received from 45
2024/02/15 09:38:04 [notice] 1#1: worker process 51 exited with code 0
2024/02/15 09:38:04 [notice] 1#1: signal 29 (SIGIO) received
2024/02/15 09:38:04 [notice] 1#1: signal 17 (SIGCHLD) received from 33
2024/02/15 09:38:04 [notice] 1#1: worker process 33 exited with code 0
2024/02/15 09:38:04 [notice] 1#1: worker process 43 exited with code 0
2024/02/15 09:38:04 [notice] 1#1: worker process 34 exited with code 0
2024/02/15 09:38:04 [notice] 1#1: signal 29 (SIGIO) received
2024/02/15 09:38:04 [notice] 1#1: signal 17 (SIGCHLD) received from 34
2024/02/15 09:38:04 [notice] 1#1: signal 17 (SIGCHLD) received from 52
2024/02/15 09:38:04 [notice] 1#1: worker process 52 exited with code 0
2024/02/15 09:38:04 [notice] 1#1: signal 29 (SIGIO) received
2024/02/15 09:38:04 [notice] 1#1: signal 17 (SIGCHLD) received from 31
2024/02/15 09:38:04 [notice] 1#1: worker process 31 exited with code 0
2024/02/15 09:38:04 [notice] 1#1: signal 29 (SIGIO) received
2024/02/15 09:38:04 [notice] 1#1: signal 17 (SIGCHLD) received from 36
2024/02/15 09:38:04 [notice] 1#1: worker process 36 exited with code 0
2024/02/15 09:38:04 [notice] 1#1: worker process 41 exited with code 0
2024/02/15 09:38:04 [notice] 1#1: worker process 53 exited with code 0
2024/02/15 09:38:04 [notice] 1#1: signal 29 (SIGIO) received
2024/02/15 09:38:04 [notice] 1#1: signal 17 (SIGCHLD) received from 49
2024/02/15 09:38:04 [notice] 1#1: worker process 30 exited with code 0
2024/02/15 09:38:04 [notice] 1#1: worker process 38 exited with code 0
2024/02/15 09:38:04 [notice] 1#1: worker process 49 exited with code 0
2024/02/15 09:38:04 [notice] 1#1: signal 29 (SIGIO) received
2024/02/15 09:38:04 [notice] 1#1: signal 17 (SIGCHLD) received from 30
2024/02/15 09:38:04 [notice] 1#1: signal 17 (SIGCHLD) received from 35
2024/02/15 09:38:04 [notice] 1#1: worker process 35 exited with code 0
2024/02/15 09:38:04 [notice] 1#1: exit
PS: The problem started with nginx version 1.20.0. Version 1.19.10 (the last 1.19 release) does not have these notices, but for security-vulnerability reasons I don't want to use such an old version.
However, the change isn't mentioned in the changelog at http://nginx.org/en/CHANGES-1.20:
Changes with nginx 1.20.0 20 Apr 2021
*) 1.20.x stable branch.
PPS: In this test all logging is disabled with error_log /dev/null emerg;, so these messages seem to be emitted by nginx outside of normal logging.
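One thing a practitioner can do without touching the container's entrypoint is to apply the severity filter on the consumer side, where docker logs (or the log driver) delivers the stream. The parser and filter below are an added example, not code from the post or from nginx: they recognise the error_log line shape visible in the output above (date, [level], pid#tid, message), keep only entries at or above a chosen level, and deliberately pass through anything that does not parse so that unexpected output is never hidden. The sample lines are constructed; the warn and error messages are illustrative nginx-style messages, not taken from the post.

```python
import re
import sys

# nginx error_log line shape, as in the output above:
#   YYYY/MM/DD HH:MM:SS [level] pid#tid: message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<level>debug|info|notice|warn|error|crit|alert|emerg)\] "
    r"(?P<pid>\d+)#(?P<tid>\d+): (?P<msg>.*)$"
)
# nginx severities, least to most severe
LEVELS = ("debug", "info", "notice", "warn", "error", "crit", "alert", "emerg")


def parse_line(line):
    """Parse one nginx error-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["pid"], entry["tid"] = int(entry["pid"]), int(entry["tid"])
    return entry


def filter_lines(lines, min_level="warn"):
    """Keep entries at or above min_level. Non-empty lines that do not parse are
    kept as well (level None) so that unexpected output is never silently dropped."""
    threshold = LEVELS.index(min_level)
    kept = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            if line.strip():
                kept.append({"level": None, "msg": line})
            continue
        if LEVELS.index(entry["level"]) >= threshold:
            kept.append(entry)
    return kept


# Constructed sample: three notices of the kind shown above plus an illustrative
# warning and error in nginx's own message style.
SAMPLE = """\
2024/02/15 09:38:02 [notice] 1#1: using the "epoll" event method
2024/02/15 09:38:02 [notice] 1#1: nginx/1.25.4
2024/02/15 09:38:02 [notice] 1#1: start worker process 30
2024/02/15 09:38:03 [warn] 1#1: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
2024/02/15 09:38:05 [error] 30#30: *1 open() "/usr/share/nginx/html/missing" failed (2: No such file or directory), client: 172.17.0.1, server: localhost, request: "GET /missing HTTP/1.1", host: "localhost"
"""


if __name__ == "__main__":
    # Usage: docker logs -f <container> 2>&1 | python3 nginx_errors_only.py [level]
    level = sys.argv[1] if len(sys.argv) > 1 else "warn"
    for entry in filter_lines((l.rstrip("\n") for l in sys.stdin), level):
        print(entry["msg"] if entry["level"] is None
              else f"{entry['ts']} [{entry['level']}] {entry['msg']}")
```

Filtering at the consumer keeps the container image and its entrypoint untouched and still gives the "errors only" view; it does not change what nginx writes, so the notices are still present in the raw stream for forensics if you ever need the worker start and exit timeline.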
Today I saw a lot of (empty!) log files in the bind9 log directory.
querylog.1.1.1.2.2.1.1.1.2.1.1.1.1 querylog.2.1.1.1.2.1.1.1.1.1.2.1.1.1.2 update-debug.log.3.1.1.1.1.2
querylog.1.1.1.2.2.1.1.1.2.1.1.1.1.1 querylog.2.1.1.1.2.1.1.1.1.1.2.1.1.1.2.1 update-debug.log.3.1.1.1.1.2.1
querylog.1.1.1.2.2.1.1.1.2.1.1.1.1.1.1 querylog.2.1.1.1.2.1.1.1.1.1.2.1.1.2 update-debug.log.3.1.1.1.2
querylog.1.1.1.2.2.1.1.1.2.1.1.1.1.1.1.1 querylog.2.1.1.1.2.1.1.1.1.1.2.1.1.2.1 update-debug.log.3.1.1.1.2.1
querylog.1.1.1.2.2.1.1.1.2.1.1.1.1.1.1.1.1 querylog.2.1.1.1.2.1.1.1.1.1.2.1.2 update-debug.log.3.1.1.2
querylog.1.1.1.2.2.1.1.1.2.1.1.1.1.1.2 querylog.2.1.1.1.2.1.1.1.1.1.2.1.2.1 update-debug.log.3.1.1.2.1
querylog.1.1.1.2.2.1.1.1.2.1.1.1.1.1.2.1 querylog.2.1.1.1.2.1.1.1.1.1.2.2 update-debug.log.3.1.2
querylog.1.1.1.2.2.1.1.1.2.1.1.1.1.2 querylog.2.1.1.1.2.1.1.1.1.1.2.2.1 update-debug.log.3.1.2.1
querylog.1.1.1.2.2.1.1.1.2.1.1.1.1.2.1 querylog.2.1.1.1.2.1.1.1.1.1.3 update-debug.log.3.2
querylog.1.1.1.2.2.1.1.1.2.1.1.1.2 querylog.2.1.1.1.2.1.1.1.1.1.3.1 update-debug.log.3.2.1
The list is incomplete; there are more than 7000 files. This is the logging configuration in named.conf:
logging {
channel update_debug {
file "/var/log/update-debug.log";
severity debug 1;
print-category yes;
print-severity yes;
print-time yes;
};
channel security_info {
file "/var/log/named-auth.info";
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
channel querylog {
file "/var/log/querylog";
severity debug 1;
print-category yes;
print-severity yes;
print-time yes;
};
category update { update_debug; };
category security { security_info; };
category queries { querylog; };
};
How can I avoid this fragmentation?
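The channels above declare each file with no versions or size, so named itself is not bounding how many backup files exist. The fragment below is an added example (not the poster's configuration) of the same three channels with BIND's documented versions and size parameters set on the file clause, so that named caps the number of backups it keeps and rolls on size. The values 7 and 20m are illustrative assumptions; the post does not say whether an external logrotate rule also touches these files, and if one does, only one of the two should own rotation or you will get renames on top of renames.

```conf
logging {
    channel update_debug {
        file "/var/log/update-debug.log" versions 7 size 20m;
        severity debug 1;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel security_info {
        file "/var/log/named-auth.info" versions 7 size 20m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel querylog {
        file "/var/log/querylog" versions 7 size 20m;
        severity debug 1;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category update   { update_debug; };
    category security { security_info; };
    category queries  { querylog; };
};
```

Check the result with named-checkconf before reloading, and count the directory again a day later; if new dotted suffixes still appear, something other than named (logrotate, a wrapper script) is renaming the files underneath it.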
My goal is to send all logs to one remote destination while still logging locally, and then send all AuditD logs to their own destination on port 20002. But for some reason my auditd logs still end up being sent along with my syslogs to port 20000.
/etc/rsyslog.conf:
cat /etc/rsyslog.conf
module(load="imuxsock") # provides support for local system logging
module(load="imklog") # provides kernel logging support
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$WorkDirectory /var/spool/rsyslog
$IncludeConfig /etc/rsyslog.d/*.conf
local7.* ~
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
*.=debug;\
auth,authpriv.none;\
mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail.none -/var/log/messages
*.emerg :omusrmsg:*
/etc/rsyslog.d/rsyslog_d_all.conf:
*.*;!local7.* action(type="omfwd" target="10.10.1.23" port="20000" protocol="tcp")
rsyslog_d_auditd.conf:
$ModLoad imfile
local7.* action(type="omfwd" target="10.10.1.23" port="20002" protocol="tcp")
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor
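In the configuration above the imfile input is not bound to a ruleset, so every audit line enters the main ruleset, where it is subject to the forwarding selector in rsyslog_d_all.conf; with a wildcard $IncludeConfig the files are processed alphabetically at that point in rsyslog.conf, so rsyslog_d_all.conf runs before rsyslog_d_auditd.conf and before the local7.* discard line. Binding the input to its own ruleset sidesteps the ordering and selector questions entirely: messages in a bound ruleset never reach the main one. The fragment below is an added example (not the poster's file) written in rsyslog's RainerScript form, assuming the same target, port and tag as the post. The legacy equivalent of the ruleset binding is $InputFileBindRuleset, and the conventional selector form for excluding a facility, should you keep selectors, is local7.none.

```conf
# /etc/rsyslog.d/rsyslog_d_auditd.conf (added example)
module(load="imfile")

# A dedicated ruleset: messages bound to it never enter the main ruleset,
# so no selector in rsyslog.conf or rsyslog_d_all.conf can forward them.
ruleset(name="auditfwd") {
    action(type="omfwd" target="10.10.1.23" port="20002" protocol="tcp")
}

input(type="imfile"
      File="/var/log/audit/audit.log"
      Tag="tag_audit_log:"
      Severity="info"
      Facility="local7"
      ruleset="auditfwd")
```

With this in place the local7.* forward and discard lines are no longer needed for audit traffic. Verify with rsyslogd -N1 for syntax, then generate one audit event and confirm with tcpdump or the collector that it arrives on 20002 only.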
I'm writing a shell script that uses the Linux logger to record output. According to the documentation, I believe the logging is sent to /var/log/syslog on Linux and to var/logs/system.log on Mac.
Here is a simplified version of my test script:
#!/bin/bash
n=$RANDOM
logger "testing: $n is a random number."
When I run it and then look at system.log, I don't see any message. However, if I search for "testing" in Console.app on Mac OS, I do see the message.
My question is: where are these logs stored on the Mac filesystem? They must be somewhere, but I can't seem to find them. They are definitely not in /var/log/system.log.
I'm running a STIG build of RHEL, but I can't figure out how all my logical volumes are mapped.
/dev/mapper/vg1_audit seems to point to /dev/dm-2
/dev/vg1/lv_audit also seems to map to /dev/dm-2
Running lsblk shows these volumes mounted on /var/log/audit, but I see different results when I run cat on each of them.
When I cat /var/log/audit.log and audit.log.1, they are blank (because I cleared them with truncate). However, running cat /dev/mapper/vg1_audit and /dev/dm-2 prints out a huge file containing log data.
I'm not sure where this log is stored or who is writing to it. I also can't clear it with truncate, FWIW.
I'd like to know what the process of writing the timestamp (and the other parts of a log message) means in the Syslog protocol. In other words, does Syslog set the timestamp of the log message (the exact time the message is received), or does the process sending the message (the exact time it is sent)?
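In both RFC 3164 and RFC 5424 the TIMESTAMP field is written by the originator (the sending process, or the syslog library acting for it), and a relay or collector records its own arrival time separately; rsyslog exposes the two as the timereported and timegenerated properties. The exchange below is an added example, not code from the post: the sender builds an RFC 5424 message with its own clock, the receiver parses it and keeps both times, and the difference shows the skew a collector sees (buffering, a slow link, or a sender whose clock is wrong or lying). The hostname, app name and message are constructed.

```python
import datetime as dt
import re

# RFC 5424 section 6.2.1: PRI = facility * 8 + severity (user = 1, info = 6).
FAC_USER, SEV_INFO = 1, 6

RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+)(?: (?P<msg>.*))?$"
)


def build_message(msg, when, hostname="app01", app="myapp", procid="4242",
                  facility=FAC_USER, severity=SEV_INFO):
    """Originator side: the TIMESTAMP field carries the sender's own clock (UTC, ms)."""
    ts = when.astimezone(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    pri = facility * 8 + severity
    return f"<{pri}>1 {ts} {hostname} {app} {procid} - - {msg}"


def receive_message(line, received_at):
    """Collector side: parse the message and record arrival time separately from
    the originator's timestamp, so skew (or a lying sender) stays visible."""
    m = RFC5424_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message: %r" % line)
    pri = int(m["pri"])
    origin = None
    if m["ts"] != "-":                       # "-" is the NILVALUE: sender had no clock
        origin = dt.datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "host": m["host"],
        "app": m["app"],
        "msg": m["msg"] or "",
        "timereported": origin,              # rsyslog's name for the originator timestamp
        "timegenerated": received_at,        # rsyslog's name for the collector's arrival time
        "skew_seconds": None if origin is None else (received_at - origin).total_seconds(),
    }


def demo():
    """Constructed exchange: the sender stamps 09:38:02.000Z and the collector
    receives the message 5.25 s later."""
    sent_at = dt.datetime(2024, 2, 15, 9, 38, 2, tzinfo=dt.timezone.utc)
    line = build_message("testing: 17 is a random number.", sent_at)
    got = receive_message(line, sent_at + dt.timedelta(seconds=5, milliseconds=250))
    return line, got
```

For detection and forensics, index on the collector's own arrival time and keep the originator's timestamp as data: an attacker who controls a host controls the timestamps it emits, while the arrival time is under the collector's clock. A large or negative skew on one host is itself worth alerting on.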