
Linux Tutorial FG019 - System Log Management Basics (rsyslog/journald)

This article introduces the basics of Linux system log management, covering the two logging tools rsyslog and journald. 风哥教程 follows the System administration chapter of the official Linux documentation to give readers a complete guide to log management.

Reference: the System administration chapter of the official Red Hat Enterprise Linux 10 documentation

Part01 - Basic Concepts and Theory

1.1 System Log Overview

System logs are the records of events generated while a Linux system runs, including system startup, service activity and error messages. They are essential for troubleshooting, performance analysis and security auditing.

1.2 rsyslog Overview

rsyslog is the traditional log management tool on Linux. It supports local and remote logging and can filter and route messages by priority level and facility. rsyslog rules are defined in configuration files.

1.3 journald Overview

journald is the logging service provided by systemd. It stores logs in a binary format and supports structured logs and metadata. Because it is tightly integrated with systemd, it makes viewing and managing system logs convenient.

Part02 - Production Environment Planning and Recommendations

2.1 rsyslog Configuration Recommendations

rsyslog configuration recommendations:

  • Configure log levels to filter out unnecessary messages
  • Configure log rotation to keep log files from growing too large
  • Configure a remote log server for centralized log management
  • Configure the log format to make log analysis easier
  • Clean up old logs regularly to free disk space

2.2 journald Configuration Recommendations

journald configuration recommendations:

  • Configure persistent storage so logs are not lost after a reboot
  • Configure size limits to control disk usage
  • Configure log forwarding for centralized log management
  • Configure log filtering to reduce log volume
  • Clean up logs regularly to free disk space

2.3 Log Management Recommendations

Log management recommendations:

  • Establish a log classification scheme to make analysis easier
  • Configure log monitoring to detect anomalies promptly
  • Establish a log backup strategy to prevent log loss
  • Use log analysis tools to improve analysis efficiency
  • Audit logs regularly to discover security problems

Part03 - Production Environment Implementation Plan

3.1 rsyslog Configuration

rsyslog configuration:

# Step 1: check the rsyslog status
$ sudo systemctl status rsyslog
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2026-04-02 10:00:00 CST; 10s ago
Docs: man:rsyslogd(8)
https://www.rsyslog.com/doc/
Main PID: 1234 (rsyslogd)
Tasks: 3 (limit: 4915)
Memory: 3.5M
CGroup: /system.slice/rsyslog.service
└─1234 /usr/sbin/rsyslogd -n

# Step 2: view the rsyslog configuration file
$ cat /etc/rsyslog.conf
# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html

# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####
module(load="imuxsock") # provides support for local system logging
module(load="imjournal") # provides access to the systemd journal
module(load="imklog") # kernel logging
module(load="immark") # provides --MARK-- message capability

#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

# Step 3: list the log files
$ ls -l /var/log | grep -E "messages|secure|maillog|cron|spooler|boot.log"
-rw-------. 1 root root 123456 Apr 2 10:00 /var/log/messages
-rw-------. 1 root root 12345 Apr 2 10:00 /var/log/secure
-rw-------. 1 root root 6789 Apr 2 10:00 /var/log/maillog
-rw-------. 1 root root 3456 Apr 2 10:00 /var/log/cron
-rw-------. 1 root root 2345 Apr 2 10:00 /var/log/spooler
-rw-------. 1 root root 5678 Apr 2 10:00 /var/log/boot.log

# Step 4: view the system log
$ sudo tail -20 /var/log/messages
Apr 2 10:00:00 fgedu systemd[1]: Starting System Logging Service…
Apr 2 10:00:00 fgedu rsyslogd[1234]: [origin software="rsyslogd" swVersion="8.2102.0" x-pid="1234" x-info="http://www.rsyslog.com"] start
Apr 2 10:00:00 fgedu systemd[1]: Started System Logging Service.
Apr 2 10:00:00 fgedu NetworkManager[5678]: [1234567890abcdef] device (eth0): state change: ip-config -> ip-check
Apr 2 10:00:00 fgedu NetworkManager[5678]: [1234567890abcdef] policy: set-ipv4-dns (eth0): 192.168.1.1 8.8.8.8
Apr 2 10:00:00 fgedu NetworkManager[5678]: [1234567890abcdef] device (eth0): state change: ip-check -> secondaries
Apr 2 10:00:00 fgedu NetworkManager[5678]: [1234567890abcdef] device (eth0): state change: secondaries -> activated
Apr 2 10:00:00 fgedu dhclient[9012]: DHCPREQUEST for 192.168.1.10 on eth0 to 255.255.255.255 port 67 (xid=0x12345678)
Apr 2 10:00:00 fgedu dhclient[9012]: DHCPACK from 192.168.1.1 (xid=0x12345678)
Apr 2 10:00:00 fgedu dhclient[9012]: bound to 192.168.1.10 -- renewal in 43200 seconds.
Apr 2 10:00:00 fgedu chronyd[3456]: Selected source 192.168.1.1
Apr 2 10:00:00 fgedu chronyd[3456]: System clock wrong by -0.123456 seconds, adjusting
Apr 2 10:00:00 fgedu sshd[12345]: Accepted password for fgedu from 192.168.1.100 port 12345 ssh2
Apr 2 10:00:00 fgedu systemd[1]: Starting Session 1 of user fgedu.
Apr 2 10:00:00 fgedu systemd-logind[6789]: New session 1 of user fgedu.
Apr 2 10:00:00 fgedu systemd[1]: Started Session 1 of user fgedu.
Apr 2 10:00:00 fgedu systemd[1]: Starting Daily Cleanup of Temporary Directories…
Apr 2 10:00:00 fgedu systemd-tmpfiles[7890]: /var/tmp: 1 files removed.
Apr 2 10:00:00 fgedu systemd[1]: Started Daily Cleanup of Temporary Directories.

# Step 5: view the security log
$ sudo tail -20 /var/log/secure
Apr 2 10:00:00 fgedu sshd[12345]: Accepted password for fgedu from 192.168.1.100 port 12345 ssh2
Apr 2 10:00:00 fgedu sshd[12345]: pam_unix(sshd:session): session opened for user fgedu by (uid=0)
Apr 2 10:00:00 fgedu systemd-logind[6789]: New session 1 of user fgedu.
Apr 2 10:00:00 fgedu sshd[12345]: pam_unix(sshd:session): session closed for user fgedu
Apr 2 10:00:00 fgedu sshd[12346]: Accepted publickey for fgedu from 192.168.1.100 port 12346 ssh2
Apr 2 10:00:00 fgedu sshd[12346]: pam_unix(sshd:session): session opened for user fgedu by (uid=0)
Apr 2 10:00:00 fgedu systemd-logind[6789]: New session 2 of user fgedu.
Apr 2 10:00:00 fgedu sshd[12346]: pam_unix(sshd:session): session closed for user fgedu

# Step 6: configure custom log rules
$ sudo vi /etc/rsyslog.d/fgedu.conf
# application logs
local0.* /var/log/fgedu/app.log
local1.* /var/log/fgedu/database.log

# Step 7: restart the rsyslog service
$ sudo systemctl restart rsyslog

# Step 8: verify the configuration
$ sudo systemctl status rsyslog
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2026-04-02 10:00:00 CST; 10s ago
Docs: man:rsyslogd(8)
https://www.rsyslog.com/doc/
Main PID: 1234 (rsyslogd)
Tasks: 3 (limit: 4915)
Memory: 3.5M
CGroup: /system.slice/rsyslog.service
└─1234 /usr/sbin/rsyslogd -n

3.2 journald Configuration

journald configuration:

# Step 1: check the journald status
$ sudo systemctl status systemd-journald
● systemd-journald.service - Journal Service
Loaded: loaded (/usr/lib/systemd/system/systemd-journald.service; static)
Active: active (running) since Wed 2026-04-02 10:00:00 CST; 10s ago
Docs: man:systemd-journald.service(8)
man:journald.conf(5)
Main PID: 1234 (systemd-journal)
Tasks: 1 (limit: 4915)
Memory: 8.5M
CGroup: /system.slice/systemd-journald.service
└─1234 /usr/lib/systemd/systemd-journald

# Step 2: view the journald configuration file
$ cat /etc/systemd/journald.conf
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
#
# Entries in this file show the compile time defaults.
# You can change settings by editing this file.
# Defaults can be restored by simply deleting this file.
#
# See journald.conf(5) for details.

[Journal]
#Storage=auto
#Compress=yes
#Seal=yes
#SplitMode=uid
#SyncIntervalSec=5m
#RateLimitIntervalSec=30s
#RateLimitBurst=1000
SystemMaxUse=512M
#SystemMaxFileSize=10M
#RuntimeMaxUse=128M
#RuntimeMaxFileSize=8M
#MaxRetentionSec=1month
#MaxFileSec=1month
#ForwardToSyslog=yes
#ForwardToKMsg=no
#ForwardToConsole=no
#ForwardToWall=yes
#TTYPath=/dev/tty10
#MaxLevelStore=debug
#MaxLevelSyslog=debug
#MaxLevelKMsg=notice
#MaxLevelConsole=info
#MaxLevelWall=emerg
#LineMax=48K

# Step 3: modify the journald configuration
$ sudo vi /etc/systemd/journald.conf
# change the following settings
Storage=persistent
SystemMaxUse=1G
SystemMaxFileSize=100M
MaxRetentionSec=30day
ForwardToSyslog=yes

# Step 4: restart the journald service
$ sudo systemctl restart systemd-journald

# Step 5: view the journal
$ sudo journalctl -n 20
-- Logs begin at Wed 2026-04-02 10:00:00 CST, end at Wed 2026-04-02 10:00:00 CST. --
Apr 02 10:00:00 fgedu systemd[1]: Starting System Logging Service…
Apr 02 10:00:00 fgedu rsyslogd[1234]: [origin software="rsyslogd" swVersion="8.2102.0" x-pid="1234" x-info="http://www.rsyslog.com"] start
Apr 02 10:00:00 fgedu systemd[1]: Started System Logging Service.
Apr 02 10:00:00 fgedu NetworkManager[5678]: [1234567890abcdef] device (eth0): state change: ip-config -> ip-check
Apr 02 10:00:00 fgedu NetworkManager[5678]: [1234567890abcdef] policy: set-ipv4-dns (eth0): 192.168.1.1 8.8.8.8
Apr 02 10:00:00 fgedu dhclient[9012]: DHCPREQUEST for 192.168.1.10 on eth0 to 255.255.255.255 port 67 (xid=0x12345678)
Apr 02 10:00:00 fgedu dhclient[9012]: DHCPACK from 192.168.1.1 (xid=0x12345678)
Apr 02 10:00:00 fgedu dhclient[9012]: bound to 192.168.1.10 -- renewal in 43200 seconds.
Apr 02 10:00:00 fgedu chronyd[3456]: Selected source 192.168.1.1
Apr 02 10:00:00 fgedu chronyd[3456]: System clock wrong by -0.123456 seconds, adjusting
Apr 02 10:00:00 fgedu sshd[12345]: Accepted password for fgedu from 192.168.1.100 port 12345 ssh2
Apr 02 10:00:00 fgedu systemd-logind[6789]: New session 1 of user fgedu.
Apr 02 10:00:00 fgedu systemd[1]: Started Session 1 of user fgedu.

# Step 6: view the logs of a specific service
$ sudo journalctl -u sshd -n 20
-- Logs begin at Wed 2026-04-02 10:00:00 CST, end at Wed 2026-04-02 10:00:00 CST. --
Apr 02 10:00:00 fgedu systemd[1]: Starting OpenSSH server daemon…
Apr 02 10:00:00 fgedu sshd[12345]: Server listening on 0.0.0.0 port 2222.
Apr 02 10:00:00 fgedu sshd[12345]: Server listening on :: port 2222.
Apr 02 10:00:00 fgedu systemd[1]: Started OpenSSH server daemon.
Apr 02 10:00:00 fgedu sshd[12345]: Accepted password for fgedu from 192.168.1.100 port 12345 ssh2
Apr 02 10:00:00 fgedu sshd[12345]: pam_unix(sshd:session): session opened for user fgedu by (uid=0)
Apr 02 10:00:00 fgedu sshd[12345]: pam_unix(sshd:session): session closed for user fgedu

# Step 7: view error-level and higher messages
$ sudo journalctl -p err -n 20
-- Logs begin at Wed 2026-04-02 10:00:00 CST, end at Wed 2026-04-02 10:00:00 CST. --
Apr 02 10:00:00 fgedu kernel: ACPI Error: Method parse/execution failed [\_SB_.PCI0.SBRG.EC0_._Q66] (AE_AML_PACKAGE_LIMIT)
Apr 02 10:00:00 fgedu kernel: ACPI Error: Method parse/execution failed [\_SB_.PCI0.SBRG.EC0_._Q67] (AE_AML_PACKAGE_LIMIT)
Apr 02 10:00:00 fgedu kernel: ACPI Error: Method parse/execution failed [\_SB_.PCI0.SBRG.EC0_._Q68] (AE_AML_PACKAGE_LIMIT)

# Step 8: check journal disk usage
$ sudo journalctl --disk-usage
Archived and active journals take up 123.4M in the file system.
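A check, added here as an example and not part of the original tutorial, that reads the effective [Journal] settings the way journald resolves them (main file first, then drop-ins, last assignment wins, commented defaults ignored) and confirms that the persistence and size cap set in step 3 are really in effect. File paths are parameters and the sample configuration is constructed.

```shell
#!/bin/bash
# journald_check.sh: added example, not part of the original tutorial.
# Resolves a [Journal] key the way journald does: /etc/systemd/journald.conf
# first, then drop-ins in /etc/systemd/journald.conf.d/*.conf in lexical
# order, last assignment wins; commented defaults such as "#Storage=auto"
# are ignored. Paths are parameters so the check can run against copies.

# Usage: journald_setting KEY MAIN_CONF DROPIN_DIR -> prints the value ("" if unset)
journald_setting() {
    local key="$1" main="$2" dir="$3" f
    for f in "$main" "$dir"/*.conf; do
        [ -f "$f" ] && cat "$f"
    done | awk -v key="$key" '
        /^[[:space:]]*\[/   { in_journal = ($0 ~ /^[[:space:]]*\[Journal\]/); next }
        /^[[:space:]]*[#;]/ { next }
        in_journal && index($0, "=") {
            k = $0; sub(/[[:space:]]*=.*/, "", k); sub(/^[[:space:]]+/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v) }
        }
        END { print v }'
}

# Returns 0 when logs survive a reboot and disk use is capped, as set in
# step 3 above. Storage=auto only persists when /var/log/journal exists.
journald_persistence_ok() {
    local main="$1" dir="$2" journal_dir="${3:-/var/log/journal}" storage
    storage=$(journald_setting Storage "$main" "$dir")
    case "$storage" in
        persistent) ;;
        auto|"")    [ -d "$journal_dir" ] || return 1 ;;
        *)          return 1 ;;
    esac
    [ -n "$(journald_setting SystemMaxUse "$main" "$dir")" ]
}

# Constructed sample: the journald.conf edited in step 3 plus one drop-in
# that overrides the size cap.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/journald.conf.d"
printf '[Journal]\n#Storage=auto\nStorage=persistent\nSystemMaxUse=1G\nMaxRetentionSec=30day\n' > "$DEMO/journald.conf"
printf '[Journal]\nSystemMaxUse=2G\n' > "$DEMO/journald.conf.d/10-size.conf"
echo "Storage=$(journald_setting Storage "$DEMO/journald.conf" "$DEMO/journald.conf.d")"
echo "SystemMaxUse=$(journald_setting SystemMaxUse "$DEMO/journald.conf" "$DEMO/journald.conf.d")"
if journald_persistence_ok "$DEMO/journald.conf" "$DEMO/journald.conf.d"; then
    echo "persistent storage with a size cap is in effect"
else
    echo "WARNING: logs may be lost on reboot or fill the disk"
fi
```

On a live system pass /etc/systemd/journald.conf and /etc/systemd/journald.conf.d; after restarting journald, sudo journalctl --disk-usage should stay under the cap reported here.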

3.3 Log Rotation Configuration

Log rotation configuration:

# Step 1: view the logrotate configuration file
$ cat /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# use date as a suffix of the rotated file
dateext

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
minsize 1M
rotate 1
}
/var/log/btmp {
missingok
monthly
create 0600 root utmp
rotate 1
}

# Step 2: create a custom log rotation configuration
$ sudo vi /etc/logrotate.d/fgedu
# application log rotation
/var/log/fgedu/*.log {
daily
rotate 30
compress
delaycompress
missingok
notifempty
create 0644 fgedu fgedu
sharedscripts
postrotate
systemctl reload rsyslog > /dev/null 2>&1 || true
endscript
}

# Step 3: test the log rotation configuration (dry run, nothing is rotated)
$ sudo logrotate -d /etc/logrotate.conf
reading config file /etc/logrotate.conf
reading config file /etc/logrotate.d/fgedu
reading config file /etc/logrotate.d/httpd

rotating pattern: /var/log/fgedu/*.log after 1 days (30 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/fgedu/app.log
log does not need rotating
considering log /var/log/fgedu/database.log
log does not need rotating

# Step 4: force a log rotation
$ sudo logrotate -f /etc/logrotate.conf

# Step 5: list the log files
$ ls -lh /var/log/fgedu/
total 20K
-rw-r--r-- 1 fgedu fgedu 123 Apr 2 10:00 app.log
-rw-r--r-- 1 fgedu fgedu 456 Apr 1 10:00 app.log-20260401
-rw-r--r-- 1 fgedu fgedu 789 Apr 2 10:00 database.log
-rw-r--r-- 1 fgedu fgedu 234 Apr 1 10:00 database.log-20260401

Part04 - Production Cases and Hands-on Explanation

4.1 Enterprise Log Management Case

A log management case from one enterprise:

  • Configuration: rsyslog and journald configured for centralized log management
  • Monitoring: log monitoring configured to detect anomalies promptly
  • Result: log management efficiency improved and troubleshooting time cut by 50%

4.2 Log Monitoring Script

Log monitoring script:

#!/bin/bash
# log_monitor.sh
# Reports lines containing the given keywords that were written in the last
# TIME_RANGE minutes, first from the rsyslog files and then from the journal.

# log files to check
LOG_FILES=(
    "/var/log/messages"
    "/var/log/secure"
    "/var/log/fgedu/app.log"
)

# keywords (grep -i is used below, so upper/lower-case variants are covered)
KEYWORDS=(
    "error"
    "fail"
    "warning"
)

# monitoring window (minutes)
TIME_RANGE=5

# current time as a Unix timestamp
CURRENT_TIME=$(date +%s)

# check the log files
for LOG_FILE in "${LOG_FILES[@]}"; do
    if [ ! -f "$LOG_FILE" ]; then
        continue
    fi

    echo "=== Checking $LOG_FILE ==="

    for KEYWORD in "${KEYWORDS[@]}"; do
        # keep only the matching lines from the last N minutes
        LOG_LINES=$(grep -i "$KEYWORD" "$LOG_FILE" | while read -r line; do
            # the traditional syslog timestamp is the first three fields, e.g. "Apr 2 10:00:00"
            LOG_TIME=$(echo "$line" | awk '{print $1" "$2" "$3}')
            LOG_TIMESTAMP=$(date -d "$LOG_TIME" +%s 2>/dev/null)

            if [ -n "$LOG_TIMESTAMP" ]; then
                TIME_DIFF=$((CURRENT_TIME - LOG_TIMESTAMP))
                TIME_DIFF_MIN=$((TIME_DIFF / 60))

                if [ "$TIME_DIFF_MIN" -le "$TIME_RANGE" ]; then
                    echo "$line"
                fi
            fi
        done)

        if [ -n "$LOG_LINES" ]; then
            echo "Found keyword '$KEYWORD' in $LOG_FILE:"
            echo "$LOG_LINES"
        fi
    done
done

# check the journal
echo "=== Checking journal logs ==="
for KEYWORD in "${KEYWORDS[@]}"; do
    LOG_LINES=$(sudo journalctl --since "$TIME_RANGE minutes ago" | grep -i "$KEYWORD")

    if [ -n "$LOG_LINES" ]; then
        echo "Found keyword '$KEYWORD' in journal:"
        echo "$LOG_LINES"
    fi
done

# run the script
$ chmod +x log_monitor.sh
$ ./log_monitor.sh
=== Checking /var/log/messages ===
Found keyword 'error' in /var/log/messages:
Apr 2 10:00:00 fgedu kernel: ACPI Error: Method parse/execution failed [\_SB_.PCI0.SBRG.EC0_._Q66] (AE_AML_PACKAGE_LIMIT)
=== Checking /var/log/secure ===
=== Checking /var/log/fgedu/app.log ===
=== Checking journal logs ===
Found keyword 'error' in journal:
Apr 02 10:00:00 fgedu kernel: ACPI Error: Method parse/execution failed [\_SB_.PCI0.SBRG.EC0_._Q66] (AE_AML_PACKAGE_LIMIT)

4.3 Log Analysis Script

Log analysis script:

#!/bin/bash
# log_analyze.sh
# Summarizes error and warning counts in the system log, SSH login activity
# and journal disk usage.

# log file to analyze
LOG_FILE="/var/log/messages"

# analysis window in hours (reserved; the counts below cover the whole file)
HOURS=24

# count errors
echo "=== Error Statistics ==="
ERROR_COUNT=$(sudo grep -i "error" "$LOG_FILE" | wc -l)
echo "Total errors: $ERROR_COUNT"

# count warnings
echo ""
echo "=== Warning Statistics ==="
WARNING_COUNT=$(sudo grep -i "warning" "$LOG_FILE" | wc -l)
echo "Total warnings: $WARNING_COUNT"

# count successful SSH logins
echo ""
echo "=== SSH Login Statistics ==="
SSH_LOGIN_COUNT=$(sudo grep "Accepted" /var/log/secure | wc -l)
echo "Total SSH logins: $SSH_LOGIN_COUNT"

# count failed SSH logins
SSH_FAILED_COUNT=$(sudo grep "Failed" /var/log/secure | wc -l)
echo "Failed SSH logins: $SSH_FAILED_COUNT"

# most active source IPs: the address is the 11th field of
# "... sshd[PID]: Accepted password for USER from IP port N ssh2"
echo ""
echo "=== Top Active IPs ==="
sudo grep "Accepted" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -rn | head -10

# journal disk usage
echo ""
echo "=== Log Disk Usage ==="
sudo journalctl --disk-usage

# run the script
$ chmod +x log_analyze.sh
$ ./log_analyze.sh
=== Error Statistics ===
Total errors: 123
=== Warning Statistics ===
Total warnings: 456
=== SSH Login Statistics ===
Total SSH logins: 78
Failed SSH logins: 12
=== Top Active IPs ===
45 192.168.1.100
20 192.168.1.101
13 192.168.1.102
=== Log Disk Usage ===
Archived and active journals take up 123.4M in the file system.
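As an added example, not part of the original tutorial, the following script complements log_monitor.sh and log_analyze.sh above: it counts failed SSH password attempts per source IP within a time window, parsing the syslog timestamp in awk (one process for the whole file instead of one date call per line) and resolving the year, which syslog timestamps lack, across a new-year boundary. The sample log lines are constructed.

```shell
#!/bin/bash
# ssh_fail_window.sh: added example, not part of the original tutorial.
# Counts failed SSH password attempts per source IP from /var/log/secure-
# style lines inside a time window. The timestamp is parsed in awk with
# mktime() (one process for the whole file instead of one date(1) call
# per line) and the year, which syslog timestamps lack, is taken from NOW.

# epoch_of "YYYY-MM-DD HH:MM:SS" -> seconds since the epoch (local time zone)
epoch_of() {
    awk -v s="$1" 'BEGIN { gsub(/[-:]/, " ", s); print mktime(s) }'
}

# Usage: failed_ssh_by_ip MINUTES NOW_EPOCH < logfile
# Prints "count ip", highest first. NOW_EPOCH is a parameter so runs are
# reproducible; pass "$(date +%s)" in production.
failed_ssh_by_ip() {
    awk -v now="$2" -v window="$(( $1 * 60 ))" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
        year = strftime("%Y", now)
    }
    /sshd\[[0-9]+\]: Failed password for/ {
        split($3, t, ":")
        ts = mktime(year " " mon[$1] " " $2 " " t[1] " " t[2] " " t[3])
        # a line that appears to be in the future was written last year
        if (ts > now + 86400)
            ts = mktime((year - 1) " " mon[$1] " " $2 " " t[1] " " t[2] " " t[3])
        if (now - ts <= window) {
            # the source address is the field after "from" (also for "invalid user")
            for (i = 1; i <= NF; i++) if ($i == "from") { hits[$(i + 1)]++; break }
        }
    }
    END { for (ip in hits) printf "%d %s\n", hits[ip], ip }
    ' | sort -rn
}

# Constructed sample in the /var/log/secure format shown in section 3.1.
SAMPLE='Apr  2 10:00:00 fgedu sshd[12350]: Failed password for root from 192.168.1.200 port 40001 ssh2
Apr  2 10:01:00 fgedu sshd[12351]: Failed password for invalid user admin from 192.168.1.200 port 40002 ssh2
Apr  2 10:02:00 fgedu sshd[12352]: Failed password for fgedu from 192.168.1.100 port 40003 ssh2
Apr  2 09:00:00 fgedu sshd[12300]: Failed password for root from 10.0.0.9 port 40004 ssh2
Apr  2 10:03:00 fgedu sshd[12353]: Accepted publickey for fgedu from 192.168.1.100 port 40005 ssh2'

NOW=$(epoch_of "2026-04-02 10:05:00")
printf '%s\n' "$SAMPLE" | failed_ssh_by_ip 10 "$NOW"
```

On a live host run sudo sh -c 'failed_ssh_by_ip 10 "$(date +%s)" < /var/log/secure' from the same shell; a source with many attempts in a short window is the signal to alert on.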

Part05 - 风哥's Experience Summary and Sharing

5.1 Log Management Recommendations

风哥's tips on log management:

  • Classify: establish a log classification scheme to make analysis easier
  • Clean up regularly: remove old logs regularly to free disk space
  • Rotate: configure log rotation to keep log files from growing too large
  • Centralize: configure a remote log server for centralized log management
  • Monitor and alert: configure log monitoring to detect anomalies promptly

5.2 Common Problems and Solutions

Common log management problems and their solutions:

  • Log files too large: configure log rotation and clean up old logs regularly
  • Log loss: configure persistent storage and set up log backups
  • Too many logs: configure log levels to filter out unnecessary messages
  • Logs hard to analyze: use log analysis tools to improve analysis efficiency

5.3 Best Practices

Log management best practices:

  • Establish a complete log management system
  • Configure log monitoring and alerting
  • Audit logs regularly to discover security problems
  • Use log analysis tools to improve analysis efficiency
  • Establish a log backup strategy to prevent log loss

Production recommendation: in production, establish a complete log management system covering log collection, storage, analysis and alerting, so that the system remains observable.

This article should give readers a fuller understanding of the basics of Linux system log management. Mastering this material helps with managing and analyzing system logs more effectively.


Compiled and published by 风哥教程 for learning and testing purposes only. When reposting, cite the source: http://www.fgedu.net.cn/10327.html
