内容大纲
内容简介:本文风哥教程参考Linux官方文档、Red Hat Enterprise Linux官方文档、Ansible Automation Platform官方文档、Docker官方文档、Kubernetes官方文档和Podman官方文档等内容,详细介绍了相关技术的配置和使用方法。
1. 系统日志管理概述
系统日志管理是通过配置、查询、轮转、分析系统日志,管理系统日志的过程。
# 日志配置:配置日志级别、日志格式、日志存储
# 日志查询:查询和分析系统日志
# 日志轮转:配置日志轮转策略
# 日志分析:分析日志找出问题和趋势
# 日志备份:备份重要日志
# 日志监控:监控日志异常
2. 日志配置
配置系统日志。
# 1. 查看rsyslog配置
[root@localhost ~]# cat /etc/rsyslog.conf
# rsyslog configuration file
# Load modules
module(load="imuxsock")
module(load="imjournal")
module(load="omjournal")
# Include all config files in /etc/rsyslog.d/ (note: included BEFORE the rules below,
# so a "stop" in a drop-in file prevents the message from reaching /var/log/messages etc.)
include(file="/etc/rsyslog.d/*.conf")
# Log all kernel messages to the console
kern.* /dev/console
# Log anything (except mail) of level info or higher.
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# 2. 创建自定义日志配置
[root@localhost ~]# cat > /etc/rsyslog.d/99-custom.conf << 'EOF'
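# Custom rsyslog rules. /etc/rsyslog.conf includes this directory before its own
# rules, so a "stop" here keeps the message out of /var/log/messages,
# /var/log/secure and the other standard files.

# Application log: everything tagged 'myapp' goes to its own file only.
# fileCreateMode keeps the file from being world-readable when rsyslog creates it.
if $programname == 'myapp' then {
    action(type="omfile" file="/var/log/myapp.log" fileCreateMode="0640")
    stop
}

# Copy of every message at severity err or worse (err, crit, alert, emerg).
# The previous rule compared $syslogseverity-text with 'error', which is not a
# severity name rsyslog uses (it uses emerg/alert/crit/err/warning/notice/info/debug),
# and then issued "stop", which would have removed matching messages from the
# standard files. Deliberately no "stop": error-level sshd/PAM messages must still
# reach /var/log/secure for auditing. Use "*.=err" to match severity err only.
*.err action(type="omfile" file="/var/log/error.log" fileCreateMode="0640")

# Copy of messages at exactly severity warning; again no "stop".
*.=warning action(type="omfile" file="/var/log/warning.log" fileCreateMode="0640")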
EOF
# 3. 重启rsyslog服务
[root@localhost ~]# systemctl restart rsyslog
# 4. 查看rsyslog服务状态
[root@localhost ~]# systemctl status rsyslog
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; preset: enabled)
Active: active (running) since Fri 2026-04-03 09:00:00 CST; 1h ago
Docs: man:rsyslogd(8)
https://www.rsyslog.com/doc/
Main PID: 1234 (rsyslogd)
Tasks: 3 (limit: 4915)
Memory: 12.5M
CPU: 123ms
CGroup: /system.slice/rsyslog.service
└─1234 /usr/sbin/rsyslogd -n
Apr 03 09:00:00 localhost systemd[1]: Starting System Logging Service...
Apr 03 09:00:00 localhost rsyslogd[1234]: [origin software="rsyslogd" swVersion="8.2102.0" x-pid="1234" x-info="https://www.rsyslog.com"] start
Apr 03 09:00:00 localhost systemd[1]: Started System Logging Service.
# 5. 查看日志目录
[root@localhost ~]# ls -lh /var/log/
total 100M
-rw-------. 1 root root 10M Apr 3 10:00 anaconda
-rw-------. 1 root root 10M Apr 3 10:00 audit.log
-rw-------. 1 root root 10M Apr 3 10:00 boot.log
-rw-------. 1 root root 10M Apr 3 10:00 btmp
-rw-------. 1 root root 10M Apr 3 10:00 cron
-rw-------. 1 root root 10M Apr 3 10:00 dmesg
-rw-------. 1 root root 10M Apr 3 10:00 firewalld
-rw-------. 1 root root 10M Apr 3 10:00 grubby_prune_debug
-rw-------. 1 root root 10M Apr 3 10:00 lastlog
-rw-------. 1 root root 10M Apr 3 10:00 maillog
-rw-------. 1 root root 10M Apr 3 10:00 messages
-rw-------. 1 root root 10M Apr 3 10:00 secure
-rw-------. 1 root root 10M Apr 3 10:00 spooler
-rw-------. 1 root root 10M Apr 3 10:00 tuned
-rw-------. 1 root root 10M Apr 3 10:00 wtmp
-rw-------. 1 root root 10M Apr 3 10:00 yum.log
3. 日志查询
查询和分析系统日志。
# 1. 查看系统日志
[root@localhost ~]# tail -f /var/log/messages
Apr 3 10:00:00 localhost systemd[1]: Starting System Logging Service...
Apr 3 10:00:00 localhost rsyslogd[1234]: [origin software="rsyslogd" swVersion="8.2102.0" x-pid="1234" x-info="https://www.rsyslog.com"] start
Apr 3 10:00:00 localhost systemd[1]: Started System Logging Service.
Apr 3 10:00:00 localhost systemd[1]: Starting Network Manager...
Apr 3 10:00:00 localhost NetworkManager[1234]:
Apr 3 10:00:00 localhost NetworkManager[1234]:
Apr 3 10:00:00 localhost NetworkManager[1234]:
Apr 3 10:00:00 localhost NetworkManager[1234]:
Apr 3 10:00:00 localhost NetworkManager[1234]:
Apr 3 10:00:00 localhost NetworkManager[1234]:
Apr 3 10:00:00 localhost NetworkManager[1234]:
Apr 3 10:00:00 localhost NetworkManager[1234]:
# 2. 查看安全日志（注意：下面的记录显示 root 通过密码直接 SSH 登录；生产环境应设置 PermitRootLogin no 并改用密钥认证，root 的远程密码登录本身就应视为需要告警的事件）
[root@localhost ~]# tail -f /var/log/secure
Apr 3 10:00:00 localhost sshd[1234]: Accepted password for root from 192.168.1.100 port 22 ssh2
Apr 3 10:00:00 localhost sshd[1234]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 3 10:00:00 localhost sshd[1234]: pam_unix(sshd:session): session closed for user root
Apr 3 10:00:00 localhost sshd[1234]: Accepted password for root from 192.168.1.100 port 22 ssh2
Apr 3 10:00:00 localhost sshd[1234]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 3 10:00:00 localhost sshd[1234]: pam_unix(sshd:session): session closed for user root
# 3. 查看认证日志
[root@localhost ~]# journalctl -u sshd -f
Apr 03 10:00:00 localhost sshd[1234]: Accepted password for root from 192.168.1.100 port 22 ssh2
Apr 03 10:00:00 localhost sshd[1234]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 03 10:00:00 localhost sshd[1234]: pam_unix(sshd:session): session closed for user root
Apr 03 10:00:00 localhost sshd[1234]: Accepted password for root from 192.168.1.100 port 22 ssh2
Apr 03 10:00:00 localhost sshd[1234]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 03 10:00:00 localhost sshd[1234]: pam_unix(sshd:session): session closed for user root
# 4. 查看内核日志
[root@localhost ~]# dmesg | tail -20
[12345.678901] ACPI: Core revision 20220331
[12345.678902] ACPI: All ACPI Tables successfully acquired
[12345.678903] ACPI: DSDT 0000000000000000 v02 BOCHS BXPCDSDT 00000001 BXPC 00000001
[12345.678904] ACPI: XSDT 0000000000000000 v01 BOCHS BXPCXSDT 00000001 BXPC 00000001
[12345.678905] ACPI: FACP 0000000000000000 v05 BOCHS BXPCFACP 00000001 BXPC 00000001
[12345.678906] ACPI: DSDT 0000000000000000 v02 BOCHS BXPCDSDT 00000001 BXPC 00000001
[12345.678907] ACPI: FACS 0000000000000000 v01 BOCHS BXPCFACS 00000001 BXPC 00000001
[12345.678908] ACPI: APIC 0000000000000000 v05 BOCHS BXPCAPIC 00000001 BXPC 00000001
[12345.678909] ACPI: HPET 0000000000000000 v01 BOCHS BXPCHPET 00000001 BXPC 00000001
[12345.678910] ACPI: SSDT 0000000000000000 v01 BOCHS BXPCSSDT 00000001 BXPC 00000001
[12345.678911] ACPI: Reserving FACP memory region at [mem 0x7ff00000-0x7ff00fff]
[12345.678912] ACPI: Reserving DSDT memory region at [mem 0x7ff01000-0x7ffeffff]
[12345.678913] ACPI: Reserving FACS memory region at [mem 0x7fff0000-0x7fff0fff]
[12345.678914] ACPI: Reserving APIC memory region at [mem 0x7fff1000-0x7fff1fff]
[12345.678915] ACPI: Reserving HPET memory region at [mem 0x7fff2000-0x7fff2fff]
[12345.678916] ACPI: Reserving SSDT memory region at [mem 0x7fff3000-0x7fff3fff]
# 5. 查看特定时间范围的日志
[root@localhost ~]# journalctl --since "2026-04-03 09:00:00" --until "2026-04-03 10:00:00"
Apr 03 09:00:00 localhost systemd[1]: Starting System Logging Service...
Apr 03 09:00:00 localhost rsyslogd[1234]: [origin software="rsyslogd" swVersion="8.2102.0" x-pid="1234" x-info="https://www.rsyslog.com"] start
Apr 03 09:00:00 localhost systemd[1]: Started System Logging Service.
Apr 03 09:00:00 localhost systemd[1]: Starting Network Manager...
Apr 03 09:00:00 localhost NetworkManager[1234]:
Apr 03 09:00:00 localhost NetworkManager[1234]:
Apr 03 09:00:00 localhost NetworkManager[1234]:
Apr 03 09:00:00 localhost NetworkManager[1234]:
Apr 03 09:00:00 localhost NetworkManager[1234]:
Apr 03 09:00:00 localhost NetworkManager[1234]:
Apr 03 09:00:00 localhost NetworkManager[1234]:
Apr 03 09:00:00 localhost NetworkManager[1234]:
4. 日志轮转
配置日志轮转策略。
# 1. 查看logrotate配置
[root@localhost ~]# cat /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# use date as a suffix of the rotated file
dateext
# uncomment this if you want your log files compressed
#compress
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
minsize 1M
rotate 1
}
/var/log/btmp {
missingok
monthly
create 0600 root utmp
rotate 1
}
# 2. 创建自定义日志轮转配置
[root@localhost ~]# cat > /etc/logrotate.d/myapp << 'EOF'
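# Rotation for the application log that rsyslog writes
# (see /etc/rsyslog.d/99-custom.conf). The path must match that rule:
# it writes /var/log/myapp.log, not /var/log/myapp/*.log, so the previous
# pattern matched nothing and the file was never rotated.
/var/log/myapp.log {
    daily
    rotate 30
    compress
    delaycompress
    missingok
    notifempty
    # 0640 root:root: not world-readable, consistent with fileCreateMode in the rsyslog rule
    create 0640 root root
    sharedscripts
    postrotate
        # rsyslog keeps the rotated (renamed) file open and would go on writing
        # to it; HUP makes it reopen /var/log/myapp.log. If the application
        # writes this file itself instead of logging via syslog, reload the
        # application here rather than rsyslog.
        /usr/bin/systemctl kill -s HUP rsyslog.service > /dev/null 2>&1 || true
    endscript
}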
EOF
# 3. 测试日志轮转（-d 为调试/演练模式，只打印将要执行的操作，不会真正轮转或修改任何文件）
[root@localhost ~]# logrotate -d /etc/logrotate.conf
reading config file /etc/logrotate.conf
reading config file /etc/logrotate.d/myapp
reading config file /etc/logrotate.d/syslog
reading config file /etc/logrotate.d/yum
Handling 1 logs
rotating pattern: /var/log/wtmp monthly (1 rotations)
empty log files are rotated, old logs are removed
considering log /var/log/wtmp
log does not need rotating
rotating pattern: /var/log/btmp monthly (1 rotations)
empty log files are rotated, old logs are removed
considering log /var/log/btmp
log does not need rotating
# 4. 手动执行日志轮转（注意：-f 会强制轮转 /etc/logrotate.conf 引用的所有日志并占用一个保留轮次，例如 wtmp 的 rotate 1 会使上一份轮转文件立即被删除；只验证单个配置时建议只传入该文件，如 logrotate -f /etc/logrotate.d/myapp）
[root@localhost ~]# logrotate -f /etc/logrotate.conf
# 5. 查看轮转后的日志
[root@localhost ~]# ls -lh /var/log/
total 100M
-rw-------. 1 root root 10M Apr 3 10:00 anaconda
-rw-------. 1 root root 10M Apr 3 10:00 audit.log
-rw-------. 1 root root 10M Apr 3 10:00 boot.log
-rw-------. 1 root root 10M Apr 3 10:00 boot.log-20260402
-rw-------. 1 root root 10M Apr 3 10:00 btmp
-rw-------. 1 root root 10M Apr 3 10:00 cron
-rw-------. 1 root root 10M Apr 3 10:00 cron-20260402
-rw-------. 1 root root 10M Apr 3 10:00 dmesg
-rw-------. 1 root root 10M Apr 3 10:00 firewalld
-rw-------. 1 root root 10M Apr 3 10:00 grubby_prune_debug
-rw-------. 1 root root 10M Apr 3 10:00 lastlog
-rw-------. 1 root root 10M Apr 3 10:00 maillog
-rw-------. 1 root root 10M Apr 3 10:00 messages
-rw-------. 1 root root 10M Apr 3 10:00 messages-20260402
-rw-------. 1 root root 10M Apr 3 10:00 secure
-rw-------. 1 root root 10M Apr 3 10:00 secure-20260402
-rw-------. 1 root root 10M Apr 3 10:00 spooler
-rw-------. 1 root root 10M Apr 3 10:00 tuned
-rw-------. 1 root root 10M Apr 3 10:00 wtmp
-rw-------. 1 root root 10M Apr 3 10:00 yum.log
5. 日志分析
分析日志找出问题和趋势。
# 1. 统计错误日志数量
[root@localhost ~]# grep -i "error" /var/log/messages | wc -l
10
# 2. 统计警告日志数量
[root@localhost ~]# grep -i "warning" /var/log/messages | wc -l
20
# 3. 统计失败登录次数
[root@localhost ~]# grep "Failed password" /var/log/secure | wc -l
5
# 4. 查看最近10条错误日志
[root@localhost ~]# grep -i "error" /var/log/messages | tail -10
Apr 3 09:55:00 localhost myapp[1234]: ERROR: Connection failed
Apr 3 09:55:10 localhost myapp[1234]: ERROR: Timeout occurred
Apr 3 09:55:20 localhost myapp[1234]: ERROR: Invalid parameter
Apr 3 09:55:30 localhost myapp[1234]: ERROR: Permission denied
Apr 3 09:55:40 localhost myapp[1234]: ERROR: Disk full
Apr 3 09:55:50 localhost myapp[1234]: ERROR: Memory exhausted
Apr 3 09:56:00 localhost myapp[1234]: ERROR: Network unreachable
Apr 3 09:56:10 localhost myapp[1234]: ERROR: File not found
Apr 3 09:56:20 localhost myapp[1234]: ERROR: Service unavailable
Apr 3 09:56:30 localhost myapp[1234]: ERROR: Internal server error
# 5. 查看特定用户的登录日志
[root@localhost ~]# grep "Accepted" /var/log/secure | grep " for root from "
Apr 3 10:00:00 localhost sshd[1234]: Accepted password for root from 192.168.1.100 port 22 ssh2
Apr 3 10:00:00 localhost sshd[1234]: Accepted password for root from 192.168.1.100 port 22 ssh2
Apr 3 10:00:00 localhost sshd[1234]: Accepted password for root from 192.168.1.100 port 22 ssh2
# 6. 查看系统启动日志
[root@localhost ~]# journalctl -b
Apr 03 09:00:00 localhost systemd[1]: Starting system…
Apr 03 09:00:00 localhost kernel: Linux version 5.14.0-362.el9.x86_64 (mockbuild@x86-05.bsys.centos.org) (gcc version 11.2.1 20220127 (Red Hat 11.2.1-9), GNU ld version 2.35-9.el9) #1 SMP PREEMPT Wed Jan 11 18:35:18 UTC 2023
Apr 03 09:00:00 localhost kernel: Command line: BOOT_IMAGE=/vmlinuz-5.14.0-362.el9.x86_64 root=/dev/mapper/rootvg-rootlv ro crashkernel=auto resume=/dev/mapper/rootvg-swaplv rd.lvm.lv=rootvg/rootlv rd.lvm.lv=rootvg/swaplv rhgb quiet
Apr 03 09:00:00 localhost kernel: x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'
Apr 03 09:00:00 localhost kernel: x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers'
Apr 03 09:00:00 localhost kernel: x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers'
Apr 03 09:00:00 localhost kernel: x86/fpu: xstate_offset[2]: 576, xstate_sizes[2]: 256
Apr 03 09:00:00 localhost kernel: x86/fpu: Enabled xstate features 0x7, context size is 832 bytes, using 'standard' format.
6. 实战案例
系统日志管理实战案例。
# 1. 创建日志分析脚本
[root@localhost ~]# cat > /usr/local/bin/log-analysis.sh << 'EOF'
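#!/bin/bash
# log-analysis.sh - write a small summary of system and application log
# activity to $REPORT_FILE and record progress in $LOG_FILE.
#
# Reads:  /var/log/messages, /var/log/secure, /var/log/myapp.log (optional), df(1)
# Writes: $REPORT_FILE (overwritten on every run), $LOG_FILE (appended)
# Needs:  root, because the input files are 0600 root-owned
# Exits:  non-zero if the log or report file cannot be written
#
# The previous version used typographic quotes (“ ”) around every string, so
# the grep patterns and messages were literally wrong; all quotes are ASCII here.

set -euo pipefail

LOG_FILE="/var/log/log-analysis.log"
REPORT_FILE="/var/log/log-analysis-report.txt"

# The report records failed-login counts and the mount layout; create it
# root-only instead of inheriting the caller's umask (typically 022 -> 0644).
umask 077

# log MESSAGE - append one timestamped line to $LOG_FILE.
log() {
  printf '[%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" >> "$LOG_FILE"
}

# report LINE... - append each argument as one line of the report.
report() {
  printf '%s\n' "$@" >> "$REPORT_FILE"
}

# count_matches FILE PATTERN [GREP-OPTION...] - print how many lines of FILE
# match PATTERN; prints 0 (and logs a warning) when FILE is unreadable.
# grep -c exits 1 when nothing matches, which set -e would otherwise treat
# as a failure, so that status is deliberately ignored.
count_matches() {
  local file=$1 pattern=$2 n
  shift 2
  if [[ ! -r "$file" ]]; then
    log "WARNING: $file is missing or unreadable, counting 0"
    printf '0\n'
    return 0
  fi
  n=$(grep -c "$@" -- "$pattern" "$file") || true
  printf '%s\n' "${n:-0}"
}

# Section 1: counts from the syslog files.
analyze_system_log() {
  log "Analyzing system log..."
  report "=== System Log Analysis ===" ""
  report "Error count: $(count_matches /var/log/messages error -i)"
  report "Warning count: $(count_matches /var/log/messages warning -i)"
  # "Failed password" is sshd's wording; failures of sudo/su/other PAM
  # services use different messages and are not included in this number.
  report "Failed login count: $(count_matches /var/log/secure 'Failed password' -F)"
  report ""
}

# Section 2: counts from the application log written by rsyslog
# (/etc/rsyslog.d/99-custom.conf); the file may not exist yet.
analyze_app_log() {
  log "Analyzing application log..."
  report "=== Application Log Analysis ===" ""
  report "Application error count: $(count_matches /var/log/myapp.log error -i)"
  report "Application warning count: $(count_matches /var/log/myapp.log warning -i)"
  report ""
}

# Section 3: filesystem usage, so a filling /var/log is visible in the report.
analyze_disk_space() {
  log "Analyzing disk space..."
  report "=== Disk Space Analysis ===" ""
  df -h >> "$REPORT_FILE"
  report ""
}

main() {
  log "Starting log analysis..."
  # Start a fresh report; the chmod also fixes a report left behind by an
  # earlier run that was created with a more permissive umask.
  : > "$REPORT_FILE"
  chmod 0600 "$REPORT_FILE"
  analyze_system_log
  analyze_app_log
  analyze_disk_space
  log "Log analysis completed. Report saved to $REPORT_FILE"
}

main "$@"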
EOF
# 2. 设置脚本执行权限
[root@localhost ~]# chmod +x /usr/local/bin/log-analysis.sh
# 3. 创建日志文件
[root@localhost ~]# touch /var/log/log-analysis.log
[root@localhost ~]# chmod 644 /var/log/log-analysis.log
# 4. 配置定时任务
[root@localhost ~]# echo "0 0 * * * root /usr/local/bin/log-analysis.sh" > /etc/cron.d/log-analysis
# 5. 重启cron服务
[root@localhost ~]# systemctl restart crond
# 6. 测试分析脚本
[root@localhost ~]# /usr/local/bin/log-analysis.sh
# 7. 查看报告
[root@localhost ~]# cat /var/log/log-analysis-report.txt
=== System Log Analysis ===
Error count: 10
Warning count: 20
Failed login count: 5
=== Application Log Analysis ===
Application error count: 15
Application warning count: 25
=== Disk Space Analysis ===
Filesystem Size Used Avail Use% Mounted on
devtmpfs 4.0G 0 4.0G 0% /dev
tmpfs 4.0G 0 4.0G 0% /dev/shm
tmpfs 4.0G 100M 3.9G 3% /run
/dev/mapper/rootvg-rootlv 100G 50G 50G 50% /
/dev/sda1 500M 100M 400M 20% /boot
/dev/mapper/rootvg-datalv 500G 400G 100G 80% /data
# 8. 查看日志
[root@localhost ~]# tail -f /var/log/log-analysis.log
[2026-04-03 10:00:00] Starting log analysis…
[2026-04-03 10:00:01] Analyzing system log…
[2026-04-03 10:00:02] Analyzing application log…
[2026-04-03 10:00:03] Analyzing disk space…
[2026-04-03 10:00:04] Log analysis completed. Report saved to /var/log/log-analysis-report.txt
# 9. 创建日志备份脚本
[root@localhost ~]# cat > /usr/local/bin/log-backup.sh << 'EOF'
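#!/bin/bash
# log-backup.sh - archive the main system logs and the application log into
# dated tarballs under $BACKUP_DIR and delete archives older than 30 days.
#
# Reads:  /var/log/messages, /var/log/secure, /var/log/cron, /var/log/myapp.log
# Writes: $BACKUP_DIR/system-logs-YYYYMMDD.tar.gz,
#         $BACKUP_DIR/app-logs-YYYYMMDD.tar.gz, $LOG_FILE (appended)
# Needs:  root, because the source files are 0600 root-owned
# Exits:  non-zero if an archive could not be created
#
# NOTE: the archives stay on this host. A local copy does not protect the logs
# if the host itself is compromised; copy them off-host as well.
# The previous version used typographic quotes (“ ”) around every string, so
# the messages and the find pattern were literally wrong; all quotes are ASCII here.

set -euo pipefail

BACKUP_DIR="/backup/logs"
DATE=$(date '+%Y%m%d')
LOG_FILE="/var/log/log-backup.log"

# The archives contain /var/log/secure (authentication history, client IPs).
# Create the directory and tarballs root-only instead of inheriting the
# caller's umask, which would typically leave them world-readable (0644).
umask 077

# log MESSAGE - append one timestamped line to $LOG_FILE.
log() {
  printf '[%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" >> "$LOG_FILE"
}

mkdir -p "$BACKUP_DIR"

# archive OUT FILE... - create the compressed tarball OUT from the absolute
# paths FILE... . Returns non-zero on a fatal tar error so the caller does
# not claim success for an archive that was never written.
# GNU tar exits 1 when a file changed while it was being read (expected for
# live logs; the archive is still usable) and 2 on fatal errors.
archive() {
  local out=$1 rc=0
  shift
  # "-C / path/without/slash" stores the same member names tar would produce
  # for the absolute paths, without the "Removing leading /" warning.
  tar -czf "$out" -C / -- "${@#/}" || rc=$?
  if (( rc >= 2 )); then
    log "ERROR: failed to create $out (tar exit status $rc)"
    return "$rc"
  elif (( rc == 1 )); then
    log "WARNING: a file changed while $out was being written (tar exit status 1)"
  fi
  return 0
}

backup_system_logs() {
  local out="$BACKUP_DIR/system-logs-$DATE.tar.gz"
  log "Backing up system logs..."
  archive "$out" /var/log/messages /var/log/secure /var/log/cron || return 1
  log "System logs backed up to $out"
}

backup_app_logs() {
  local out="$BACKUP_DIR/app-logs-$DATE.tar.gz"
  log "Backing up application logs..."
  archive "$out" /var/log/myapp.log || return 1
  log "Application logs backed up to $out"
}

# Remove archives older than 30 days; restricted to regular files directly
# under $BACKUP_DIR so nothing else sharing the directory is touched.
cleanup_old_backups() {
  log "Cleaning up old backups..."
  find "$BACKUP_DIR" -maxdepth 1 -type f -name '*.tar.gz' -mtime +30 -delete
  log "Old backups cleaned up."
}

# Run every step even if one archive fails, then report the overall status.
main() {
  local rc=0
  log "Starting log backup..."
  backup_system_logs || rc=1
  backup_app_logs || rc=1
  cleanup_old_backups
  if (( rc == 0 )); then
    log "Log backup completed."
  else
    log "Log backup completed with errors."
  fi
  return "$rc"
}

main "$@"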
EOF
# 10. 设置脚本执行权限
[root@localhost ~]# chmod +x /usr/local/bin/log-backup.sh
# 11. 配置定时任务
[root@localhost ~]# echo "0 2 * * * root /usr/local/bin/log-backup.sh" > /etc/cron.d/log-backup
# 12. 重启cron服务
[root@localhost ~]# systemctl restart crond
# 13. 测试备份脚本
[root@localhost ~]# /usr/local/bin/log-backup.sh
# 14. 查看备份
[root@localhost ~]# ls -lh /backup/logs/
total 100M
-rw-------. 1 root root 50M Apr 3 10:00 app-logs-20260403.tar.gz
-rw-------. 1 root root 50M Apr 3 10:00 system-logs-20260403.tar.gz
# 15. 查看日志
[root@localhost ~]# tail -f /var/log/log-backup.log
[2026-04-03 10:00:00] Starting log backup…
[2026-04-03 10:00:01] Backing up system logs…
[2026-04-03 10:00:02] System logs backed up to /backup/logs/system-logs-20260403.tar.gz
[2026-04-03 10:00:03] Backing up application logs…
[2026-04-03 10:00:04] Application logs backed up to /backup/logs/app-logs-20260403.tar.gz
[2026-04-03 10:00:05] Cleaning up old backups…
[2026-04-03 10:00:06] Old backups cleaned up.
[2026-04-03 10:00:07] Log backup completed.
提示
系统日志管理需要定期分析和备份日志
，及时发现系统问题。建议配置日志轮转策略，避免日志文件过大。对于 /var/log/secure、audit.log 等重要日志，建议定期备份到远程服务器，或通过 rsyslog 实时转发到集中日志服务器：主机被入侵后，攻击者可以删除或篡改本地日志，只有异地副本才能保证事件取证的完整性；同时注意备份文件和分析报告的权限，避免认证记录被普通用户读取。
