
IT Tutorial FG334: Linux Log Analysis and Management

1. Logging System Overview

The Linux logging system records the system's running state and events and is a primary basis for operations diagnosis.

# Linux logging architecture
Logging system architecture:
┌─────────────────────────────────────────────────────┐
│ Applications                                        │
│ (Nginx/MySQL/Java/custom applications)              │
└───────────────────────┬─────────────────────────────┘
                        │
        ┌───────────────┼───────────────┐
        │               │               │
        v               v               v
┌───────────────┐ ┌───────────────┐ ┌───────────────┐
│ rsyslog       │ │ journald      │ │ app logs      │
│ system log    │ │ systemd log   │ │ standalone    │
└───────────────┘ └───────────────┘ └───────────────┘
        │               │               │
        v               v               v
┌───────────────┐ ┌───────────────┐ ┌───────────────┐
│ /var/log/     │ │ /run/log/     │ │ /app/logs/    │
│ messages      │ │ journal/      │ │ app.log       │
│ secure        │ │               │ │               │
│ syslog        │ │               │ │               │
└───────────────┘ └───────────────┘ └───────────────┘

# View the log directory
# ls -la /var/log/
total 4096
drwxr-xr-x. 8 root root 4096 Apr 3 10:00 .
drwxr-xr-x. 20 root root 4096 Mar 1 10:00 ..
-rw-------. 1 root root 0 Apr 3 10:00 audit
-rw-------. 1 root root 12345 Apr 3 10:00 boot.log
-rw-------. 1 root root 45678 Apr 3 10:00 cron
-rw-r--r--. 1 root root 123456 Apr 3 10:00 dmesg
-rw-r--r--. 1 root root 78901 Apr 3 10:00 maillog
-rw-------. 1 root root 234567 Apr 3 10:00 messages
-rw-------. 1 root root 12345 Apr 3 10:00 secure
-rw-r--r--. 1 root root 34567 Apr 3 10:00 syslog

# Main log files
messages - main system log; records most system messages
secure   - security log; records authentication-related events
cron     - scheduled task log
maillog  - mail service log
boot.log - system boot log
dmesg    - kernel boot log
audit    - audit log

# Check the rsyslog service status
# systemctl status rsyslog
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2026-04-03 10:00:00 CST; 2h ago
Main PID: 1234 (rsyslogd)
CGroup: /system.slice/rsyslog.service
└─1234 /usr/sbin/rsyslogd -n

# Check the systemd-journald status
# systemctl status systemd-journald
● systemd-journald.service - Journal Service
Loaded: loaded (/usr/lib/systemd/system/systemd-journald.service; static; vendor preset: static)
Active: active (running) since Fri 2026-04-03 10:00:00 CST; 2h ago

Feng Ge's production recommendations: configure a log rotation policy, implement centralized log management, set up log monitoring and alerting, analyze logs regularly, and protect log security.

2. Rsyslog Configuration

Rsyslog is the main system logging service on Linux.

# View the rsyslog configuration
# cat /etc/rsyslog.conf
# rsyslog configuration file

# Module loading
module(load="imuxsock") # local system logging
module(load="imjournal") # read from the journal
module(load="imklog") # kernel logging
module(load="imudp") # UDP input
module(load="imtcp") # TCP input

# Global directives
global(workDirectory="/var/lib/rsyslog")

# Template definition
template(name="RemoteLogs" type="string"
string="/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log")

# Rule definitions
# facility.priority action
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* /var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log

# Configure a remote log server
# cat > /etc/rsyslog.d/remote.conf << 'EOF'
# Receive remote logs
# (module and template names must be unique across rsyslog.conf and
#  /etc/rsyslog.d/*.conf; if rsyslog.conf already loads imudp/imtcp and
#  defines RemoteLogs, as above, omit the duplicates here)
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")

# Remote log storage
$template RemoteLogs,"/var/log/remote/%fromhost-ip%/%PROGRAMNAME%.log"
*.* ?RemoteLogs
EOF

# Send logs to a remote server
# cat > /etc/rsyslog.d/forward.conf << 'EOF'
# Forward all logs to the remote server
# (@@ = TCP, @ = UDP; both send in plaintext unless TLS is configured)
*.* @@log-server.fgedu.net.cn:514

# Or forward only specific facilities (use instead of the *.* rule above,
# otherwise authpriv messages are sent twice)
authpriv.* @@log-server.fgedu.net.cn:514
EOF

# Restart the rsyslog service
# systemctl restart rsyslog

# Validate the configuration
# rsyslogd -N1
rsyslogd: version 8.24.0, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.

# Log priorities
# emerg   - emergency: system is unusable
# alert   - alert: action must be taken immediately
# crit    - critical: critical conditions
# err     - error: error conditions
# warn    - warning: warning conditions
# notice  - notice: normal but significant
# info    - informational: general information
# debug   - debug: debug-level messages

# Log facilities
# auth     - authentication
# authpriv - privileged authorization
# cron     - scheduled tasks
# daemon   - system daemons
# ftp      - FTP service
# kern     - kernel messages
# local0-7 - locally defined use
# lpr      - printing
# mail     - mail service
# news     - news service
# syslog   - syslog internal
# user     - user processes
# uucp     - UUCP service

3. Journald Management

Journald is systemd's logging component and provides structured logs.

# View all logs
# journalctl
-- Logs begin at Fri 2026-04-01 00:00:00 CST, end at Fri 2026-04-03 10:00:00 CST. --
Apr 01 00:00:00 fgedu-server kernel: Linux version 3.10.0-1160.el7.x86_64
Apr 01 00:00:01 fgedu-server kernel: Command line: BOOT_IMAGE=/vmlinuz-3.10.0-1160.el7.x86_64
Apr 01 00:00:01 fgedu-server systemd[1]: Starting System Logging Service...

# View kernel logs
# journalctl -k
-- Logs begin at Fri 2026-04-01 00:00:00 CST. --
Apr 01 00:00:00 fgedu-server kernel: Linux version 3.10.0-1160.el7.x86_64
Apr 01 00:00:00 fgedu-server kernel: Command line: BOOT_IMAGE=/vmlinuz-3.10.0-1160.el7.x86_64

# View logs from the current boot
# journalctl -b

# View logs from the previous boot
# (requires a persistent journal: Storage=persistent, or /var/log/journal present with Storage=auto)
# journalctl -b -1

# Follow logs in real time
# journalctl -f
-- Logs begin at Fri 2026-04-01 00:00:00 CST. --
Apr 03 10:00:00 fgedu-server sshd[12345]: Accepted publickey for root from 192.168.1.100

# Filter by time
# journalctl --since "2026-04-03 09:00:00"
# journalctl --until "2026-04-03 10:00:00"
# journalctl --since today
# journalctl --since yesterday
# journalctl --since "1 hour ago"

# Filter by service
# journalctl -u nginx.service
-- Logs begin at Fri 2026-04-01 00:00:00 CST. --
Apr 03 10:00:00 fgedu-server systemd[1]: Starting The nginx HTTP and reverse proxy server...
Apr 03 10:00:00 fgedu-server systemd[1]: Started The nginx HTTP and reverse proxy server.

# Filter by priority
# journalctl -p err
-- Logs begin at Fri 2026-04-01 00:00:00 CST. --
Apr 03 10:00:00 fgedu-server sshd[12345]: error: PAM: Authentication failure

# Filter by user
# journalctl _UID=0

# Filter by process
# journalctl _PID=1234

# Filter by executable
# journalctl /usr/sbin/sshd

# Show journal disk usage
# journalctl --disk-usage
Archived and active journals take up 128.0M on disk.

# Clean up logs by size
# journalctl --vacuum-size=100M
Vacuuming done, freed 28.0M of archived journals on disk.

# Clean up logs by age
# journalctl --vacuum-time=7d

# Configure journald
# cat /etc/systemd/journald.conf
[Journal]
Storage=auto
Compress=yes
Seal=yes
SplitMode=uid
RateLimitInterval=30s
RateLimitBurst=1000
SystemMaxUse=500M
SystemKeepFree=100M
SystemMaxFileSize=50M
RuntimeMaxUse=100M
RuntimeKeepFree=50M
RuntimeMaxFileSize=10M
MaxRetentionSec=1month
MaxFileSec=1week
ForwardToSyslog=yes
ForwardToKMsg=no
ForwardToConsole=no
ForwardToWall=yes
TTYPath=/dev/console
MaxLevelStore=debug
MaxLevelSyslog=debug
MaxLevelKMsg=notice
MaxLevelConsole=info
MaxLevelWall=emerg

# Restart journald
# systemctl restart systemd-journald

4. Log Rotation

Log rotation prevents log files from growing without bound.

# View the logrotate configuration
# cat /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# use date as a suffix of the rotated file
dateext

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# system-specific logs may also be configured here.

# View an application's log rotation configuration
# cat /etc/logrotate.d/nginx
/var/log/nginx/*.log {
    daily
    missingok
    rotate 14
    compress
    delaycompress
    notifempty
    create 0640 nginx adm
    sharedscripts
    postrotate
        [ -f /var/run/nginx.pid ] && kill -USR1 `cat /var/run/nginx.pid`
    endscript
}

# Create a custom log rotation configuration
# cat > /etc/logrotate.d/fgedu-app << 'EOF'
/opt/app/logs/*.log {
    daily
    rotate 30
    compress
    delaycompress
    missingok
    notifempty
    create 0644 app app
    dateext
    dateformat -%Y%m%d
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /opt/app/logs/app.pid 2>/dev/null` 2>/dev/null || true
    endscript
}
EOF

# Run log rotation manually
# logrotate -vf /etc/logrotate.conf
reading config file /etc/logrotate.conf
including /etc/logrotate.d
reading config file nginx
reading config file syslog

Handling 1 logs

rotating pattern: /var/log/nginx/*.log forced from command line (14 rotations)
empty log files are rotated, old logs are removed
considering log /var/log/nginx/access.log
log needs rotating
rotating log /var/log/nginx/access.log, log->rotateCount is 14
dateext suffix '-20260403'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
renaming /var/log/nginx/access.log to /var/log/nginx/access.log-20260403
creating new /var/log/nginx/access.log mode = 0640 uid = 997 gid = 4

# Test the configuration (dry run)
# logrotate -d /etc/logrotate.d/nginx
reading config file nginx
Handling 1 logs

rotating pattern: /var/log/nginx/*.log weekly (14 rotations)
empty log files are rotated, old logs are removed
considering log /var/log/nginx/access.log
log does not need rotating

# View rotation state
# cat /var/lib/logrotate/logrotate.status
logrotate state -- version 2
"/var/log/nginx/access.log" 2026-4-3
"/var/log/nginx/error.log" 2026-4-3
"/var/log/messages" 2026-4-2

# Log rotation script
# cat > /opt/scripts/logrotate_custom.sh << 'EOF'
#!/bin/bash
LOG_DIR="/opt/app/logs"
RETENTION_DAYS=30
COMPRESS_DAYS=7

echo "Starting log rotation: $(date)"

# Rotate logs
# (a process that has the file open keeps writing to the renamed file until it
#  reopens its log, so signal it to reopen, as the HUP in the logrotate example does)
find "$LOG_DIR" -name "*.log" -size +100M | while read -r log; do
    echo "Rotating: $log"
    mv "$log" "${log}.$(date +%Y%m%d%H%M%S)"
    touch "$log"
    chmod 644 "$log"
done

# Compress old logs
find "$LOG_DIR" -name "*.log.*" -mtime +"$COMPRESS_DAYS" -not -name "*.gz" | while read -r log; do
    echo "Compressing: $log"
    gzip "$log"
done

# Delete expired logs
find "$LOG_DIR" -name "*.log.*.gz" -mtime +"$RETENTION_DAYS" | while read -r log; do
    echo "Deleting: $log"
    rm -f "$log"
done

echo "Log rotation complete: $(date)"
EOF
# chmod +x /opt/scripts/logrotate_custom.sh

5. Log Analysis

Log analysis helps uncover system problems and security threats.

# Analyze failed logins
# (field 11 is the source IP for "Failed password for USER from IP" lines; sshd's
#  "Failed password for invalid user USER from IP" lines carry two extra words,
#  which shifts the IP to field 13)
# grep "Failed password" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr
50 192.168.1.100
25 192.168.1.101
10 192.168.1.102

# Analyze successful logins
# grep "Accepted password" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr
20 192.168.1.10
15 192.168.1.11
10 192.168.1.12

# Analyze sudo usage
# grep "sudo:" /var/log/secure | tail -20
Apr 03 10:00:00 fgedu-server sudo: zhangsan : TTY=pts/0 ; PWD=/home/zhangsan ; USER=root ; COMMAND=/bin/ls
Apr 03 10:05:00 fgedu-server sudo: lisi : TTY=pts/1 ; PWD=/home/lisi ; USER=root ; COMMAND=/usr/bin/vim

# Analyze system errors
# grep -i "error\|fail\|critical" /var/log/messages | tail -20
Apr 03 10:00:00 fgedu-server kernel: sd 0:0:1:0: [sdb] Medium error
Apr 03 10:05:00 fgedu-server systemd[1]: Failed to start nginx.service.

# Analyze Nginx access logs
# awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -nr | head -10
12345 192.168.1.100
9876 192.168.1.101
5432 192.168.1.102

# Analyze HTTP status codes
# awk '{print $9}' /var/log/nginx/access.log | sort | uniq -c | sort -nr
50000 200
1000 304
500 404
100 500
50 502

# Analyze slow requests
# (assumes the log format appends $request_time as the last field; the default
#  combined format does not include it)
# awk '$NF > 5 {print $0}' /var/log/nginx/access.log | head -10
192.168.1.100 - - [03/Apr/2026:10:00:00 +0800] "GET /api/slow" 200 1234 "-" "Mozilla/5.0" 5.123

# Log analysis script
# cat > /opt/scripts/log_analysis.sh << 'EOF'
#!/bin/bash
LOG_DATE=$(date +%Y%m%d)
REPORT_FILE="/var/log/log_analysis_${LOG_DATE}.txt"

echo "Log analysis report - $(date)" > "$REPORT_FILE"
echo "==========================================" >> "$REPORT_FILE"

echo "" >> "$REPORT_FILE"
echo "[Login analysis]" >> "$REPORT_FILE"
echo "----------------------------------------" >> "$REPORT_FILE"
echo "Top 10 failed logins:" >> "$REPORT_FILE"
grep "Failed password" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | head -10 >> "$REPORT_FILE"

echo "" >> "$REPORT_FILE"
echo "Top 10 successful logins:" >> "$REPORT_FILE"
grep "Accepted password" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | head -10 >> "$REPORT_FILE"

echo "" >> "$REPORT_FILE"
echo "[System errors]" >> "$REPORT_FILE"
echo "----------------------------------------" >> "$REPORT_FILE"
grep -i "error\|fail\|critical" /var/log/messages | tail -20 >> "$REPORT_FILE"

echo "" >> "$REPORT_FILE"
echo "[Disk space]" >> "$REPORT_FILE"
echo "----------------------------------------" >> "$REPORT_FILE"
df -h >> "$REPORT_FILE"

echo "" >> "$REPORT_FILE"
echo "[Log file sizes]" >> "$REPORT_FILE"
echo "----------------------------------------" >> "$REPORT_FILE"
du -sh /var/log/* >> "$REPORT_FILE"

echo "" >> "$REPORT_FILE"
echo "==========================================" >> "$REPORT_FILE"

echo "Report generated: $REPORT_FILE"
EOF

# chmod +x /opt/scripts/log_analysis.sh

# Advanced analysis with awk
# Requests within a specific time window
# awk '$4 >= "[03/Apr/2026:09:00:00" && $4 <= "[03/Apr/2026:10:00:00"' /var/log/nginx/access.log

# Count hits per URL
# awk '{print $7}' /var/log/nginx/access.log | sort | uniq -c | sort -nr | head -20
5000 /api/user/list
3000 /api/product/list
2000 /api/order/create
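The fixed-field `awk '{print $11}'` extraction used for failed logins above breaks on sshd's "invalid user" lines, where the IP moves to field 13. The following is an added example (not part of the original tutorial) that keys on the `from <ip> port` phrase instead, counts failures per source address over constructed sample lines, and flags addresses that reach a threshold; the function names and the documentation-range IPs are the example's own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: count failed SSH logins per
# source IP from a secure/auth log, handling both line forms sshd emits:
#   "Failed password for root from 192.0.2.10 port 4242 ssh2"
#   "Failed password for invalid user admin from 192.0.2.10 port 4243 ssh2"
# A fixed field number only fits the first form; anchoring on "from <ip> port"
# works for both.

# Print "count ip" pairs, most frequent first.
failed_logins_by_ip() {
    grep "Failed password" "$1" \
        | sed -n 's/.*from \([0-9.]*\) port.*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Print only IPs whose failure count reaches the threshold (default 5):
# a simple brute-force indicator for an alert or a firewall review.
brute_force_suspects() {
    threshold=${2:-5}
    failed_logins_by_ip "$1" | awk -v t="$threshold" '$1 >= t {print $2}'
}

# Constructed sample lines (documentation-range addresses, not real hosts).
SAMPLE_SECURE=$(mktemp)
trap 'rm -f "$SAMPLE_SECURE"' EXIT
cat > "$SAMPLE_SECURE" <<'EOF'
Apr  3 10:00:01 fgedu-server sshd[12345]: Failed password for root from 192.0.2.10 port 40001 ssh2
Apr  3 10:00:02 fgedu-server sshd[12346]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2
Apr  3 10:00:03 fgedu-server sshd[12347]: Failed password for invalid user oracle from 192.0.2.10 port 40003 ssh2
Apr  3 10:00:04 fgedu-server sshd[12348]: Failed password for zhangsan from 192.0.2.20 port 40004 ssh2
Apr  3 10:00:05 fgedu-server sshd[12349]: Accepted publickey for zhangsan from 192.0.2.20 port 40005 ssh2
Apr  3 10:00:06 fgedu-server sshd[12350]: Failed password for invalid user test from 192.0.2.10 port 40006 ssh2
EOF

failed_logins_by_ip "$SAMPLE_SECURE"
# prints:
# 4 192.0.2.10
# 1 192.0.2.20
brute_force_suspects "$SAMPLE_SECURE" 3
# prints: 192.0.2.10
```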

6. Log Search

Log searches locate problems quickly.

# Search with grep
# Search for a keyword
# grep "error" /var/log/messages

# Ignore case
# grep -i "error" /var/log/messages

# Show line numbers
# grep -n "error" /var/log/messages

# Show context
# grep -C 5 "error" /var/log/messages

# Recursive search
# grep -r "error" /var/log/

# Regular-expression search
# grep -E "error|fail|critical" /var/log/messages

# Search with find
# Find log files containing a keyword
# find /var/log -type f -exec grep -l "error" {} \;

# Search with journalctl
# Search for a specific message
# journalctl | grep "error"

# Search within a specific service
# journalctl -u nginx.service | grep "error"

# Search within a time range
# journalctl --since "2026-04-03 09:00:00" --until "2026-04-03 10:00:00" | grep "error"

# Log search script
# cat > /opt/scripts/log_search.sh << 'EOF'
#!/bin/bash
KEYWORD=$1
LOG_DIR=${2:-/var/log}

if [ -z "$KEYWORD" ]; then
    echo "Usage: $0 <keyword> [log_directory]"
    exit 1
fi

echo "Search keyword: $KEYWORD"
echo "Search directory: $LOG_DIR"
echo "========================================="

# Search all log files
# (the -name tests are grouped so that -type f applies to all of them)
find "$LOG_DIR" -type f \( -name "*.log" -o -name "messages*" -o -name "secure*" \) | while read -r file; do
    # grep -c prints 0 on no match but exits 1, so do not append "|| echo 0";
    # an unreadable file prints nothing, which defaults to 0 below
    COUNT=$(grep -c "$KEYWORD" "$file" 2>/dev/null)
    if [ "${COUNT:-0}" -gt 0 ]; then
        echo ""
        echo "File: $file (matches: $COUNT lines)"
        echo "----------------------------------------"
        grep -n "$KEYWORD" "$file" | head -10
    fi
done

echo ""
echo "========================================="
EOF

# chmod +x /opt/scripts/log_search.sh

# Complex searches with awk
# Search and format the output
# awk '/error/ {printf "%-20s %s\n", $1, $0}' /var/log/messages

# Search and count
# awk '/error/ {count++} END {print "Total errors:", count}' /var/log/messages

# Process logs with sed
# Extract a specific field
# sed -n 's/.*from \([0-9.]*\).*/\1/p' /var/log/secure | sort | uniq -c | sort -nr
50 192.168.1.100
25 192.168.1.101

7. Log Monitoring

Log monitoring detects anomalies in real time.

# Monitor a log in real time
# tail -f /var/log/messages

# Monitor multiple logs
# tail -f /var/log/messages /var/log/secure

# Monitor and filter
# tail -f /var/log/messages | grep --line-buffered "error"

# Monitor with watch
# watch -n 5 'tail -20 /var/log/messages'

# Log monitoring script
# cat > /opt/scripts/log_monitor.sh << 'EOF'
#!/bin/bash
LOG_FILE="/var/log/messages"
ALERT_KEYWORDS="error|fail|critical|emergency"
ALERT_EMAIL="admin@fgedu.net.cn"
# state file (a root-owned directory such as /var/lib is safer than the world-writable /tmp)
TEMP_FILE="/tmp/log_monitor.tmp"

# Get the last read position
if [ -f "$TEMP_FILE" ]; then
    LAST_POS=$(cat "$TEMP_FILE")
else
    LAST_POS=0
fi

# Get the current file size
CURRENT_SIZE=$(stat -c %s "$LOG_FILE")

# If the file was rotated (it shrank), start from the beginning
if [ "$CURRENT_SIZE" -lt "$LAST_POS" ]; then
    LAST_POS=0
fi

# Read the newly appended content
if [ "$CURRENT_SIZE" -gt "$LAST_POS" ]; then
    NEW_CONTENT=$(tail -c +$((LAST_POS + 1)) "$LOG_FILE")

    # Check for keywords
    ALERTS=$(echo "$NEW_CONTENT" | grep -iE "$ALERT_KEYWORDS")
    if [ -n "$ALERTS" ]; then
        echo "Abnormal log entries found:"
        echo "$ALERTS"
        # Send an alert
        echo "$ALERTS" | mail -s "Log alert - $(hostname)" "$ALERT_EMAIL"
    fi
fi

# Save the current position
echo "$CURRENT_SIZE" > "$TEMP_FILE"
EOF

# chmod +x /opt/scripts/log_monitor.sh

# Schedule the monitor
# crontab -e
*/5 * * * * /opt/scripts/log_monitor.sh

# Real-time monitoring with journalctl
# journalctl -f | grep --line-buffered -i "error\|fail"

# Monitor system log sizes
# cat > /opt/scripts/log_size_monitor.sh << 'EOF'
#!/bin/bash
LOG_DIR="/var/log"
THRESHOLD_MB=100

find "$LOG_DIR" -type f -size +${THRESHOLD_MB}M | while read -r file; do
    SIZE=$(du -h "$file" | awk '{print $1}')
    echo "Warning: $file exceeds ${THRESHOLD_MB}MB (current: $SIZE)"
done
EOF
# chmod +x /opt/scripts/log_size_monitor.sh
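The monitor script above tracks only a byte offset and restarts from zero when the file shrinks; if logrotate renames the file and the fresh file grows past the saved offset before the next run, the start of the new file is never scanned. This added example (not from the original tutorial) records the inode together with the offset so a rename is detected regardless of size; it assumes GNU coreutils `stat -c`, and the function names, state-file layout and sample lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original tutorial: incremental log reading that
# detects rotation by inode change as well as by shrinkage. State file holds
# "inode offset". Assumes GNU stat (-c).

# read_new_lines LOGFILE STATEFILE
# Prints bytes appended since the last call and updates the state file.
read_new_lines() {
    log=$1; state=$2
    [ -f "$log" ] || return 0
    cur_inode=$(stat -c %i "$log")
    cur_size=$(stat -c %s "$log")
    last_inode=0; last_pos=0
    if [ -f "$state" ]; then
        read -r last_inode last_pos < "$state"
    fi
    # Different inode (rotated by rename) or truncated file: start at byte 0.
    if [ "$cur_inode" != "$last_inode" ] || [ "$cur_size" -lt "$last_pos" ]; then
        last_pos=0
    fi
    if [ "$cur_size" -gt "$last_pos" ]; then
        tail -c +$((last_pos + 1)) "$log"
    fi
    echo "$cur_inode $cur_size" > "$state"
}

# Same keyword filter as the monitor script, applied to the new lines only.
alert_lines() {
    read_new_lines "$1" "$2" | grep -iE 'error|fail|critical|emergency' || true
}

# Constructed demo: a temporary log and state file, removed on exit.
DEMO_DIR=$(mktemp -d)
DEMO_LOG="$DEMO_DIR/messages"
DEMO_STATE="$DEMO_DIR/monitor.state"
trap 'rm -rf "$DEMO_DIR"' EXIT

printf 'Apr  3 10:00:00 host systemd[1]: Started nginx\n' > "$DEMO_LOG"
read_new_lines "$DEMO_LOG" "$DEMO_STATE" > /dev/null   # first pass: baseline
printf 'Apr  3 10:01:00 host kernel: [sdb] Medium error\n' >> "$DEMO_LOG"
alert_lines "$DEMO_LOG" "$DEMO_STATE"    # prints only the new "Medium error" line
```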

8. Centralized Logging

Centralized log management collects and analyzes logs in one place.

# Configure centralized collection with rsyslog
# Server-side configuration
# cat > /etc/rsyslog.d/server.conf << 'EOF'
# Load modules
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")

# Define template
# (do not keep the remote.conf from the Rsyslog Configuration section alongside
#  this file: the template name RemoteLogs would then be defined twice)
$template RemoteLogs,"/var/log/remote/%fromhost-ip%/%$YEAR%-%$MONTH%-%$DAY%.log"

# Store remote logs
*.* ?RemoteLogs

# Keep local logs as well
*.* /var/log/messages
EOF

# Client-side configuration
# cat > /etc/rsyslog.d/client.conf << 'EOF'
# Forward all logs to the server
*.* @@log-server.fgedu.net.cn:514

# Keep a local copy as well
*.* /var/log/messages
EOF

# Collect logs with Filebeat
# cat > /etc/filebeat/filebeat.yml << 'EOF'
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/*.log
    - /var/log/messages
    - /var/log/secure
  fields:
    type: system
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/nginx/*.log
  fields:
    type: nginx
  fields_under_root: true

# Filebeat allows a single output. This sends straight to Elasticsearch; to run
# events through the Logstash pipeline below instead, replace this block with
# output.logstash and point hosts at the Logstash beats port (5044).
output.elasticsearch:
  hosts: ["elasticsearch.fgedu.net.cn:9200"]
  index: "fgedu-logs-%{+yyyy.MM.dd}"

setup.kibana:
  host: "kibana.fgedu.net.cn:5601"
EOF

# Start Filebeat
# systemctl start filebeat
# systemctl enable filebeat

# Process logs with Logstash
# cat > /etc/logstash/conf.d/fgedu.conf << 'EOF'
input {
  beats {
    port => 5044
  }
}

filter {
  if [type] == "nginx" {
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
    date {
      match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
    }
  }

  if [type] == "system" {
    grok {
      match => { "message" => "%{SYSLOGBASE}" }
    }
  }
}

output {
  elasticsearch {
    hosts => ["elasticsearch.fgedu.net.cn:9200"]
    index => "fgedu-%{[type]}-%{+YYYY.MM.dd}"
  }
}
EOF

# Start Logstash
# systemctl start logstash
# systemctl enable logstash

9. Log Security

Log security protects the integrity and confidentiality of logs.

# Set log file permissions
# ls -la /var/log/messages
-rw------- 1 root root 123456 Apr 3 10:00 /var/log/messages

# Change log permissions
# chmod 600 /var/log/messages
# chown root:root /var/log/messages

# Set the append-only attribute on a log
# (an append-only file cannot be renamed or deleted, so logrotate must drop the
#  attribute before rotating, for example in a prerotate script)
# chattr +a /var/log/messages

# View attributes
# lsattr /var/log/messages
-----a---------- /var/log/messages

# Remove the attribute
# chattr -a /var/log/messages

# Configure audit rules
# cat > /etc/audit/rules.d/audit.rules << 'EOF'
# Monitor file changes
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k identity

# Monitor user activity
-w /var/log/secure -p wa -k logins
-w /var/log/messages -p wa -k logs

# Monitor system calls
-a always,exit -F arch=b64 -S execve -k exec
# (an unfiltered open rule is very high-volume, and most programs go through
#  openat rather than open, which this rule does not cover)
-a always,exit -F arch=b64 -S open -k file_open

# Monitor network connections
-a always,exit -F arch=b64 -S socket -k network
EOF

# Restart auditd
# (on RHEL/CentOS 7 auditd refuses systemctl stop/restart; use
#  "service auditd restart" or "augenrules --load" to apply the rules)
# systemctl restart auditd

# Query the audit log
# ausearch -k identity

# Log security check script
# cat > /opt/scripts/log_security_check.sh << 'EOF'
#!/bin/bash
echo "Log security check"
echo "=========================================="

# Check log file permissions
echo "1. Checking log file permissions"
find /var/log -type f -perm /o+r | while read -r file; do
    echo "Warning: $file is world-readable"
done

# Check log ownership
echo ""
echo "2. Checking log file ownership"
find /var/log -type f ! -user root | while read -r file; do
    echo "Warning: $file is not owned by root"
done

# Check log integrity attributes
echo ""
echo "3. Checking log file attributes"
lsattr /var/log/messages /var/log/secure 2>/dev/null

# Check audit status
echo ""
echo "4. Checking auditd service status"
systemctl is-active auditd

# Check log sizes
echo ""
echo "5. Checking log file sizes"
du -sh /var/log/*

echo ""
echo "=========================================="
EOF

# chmod +x /opt/scripts/log_security_check.sh

10. Best Practices

Log management best practices keep the logging system efficient and reliable.

# Log management best-practice checklist
# cat > /opt/docs/log_best_practices.md << 'EOF'
# Linux Log Management Best Practices

## 1. Log collection
- Configure rsyslog to collect system logs
- Use journald to collect systemd logs
- Configure application log output
- Implement centralized log management

## 2. Log rotation
- Configure logrotate for automatic rotation
- Set sensible retention periods
- Compress historical logs
- Monitor log file sizes

## 3. Log analysis
- Analyze key logs regularly
- Produce log analysis reports
- Automate analysis with tools
- Watch for anomalies and errors

## 4. Log monitoring
- Monitor key logs in real time
- Configure keyword alerts
- Monitor log file sizes
- Monitor logging service status

## 5. Log security
- Set correct file permissions
- Set append-only/immutable file attributes
- Enable audit logging
- Protect sensitive information

## 6. Log backup
- Back up log files regularly
- Store backups off-site
- Test the restore procedure
- Encrypt sensitive logs

## 7. Performance optimization
- Tune log levels
- Write logs asynchronously
- Configure buffering sensibly
- Monitor logging performance

## 8. Documentation
- Maintain logging configuration documentation
- Document log formats
- Write a log analysis handbook
- Update documentation regularly
EOF

# Log health check script
# cat > /opt/scripts/log_health_check.sh << 'EOF'
#!/bin/bash
echo "Logging system health check"
echo "=========================================="
echo "Check time: $(date)"
echo ""

# 1. Check the rsyslog service
echo "1. rsyslog service status"
systemctl is-active rsyslog

# 2. Check the journald service
echo ""
echo "2. journald service status"
systemctl is-active systemd-journald

# 3. Check log files
echo ""
echo "3. Key log file status"
for log in messages secure cron maillog; do
    if [ -f "/var/log/$log" ]; then
        SIZE=$(du -h "/var/log/$log" | awk '{print $1}')
        echo "  $log: $SIZE"
    fi
done

# 4. Check log rotation
echo ""
echo "4. logrotate status"
tail -5 /var/lib/logrotate/logrotate.status

# 5. Check disk space
echo ""
echo "5. Log directory disk usage"
df -h /var/log

# 6. Check recent errors
echo ""
echo "6. Errors in the last 24 hours"
# -q suppresses the "-- Logs begin at ..." header so it is not counted
ERROR_COUNT=$(journalctl -q --since "24 hours ago" -p err | wc -l)
echo "  Error count: $ERROR_COUNT"

echo ""
echo "=========================================="
EOF
# chmod +x /opt/scripts/log_health_check.sh

Feng Ge's production recommendations: configure a log rotation policy, implement centralized log management, set up log monitoring and alerting, analyze logs regularly, protect log security, and establish a complete log management process.

This article was compiled and published by Feng Ge Tutorials for learning and testing use only; cite the source when reposting: http://www.fgedu.net.cn/10327.html
