• Linux Learning 67: Log server setup, and installing and using the log analysis tool (logwatch)


    15.5 Log server setup process
    • Writing a rule with the format "@IP:port" or "@@IP:port" sends logs to a remote host ("@" forwards over UDP, "@@" over TCP). This solves a common problem: when you manage dozens of servers, an important daily task is reviewing their logs, but logging in to each server separately to read its logs is tedious. Instead, the logs of all those servers can be collected on one log server, so that each day you only need to log in to that single server to see the logs of all of them, which is far more convenient.
    • How is a log server implemented? First we need to distinguish the server side from the client side. Assume the server's IP address is 192.168.0.210 and its hostname is localhost.localdomain; the client's IP address is 192.168.0.211 and its hostname is www1. What we want is for the logs of 192.168.0.211 to be stored on the server 192.168.0.210. The test procedure is as follows:
    #Server-side setup (192.168.0.210):
    [root@CncLucZK ~]# vi /etc/rsyslog.conf
    …part of the output omitted…
    
    #Load the TCP module and allow logs forwarded over TCP to be received on TCP port 514
    # Provides TCP syslog reception
    # for parameters see http://www.rsyslog.com/doc/imtcp.html
    module(load="imtcp") # needs to be done just once
    input(type="imtcp" port="514")
    #Uncomment these two lines so the server accepts logs on TCP port 514
    
    …part of the output omitted…
    [root@CncLucZK ~]# service rsyslog restart
    #Restart the rsyslog service
    [root@CncLucZK ~]# netstat -tlun | grep 514
    tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN
    #Confirm that port 514 is now listening
    #Client-side setup (192.168.0.211):
    [root@www ~]# vi /etc/rsyslog.conf
    #Edit the log service configuration file
    *.* @@192.168.0.210:514
    #Send all logs over TCP to port 514 on 192.168.0.210
    [root@www ~]# service rsyslog restart
    #Restart the log service
    
    • With this, the log server and the client are set up; from now on every log produced on the client 192.168.0.211 is recorded on 192.168.0.210. For example:
    #On the client (192.168.0.211)
    [root@www ~]# useradd zk
    #Add user zk (the hostname in the prompt is www)
    #On the server (192.168.0.210)
    [root@CncLucZK ~]# vi /var/log/secure
    #View the server's secure log (note: the hostname is CncLucZK)
    Aug 8 23:00:57 www sshd[1408]: Server listening on 0.0.0.0 port 22.
    Aug 8 23:00:57 www sshd[1408]: Server listening on :: port 22.
    Aug 8 23:01:58 www sshd[1630]: Accepted password for root from 192.168.0.101 port 7036 ssh2
    Aug 8 23:01:58 www sshd[1630]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Aug 8 23:03:03 www useradd[1654]: new group: name=zk, GID=505
    Aug 8 23:03:03 www useradd[1654]: new user: name=zk, UID=505, GID=505,
    home=/home/zk, shell=/bin/bash
    Aug 8 23:03:09 www passwd: pam_unix(passwd:chauthtok): password changed for zk
    #Note: the hostname in these entries is www. Although we are reading the server's log file, it contains the client's log entries
    

    Note that the log service tells servers apart only by hostname. So once logging is centralized, every server must be given a different hostname.
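As an added example (not from the original post), here is Python that parses forwarded lines in the traditional syslog format shown above and splits them per sending host, the way a central log server has to, plus a check for the hostname caveat just stated: clients configured with the same hostname would have their entries merged. The sample lines and the inventory dictionary are constructed for the example.

```python
import re
from collections import defaultdict

# Traditional syslog line as written to /var/log/secure:
# "Mon D HH:MM:SS host program[pid]: message" (the [pid] part is optional).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

def parse_line(line):
    """Return ts/host/prog/pid/msg for one line, or None if it is not syslog."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    entry = m.groupdict()
    entry["pid"] = int(entry["pid"]) if entry["pid"] else None
    return entry

def split_by_host(lines):
    """Group entries by the hostname field (all the central server can key on)."""
    per_host, unparsed = defaultdict(list), []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            unparsed.append(line)
        else:
            per_host[entry["host"]].append(entry)
    return dict(per_host), unparsed

def hosts_sharing_name(inventory):
    """inventory: client IP -> hostname; return names used by more than one client."""
    by_name = defaultdict(list)
    for ip, name in inventory.items():
        by_name[name].append(ip)
    return {name: ips for name, ips in by_name.items() if len(ips) > 1}

# Constructed sample of what the server's secure log holds after forwarding:
# lines from client www mixed with the server's own (CncLucZK) entries.
SAMPLE = """\
Aug 8 23:01:58 www sshd[1630]: Accepted password for root from 192.168.0.101 port 7036 ssh2
Aug 8 23:03:03 www useradd[1654]: new user: name=zk, UID=505, GID=505, home=/home/zk, shell=/bin/bash
Aug 8 23:03:09 www passwd: pam_unix(passwd:chauthtok): password changed for zk
Aug 8 23:05:00 CncLucZK sshd[2201]: Accepted publickey for root from 192.168.0.101 port 7100 ssh2
this line is not in syslog format
""".splitlines()

if __name__ == "__main__":
    per_host, bad = split_by_host(SAMPLE)
    for host, entries in per_host.items():
        print(f"{host}: {len(entries)} entries, first program {entries[0]['prog']}")
    print("unparsed lines:", len(bad))
    # Two clients both named www would have their entries merged on the server.
    print(hosts_sharing_name({"192.168.0.211": "www", "192.168.0.212": "www"}))
```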

    15.8 Installing and using the log analysis tool (logwatch)
    • Logs are very important system files; a key daily task of the administrator is reviewing and analyzing the server logs to judge the health of the server. Doing log management by hand, however, is extremely tedious, which is why log analysis tools are used. These tools read the logs in detail, analyze them, and e-mail the results to the root user. That way, we only need to read the tool's e-mail each day to know the basic state of the server instead of checking every log individually, freeing the system administrator from heavy routine work to deal with more important tasks.
    • CentOS ships a log analysis tool, logwatch. It is not installed by default (because we chose the "Basic Server" installation), so it must be installed manually. The install command is:
    [root@CncLucZK httpd]# yum -y install logwatch
    ...
    Installed:
      logwatch-7.4.3-11.el8.noarch                     mailx-12.5-29.el8.x86_64                     
      perl-Date-Manip-6.60-2.el8.noarch                perl-Sys-CPU-0.61-14.el8.x86_64              
      perl-Sys-MemInfo-0.99-6.el8.x86_64    
    
    • After installation, the logwatch configuration file must be created by hand. The default configuration file is /etc/logwatch/conf/logwatch.conf, but that file is empty, so the template configuration file has to be copied over it. The commands are:
    [root@CncLucZK httpd]# cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/logwatch.conf
    cp: overwrite '/etc/logwatch/conf/logwatch.conf'? y
    #View the configuration file
    [root@CncLucZK httpd]# cat /etc/logwatch/conf/logwatch.conf
    ...
    # this is in the format of <name> = <value>.  Whitespace at the beginning
    # and end of the lines is removed.  Whitespace before and after the = sign
    # is removed.  Everything is case *insensitive*.
    
    # Yes = True  = On  = 1
    # No  = False = Off = 0
    
    # Default Log Directory
    # All log-files are assumed to be given relative to this directory.
    LogDir = /var/log                    #logwatch analyzes and summarizes the logs under /var/log/
    
    # You can override the default temp directory (/tmp) here
    TmpDir = /var/cache/logwatch         #Temporary directory used by logwatch
    
    #Output/Format Options
    #By default Logwatch will print to stdout in text with no encoding.
    #To make email Default set Output = mail to save to file set Output = file
    Output = stdout
    #To make Html the default formatting Format = html
    Format = text
    #To make Base64 [aka uuencode] Encode = base64
    Encode = none
    
    # Default person to mail reports to.  Can be a local account or a
    # complete email address.  Variable Output should be set to mail, or
    # --output mail should be passed on command line to enable mail feature.
    MailTo = root                        #The analysis results are mailed to the root user
    # WHen using option --multiemail, it is possible to specify a different
    # email recipient per host processed.  For example, to send the report
    # for hostname host1 to user@example.com, use:
    #Mailto_host1 = user@example.com
    # Multiple recipients can be specified by separating them with a space.
    
    # Default person to mail reports from.  Can be a local account or a
    # complete email address.
    MailFrom = Logwatch                  #The sender shown when the mail is received is Logwatch
    
    # if set, the results will be saved in <filename> instead of mailed
    # or displayed. Be sure to set Output = file also.
    #Filename = /tmp/logwatch
    
    #Save = /tmp/logwatch
    #If this item is enabled, the log analysis is not mailed but saved in the file /tmp/logwatch
    
    # Use archives?  If set to 'Yes', the archives of logfiles
    # (i.e. /var/log/messages.1 or /var/log/messages.1.gz) will
    # be searched in addition to the /var/log/messages file.
    # This usually will not do much if your range is set to just
    # 'Yesterday' or 'Today'... it is probably best used with
    # By default this is now set to Yes. To turn off Archives uncomment this.
    #Archives = No                       #Whether archived log files are also searched; by default this is set to "Yes". To turn archives off, uncomment this line.
    # Range = All
    
    # The default time range for the report...
    # The current choices are All, Today, Yesterday
    Range = yesterday                    #Which day's logs to analyze. Recognizes "All", "Today" and "Yesterday", meaning all logs, today's logs and yesterday's logs
    
    # The default detail level for the report.
    # This can either be Low, Med, High or a number.
    # Low = 0
    # Med = 5
    # High = 10
    Detail = Low                         #Detail level of the report. Recognizes "Low", "Med" and "High", or a number from 0 to 10, where 0 is the least detailed and 10 the most detailed
    
    
    # The 'Service' option expects either the name of a filter
    # (in /usr/share/logwatch/scripts/services/*) or 'All'.
    # The default service(s) to report on.  This should be left as All for
    # most people.
    Service = All                        #Analyze and monitor all logs
    # You can also disable certain services (when specifying all)
    
    #But do not monitor the logs of the "zz-network" service. "-service name" means the logs of that service are not analyzed or monitored
    Service = "-zz-network"     # Prevents execution of zz-network service, which
                                # prints useful network configuration info.
    Service = "-zz-sys"         # Prevents execution of zz-sys service, which		
                                # prints useful system configuration info.
    Service = "-eximstats"      # Prevents execution of eximstats service, which
                                # is a wrapper for the eximstats program.
    # If you only cared about FTP messages, you could use these 2 lines
    # instead of the above:
    #Service = ftpd-messages   # Processes ftpd messages in /var/log/messages
    #Service = ftpd-xferlog    # Processes ftpd messages in /var/log/xferlog
    # Maybe you only wanted reports on PAM messages, then you would use:
    #Service = pam_pwdb        # PAM_pwdb messages - usually quite a bit
    #Service = pam             # General PAM messages... usually not many
    
    # You can also choose to use the 'LogFile' option.  This will cause
    # logwatch to only analyze that one logfile.. for example:
    #LogFile = messages
    # will process /var/log/messages.  This will run all the filters that
    # process that logfile.  This option is probably not too useful to
    # most people.  Setting 'Service' to 'All' above analyzes all LogFiles
    # anyways...
    
    #
    # By default we assume that all Unix systems have sendmail or a sendmail-like MTA.
    # The mailer code prints a header with To: From: and Subject:.
    # At this point you can change the mailer to anything that can handle this output
    # stream.
    # TODO test variables in the mailer string to see if the To/From/Subject can be set
    # From here with out breaking anything. This would allow mail/mailx/nail etc..... -mgt
    mailer = "/usr/sbin/sendmail -t"
    
    #
    # With this option set to a comma separted list of hostnames, only log entries
    # for these particular hosts will be processed.  This can allow a log host to
    # process only its own logs, or Logwatch can be run once per a set of hosts
    # included in the logfiles.
    # Example: HostLimit = hosta,hostb,myhost
    #
    # The default is to report on all log entries, regardless of its source host.
    # Note that some logfiles do not include host information and will not be
    # influenced by this setting.
    #
    #HostLimit = myhost
    
    # vi: shiftwidth=3 tabstop=3 et
    
    
    • This configuration file barely needs to be changed (for the experiment the Range item was changed to All, otherwise too few logs would be available for the analysis that follows); by default it runs every day. The daily run is the work of the crond service: once logwatch is installed, it creates the file "0logwatch" in /etc/cron.daily/, which runs the logwatch command at a fixed time each day to analyze and monitor the relevant logs.
    [root@CncLucZK httpd]# ll /etc/cron.daily
    total 8
    -rwxr-xr-x  1 root root 434 May  8  2021 0logwatch
    -rwxr-xr-x. 1 root root 189 Jan  4  2018 logrotate
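As an added example, not part of the original post or of logwatch itself, the following Python reads a logwatch.conf fragment according to the rules stated in the template's header (name = value lines, "#" comments, trimmed whitespace, case-insensitive names, Yes/True/On/1 booleans) and resolves the accumulated Service lines, including the "-service" exclusions, against a constructed list of filter names.

```python
BOOL_WORDS = {"yes": True, "true": True, "on": True, "1": True,
              "no": False, "false": False, "off": False, "0": False}
MULTI_KEYS = {"service", "logfile"}   # options that may be given several times

def parse_logwatch_conf(text):
    """Parse 'name = value' lines: '#' starts a comment (trailing ones too), surrounding
    whitespace is dropped, names are case-insensitive (stored lowercase), quotes removed."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key, value = key.lower(), value.strip('"')
        if key in MULTI_KEYS:
            conf.setdefault(key, []).append(value)
        else:
            conf[key] = value
    return conf

def as_bool(conf, key, default):
    """Interpret Yes/True/On/1 and No/False/Off/0 regardless of case."""
    value = conf.get(key)
    if value is None:
        return default
    return BOOL_WORDS[value.lower()]   # KeyError for anything that is not a boolean

def effective_services(conf, available):
    """Apply Service lines in order: 'All' selects every filter in `available`,
    '-name' removes a filter, any other known name adds that filter."""
    selected = []
    for entry in conf.get("service", []):
        name = entry.lower()
        if name == "all":
            selected = list(available)
        elif name.startswith("-"):
            selected = [s for s in selected if s != name[1:]]
        elif name in available and name not in selected:
            selected.append(name)
    return selected

# Constructed fragment using the settings shown in the file above.
SAMPLE_CONF = """\
LogDir = /var/log      # logwatch reads the logs under this directory
MailTo = root
#Archives = No
Range = yesterday
Service = All
Service = "-zz-network"     # Prevents execution of zz-network service
Service = "-zz-sys"
mailer = "/usr/sbin/sendmail -t"
"""
# Constructed stand-in for the filter names under /usr/share/logwatch/scripts/services/
AVAILABLE = ["sshd", "pam_unix", "zz-network", "zz-sys", "zz-disk_space"]
```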
    
    
    • To run this log analysis immediately, simply execute the logwatch command:
    [root@CncLucZK httpd]# logwatch 
     ################### Logwatch 7.4.3 (04/27/16) #################### 
            Processing Initiated: Sun Oct 30 23:02:28 2022
            Date Range Processed: yesterday
                                  ( 2022-Oct-29 )
                                  Period is day.
            Detail Level of Output: 0
            Type of Output/Format: stdout / text
            Logfiles for Host: CncLucZK
     ################################################################## 
     
     --------------------- httpd Begin ------------------------ 
    
     Connection attempts using mod_proxy:
        212.224.88.178 -> google.com:443: 1 Time(s)
        89.248.165.52 -> 85.206.160.115:80: 1 Time(s)
        89.248.165.52 -> hotmail-com.olc.protection.outlook.com:25: 1 Time(s)
     
     A total of 11 sites probed the server 
        123.56.155.157
        138.197.219.196
        178.159.37.113
        205.210.31.2
        62.233.50.175
        66.240.205.34
        68.183.8.82
        89.248.163.132
        89.248.163.167
        89.248.165.52
        92.255.85.183
     
     Requests with error response codes
        400 Bad Request
           null: 12 Time(s)
           *: 1 Time(s)
           /: 1 Time(s)
           X\xd4>\x12\x98\xc4<\xe0\x13\xcf: 1 Time(s)
           default.asp: 1 Time(s)
        403 Forbidden
           /: 39 Time(s)
           /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: 1 Time(s)
           /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: 1 Time(s)
           http://passport.baidu.com/: 1 Time(s)
        404 Not Found
           /: 4 Time(s)
           /boaform/admin/formLogin: 4 Time(s)
           /favicon.ico: 4 Time(s)
           /.env: 3 Time(s)
         	...
           /start.jsa: 1 Time(s)
           /start.jsp: 1 Time(s)
           http://www.qq.com/404/search_children.js: 1 Time(s)
        405 Method Not Allowed
           85.206.160.115:80: 1 Time(s)
           google.com:443: 1 Time(s)
           hotmail-com.olc.protection.outlook.com:25: 1 Time(s)
        408 Request Timeout
           null: 5 Time(s)
     
     ---------------------- httpd End ------------------------- 
    
     
     --------------------- pam_unix Begin ------------------------ 
    
     systemd-user:
        Unknown Entries:
           session opened for user root by (uid=0): 192 Time(s)
           session closed for user root: 76 Time(s)
     
     
     ---------------------- pam_unix End ------------------------- 
    
     #Analysis of the SSHD log. This shows which IP addresses have connected to the server
     --------------------- SSHD Begin ------------------------ 
    
     
     Illegal users from:
        20.78.70.5: 9 times
        34.90.223.166 (166.223.90.34.bc.googleusercontent.com): 6 times
        35.237.33.195 (195.33.237.35.bc.googleusercontent.com): 21 times
        36.90.149.125: 70 times
        ...
        193.142.146.35: 2 times
        204.48.16.71: 24 times
     
     Users logging in through sshd:
        root:
           110.19.110.72: 2 times
           110.19.110.50: 1 time
     
     **Unmatched Entries**
     Connection reset by authenticating user root 120.195.180.186 port 49648 [preauth] : 1 time(s)
     Connection reset by authenticating user root 120.195.180.186 port 62395 [preauth] : 1 time(s)
    ...
     error: maximum authentication attempts exceeded for invalid user ftpuser from 89.109.32.143 port 8884 ssh2 [preauth] : 1 time(s)
     Disconnecting invalid user usuario 89.109.32.143 port 2282: Too many authentication failures [preauth] : 1 time(s)
     Connection reset by authenticating user root 120.195.180.186 port 55708 [preauth] : 1 time(s)
     error: maximum authentication attempts exceeded for admin from 89.109.32.143 port 61258 ssh2 [preauth] : 1 time(s)
     Unable to negotiate with 123.56.155.157 port 53120: no matching host key type found. Their offer: ecdsa-sha2-nistp521 [preauth] : 1 time(s)
     ...
     
     ---------------------- SSHD End ------------------------- 
    
     
     --------------------- Systemd Begin ------------------------ 
    
     
     
     **Unmatched Entries**
        Closed D-Bus User Message Bus Socket.: 192 Time(s)
        Configuration file /usr/lib/systemd/system/qcloud-srv.service is marked executable. Please remove executable permission bits. Proceeding anyway.: 1 Time(s)
        user-runtime-dir@0.service: Unit not needed anymore. Stopping.: 522 Time(s)
        user@0.service: Killing process 1956033 (systemctl) with signal SIGKILL.: 1 Time(s)
        user@0.service: Killing process 1958181 (systemctl) with signal SIGKILL.: 1 Time(s)
       ...
        user@0.service: Killing process 2100486 (systemctl) with signal SIGKILL.: 1 Time(s)
     
     ---------------------- Systemd End ------------------------- 
    
     #Disk space summary
     --------------------- Disk Space Begin ------------------------ 
    
     Filesystem      Size  Used Avail Use% Mounted on
     devtmpfs        902M     0  902M   0% /dev
     /dev/vda1        50G  8.7G   39G  19% /
     
     
     ---------------------- Disk Space End ------------------------- 
    
     
     ###################### Logwatch End ######################### 
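The SSHD section above counts failed and successful logins per source address. As an added example (not logwatch's own code), this Python reproduces that summary over a few constructed sshd lines in the same log format, so the counting rules are visible; the addresses reuse ones that appear in the report above.

```python
import re
from collections import Counter, defaultdict

# Header of an sshd line in the secure log; only the message part is classified.
SSHD_LINE = re.compile(r"^\S+\s+\d+ [\d:]+ \S+ sshd\[\d+\]: (?P<msg>.*)$")
INVALID_USER = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPTED = re.compile(r"^Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)")

def summarize_sshd(lines):
    """Return (illegal-user attempts per IP, logins per user per IP, unmatched messages)."""
    illegal = Counter()
    logins = defaultdict(Counter)
    unmatched = []
    for line in lines:
        head = SSHD_LINE.match(line)
        if head is None:
            continue                       # not an sshd line at all
        msg = head.group("msg")
        hit = INVALID_USER.match(msg)
        if hit:
            illegal[hit["ip"]] += 1
            continue
        hit = ACCEPTED.match(msg)
        if hit:
            logins[hit["user"]][hit["ip"]] += 1
            continue
        unmatched.append(msg)
    return illegal, {u: dict(c) for u, c in logins.items()}, unmatched

def render(illegal, logins, unmatched):
    """Format the counts in the style of the logwatch SSHD section."""
    out = ["Illegal users from:"]
    out += [f"   {ip}: {n} times" for ip, n in sorted(illegal.items())]
    out.append("Users logging in through sshd:")
    for user, ips in logins.items():
        out.append(f"   {user}:")
        out += [f"      {ip}: {n} times" for ip, n in ips.items()]
    out.append("**Unmatched Entries**")
    out += [f"   {m}: 1 time(s)" for m in unmatched]
    return "\n".join(out)

# Constructed sample lines (addresses taken from the report above).
SAMPLE_SSHD = """\
Oct 29 01:12:03 CncLucZK sshd[31001]: Invalid user ftpuser from 89.109.32.143 port 8884
Oct 29 01:12:05 CncLucZK sshd[31001]: error: maximum authentication attempts exceeded for invalid user ftpuser from 89.109.32.143 port 8884 ssh2 [preauth]
Oct 29 01:13:40 CncLucZK sshd[31017]: Invalid user usuario from 89.109.32.143 port 2282
Oct 29 02:00:11 CncLucZK sshd[31200]: Invalid user admin from 204.48.16.71 port 41022
Oct 29 09:30:00 CncLucZK sshd[32010]: Accepted password for root from 110.19.110.72 port 50122 ssh2
Oct 29 18:02:17 CncLucZK sshd[32500]: Accepted password for root from 110.19.110.72 port 50990 ssh2
Oct 29 18:05:01 CncLucZK sshd[32511]: Connection reset by authenticating user root 120.195.180.186 port 49648 [preauth]
Oct 29 18:05:02 CncLucZK systemd[1]: Started Session 9 of user root.
""".splitlines()
if __name__ == "__main__":
    print(render(*summarize_sshd(SAMPLE_SSHD)))
```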
    
    
    • With this log analysis tool, log management becomes much easier. Of course, Linux supports many log analysis tools; here we only covered logwatch, which ships with CentOS, and you can choose whichever tool suits your own habits.

    References:
    Installing and using the Linux log analysis tool (logwatch)

  • Original article: https://blog.csdn.net/weixin_42045639/article/details/128122603