generating reports and analyzing logs 黃雁亭 陳麗雯 廖榆恬 1

Post on 03-Jan-2016


Generating Reports and Analyzing Logs

黃雁亭 陳麗雯 廖榆恬

Outline

• Log Report
• Syslogd
• Configure the Syslog
• Syslog Server
• Logrotate
• Summary

Log Report

• What is Log Report?
• A report includes...
– Date, time, host, service and related function, and message.
• Ex:
– May 28 11:23:48 ip005 su: pam_unix(su:session): session opened for user root by imliving(uid=500)

Log Report (cont.)

• Why log report?
• You need to
– Know the errors
– See the actions
• Two types
– Capture bad strings immediately, ignore the rest.
– Ignore “okay” strings, report on what’s left.

Syslogd

• The service that writes the log reports.
• ps aux | grep syslog
– USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
– root 4294 0.0 0.0 1716 568 ? Ss Mar31 0:00 syslogd -m 0
• chkconfig --list syslog
– syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off

Configure the Syslog

• /etc/syslog.conf
– The service.
– The level of the information.
– The location of the file.
• Ex:
– mail.info /var/log/maillog_info

Configure the Syslog (cont.)

• The main services are auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, security (same as auth), syslog, user, uucp and local0 through local7.


Configure the Syslog (cont.)

• The level of the information
– Info, notice, warning (warn)
– Err (error), crit, alert
– Emerg (panic)
• Symbol
– .
– .=
– .!
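The three symbols are easiest to compare by checking which levels each one lets through. The sketch below is an added example, not part of the original slides and not syslogd's own code. It assumes the selector rules documented in sysklogd's syslog.conf(5), goes slightly beyond the slide by also handling ";" lists and "none", and the names levels_for and matches are hypothetical.

```python
# Added example: a model of sysklogd selector matching, not syslogd's own code.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}


def levels_for(selector, facility):
    """Levels of `facility` that a syslog.conf selector field sends to its file."""
    enabled = set()
    for part in selector.split(";"):  # parts apply left to right
        fac, _, spec = part.strip().partition(".")
        if fac != "*" and facility not in fac.split(","):
            continue
        negate = spec.startswith("!")
        spec = spec[1:] if negate else spec
        exact = spec.startswith("=")
        spec = spec[1:] if exact else spec
        spec = ALIASES.get(spec, spec)
        if spec == "*":
            chosen = set(LEVELS)
        elif spec == "none":  # "none" switches the facility off
            chosen, negate = set(LEVELS), not negate
        elif spec not in LEVELS:
            raise ValueError(f"unknown level in {part!r}")
        elif exact:  # ".=" selects only this level
            chosen = {spec}
        else:  # "." selects this level and every more severe one
            chosen = set(LEVELS[: LEVELS.index(spec) + 1])
        # ".!" removes the chosen levels from what earlier parts enabled
        enabled = enabled - chosen if negate else enabled | chosen
    return enabled


def matches(selector, facility, level):
    """True if a message with this facility and level is logged by the rule."""
    return ALIASES.get(level, level) in levels_for(selector, facility)


if __name__ == "__main__":
    # Constructed rules; the first one is the slide's mail.info example.
    for rule in ["mail.info", "mail.=info", "mail.*;mail.!err", "*.info;mail.none"]:
        logged = [lv for lv in LEVELS if matches(rule, "mail", lv)]
        print(f"{rule:20} mail -> {logged}")
```

A rule made only of a ".!" selector, such as mail.!err, logs nothing, because there is nothing enabled for it to subtract from.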

Configure the Syslog (cont.)

• How to add the log report
– vi /etc/syslog.conf
– /etc/init.d/syslog restart

Syslog Server

[Diagram: on the client, syslogd (/etc/syslog.conf) collects the cron, mail, auth, ... messages and sends the log to syslogd (/etc/sysconfig/syslog) on the server.]

Syslog Server (cont.)

• Server
– vi /etc/sysconfig/syslog
– SYSLOGD_OPTIONS="-m 0 -r"
– /etc/init.d/syslog restart
– netstat -lunp | grep syslog
• Client
– vi /etc/syslog.conf
– *.* @10.10.21.69

Logrotate

• Rename the old log file.
• Create a new, empty log file.
• Write new log entries to the new file.
• Keep the old file for a period of time.

Logrotate (cont.)

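[Figure: log rotation over four steps. At each rotation Log is renamed to Log.1 and the older files shift by one (Log.1 to Log.2, and so on), so after step 4 the files are Log, Log.1, Log.2, Log.3 and Log.4.]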

Logrotate (cont.)

• vi /etc/logrotate.conf
• Execute: logrotate [-vf] logfile
– logrotate -v /etc/logrotate.conf
– logrotate -vf /etc/logrotate.conf

Summary

• Log reports show the actions and the errors.
• Syslogd can classify the log reports and centralize their management.
• Logrotate keeps log files from growing too large.


Thanks for your listening.
