Intro to Logs
Log types
- Application Logs: Messages about specific applications, including status, errors, warnings, etc.
- Audit Logs: Activities related to operational procedures crucial for regulatory compliance.
- Security Logs: Security events such as logins, permissions changes, firewall activity, etc.
- Server Logs: Various logs a server generates, including system, event, error, and access logs.
- System Logs: Kernel activities, system errors, boot sequences, and hardware status.
- Network Logs: Network traffic, connections, and other network-related events.
- Database Logs: Activities within a database system, such as queries and updates.
- Web Server Logs: Requests processed by a web server, including URLs, response codes, etc.
Log formats
Semi-structured Logs:
These logs may contain structured and unstructured data, with predictable components accommodating free-form text. Examples include:
- Syslog Message Format: A widely adopted logging protocol for system and network logs.
- Windows Event Log (EVTX) Format: Proprietary Microsoft log for Windows systems.
Structured Logs:
Following a strict and standardised format, these logs are conducive to parsing and analysis. Typical structured log formats include:
- Field Delimited Formats: Comma-Separated Values (CSV) and Tab-Separated Values (TSV) are formats often used for tabular data.
- JavaScript Object Notation (JSON): Known for its readability and compatibility with modern programming languages.
- W3C Extended Log Format (ELF): Defined by the World Wide Web Consortium (W3C), customizable for web server logging. It is typically used by Microsoft Internet Information Services (IIS) Web Server.
- eXtensible Markup Language (XML): Flexible and customizable for creating standardized logging formats.
Unstructured Logs:
Comprising free-form text, these logs can be rich in context but may pose challenges in systematic parsing. Examples include:
- NCSA Common Log Format (CLF): A standardized web server log format for client requests. It is typically used by the Apache HTTP Server by default. (Apache)
- NCSA Combined Log Format (Combined): An extension of CLF, adding fields like referrer and user agent. It is typically used by Nginx HTTP Server by default. (Nginx)
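The format families above are easiest to understand when you can tell them apart mechanically. The following is an added example (not part of the original notes or the course material): a small POSIX shell script that classifies a line as JSON, NCSA Combined, NCSA CLF or syslog, extracts the HTTP status from the web-server lines, and counts statuses over a mixed stream. All sample lines are constructed for this example, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original notes: tell the log formats listed above
# apart from the command line, then pull the HTTP status out of web-server lines.
# Every sample line below is constructed for this example.

# Print one of: json, combined, clf, syslog, unknown for the line given as $1.
log_format_of() {
    line=$1
    case $line in
        '{'*'}') echo json; return 0 ;;
    esac
    # NCSA Combined = CLF followed by quoted referrer and user agent.
    if printf '%s\n' "$line" | grep -Eq '^[^ ]+ [^ ]+ [^ ]+ \[[^]]+] "[^"]*" [0-9]{3} ([0-9]+|-) "[^"]*" "[^"]*"$'; then
        echo combined
    # NCSA CLF: host ident authuser [timestamp] "request" status bytes
    elif printf '%s\n' "$line" | grep -Eq '^[^ ]+ [^ ]+ [^ ]+ \[[^]]+] "[^"]*" [0-9]{3} ([0-9]+|-)$'; then
        echo clf
    # RFC 3164-style syslog: "Mon DD HH:MM:SS host program[pid]: message"
    elif printf '%s\n' "$line" | grep -Eq '^[A-Z][a-z]{2} +[0-9]{1,2} [0-9]{2}:[0-9]{2}:[0-9]{2} [^ ]+ [^ ]+: '; then
        echo syslog
    else
        echo unknown
    fi
}

# HTTP status code of a CLF/Combined line: the first token after the quoted request.
web_status() {
    printf '%s\n' "$1" | awk -F'"' '{ split($3, f, " "); print f[1] }'
}

# Read a mixed stream on stdin and print "status:count" lines for the web-server
# entries, skipping every line that is not CLF or Combined.
status_histogram() {
    while IFS= read -r l; do
        case $(log_format_of "$l") in
            clf|combined) web_status "$l" ;;
        esac
    done | sort | uniq -c | awk '{ print $2 ":" $1 }' | sort
}

# Constructed sample: one line per format, plus a repeated 404 so the count is visible.
SAMPLE_LOG='127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326
203.0.113.7 - - [12/Mar/2024:08:15:02 +0000] "GET /login HTTP/1.1" 404 512 "-" "curl/8.4.0"
203.0.113.7 - - [12/Mar/2024:08:15:05 +0000] "GET /admin HTTP/1.1" 404 512 "-" "curl/8.4.0"
Mar 12 08:15:03 websrv-02 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
{"ts":"2024-03-12T08:15:04Z","level":"error","msg":"db timeout"}
this line follows no known format'

# Demo: classify each sample line, then summarise the web statuses.
printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r l; do
    printf '%-8s %s\n' "$(log_format_of "$l")" "$l"
done
printf '%s\n' "$SAMPLE_LOG" | status_histogram
```

The classifier deliberately tests Combined before CLF, because every Combined line is also a valid CLF prefix; the reverse order would never report "combined". The syslog pattern covers the traditional RFC 3164 layout that rsyslog writes by default, not the RFC 5424 variant with an ISO timestamp.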
Log standards
A pile of, uh, filler.
Log collection
- Identify Sources: List all potential log sources, such as servers, databases, applications, and network devices.
- Choose a Log Collector: Opt for a suitable log collector tool or software that aligns with your infrastructure.
- Configure Collection Parameters: Ensure that time synchronisation is enabled through NTP to maintain accurate timelines, adjust settings to determine which events to log at what intervals, and prioritise based on importance.
- Test Collection: Once configured, run a test to ensure logs are appropriately collected from all sources.
What, there's a log collector too? Damn.
And then it tells you how to manage logs??
Skipped.
Collecting logs with rsyslog
vim /etc/rsyslog.d/98-websrv-02-sshd.conf

$FileCreateMode 0644
# Filter line assumed: the note only kept the first line of the file; this routes sshd messages to the dedicated log.
:programname, isequal, "sshd" /var/log/websrv-02/rsyslog_sshd.log

sudo systemctl restart rsyslog
It only collects logs from this point on, though.
I thought this was forensics.
Log management with logrotate
sudo vim /etc/logrotate.d/98-websrv-02_sshd.conf

/var/log/websrv-02/rsyslog_sshd.log {
    # The directives were cut off in the note; daily/rotate/compress below are an assumed minimal set.
    daily
    rotate 7
    compress
}

So that's how those logs get generated.
After configuring:
sudo logrotate -f /etc/logrotate.d/98-websrv-02_sshd.conf
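The collection steps listed earlier (identify sources, choose a collector, configure parameters including NTP, test collection) and the rsyslog/logrotate commands above fit together into one small procedure. The script below is an added example, not code from the notes or from the course: it renders the rsyslog filter and the logrotate stanza into a staging directory, checks them before anything touches /etc, and provides install and verification functions for a root shell on a systemd host. The file names, the sshd program name and the log path come from the notes; the rotation policy (daily, 7 compressed copies, date suffix), the checksum manifest written after rotation, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original notes: stage, check, install and verify the
# rsyslog + logrotate setup for the sshd log. Rotation policy and the sha256 manifest
# are assumptions; names and paths are taken from the notes.

RSYSLOG_CONF=98-websrv-02-sshd.conf
LOGROTATE_CONF=98-websrv-02_sshd.conf
SSHD_LOG=/var/log/websrv-02/rsyslog_sshd.log

# Write both files under the directory given as $1 (nothing here touches /etc).
render_sshd_log_configs() {
    out=$1
    mkdir -p "$out"
    cat > "$out/$RSYSLOG_CONF" <<EOF
# New log files are created world-readable, writable only by the rsyslog user.
\$FileCreateMode 0644
# Route every message whose program name is sshd into its own file.
:programname, isequal, "sshd" $SSHD_LOG
EOF
    cat > "$out/$LOGROTATE_CONF" <<EOF
$SSHD_LOG {
    daily
    rotate 7
    compress
    dateext
    missingok
    notifempty
    # Assumed step: keep a hash manifest of the rotated files so that tampering
    # with an archived log shows up as a mismatch.
    lastaction
        /usr/bin/sha256sum $SSHD_LOG-*.gz > $SSHD_LOG.sha256
    endscript
}
EOF
}

# Static sanity checks on the rendered files; returns 1 on the first problem found.
check_sshd_log_configs() {
    out=$1
    grep -q '^\$FileCreateMode 0644$' "$out/$RSYSLOG_CONF" || return 1
    grep -q "^:programname, isequal, \"sshd\" $SSHD_LOG\$" "$out/$RSYSLOG_CONF" || return 1
    grep -q "^$SSHD_LOG {\$" "$out/$LOGROTATE_CONF" || return 1
    # The stanza must be balanced and its script block closed.
    [ "$(grep -c '{' "$out/$LOGROTATE_CONF")" -eq "$(grep -c '}' "$out/$LOGROTATE_CONF")" ] || return 1
    grep -q '^ *lastaction$' "$out/$LOGROTATE_CONF" && grep -q '^ *endscript$' "$out/$LOGROTATE_CONF" || return 1
    return 0
}

# Install the staged files and restart rsyslog; needs root and systemd (assumed).
install_sshd_log_configs() {
    out=$1
    mkdir -p "$(dirname "$SSHD_LOG")"
    cp "$out/$RSYSLOG_CONF" /etc/rsyslog.d/
    cp "$out/$LOGROTATE_CONF" /etc/logrotate.d/
    systemctl restart rsyslog
}

# "Test Collection" step: warn if the clock is not NTP-synchronised, emit a message
# tagged as sshd (logger's tag is what rsyslog's programname matches), and confirm
# it landed in the dedicated file.
verify_collection() {
    [ "$(timedatectl show -p NTPSynchronized --value)" = "yes" ] || echo "warning: clock not NTP synchronised" >&2
    logger -t sshd "rsyslog collection test $$"
    sleep 1
    grep -q "rsyslog collection test $$" "$SSHD_LOG"
}

# Usage: ./stage-sshd-log.sh render   (staging only; install/verify need root)
case ${1:-} in
    render)
        d=$(mktemp -d)
        render_sshd_log_configs "$d" && check_sshd_log_configs "$d" && echo "staged in $d" ;;
esac
```

Once staged, `logrotate -d /path/to/98-websrv-02_sshd.conf` dry-runs the stanza and reports parse errors without rotating anything; `sudo logrotate -f` on the installed copy then forces the first rotation, exactly as in the note above.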