This article is my learning RHCE7.0 the notes, hoping to be helpful to everyone
System log architecture
Time processes and the operating system kernel needs to be able not happen diary. These logs can be used for system audit failures and problems of exclusion. By convention, these logs permanently stored in / var / log directory
RHEL7 log system
Red Hat Enterprise Linux are built based on the syslog protocol standard logging system. Many programs use the system record events and organize them to a log file. Red Hat Enterprise Linux 7 system log messages generated by the two services to handle, they are systemd-journald and rsyslog.
systemd-journald daemon provides an improved log management service can be collected early in the boot process, the standard output, system log, and error during the daemons up and running from the kernel message. These messages will be written a structured event log retention between not restart by default. This allows the system logs system log messages and missed time collected in a central database. System messages can be forwarded to rsyslog systemd-journald for further processing.
rsyslog service then depending on the type (or device) and prioritizing the system log messages to be written to their permanent file / var / log directory contained within.
/ Var / log directory kept by the various specific rsyslog maintain log files in the system and services.
Overview of system log files
Log File Usage
/ Var / log / messages on most systems log messages here. The exception is with authentication, message periodically run the mail processing related jobs as well as pure and debug related information.
/ Var / log / secure security and authentication related messages and error log files.
/ Var / log / maillog associated with the mail server log files.
/var/log/boot.log system startup messages related to this.
System log files
Many programs use syslog protocol to the time recording system. Each log message according to the device (type of message) and priority (severity of the message) classification. Available equipment is outlined in rsyslog.conf (5) man page in.
Eight priority follows the standardized and rating
Priority severity coding
0 emerg system unusable.
1 alert must be taken immediately.
2 crit serious condition.
3 err very serious error condition.
4 warning warning condition.
5 notice Normal but significant event.
6 info informational event.
7 debug level debug messages.
Rsyslogd service equipment usage log messages and priorities to determine how to deal with. This is configured through /etc/rsyslog.conf files, and /etc/rsyslog.d the * .conf files. Custom files and program administrators with the suffix .conf placed /etc/rsyslog.d directory to change rsyslogd rsyslog configuration without being covered by the update.
/etc/rsyslog.conf in ##### RULES ###### part of the package defined log messages saved locations related instructions. Each row represents the left side of the device and the seriousness of the instruction matching log messages. Equipment and severity field rsyslog.conf file may contain the * character as a wildcard, representing all devices and all severity levels. To the right of each line represents the log messages saved file. File Log messages are normally stored in / var / log directory in.
Log files by the rsyslog service maintenance, / var / log directory contains various log files specific to certain services.
For example, the Apache Web server or Samba will write their log files to / var / log directory in the corresponding subdirectory.
Rsyslog message processing may occur in a number of different log files, in order to avoid such a case, the severity of the field is set to none,
Directed to this device represents all messages are not added to the specified log file.
In addition to the log file messages to a file and foreign, they can also be printed to all logged-in user's terminal. In the default rsyslog.conf file for priority to do this for "emerg" all messages.
Log File Rotation
Logs logrotate utility "toggle" to prevent them from containing the / var / log / file system full. When rotated log file name extension will be used to rename, indicating the name of the extended rotation date: If you file after October 30, 2014 rotation, the original / var / log / messages file into / var / log / messages-20141030. After the round of the original file, it creates a new log file, and notifies the write operation of the service to him.
After the rotation several times (usually rotate four times), discard the original log files to free up disk space. logrotate cron job to run once a day program to see if there is any need for log rotation. Most log file rotation once a week, but the speed logrotate rotate files sometimes faster, sometimes slower, or rotate when the file reaches a certain size.
See on logrotate configuration logrotate (8) man page
Analysis of system log entries
rsyslog written system log file shows that the oldest message in the beginning of the file, display the latest news at the end of the file. Rsyslog managed by the log file of all log entries are recorded in a standard format. The following example describes the depth / var / log / secure log file log messages.
(1)Feb 11 20: 11: 48(2) localhost (3)sshd  (4)Failed password for student from 172.25.0.10 port 59344
(1) record the log entry timestamp
(2) send the message log host
(3) send the log messages or process
(4) the actual message sent
Use tail to monitor log files
One or more log file monitoring events, which is particularly helpful to reproduce the problem. tail -f / path / to / file command to output the last line 0 of the specified file and write the new file to be monitored continuously output them.
Send syslog messages using the logger
logger command can send a message to the rsyslog service. By default, the severity of his notice (user.notice) message is sent to the user device, unless specified by the -p option additionally. Testing is particularly useful for change rsyslog configuration.
To send a message to rsyslogd /var/log/boot.log and recorded in the log file, you can do:
logger -p local7.notice LOGSTRING
See systemd log entries
Find events by journalctl
systemd log log data is stored in a structured binary files with indexes in. This data contains additional information related to the event log. For example, system log time, which may include equipment and priority of the original message.
In the Red Hat Enterprise Linux 7, systemd default log storage will be cleared of its contents after a reboot / run / log in. This setting can be changed by the system administrator.
journalctl command from the beginning of the oldest log entry to display the full system log.
journalctl command in bold text to highlight priority notice or warning message in red text highlights the level or higher error messages.
The key to successful use of logs for troubleshooting and auditing that will limit the log search to show only the relevant output.
By default, journalctl -n shows the last 10 log entries. He could accept the last number of log entries via the optional parameter specifies the display. To display the last five log entries, you can run
journalctl -n 5
In the time of troubleshooting a problem, according to the priority filter log file output log entries very kind journalctl -p priority acceptable known name or number as an argument, displays all the specified level and higher-level entry.
journalctl -p err
Similar to the tail -f command, the last 10 lines journalctl -f output log, and a new log entries are written to the log output them to continue
When looking for a specific time of the event, the output is limited to a specific period of time is very useful, journalctl command has two options, you can limit the output to a particular time frame, respectively --since and --until option, both options accepted as YYYY-mM-DD hh format: mm: ss time parameters. If date is omitted, the command assumes the log for the day; if you omit the time portion is assumed to be from 00:00:00 a day, in addition to the date and time fields, these two options are also accepted yesterday, today and tomorrow as a parameter of the effective date.
Output all log entries recorded in the same day.
journalctl --since today
Output February 10, 2014 20:30:00 until February 13, 2014 12:00:00 log entries
journalctl --since "2014-02-10 20:30:00" --until "2014-02-13 12:00:00"
In addition to the visible contents of the log, the log entry also comes only when you turn on verbose output to see the field, all the additional fields appear in the query can be used to filter the log output. This can be used to reduce the output to find a specific event logs complex searches.
journalctl -o verbose
Other search options for a particular process or on-line event there
Name _COMM command
_EXE Path of the executable file
PID _PID process
_UID Users run the process UID
_SYSTEMD_UNIT Start systemd unit of the process
It can be combined into multiple options. Such as query and display systemd unit file sshd.service start the process with PID 1182 and all related log entries.
journalctl _SYSTEMD_UNIT = sshd.service _PID = 1182
Save systemd log
Permanent storage system log
By default, systemd logs stored in the / run / log / journal, and this means that when the system is restarted it will be cleared. The log is a new mechanism 7 in Red Hat Enterprise Linux, but for most installations, since the last log on to start detailed enough.
If there is / var / log / journal directory, the log records will be changed in this directory. The advantage of this is to start immediately after use historical data. However, even permanent log that not all data is permanently retained. The log has a built-in log rotation mechanism, will be starting in a month. In addition, the default size of the log file can not exceed 10% of the system, also can cause the file system free space falls below 15%. These values can then /etc/systemd/journald.conf adjust the current limit log file size to be recorded at the time systemd-journald process started by the following command to view the command displays the first two lines journalctl output:
journalctl | head -2
You can create / var / log / journal directory as the root user, so systemd log into a permanent log.
Ensure that / var / log / journal directory for all and privileges by the root user and group systemd-journal 2775
You need to reboot the system or the root user will be sent a special signal USR1 large systemd-journald process in
killall -USER1 systemd-journal
Because systemd journal is now permanently retained between restarts, you can display the system log messages since the last start since only by journal -b, to reduce the output.
journalctl -b -1 # said it will limit the output to the last boot
Keeping accurate time
For the purposes of log files across multiple systems analysis, correct synchronization system time is very important, Network Time Protocol (NTP) is used by the computer and the Internet to provide information for the correct time and a standard way. Computers can get the correct time information through public NTP services on the Internet
timedatectl # brief command displays the current events related to the system settings, such as the current system time, time zone and NTP synchronization settings.
timedatectl list-timezones # database system contains lists of known time zone
# Set the time zone timedatectl set-timezone
timedatectl set-time 9:00:00 # Setup Time
timedatectl set-ntp true | false # turn on or turn off NTP sync
chronyc sources -v # NTP server verification