This is Gentoo's testing wiki. It is a non-operational environment and its textual content is outdated.
Please visit our production wiki at https://wiki.gentoo.org
Logcheck
这篇指南向你展示如何使用 logcheck 分析系统日志。
logcheck 入门
背景
logcheck 是 logsentry ——一个系统日志分析工具——的升级版本。另外 logcheck 还自带一个内置的数据库,包含了很多常见的、不是用户感兴趣的日志信息,用于消除噪音。这个工具的主要思路是,所有的信息都是用户感兴趣的,出了那些被明确标记为噪音的信心。logcheck 会定期给你发送一封你感兴趣的信息的摘要的电子邮件。
安装 logcheck
如果你安装过 logsentry,强烈建议你先卸载它。此外,你应该删除 /etc/logcheck 以避免权限和文件冲突的问题。
root #emerge -c logsentryroot #rm -rf /etc/logcheck现在你可以安装 logcheck。
root #emerge --ask app-admin/logcheck基本配置
logcheck 会创建一个单独的用户 "logcheck",以避免以 root 用户运行。事实上,如果是 root 用户程序会拒绝运行。为了允许程序分析日志,你需要确保日志对于 logcheck 是可读的。这是一个 syslog-ng 的例子:
This is a deprecated template. Help us update this template!
现在重新加载配置并确保修改如预期的正常工作。
root #/etc/init.d/syslog-ng reload
root #ls -l /var/log/messages-rw-r----- 1 root logcheck 1694438 Feb 12 12:18 /var/log/messages
你现在应当在 /etc/logcheck/logcheck.conf 中调整 基本的 logcheck 配置。
This is a deprecated template. Help us update this template!
你还需要在 (/etc/logcheck/logcheck.logfiles) 中告诉 logcheck 扫描那些日志文件。
This is a deprecated template. Help us update this template!
最后,启用 logcheck cron job。
root #nano -w /etc/cron.hourly/logcheck.cron关于 cron 的更多信息请查阅 Cron Guide。
恭喜!现在你将会定期收到重要日志信息的电子邮件了。一个信息的例子看起来如下:
This is a deprecated template. Help us update this template!
故障排除
通用提示
你可以使用 logcheck 的 -d 参数显示调试信息。例如:
root #su -s /bin/bash -c '/usr/sbin/logcheck -d' logcheckD: [1281318818] Turning debug mode on D: [1281318818] Sourcing - /etc/logcheck/logcheck.conf D: [1281318818] Finished getopts c:dhH:l:L:m:opr:RsS:tTuvw D: [1281318818] Trying to get lockfile: /var/lock/logcheck/logcheck.lock D: [1281318818] Running lockfile-touch /var/lock/logcheck/logcheck.lock D: [1281318818] cleanrules: /etc/logcheck/cracking.d/kernel ... D: [1281318818] cleanrules: /etc/logcheck/violations.d/su D: [1281318818] cleanrules: /etc/logcheck/violations.d/sudo ... D: [1281318825] logoutput called with file: /var/log/messages D: [1281318825] Running /usr/sbin/logtail2 on /var/log/messages D: [1281318825] Sorting logs D: [1281318825] Setting the Intro D: [1281318825] Checking for security alerts D: [1281318825] greplogoutput: kernel ... D: [1281318825] greplogoutput: returning 1 D: [1281318825] Checking for security events ... D: [1281318825] greplogoutput: su D: [1281318825] greplogoutput: Entries in checked D: [1281318825] cleanchecked - file: /tmp/logcheck.uIFLqU/violations-ignore/logcheck-su D: [1281318825] report: cat'ing - Security Events for su ... D: [1281318835] report: cat'ing - System Events D: [1281318835] Setting the footer text D: [1281318835] Sending report: 'localhost 2010-08-09 03:53 Security Events' to root D: [1281318835] cleanup: Killing lockfile-touch - 17979 D: [1281318835] cleanup: Removing lockfile: /var/lock/logcheck/logcheck.lock D: [1281318835] cleanup: Removing - /tmp/logcheck.uIFLqU
This page is based on a document formerly found on our main website gentoo.org.
The following people contributed to the original document: phajdan.jr, nightmorph
They are listed here because wiki history does not allow for any external attribution. If you edit the wiki article, please do not add yourself here; your contributions are recorded on each article's associated history page.