[root@h202 ~]# ls
anaconda-ks.cfg Downloads ip.log Music plot Templates vmware-tools-distrib
Desktop install.log logger packages Public Videos zk
Documents install.log.syslog mtools Pictures ruby VMwareTools-9.6.2-1688356.tar.gz
[root@h202 ~]# echo abc
abc
[root@h202 ~]# crontab -l
no crontab for root
[root@h202 ~]# date
Tue May 10 22:03:59 CST 2016
[root@h202 ~]# pwd
/root
[root@h202 ~]# cd xxxxx
-bash: cd: xxxxx: No such file or directory
[root@h202 ~]# cat /etc/passwd | grep root
root:x:0:0:root:/root:/bin/bash
operator:x:11:0:operator:/root:/sbin/nologin
[root@h202 ~]# grep root /etc/shadow
root:$6$Y7oPl.HJqPuiLgcO$.SEke/qishToW6PlZC.UewgjQaLp9YPPTFqvLbh47F6QUhHqPhrLT6fqdEfqYr6TIGyOl0XuAiUnlvJflixfO/:16545:0:99999:7:::
[root@h202 ~]#
[root@h105 ~]# tailf /var/log/messages
May 10 22:03:21 h202 root: [euid=root]:root pts/1 2016-05-10 15:47 (192.168.100.1):[/root]source /etc/bashrc
May 10 22:03:21 h202 root: [euid=root]:root pts/1 2016-05-10 15:47 (192.168.100.1):[/root]source /etc/bashrc
May 10 22:03:23 h202 root: [euid=root]:root pts/1 2016-05-10 15:47 (192.168.100.1):[/root]ls
May 10 22:03:40 h202 root: [euid=root]:root pts/1 2016-05-10 15:47 (192.168.100.1):[/root]echo abc
May 10 22:03:47 h202 root: [euid=root]:root pts/1 2016-05-10 15:47 (192.168.100.1):[/root]crontab -l
May 10 22:03:59 h202 root: [euid=root]:root pts/1 2016-05-10 15:47 (192.168.100.1):[/root]date
May 10 22:04:02 h202 root: [euid=root]:root pts/1 2016-05-10 15:47 (192.168.100.1):[/root]pwd
May 10 22:04:05 h202 root: [euid=root]:root pts/1 2016-05-10 15:47 (192.168.100.1):[/root]cd xxxxx
May 10 22:04:13 h202 root: [euid=root]:root pts/1 2016-05-10 15:47 (192.168.100.1):[/root]cat /etc/passwd | grep root
May 10 22:04:23 h202 root: [euid=root]:root pts/1 2016-05-10 15:47 (192.168.100.1):[/root]grep root /etc/shadow
...
...
...
通过这种方式已经可以实现操作审计了。注意日志里记录的是完整的命令行（见上面 h202 的记录），所以存放日志的 h105 以及 MySQL 也需要和被审计主机同样严格的访问控制。
检查数据库，确保数据也写了一份到 MySQL 中。
[root@h105 ~]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 16
Server version: 5.6.27-76.0 Percona Server (GPL), Release 76.0, Revision 5498987
Copyright (c) 2009-2015 Percona LLC and/or its affiliates
Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> use Syslog
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+------------------------+
| Tables_in_Syslog |
+------------------------+
| SystemEvents |
| SystemEventsProperties |
+------------------------+
2 rows in set (0.00 sec)
mysql> select count(*) from SystemEvents;
+----------+
| count(*) |
+----------+
| 54 |
+----------+
1 row in set (0.00 sec)
mysql> select * from SystemEvents limit 5\G;
*************************** 1. row ***************************
ID: 1
CustomerID: NULL
ReceivedAt: 2016-05-10 21:39:29
DeviceReportedTime: 2016-05-10 21:39:29
Facility: 0
Priority: 6
FromHost: h105
Message: imklog 5.8.10, log source = /proc/kmsg started.
NTSeverity: NULL
Importance: NULL
EventSource: NULL
EventUser: NULL
EventCategory: NULL
EventID: NULL
EventBinaryData: NULL
MaxAvailable: NULL
CurrUsage: NULL
MinUsage: NULL
MaxUsage: NULL
InfoUnitID: 1
SysLogTag: kernel:
EventLogType: NULL
GenericFileName: NULL
SystemID: NULL
*************************** 2. row ***************************
ID: 2
CustomerID: NULL
ReceivedAt: 2016-05-10 21:39:29
DeviceReportedTime: 2016-05-10 21:39:29
Facility: 5
Priority: 6
FromHost: h105
Message: [origin software="rsyslogd" swVersion="5.8.10" x-pid="3230" x-info="http://www.rsyslog.com"] start
NTSeverity: NULL
Importance: NULL
EventSource: NULL
EventUser: NULL
EventCategory: NULL
EventID: NULL
EventBinaryData: NULL
MaxAvailable: NULL
CurrUsage: NULL
MinUsage: NULL
MaxUsage: NULL
InfoUnitID: 1
SysLogTag: rsyslogd:
EventLogType: NULL
GenericFileName: NULL
SystemID: NULL
*************************** 3. row ***************************
ID: 3
CustomerID: NULL
ReceivedAt: 2016-05-10 21:40:01
DeviceReportedTime: 2016-05-10 21:40:01
Facility: 9
Priority: 6
FromHost: h105
Message: (root) CMD (/usr/lib64/sa/sa1 1 1)
NTSeverity: NULL
Importance: NULL
EventSource: NULL
EventUser: NULL
EventCategory: NULL
EventID: NULL
EventBinaryData: NULL
MaxAvailable: NULL
CurrUsage: NULL
MinUsage: NULL
MaxUsage: NULL
InfoUnitID: 1
SysLogTag: CROND[3246]:
EventLogType: NULL
GenericFileName: NULL
SystemID: NULL
*************************** 4. row ***************************
ID: 4
CustomerID: NULL
ReceivedAt: 2016-05-10 21:40:02
DeviceReportedTime: 2016-05-10 21:40:02
Facility: 9
Priority: 5
FromHost: h105
Message: Job `cron.daily' started
NTSeverity: NULL
Importance: NULL
EventSource: NULL
EventUser: NULL
EventCategory: NULL
EventID: NULL
EventBinaryData: NULL
MaxAvailable: NULL
CurrUsage: NULL
MinUsage: NULL
MaxUsage: NULL
InfoUnitID: 1
SysLogTag: anacron[2878]:
EventLogType: NULL
GenericFileName: NULL
SystemID: NULL
*************************** 5. row ***************************
ID: 5
CustomerID: NULL
ReceivedAt: 2016-05-10 21:40:02
DeviceReportedTime: 2016-05-10 21:40:02
Facility: 9
Priority: 5
FromHost: h105
Message: starting cups
NTSeverity: NULL
Importance: NULL
EventSource: NULL
EventUser: NULL
EventCategory: NULL
EventID: NULL
EventBinaryData: NULL
MaxAvailable: NULL
CurrUsage: NULL
MinUsage: NULL
MaxUsage: NULL
InfoUnitID: 1
SysLogTag: run-parts(/etc/cron.daily)[3249]:
EventLogType: NULL
GenericFileName: NULL
SystemID: NULL
5 rows in set (0.00 sec)
ERROR:
No query specified
mysql>
mysql> select * from SystemEvents where id=51 \G;
*************************** 1. row ***************************
ID: 51
CustomerID: NULL
ReceivedAt: 2016-05-10 22:04:23
DeviceReportedTime: 2016-05-10 22:04:23
Facility: 1
Priority: 5
FromHost: h202
Message: [euid=root]:root pts/1 2016-05-10 15:47 (192.168.100.1):[/root]grep root /etc/shadow
NTSeverity: NULL
Importance: NULL
EventSource: NULL
EventUser: NULL
EventCategory: NULL
EventID: NULL
EventBinaryData: NULL
MaxAvailable: NULL
CurrUsage: NULL
MinUsage: NULL
MaxUsage: NULL
InfoUnitID: 1
SysLogTag: root:
EventLogType: NULL
GenericFileName: NULL
SystemID: NULL
1 row in set (0.01 sec)
ERROR:
No query specified
mysql>