概念
在Linux系统中,日志文件是系统运行过程中生成的记录,用于帮助系统管理员监控系统状态、排查问题、检测安全事件等。Linux系统日志文件通常存储在 /var/log 目录下,不同的日志文件记录不同类型的信息。
Linux系统核心日志文件
/var/log/messages
记录系统运行过程中的各种信息,包括硬件设备的检测、内核消息、服务启动和停止的状态等。这是一个综合性的系统日志文件,通常用于记录系统级别的事件。它包含了系统运行过程中产生的大部分信息,但不包括某些特定类型的信息(如认证信息)。
在大多数Linux发行版中(如Red Hat、CentOS、Fedora等),/var/log/messages 是默认的系统日志文件。
示例:
root@master-01:~# cat /var/log/messages
Apr 18 15:05:01 master-01 kernel: [5200270.501174][T1101624] overlayfs: NFS export requires "index=on", falling back to nfs_export=off.
Apr 18 15:05:25 master-01 kernel: [5200293.907489][T1058013] overlayfs: NFS export requires "redirect_dir=nofollow" on non-upper mount, falling back to nfs_export=off.
Apr 18 15:05:25 master-01 kernel: [5200293.912834][T1058013] overlayfs: NFS export requires "redirect_dir=nofollow" on non-upper mount, falling back to nfs_export=off.
Apr 18 15:05:25 master-01 kernel: [5200294.053987][T1101321] overlayfs: NFS export requires "index=on", falling back to nfs_export=off.
Apr 18 15:12:49 master-01 kernel: [5200738.730167][T1110236] overlayfs: NFS export requires "index=on", falling back to nfs_export=off.
Apr 18 15:12:50 master-01 kernel: [5200739.651862][T966957] overlayfs: NFS export requires "redirect_dir=nofollow" on non-upper mount, falling back to nfs_export=off.
Apr 18 15:12:50 master-01 kernel: [5200739.655153][T966957] overlayfs: NFS export requires "redirect_dir=nofollow" on non-upper mount, falling back to nfs_export=off.
Apr 18 15:12:50 master-01 kernel: [5200739.665883][T1110256] overlayfs: NFS export requires "index=on", falling back to nfs_export=off.
Apr 18 15:13:12 master-01 kernel: [5200760.882023][T1099873] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
/var/log/syslog
记录系统运行过程中的各种信息,包括内核消息、服务状态、用户活动等。/var/log/syslog 通常包含的内容比 /var/log/messages 更全面,它不仅记录系统事件,还包含用户活动和应用程序的日志信息。
在基于Debian的系统(如Ubuntu、Debian等)中,/var/log/syslog 是默认的系统日志文件。
示例:
root@master-01:~# cat /var/log/syslog
Apr 18 02:42:21 master-01 containerd[29864]: 2025-04-18 02:42:21.544 [INFO][151713] k8s.go 583: Releasing IP address(es) ContainerID="4760ea90bd55a5807ca183f350d7710e646324735659cb1a8d11b672610604de"
Apr 18 02:42:21 master-01 containerd[29864]: 2025-04-18 02:42:21.544 [INFO][151713] utils.go 195: Calico CNI releasing IP address ContainerID="4760ea90bd55a5807ca183f350d7710e646324735659cb1a8d11b672610604de"
Apr 18 02:42:21 master-01 containerd[29864]: 2025-04-18 02:42:21.561 [INFO][151740] ipam_plugin.go 416: Releasing address using handleID ContainerID="4760ea90bd55a5807ca183f350d7710e646324735659cb1a8d11b672610604de" HandleID="k8s-pod-network.4760ea90bd55a5807ca183f350d7710e646324735659cb1a8d11b672610604de" Workload="master--01-k8s-meego--bytedance--bits--river--public--def--577c769ddc--z8vmb-eth0"
Apr 18 02:42:21 master-01 containerd[29864]: time="2025-04-18T02:42:21+08:00" level=info msg="About to acquire host-wide IPAM lock." source="ipam_plugin.go:357"
Apr 18 02:42:21 master-01 containerd[29864]: time="2025-04-18T02:42:21+08:00" level=info msg="Acquired host-wide IPAM lock." source="ipam_plugin.go:372"
Apr 18 02:42:21 master-01 containerd[29864]: 2025-04-18 02:42:21.565 [WARNING][151740] ipam_plugin.go 433: Asked to release address but it doesn't exist. Ignoring ContainerID="4760ea90bd55a5807ca183f350d7710e646324735659cb1a8d11b672610604de" HandleID="k8s-pod-network.4760ea90bd55a5807ca183f350d7710e646324735659cb1a8d11b672610604de" Workload="master--01-k8s-meego--bytedance--bits--river--public--def--577c769ddc--z8vmb-eth0"
Apr 18 02:42:21 master-01 containerd[29864]: 2025-04-18 02:42:21.565 [INFO][151740] ipam_plugin.go 444: Releasing address using workloadID ContainerID="4760ea90bd55a5807ca183f350d7710e646324735659cb1a8d11b672610604de" HandleID="k8s-pod-network.4760ea90bd55a5807ca183f350d7710e646324735659cb1a8d11b672610604de" Workload="master--01-k8s-meego--bytedance--bits--river--public--def--577c769ddc--z8vmb-eth0"
Apr 18 02:42:21 master-01 containerd[29864]: time="2025-04-18T02:42:21+08:00" level=info msg="Released host-wide IPAM lock." source="ipam_plugin.go:378"
Apr 18 02:42:21 master-01 containerd[29864]: 2025-04-18 02:42:21.567 [INFO][151713] k8s.go 589: Teardown processing complete. ContainerID="4760ea90bd55a5807ca183f350d7710e646324735659cb1a8d11b672610604de"
Apr 18 02:42:21 master-01 containerd[29864]: time="2025-04-18T02:42:21.571116330+08:00" level=warning msg="Failed to get podSandbox status for container event for sandboxID \\"4760ea90bd55a5807ca183f350d7710e646324735659cb1a8d11b672610604de\": an error occurred when try to find sandbox: not found. Sending the event with nil podSandboxStatus.
/var/log/auth.log(Debian系)或 /var/log/secure(Red Hat系)
记录与用户认证相关的信息,包括用户登录、密码验证、权限变更等。
这个日志文件对于检测非法登录尝试和用户权限问题非常重要。例如,如果有人尝试用错误的密码登录系统,相关信息会记录在这里。
示例:
root@master-01:~# cat /var/log/auth.log
Apr 13 21:55:41 master-01 sshd[4018065]: pam_unix(sshd:auth): check pass; user unknown
Apr 13 21:55:41 master-01 sshd[4018065]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=180.184.100.116
Apr 13 21:55:41 master-01 sshd[4017952]: Connection closed by invalid user bytedance 180.184.100.116 port 55066 [preauth]
Apr 13 21:55:44 master-01 sshd[4018065]: Failed password for invalid user bytedance from 180.184.100.116 port 55436 ssh2
Apr 13 21:55:45 master-01 sshd[4018163]: Invalid user bytedance from 180.184.100.116 port 55632
Apr 13 21:55:45 master-01 sshd[4018163]: pam_unix(sshd:auth): check pass; user unknown
Apr 13 21:55:45 master-01 sshd[4018163]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=180.184.100.116
Apr 13 21:55:45 master-01 sshd[4018065]: Connection closed by invalid user bytedance 180.184.100.116 port 55436 [preauth]
Apr 13 21:55:47 master-01 sshd[4018163]: Failed password for invalid user bytedance from 180.184.100.116 port 55632 ssh2
/var/log/dmesg
记录内核消息,主要用于记录系统启动时硬件的检测情况和内核的运行状态。
这个文件通常由内核直接管理,可以通过命令 dmesg 查看其内容。它对于排查硬件问题和内核相关错误非常有用。
root@master-01:~# dmesg
[5199718.443477] overlayfs: NFS export requires "redirect_dir=nofollow" on non-upper mount, falling back to nfs_export=off.
[5199718.446698] overlayfs: NFS export requires "redirect_dir=nofollow" on non-upper mount, falling back to nfs_export=off.
[5199718.694839] overlayfs: NFS export requires "index=on", falling back to nfs_export=off.
[5199731.304854] overlayfs: NFS export requires "redirect_dir=nofollow" on non-upper mount, falling back to nfs_export=off.
[5199731.344757] overlayfs: NFS export requires "redirect_dir=nofollow" on non-upper mount, falling back to nfs_export=off.
[5199731.717113] overlayfs: NFS export requires "index=on", falling back to nfs_export=off.
[5199762.021051] overlayfs: NFS export requires "redirect_dir=nofollow" on non-upper mount, falling back to nfs_export=off.
[5199762.024317] overlayfs: NFS export requires "redirect_dir=nofollow" on non-upper mount, falling back to nfs_export=off.
[5199762.272861] overlayfs: NFS export requires "index=on", falling back to nfs_export=off.
/var/log/cron
记录 cron 定时任务的运行情况,包括任务的执行时间、执行结果等。
这个文件对于监控和排查定时任务的问题非常有用。
示例:
root@master-01:~# cat /var/log/cron
Apr 18 11:00:00 hostname CRON[1234]: (root) CMD (command-to-run)
/var/log/lastlog
记录用户最后一次登录的信息,包括登录时间、登录终端等。
这个文件可以通过 lastlog 命令查看。
示例:
root@master-01:~# lastlog
Username Port From Latest
root pts/0 101.126.56.11 Fri Apr 18 15:02:09 +0800 2025
daemon **Never logged in**
bin **Never logged in**
sys **Never logged in**
sync **Never logged in**
查看日志命令
查看日志有很多命令,例如cat、vi、vim等,但是当日志文件过大时,不建议采用cat、vi、vim命令,因为这些命令会占用cpu及内存,导致系统卡顿。
这个时候我们应该使用head、tail、less、more这四个命令
head
显示文件的头部信息,默认显示前10行内容
语法:
head [选项] 文件名
常用选项说明
- -n:指定显示文件的前N行,默认10行,这是最常用的选项
- -c:指定显示文件的前N个字符
示例:
# 默认显示前10行内容
root@master-01:~# head /var/log/syslog
Apr 18 00:00:01 master-01 rsyslogd: [origin software="rsyslogd" swVersion="8.1901.0" x-pid="1332" x-info="https://www.rsyslog.com"] rsyslogd was HUPed
Apr 18 00:00:01 master-01 systemd[1]: Started Rotate log files.
Apr 18 00:00:01 master-01 registry[29766]: time="2025-04-18T00:00:01.857112064+08:00" level=info msg="response completed" go.version=go1.20.8 http.request.host="sealos.hub:5000" http.request.id=f940f0ec-f940-4e90-ae08-a3c68bd178db http.request.method=GET http.request.remoteaddr="10.3.0.28:26990" http.request.uri="/v2/larkprivate/bytedance.bits.user_public/blobs/sha256:dbda7c5a743e75f8dae27ac9b6adf734d7ea08a8a04445f4c90586ee732b63ab" http.request.useragent="containerd/v1.7.20" http.response.contenttype="application/octet-stream" http.response.duration=367.166533ms http.response.status=200 http.response.written=252821285
Apr 18 00:00:01 master-01 registry[29766]: 10.3.0.28 - - [18/Apr/2025:00:00:01 +0800] "GET /v2/larkprivate/bytedance.bits.user_public/blobs/sha256:dbda7c5a743e75f8dae27ac9b6adf734d7ea08a8a04445f4c90586ee732b63ab HTTP/1.1" 200 252821285 "" "containerd/v1.7.20"
Apr 18 00:00:02 master-01 kubelet[31400]: I0418 00:00:02.118970 31400 pod_startup_latency_tracker.go:102] "Observed pod startup duration" pod="default/meego-bytedance-bits-migration-public-def-7c676b59c4-qgd72" podStartSLOduration=-9.223371707735842e+09 pod.CreationTimestamp="2025-04-17 23:54:33 +0800 CST" firstStartedPulling="2025-04-17 23:59:43.921548557 +0800 CST m=+5121628.305810697" lastFinishedPulling="0001-01-01 00:00:00 +0000 UTC" observedRunningTime="2025-04-18 00:00:01.947985225 +0800 CST m=+5121646.332247382" watchObservedRunningTime="2025-04-18 00:00:02.118934354 +0800 CST m=+5121646.503196502"
Apr 18 00:00:05 master-01 kubelet[31400]: E0418 00:00:05.143945 31400 eviction_manager.go:593] "Eviction manager: pod failed to evict" err="timeout waiting to kill pod" pod="default/meego-bytedance-bits-bql-public-def-68c4bc849c-txdjq"
Apr 18 00:00:05 master-01 kubelet[31400]: I0418 00:00:05.143975 31400 eviction_manager.go:204] "Eviction manager: pods evicted, waiting for pod to be cleaned up" pods="[default/meego-bytedance-bits-bql-public-def-68c4bc849c-txdjq]"
Apr 18 00:00:06 master-01 registry[29766]: time="2025-04-18T00:00:06.536583529+08:00" level=warning msg="error authorizing context: basic authentication challenge for realm "Registry Realm": invalid authorization credential" go.version=go1.20.8 http.request.host="sealos.hub:5000" http.request.id=1ba82cb8-d2f8-46a6-9bc8-867de5a4de67 http.request.method=GET http.request.remoteaddr="10.3.0.28:54514" http.request.uri="/v2/" http.request.useragent="Go-http-client/1.1"
Apr 18 00:00:06 master-01 registry[29766]: 10.3.0.28 - - [18/Apr/2025:00:00:06 +0800] "GET /v2/ HTTP/1.1" 401 87 "" "Go-http-client/1.1"
Apr 18 00:00:06 master-01 kernel: [5145977.194403][T3929279] overlayfs: NFS export requires "redirect_dir=nofollow" on non-upper mount, falling back to nfs_export=off.
root@master-01:~#
# 指定显示前5行内容
root@master-01:~# head -n 5 /var/log/syslog
Apr 18 00:00:01 master-01 rsyslogd: [origin software="rsyslogd" swVersion="8.1901.0" x-pid="1332" x-info="https://www.rsyslog.com"] rsyslogd was HUPed
Apr 18 00:00:01 master-01 systemd[1]: Started Rotate log files.
Apr 18 00:00:01 master-01 registry[29766]: time="2025-04-18T00:00:01.857112064+08:00" level=info msg="response completed" go.version=go1.20.8 http.request.host="sealos.hub:5000" http.request.id=f940f0ec-f940-4e90-ae08-a3c68bd178db http.request.method=GET http.request.remoteaddr="10.3.0.28:26990" http.request.uri="/v2/larkprivate/bytedance.bits.user_public/blobs/sha256:dbda7c5a743e75f8dae27ac9b6adf734d7ea08a8a04445f4c90586ee732b63ab" http.request.useragent="containerd/v1.7.20" http.response.contenttype="application/octet-stream" http.response.duration=367.166533ms http.response.status=200 http.response.written=252821285
Apr 18 00:00:01 master-01 registry[29766]: 10.3.0.28 - - [18/Apr/2025:00:00:01 +0800] "GET /v2/larkprivate/bytedance.bits.user_public/blobs/sha256:dbda7c5a743e75f8dae27ac9b6adf734d7ea08a8a04445f4c90586ee732b63ab HTTP/1.1" 200 252821285 "" "containerd/v1.7.20"
Apr 18 00:00:02 master-01 kubelet[31400]: I0418 00:00:02.118970 31400 pod_startup_latency_tracker.go:102] "Observed pod startup duration" pod="default/meego-bytedance-bits-migration-public-def-7c676b59c4-qgd72" podStartSLOduration=-9.223371707735842e+09 pod.CreationTimestamp="2025-04-17 23:54:33 +0800 CST" firstStartedPulling="2025-04-17 23:59:43.921548557 +0800 CST m=+5121628.305810697" lastFinishedPulling="0001-01-01 00:00:00 +0000 UTC" observedRunningTime="2025-04-18 00:00:01.947985225 +0800 CST m=+5121646.332247382" watchObservedRunningTime="2025-04-18 00:00:02.118934354 +0800 CST m=+5121646.503196502"
tail
显示文件的尾部信息,默认显示后10行
语法
tail [选项] 文件名
常用选项说明:
- -n:指定显示文件的后N行,默认10行
- -f:实时监控文件的变化,当文件内容更新时,tail会自动显示新增的内容,最常用
- -c:指定显示文件的后N个字符
示例:
# 默认显示后10行内容
root@master-01:~# tail /var/log/syslog
Apr 18 15:41:41 master-01 registry[29766]: time="2025-04-18T15:41:41.29733102+08:00" level=info msg="response completed" go.version=go1.20.8 http.request.host="sealos.hub:5000" http.request.id=50602835-b009-4fe0-84d4-5bb7b051ac36 http.request.method=GET http.request.remoteaddr="10.3.0.13:48422" http.request.uri="/v2/dc/meego.component.ssr/blobs/sha256:3d364c24bd4b23073464df3e986c84fbe49dd4ba425702aea2fee938f41be617" http.request.useragent="containerd/v1.7.20" http.response.contenttype="application/octet-stream" http.response.duration=81.484271ms http.response.status=200 http.response.written=9375912
Apr 18 15:41:41 master-01 registry[29766]: 10.3.0.13 - - [18/Apr/2025:15:41:41 +0800] "GET /v2/dc/meego.component.ssr/blobs/sha256:3d364c24bd4b23073464df3e986c84fbe49dd4ba425702aea2fee938f41be617 HTTP/1.1" 200 9375912 "" "containerd/v1.7.20"
Apr 18 15:41:41 master-01 registry[29766]: time="2025-04-18T15:41:41.386849575+08:00" level=info msg="authorized request" go.version=go1.20.8 http.request.host="sealos.hub:5000" http.request.id=fcc56214-8346-41d2-9d23-cb12d2ab3e3a http.request.method=GET http.request.remoteaddr="10.3.0.13:48422" http.request.uri="/v2/dc/meego.component.ssr/blobs/sha256:6f8ed6279370767b6e25a753937101e03861f000ba89f13067f49b4f59af1b6d" http.request.useragent="containerd/v1.7.20" vars.digest="sha256:6f8ed6279370767b6e25a753937101e03861f000ba89f13067f49b4f59af1b6d" vars.name="dc/meego.component.ssr"
Apr 18 15:41:41 master-01 containerd[29864]: time="2025-04-18T15:41:41.699519045+08:00" level=error msg="collecting metrics for 456f3b98e0c6d31ae6e2e95f476689bf326cba5d75edbd8e4b211f9c27c858a9" error="cgroups: cgroup deleted: unknown"
Apr 18 15:41:42 master-01 registry[29766]: time="2025-04-18T15:41:42.364074963+08:00" level=info msg="response completed" go.version=go1.20.8 http.request.host="sealos.hub:5000" http.request.id=fcc56214-8346-41d2-9d23-cb12d2ab3e3a http.request.method=GET http.request.remoteaddr="10.3.0.13:48422" http.request.uri="/v2/dc/meego.component.ssr/blobs/sha256:6f8ed6279370767b6e25a753937101e03861f000ba89f13067f49b4f59af1b6d" http.request.useragent="containerd/v1.7.20" http.response.contenttype="application/octet-stream" http.response.duration=1.047214177s http.response.status=200 http.response.written=577758195
Apr 18 15:41:42 master-01 registry[29766]: 10.3.0.13 - - [18/Apr/2025:15:41:41 +0800] "GET /v2/dc/meego.component.ssr/blobs/sha256:6f8ed6279370767b6e25a753937101e03861f000ba89f13067f49b4f59af1b6d HTTP/1.1" 200 577758195 "" "containerd/v1.7.20"
Apr 18 15:41:50 master-01 kubelet[31400]: I0418 15:41:50.969054 31400 image_gc_manager.go:312] "Disk usage on image filesystem is over the high threshold, trying to free bytes down to the low threshold" usage=85 highThreshold=85 amountToFree=10127867904 lowThreshold=80
Apr 18 15:41:50 master-01 kubelet[31400]: E0418 15:41:50.971171 31400 kubelet.go:1382] "Image garbage collection failed multiple times in a row" err="Failed to garbage collect required amount of images. Attempted to free 10127867904 bytes, but only found 0 bytes eligible to free."
Apr 18 15:41:51 master-01 containerd[29864]: time="2025-04-18T15:41:51.718029829+08:00" level=error msg="collecting metrics for 456f3b98e0c6d31ae6e2e95f476689bf326cba5d75edbd8e4b211f9c27c858a9" error="cgroups: cgroup deleted: unknown"
Apr 18 15:42:01 master-01 containerd[29864]: time="2025-04-18T15:42:01.740866578+08:00" level=error msg="collecting metrics for 456f3b98e0c6d31ae6e2e95f476689bf326cba5d75edbd8e4b211f9c27c858a9" error="cgroups: cgroup deleted: unknown"
# 指定显示后5行的内容
root@master-01:~# tail -n 5 /var/log/syslog
Apr 18 15:42:06 master-01 registry[29766]: 10.3.0.13 - - [18/Apr/2025:15:42:06 +0800] "GET /v2/larkprivate/bytedance.bits.user_public/blobs/sha256:93d5206170400f57c1f3b57c56beb22ebab609af44bd7335e6880962cfd5e125 HTTP/1.1" 200 2137 "" "containerd/v1.7.20"
Apr 18 15:42:06 master-01 registry[29766]: time="2025-04-18T15:42:06.333661489+08:00" level=info msg="authorized request" go.version=go1.20.8 http.request.host="sealos.hub:5000" http.request.id=5891580a-2d84-435c-a908-cb296e199b7b http.request.method=GET http.request.remoteaddr="10.3.0.13:43656" http.request.uri="/v2/larkprivate/bytedance.bits.user_public/blobs/sha256:43d77a3ecc89b1cb6cebdd49083c63dfc24faac7309a55d2c8fd91dbd5d7fa4a" http.request.useragent="containerd/v1.7.20" vars.digest="sha256:43d77a3ecc89b1cb6cebdd49083c63dfc24faac7309a55d2c8fd91dbd5d7fa4a" vars.name="larkprivate/bytedance.bits.user_public"
Apr 18 15:42:06 master-01 registry[29766]: time="2025-04-18T15:42:06.343030264+08:00" level=info msg="response completed" go.version=go1.20.8 http.request.host="sealos.hub:5000" http.request.id=5891580a-2d84-435c-a908-cb296e199b7b http.request.method=GET http.request.remoteaddr="10.3.0.13:43656" http.request.uri="/v2/larkprivate/bytedance.bits.user_public/blobs/sha256:43d77a3ecc89b1cb6cebdd49083c63dfc24faac7309a55d2c8fd91dbd5d7fa4a" http.request.useragent="containerd/v1.7.20" http.response.contenttype="application/octet-stream" http.response.duration=79.554385ms http.response.status=200 http.response.written=9374304
Apr 18 15:42:06 master-01 registry[29766]: 10.3.0.13 - - [18/Apr/2025:15:42:06 +0800] "GET /v2/larkprivate/bytedance.bits.user_public/blobs/sha256:43d77a3ecc89b1cb6cebdd49083c63dfc24faac7309a55d2c8fd91dbd5d7fa4a HTTP/1.1" 200 9374304 "" "containerd/v1.7.20"
Apr 18 15:42:11 master-01 containerd[29864]: time="2025-04-18T15:42:11.760033888+08:00" level=error msg="collecting metrics for 456f3b98e0c6d31ae6e2e95f476689bf326cba5d75edbd8e4b211f9c27c858a9" error="cgroups: cgroup deleted: unknown"
# 实时监控
root@master-01:~# tail -f /var/log/syslog
Apr 18 15:42:05 master-01 registry[29766]: 10.3.0.13 - - [18/Apr/2025:15:42:05 +0800] "GET /v2/larkprivate/bytedance.bits.user_public/blobs/sha256:dbda7c5a743e75f8dae27ac9b6adf734d7ea08a8a04445f4c90586ee732b63ab HTTP/1.1" 200 252821285 "" "containerd/v1.7.20"
Apr 18 15:42:06 master-01 registry[29766]: time="2025-04-18T15:42:06.044094175+08:00" level=info msg="response completed" go.version=go1.20.8 http.request.host="sealos.hub:5000" http.request.id=6a20742d-0b29-4aa9-a081-622579e34913 http.request.method=GET http.request.remoteaddr="10.3.0.13:43656" http.request.uri="/v2/larkprivate/bytedance.bits.user_public/blobs/sha256:3d82803473ffa929bd62ccff81e5f9695fd1dfe883dcaecad2d91c350a51f1a1" http.request.useragent="containerd/v1.7.20" http.response.contenttype="application/octet-stream" http.response.duration=269.30401ms http.response.status=200 http.response.written=87241090
Apr 18 15:42:06 master-01 registry[29766]: 10.3.0.13 - - [18/Apr/2025:15:42:05 +0800] "GET /v2/larkprivate/bytedance.bits.user_public/blobs/sha256:3d82803473ffa929bd62ccff81e5f9695fd1dfe883dcaecad2d91c350a51f1a1 HTTP/1.1" 200 87241090 "" "containerd/v1.7.20"
less
按页显示文件内容,到最后一页时会自动跳转至第一页
操作方式:
下一页:空格或CTRL+F(front)
前一页:CTRL+B(back)
搜索:/搜索内容
第一行:g
最后一行:G
第100行:100g或输入100回车
退出:按q
示例:
root@master-01:~# less /var/log/syslog
more
按页显示文件内容,到最后一页时退出
操作方式:
下一页:空格或CTRL+F(front)
前一页:CTRL+B(back)
搜索:/搜索内容
第一行:g
最后一行:G
第100行:100g或输入100回车
退出:按q
示例:
root@master-01:~# more /var/log/syslog
日志切割
在Linux系统中,日志切割(Log Rotation)是日志管理的重要环节,用于防止日志文件无限制增长,节省磁盘空间,同时便于日志的管理和分析。以下是几种常见的日志切割方法:
logrotate工具
logrotate 是一个 Linux系统日志的管理工具。可以对单个日志文件或者某个目录下的文件按时间 / 大小进行切割,压缩操作;指定日志保存数量;还可以在切割之后运行自定义命令。
logrotate 的主要功能是定期检查配置文件中指定的日志文件,并根据配置条件(如文件大小、日期等)对日志文件进行以下操作:
- 轮转:将当前日志文件重命名为一个新文件(通常是添加日期或序号)。
- 创建新日志文件:重新创建一个空的日志文件,以便程序继续写入。
- 压缩:对旧的日志文件进行压缩,节省磁盘空间。
- 删除旧日志:根据配置删除过期的日志文件。
- 执行脚本:在轮转前后执行自定义脚本,例如重新加载服务。
- logrotate 通常由 cron 定时任务触发,每天运行一次。
- 配置实例
logrotate 的主配置文件是 /etc/logrotate.conf,同时 /etc/logrotate.d/ 目录下可以存放针对特定应用程序的日志轮转配置文件。logrotate 会先读取主配置文件,再读取 /etc/logrotate.d/ 目录下的配置文件。
系统默认配置文件
以Debian系统为例:
查看主配置文件
root@master-01:~# cat /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# use date as a suffix of the rotated file
#dateext
# uncomment this if you want your log files compressed
#compress
# packages drop log rotation information into this directory
include /etc/logrotate.d
查看/etc/logrotate.d目录下子配置文件
root@master-01:~# cat /etc/logrotate.d/rsyslog
/var/log/syslog
{
rotate 7
daily
missingok
notifempty
delaycompress
compress
postrotate
/usr/lib/rsyslog/rsyslog-rotate
endscript
}
/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
/var/log/messages
{
rotate 4
weekly
missingok
notifempty
compress
delaycompress
sharedscripts
postrotate
/usr/lib/rsyslog/rsyslog-rotate
endscript
}
配置文件详解
# 日志文件名,可以填写多个
/var/log/syslog
{
# 指定保留几个旧日志文件,这里指定保留7个旧日志文件
rotate 7
# 指定多长时间轮换一次,这里指定每天轮转一次,weekly指定一周轮转一次,monthly表示每月轮转一次
daily
# 如果日志文件丢失,不会报错
missingok
# 如果日志文件是空的,则不会进行轮转
notifempty
# 延迟压缩日志文件,直到下一次轮转,这样可以避免在轮转时立即压缩,减少磁盘I/O
delaycompress
# 压缩旧日志文件
compress
# 创建新日志文件时的权限、所有者和组
create 640 root adm
# 指定轮转后执行的脚本,例如,重新加载服务或发送通知。和endscript联合使用
postrotate
/usr/lib/rsyslog/rsyslog-rotate
# 脚本结束标识符,和postrotate联合使用
endscript
}
常用配置如下:
rotate:指定保留的旧日志文件数量。例如,rotate 4 表示保留4个旧日志文件。
daily/weekly/monthly:指定轮转的频率。daily 表示每天轮转一次,weekly 表示每周轮转一次,monthly 表示每月轮转一次。
size:根据日志文件的大小进行轮转。例如,size 100k 表示当文件大小超过100KB时进行轮转。
compress:对旧日志文件进行压缩。
delaycompress:延迟压缩,直到下一次轮转。这样可以避免在轮转时立即压缩,减少磁盘I/O。
missingok:如果日志文件丢失,不会报错。
notifempty:如果日志文件为空,不会进行轮转。
create:指定新日志文件的权限、所有者和组。例如,create 640 root adm。
sharedscripts:所有日志文件共享脚本(如 postrotate)。
postrotate 和 endscript:在轮转后执行的脚本。例如,重新加载服务或发送通知。
如何自动运行logrotate
logrotate 通常由 cron 定时任务自动运行。在 /etc/cron.daily/、/etc/cron.weekly/ 或 /etc/cron.monthly/ 目录下会有一个 logrotate 脚本,负责定期调用 logrotate 命令。我们只需要编写好logrotate配置文件即可。
实例:
root@master-01:~# cat /etc/cron.daily/logrotate
#!/bin/sh
# skip in favour of systemd timer
if [ -d /run/systemd/system ]; then
exit 0
fi
# this cronjob persists removals (but not purges)
if [ ! -x /usr/sbin/logrotate ]; then
exit 0
fi
/usr/sbin/logrotate /etc/logrotate.conf
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
/usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
exit $EXITVALUE
如何手动运行logrotate?
-
调试模式:
在强制执行 logrotate 之前,建议先使用调试模式来检查配置文件是否正确。调试模式不会实际执行轮转操作,但会显示将要执行的操作。这样可以避免因配置错误导致的问题。
# 语法
logrotate -d [logrotate配置文件]
# 调试所有日志文件
logrotate -d /etc/logrotate.conf
# 调试单个日志文件
logrotate -d /etc/logrotate.d/apt
-
强制轮转日志文件
强制轮转可能会导致日志文件被重复轮转,或者在某些情况下覆盖旧的日志文件
# 语法
logrotate -f [logrotate配置文件]
# 强制轮转所有日志文件
logrotate -f /etc/logrotate.conf
# 强制轮转单个日志文件
logrotate -f /etc/logrotate.d/apt
split工具
split 命令用于将一个大文件分割成多个小文件,支持按行数、文件大小或指定数量进行分割
基本语法
split [选项] [输入文件] [输出文件前缀]
常用选项:
- -l:按指定的行数分割文件
# 这将把 largefile.txt 分割成多个文件,每个文件包含 100 行,输出文件名为 outputfileaa、outputfileab 等
split -l 100 largefile.txt outputfile
- -b:按照指定的大小分割文件
# 这将把 largefile.txt 分割成多个文件,每个文件大小约为 10MB
split -b 10M largefile.txt outputfile
- -n:按指定的数量分割文件
# 这将把 largefile.txt 分割成 5 个文件
split -n 5 largefile.txt outputfile
- -a:指定生成的文件后缀长度
# 这将生成文件后缀为 3 位的文件,如 outputfileaaa、outputfileaab
split -l 100 -a 3 largefile.txt outputfile
- -d:使用数字后缀而不是字母
# 这将生成文件后缀为数字的文件,如 outputfile00、outputfile01
split -l 100 -d largefile.txt outputfile
