我有一台正在使用rsyslogd.当在 中查找特定用户运行的命令时/var/log/secure,我发现某些命令似乎被切断。
例如,您可以看到 JSON 的开头被截断:
Aug 19 16:31:28 server1.example.com journal: root[265681] : documentation","indices":[211,225]},{"text":"parsingJSON","indices":[226,238]},{"text":"GeoTagged","indices":[239,249]}]}},"entities":{"hashtags":[]}},{"created_at":"Thu May 10 17:41:57 +0000 2018","id_str":"994633657141813248","text":"Just another Extended Tweet with more than 140 characters, generated as a documentation example, showing that [\"tru? https://t.co/U7Se4NM7Eu","display_text_range":[0,140],"truncated":true,"user":{"id_str":"944480690","screen_name":"FloodSocial"},"extended_tweet":{"full_text":"Just another Extended Tweet with more than 140 characters, generated as a documentation example, showing that [\"truncated\": true] and the presence of an \"extended_tweet\" object with complete text and \"entities\" #documentation #parsingJSON #GeoTagged https://t.co/e9yhQTJSIA","display_text_range":[0,249],"entities":{"hashtags":[{"text":"documentation","indices":[211,225]},{"text":"parsingJSON","indices":[226,238]},{"text":"GeoTagged","indices":[239,249]}]}},"entities":{"hashtags":[]}}] [login: alice]
答案1
日志实际上被分割成多个部分。第二个冒号后面的部分最多为 1024 个字符。用户的登录名仅包含在最后一段中。