我有一台操作系统为 Centos 7 的服务器,正在查看日志文件,例如消息日志文件(“/var/log/messages”)我看到它主要充满了如下条目:
Aug 29 12:46:01 localhost systemd: Created slice user-48.slice.
Aug 29 12:46:01 localhost systemd: Starting user-48.slice.
Aug 29 12:46:01 localhost systemd: Started Session 984866 of user apache.
Aug 29 12:46:01 localhost systemd: Starting Session 984866 of user apache.
Aug 29 12:46:01 localhost systemd: Started Session 984868 of user apache.
Aug 29 12:46:01 localhost systemd: Starting Session 984868 of user apache.
Aug 29 12:46:01 localhost systemd: Started Session 984867 of user apache.
Aug 29 12:46:01 localhost systemd: Starting Session 984867 of user apache.
Aug 29 12:46:01 localhost systemd: Started Session 984869 of user apache.
Aug 29 12:46:01 localhost systemd: Starting Session 984869 of user apache.
Aug 29 12:46:02 localhost systemd: Removed slice user-48.slice.
Aug 29 12:46:02 localhost systemd: Stopping user-48.slice.
Aug 29 12:47:01 localhost kernel: audit_printk_skb: 51 callbacks suppressed
Aug 29 12:47:01 localhost kernel: type=1101 audit(1535543221.712:13161497): pid=45989 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="apache" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Aug 29 12:47:01 localhost kernel: type=1101 audit(1535543221.712:13161499): pid=45992 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="apache" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Aug 29 12:47:01 localhost kernel: type=1101 audit(1535543221.743:13161500): pid=45991 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="apache" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Aug 29 12:47:01 localhost kernel: type=1103 audit(1535543221.749:13161502): pid=45989 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="apache" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Aug 29 12:47:01 localhost kernel: audit: audit_lost=6572998 audit_rate_limit=0 audit_backlog_limit=320
Aug 29 12:47:01 localhost kernel: audit: printk limit exceeded
现在,这些消息对我自己来说看起来不太有用,因此如果我是正确的话,我想停止记录它。
我想知道我对这些消息缺乏用处的假设是否正确,如果正确,我该如何阻止这些消息被记录?
我的/etc/rsyslog.conf内容:
# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on
# File to store the position in the journal
$IMJournalStateFile imjournal.state
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
我的系统日志:
/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
missingok
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}
答案1
我没有使用 CentOS,但它可能运行着systemd和journald。rsyslog每个文件都可以配置为日志记录,但最接近最终文件的/var/log/messages应该是/etc/rsyslog.conf。其中可能有一行,例如:
*.info;mail.none;authpriv.none;cron.none /var/log/messages
您可以替换*.info为不同的级别,例如*.warning。(级别为:emerg alert crit err warning notice info debug)。您必须使用以下命令重新启动守护程序
sudo systemctl status rsyslogd
这就是您需要更改的全部内容,但为了完整性,这里还有另外 2 个通常不会更改的配置。
使用 systemd,您可能还会在 中登录压缩的二进制文件/var/log/journal/。这是通过文件/etc/systemd/journald.conf(以及其他文件,请参阅man journald.conf)配置的,您可以编辑该文件以添加行,例如,
MaxLevelSyslog=warning
降低默认级别debug,允许所有消息发送到 syslog,然后按照上述方法进行过滤。sudo systemctl restart systemd-journald如果您对此文件进行更改,则可能需要。
该文件/etc/systemd/system.conf(参见man systemd-system.conf)还有一行用于记录来自 systemd 的消息,默认情况下
LogLevel=info
也可以更改。您可能需要重新启动才能重新读取此文件。