Protokolle¶
System-Protokollierung.
Log-Verzeichnisse¶
System-Logs¶
/var/log/syslog # System-Logs
/var/log/auth.log # Authentifizierung
/var/log/kern.log # Kernel-Logs
/var/log/dmesg # Boot-Messages
Service-Logs¶
/var/log/nginx/ # Nginx-Logs
/var/log/apache2/ # Apache-Logs
/var/log/mail.log # Mail-Logs
/var/log/mysql/ # MySQL-Logs
Application-Logs¶
/var/log/app/ # Application-Logs
/var/log/audit/ # Audit-Logs
Log-Rotation¶
Logrotate-Konfiguration¶
sudo nano /etc/logrotate.conf
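# /etc/logrotate.conf -- global defaults; per-log stanzas in /etc/logrotate.d/* override these
weekly
rotate 4
compress
delaycompress
missingok
notifempty
# Bare "create" re-creates each log with the same mode/owner/group as the file
# just rotated. A global "create 644 root root" would (a) make every log that has
# no create line of its own world-readable and (b) hand logs written by non-root
# daemons to root, which can break logging after the first rotation. Set
# mode/owner per log in /etc/logrotate.d instead.
create
include /etc/logrotate.d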
Custom Logrotate¶
sudo nano /etc/logrotate.d/custom-app
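/var/log/app/*.log {
    daily
    missingok
    rotate 30
    compress
    delaycompress
    notifempty
    # 0640 instead of 644: application logs are not world-readable. Give a log
    # shipper/reader access via the group rather than widening the mode again.
    create 0640 app app
    # Without sharedscripts the postrotate block runs once per file matched by
    # the glob, i.e. the service would be reloaded once per log file.
    sharedscripts
    postrotate
        systemctl reload app
    endscript
}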
Log-Analyse¶
Echtzeit-Überwachung¶
# System-Logs: follow the main system log (tail's default is the last 10 lines, then new ones)
sudo tail -n 10 -f -- /var/log/syslog
# Auth-Logs: authentication events (sudo, ssh, PAM); failed logins typically land here
sudo tail -n 10 -f -- /var/log/auth.log
# Webserver-Logs: each tail -f blocks, so run them in separate terminals
sudo tail -n 10 -f -- /var/log/nginx/access.log
sudo tail -n 10 -f -- /var/log/nginx/error.log
Log-Suche¶
# Lines mentioning "error", case-insensitive
grep -i -- error /var/log/syslog
# One specific day. NOTE: this only matches if rsyslog writes ISO/RFC3339
# timestamps; with the traditional "Jan 15 10:00:00" format search for that
# form instead (e.g. a pattern anchored on "Jan 15").
grep -F -- "2024-01-15" /var/log/syslog
# IPv4-looking tokens (loose pattern: 999.999.999.999 also matches)
grep -E -- '([0-9]{1,3}\.){3}[0-9]{1,3}' /var/log/nginx/access.log
Log-Auswertung¶
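# Top-10 client IPs. Field 1 of nginx's default "combined" format is the peer
# address; behind a reverse proxy or load balancer that is the proxy, not the
# client (the client would be in X-Forwarded-For, which the default format
# does not log).
awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -nr | head -10
# HTTP status codes (field 9 in the default "combined" format; adjust the field
# number if log_format was customised)
awk '{print $9}' /var/log/nginx/access.log | sort | uniq -c | sort -nr
# Lines containing "error" in *.log files modified within the last 60 minutes.
# -H prints the file name in front of each match: with "-exec ... \;" grep saw
# one file at a time and omitted it, so you could not tell which log matched.
# "+" batches many files into one grep invocation instead of one per file.
find /var/log -name "*.log" -mmin -60 -exec grep -iH error {} +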
Central Logging¶
Rsyslog-Konfiguration¶
sudo nano /etc/rsyslog.conf
# Remote Logging
# "@@" forwards over TCP (a single "@" would be UDP). Either way the stream is
# plain text: anything on the network path can read or alter it, and nothing
# authenticates the log server. rsyslog can wrap this forwarding action in TLS
# (omfwd with the gtls or ossl stream driver) -- see the rsyslog omfwd
# documentation before forwarding across an untrusted network.
*.* @@logserver.example.com:514
# Local Logging
# auth/authpriv go to their own file (no "-", i.e. synced after each write)
auth,authpriv.* /var/log/auth.log
# catch-all for everything else; the leading "-" skips syncing after each write
*.*;auth,authpriv.none -/var/log/syslog
sudo systemctl restart rsyslog
Logstash (optional)¶
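sudo apt install openjdk-11-jre
# Store Elastic's signing key in its own keyring instead of using the deprecated
# apt-key, which would make the key trusted for *every* repository on the system.
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch \
  | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
# signed-by= limits that key to this repository. Plain "tee" (not "tee -a") so a
# re-run replaces the list file instead of appending a duplicate entry.
# NOTE(review): check Elastic's support matrix -- the 7.x branch may be
# end-of-life; change "7.x" in both places if a newer branch is wanted.
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" \
  | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
sudo apt update
sudo apt install logstash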
Log-Aufbewahrung¶
Aufbewahrungsrichtlinie¶
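#!/bin/bash
# Log-Archivierung: move rotated logs that are older than ARCHIVE_AGE_DAYS into
# an archive directory and purge compressed archives past RETENTION_DAYS.
# Meant to be run as root from cron; any find/mv error aborts the run.
set -euo pipefail

# All settings can be overridden from the environment; the defaults are the
# original values.
LOG_DIR="${LOG_DIR:-/var/log}"
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/log/archives}"
RETENTION_DAYS="${RETENTION_DAYS:-90}"
ARCHIVE_AGE_DAYS="${ARCHIVE_AGE_DAYS:-7}"

# The archive directory is created if missing (mv into a non-existent directory
# would fail). 0750 applies only on creation; rotated logs keep their own mode
# when moved, but the directory itself should not be world-listable either --
# adjust the group to whoever may read archived logs.
mkdir -p -m 0750 -- "$ARCHIVE_DIR"

# Alte Logs archivieren: rotated files whose name contains ".log." and that were
# not modified for more than ARCHIVE_AGE_DAYS days. The archive lives under
# LOG_DIR, so it is pruned from the search; without the prune, files already in
# the archive match "*.log.*" and are mv'ed onto themselves on every run.
# NOTE(review): names like syslog.1 or dmesg.0 do not contain ".log." and are
# therefore never archived by this pattern -- confirm that is intended.
# NOTE(review): same-named files from different subdirectories (e.g.
# nginx/access.log.1 and apache2/access.log.1) overwrite each other in the flat
# archive directory.
find "$LOG_DIR" -path "$ARCHIVE_DIR" -prune -o \
  -type f -name "*.log.*" -mtime +"$ARCHIVE_AGE_DAYS" \
  -exec mv -t "$ARCHIVE_DIR" -- {} +

# Alte Archive löschen: compressed archives older than the retention period.
# NOTE(review): only *.gz is purged, so an uncompressed rotated file (e.g. a
# .log.1 still pending delaycompress) that was moved above stays forever.
find "$ARCHIVE_DIR" -type f -name "*.gz" -mtime +"$RETENTION_DAYS" -delete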
# Make the archive script executable
sudo chmod +x /usr/local/bin/archive-logs.sh
# NOTE(review): /etc/cron.weekly is processed by run-parts, which skips file
# names containing a dot, so the script cannot simply be copied there as
# archive-logs.sh; the entry created here presumably just invokes
# /usr/local/bin/archive-logs.sh.
sudo nano /etc/cron.weekly/archive-logs