Ubuntu Syslog与系统监控工具

Ubuntu Syslog: Configuration and Core Concepts
Syslog is a standardized logging system used in Ubuntu to collect, store, and manage system logs (e.g., kernel messages, application logs, authentication events). The default implementation on Ubuntu is rsyslog, a powerful enhancement of the traditional syslogd service. Key components of syslog include:

• Log Sources: Applications and system components generate log messages (e.g., /var/log/syslog for general system logs, /var/log/auth.log for authentication events).
• Log Levels: Messages are categorized by severity (from debug for detailed debugging to emerg for critical system failures).
• Configuration: The primary config file for rsyslog is /etc/rsyslog.conf, where you define log destinations (files, remote servers), filters (by program name, severity), and formatting rules. For example, *.* /var/log/all.log sends all logs to a single file, while auth,authpriv.* /var/log/auth.log routes authentication logs to a dedicated file.

Common rsyslog tasks include:

• Installing rsyslog: Run sudo apt update && sudo apt install rsyslog (preinstalled on most Ubuntu versions).
• Enabling Remote Logging: Uncomment or add lines in /etc/rsyslog.conf to accept UDP (module(load="imudp") + input(type="imudp" port="514")) or TCP (module(load="imtcp") + input(type="imtcp" port="514")) logs. Restart the service with sudo systemctl restart rsyslog to apply changes.
• Rotating Logs: Use logrotate (configured in /etc/logrotate.d/rsyslog) to manage log file size and retention. A sample config limits /var/log/syslog to 100MB, keeps 4 rotated copies, and compresses old logs.

System Monitoring Tools for Ubuntu
System monitoring tools help track performance metrics (CPU, memory, disk, network) and troubleshoot issues. They can be integrated with syslog to forward alerts or logs for centralized analysis. Below are top recommendations:

1. Command-Line Tools (Lightweight, Scriptable)

• htop: An enhanced alternative to top, offering a color-coded interface, mouse support, and process management (kill, renice). Install with sudo apt install htop and run with htop.
• glances: A cross-platform tool providing real-time stats on CPU, memory, disk, network, and processes. Supports remote monitoring via Web interface (port 61208) or API. Install with sudo apt install glances and run with glances.
• vmstat: Reports virtual memory statistics (CPU usage, memory pages, disk I/O). Use vmstat 1 to update stats every second (e.g., procs shows running/waiting processes, io tracks disk read/write).
• iostat: Part of the sysstat package, it monitors CPU and disk I/O (reads/writes per second, latency). Install with sudo apt install sysstat and run iostat -x 1 for extended stats (e.g., %util shows disk utilization).
• sar: Collects and reports system activity data (CPU, memory, I/O) over time. Use sar -u 1 5 to monitor CPU usage every second for 5 intervals (part of sysstat).
  These tools are ideal for quick checks or scripting (e.g., logging stats to a file).

2. Graphical Tools (User-Friendly, Visual)

• GNOME System Monitor: Preinstalled on Ubuntu, it provides a GUI for monitoring CPU, memory, disk, and network usage. Access via “Activities” > “System Monitor”.
• Conky: A highly customizable desktop widget that displays system stats (CPU, memory, network) directly on the desktop. Configure with a .conkyrc file (e.g., top_name shows top processes, mem shows memory usage).
• Cockpit: A web-based tool for system management and monitoring. Install with sudo apt install cockpit and access via https://<server-ip>:9090 (login with system credentials). It provides dashboards for CPU, memory, disks, and services.

3. Integrated Logging & Monitoring (Centralized Management)

• Logwatch: Analyzes syslog files and generates daily/weekly reports (e.g., failed login attempts, disk space warnings). Install with sudo apt install logwatch and configure in /etc/logwatch/conf/logwatch.conf (set MailTo for email alerts, Detail for report depth). Run manually with logwatch --output text.
• Graylog: An open-source log management platform for centralized log collection, indexing, and analysis. It integrates with rsyslog (send logs via UDP/TCP) and provides dashboards, alerts, and search capabilities.
• Netdata: A real-time performance monitoring tool with a Web interface (port 19999). It tracks system metrics (CPU, memory, disk, network) and integrates with syslog for alerting. Install with Docker: docker run -d --name netdata -p 19999:19999 --network host netdata/netdata.

Integrating Syslog with Monitoring Tools
To correlate logs with system metrics, you can forward syslog messages to monitoring tools:

• rsyslog to Graylog: Configure rsyslog to send logs to Graylog’s UDP/TCP port (e.g., *.* @graylog-server:514). In Graylog, create an input for syslog and set the source to your Ubuntu server.
• glances to syslog: Enable syslog notifications in glances by editing /etc/glances/glances.conf (notify_syslog = True, syslog_facility = local0). Glances will send alerts (e.g., high CPU usage) to syslog, which can then be forwarded to a central log server.
• Logwatch to Email: Configure Logwatch to send reports via email by setting MailTo in /etc/logwatch/conf/logwatch.conf and adding SMTP settings in /etc/mail.rc (e.g., set smtp=smtp://smtp.example.com:587).