Linux 启动 cron 日志审计

原创

岳麓丹枫 2022-10-23 00:36:21 博主文章分类：Linux ©著作权

文章标签 linux 运维服务器 postgresql ubuntu 文章分类 运维

©著作权归作者所有：来自51CTO博客作者岳麓丹枫的原创作品，请联系作者获取转载授权，否则将追究法律责任

CentOS 系统

查看服务状态

 [root@localhost ~]# service rsyslog status
Redirecting to /bin/systemctl status  rsyslog.service
● rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled;  vendor preset: enabled)
   Active: active (running) since Fri 2022-10-14 17:43:55 CST; 5 days ago
 Main PID: 1796 (rsyslogd)
   Memory: 4.0M
   CGroup: /system.slice/rsyslog.service
           └─1796 /usr/sbin/rsyslogd -n

与 cron 审计相关

[root@localhost ~]# cat  /etc/rsyslog.conf  | grep cron
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
# Log cron stuff
cron.*                                                  /var/log/cron

Ubuntu 系统

查看 rsyslog 状态

root@mp:/postgresql/test2# service
root@mp:/postgresql/test2# service rsyslog status
● rsyslog.service - System Logging Service
  Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2022-08-08 16:36:52 CST; 2 months 12 days ago
TriggeredBy: ● syslog.socket
       Docs: man:rsyslogd(8)
              man:rsyslog.conf(5)
             https://www.rsyslog.com/doc/
   Main PID: 1869654 (rsyslogd)
      Tasks: 4 (limit: 230343)
     Memory: 21.4M
        CPU: 56.698s
     CGroup: /system.slice/rsyslog.service
            └─1869654 /usr/sbin/rsyslogd -n -iNONE

与 cron 审计相关

root@mp:/postgresql/test2# cat /etc/rsyslog.d/50-default.conf | grep cron
#cron.*                         /var/log/cron.log
#       cron,daemon.none;\
建议将其打开, 便于定位问题
sed -i '/^\#cron/ccron.*\t/var/log/cron' /etc/rsyslog.d/50-default.conf 
然后 
service rsyslog restart
等待一段时间, 后面在 cron 日志中就可以看到相关记录了
root@mp:/postgresql/test2# cat /var/log/cron.log
Oct 20 16:00:01 mp cron[1869645]: (*system*) RELOAD (/etc/crontab)
Oct 20 16:00:01 mp CRON[2290261]: (root) CMD (flock -xn '/tmp/dbbk.lock' -c '/usr/local/bin/dbbk.sh'  &>/dev/null )
root@mp:/postgresql/test2#

/var/log/cron.log 日志轮转

root@mp:/postgresql/test2# cat /etc/logrotate.d/rsyslog
/var/log/syslog
/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
/var/log/messages
{
        rotate 4
        weekly
        missingok
        notifempty
        compress
        delaycompress
        sharedscripts
        postrotate
                /usr/lib/rsyslog/rsyslog-rotate
        endscript
}
root@mp:/postgresql/test2#