No activity on server with logging every 5 seconds
Recently I noticed that the log files on my server grow faster than I expected. After a quick look I realised that wtmp is actively eating my disk space. Using the utmpdump command (see below) I found that 3 or 4 new records are logged every 5 seconds.
# utmpdump /var/log/wtmp | tail -n 25
Utmp dump of /var/log/wtmp
[6] [00886] [2 ] [LOGIN ] [tty2 ] [ ] [0.0.0.0 ] [Wed Feb 07 17:26:08 2018 MSK]
[8] [00885] [1 ] [ ] [tty1 ] [ ] [0.0.0.0 ] [Wed Feb 07 17:26:13 2018 MSK]
[6] [00889] [1 ] [LOGIN ] [tty1 ] [ ] [0.0.0.0 ] [Wed Feb 07 17:26:13 2018 MSK]
[8] [00886] [2 ] [ ] [tty2 ] [ ] [0.0.0.0 ] [Wed Feb 07 17:26:13 2018 MSK]
[6] [00890] [2 ] [LOGIN ] [tty2 ] [ ] [0.0.0.0 ] [Wed Feb 07 17:26:13 2018 MSK]
[8] [00889] [1 ] [ ] [tty1 ] [ ] [0.0.0.0 ] [Wed Feb 07 17:26:18 2018 MSK]
[6] [00897] [1 ] [LOGIN ] [tty1 ] [ ] [0.0.0.0 ] [Wed Feb 07 17:26:18 2018 MSK]
[8] [00890] [2 ] [ ] [tty2 ] [ ] [0.0.0.0 ] [Wed Feb 07 17:26:18 2018 MSK]
[6] [00898] [2 ] [LOGIN ] [tty2 ] [ ] [0.0.0.0 ] [Wed Feb 07 17:26:18 2018 MSK]
[8] [00897] [1 ] [ ] [tty1 ] [ ] [0.0.0.0 ] [Wed Feb 07 17:26:23 2018 MSK]
[6] [00899] [1 ] [LOGIN ] [tty1 ] [ ] [0.0.0.0 ] [Wed Feb 07 17:26:23 2018 MSK]
[8] [00898] [2 ] [ ] [tty2 ] [ ] [0.0.0.0 ] [Wed Feb 07 17:26:23 2018 MSK]
[6] [00900] [2 ] [LOGIN ] [tty2 ] [ ] [0.0.0.0 ] [Wed Feb 07 17:26:23 2018 MSK]
[8] [00899] [1 ] [ ] [tty1 ] [ ] [0.0.0.0 ] [Wed Feb 07 17:26:28 2018 MSK]
[6] [00901] [1 ] [LOGIN ] [tty1 ] [ ] [0.0.0.0 ] [Wed Feb 07 17:26:28 2018 MSK]
[8] [00900] [2 ] [ ] [tty2 ] [ ] [0.0.0.0 ] [Wed Feb 07 17:26:28 2018 MSK]
[6] [00902] [2 ] [LOGIN ] [tty2 ] [ ] [0.0.0.0 ] [Wed Feb 07 17:26:28 2018 MSK]
[8] [00901] [1 ] [ ] [tty1 ] [ ] [0.0.0.0 ] [Wed Feb 07 17:26:33 2018 MSK]
[6] [00906] [1 ] [LOGIN ] [tty1 ] [ ] [0.0.0.0 ] [Wed Feb 07 17:26:33 2018 MSK]
[8] [00902] [2 ] [ ] [tty2 ] [ ] [0.0.0.0 ] [Wed Feb 07 17:26:33 2018 MSK]
[6] [00907] [2 ] [LOGIN ] [tty2 ] [ ] [0.0.0.0 ] [Wed Feb 07 17:26:33 2018 MSK]
[8] [00906] [1 ] [ ] [tty1 ] [ ] [0.0.0.0 ] [Wed Feb 07 17:26:38 2018 MSK]
[6] [00910] [1 ] [LOGIN ] [tty1 ] [ ] [0.0.0.0 ] [Wed Feb 07 17:26:38 2018 MSK]
[8] [00907] [2 ] [ ] [tty2 ] [ ] [0.0.0.0 ] [Wed Feb 07 17:26:38 2018 MSK]
[6] [00911] [2 ] [LOGIN ] [tty2 ] [ ] [0.0.0.0 ] [Wed Feb 07 17:26:38 2018 MSK]
There is no load on the server:
# w
17:34:03 up 17 min, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/2 cpe-75-177-130-5 17:24 0.00s 0.02s 0.00s w
and no strange processes wreaking havoc:
# top
top - 17:35:08 up 18 min, 1 user, load average: 0.00, 0.00, 0.00
Tasks: 28 total, 1 running, 27 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.3%us, 0.0%sy, 0.0%ni, 99.7%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 2097152k total, 47060k used, 2050092k free, 0k buffers
Swap: 0k total, 0k used, 0k free, 28024k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1141 root 20 0 11452 3536 2724 S 1.3 0.2 0:00.11 sshd
1 root 20 0 2844 1440 1228 S 0.0 0.1 0:00.27 init
2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthreadd/9506
3 root 20 0 0 0 0 S 0.0 0.0 0:00.00 khelper/9506
72 root 16 -4 2560 600 364 S 0.0 0.0 0:00.00 udevd
98 root 18 -2 2556 604 364 S 0.0 0.0 0:00.00 udevd
99 root 18 -2 2556 604 364 S 0.0 0.0 0:00.00 udevd
458 root 20 0 9400 1008 520 S 0.0 0.0 0:00.02 sshd
469 root 20 0 3144 940 760 S 0.0 0.0 0:00.00 xinetd
483 root 20 0 6224 576 264 S 0.0 0.0 0:00.00 vsftpd
494 root 20 0 8704 864 468 S 0.0 0.0 0:00.00 saslauthd
496 root 20 0 8704 552 156 S 0.0 0.0 0:00.00 saslauthd
514 root 20 0 12352 1820 708 S 0.0 0.1 0:00.01 sendmail
521 smmsp 20 0 12152 1624 644 S 0.0 0.1 0:00.00 sendmail
533 root 20 0 25096 6956 3932 S 0.0 0.3 0:00.03 httpd
543 root 20 0 1964 496 436 S 0.0 0.0 0:00.00 mingetty
544 root 20 0 1964 488 436 S 0.0 0.0 0:00.00 mingetty
552 root 20 0 1964 492 436 S 0.0 0.0 0:00.00 mingetty
554 root 20 0 1964 488 436 S 0.0 0.0 0:00.00 mingetty
556 root 20 0 1964 492 436 S 0.0 0.0 0:00.00 mingetty
558 root 20 0 1964 492 436 S 0.0 0.0 0:00.00 mingetty
559 apache 20 0 25096 3676 628 S 0.0 0.2 0:00.00 httpd
831 root 20 0 12572 3652 2908 S 0.0 0.2 0:00.06 sshd
833 root 20 0 6372 1712 1472 S 0.0 0.1 0:00.02 bash
1136 root 20 0 2548 1076 892 R 0.0 0.1 0:00.00 top
1142 sshd 20 0 10744 1452 876 S 0.0 0.1 0:00.01 sshd
1145 root 20 0 1960 592 532 S 0.0 0.0 0:00.00 mingetty
1146 root 20 0 1960 596 532 S 0.0 0.0 0:00.00 mingetty
What is behind these log records, and why is such a task logged every 5 seconds? Is there a way to stop logging those "dummy" records and log only real logins?
Log all processes running over 50 seconds:
for i in {1..10} ; do ps -efH | tee -a ~/tmp/pids-5.txt; sleep 5; done
Then dump the wtmp contents and check the second-column values against pids-5.txt. It should tell you which user and command the PID belongs to.
Then you can do something to avoid those processes running.
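The procedure in the answer (dump wtmp, take the PID from the second column, look it up in the ps snapshot) can be scripted, which also makes the churn measurable instead of eyeballed. The following is an added example, not code from the question or the answer. It parses the old-style utmpdump format shown in the question (`[type] [pid] [id] [user] [line] [host] [addr] [time]`), computes how often a new LOGIN_PROCESS record (type 6) appears on each tty and how long each PID lived before its DEAD_PROCESS record (type 8), and resolves the PIDs against a `ps -efH` snapshot. The wtmp sample is taken from the question; the ps sample is constructed, and its `/sbin/example-getty` command name is a placeholder, not a diagnosis of what runs on the asker's server. Newer util-linux versions of utmpdump print ISO 8601 timestamps, which this parser does not handle.

```python
"""Measure wtmp churn and resolve the PIDs behind it against a ps snapshot."""
import re
from collections import defaultdict
from datetime import datetime

# utmp ut_type values as printed in utmpdump's first column.
LOGIN_PROCESS = 6   # a getty/login is waiting on the line
DEAD_PROCESS = 8    # the process that owned the line has exited

# Sample utmpdump lines from the question (old-style format).
WTMP_SAMPLE = """\
Utmp dump of /var/log/wtmp
[6] [00886] [2 ] [LOGIN ] [tty2 ] [ ] [0.0.0.0 ] [Wed Feb 07 17:26:08 2018 MSK]
[8] [00885] [1 ] [ ] [tty1 ] [ ] [0.0.0.0 ] [Wed Feb 07 17:26:13 2018 MSK]
[6] [00889] [1 ] [LOGIN ] [tty1 ] [ ] [0.0.0.0 ] [Wed Feb 07 17:26:13 2018 MSK]
[8] [00886] [2 ] [ ] [tty2 ] [ ] [0.0.0.0 ] [Wed Feb 07 17:26:13 2018 MSK]
[6] [00890] [2 ] [LOGIN ] [tty2 ] [ ] [0.0.0.0 ] [Wed Feb 07 17:26:13 2018 MSK]
[8] [00889] [1 ] [ ] [tty1 ] [ ] [0.0.0.0 ] [Wed Feb 07 17:26:18 2018 MSK]
[6] [00897] [1 ] [LOGIN ] [tty1 ] [ ] [0.0.0.0 ] [Wed Feb 07 17:26:18 2018 MSK]
[8] [00890] [2 ] [ ] [tty2 ] [ ] [0.0.0.0 ] [Wed Feb 07 17:26:18 2018 MSK]
[6] [00898] [2 ] [LOGIN ] [tty2 ] [ ] [0.0.0.0 ] [Wed Feb 07 17:26:18 2018 MSK]
"""

# Constructed `ps -efH` snapshot; the command names are placeholders.
PS_SAMPLE = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 17:17 ?        00:00:00 init
root       897     1  0 17:26 tty1     00:00:00   /sbin/example-getty tty1
root       898     1  0 17:26 tty2     00:00:00   /sbin/example-getty tty2
"""

# Eight bracketed fields; \s* tolerates both padded and whitespace-collapsed output.
RECORD_RE = re.compile(
    r"\[(\d+)\]\s*\[(\d+)\]\s*\[([^\]]*)\]\s*\[([^\]]*)\]\s*\[([^\]]*)\]\s*"
    r"\[([^\]]*)\]\s*\[([^\]]*)\]\s*\[([^\]]*)\]"
)


def parse_utmpdump(text):
    """Return one dict per record; the banner line and unparsable lines are skipped."""
    records = []
    for raw in text.splitlines():
        m = RECORD_RE.match(raw.strip())
        if not m:
            continue
        rtype, pid, ut_id, user, line, host, addr, when = (f.strip() for f in m.groups())
        # Drop the trailing zone abbreviation: strptime's %Z rejects names like MSK.
        stamp = datetime.strptime(when.rsplit(" ", 1)[0], "%a %b %d %H:%M:%S %Y")
        records.append({"type": int(rtype), "pid": int(pid), "id": ut_id, "user": user,
                        "line": line, "host": host, "addr": addr, "time": stamp})
    return records


def login_intervals(records):
    """Seconds between consecutive LOGIN_PROCESS records per line; a steady small gap is respawn churn."""
    by_line = defaultdict(list)
    for r in records:
        if r["type"] == LOGIN_PROCESS:
            by_line[r["line"]].append(r["time"])
    return {line: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
            for line, ts in by_line.items()}


def process_lifetimes(records):
    """Seconds from a PID's LOGIN_PROCESS record to its DEAD_PROCESS record (only PIDs with both)."""
    born = {r["pid"]: r["time"] for r in records if r["type"] == LOGIN_PROCESS}
    return {r["pid"]: int((r["time"] - born[r["pid"]]).total_seconds())
            for r in records if r["type"] == DEAD_PROCESS and r["pid"] in born}


def parse_ps(text):
    """Map PID -> command from `ps -efH` output; header rows (repeated by tee -a) are skipped."""
    pid_to_cmd = {}
    for raw in text.splitlines():
        parts = raw.split(None, 7)
        if len(parts) == 8 and parts[1].isdigit():
            pid_to_cmd[int(parts[1])] = parts[7].strip()
    return pid_to_cmd


def correlate(records, pid_to_cmd):
    """Per line: every wtmp PID and the command it resolved to (None if it was gone before the snapshot)."""
    result = defaultdict(dict)
    for r in records:
        result[r["line"]][r["pid"]] = pid_to_cmd.get(r["pid"])
    return dict(result)


if __name__ == "__main__":
    recs = parse_utmpdump(WTMP_SAMPLE)
    print("login intervals per line:", login_intervals(recs))
    print("PID lifetimes:", process_lifetimes(recs))
    for line, pids in correlate(recs, parse_ps(PS_SAMPLE)).items():
        print(line, {pid: cmd or "<exited before snapshot>" for pid, cmd in pids.items()})
```

On a live system, replace the two samples with `utmpdump /var/log/wtmp` and the `pids-5.txt` file from the answer; only PIDs that were alive during one of the ten snapshots will resolve, which is why the snapshot loop is repeated every 5 seconds. A line that shows constant 5-second intervals and 5-second lifetimes is being respawned, and the resolved command is what to investigate.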