{"id":26,"date":"2025-07-16T13:44:55","date_gmt":"2025-07-16T04:44:55","guid":{"rendered":"https:\/\/34.64.61.65\/?p=26"},"modified":"2025-07-16T14:23:37","modified_gmt":"2025-07-16T05:23:37","slug":"%eb%a1%9c%ea%b7%b8_%ea%b4%80%eb%a6%ac%ec%99%80_%eb%aa%a8%eb%8b%88%ed%84%b0%eb%a7%81_%ec%8b%a4%ec%a0%84_%ea%b0%80%ec%9d%b4%eb%93%9c","status":"publish","type":"post","link":"https:\/\/hed-g.me\/?p=26","title":{"rendered":"\ub85c\uadf8 \uad00\ub9ac\uc640 \ubaa8\ub2c8\ud130\ub9c1 \uc2e4\uc804 \uac00\uc774\ub4dc: \uc2dc\uc2a4\ud15c\uc744 \ub208\uc73c\ub85c \ubcf4\ub294 \uae30\uc220"},"content":{"rendered":"\n<p>\uc548\ub155\ud558\uc138\uc694, \uc131\uc7a5\ud558\ub294 \uac1c\ubc1c\uc790 \uc5ec\ub7ec\ubd84!<\/p>\n\n\n\n<p>\uc11c\ubc84\uc5d0 \ubb38\uc81c\uac00 \uc0dd\uacbc\uc744 \ub54c \uc5ec\ub7ec\ubd84\uc740 \uc5b4\ub514\ubd80\ud130 \ubcf4\uc2dc\ub098\uc694? CPU? \uba54\ubaa8\ub9ac? \uc544\ub2c8\uba74 \uadf8\ub0e5&#8230; \uc7ac\uc2dc\uc791? \ud83d\ude05<\/p>\n\n\n\n<p>\uc2e4\uc81c\ub85c\ub294 <strong>\ub85c\uadf8<\/strong>\uac00 \ubaa8\ub4e0 \ubb38\uc81c\uc758 \ub2f5\uc744 \uac00\uc9c0\uace0 \uc788\uc2b5\ub2c8\ub2e4. \uc11c\ubc84\uac00 \ubb34\uc5c7\uc744 \ud558\uace0 \uc788\ub294\uc9c0, \uc5b4\ub5a4 \uc5d0\ub7ec\uac00 \ubc1c\uc0dd\ud588\ub294\uc9c0, \uc5b8\uc81c \ubb38\uc81c\uac00 \uc2dc\uc791\ub418\uc5c8\ub294\uc9c0&#8230; \ubaa8\ub4e0 \uac83\uc774 \ub85c\uadf8\uc5d0 \uae30\ub85d\ub418\uc5b4 \uc788\uc5b4\uc694.<\/p>\n\n\n\n<p>\uc624\ub298\uc740 \uc81c\uac00 \uc2e4\ubb34\uc5d0\uc11c \uc218\uc5c6\uc774 \uacaa\uc5c8\ub358 \uc7a5\uc560 \uc0c1\ud669\ub4e4\uc744 \ud1b5\ud574 \ubc30\uc6b4 <strong>\ub85c\uadf8 \uad00\ub9ac\uc640 \ubaa8\ub2c8\ud130\ub9c1\uc758 \uc2e4\uc804 \ub178\ud558\uc6b0<\/strong>\ub97c \uacf5\uc720\ud558\uaca0\uc2b5\ub2c8\ub2e4. \uc774\ub860\ubcf4\ub2e4\ub294 <strong>&#8220;\uc9c0\uae08 \ub2f9\uc7a5 \ubb38\uc81c\ub97c \ucc3e\uace0 \ud574\uacb0\ud558\ub294&#8221;<\/strong> \uad00\uc810\uc5d0\uc11c \uc124\uba85\ud558\uaca0\uc2b5\ub2c8\ub2e4! 
\ud83d\udd0d<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. \ub85c\uadf8\uc758 \uae30\ubcf8: \ub9ac\ub205\uc2a4 \ub85c\uae45 \uc2dc\uc2a4\ud15c \uc774\ud574\ud558\uae30<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">\ub85c\uadf8 \uc544\ud0a4\ud14d\ucc98: \ub204\uac00 \ubb34\uc5c7\uc744 \uc5b4\ub514\uc5d0 \uae30\ub85d\ud558\ub098?<\/h3>\n\n\n\n<p>\ud604\ub300 \ub9ac\ub205\uc2a4 \uc2dc\uc2a4\ud15c\uc758 \ub85c\uae45\uc740 \ub450 \uc8fc\uc778\uacf5\uc774 \uc788\uc2b5\ub2c8\ub2e4:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># \ub85c\uadf8 \uc2dc\uc2a4\ud15c \uad6c\uc870\n\uc2dc\uc2a4\ud15c \uc774\ubca4\ud2b8 \u2192 systemd-journald \u2192 rsyslogd \u2192 \/var\/log \ud30c\uc77c\ub4e4\n                      \u2193\n                   \/run\/log\/journal (\ubc14\uc774\ub108\ub9ac)<\/code><\/pre>\n\n\n\n<p><strong>\ud575\uc2ec \uac1c\ub150:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>systemd-journald<\/strong>: \ubd80\ud305\ubd80\ud130 \ubaa8\ub4e0 \ub85c\uadf8\ub97c \uc218\uc9d1\ud558\ub294 \uc911\uc559 \uc9d1\uc911\ud654\ub41c \ub85c\uadf8 \uc218\uc9d1\uae30<\/li>\n\n\n\n<li><strong>rsyslogd<\/strong>: \uc804\ud1b5\uc801\uc778 \ud14d\uc2a4\ud2b8 \uae30\ubc18 \ub85c\uadf8 \ud30c\uc77c \uc0dd\uc131\uae30<\/li>\n\n\n\n<li><strong>\ub450 \uc2dc\uc2a4\ud15c\uc774 \ud568\uaed8 \ub3d9\uc791<\/strong>: \ud638\ud658\uc131\uacfc \ud3b8\uc758\uc131\uc744 \ubaa8\ub450 \uc81c\uacf5<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">\uc2e4\ubb34\uc5d0\uc11c \uc790\uc8fc \ud655\uc778\ud558\ub294 \ub85c\uadf8 \ud30c\uc77c\ub4e4<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># \uc8fc\uc694 \uc2dc\uc2a4\ud15c \ub85c\uadf8 \uc704\uce58\uc640 \uc6a9\ub3c4\necho \"=== \ud575\uc2ec \ub85c\uadf8 \ud30c\uc77c\ub4e4 ===\"\n\n# 1. \uc2dc\uc2a4\ud15c \uc804\ubc18\uc801\uc778 \ub85c\uadf8\n\/var\/log\/messages     # \ub300\ubd80\ubd84\uc758 \uc2dc\uc2a4\ud15c \uba54\uc2dc\uc9c0\n\/var\/log\/syslog       # \uc2dc\uc2a4\ud15c \ub85c\uadf8 (Ubuntu\/Debian)\n\n# 2. 
\ubcf4\uc548 \uad00\ub828 \ub85c\uadf8\n\/var\/log\/secure       # SSH, sudo, \uc778\uc99d \uad00\ub828 (RHEL\/CentOS)\n\/var\/log\/auth.log     # \uc778\uc99d \ub85c\uadf8 (Ubuntu\/Debian)\n\n# 3. \uc11c\ube44\uc2a4\ubcc4 \ub85c\uadf8\n\/var\/log\/httpd\/       # Apache \uc6f9\uc11c\ubc84\n\/var\/log\/nginx\/       # Nginx \uc6f9\uc11c\ubc84\n\/var\/log\/mysql\/       # MySQL \ub370\uc774\ud130\ubca0\uc774\uc2a4\n\/var\/log\/postgresql\/  # PostgreSQL \ub370\uc774\ud130\ubca0\uc774\uc2a4\n\n# 4. \uc2dc\uc2a4\ud15c \ubd80\ud305 \ub85c\uadf8\n\/var\/log\/boot.log     # \ubd80\ud305 \uacfc\uc815 \ub85c\uadf8\n\/var\/log\/dmesg        # \ucee4\ub110 \uba54\uc2dc\uc9c0\n\n# 5. \ud06c\ub860 \uc791\uc5c5 \ub85c\uadf8\n\/var\/log\/cron         # \uc2a4\ucf00\uc904 \uc791\uc5c5 \ub85c\uadf8<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">\uc2e4\ubb34 \ud301: \ub85c\uadf8 \ud30c\uc77c \ube60\ub974\uac8c \ud30c\uc545\ud558\uae30<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># \uac01 \ub85c\uadf8 \ud30c\uc77c\uc758 \ud06c\uae30\uc640 \ucd5c\uadfc \uc218\uc815 \uc2dc\uac04 \ud655\uc778\nls -lah \/var\/log\/ | head -10\n\n# \uac00\uc7a5 \ud070 \ub85c\uadf8 \ud30c\uc77c\ub4e4 \ucc3e\uae30\ndu -ah \/var\/log\/ | sort -hr | head -10\n\n# \uc624\ub298 \uc0dd\uc131\ub41c \ub85c\uadf8 \ud30c\uc77c\ub4e4\nfind \/var\/log -name \"*.log\" -mtime 0\n\n# \uc2e4\uc2dc\uac04\uc73c\ub85c \ubcc0\ud654\ud558\ub294 \ub85c\uadf8 \ud30c\uc77c\ub4e4 \ud655\uc778\nlsof +D \/var\/log | grep -v \"(deleted)\"<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">2. journalctl: \ud604\ub300\uc801 \ub85c\uadf8 \ubd84\uc11d\uc758 \ud575\uc2ec \ub3c4\uad6c<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">\uae30\ubcf8 \uc0ac\uc6a9\ubc95\uacfc \ud575\uc2ec \uc635\uc158\ub4e4<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># 1. \uc804\uccb4 \ub85c\uadf8 \ud655\uc778 (\uae30\ubcf8)\njournalctl\n\n# 2. 
\uc2e4\uc2dc\uac04 \ub85c\uadf8 \ubaa8\ub2c8\ud130\ub9c1 (\uac00\uc7a5 \ub9ce\uc774 \uc0ac\uc6a9!)\njournalctl -f\n\n# 3. \ucd5c\uadfc \ub85c\uadf8\ub9cc \ud655\uc778\njournalctl -n 50        # \ucd5c\uadfc 50\uc904\njournalctl --since today # \uc624\ub298\ubd80\ud130\njournalctl --since \"2024-01-15 14:00:00\"\n\n# 4. \ud2b9\uc815 \uae30\uac04 \ub85c\uadf8 \ud655\uc778\njournalctl --since \"2024-01-15\" --until \"2024-01-16\"\njournalctl --since \"1 hour ago\"\njournalctl --since \"30 minutes ago\"<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">\uc11c\ube44\uc2a4\ubcc4 \ub85c\uadf8 \ubd84\uc11d<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># \ud2b9\uc815 \uc11c\ube44\uc2a4 \ub85c\uadf8\ub9cc \ud655\uc778\njournalctl -u nginx\njournalctl -u mysql\njournalctl -u ssh\n\n# \uc5ec\ub7ec \uc11c\ube44\uc2a4 \ub3d9\uc2dc\uc5d0 \ud655\uc778\njournalctl -u nginx -u mysql\n\n# \uc11c\ube44\uc2a4 \ub85c\uadf8 \uc2e4\uc2dc\uac04 \ubaa8\ub2c8\ud130\ub9c1\njournalctl -u nginx -f\n\n# \uc11c\ube44\uc2a4 \ub85c\uadf8 with \uc6b0\uc120\uc21c\uc704\njournalctl -u nginx -p err    # \uc5d0\ub7ec \ub808\ubca8\ub9cc\njournalctl -u nginx -p warning # \uacbd\uace0 \uc774\uc0c1\ub9cc<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">\uc2e4\uc804 \uc2dc\ub098\ub9ac\uc624\ubcc4 \ub85c\uadf8 \ubd84\uc11d<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">\uc2dc\ub098\ub9ac\uc624 1: &#8220;\uc6f9\uc0ac\uc774\ud2b8\uac00 \uac11\uc790\uae30 \ub290\ub824\uc84c\uc5b4\uc694!&#8221;<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code># 1\ub2e8\uacc4: \uc6f9\uc11c\ubc84 \uc5d0\ub7ec \ub85c\uadf8 \ud655\uc778\njournalctl -u nginx -p err --since \"1 hour ago\"\n\n# 2\ub2e8\uacc4: \uc2dc\uc2a4\ud15c \uc790\uc6d0 \uad00\ub828 \ub85c\uadf8\njournalctl -p crit --since \"1 hour ago\"\n\n# 3\ub2e8\uacc4: \ub370\uc774\ud130\ubca0\uc774\uc2a4 \uad00\ub828 \ub85c\uadf8\njournalctl -u mysql --since \"1 hour ago\" | grep -i \"slow|error|warning\"\n\n# 4\ub2e8\uacc4: \uba54\ubaa8\ub9ac\/\ub514\uc2a4\ud06c 
\uad00\ub828 \ub85c\uadf8\njournalctl -k --since \"1 hour ago\" | grep -i \"oom|memory|disk\"<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">\uc2dc\ub098\ub9ac\uc624 2: &#8220;\uc11c\ubc84\uc5d0 \uc774\uc0c1\ud55c \uc811\uadfc\uc774 \uc788\uc5c8\ub098\uc694?&#8221;<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code># SSH \uc811\uadfc \uc2dc\ub3c4 \ubd84\uc11d\njournalctl -u ssh --since today | grep \"Failed password\"\n\n# \uc131\uacf5\ud55c \ub85c\uadf8\uc778 \ud655\uc778\njournalctl -u ssh --since today | grep \"Accepted\"\n\n# \ud2b9\uc815 IP\uc758 \ud65c\ub3d9 \ucd94\uc801\njournalctl --since today | grep \"192.168.1.100\"\n\n# sudo \uc0ac\uc6a9 \ub0b4\uc5ed \ud655\uc778\njournalctl --since today | grep sudo<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">\uc2dc\ub098\ub9ac\uc624 3: &#8220;\uc11c\ube44\uc2a4\uac00 \uc790\uafb8 \uc7ac\uc2dc\uc791\ub3fc\uc694!&#8221;<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code># \uc11c\ube44\uc2a4 \uc2dc\uc791\/\uc911\uc9c0 \uc774\ub825 \ud655\uc778\njournalctl -u myapp --since \"24 hours ago\" | grep -E \"(Started|Stopped|Failed)\"\n\n# \uc2dc\uc2a4\ud15c \uc7ac\ubd80\ud305 \uc774\ub825\njournalctl --list-boots\n\n# \ud2b9\uc815 \ubd80\ud305 \uc138\uc158\uc758 \ub85c\uadf8\njournalctl -b -1  # \uc774\uc804 \ubd80\ud305\njournalctl -b 0   # \ud604\uc7ac \ubd80\ud305\n\n# \ud06c\ub798\uc2dc \uad00\ub828 \ub85c\uadf8\njournalctl -p crit --since \"24 hours ago\"<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">\uace0\uae09 journalctl \ud65c\uc6a9\ubc95<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># 1. JSON \ud615\ud0dc\ub85c \uc0c1\uc138 \uc815\ubcf4 \ud655\uc778\njournalctl -o json-pretty -n 5\n\n# 2. 
\ud2b9\uc815 \ud544\ub4dc\ub85c \ud544\ud130\ub9c1\njournalctl _PID=1234              # \ud2b9\uc815 \ud504\ub85c\uc138\uc2a4 ID\njournalctl _UID=1000              # \ud2b9\uc815 \uc0ac\uc6a9\uc790 ID\njournalctl _COMM=nginx            # \ud2b9\uc815 \uba85\ub839\uc5b4\njournalctl PRIORITY=3             # \ud2b9\uc815 \uc6b0\uc120\uc21c\uc704 (3=err)\n\n# 3. \ub85c\uadf8 \ud06c\uae30 \uad00\ub9ac\njournalctl --disk-usage           # \uc800\ub110 \ub85c\uadf8 \uc6a9\ub7c9 \ud655\uc778\nsudo journalctl --vacuum-time=30d # 30\uc77c \uc774\uc0c1 \ub85c\uadf8 \uc0ad\uc81c\nsudo journalctl --vacuum-size=1G  # 1GB \uc774\uc0c1 \ub85c\uadf8 \uc0ad\uc81c\n\n# 4. \ub85c\uadf8 \ub0b4\ubcf4\ub0b4\uae30\njournalctl --since today -o export &gt; system_logs_$(date +%Y%m%d).journal<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">3. \uc804\ud1b5\uc801 \ub85c\uadf8 \ud30c\uc77c \ubd84\uc11d: grep, awk, sed \ub9c8\uc2a4\ud130\ud558\uae30<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">\ud575\uc2ec \ub85c\uadf8 \ubd84\uc11d \uba85\ub839\uc5b4\ub4e4<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># 1. \uae30\ubcf8 \ub85c\uadf8 \uc77d\uae30\ntail -f \/var\/log\/messages          # \uc2e4\uc2dc\uac04 \ubaa8\ub2c8\ud130\ub9c1\ntail -100 \/var\/log\/secure          # \ub9c8\uc9c0\ub9c9 100\uc904\nhead -50 \/var\/log\/nginx\/access.log # \ucc98\uc74c 50\uc904\n\n# 2. \ub85c\uadf8 \uac80\uc0c9\uacfc \ud544\ud130\ub9c1\ngrep \"error\" \/var\/log\/messages\ngrep -i \"failed\" \/var\/log\/secure   # \ub300\uc18c\ubb38\uc790 \uad6c\ubd84 \uc5c6\uc774\ngrep -v \"INFO\" \/var\/log\/app.log    # INFO\uac00 \uc5c6\ub294 \uc904\ub9cc\ngrep -A 5 -B 5 \"ERROR\" \/var\/log\/app.log # \uc55e\ub4a4 5\uc904 \ud3ec\ud568\n\n# 3. 
\uc5ec\ub7ec \ud30c\uc77c\uc5d0\uc11c \ub3d9\uc2dc \uac80\uc0c9\ngrep -r \"database connection\" \/var\/log\/\nfind \/var\/log -name \"*.log\" -exec grep -l \"error\" {} ;<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">\uc2e4\ubb34\uc5d0\uc11c \uc790\uc8fc \uc0ac\uc6a9\ud558\ub294 \ub85c\uadf8 \ubd84\uc11d \ud328\ud134<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">\uc6f9\uc11c\ubc84 \ub85c\uadf8 \ubd84\uc11d<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code># Nginx access \ub85c\uadf8 \ubd84\uc11d\n# \uac00\uc7a5 \ub9ce\uc774 \uc811\uadfc\ud55c IP \ucc3e\uae30\nawk '{print $1}' \/var\/log\/nginx\/access.log | sort | uniq -c | sort -nr | head -10\n\n# 404 \uc5d0\ub7ec\uac00 \ub9ce\uc740 \ud398\uc774\uc9c0 \ucc3e\uae30\ngrep \" 404 \" \/var\/log\/nginx\/access.log | awk '{print $7}' | sort | uniq -c | sort -nr\n\n# \uc2dc\uac04\ub300\ubcc4 \uc694\uccad \uc218 \ubd84\uc11d\nawk '{print $4}' \/var\/log\/nginx\/access.log | cut -d: -f2 | sort | uniq -c\n\n# \ud2b9\uc815 \uc2dc\uac04\ub300\uc758 \ub85c\uadf8\ub9cc \ud655\uc778\nawk '$4 ~ \/15\/Jan\/2024:14\/ {print}' \/var\/log\/nginx\/access.log\n\n# User-Agent \ubd84\uc11d (\ubd07 \ud0d0\uc9c0)\nawk -F'\"' '{print $6}' \/var\/log\/nginx\/access.log | sort | uniq -c | sort -nr | head -10<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">\ubcf4\uc548 \ub85c\uadf8 \ubd84\uc11d<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code># SSH \ubb34\ucc28\ubcc4 \ub300\uc785 \uacf5\uaca9 \ud0d0\uc9c0 (\uc8fc\uc758: 'invalid user' \uc904\uc5d0\uc11c\ub294 IP\uac00 $13\uc5d0 \uc788\uc74c)\ngrep \"Failed password\" \/var\/log\/secure | awk '{print $11}' | sort | uniq -c | sort -nr\n\n# \uc131\uacf5\ud55c \ub85c\uadf8\uc778 \ud6c4 \ubc14\ub85c \uc2e4\ud328\ud55c \ucf00\uc774\uc2a4 (\uc758\uc2ec\uc2a4\ub7ec\uc6b4 \ud65c\ub3d9)\ngrep -E \"(Accepted|Failed)\" \/var\/log\/secure | grep -A1 \"Accepted\" | grep \"Failed\"\n\n# \ub8e8\ud2b8 \uacc4\uc815 \uc811\uadfc \uc2dc\ub3c4\ngrep \"Failed password for root\" \/var\/log\/secure\n\n# \uacf5\uac1c\ud0a4 \ub85c\uadf8\uc778 \uc0ac\uc6a9\uc790\/IP \ubaa9\ub85d (\uc0c8\ub85c\uc6b4 SSH \ud0a4 \uc0ac\uc6a9 \uc5ec\ubd80 \ud655\uc778)\ngrep \"Accepted publickey\" 
\/var\/log\/secure | awk '{print $9, $11}' | sort -u<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">\uc2dc\uc2a4\ud15c \uc131\ub2a5 \ub85c\uadf8 \ubd84\uc11d<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code># Out of Memory \uc774\ubca4\ud2b8 \ucc3e\uae30\ndmesg | grep -i \"out of memory\"\ngrep -i \"oom\" \/var\/log\/messages\n\n# \ub514\uc2a4\ud06c \uad00\ub828 \uc5d0\ub7ec\ngrep -i \"disk|ata|scsi\" \/var\/log\/messages | grep -i error\n\n# \ub124\ud2b8\uc6cc\ud06c \uad00\ub828 \uc5d0\ub7ec\ngrep -i \"network|eth0|connection\" \/var\/log\/messages | grep -i error<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">\ub85c\uadf8 \ubd84\uc11d \uc790\ub3d9\ud654 \uc2a4\ud06c\ub9bd\ud2b8<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>#!\/bin\/bash\n# log_analyzer.sh - \uc885\ud569 \ub85c\uadf8 \ubd84\uc11d \uc2a4\ud06c\ub9bd\ud2b8\n\nLOG_DATE=$(date +%Y%m%d)\nREPORT_FILE=\"\/tmp\/log_analysis_${LOG_DATE}.txt\"\n\necho \"=== \uc2dc\uc2a4\ud15c \ub85c\uadf8 \ubd84\uc11d \ub9ac\ud3ec\ud2b8 $(date) ===\" &gt; $REPORT_FILE\n\n# 1. \uc2dc\uc2a4\ud15c \uc5d0\ub7ec \uc694\uc57d\necho \"1. \uc2dc\uc2a4\ud15c \uc5d0\ub7ec \uc694\uc57d:\" &gt;&gt; $REPORT_FILE\njournalctl -p err --since today --no-pager | wc -l &gt;&gt; $REPORT_FILE\necho \"\ucd1d \uc5d0\ub7ec \uc218: $(journalctl -p err --since today --no-pager | wc -l)\" &gt;&gt; $REPORT_FILE\n\n# 2. \uac00\uc7a5 \ub9ce\uc774 \ubc1c\uc0dd\ud55c \uc5d0\ub7ec\ub4e4\necho -e \"n2. \uc8fc\uc694 \uc5d0\ub7ec \uba54\uc2dc\uc9c0:\" &gt;&gt; $REPORT_FILE\njournalctl -p err --since today --no-pager | awk '{$1=$2=$3=\"\"; print $0}' | sort | uniq -c | sort -nr | head -5 &gt;&gt; $REPORT_FILE\n\n# 3. SSH \uc811\uadfc \ubd84\uc11d\necho -e \"n3. 
SSH \uc811\uadfc \ubd84\uc11d:\" &gt;&gt; $REPORT_FILE\necho \"\uc2e4\ud328\ud55c \ub85c\uadf8\uc778 \uc2dc\ub3c4: $(grep \"Failed password\" \/var\/log\/secure | grep \"$(date +%b %d)\" | wc -l)\" &gt;&gt; $REPORT_FILE\necho \"\uc131\uacf5\ud55c \ub85c\uadf8\uc778: $(grep \"Accepted\" \/var\/log\/secure | grep \"$(date +%b %d)\" | wc -l)\" &gt;&gt; $REPORT_FILE\n\n# 4. \uc0c1\uc704 \uacf5\uaca9\uc790 IP\necho -e \"n4. \uc0c1\uc704 \uacf5\uaca9\uc790 IP (\uc2e4\ud328\ud55c \ub85c\uadf8\uc778):\" &gt;&gt; $REPORT_FILE\ngrep \"Failed password\" \/var\/log\/secure | grep \"$(date +%b %d)\" | awk '{print $11}' | sort | uniq -c | sort -nr | head -5 &gt;&gt; $REPORT_FILE\n\n# 5. \ub514\uc2a4\ud06c \uc0ac\uc6a9\ub7c9\uacfc \ub85c\uadf8 \ud06c\uae30\necho -e \"n5. \ub85c\uadf8 \ud30c\uc77c \ud06c\uae30 \ubd84\uc11d:\" &gt;&gt; $REPORT_FILE\necho \"\uc804\uccb4 \/var\/log \uc0ac\uc6a9\ub7c9: $(du -sh \/var\/log | cut -f1)\" &gt;&gt; $REPORT_FILE\necho \"journalctl \uc0ac\uc6a9\ub7c9: $(journalctl --disk-usage | grep -o '&#91;0-9.]*&#91;KMGT]B')\" &gt;&gt; $REPORT_FILE\n\n# 6. \uc11c\ube44\uc2a4 \uc0c1\ud0dc \uc694\uc57d\necho -e \"n6. \uc8fc\uc694 \uc11c\ube44\uc2a4 \uc0c1\ud0dc:\" &gt;&gt; $REPORT_FILE\nfor service in nginx mysql ssh firewalld; do\n    if systemctl is-active $service &gt; \/dev\/null 2&gt;&amp;1; then\n        echo \"$service: \uc815\uc0c1\" &gt;&gt; $REPORT_FILE\n    else\n        echo \"$service: \ube44\uc815\uc0c1\" &gt;&gt; $REPORT_FILE\n    fi\ndone\n\necho \"\ubd84\uc11d \uc644\ub8cc: $REPORT_FILE\"\ncat $REPORT_FILE<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">4. 
\uc2e4\uc2dc\uac04 \ubaa8\ub2c8\ud130\ub9c1\uacfc \uc54c\ub9bc \uc2dc\uc2a4\ud15c \uad6c\ucd95<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">\uc2e4\uc2dc\uac04 \ub85c\uadf8 \ubaa8\ub2c8\ud130\ub9c1 \ub300\uc2dc\ubcf4\ub4dc<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># \uba40\ud2f0 \ud130\ubbf8\ub110 \ubaa8\ub2c8\ud130\ub9c1 \uc2a4\ud06c\ub9bd\ud2b8\n#!\/bin\/bash\n# monitor_dashboard.sh\n\n# \ud130\ubbf8\ub110\uc744 4\uac1c \uc601\uc5ed\uc73c\ub85c \ubd84\ud560\ud558\uc5ec \uc2e4\uc2dc\uac04 \ubaa8\ub2c8\ud130\ub9c1\ntmux new-session -d -s monitoring\n\n# \uc0c1\ub2e8 \uc88c\uce21: \uc2dc\uc2a4\ud15c \uc804\uccb4 \uc5d0\ub7ec \ub85c\uadf8\ntmux send-keys -t monitoring \"journalctl -f -p err\" Enter\n\n# \uc0c1\ub2e8 \uc6b0\uce21: \uc6f9\uc11c\ubc84 \ub85c\uadf8\ntmux split-window -h -t monitoring\ntmux send-keys -t monitoring \"tail -f \/var\/log\/nginx\/error.log\" Enter\n\n# \ud558\ub2e8 \uc88c\uce21: SSH \uc811\uadfc \ub85c\uadf8\ntmux split-window -v -t monitoring:0.0\ntmux send-keys -t monitoring \"journalctl -u ssh -f\" Enter\n\n# \ud558\ub2e8 \uc6b0\uce21: \uc2dc\uc2a4\ud15c \ub9ac\uc18c\uc2a4\ntmux split-window -v -t monitoring:0.1\ntmux send-keys -t monitoring \"htop\" Enter\n\n# \uc138\uc158 \uc811\uc18d\ntmux attach-session -t monitoring<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">\ub85c\uadf8 \uae30\ubc18 \uc54c\ub9bc \uc2dc\uc2a4\ud15c<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>#!\/bin\/bash\n# log_alert_system.sh - \ub85c\uadf8 \uae30\ubc18 \uc2e4\uc2dc\uac04 \uc54c\ub9bc\n\nWEBHOOK_URL=\"YOUR_SLACK_WEBHOOK_URL\"\nALERT_LOG=\"\/var\/log\/alert_system.log\"\n\n# \uc2ac\ub799 \uc54c\ub9bc \ud568\uc218\nsend_slack_alert() {\n    local message=\"$1\"\n    local level=\"$2\"\n    local emoji=\"\ud83d\udd34\"\n\n    case $level in\n        \"warning\") emoji=\"\u26a0\ufe0f\" ;;\n        \"info\") emoji=\"\u2139\ufe0f\" ;;\n        \"critical\") emoji=\"\ud83d\udea8\" ;;\n    esac\n\n    curl -X POST -H 'Content-type: application\/json' \n    
    --data \"{\"text\":\"$emoji $message\"}\" \n        $WEBHOOK_URL\n}\n\n# 1. SSH \ubb34\ucc28\ubcc4 \ub300\uc785 \uacf5\uaca9 \uac10\uc9c0\ncheck_ssh_attacks() {\n    local attacks=$(grep \"Failed password\" \/var\/log\/secure | grep \"$(date +%b %d)\" | wc -l)\n\n    if &#91; $attacks -gt 50 ]; then\n        local top_attacker=$(grep \"Failed password\" \/var\/log\/secure | grep \"$(date +%b %d)\" | \n                           awk '{print $11}' | sort | uniq -c | sort -nr | head -1)\n        send_slack_alert \"SSH \ubb34\ucc28\ubcc4 \ub300\uc785 \uacf5\uaca9 \uac10\uc9c0! \ucd1d $attacks \ud68c \uc2dc\ub3c4. \uc8fc\uc694 \uacf5\uaca9\uc790: $top_attacker\" \"critical\"\n    fi\n}\n\n# 2. \uc2dc\uc2a4\ud15c \uc5d0\ub7ec \uae09\uc99d \uac10\uc9c0\ncheck_system_errors() {\n    local errors=$(journalctl -p err --since \"10 minutes ago\" --no-pager | wc -l)\n\n    if &#91; $errors -gt 20 ]; then\n        send_slack_alert \"\uc2dc\uc2a4\ud15c \uc5d0\ub7ec \uae09\uc99d! \ucd5c\uadfc 10\ubd84\uac04 $errors \uac1c \uc5d0\ub7ec \ubc1c\uc0dd\" \"critical\"\n    fi\n}\n\n# 3. \ub514\uc2a4\ud06c \uacf5\uac04 \ubd80\uc871 \uacbd\uace0\ncheck_disk_space() {\n    local usage=$(df \/var\/log | tail -1 | awk '{print $5}' | sed 's\/%\/\/')\n\n    if &#91; $usage -gt 90 ]; then\n        send_slack_alert \"\ub85c\uadf8 \ub514\uc2a4\ud06c \uacf5\uac04 \ubd80\uc871! \ud604\uc7ac \uc0ac\uc6a9\ub960: ${usage}%\" \"warning\"\n    fi\n}\n\n# 4. \uc911\uc694 \uc11c\ube44\uc2a4 \ub2e4\uc6b4 \uac10\uc9c0\ncheck_critical_services() {\n    for service in nginx mysql ssh; do\n        if ! systemctl is-active $service &gt; \/dev\/null 2&gt;&amp;1; then\n            send_slack_alert \"$service \uc11c\ube44\uc2a4\uac00 \uc911\uc9c0\ub418\uc5c8\uc2b5\ub2c8\ub2e4!\" \"critical\"\n        fi\n    done\n}\n\n# 5. 
OOM(Out of Memory) \uc774\ubca4\ud2b8 \uac10\uc9c0\ncheck_oom_events() {\n    local oom_count=$(dmesg | grep -i \"killed process\" | grep \"$(date +%b %d)\" | wc -l)\n\n    if &#91; $oom_count -gt 0 ]; then\n        local killed_process=$(dmesg | grep -i \"killed process\" | tail -1 | awk '{print $NF}')\n        send_slack_alert \"\uba54\ubaa8\ub9ac \ubd80\uc871\uc73c\ub85c \ud504\ub85c\uc138\uc2a4 \uc885\ub8cc! \uc885\ub8cc\ub41c \ud504\ub85c\uc138\uc2a4: $killed_process\" \"critical\"\n    fi\n}\n\n# \uba54\uc778 \uc2e4\ud589\ubd80\nmain() {\n    echo \"$(date): \ub85c\uadf8 \ubaa8\ub2c8\ud130\ub9c1 \uc2dc\uc791\" &gt;&gt; $ALERT_LOG\n\n    check_ssh_attacks\n    check_system_errors\n    check_disk_space\n    check_critical_services\n    check_oom_events\n\n    echo \"$(date): \ub85c\uadf8 \ubaa8\ub2c8\ud130\ub9c1 \uc644\ub8cc\" &gt;&gt; $ALERT_LOG\n}\n\n# crontab\uc5d0 \ub4f1\ub85d: *\/5 * * * * \/path\/to\/log_alert_system.sh\nmain<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">\ub85c\uadf8 \uc21c\ud658(Log Rotation) \uad00\ub9ac<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># logrotate \uc124\uc815 \ucd5c\uc801\ud654\nsudo nano \/etc\/logrotate.d\/custom-app\n\n# \ucee4\uc2a4\ud140 \uc560\ud50c\ub9ac\ucf00\uc774\uc158 \ub85c\uadf8 \uc21c\ud658 \uc124\uc815\n\/var\/log\/myapp\/*.log {\n    daily                    # \ub9e4\uc77c \uc21c\ud658\n    rotate 30               # 30\uac1c \ud30c\uc77c \ubcf4\uad00\n    compress                # \uc555\ucd95 \uc800\uc7a5\n    delaycompress          # \ub2e4\uc74c \uc21c\ud658 \ub54c \uc555\ucd95\n    missingok              # \ud30c\uc77c\uc774 \uc5c6\uc5b4\ub3c4 \uc5d0\ub7ec \uc5c6\uc74c\n    notifempty             # \ube48 \ud30c\uc77c\uc740 \uc21c\ud658\ud558\uc9c0 \uc54a\uc74c\n    create 644 myapp myapp # \uc0c8 \ud30c\uc77c \uad8c\ud55c \uc124\uc815\n    postrotate\n        systemctl reload myapp\n    endscript\n}\n\n# logrotate \ud14c\uc2a4\ud2b8\nsudo logrotate -d \/etc\/logrotate.d\/custom-app  # 
\ub4dc\ub77c\uc774\ub7f0\nsudo logrotate -f \/etc\/logrotate.d\/custom-app  # \uac15\uc81c \uc2e4\ud589<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">5. \uc131\ub2a5 \ubaa8\ub2c8\ud130\ub9c1\uacfc \ud504\ub85c\ud30c\uc77c\ub9c1<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">\uc2dc\uc2a4\ud15c \uc131\ub2a5 \ub85c\uadf8 \ubd84\uc11d<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># 1. CPU \uc0ac\uc6a9\ub960 \uc774\ub825 \ud655\uc778\nsar -u 1 10    # 1\ucd08\ub9c8\ub2e4 10\ubc88 CPU \uc0ac\uc6a9\ub960 \ud655\uc778\nsar -u -f \/var\/log\/sa\/sa$(date +%d)  # \uc624\ub298\uc758 CPU \uc774\ub825\n\n# 2. \uba54\ubaa8\ub9ac \uc0ac\uc6a9 \ud328\ud134 \ubd84\uc11d\nsar -r 1 10    # \uba54\ubaa8\ub9ac \uc0ac\uc6a9\ub960\nfree -h &amp;&amp; cat \/proc\/meminfo | grep -E \"(MemTotal|MemFree|MemAvailable|Buffers|Cached)\"\n\n# 3. \ub514\uc2a4\ud06c I\/O \ubd84\uc11d\niotop -o      # I\/O \uc0ac\uc6a9\ub7c9\uc774 \ub192\uc740 \ud504\ub85c\uc138\uc2a4\ub9cc\niostat -x 1 5 # \ub514\uc2a4\ud06c I\/O \uc0c1\uc138 \ud1b5\uacc4\n\n# 4. \ub124\ud2b8\uc6cc\ud06c \uc5f0\uacb0 \uc0c1\ud0dc \ubd84\uc11d\nss -tuln | awk '{print $1}' | sort | uniq -c  # \uc5f0\uacb0 \ud0c0\uc785\ubcc4 \ud1b5\uacc4\nnetstat -i    # \uc778\ud130\ud398\uc774\uc2a4\ubcc4 \ud1b5\uacc4<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">\uc560\ud50c\ub9ac\ucf00\uc774\uc158 \uc131\ub2a5 \ubaa8\ub2c8\ud130\ub9c1<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># 1. \ud504\ub85c\uc138\uc2a4\ubcc4 \ub9ac\uc18c\uc2a4 \uc0ac\uc6a9\ub7c9 \ucd94\uc801\npidstat -u -r -d 1 10 -p $(pgrep nginx)  # nginx \ud504\ub85c\uc138\uc2a4 \ubaa8\ub2c8\ud130\ub9c1\n\n# 2. \uc2dc\uc2a4\ud15c \ucf5c \ucd94\uc801\nstrace -c -p $(pgrep nginx)  # nginx\uc758 \uc2dc\uc2a4\ud15c \ucf5c \ud1b5\uacc4\nstrace -f -e trace=file nginx  # \ud30c\uc77c \uad00\ub828 \uc2dc\uc2a4\ud15c \ucf5c\ub9cc\n\n# 3. 
\ub124\ud2b8\uc6cc\ud06c \uc5f0\uacb0 \ubaa8\ub2c8\ud130\ub9c1\nss -i  # \uc18c\ucf13 \uc0c1\uc138 \uc815\ubcf4\nlsof -i :80  # 80 \ud3ec\ud2b8 \uc0ac\uc6a9 \ud504\ub85c\uc138\uc2a4<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">\uc885\ud569 \ubaa8\ub2c8\ud130\ub9c1 \uc2a4\ud06c\ub9bd\ud2b8<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>#!\/bin\/bash\n# comprehensive_monitor.sh - \uc885\ud569 \uc2dc\uc2a4\ud15c \ubaa8\ub2c8\ud130\ub9c1\n\nREPORT_DIR=\"\/var\/log\/monitoring\"\nTIMESTAMP=$(date +%Y%m%d_%H%M%S)\nREPORT_FILE=\"$REPORT_DIR\/system_report_$TIMESTAMP.txt\"\n\nmkdir -p $REPORT_DIR\n\nexec &gt; &gt;(tee $REPORT_FILE)\nexec 2&gt;&amp;1\n\necho \"=== \uc885\ud569 \uc2dc\uc2a4\ud15c \ubaa8\ub2c8\ud130\ub9c1 \ub9ac\ud3ec\ud2b8 $(date) ===\"\n\n# 1. \uc2dc\uc2a4\ud15c \uae30\ubcf8 \uc815\ubcf4\necho -e \"n1. \uc2dc\uc2a4\ud15c \uae30\ubcf8 \uc815\ubcf4:\"\necho \"\ud638\uc2a4\ud2b8\uba85: $(hostname)\"\necho \"\uc6b4\uc601\uccb4\uc81c: $(cat \/etc\/os-release | grep PRETTY_NAME | cut -d'\"' -f2)\"\necho \"\ucee4\ub110: $(uname -r)\"\necho \"\uc5c5\ud0c0\uc784: $(uptime -p)\"\necho \"\ubd80\ud558 \ud3c9\uade0: $(uptime | cut -d':' -f4-)\"\n\n# 2. CPU \ubc0f \uba54\ubaa8\ub9ac \uc0c1\ud0dc\necho -e \"n2. CPU \ubc0f \uba54\ubaa8\ub9ac \uc0c1\ud0dc:\"\necho \"CPU \ucf54\uc5b4 \uc218: $(nproc)\"\necho \"CPU \uc0ac\uc6a9\ub960 (1\ubd84 \ud3c9\uade0): $(sar -u 1 1 | tail -1 | awk '{print 100-$8}')%\"\necho \"\uba54\ubaa8\ub9ac \uc0ac\uc6a9\ub960: $(free | grep Mem | awk '{printf \"%.1f%%\", $3\/$2 * 100.0}')\"\necho \"\uc2a4\uc651 \uc0ac\uc6a9\ub960: $(free | grep Swap | awk '{printf \"%.1f%%\", $3\/$2 * 100.0}')\"\n\n# 3. \ub514\uc2a4\ud06c \uc0ac\uc6a9\ub7c9\necho -e \"n3. \ub514\uc2a4\ud06c \uc0ac\uc6a9\ub7c9:\"\ndf -h | grep -v tmpfs | grep -v devtmpfs\n\n# 4. \ub124\ud2b8\uc6cc\ud06c \uc0c1\ud0dc\necho -e \"n4. 
\ub124\ud2b8\uc6cc\ud06c \uc0c1\ud0dc:\"\necho \"\ud65c\uc131 \uc5f0\uacb0 \uc218: $(ss -t state established | wc -l)\"\necho \"\ub9ac\uc2a4\ub2dd \ud3ec\ud2b8: $(ss -tuln | grep LISTEN | wc -l)\"\n\n# 5. \ud504\ub85c\uc138\uc2a4 TOP 10\necho -e \"n5. CPU \uc0ac\uc6a9\ub960 \uc0c1\uc704 \ud504\ub85c\uc138\uc2a4:\"\nps aux --sort=-%cpu | head -11\n\necho -e \"n6. \uba54\ubaa8\ub9ac \uc0ac\uc6a9\ub960 \uc0c1\uc704 \ud504\ub85c\uc138\uc2a4:\"\nps aux --sort=-%mem | head -11\n\n# 7. \ucd5c\uadfc \uc5d0\ub7ec \ub85c\uadf8\necho -e \"n7. \ucd5c\uadfc 1\uc2dc\uac04 \uc5d0\ub7ec \ub85c\uadf8 (\uc0c1\uc704 10\uac1c):\"\njournalctl -p err --since \"1 hour ago\" --no-pager | tail -10\n\n# 8. \uc11c\ube44\uc2a4 \uc0c1\ud0dc\necho -e \"n8. \uc8fc\uc694 \uc11c\ube44\uc2a4 \uc0c1\ud0dc:\"\nfor service in ssh nginx mysql docker; do\n    if systemctl list-unit-files | grep -q \"^$service.service\"; then\n        status=$(systemctl is-active $service 2&gt;\/dev\/null || echo \"inactive\")\n        echo \"$service: $status\"\n    fi\ndone\n\n# 9. \ubcf4\uc548 \uc774\ubca4\ud2b8 \uc694\uc57d\necho -e \"n9. \ubcf4\uc548 \uc774\ubca4\ud2b8 \uc694\uc57d (\uc624\ub298):\"\necho \"SSH \ub85c\uadf8\uc778 \uc2e4\ud328: $(grep \"Failed password\" \/var\/log\/secure 2&gt;\/dev\/null | grep \"$(date +%b %d)\" | wc -l)\"\necho \"SSH \ub85c\uadf8\uc778 \uc131\uacf5: $(grep \"Accepted\" \/var\/log\/secure 2&gt;\/dev\/null | grep \"$(date +%b %d)\" | wc -l)\"\necho \"sudo \uc0ac\uc6a9: $(journalctl --since today | grep sudo | wc -l)\"\n\necho -e \"n=== \ub9ac\ud3ec\ud2b8 \uc644\ub8cc ===\"\necho \"\ub9ac\ud3ec\ud2b8 \ud30c\uc77c: $REPORT_FILE\"\n\n# \uc774\uc804 \ub9ac\ud3ec\ud2b8 \uc815\ub9ac (7\uc77c \uc774\uc0c1 \ub41c \uac83)\nfind $REPORT_DIR -name \"system_report_*.txt\" -mtime +7 -delete<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">6. 
\ub85c\uadf8 \ubcf4\uc548\uacfc \ucef4\ud50c\ub77c\uc774\uc5b8\uc2a4<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">\ub85c\uadf8 \ubb34\uacb0\uc131 \ubcf4\uc7a5<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># 1. \ub85c\uadf8 \ud30c\uc77c \uad8c\ud55c \uc124\uc815\nsudo chmod 640 \/var\/log\/messages\nsudo chown root:adm \/var\/log\/secure\n\n# 2. \ub85c\uadf8 \ubcc0\uc870 \ud0d0\uc9c0\ub97c \uc704\ud55c \uccb4\ud06c\uc12c \uc0dd\uc131\n#!\/bin\/bash\n# log_integrity_check.sh\n# \ucc38\uace0: \uc0ac\uc6a9 \uc911\uc778 \ub85c\uadf8\ub294 \uacc4\uc18d \ubcc0\uacbd\ub418\ubbc0\ub85c \uc21c\ud658\ub41c \ud30c\uc77c\uc5d0\ub9cc \uc801\uc6a9\ud558\uace0, \uccb4\ud06c\uc12c\uc740 \uc6d0\uaca9 \uc11c\ubc84\uc5d0 \ubcf4\uad00\n\nLOG_CHECKSUM_DIR=\"\/var\/log\/checksums\"\nmkdir -p $LOG_CHECKSUM_DIR\n\n# \uc911\uc694 \ub85c\uadf8 \ud30c\uc77c\ub4e4\uc758 \uccb4\ud06c\uc12c \uc0dd\uc131\nfor logfile in \/var\/log\/messages \/var\/log\/secure \/var\/log\/audit\/audit.log; do\n    if &#91; -f \"$logfile\" ]; then\n        checksum_file=\"$LOG_CHECKSUM_DIR\/$(basename $logfile).sha256\"\n        sha256sum \"$logfile\" &gt; \"$checksum_file.new\"\n\n        # \uc774\uc804 \uccb4\ud06c\uc12c\uacfc \ube44\uad50\n        if &#91; -f \"$checksum_file\" ]; then\n            if ! 
diff \"$checksum_file\" \"$checksum_file.new\" &gt; \/dev\/null; then\n                echo \"\uacbd\uace0: $logfile \uc774 \ubcc0\uc870\ub418\uc5c8\uc744 \uc218 \uc788\uc2b5\ub2c8\ub2e4!\"\n                logger \"LOG_INTEGRITY_WARNING: $logfile checksum mismatch\"\n            fi\n        fi\n\n        mv \"$checksum_file.new\" \"$checksum_file\"\n    fi\ndone<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">\uc911\uc559 \uc9d1\uc911\uc2dd \ub85c\uadf8 \uc218\uc9d1 (Rsyslog)<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># rsyslog \uc11c\ubc84 \uc124\uc815 (\/etc\/rsyslog.conf)\n# \uc911\uc559 \ub85c\uadf8 \uc11c\ubc84\ub85c \uc124\uc815\n\n# UDP\ub85c \ub85c\uadf8 \uc218\uc2e0 \ud5c8\uc6a9\n$ModLoad imudp\n$UDPServerRun 514\n$UDPServerAddress 0.0.0.0\n\n# TCP\ub85c \ub85c\uadf8 \uc218\uc2e0 \ud5c8\uc6a9 (UDP\ubcf4\ub2e4 \uc804\uc1a1\uc774 \uc548\uc815\uc801, \uc554\ud638\ud654\ub294 \ubcc4\ub3c4 TLS \uc124\uc815 \ud544\uc694)\n$ModLoad imtcp\n$InputTCPServerRun 514\n\n# \ud074\ub77c\uc774\uc5b8\ud2b8\ubcc4\ub85c \ub85c\uadf8 \ubd84\ub9ac \uc800\uc7a5\n$template RemoteLogs,\"\/var\/log\/remote\/%HOSTNAME%\/%PROGRAMNAME%.log\"\n*.* ?RemoteLogs\n&amp; stop\n\n# \ud074\ub77c\uc774\uc5b8\ud2b8 \uc124\uc815 - \uc911\uc559 \uc11c\ubc84\ub85c \ub85c\uadf8 \uc804\uc1a1\necho \"*.* @@log-server:514\" &gt;&gt; \/etc\/rsyslog.conf\nsystemctl restart rsyslog<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">7. \ud2b8\ub7ec\ube14\uc288\ud305 \uc2e4\uc804 \uc2dc\ub098\ub9ac\uc624<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">\uc2dc\ub098\ub9ac\uc624 1: &#8220;\uc0ac\uc774\ud2b8\uac00 \uac11\uc790\uae30 500 \uc5d0\ub7ec\ub97c \ub0b4\ubfdc\uc5b4\uc694!&#8221;<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># \ub2e8\uacc4\ubcc4 \uc9c4\ub2e8 \uacfc\uc815\necho \"=== \uc6f9 \uc11c\ubc84 500 \uc5d0\ub7ec \ud2b8\ub7ec\ube14\uc288\ud305 ===\"\n\n# 1. \uc6f9\uc11c\ubc84 \uc5d0\ub7ec \ub85c\uadf8 \uc989\uc2dc \ud655\uc778\necho \"1. \uc6f9\uc11c\ubc84 \uc5d0\ub7ec \ub85c\uadf8:\"\ntail -50 \/var\/log\/nginx\/error.log\n\n# 2. 
\uc560\ud50c\ub9ac\ucf00\uc774\uc158 \ub85c\uadf8 \ud655\uc778\necho -e \"n2. \uc560\ud50c\ub9ac\ucf00\uc774\uc158 \ub85c\uadf8:\"\njournalctl -u myapp -n 50\n\n# 3. \ub370\uc774\ud130\ubca0\uc774\uc2a4 \uc5f0\uacb0 \ud655\uc778\necho -e \"n3. \ub370\uc774\ud130\ubca0\uc774\uc2a4 \uc0c1\ud0dc:\"\nsystemctl status mysql\njournalctl -u mysql -n 20\n\n# 4. \uc2dc\uc2a4\ud15c \ub9ac\uc18c\uc2a4 \ud655\uc778\necho -e \"n4. \uc2dc\uc2a4\ud15c \ub9ac\uc18c\uc2a4:\"\nfree -h\ndf -h | grep -v tmpfs\n\n# 5. \ub124\ud2b8\uc6cc\ud06c \uc5f0\uacb0 \uc0c1\ud0dc\necho -e \"n5. \ub124\ud2b8\uc6cc\ud06c \uc5f0\uacb0:\"\nss -tuln | grep :80\nss -tuln | grep :3306<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">\uc2dc\ub098\ub9ac\uc624 2: &#8220;\uc11c\ubc84\uac00 \uc790\uafb8 \uba48\ucdb0\uc694!&#8221;<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># \uc2dc\uc2a4\ud15c \ud589\uc5c5\/\ud504\ub9ac\uc9d5 \ubd84\uc11d\necho \"=== \uc2dc\uc2a4\ud15c \ud589\uc5c5 \ubd84\uc11d ===\"\n\n# 1. \ucee4\ub110 \uba54\uc2dc\uc9c0 \ud655\uc778\ndmesg | tail -50\n\n# 2. \ub192\uc740 CPU \uc0ac\uc6a9 \ud504\ub85c\uc138\uc2a4\necho -e \"n2. CPU \uc0ac\uc6a9\ub960 TOP 10:\"\nps aux --sort=-%cpu | head -11\n\n# 3. \uba54\ubaa8\ub9ac \ubd80\uc871 \uc774\ubca4\ud2b8\necho -e \"n3. OOM \uc774\ubca4\ud2b8 \ud655\uc778:\"\ndmesg | grep -i \"out of memory\"\njournalctl --since today | grep -i \"oom\"\n\n# 4. I\/O \ub300\uae30 \uc0c1\ud0dc \ud504\ub85c\uc138\uc2a4\necho -e \"n4. I\/O \ub300\uae30 \ud504\ub85c\uc138\uc2a4:\"\nps aux | awk '$8 ~ \/D\/ { print $0 }'\n\n# 5. \uc2dc\uc2a4\ud15c \ubd80\ud558 \uc774\ub825\necho -e \"n5. 
\uc2dc\uc2a4\ud15c \ubd80\ud558 \uc774\ub825:\"\nsar -q 1 5<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">\uc2dc\ub098\ub9ac\uc624 3: &#8220;\ub370\uc774\ud130\uac00 \uc0ac\ub77c\uc84c\uc5b4\uc694!&#8221;<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># \ub370\uc774\ud130 \uc190\uc2e4 \uc6d0\uc778 \ubd84\uc11d\necho \"=== \ub370\uc774\ud130 \uc190\uc2e4 \uc6d0\uc778 \ubd84\uc11d ===\"\n\n# 1. \ud30c\uc77c\uc2dc\uc2a4\ud15c \uc5d0\ub7ec \ud655\uc778\necho \"1. \ud30c\uc77c\uc2dc\uc2a4\ud15c \uc5d0\ub7ec:\"\ndmesg | grep -i \"error\\|fail\" | grep -E \"(sd&#91;a-z]|nvme|ext4|xfs)\"\n\n# 2. \ub514\uc2a4\ud06c \ud558\ub4dc\uc6e8\uc5b4 \uc0c1\ud0dc\necho -e \"\\n2. \ub514\uc2a4\ud06c \uc0c1\ud0dc:\"\nsmartctl -a \/dev\/sda | grep -E \"(Health|Error)\"\n\n# 3. \ubc31\uc5c5 \uad00\ub828 \ub85c\uadf8\necho -e \"\\n3. \ubc31\uc5c5 \ub85c\uadf8:\"\njournalctl -u backup -n 20\n\n# 4. \uc0ac\uc6a9\uc790 \ud65c\ub3d9 \ub85c\uadf8\necho -e \"\\n4. \ucd5c\uadfc \uc0ac\uc6a9\uc790 \ud65c\ub3d9:\"\nlast -10\njournalctl --since today | grep sudo | grep -E \"(rm|mv|delete)\"\n\n# 5. \uc560\ud50c\ub9ac\ucf00\uc774\uc158 \ub370\uc774\ud130\ubca0\uc774\uc2a4 \ub85c\uadf8\necho -e \"\\n5. 
\ub370\uc774\ud130\ubca0\uc774\uc2a4 \ub85c\uadf8:\"\ngrep -i \"drop\\|delete\\|truncate\" \/var\/log\/mysql\/mysql.log<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">\ub9c8\uce58\uba70: \ub85c\uadf8\ub85c \uc2dc\uc2a4\ud15c\uacfc \ub300\ud654\ud558\uae30<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">\ud575\uc2ec \uc6d0\uce59 \uc815\ub9ac<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>\uc2e4\uc2dc\uac04 \ubaa8\ub2c8\ud130\ub9c1<\/strong>: <code>journalctl -f<\/code>\uc640 <code>tail -f<\/code>\ub97c \uc2b5\uad00\ud654\ud558\uc138\uc694<\/li>\n\n\n\n<li><strong>\ud328\ud134 \uc778\uc2dd<\/strong>: \uc815\uc0c1\uc801\uc778 \ub85c\uadf8 \ud328\ud134\uc744 \uba3c\uc800 \uc775\ud788\uc138\uc694<\/li>\n\n\n\n<li><strong>\uccb4\uacc4\uc801 \uc811\uadfc<\/strong>: \ubb38\uc81c \ubc1c\uc0dd \uc2dc \ub2e8\uacc4\ubcc4\ub85c \ub85c\uadf8\ub97c \ud655\uc778\ud558\uc138\uc694<\/li>\n\n\n\n<li><strong>\uc790\ub3d9\ud654<\/strong>: \ubc18\ubcf5\uc801\uc778 \ubd84\uc11d \uc791\uc5c5\uc740 \uc2a4\ud06c\ub9bd\ud2b8\ub85c \uc790\ub3d9\ud654\ud558\uc138\uc694<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">\ub85c\uadf8 \ubd84\uc11d\uac00\uac00 \ub418\uae30 \uc704\ud55c \uc77c\uc77c \uc2b5\uad00<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># \ub9e4\uc77c \uc544\uce68 \uc2e4\ud589\ud558\ub294 \ub85c\uadf8 \uccb4\ud06c \ub8e8\ud2f4\n#!\/bin\/bash\necho \"=== \uc624\ub298\uc758 \uc2dc\uc2a4\ud15c \uc0c1\ud0dc $(date) ===\"\n\n# 1. \uc5b4\uc81c\ubd80\ud130 \uc624\ub298\uae4c\uc9c0\uc758 \uc5d0\ub7ec \uc694\uc57d\njournalctl -p err --since yesterday --no-pager | wc -l\n\n# 2. \uc0c8\ub85c\uc6b4 SSH \uc811\uc18d\ngrep \"Accepted\" \/var\/log\/secure | grep \"$(date +%b\\ %d)\"\n\n# 3. \uc2dc\uc2a4\ud15c \ub9ac\uc18c\uc2a4 \uc0c1\ud0dc\nfree -h | grep Mem\ndf -h | grep -v tmpfs | grep -E \"9&#91;0-9]%|100%\"\n\n# 4. \uc911\uc694 \uc11c\ube44\uc2a4 \uc0c1\ud0dc\nsystemctl is-active nginx mysql ssh\n\necho \"\uc88b\uc740 \ud558\ub8e8 \ub418\uc138\uc694! 
\ud83d\ude80\"<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">\ub2e4\uc74c \ub2e8\uacc4<\/h3>\n\n\n\n<p><strong>\ucd08\uae09\uc790\ub77c\uba74:<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><code>journalctl -f<\/code>\ub85c \uc2e4\uc2dc\uac04 \ub85c\uadf8 \ubaa8\ub2c8\ud130\ub9c1 \uc5f0\uc2b5<\/li>\n\n\n\n<li>\uae30\ubcf8 grep \ud328\ud134\uc73c\ub85c \ub85c\uadf8 \uac80\uc0c9 \uc5f0\uc2b5<\/li>\n\n\n\n<li>\uc8fc\uc694 \ub85c\uadf8 \ud30c\uc77c \uc704\uce58 \uc554\uae30<\/li>\n<\/ol>\n\n\n\n<p><strong>\uc911\uae09\uc790\ub77c\uba74:<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\ubcf5\uc7a1\ud55c awk\/sed \ud328\ud134\uc73c\ub85c \ub85c\uadf8 \ubd84\uc11d<\/li>\n\n\n\n<li>\uc790\ub3d9\ud654 \uc2a4\ud06c\ub9bd\ud2b8 \uc791\uc131<\/li>\n\n\n\n<li>\uc911\uc559 \uc9d1\uc911\uc2dd \ub85c\uadf8 \uc2dc\uc2a4\ud15c \uad6c\ucd95<\/li>\n<\/ol>\n\n\n\n<p><strong>\uace0\uae09\uc790\ub77c\uba74:<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>ELK \uc2a4\ud0dd\uc774\ub098 Grafana\uc640 \uc5f0\ub3d9<\/li>\n\n\n\n<li>\uba38\uc2e0\ub7ec\ub2dd \uae30\ubc18 \uc774\uc0c1 \ud0d0\uc9c0<\/li>\n\n\n\n<li>\ucef4\ud50c\ub77c\uc774\uc5b8\uc2a4 \ub85c\uadf8 \uad00\ub9ac<\/li>\n<\/ol>\n\n\n\n<p><strong>\uae30\uc5b5\ud558\uc138\uc694<\/strong>: \ub85c\uadf8\ub294 \uc2dc\uc2a4\ud15c\uc774 \uc6b0\ub9ac\uc5d0\uac8c \ubcf4\ub0b4\ub294 \uba54\uc2dc\uc9c0\uc785\ub2c8\ub2e4. \uc774 \uba54\uc2dc\uc9c0\ub97c \uc798 \uc77d\uc744 \uc218 \uc788\ub2e4\uba74, \uc5ec\ub7ec\ubd84\uc740 \uc2dc\uc2a4\ud15c\uacfc \uc9c4\uc815\ud55c \ub300\ud654\ub97c \ub098\ub20c \uc218 \uc788\ub294 \uc6b4\uc601 \uc804\ubb38\uac00\uac00 \ub420 \uac83\uc785\ub2c8\ub2e4! 
\ud83d\udcca<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><em>\ub2e4\uc74c \ud3ec\uc2a4\ud2b8\uc5d0\uc11c\ub294 &#8220;Production \ud658\uacbd \uad6c\uc131\ub3c4 \uc124\uacc4\ubc95&#8221;\uc744 \ud1b5\ud574 \uc2e4\uc81c \uc11c\ube44\uc2a4 \uc6b4\uc601 \ud658\uacbd\uc744 \uc5b4\ub5bb\uac8c \uc124\uacc4\ud558\uace0 \uad00\ub9ac\ud558\ub294\uc9c0 \uc54c\uc544\ubcf4\uaca0\uc2b5\ub2c8\ub2e4. \uae30\ub300\ud574 \uc8fc\uc138\uc694!<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\uc548\ub155\ud558\uc138\uc694, \uc131\uc7a5\ud558\ub294 \uac1c\ubc1c\uc790 \uc5ec\ub7ec\ubd84! \uc11c\ubc84\uc5d0 \ubb38\uc81c\uac00 \uc0dd\uacbc\uc744 \ub54c \uc5ec\ub7ec\ubd84\uc740 \uc5b4\ub514\ubd80\ud130 \ubcf4\uc2dc\ub098\uc694? CPU? \uba54\ubaa8\ub9ac? \uc544\ub2c8\uba74 \uadf8\ub0e5&#8230; \uc7ac\uc2dc\uc791? \ud83d\ude05 \uc2e4\uc81c\ub85c\ub294 \ub85c\uadf8\uac00 \ubaa8\ub4e0 \ubb38\uc81c\uc758 \ub2f5\uc744 \uac00\uc9c0\uace0 \uc788\uc2b5\ub2c8\ub2e4. \uc11c\ubc84\uac00 \ubb34\uc5c7\uc744 \ud558\uace0 \uc788\ub294\uc9c0, \uc5b4\ub5a4 \uc5d0\ub7ec\uac00 \ubc1c\uc0dd\ud588\ub294\uc9c0, \uc5b8\uc81c \ubb38\uc81c\uac00 \uc2dc\uc791\ub418\uc5c8\ub294\uc9c0&#8230; \ubaa8\ub4e0 \uac83\uc774 \ub85c\uadf8\uc5d0 \uae30\ub85d\ub418\uc5b4 \uc788\uc5b4\uc694. \uc624\ub298\uc740 \uc81c\uac00 \uc2e4\ubb34\uc5d0\uc11c \uc218\uc5c6\uc774 \uacaa\uc5c8\ub358 \uc7a5\uc560 \uc0c1\ud669\ub4e4\uc744 \ud1b5\ud574 \ubc30\uc6b4 \ub85c\uadf8 \uad00\ub9ac\uc640 \ubaa8\ub2c8\ud130\ub9c1\uc758 \uc2e4\uc804 \ub178\ud558\uc6b0\ub97c \uacf5\uc720\ud558\uaca0\uc2b5\ub2c8\ub2e4. 
\uc774\ub860\ubcf4\ub2e4\ub294 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[7],"tags":[54,56,55],"class_list":["post-26","post","type-post","status-publish","format-standard","hentry","category-linux","tag-54","tag-56","tag-55"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/hed-g.me\/index.php?rest_route=\/wp\/v2\/posts\/26","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hed-g.me\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hed-g.me\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hed-g.me\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hed-g.me\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=26"}],"version-history":[{"count":3,"href":"https:\/\/hed-g.me\/index.php?rest_route=\/wp\/v2\/posts\/26\/revisions"}],"predecessor-version":[{"id":60,"href":"https:\/\/hed-g.me\/index.php?rest_route=\/wp\/v2\/posts\/26\/revisions\/60"}],"wp:attachment":[{"href":"https:\/\/hed-g.me\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=26"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hed-g.me\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=26"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hed-g.me\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=26"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}