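DHCP (Dynamic Host Configuration Protocol) logs are an important resource for troubleshooting network problems and monitoring IP address allocation. The following are detailed methods for analyzing DHCP logs on Linux systems: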
/var/log/syslog
or /var/log/messages
```bash
grep dhcpd /var/log/syslog
```
```bash
grep dnsmasq /var/log/syslog
```
```bash
journalctl -u systemd-networkd
```
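```bash
# View recent DHCP activity
grep -i dhcp /var/log/syslog | tail -50
# View logs for a specific time period
grep -i dhcp /var/log/syslog | grep "May 10"
# Search for a specific client MAC address
grep -i "00:11:22:33:44:55" /var/log/syslog
# Count DHCPACK messages per IP address (field 8 in the dhcpd line format)
grep "DHCPACK" /var/log/syslog | awk '{print $8}' | sort | uniq -c
```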
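For the ISC DHCP server, you can make logging more detailed in /etc/dhcp/dhcpd.conf:
```
# Send dhcpd messages to the local7 syslog facility
log-facility local7;
# log (priority, data-expr): priority is fatal, error, info or debug.
# This statement logs the client hardware address at info priority.
log (info, concat("client ", binary-to-ascii(16, 8, ":", substring(hardware, 1, 6))));
```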
Then configure rsyslog to separate the DHCP logs into their own file:
```
local7.* /var/log/dhcpd.log
```
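Restart the services for the change to take effect:
```bash
# On Debian/Ubuntu the ISC DHCP unit is named isc-dhcp-server instead of dhcpd
systemctl restart rsyslog dhcpd
```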
```
May 10 10:00:00 server dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
May 10 10:00:01 server dhcpd: DHCPOFFER on 192.168.1.100 to 00:11:22:33:44:55 via eth0
May 10 10:00:02 server dhcpd: DHCPREQUEST for 192.168.1.100 from 00:11:22:33:44:55 via eth0
May 10 10:00:02 server dhcpd: DHCPACK on 192.168.1.100 to 00:11:22:33:44:55 via eth0
```
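Building on the dhcpd line format shown above, the following added example (not part of the original page) flags two patterns worth reviewing: an IP address acknowledged to more than one MAC address, and a MAC address that sends DHCPDISCOVER but never receives a DHCPACK. The function names, output record names and sample log are constructed for illustration; an IP seen with several MACs can also be ordinary lease reuse, so treat the output as a starting point for review.

```shell
# Added example: summarize ISC dhcpd syslog lines read from stdin.
# Output records, one per line:
#   MULTI_MAC <ip> <count>    IP acknowledged to more than one MAC address
#   NO_ACK <mac> <discovers>  MAC sent DHCPDISCOVER but never got a DHCPACK
dhcp_anomalies() {
  awk '
    {
      # Find the message-type token so a "dhcpd[pid]:" tag or a
      # different timestamp format does not shift field positions.
      for (i = 1; i <= NF; i++) if ($i ~ /^DHCP(DISCOVER|ACK)$/) break
      if (i > NF) next
      if ($i == "DHCPDISCOVER" && $(i+1) == "from") {
        discover[tolower($(i+2))]++
      } else if ($i == "DHCPACK" && $(i+1) == "on" && $(i+3) == "to") {
        # "DHCPACK to ..." (reply to DHCPINFORM) assigns no lease and is skipped.
        ip = $(i+2); mac = tolower($(i+4))
        acked[mac] = 1
        if (!((ip, mac) in seen)) { seen[ip, mac] = 1; macs[ip]++ }
      }
    }
    END {
      for (ip in macs) if (macs[ip] > 1) print "MULTI_MAC", ip, macs[ip]
      for (mac in discover) if (!(mac in acked)) print "NO_ACK", mac, discover[mac]
    }
  ' | sort
}

# Constructed sample log (not taken from a real system).
sample_log() {
  cat <<'EOF'
May 10 10:00:00 server dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
May 10 10:00:01 server dhcpd: DHCPOFFER on 192.168.1.100 to 00:11:22:33:44:55 via eth0
May 10 10:00:02 server dhcpd: DHCPREQUEST for 192.168.1.100 from 00:11:22:33:44:55 via eth0
May 10 10:00:02 server dhcpd: DHCPACK on 192.168.1.100 to 00:11:22:33:44:55 via eth0
May 10 10:05:00 server dhcpd: DHCPDISCOVER from 00:11:22:33:44:66 via eth0
May 10 10:05:05 server dhcpd: DHCPDISCOVER from 00:11:22:33:44:66 via eth0
May 10 11:00:00 server dhcpd[812]: DHCPACK on 192.168.1.100 to 00:11:22:33:44:77 via eth0
EOF
}

# Run against the sample; replace with e.g. dhcp_anomalies < /var/log/dhcpd.log
sample_log | dhcp_anomalies
```

Repeated NO_ACK records for many clients on one interface are also what the "No subnet declaration" condition looks like from the client side, so check the server's own error lines alongside this output.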
```
dhcpd: No subnet declaration for eth0 (no IPv4 addresses).
dhcpd: ** Ignoring requests on eth0. If this is not what you want, please write a subnet declaration in your dhcpd.conf file for the network segment to which interface eth0 is attached. **
```
Install:
```bash
apt install dhcpdump # Debian/Ubuntu
yum install dhcpdump # RHEL/CentOS
```
Usage:
```bash
dhcpdump -i eth0
```
```bash
tcpdump -i eth0 -vv port 67 or port 68
```
The logs can be imported into the ELK stack (Elasticsearch, Logstash, Kibana) for visual analysis.
To make sure the log does not grow without limit, add the following to /etc/logrotate.d/dhcpd:
```
/var/log/dhcpd.log {
    weekly
    missingok
    rotate 4
    compress
    delaycompress
    notifempty
    create 640 root adm
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}
```
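With the methods above, you can effectively monitor and analyze how the DHCP service is running on a Linux system, and quickly locate and resolve network configuration problems.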