Detailed explanation of log management of Linux server

2025-01-28 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article gives a detailed explanation of log management on a Linux server. In daily operation, many people have doubts about how Linux server logs are managed. The editor consulted a range of materials and sorted out simple, easy-to-use methods, which I hope will help answer those doubts. Please follow along with the editor to study.

In the Linux system there are three main logging subsystems:

Connection time logs: written by several programs (for example, login updates the wtmp and utmp files) to files such as /var/log/wtmp and /var/run/utmp, allowing system administrators to track who logged in to the system and when.

Process accounting: performed by the system kernel. When a process terminates, the kernel writes one record per process to the process accounting file (pacct or acct). The purpose of process accounting is to provide command-usage statistics for basic services on the system.

Error logs: handled by syslogd(8). Various system daemons, user programs, and the kernel report noteworthy events through syslog(3) to the file /var/log/messages. Many Unix programs also create their own logs, and servers providing network services such as HTTP and FTP keep detailed logs of their own.

Common log files are as follows:

access-log: records HTTP/web server transfers

acct/pacct: records user commands

aculog: records modem activity

btmp: records failed login attempts

lastlog: records the most recent successful login and the last unsuccessful login for each user

messages: records information from syslog (on some systems a link to the syslog file)

sudolog: records commands issued using sudo

sulog: records use of the su command

syslog: records information from syslog (usually linked to the messages file)

utmp: records each user who is currently logged in

wtmp: a permanent record of each user's login and logout times

xferlog: records FTP sessions

The utmp, wtmp, and lastlog files are the key to most Unix logging subsystems: they keep records of users logging in and out. Information about currently logged-in users is recorded in utmp; logins and logouts are recorded in wtmp; and the last-login file can be viewed with the lastlog command. Data exchange, shutdown and restart are also recorded in the wtmp file. All records contain a timestamp. On systems with many users these files (lastlog is usually small) grow rapidly; wtmp in particular grows without bound unless it is truncated regularly. Many systems rotate wtmp daily or weekly, usually through a script run by cron that renames and recycles the file: at the end of the first day wtmp is renamed wtmp.1, then wtmp.1 becomes wtmp.2, and so on up to wtmp.7.

Each time a user logs in, the login program looks up the user's UID in lastlog. If an entry is found, the user's last login time, logout time, and hostname are written to standard output, and login then records the new login time in lastlog. After the new lastlog record is written, the utmp file is opened and the user's utmp record is inserted. That record remains until the user logs out. The utmp file is used by a variety of commands, including who, w, users, and finger.

Next, the login program opens wtmp and appends the user's utmp record. When the user logs out, the same utmp record with an updated timestamp is appended to the file. The wtmp file is used by the programs last and ac.

Specific commands

The wtmp and utmp files are binary, so they cannot be trimmed or concatenated with text tools such as tail or cat. Use who, w, users, last, and ac to read the information in these two files.

who: the who command queries the utmp file and reports on each user who is currently logged in. The default output of who includes user name, terminal, login time, and remote host. For example, running who displays:

chyang pts/0 Aug 18 15:06

ynguo pts/2 Aug 18 15:32

ynguo pts/3 Aug 18 13:55

lewis pts/4 Aug 18 13:35

ynguo pts/7 Aug 18 14:12

ylou pts/8 Aug 18 14:15

If the wtmp file name is given as an argument, who reports all previous records instead. The command who /var/log/wtmp reports every login since the wtmp file was created or last truncated.

w: the w command queries the utmp file and displays information about each user on the system and the processes they are running. For example, running w displays:

3:36pm up 1 day, 22:34, 6 users, load average: 0.23, 0.29, 0.27

USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT

chyang pts/0 202.38.68.242 3:06pm 2:04 0.08s 0.04s -bash

ynguo pts/2 202.38.79.47 3:32pm 0.00s 0.14s 0.05 w

lewis pts/3 202.38.64.233 1:55pm 30:39 0.27s 0.22s -bash

lewis pts/4 202.38.64.233 1:35pm 6.00s 4.03s 0.01s sh /home/users/

ynguo pts/7 simba.nic.ustc.e 2:12pm 0.00s 0.47s 0.24s telnet mail

ylou pts/8 202.38.64.235 2:15pm 1:09m 0.10s 0.04s -bash

users: the users command prints the currently logged-in users on a single line, one name per login session. A user with more than one login session appears that many times. For example, running users displays: chyang lewis lewis ylou ynguo ynguo

last: the last command searches backward through wtmp and shows every user who has logged in since the file was created. For example:

chyang pts/9 202.38.68.242 Tue Aug 1 08:34-11:23 (02:49)

cfan pts/6 202.38.64.224 Tue Aug 1 08:33-08:48 (00:14)

chyang pts/4 202.38.68.242 Tue Aug 1 08:32-12:13 (03:40)

lewis pts/3 202.38.64.233 Tue Aug 1 08:06-11:09 (03:03)

lewis pts/2 202.38.64.233 Tue Aug 1 07:56-11:09 (03:12)

If a user name is given, last reports only that user's recent activity. For example, running last ynguo displays:

ynguo pts/4 simba.nic.ustc.e Fri Aug 4 16:50-08:20 (15:30)

ynguo pts/4 simba.nic.ustc.e Thu Aug 3 23:55-04:40 (04:44)

ynguo pts/11 simba.nic.ustc.e Thu Aug 3 20:45-22:02 (01:16)

ynguo pts/0 simba.nic.ustc.e Thu Aug 3 03:17-05:42 (02:25)

ynguo pts/0 simba.nic.ustc.e Wed Aug 2 01:04-03:16 (02:12)

ynguo pts/0 simba.nic.ustc.e Wed Aug 2 00:43-00:54 (00:11)

ynguo pts/9 simba.nic.ustc.e Thu Aug 1 20:30-21:26 (00:55)

ac: the ac command reports user connect time in hours, computed from the login and logout records in the current /var/log/wtmp file; with no flags it prints only the total. For example, running ac displays:

total 5177.47
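Because utmp and wtmp are binary files, the only way to inspect them without who, last or ac is to decode the record format directly. The following parser is an added example, not code from the original article: it assumes the glibc x86_64 struct utmp layout (384-byte records, as written by 64-bit Linux), and all sample records are constructed here, not captured from a real system. It reproduces what last and ac do, pairing each USER_PROCESS login with the next DEAD_PROCESS logout on the same tty and summing the connect time.

```python
import struct
from collections import namedtuple

# glibc x86_64 struct utmp (384 bytes): type, pad, pid, line, id, user, host,
# exit status, session, tv_sec, tv_usec, addr_v6, unused.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8
Entry = namedtuple("Entry", "ut_type pid line user host sec")

def _cstr(b):
    return b.split(b"\0", 1)[0].decode("utf-8", "replace")
def parse_utmp(data):
    # Decode raw utmp/wtmp bytes into Entry records in file order.
    if len(data) % UTMP_SIZE:
        raise ValueError("truncated or corrupt utmp data")
    recs = [struct.unpack_from(UTMP_FMT, data, o) for o in range(0, len(data), UTMP_SIZE)]
    return [Entry(f[0], f[1], _cstr(f[2]), _cstr(f[4]), _cstr(f[5]), f[9]) for f in recs]

def sessions(entries, now):
    # Pair logins with logouts per tty as last(1)/ac(1) do: USER_PROCESS opens a session
    # on ut_line, the next DEAD_PROCESS (or a new login) on it closes it, else it runs to `now`.
    open_by_line, done = {}, []
    close = lambda s, end: done.append((s.user, s.line, s.host, s.sec, end))
    for e in entries:
        if e.ut_type == USER_PROCESS:
            if e.line in open_by_line:
                close(open_by_line.pop(e.line), e.sec)
            open_by_line[e.line] = e
        elif e.ut_type == DEAD_PROCESS and e.line in open_by_line:
            close(open_by_line.pop(e.line), e.sec)
    for s in open_by_line.values(): close(s, now)
    return done

def connect_hours(entries, now):
    # Total connect time in hours, the figure ac prints when run with no flags.
    return sum(end - start for *_, start, end in sessions(entries, now)) / 3600

def pack_utmp(ut_type, pid, line, user, host, sec):
    # Build one record; used below only to construct offline sample data.
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, sec, 0, 0, 0, 0, 0)
# Constructed sample wtmp: one boot record, two logins and their logouts.
SAMPLE_WTMP = b"".join([
    pack_utmp(BOOT_TIME, 0, "~", "reboot", "", 9000),
    pack_utmp(USER_PROCESS, 100, "pts/0", "chyang", "202.38.68.242", 10000),
    pack_utmp(USER_PROCESS, 200, "pts/2", "ynguo", "simba.nic.ustc.e", 12000),
    pack_utmp(DEAD_PROCESS, 200, "pts/2", "", "", 13800),
    pack_utmp(DEAD_PROCESS, 100, "pts/0", "", "", 17200),
])
```

To read a real file, pass open("/var/log/wtmp", "rb").read() to parse_utmp; a length that is not a multiple of 384 is reported as truncated or corrupt rather than silently skipped, which is the check an investigator wants before trusting the login history.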

This concludes the study of "detailed explanation of log management of Linux server". I hope it has resolved your doubts. Combining theory with practice helps you learn better, so go and try it! If you want to keep learning related knowledge, please continue to follow the website; the editor will keep working hard to bring you more practical articles!
