Log management

2025-02-24 update, from SLTechnology News&Howtos (Servers)


Shulou(Shulou.com)06/03 Report--

1. /var/log

The commonly used system logs are:

Kernel boot log: /var/log/messages

System errors and service restarts: /var/log/messages

Mail system log: /var/log/maillog

Cron (scheduled task) log: /var/log/cron # whether each scheduled job ran successfully is recorded in this file

System user login authentication: /var/log/secure

All logins and logouts: /var/log/wtmp

Last login of each user: /var/log/lastlog

Failed login attempts: /var/log/btmp

> /var/log/wtmp # clear the login and logout records

last # view wtmp

lastlog # check each user's last login time

lastb # check the failed login records, to determine whether there has been a brute-force attempt

2. Logging method: messages are first classified by facility, and then given a level within each class

There are seven main log classifications (FACILITY):

authpriv: security and authentication related

cron: scheduling related (cron and at)

daemon: background daemon processes

kern: generated by the kernel

lpr: generated by the printing system

mail: mail system related

syslog: the log service itself

news: news system (similar to BBS, newsgroups)

uucp: generated by the uucp system. Unix-to-Unix Copy is a feature of Unix that allows computers to exchange e-mail and messages in a store-and-forward manner. Before the rise of the Internet, it was the main way of connecting Unix systems.

local0 to local7 # 8 types in total, reserved by the system for other programs to use, or user-defined

8 log levels, listed from light to heavy

Level (PRIORITY):

debug: troubleshooting messages, for developers

info: normal information

notice: needs a little attention

warn: warning

err (error): error

crit (critical): critical error

alert: alarm, requires vigilance

emerg (emergency): emergency

Log service:

1) RHEL5:

Service name: syslog

Configuration file:

# vim /etc/syslog.conf

2) RHEL6: rsyslog

Configuration file:

# vim /etc/rsyslog.conf

3) RHEL7: rsyslog

Configuration file:

# vim /etc/rsyslog.conf

The default entries in the configuration file are as follows:

1. kern.*: all levels of kernel-type logs

2. *.info;mail.none;news.none;authpriv.none;cron.none: because mail, news, authpriv and cron generate many messages, those categories are not recorded in /var/log/messages. Apart from them, every other message (at info level or above) is written to /var/log/messages, so the messages file is important.

3. authpriv.*: authentication messages are written to the /var/log/secure file.

4. mail.*: mail messages are written to the /var/log/maillog file

5. cron.*: scheduled job messages are written to the /var/log/cron file

6. local7.*: messages that should be displayed on the screen at boot are written to the /var/log/boot.log file

Log entry rules in /etc/rsyslog.conf:

. : records the level that follows and every higher level. For example, mail.info means that any message of type mail whose level is info or higher (including info itself) is recorded.

.= : records only the exact level that follows, and nothing else.

.! : means "not equal to", i.e. every level except that level is recorded.

For example:

cron.none does not record any cron-type messages

cron.=err records only err-level cron messages

cron.err records cron messages at err level and above

cron.!err does not record err-level cron messages; all other levels are recorded
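To make the selector rules above concrete, here is a small Python model of how a classic rsyslog.conf line decides where a message goes. It is an added example, not code from the page or from rsyslog itself; it handles the forms the page explains (`*`, `none`, `=level`, plain level, and the `-` prefix on the action) and reproduces the page's own entries, plus the `*.emerg :omusrmsg:*` console line, which is assumed to be the stock RHEL default.

```python
"""Toy model of classic rsyslog.conf selector lines (added example)."""

FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "news",
              "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]
# Levels from light to heavy, in the order the page lists them.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

def _prio_index(name):
    return PRIORITIES.index(ALIASES.get(name, name))

def parse_rule(line):
    """Parse 'selector[;selector...]  action' into (mask, action, is_async).
    mask maps facility -> set of priorities that are written to the action."""
    selectors, action = line.split(maxsplit=1)
    is_async = action.startswith("-")   # '-' = buffered write (see the maillog note)
    action = action.lstrip("-")
    mask = {}
    for sel in selectors.split(";"):
        facs, prio = sel.rsplit(".", 1)
        fac_list = FACILITIES if facs == "*" else facs.split(",")
        if prio == "none":               # facility.none: record nothing
            allowed = set()
        elif prio == "*":                # facility.*: every level
            allowed = set(PRIORITIES)
        elif prio.startswith("="):       # facility.=err: exactly that level
            allowed = {PRIORITIES[_prio_index(prio[1:])]}
        else:                            # facility.err: err and heavier
            allowed = set(PRIORITIES[_prio_index(prio):])
        for fac in fac_list:
            mask[fac] = allowed          # later selectors override earlier ones
    return mask, action, is_async

def route(rules, facility, priority):
    """Return the actions a message of facility.priority is written to."""
    return [action for mask, action, _ in rules
            if priority in mask.get(facility, set())]

# The entries the page walks through, plus the sshd.log line it adds later;
# the ':omusrmsg:*' line is the stock RHEL default (assumed).
RULES = [parse_rule(l) for l in [
    "*.info;mail.none;news.none;authpriv.none;cron.none  /var/log/messages",
    "authpriv.*  /var/log/secure",
    "mail.*  -/var/log/maillog",
    "cron.*  /var/log/cron",
    "*.emerg  :omusrmsg:*",
    "local7.*  /var/log/boot.log",
    "local0.*  /var/log/sshd.log",
]]
```

`route(RULES, "mail", "info")` shows why mail traffic never lands in /var/log/messages, and `route(RULES, "local0", "info")` shows that the custom sshd facility lands in both messages and sshd.log.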

Where the log is recorded:

1. Local path: usually under /var/log

2. On a remote log server

Sometimes a log message is printed directly to the screen, similar to the wall command.

Extension:

The wall command:

wall - send a message to everybody's terminal.

[root@localhost ~]# wall Today is nice day!

Broadcast message from root@localhost.localdomain (pts/0) (Thu Dec 17 22:10:28 2015):

Today is nice day!

In this way, every user logged in to a Linux virtual terminal receives the message.

[root@localhost ~]# vim /etc/rsyslog.conf

mail.* -/var/log/maillog

In the mail entry above (the fourth line), what is the minus sign "-" in front of the recorded file /var/log/maillog for?

Because mail generates many messages, we want them to be held first in the faster memory buffer and written to disk in one go once enough data has accumulated, which reduces the number of disk reads and writes and the I/O overhead. The downside is that, because messages are held temporarily in memory, some data may be lost if the system shuts down abnormally before the buffered log messages are written to the file.

Customize the log of the sshd service

[root@localhost ~]# vim /etc/rsyslog.conf

local0.* /var/log/sshd.log

[root@localhost ~]# systemctl restart rsyslog.service

Configure the sshd service's own configuration file

[root@localhost ~]# vim /etc/ssh/sshd_config

SyslogFacility local0

[root@localhost ~]# systemctl restart sshd

[root@localhost ~]# ls /var/log/sshd.log

/var/log/sshd.log

[root@localhost ~]# cat /var/log/sshd.log

Dec 17 22:18:38 localhost sshd[35876]: Server listening on 0.0.0.0 port 22.

Dec 17 22:18:38 localhost sshd[35876]: Server listening on :: port 22.

Log viewing method

Each line consists of: time, host, process[ID], and the action performed
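As an added example (not code from the page), here is a Python parser for the line format just described, applied to the two sshd.log lines above plus a constructed set of login attempts, so that the brute-force check the page mentions for lastb can also be done on the sshd log itself. The "Failed password" message text is the standard OpenSSH wording; the sample addresses are constructed documentation-range values.

```python
"""Parse syslog lines (time, host, process[PID]: message) and count failed
sshd logins per source address. Added example, not from the page."""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<time>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

def parse_line(line):
    """Split one log line into its fields; return None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec

def failed_logins_by_source(lines, threshold=3):
    """Return {ip: count} for sources with at least `threshold` failed sshd logins."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proc"] != "sshd":
            continue          # skip unparseable lines and other daemons
        hit = FAILED_RE.search(rec["msg"])
        if hit:
            counts[hit["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample: the two lines from the page plus made-up login attempts
# (addresses are documentation ranges, not real hosts).
SAMPLE = """\
Dec 17 22:18:38 localhost sshd[35876]: Server listening on 0.0.0.0 port 22.
Dec 17 22:18:38 localhost sshd[35876]: Server listening on :: port 22.
Dec 17 22:20:01 localhost sshd[35901]: Failed password for root from 192.0.2.10 port 51234 ssh2
Dec 17 22:20:03 localhost sshd[35901]: Failed password for root from 192.0.2.10 port 51234 ssh2
Dec 17 22:20:05 localhost sshd[35903]: Failed password for invalid user admin from 192.0.2.10 port 51240 ssh2
Dec 17 22:21:10 localhost sshd[35910]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Dec 17 22:21:12 localhost sshd[35912]: Failed password for bob from 198.51.100.7 port 40030 ssh2
""".splitlines()
```

Run `failed_logins_by_source(SAMPLE)` to get `{"192.0.2.10": 3}`; a real deployment would feed it the lines of /var/log/sshd.log (or /var/log/secure) instead of SAMPLE.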

How to prevent the log from being deleted?

[root@localhost ~]# chattr +a /var/log/sshd.log

[root@localhost ~]# lsattr /var/log/sshd.log

-----a---------- /var/log/sshd.log

After adding this attribute, your /var/log/messages log file can only be appended to, not deleted, until root removes the a attribute with "chattr -a /var/log/messages".

5. Log rotation:

logrotate (the rotation process: create a new file, and rename the old file.)

Configuration file:

# vim /etc/logrotate.conf

[root@localhost ~]# vim /etc/logrotate.conf

weekly
