
Example Analysis of Linux Log

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains "Linux log example analysis"; interested readers may wish to have a look. The method introduced here is simple, fast and practical. Let the editor take you through "Linux log example analysis".

1. Brief introduction to logs

Default location of logs: /var/log/

Check the log configuration: more /etc/rsyslog.conf

Log file description:

- /var/log/cron: records logs related to system scheduled tasks (cron).
- /var/log/cups: records printing information.
- /var/log/dmesg: records the kernel self-test information from system boot; the dmesg command shows the same information directly.
- /var/log/maillog: mail log.
- /var/log/messages: records important system information. This file holds most of the important messages of a Linux system; if something goes wrong with the system, it is the first log to check.
- /var/log/btmp: records failed logins. This is a binary file and cannot be viewed with vi; use the lastb command instead.
- /var/log/lastlog: records the last login time of every user on the system. Binary file; use the lastlog command instead of vi.
- /var/log/wtmp: permanently records the login and logout of all users, as well as system startup, restart and shutdown events. Binary file; use the last command instead of vi.
- /var/log/utmp: records the users currently logged in. This file changes as users log in and out and only holds the currently logged-in users. Binary file; query it with commands such as w, who and users.
- /var/log/secure: records authentication and authorization information. Any program that involves accounts and passwords, such as SSH login, su switching users, sudo authorization, and even adding users and changing user passwords, is recorded in this log.

Some important logs:

- Login failure record: /var/log/btmp // lastb
- Last login: /var/log/lastlog // lastlog
- Login success record: /var/log/wtmp // last
- Login log record: /var/log/secure

Logged-in user information: /var/run/utmp // w, who, users

Command history: history; clear only the current user's history: history -c

2. Log analysis skills

A. Commonly used shell commands

Common shell commands under Linux: find, grep, egrep, awk, sed.

Tips:

1. Have grep show context lines around a match:

Standard Unix/Linux grep controls the context with the following options:

```
grep -C 5 foo file   # lines matching "foo" in file, plus five lines before and after
grep -B 5 foo file   # the match and the five lines before it
grep -A 5 foo file   # the match and the five lines after it
grep -V              # show the grep version number
```

2. Have grep find all files containing a string:

```
grep -rn "hello,world!" *
```

`*` means all files in the current directory (it can also be a file name); -r searches recursively; -n shows line numbers; -R searches all files including subdirectories; -i ignores case.

3. How to display certain lines of a file:

```
cat input_file | tail -n +1000 | head -n 2000
```

Starts at line 1000 and displays 2000 lines, i.e. lines 1000 to 2999.

4. Find a file by name:

```
find /etc -name init
```

// find the file init in the directory /etc

5. Show only the account names in /etc/passwd:

```
cat /etc/passwd | awk -F':' '{print $1}'
```

// awk -F sets the field separator to ':'; awk splits each record into fields at that separator. $0 is the whole record, $1 the first field and $n the nth field.

6. Trim the shell history:

```
sed -i '153,$d' .bash_history
```

// Delete the history records, keeping only the first 153 lines.

B. Log analysis skills

1. /var/log/secure

(1) Locate how many IPs are brute-forcing the host's root account:

```
grep "Failed password for root" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more
```

Locate which IPs are brute-forcing any account, extracting the IPv4 address with a regex rather than relying on a fixed awk column:

```
grep "Failed password" /var/log/secure | grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" | sort | uniq -c
```

Which user-name dictionary is the brute force using?

```
grep "Failed password" /var/log/secure | perl -e 'while ($_ = <>) { /for (.*?) from/; print "$1\n"; }' | sort | uniq -c | sort -nr
```

(2) Which IPs have logged in successfully:

```
grep "Accepted" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more
```

Date, user name and IP of successful logins:

```
grep "Accepted" /var/log/secure | awk '{print $1,$2,$9,$11}'
```

(3) Log of adding a user kali:

```
Jul 10 00:12:15 localhost useradd[2382]: new group: name=kali, GID=1001
Jul 10 00:12:15 localhost useradd[2382]: new user: name=kali, UID=1001, GID=1001, home=/home/kali, shell=/bin/bash
Jul 10 00:12:58 localhost passwd: pam_unix(passwd:chauthtok): password changed for kali
# grep "useradd" /var/log/secure
```

(4) Log of deleting the user kali:

```
Jul 10 00:14:17 localhost userdel[2393]: delete user 'kali'
Jul 10 00:14:17 localhost userdel[2393]: removed group 'kali' owned by 'kali'
Jul 10 00:14:17 localhost userdel[2393]: removed shadow group 'kali' owned by 'kali'
# grep "userdel" /var/log/secure
```

(5) su switching user:

```
Jul 10 00:38:13 localhost su: pam_unix(su-l:session): session opened for user good by root(uid=0)
```

sudo authorized execution: sudo -l

```
Jul 10 00:43:09 localhost sudo: good : TTY=pts/4 ; PWD=/home/good ; USER=root ; COMMAND=/sbin/shutdown -r now
```
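The /var/log/secure checks above, applied to a constructed sample log so they can be run offline, as an added example that is not part of the original article. It assumes the CentOS 7 line layout the article shows; the sample lines, the documentation-range addresses in them, and the helper function names are all constructed for this example. It goes one step beyond the article's one-liners: the source IP and user name are taken from the "for ... from ..." part of the line instead of a fixed awk column, so "invalid user" lines, which shift the columns, are counted as well, and a threshold turns the per-IP counts into a brute-force alert list.

```shell
#!/bin/sh
# Added example: defender-side triage of /var/log/secure-style lines.
# Assumes the CentOS 7 sshd/sudo line layout shown in the article.

# Constructed sample log (not real traffic); written to a temp file so the
# functions below take a file path exactly as they would for /var/log/secure.
SAMPLE_LOG="${TMPDIR:-/tmp}/secure.sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jul 10 00:01:01 localhost sshd[1001]: Failed password for root from 192.0.2.10 port 51234 ssh2
Jul 10 00:01:02 localhost sshd[1001]: Failed password for root from 192.0.2.10 port 51235 ssh2
Jul 10 00:01:03 localhost sshd[1002]: Failed password for invalid user admin from 192.0.2.10 port 51236 ssh2
Jul 10 00:01:04 localhost sshd[1003]: Failed password for root from 198.51.100.7 port 40000 ssh2
Jul 10 00:01:05 localhost sshd[1004]: Failed password for invalid user oracle from 198.51.100.7 port 40001 ssh2
Jul 10 00:02:00 localhost sshd[1005]: Accepted password for good from 203.0.113.5 port 50000 ssh2
Jul 10 00:02:30 localhost sshd[1006]: Accepted publickey for root from 192.0.2.10 port 51300 ssh2
Jul 10 00:12:15 localhost useradd[2382]: new user: name=kali, UID=1001, GID=1001, home=/home/kali, shell=/bin/bash
Jul 10 00:43:09 localhost sudo: good : TTY=pts/4 ; PWD=/home/good ; USER=root ; COMMAND=/sbin/shutdown -r now
EOF

# The article's first check: failed root logins per source IP (column 11).
failed_root_by_ip() {
    grep "Failed password for root" "$1" | awk '{print $11}' | sort | uniq -c | sort -nr
}

# All failed logins per source IP. The IP is taken from the "from X port"
# text, so "invalid user" lines (which push the IP to column 13) are counted.
failed_by_ip() {
    grep "Failed password" "$1" \
      | sed -n 's/.* from \([0-9][0-9.]*\) port .*/\1/p' \
      | sort | uniq -c | sort -nr
}

# User names tried: the article's "for ... from" capture, with the optional
# "invalid user " prefix stripped so each name is counted once.
failed_usernames() {
    grep "Failed password" "$1" \
      | sed -n 's/.*Failed password for \(invalid user \)\{0,1\}\([^ ]*\) from .*/\2/p' \
      | sort | uniq -c | sort -nr
}

# Source IPs with at least $2 failures (default 3): the alert list.
brute_force_sources() {
    failed_by_ip "$1" | awk -v min="${2:-3}" '$1 >= min {print $2}'
}

# Successful logins as date, user, IP (the article's awk columns).
accepted_logins() {
    grep "Accepted" "$1" | awk '{print $1,$2,$9,$11}'
}

# Commands run through sudo (the COMMAND= field of sudo lines).
sudo_commands() {
    grep ' sudo: ' "$1" | sed -n 's/.*COMMAND=//p'
}

# Demo output when run directly.
echo "== failed root logins by IP ==";   failed_root_by_ip "$SAMPLE_LOG"
echo "== failed logins by IP (all) ==";  failed_by_ip "$SAMPLE_LOG"
echo "== user names tried ==";           failed_usernames "$SAMPLE_LOG"
echo "== brute-force sources (>=3) =="; brute_force_sources "$SAMPLE_LOG" 3
echo "== successful logins ==";          accepted_logins "$SAMPLE_LOG"
echo "== sudo commands ==";              sudo_commands "$SAMPLE_LOG"
```

Point the functions at the real file (for example `failed_by_ip /var/log/secure`) to use them on a host; the sample shows why the regex form matters, since `awk '{print $11}'` reports "admin" and "oracle" as IPs for the two "invalid user" lines.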

2. /var/log/yum.log

Software installation, upgrade and uninstall log:

```
yum install gcc
[root@bogon ~]# more /var/log/yum.log
Jul 10 00:18:23 Updated: cpp-4.8.5-28.el7_5.1.x86_64
Jul 10 00:18:24 Updated: libgcc-4.8.5-28.el7_5.1.x86_64
Jul 10 00:18:24 Updated: libgomp-4.8.5-28.el7_5.1.x86_64
Jul 10 00:18:28 Updated: gcc-4.8.5-28.el7_5.1.x86_64
Jul 10 00:18:28 Updated: libgcc-4.8.5-28.el7_5.1.i686
```

At this point I believe everyone has a deeper understanding of "Linux log example analysis"; why not try it out in practice! More related content can be found in the relevant channels of the website. Follow us and keep learning!


© 2024 shulou.com SLNews company. All rights reserved.
