2025-03-29 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 06/01 Report
This article explains which log files matter under Linux and how to view them. It is intended as reference material; after reading it you should have a working understanding of the topic.
Logs are central to security. They record what happens on the system day by day, and you use them to find the cause of an error or the traces left by an intruder. This article introduces the important log files under Linux and the tools for reading log output.
1. Introduction of important log files under Linux
/var/log/boot.log
This file records the events that occur while the system boots, that is, the messages the start-up scripts print to the console as services come up (the kernel's own boot messages go to the ring buffer that dmesg reads). Figure 1: /var/log/boot.log
/var/log/cron
This file records the actions of the child processes spawned by the cron daemon crond. Each entry gives the user, the time, the PID and the action of the spawned process. CMD is the most common action: cron has started a scheduled job. A REPLACE action records that a user updated their crontab, the file listing the jobs to run periodically. A RELOAD action follows shortly after a REPLACE: cron has noticed the changed crontab and must reload it into memory. An unexpected REPLACE or RELOAD, or a CMD for a job nobody scheduled, is an anomaly worth investigating, since cron is a common place to hide a persistence mechanism.
Figure 2: /var/log/cron
/var/log/maillog
This file records every e-mail activity sent to or from the system. It shows which tool a user used to send mail and to which system it went, which is useful when checking whether data left the host by mail.
Figure 3: /var/log/maillog
/var/log/messages
This is the general system log written by syslogd. Each line contains the date, the hostname, the program name followed by the PID in square brackets (or a kernel identifier), a colon, a space and finally the message. Its drawback is that login attempts and successful logins are buried among a large number of records from normal processes. What gets written here is controlled by /etc/syslog.conf, the syslogd configuration file that decides which facilities and priorities are written to /var/log/messages.
/var/log/syslog
Fedora does not generate this file by default, but you can configure /etc/syslog.conf so that the system does. Unlike /var/log/messages, it records only messages of warning priority and above, typically information about problems with the system, so it deserves close attention. To have the system produce it, add the line *.warning /var/log/syslog to /etc/syslog.conf (rsyslog, used by current distributions, accepts the same selector syntax in /etc/rsyslog.conf). It will then record, for example, wrong passwords reported by login, problems with Sendmail and failed su attempts.
/var/log/lastlog
This file records the most recent successful login of each user; it is written by login and consulted at every login. Failed attempts are not kept here (they go to /var/log/btmp, read with lastb). The file is binary and must be read with the lastlog command, which prints the login name, port and last login time sorted by UID. A user who has never logged in shows as "**Never logged in**". Simply enter lastlog; the file is normally world-readable, so run it as root if you get a permission error or want to be sure of seeing every account.
Figure 4: running result of the lastlog command
/var/log/wtmp
This file permanently records each user's logins and logouts and every system start-up and shutdown. It therefore grows with system uptime, at a rate that depends on how often users log in (logrotate normally rotates it monthly). The last command reads it and prints the login records newest first; last can also filter by user, by terminal (tty) or by time, and last -f reads a rotated copy of the file.
/var/run/utmp
This file records information about each user currently logged in. It changes as users log in and out and keeps only the users online at that moment, not a permanent record. Programs that need the current user status, such as who, w, users and finger, read it. Its contents are not always accurate: an abnormally terminated login session can leave its utmp entry un-updated, so the file is not 100% trustworthy.
The three files above (/var/log/wtmp, /var/run/utmp and /var/log/lastlog) are the key files of the login-accounting subsystem; all of them record user logins and every record carries a timestamp. They are binary, so you cannot read them with less, cat or similar tools; use the corresponding commands instead. utmp and wtmp share the same record structure, while lastlog uses a different one; both are documented in the man pages (man 5 utmp and man 8 lastlog).
Each time a user logs in, the login program looks up the user's UID in lastlog. If an entry exists, the time and host of the previous login are written to standard output, then login records the new login time in lastlog, opens utmp and inserts a utmp record for the user. That record stays in place until the user logs out. utmp is read by commands such as who, w, users and finger.
login then opens wtmp and appends the same utmp record to it. When the user logs out, the same record with an updated timestamp (and the DEAD_PROCESS type) is appended again. wtmp is the file read by last.
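The following is an added example, not code from the original article: it parses the binary utmp/wtmp record structure directly with Python's struct module and pairs logins with logouts the way last does, so that a session with no matching logout record (the "missing record" anomaly discussed later) stands out. The record layout is the glibc x86_64 one (384 bytes per record, little-endian); other architectures or libc variants differ, so check man 5 utmp before using it on another platform. The sample wtmp data and the users, hosts and PIDs in it are constructed here for the example.

```python
import struct
from datetime import datetime, timezone

# struct utmp from glibc <utmp.h> on x86_64 Linux, 384 bytes per record:
# ut_type(2) pad(2) ut_pid(4) ut_line(32) ut_id(4) ut_user(32) ut_host(256)
# ut_exit(2+2) ut_session(4) ut_tv(4+4) ut_addr_v6(16) unused(20).
# Assumption: little-endian x86_64 layout; other ABIs differ (see man 5 utmp).
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

# ut_type values used here (from <utmp.h>)
BOOT_TIME = 2
USER_PROCESS = 7
DEAD_PROCESS = 8


def _cstr(raw):
    """Decode a NUL-padded fixed-width char array."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def pack_record(ut_type, pid, line, user, host, ts):
    """Build one utmp/wtmp record; used here only to construct sample data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, int(ts), 0, 0, 0, 0, 0, b"")


def parse_records(data):
    """Yield one dict per 384-byte record in a utmp/wtmp byte string."""
    if len(data) % UTMP_SIZE:
        raise ValueError("size is not a multiple of the utmp record size")
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield {"type": f[0], "pid": f[1], "line": _cstr(f[2]),
               "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]}


def sessions(data):
    """Pair USER_PROCESS with DEAD_PROCESS records on the same tty, as `last` does.

    Returns (user, line, host, login_ts, logout_ts) tuples. logout_ts is None for a
    session with no matching logout record, which is the kind of gap worth a second
    look. A BOOT_TIME record closes every session still open at that point.
    """
    open_by_line = {}
    result = []
    for r in parse_records(data):
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS:
            start = open_by_line.pop(r["line"], None)
            if start is not None:
                result.append((start["user"], start["line"], start["host"],
                               start["time"], r["time"]))
        elif r["type"] == BOOT_TIME:
            for start in open_by_line.values():
                result.append((start["user"], start["line"], start["host"],
                               start["time"], r["time"]))
            open_by_line.clear()
    for start in open_by_line.values():
        result.append((start["user"], start["line"], start["host"], start["time"], None))
    return result


# Constructed sample wtmp: one boot, two logins, and only one logout.
BASE_TS = 1_700_000_000  # 2023-11-14 22:13:20 UTC
SAMPLE_WTMP = b"".join([
    pack_record(BOOT_TIME, 0, "~", "reboot", "6.5.0", BASE_TS),
    pack_record(USER_PROCESS, 4101, "pts/0", "alice", "10.0.0.5", BASE_TS + 60),
    pack_record(USER_PROCESS, 4190, "pts/1", "bob", "203.0.113.9", BASE_TS + 120),
    pack_record(DEAD_PROCESS, 4101, "pts/0", "", "", BASE_TS + 600),
])


def analyze_sample_wtmp():
    return sessions(SAMPLE_WTMP)


def fmt(ts):
    if ts is None:
        return "still logged in"
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%c")


if __name__ == "__main__":
    # To read the real file instead: sessions(open("/var/log/wtmp", "rb").read())
    for user, line, host, login, logout in analyze_sample_wtmp():
        print(f"{user:<8} {line:<6} {host:<16} {fmt(login)} -> {fmt(logout)}")
```

Running it on the sample prints alice's completed session and bob's session with no logout. Compare the output against last -f on the same file: a wtmp whose record count is not a multiple of 384 bytes, or whose sessions never close, has either been truncated or edited.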
/var/log/xferlog
This file records FTP sessions and shows which files users copied to or from the FTP server. It reveals programs that a user uploaded to the server as well as files the user downloaded for their own use.
One line is written per transfer, with these whitespace-separated fields: the date and time; the transfer time in seconds; the remote hostname or address; the file size in bytes; the local path of the file; the transfer type (a: ASCII, b: binary); the special-action flag (C: compressed, U: uncompressed, T: tar, _: no action); the direction relative to the server (i: incoming, o: outgoing); the access mode (a: anonymous, g: guest with password, r: real user); the user name; the service name (usually ftp); the authentication method (1: RFC 931 authentication, 0: none); the authenticated user ID or *; and, on most servers, a completion status (c: complete, i: incomplete).
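As an added example (not code from the original article), the following Python parses xferlog lines into their fields as listed above and pulls out the transfers an administrator would review first: everything uploaded to the server, with anonymous uploads called out separately. The sample lines, hosts and file names are constructed for the example; the field order follows the xferlog(5) format, and a line without the trailing completion status (older servers) is accepted too.

```python
from datetime import datetime

# Field names after the five date tokens, in xferlog(5) order.  The completion
# status is written by wu-ftpd, proftpd and vsftpd; older servers may omit it.
FIELDS = ("transfer_time", "remote_host", "file_size", "filename", "transfer_type",
          "special_action", "direction", "access_mode", "username", "service",
          "auth_method", "auth_user", "status")

TRANSFER_TYPE = {"a": "ascii", "b": "binary"}
SPECIAL_ACTION = {"C": "compressed", "U": "uncompressed", "T": "tar", "_": "none"}
DIRECTION = {"i": "upload", "o": "download"}
ACCESS_MODE = {"a": "anonymous", "g": "guest", "r": "real"}


def parse_xferlog_line(line):
    """Parse one xferlog line into a dict; raise ValueError on a malformed line.

    The server replaces spaces in file names with underscores, so splitting on
    whitespace is safe.  The date is five tokens, e.g. 'Mon Nov 13 10:24:01 2023'.
    """
    tokens = line.split()
    if len(tokens) == 5 + len(FIELDS) - 1:      # server without completion status
        tokens.append("?")
    if len(tokens) != 5 + len(FIELDS):
        raise ValueError(f"unexpected field count {len(tokens)}: {line!r}")
    rec = dict(zip(FIELDS, tokens[5:]))
    rec["when"] = datetime.strptime(" ".join(tokens[:5]), "%a %b %d %H:%M:%S %Y")
    rec["transfer_time"] = int(rec["transfer_time"])
    rec["file_size"] = int(rec["file_size"])
    for key, table in (("transfer_type", TRANSFER_TYPE), ("special_action", SPECIAL_ACTION),
                       ("direction", DIRECTION), ("access_mode", ACCESS_MODE)):
        if rec[key] not in table:
            raise ValueError(f"bad {key} flag {rec[key]!r}: {line!r}")
        rec[key] = table[rec[key]]
    return rec


def suspicious_transfers(lines):
    """Return (username, filename, reason) for every upload to the server."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_xferlog_line(line)
        if rec["direction"] != "upload":
            continue
        if rec["access_mode"] == "anonymous":
            reason = "anonymous upload"
        else:
            reason = "upload by real user"
        findings.append((rec["username"], rec["filename"], reason))
    return findings


# Constructed sample lines (not taken from a real server).
SAMPLE_XFERLOG = """\
Mon Nov 13 10:24:01 2023 1 10.0.0.5 20480 /pub/README.txt a _ o a guest@ ftp 0 * c
Mon Nov 13 10:31:17 2023 12 203.0.113.9 1048576 /pub/incoming/tool.tgz b _ i a mozilla@ ftp 0 * c
Mon Nov 13 11:02:45 2023 4 10.0.0.7 73421 /home/bob/report.pdf b _ i r bob ftp 0 * c
""".splitlines()


def analyze_sample_xferlog():
    return suspicious_transfers(SAMPLE_XFERLOG)


if __name__ == "__main__":
    # For a live system: suspicious_transfers(open("/var/log/xferlog").read().splitlines())
    for user, path, reason in analyze_sample_xferlog():
        print(f"{reason:<20} {user:<12} {path}")
```

An anonymous upload to a world-writable incoming directory is the classic way an FTP server ends up hosting someone else's files, so that case is reported with its own reason string; extend the filter with file-size or path checks as your site requires.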
2. How to view Linux log output
Linux provides many text tools for viewing and manipulating log files; the most common and useful ones are described below.
dmesg
The dmesg command quickly shows the kernel messages from the most recent boot. As with the boot log above, the output is long, so it is usually paged:
# dmesg | more
tail
The tail command displays the last lines of a text file. With the -f switch it keeps running and prints new lines as they are appended to the log:
# tail -f /var/log/messages
This command prints the last ten lines of /var/log/messages (tail's default), then keeps watching the file and outputs each new line as it is written. Press [Ctrl+C] to stop tail -f.
more and less
more works in the same way as the DOS version. You can point it at a file, or feed it information through a pipe, and read the output page by page. For example, to page through the maillog log file:
# more maillog
Figure 9: using more to view logs
Press Q or [Ctrl+C] to stop viewing the file.
less is another text pager, but it also lets you scroll backwards through a file and search for text. For example:
# less /var/log/cron-20090830
This command displays the contents of the rotated cron log /var/log/cron-20090830; press Q to stop viewing the file.
Other ways
Log files are essential for troubleshooting and maintaining a Linux system. Many network services such as WWW, FTP and SMTP write their logs to designated plain-text files (access.log, error.log and so on), so no special tool is needed to read them: any text editor or viewer such as vi or gedit will do. The binary files described above (wtmp, utmp, lastlog) are the exception and need their dedicated commands.
3. Important principles for using Linux logs
System administrators should stay vigilant, watch for anything suspicious and check the system log files regularly and also at random times, including the general system log, the network connection logs, the file-transfer log and the user login logs. When checking them, look for records that do not make sense, for example:
Users logging in at unusual times
Abnormal log records, such as incomplete logs, or log files such as wtmp missing a stretch of records for no apparent reason
A user logging in from an IP address different from their usual one
Records of failed logins, especially repeated failed attempts
Indications of illegal or improper use of su to obtain superuser privileges
Records of network services being restarted without reason or without authorization
Administrators should also remember that logs are not completely reliable: a skilled intruder usually cleans up after breaking in. You therefore need to combine the commands above, cross-check the different log sources and look at the whole picture rather than a single entry, otherwise an intrusion is hard to spot and easy to misjudge.
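The checks in the list above can be automated over the syslog-format lines described for /var/log/messages (date, hostname, program[PID]: message). The following Python is an added example, not code from the original article: it parses lines in that format and flags repeated login failures, a success following failures from the same address, off-hours logins, a user appearing from a new source address, and failed or successful su to root. The sample lines are constructed for the example; the message texts assume the wording written by OpenSSH sshd and util-linux su, and the thresholds and quiet hours are illustrative parameters, not values from the article.

```python
import re
from collections import defaultdict

# Classic syslog line: "Nov 13 03:12:01 web1 sshd[2211]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# Message wording assumed from OpenSSH sshd and util-linux su.
FAILED_RE = re.compile(r"Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")
FAILED_SU_RE = re.compile(r"FAILED SU \(to (?P<target>\S+)\) (?P<user>\S+) on")


def parse_syslog_line(line):
    """Split a syslog line into timestamp, host, program, pid and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["hour"] = int(rec["ts"][-8:-6])   # hour of "Nov 13 03:12:01"
    return rec


def audit(lines, failure_threshold=3, quiet_hours=range(0, 6)):
    """Return a list of findings tuples; the first element names the check."""
    findings = []
    failures = defaultdict(int)   # failed logins per source IP
    usual_ip = {}                 # first source IP seen per user
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is None:
            findings.append(("unparseable", line))
            continue
        msg = rec["msg"]
        if rec["prog"] == "sshd":
            m = FAILED_RE.search(msg)
            if m:
                failures[m["ip"]] += 1
                if failures[m["ip"]] == failure_threshold:
                    findings.append(("repeated-failures", m["ip"], m["user"]))
                continue
            m = ACCEPTED_RE.search(msg)
            if m:
                user, ip = m["user"], m["ip"]
                if failures[ip]:
                    findings.append(("success-after-failures", ip, user))
                if rec["hour"] in quiet_hours:
                    findings.append(("off-hours-login", user, rec["ts"]))
                if user in usual_ip and usual_ip[user] != ip:
                    findings.append(("new-source-ip", user, ip))
                usual_ip.setdefault(user, ip)
        elif rec["prog"] == "su":
            m = FAILED_SU_RE.search(msg)
            if m:
                findings.append(("failed-su", m["user"], m["target"]))
            elif "session opened for user root" in msg:
                findings.append(("su-to-root", msg))
    return findings


# Constructed sample lines in /var/log/secure style (not from a real host).
SAMPLE_SECURE = """\
Nov 13 03:12:01 web1 sshd[2211]: Failed password for root from 203.0.113.9 port 51822 ssh2
Nov 13 03:12:09 web1 sshd[2214]: Failed password for invalid user admin from 203.0.113.9 port 51824 ssh2
Nov 13 03:12:18 web1 sshd[2217]: Failed password for root from 203.0.113.9 port 51826 ssh2
Nov 13 03:12:40 web1 sshd[2220]: Accepted password for root from 203.0.113.9 port 51830 ssh2
Nov 13 03:13:30 web1 su: FAILED SU (to root) bob on pts/1
Nov 13 03:14:02 web1 su: pam_unix(su-l:session): session opened for user root by alice(uid=1000)
Nov 13 09:05:11 web1 sshd[2400]: Accepted publickey for alice from 10.0.0.5 port 40000 ssh2
Nov 13 14:20:33 web1 sshd[2655]: Accepted publickey for alice from 198.51.100.4 port 40122 ssh2
""".splitlines()


def audit_sample():
    return audit(SAMPLE_SECURE)


if __name__ == "__main__":
    # For a live system: audit(open("/var/log/secure").read().splitlines())
    for finding in audit_sample():
        print(*finding)
```

The single most telling pattern here is a successful login from an address that had just been failing: on its own each line looks routine, which is why the article stresses reading the logs together rather than entry by entry. Tune failure_threshold and quiet_hours to your environment, and seed usual_ip from historical data instead of the first line seen before relying on the new-source-ip check.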
That concludes this overview of the important log files under Linux and how to view them. I hope it is of some help; if you found the article useful, share it so that more people can see it.
© 2024 shulou.com SLNews company. All rights reserved.