Shulou(Shulou.com)06/01 Report--

This article mainly introduces "what are the commonly used log files and commands in Linux". In daily operation, I believe that many people have doubts about the commonly used log files and commands in Linux. The editor consulted all kinds of materials and sorted out simple and easy-to-use methods of operation. I hope it will be helpful to answer the doubts about "what are the commonly used log files and commands in Linux". Next, please follow the editor to study!

One of the keys to successfully managing any system is to know what is going on in the system. Exception logs are provided in Linux, and the log details are configurable. Linux logs are stored in clear text, so users can search and read them without special tools. You can also write scripts to scan these logs and automate some functions based on their contents. Linux logs are stored in the / var/log directory. There are several log files maintained by the system, but other services and programs may also keep their logs here. Most logs can only be read by root accounts, but changing the access permissions of the files can make them readable to others.

Log files commonly used in RedHat Linux

The common log files for RedHat Linux are described in detail as follows

/ var/log/boot.log

This file records the events that occur during the boot process of the system, which is the information displayed during post of the Linux system.

/ var/log/cron

This log file records the actions of the child processes derived from the crontab daemon crond, preceded by the user, login time, and PID, as well as the actions of the derived processes. One of the actions of CMD is a common situation in which cron derives a scheduling process. The REPLACE (replace) action records the user's update to its cron file, which lists the task schedules to be executed periodically. The RELOAD action occurs shortly after the REPLACE action, which means that cron notices that a user's cron file has been updated and cron needs to reload it into memory. The document may find some anomalies.

/ var/log/maillog

This log file records every activity of e-mail sent to or from the system. It can be used to see which system the user uses to send tools or which system to send data to. Here is a snippet of the log file:

Sep 4 17:23:52 UNIX sendmail [1950]: g849Npp01950: from=root, size=25, class=0, nrcpts=1, msgid=,relay=root@localhostSep 4 17:23:55 UNIX sendmail [1950]: g849Npp01950: to=lzy@fcceec.net, ctladdr=root (0Unip 0), delay=00:00:04, xdelay=00:00:03, mailer=esmtp, pri=30025, relay=fcceec.net. [10.152.8.2], dsn=2.0.0, stat=Sent (Message queued) / var/log/messages

This log file is a summary of many process log files, from which you can see any attempted or successful intrusion. Such as the following lines:

Sep 3 08:30:17 UNIX login [1275]: FAILED LOGIN 2 FROM (null) FOR suying, Authentication failureSep 4 17:40:28 UNIX-suying [2017]: LOGIN ON pts/1 BY suying FROMfcceec.www.ec8.pfcc.com.cnSep 4 17:40:39 UNIX su (pam_unix) [2048]: session opened for user root by suying (uid=999)

The format of the file is that each line contains the date, hostname, program name, followed by square brackets containing the PID or kernel identity, a colon, a space, and finally a message. One deficiency of this document is that the recorded intrusion attempts and successful intrusions are submerged in a large number of records of normal processes. But this file can be customized by the / etc/syslog file. The / etc/syslog.conf configuration file determines how the system writes to / var/messages. How to configure the / etc/syslog.conf file to determine the behavior of system logging is described in more detail later.

/ var/log/syslog

The default RedHat Linux does not generate the log file, but you can configure / etc/syslog.conf to have the system generate the log file. Unlike the / etc/log/messages log file, it only records warnings, often information about problems with the system, so you should pay more attention to this file. To allow the system to generate the log file, add: * .warning / var/log/syslog to the / etc/syslog.conf file. This log file can record the wrong password recorded by login when the user logs in, the problem with Sendmail, the failure to execute the su command, and so on. Here is a record:

Sep 6 16:47:52 UNIX login (pam_unix) [2384]: check pass; user unknown/var/log/secure this log file records security-related information. Part of the log file is as follows: Sep 4 16:05:09 UNIX xinetd [711]: START: ftp pid=1815 from=127.0.0.1Sep 4 16:05:09 UNIX xinetd [1815]: USERID: ftp OTHER: rootSep 4 16:07:24 UNIX xinetd [711]: EXIT: ftp pid=1815 duration=135 (sec) Sep 4 16:10:05 UNIX xinetd [711]: START: ftp pid=1846 from=127.0.0.1Sep 4 16:10:05 UNIX xinetd [1846]: USERID: ftp OTHER: rootSep 4 16: 16:26 UNIX xinetd: EXIT: ftp pid=1846 duration=381 (sec) Sep 4 17:40:20 UNIX xinetd: START: telnet pid=2016 from=10.152.8.2/var/log/lastlog

This log file records the most recent successful login event and the last unsuccessful login event, which is generated by login. Queried each time the user logs in, the file is binary and needs to be viewed using the lastlog command, showing the login name, port number, and last login time according to UID sorting. If a user has never logged in, it is displayed as "* * Never logged in**". This command can only be executed with root privileges. Simply enter the lastlog command and you will see information similar to the following:

Username Port From Latestroot tty2 Tue Sep 3 08:32:27 + 0800 2002bin * * Never logged in**daemon * * Never logged in**adm * * Never logged in**lp * Never logged in**sync * * Never logged in**shutdown * * Never logged in**halt * * Never logged In**mail * Never logged in**news * * Never logged in**uucp * * Never logged in**operator * * Never logged in**games * * Never logged in**gopher * * Never logged in**ftp ftp UNIX Tue Sep 3 14:49:04 + 0800 2002nobody * * Never logged in**nscd * * Never logged in**mailnull * Never logged in**ident * * Never logged in**rpc * * Never logged in**rpcuser * * Never logged in**xfs * * Never logged in**gdm * Never logged in**postgres * * Never logged in**apache * * Never logged in**lzy tty2 Mon Jul 15 08:50:37 + 0800 2002suying tty2 Tue Sep 3 08:31:17 + 0800 2002

System accounts such as bin, daemon, adm, uucp, mail, etc., should never be logged in. If these accounts are found to have been logged in, the system may have been compromised. If it is found that the recorded time is not the last time the user logged in, the user's account has been compromised.

/ var/log/wtmp

The log file permanently records the events of login, logout, startup and downtime of each user. Therefore, with the increase of system uptime, the size of the file will become larger and larger, and the speed of increase depends on the number of times the system user logs in. The log file can be used to view the user's login records, and the last command obtains this information by accessing the file and displays the user's login records from back to front in reverse order, and last can also display the corresponding records according to the user, terminal tty or time.

The command last has two optional parameters:

The last-u user name shows the user's last login.

Last-t days displays user logins before the specified number of days.

/ var/run/utmp

The log file records information about each user who is currently logged in. Therefore, this file will change as the user logs in and out of the system, and it only keeps the user record online at that time, not the permanent record for the user. Programs in the system that need to query the current user status, such as who, w, users, finger, etc., need to access this file. The log file does not contain all the accurate information because some sudden errors terminate the user's login session and the system does not update the utmp record in a timely manner, so the record of the log file is not 100% trustworthy.

The three files mentioned above (/ var/log/wtmp, / var/run/utmp, / var/log/lastlog) are key files in the log subsystem, all of which record user logins. All records of these files contain timestamps. These files are saved in binary, so you can't view them directly with commands such as less, cat, and so on. Instead, you need to use related commands to view them. Among them, the data structures of utmp and wtmp files are the same, while lastlog files use other data structures, and the specific data structures about them can be queried using the man command.

Each time a user logs in, the login program looks at the user's UID in the file lastlog. If it exists, the user's last login, logout time, and hostname are written to standard output, and then the login program records the new login time in lastlog, opens the utmp file, and inserts the user's utmp record. The record is used until the user logs in and exits. Utmp files are used by a variety of commands, including who, w, users, and finger.

Next, the login program opens the file wtmp to attach the user's utmp record. When the user logs in and exits, the same utmp record with the update timestamp is appended to the file. The wtmp file is used by the program last.

/ var/log/xferlog

This log file records the FTP session and shows what files the user copied to or from the FTP server. The file shows the malicious programs that the user copied to the server to invade the server, and which files the user copied for his use.

The format of the file is: the first domain is the date and time, and the second domain is the number of seconds it took to download the file, remote system name, file size, local pathname, transfer type (aburete ASCII tar b: binary), compression-related flag or tar, or "_" (if there is no compression), transfer direction (relative to the server: I represents in, o represents out), access mode (a: anonymous) G: enter the password, r: real user), user name, service name (usually ftp), authentication method (l:RFC931, or 0), authentication user's ID or "*". Here is a record of the file:

Wed Sep 4 08:14:03 2002 1 UNIX 275531 / var/ftp/lib/libnss_files-2.2.2.so bo a-root@UNIX ftp 0 * c/var/log/kernlog

RedHat Linux does not record the log file by default. To enable the log file, you must add a line to the / etc/syslog.conf file: kern.* / var/log/kernlog. This enables the ability to log all kernel messages to the / var/log/kernlog file. This file records how the device is loaded or used when the system starts. It is generally a normal operation, but if these operations are recorded by unauthorized users, be careful, because it is possible that this is the behavior of malicious users. Here is part of the file:

Sep 5 09:38:42 UNIX kernel: NET4: Linux TCP/IP 1.0 for NET4.0 Sep 5 09:38:42 UNIX kernel: IP Protocols: ICMP, UDP, TCP, IGMPSep 5 09:38:42 UNIX kernel: IP: routing cache hash table of 512 buckets 4KbytesSep 5 09:38:43 UNIX kernel: TCP: Hash tables configured (established 4096 bind 4096) Sep 5 09:38:43 UNIX kernel: Linux IP multicast router 0.06 plus PIM-SMSep 5 09:38:43 UNIX kernel: NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.Sep 5 09:38:44 UNIX kernel: EXT2-fs warning: checktime reached Running e2fsck is recommendedSep 5 09:38:44 UNIX kernel: VFS: Mounted root (ext2 filesystem). Sep 5 09:38:44 UNIX kernel: SCSI subsystem driver Revision: 1.00/var/log/Xfree86.x.log

This log file records the startup of X-Window. In addition, in addition to / var/log/, malicious users may also leave traces in other places, so you should pay attention to the following places: shell history files of root and other accounts; various mailboxes of users, such as. Sent, mbox, and mailboxes stored in / var/spool/mail/ and / var/spool/mqueue; temporary files / tmp, / usr/tmp, / var/tmp; hidden directories Files created by other malicious users, usually with "." Files with hidden attributes at the beginning, etc.

Specific command

Wtmp and utmp files are binaries, and they cannot be cut, pasted or merged by commands such as tail (using the cat command). Users need to use commands such as who, w, users, last, and ac to use the information contained in these two files.

Who command

The who command queries the utmp file and reports on each user who is currently logged in. The default output of who includes user name, terminal type, login date, and remote host. For example, type the who command, and then press enter, which displays something like this:

Chyang pts/0 Aug 18 15:06 ynguo pts/2 Aug 18 15:32 ynguo pts/3 Aug 18 13:55 lewis pts/4 Aug 18 13:35 ynguo pts/7 Aug 18 14:12 ylou pts/8 Aug 18 14:15

If the wtmp file name is specified, the who command queries all previous records. The command who / var/log/wtmp reports every login since the wtmp file was created or deleted.

W command

The w command queries the utmp file and displays information about each user in the current system and the processes it is running. For example, type the w command, and then press enter, which displays something like this:

3:36pm up 1 day, 22:34, 6 users, load average: 0.23, 0.29 0.27 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT chyang pts/0 202.38.68.242 3:06pm 2:04 0.08s 0.04s-bash ynguo pts/2 202.38.79.47 3:32pm 0.00s 0.14s 0.05 w lewis pts/3 202.38.64.233 1:55pm 30:39 0.27s 0.22s-bash lewis pts/4 202.38.64.233 1:35pm 6.00s 4.03s 0.01s sh / home/users/ ynguo pts/7 simba .nic.ustc.e 2:12pm 0.00s 0.47s 0.24s telnet mail ylou pts/8 202.38.64.235 2:15pm 1VR 09m 0.10s 0.04s-bash

Users command

The users command prints out the currently logged-in user on a separate line, with each displayed user name corresponding to a login session. If a user has more than one login session, his user name will be displayed the same number of times. For example, type the users command, and then press enter, which displays something like this:

Chyang lewis lewis ylou ynguo ynguo

Last command

The last command searches back for wtmp to show users who have logged in since the file was first created. For example:

Chyang pts/9 202.38.68.242 Tue Aug 1 08:34-11:23 (02:49) cfan pts/6 202.38.64.224 Tue Aug 1 08:33-08:48 (00:14) chyang pts/4 202.38.68.242 Tue Aug 1 08:32-12 Tue Aug 13 (03cfan pts/6 40) lewis pts/3 202.38.64.233 Tue Aug 1 08 chyang pts/9 06-1109 (03Ze3) lewis pts/2 202.38.64.233 Tue Aug 1 07 Tue Aug 56-1109 (03cfan pts/6 12)

If a user is specified, last reports only the user's recent activity. For example, typing the last ynguo command and then pressing enter will display something like this:

Ynguo pts/4 simba.nic.ustc.e Fri Aug 4 16:50-08:20 (15:30) ynguo pts/4 simba.nic.ustc.e Thu Aug 3 23:55-04:40 (04:44) ynguo pts/11 simba.nic.ustc.e Thu Aug 3 20:45-22 ynguo pts/11 simba.nic.ustc.e Thu Aug 02 (01 ynguo pts/0 simba.nic.ustc.e Thu Aug 16) ynguo pts/0 simba.nic.ustc.e Thu Aug 3 03 ynguo pts/11 simba.nic.ustc.e Thu Aug 17-05 ynguo pts/4 simba.nic.ustc.e Fri Aug 42 (02) ynguo pts/0 simba.nic.ustc.e Wed Aug 2 01: 04-03:16 02 12) ynguo pts/0 simba.nic.ustc.e Wed Aug 2 00:43-00:54 (00:11) ynguo pts/9 simba.nic.ustc.e Thu Aug 1 20:30-21:26 (0015)

Ac command

The ac command reports the time (hours) of the user connection based on the login entry and exit in the current / var/log/wtmp file, and the total time if no flag is used. For example, type the ac command, and then press enter, which displays something like this:

Total 5177.47

Typing the ac-d command, and then pressing enter, will display the total connection time for each day:

Aug 12 total 261.87 Aug 13 total 351.39 Aug 14 total 396.09 Aug 15 total 462.63 Aug 16 total 270.45 Aug 17 total 104.29 Today total 179.02

Typing the ac-p command, and then pressing enter, displays the total connection time for each user:

Ynguo 193.23 yucao 3.35 rong 133.40 hdai 10.52 zjzhu 52.87 zqzhou 13.14 liangliu 24.34 total 5178.24

Lastlog command

The lastlog file is queried every time a user logs in. You can use the lastlog command to check when a particular user last logged in and format the contents of the last login log / var/log/lastlog output. It displays the login name, port number (tty), and last login time, sorted by UID. If a user has never logged in, lastlog displays * * Never logged**. Note that you need to run the command as root, for example:

Rong 5 202.38.64.187 Fri Aug 18 15:57:01 + 0800 2000 dbb * * Never logged in** xinchen * * Never logged in** pb9511 * * Never logged in** xchen 0 202.38.64.190 Sun Aug 13 10:01:22 + 0800 2000

In addition, some parameters can be added, for example, the "last-u 102" command will report users with a UID of 102, and the "last-t 7" command will be limited to the previous week's report.

Process statistics

UNIX can track every command that each user runs, and if you want to know which important files were messed up last night, the process statistics subsystem can tell you. It's also helpful in tracking an intruder. Unlike the connection time log, the process statistics subsystem is not activated by default and must be started. Start the process statistics in the Linux system using the accton command, which must be run as root. The accton command takes the form that accton file,file must exist beforehand. Use the touch command to create the pacct file: touch / var/log/pacct, and then run accton:accton / var/log/pacct. Once accton is activated, you can use the lastcomm command to monitor commands executed at any time in the system. To turn off statistics, you can use the accton command without any parameters.

The lastcomm command reports files that were previously executed. Without parameters, the lastcomm command displays information about all commands recorded during the current statistics file life cycle. Includes the command name, user, tty, CPU time spent by the command, and a timestamp. If the system has many users, the input can be long. Look at the following example:

Crond F root?? 0.00 secs Sun Aug 20 00:16 promisc_check.s S root?? 0.04 secs Sun Aug 20 00:16 promisc_check root?? 0.01 secs Sun Aug 20 00:16 grep root?? 0.02 secs Sun Aug 20 00:16 tail root?? 0.01 secs Sun Aug 20 00:16 sh root?? 0.01 secs Sun Aug 20 00:15 ping S root?? 0.01 secs Sun Aug 20 00:15 ping6.pl F root?? 0.01 secs Sun Aug 20 00:15 sh root?? 0.01 secs Sun Aug 20 00:15 ping S root?? 0.02 secs Sun Aug 20 00:15 ping6.pl F root?? 0.02 secs Sun Aug 20 00:15 sh root?? 0.02 secs Sun Aug 20 00:15 ping S root?? 0.00 secs Sun Aug 20 00:15 ping6.pl F root?? 0.01 secs Sun Aug 20 00:15 sh root?? 0.01 secs Sun Aug 20 00:15 ping S root?? 0.01 secs Sun Aug 20 00:15 sh root?? 0.02 secs Sun Aug 20 00:15 ping S root?? 1.34 secs Sun Aug 20 00:15 locate root ttyp0 1.34 secs Sun Aug 20 00:15 accton S root ttyp0 0.00 secs Sun Aug 20 00:15

One problem with process statistics is that pacct files can grow very rapidly. At this point, you need to run the sa command interactively or through the cron mechanism to ensure that the log data is under system control. The sa command reports, cleans, and maintains process statistics files. It can compress the information in / var/log/pacct into summary files / var/log/savacct and / var/log/usracct. These summaries contain system statistics classified by command name and user name. By default, sa reads them first, and then the pacct file, so that the report contains all the available information. The output of sa has the following tag entries.

Avio: the average number of iUnip O operations performed each time.

Cp: the sum of user and system time in minutes.

Cpu: same as cp.

K: the average CPU time used by the kernel in 1k.

K*sec:CPU storage integrity in 1k-core seconds.

Re: real-time time in minutes.

S: system time, in minutes.

The total number of tio:I/O operations.

U: user time, in minutes.

For example:

842 173.26re 4.30cp 0avio 358k 2 10.98re 4.06cp 0avio 299k find 9 24.80re 0.05cp 0avio 291k * other 105 30.44re 0.03cp 0avio 302k ping 104 30.55re 0.03cp 0avio 394k sh 162 0.11re 0.03cp 0avio 413k security.sh* 154 0.03re 0.02cp 0avio 273k ls 56 31.61re 0.02cp 0avio 823k ping6.pl* 2 3.23re 0.02cp 0avio 822k ping6.pl 35 0.02re 0.01cp 0avio 257k md5sum 97 0.02re 0.01cp 0avio 263k initlog 12 0.19re 0.01cp 0avio 399k promisc_check.s 15 0.09re 0.00cp 0avio 288k grep 11 0.08re 0.00cp 0avio 332k awk

The user can also provide a summary report based on the user rather than the command. For example, type the command "sa-m" and the following will appear:

885 173.28re 4.31cp 0avk root 879 173.23re 4.31cp 0avk alias 3 0.05re 0.00cp 0avk qmailp 3 0.01re 0.00cp 0avk

Syslog equipment

Syslog has been adopted by many logging functions and is used in many protection measures. Any program can log events through syslog. Syslog can record system events, write to a file or device, or send a message to the user. It can record local events or events on another host over the network.

Syslog devices are based on two important files: / etc/syslogd (daemon) and / etc/syslog.conf configuration file. Traditionally, most syslog information is written to an information file (messages.*) in the / var/adm or / var/log directory. A typical syslog record includes the name of the generator and a text message. It also includes a device and a priority range (but does not appear in the log).

Each syslog message is assigned one of the following main devices:

LOG_AUTH: authentication system login, su, getty, etc. LOG_AUTHPRIV: same as LOG_AUTH, but only log in to a single user-readable file of your choice. LOG_CRON:cron daemon. LOG_DAEMON: other system daemons, such as routed. LOG_FTP: file transfer protocols ftpd, tftpd. LOG_KERN: messages generated by the kernel. LOG_LPR: system printer buffer pool lpr, lpd. LOG_MAIL: e-mail system. LOG_NEWS: network news system. LOG_SYSLOG: an internal message generated by syslogd (8). LOG_USER: messages generated by random user processes. LOG_UUCP:UUCP subsystem. LOG_LOCAL0~LOG_LOCAL7: reserved for local use. Syslog assigns several different priorities to each event: LOG_EMERG: emergency. LOG_ALERT: problems that should be corrected immediately, such as system database corruption. LOG_CRIT: important situations, such as hard drive errors. LOG_ERR: error. LOG_WARNING: warning message. LOG_NOTICE: it's not an error condition, but it may need to be handled. LOG_INFO: intelligence information. LOG_DEBUG: information containing intelligence, usually used only when debugging a program.

The syslog.conf file indicates the logging behavior of the syslogd program, which queries the configuration file at startup. The file consists of individual entries classified by different programs or messages, each on a single line. A selection field and an action field are provided for each type of message. These fields are separated by tabs: the selection field indicates the type and priority of the message; the action field indicates the action that syslogd takes when it receives a message that matches the selection criteria. Each option is made up of devices and priorities. When a priority is specified, syslogd logs a message with the same or higher priority. So if you specify "crit", all messages marked crit, alert, and emerg will be logged. The action field of each row indicates where to send a given message after the selected domain has been selected. For example, if you want to log all mail messages to one file, as follows:

# Log all the mail messages in one place mail.* / var/log/maillog

Other devices also have their own logs. UUCP and news devices can generate many external messages. It stores these messages in its own log (/ var/log/spooler) and limits the level to "err" or higher. For example:

# Save mail and news errors of level err and higher in aspecial file. Uucp,news.crit / var/log/spooler

When an urgent message arrives, you may want all users to get it, or you may want your log to be received and saved:

# Everybody gets emergency messages, plus log them on anther machine * .emerg * * .emerg @ linuxaid.com.cn

Alert messages should be written to the personal accounts of root and tiger:

# Root and Tiger get alert and higher messages * .alert root,tiger

Sometimes syslogd will generate a large number of messages. For example, the kernel ("kernel" device) can be verbose. Users may want to log kernel messages to / dev/console. The following example shows that kernel logging is commented out:

# Log all kernel messages to the console # Logging much else clutters up the screen # kern.* / dev/console

The user can specify all the devices in one line. The following example sends info or higher-level messages to / var/log/messages, except for mail. Level "none" forbids a device:

# Log anything (except mail) of level info or higher # Don't log private authentication messages! * .info:mail.none;authpriv.none / var/log/messages

In some cases, the log can be sent to the printer, so it is useless for the network intruder to modify the log. It is usually necessary to keep an extensive log. The syslog device is a prominent target of an attacker. A system that maintains logs for other hosts is particularly vulnerable to server attacks, so pay special attention.

There is a small command logger that provides a shell command interface for syslog (3) Syslog files to enable users to create entries in log files.

Usage: logger

For example: logger This is a test!

It will produce the following syslog record: Aug 19 22:22:34 tiger: This is a test!

Be careful not to trust the log completely, because it is easy for an attacker to modify it.

Program log and other

Many programs reflect the security status of the system by maintaining logs. The su command allows the user to gain the privileges of another user, so its security is important, and its log file is sulog. The same goes for sudolog. In addition, people like Apache have two logs: access_log and error_log. There are some other commonly used logging tools, we will not elaborate on them one by one, interested readers can refer to the following URL.

Chklastlog:

Ftp://coast.cs.purdue.edu/pub/tools/unix/chklastlog/

Chkwtmp:

Ftp://coast.cs.purdue.edu/pub/tools/unix/chkwtmp/

Dump_lastlog:

Ftp://coast.cs.purdue.edu/pub/tools/unix/dump_lastlog.Z

Spar:

Ftp://coast.cs.purdue.edu/pub/tools/unix/TAMU/

Swatch:

Http://www.lomar.org/komar/alek/pres/swatch/cover.html

Zap:

Ftp://caost.cs.purdue.edu/pub/tools/unix/zap.tar.gz

Log classification method:

Http://csrc.nist.gov/nissc/1998/proceedings/paperD1.pdf

At this point, the study on "what are the commonly used log files and commands in Linux" is over. I hope to be able to solve your doubts. The collocation of theory and practice can better help you learn, go and try it! If you want to continue to learn more related knowledge, please continue to follow the website, the editor will continue to work hard to bring you more practical articles!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.