2025-02-14 Update From: SLTechnology News&Howtos > Servers
Shulou(Shulou.com)06/01 Report--
This article explains what Linux system log management is. The methods introduced are simple, fast and practical, so let's look at "what is Linux system log management".
Logs are very important for security: they record everything that happens on the system each day, and you can use them to find the cause of an error or the traces an attacker left behind during an attack. The main functions of a log are auditing and monitoring. Logs can also be used to monitor the status of the system in real time and to monitor and track intruders.
In a Linux system there are three main logging subsystems:
Connection time logs: maintained by several programs, which write records to files such as /var/log/wtmp and /var/run/utmp. login updates the wtmp and utmp files, allowing the system administrator to track who logged in to the system and when.
Process statistics (process accounting): performed by the system kernel. When a process terminates, the kernel writes one record per process to the process accounting file (pacct or acct). The purpose of process accounting is to provide command usage statistics for the basic services in the system.
Error logs: handled by syslogd(8). Various system daemons, user programs and the kernel report noteworthy events through syslog(3) to the file /var/log/messages. Many other UNIX programs also create their own logs, and servers that provide network services such as HTTP and FTP keep detailed logs as well.
Common log files are as follows:
access-log: records HTTP/web transfers
acct/pacct: records user commands
aculog: records MODEM activity
btmp: records failed logins
lastlog: records each user's most recent successful login and last unsuccessful login
messages: records information from syslog (some systems link it to the syslog file)
sudolog: records commands issued through sudo
sulog: records use of the su command
syslog: records information from syslog (usually linked to the messages file)
utmp: records each user currently logged in
wtmp: a permanent record of each user's login and logout times
xferlog: records FTP sessions
The utmp, wtmp and lastlog files are the key to most UNIX logging subsystems: they keep the records of user logins and logouts. Information about the currently logged-in users is recorded in the file utmp; logins and logouts are recorded in the file wtmp; and the last-login file can be viewed with the lastlog command. Data exchange, shutdown and restart events are also recorded in the wtmp file. All records contain a timestamp. On systems with many users these files (lastlog is usually small) grow rapidly; for example, wtmp can grow without limit unless it is truncated regularly. Many systems configure wtmp to be recycled daily or weekly, usually by a script run from cron. These scripts rename and recycle the wtmp file: at the end of the first day wtmp is renamed wtmp.1, then wtmp.1 becomes wtmp.2, and so on up to wtmp.7.
Each time a user logs in, the login program looks up the user's UID in the file lastlog. If it is found, the user's last login time, logout time and host name are written to standard output, and login then records the new login time in lastlog. After the new lastlog record is written, the utmp file is opened and the user's utmp record is inserted; that record remains until the user logs out. The utmp file is used by various commands, including who, w, users, and finger.
Next, the login program opens the file wtmp and appends the user's utmp record to it. When the user logs out, the same utmp record, with an updated timestamp, is appended to the file again. The wtmp file is used by the programs last and ac.
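The daily wtmp recycling described above, written out as a POSIX sh function. This is an added example, not a script from the original article: the file names and the depth of seven generations follow the text, while the directory argument is an assumption so the function can be exercised on a scratch directory before it is pointed at /var/log.

```shell
#!/bin/sh
# Added example (not from the original article): a cron-style rotation of the
# wtmp file as the text describes. wtmp becomes wtmp.1, wtmp.1 becomes wtmp.2,
# and so on up to wtmp.7, whose previous contents are discarded.
# The directory argument is an assumption made for this demonstration.

# rotate_wtmp DIR [DEPTH]
rotate_wtmp() {
    dir=$1
    depth=${2:-7}
    i=$depth
    # Shift the oldest copies first so that nothing is overwritten too early.
    while [ "$i" -gt 1 ]; do
        prev=$((i - 1))
        if [ -f "$dir/wtmp.$prev" ]; then
            mv "$dir/wtmp.$prev" "$dir/wtmp.$i"
        fi
        i=$prev
    done
    if [ -f "$dir/wtmp" ]; then
        mv "$dir/wtmp" "$dir/wtmp.1"
    fi
    # Start a fresh, empty wtmp for login/init to append to. Keep it
    # non-writable by ordinary users so they cannot edit the login history.
    : > "$dir/wtmp"
    chmod 664 "$dir/wtmp"
}

# wtmp_generations DIR: list the copies that currently exist, newest first,
# so an administrator can see how far back `last -f DIR/wtmp.N` can go.
wtmp_generations() {
    dir=$1
    for f in "$dir"/wtmp "$dir"/wtmp.[1-9]; do
        if [ -f "$f" ]; then
            basename "$f"
        fi
    done | LC_ALL=C sort -t. -k2,2n
}

# Usage from a nightly cron job (as root):  rotate_wtmp /var/log
# The previous day's records are then read with:  last -f /var/log/wtmp.1
```

Because the rotation is a plain rename, `last -f /var/log/wtmp.1` still reads the previous day's records; only the copy pushed past wtmp.7 is lost, which is the retention limit the article describes.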
Specific commands
The wtmp and utmp files are binary, so they cannot be viewed or concatenated with commands such as tail or cat. Users need who, w, users, last, and ac to make use of the information in these two files.
who: the who command queries the utmp file and reports every user currently logged in. The default output of who includes the user name, terminal, login time, and remote host. For example, running who displays:
chyang pts/0 Aug 18 15:06
ynguo pts/2 Aug 18 15:32
ynguo pts/3 Aug 18 13:55
lewis pts/4 Aug 18 13:35
ynguo pts/7 Aug 18 14:12
ylou pts/8 Aug 18 14:15
If a wtmp file name is given, the who command reports all previous records instead: who /var/log/wtmp reports every login since the wtmp file was created or last truncated.
w: the w command queries the utmp file and displays information about each user in the current system and the processes they are running. For example, running w displays:
3:36pm up 1 day, 22:34, 6 users, load average: 0.23, 0.29, 0.27
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
chyang pts/0 202.38.68.242 3:06pm 2:04 0.08s 0.04s -bash
ynguo pts/2 202.38.79.47 3:32pm 0.00s 0.14s 0.05s w
lewis pts/3 202.38.64.233 1:55pm 30:39 0.27s 0.22s -bash
lewis pts/4 202.38.64.233 1:35pm 6.00s 4.03s 0.01s sh /home/users/
ynguo pts/7 simba.nic.ustc.e 2:12pm 0.00s 0.47s 0.24s telnet mail
ylou pts/8 202.38.64.235 2:15pm 1:09m 0.10s 0.04s -bash
users: the users command prints the currently logged-in users on a single line, one name per login session. If a user has more than one login session, the name is shown that many times. For example, running users displays: chyang lewis lewis ylou ynguo ynguo
last: the last command searches backwards through wtmp and shows the users who have logged in since the file was created. For example:
chyang pts/9 202.38.68.242 Tue Aug 1 08:34-11:23 (02:49)
cfan pts/6 202.38.64.224 Tue Aug 1 08:33-08:48 (00:14)
chyang pts/4 202.38.68.242 Tue Aug 1 08:32-12:13 (03:40)
lewis pts/3 202.38.64.233 Tue Aug 1 08:06-11:09 (03:03)
lewis pts/2 202.38.64.233 Tue Aug 1 07:56-11:09 (03:12)
If a user name is given, last reports only that user's recent activity. For example, last ynguo displays:
ynguo pts/4 simba.nic.ustc.e Fri Aug 4 16:50-08:20 (15:30)
ynguo pts/4 simba.nic.ustc.e Thu Aug 3 23:55-04:40 (04:44)
ynguo pts/11 simba.nic.ustc.e Thu Aug 3 20:45-22:02 (01:16)
ynguo pts/0 simba.nic.ustc.e Thu Aug 3 03:17-05:42 (02:25)
ynguo pts/0 simba.nic.ustc.e Wed Aug 2 01:04-03:16 (02:12)
ynguo pts/0 simba.nic.ustc.e Wed Aug 2 00:43-00:54 (00:11)
ynguo pts/9 simba.nic.ustc.e Thu Aug 1 20:30-21:26 (00:55)
ac: the ac command reports users' connection time in hours, based on the logins and logouts in the current /var/log/wtmp file; without any flag it reports only the total. For example, running ac displays: total 5177.47
ac -d displays the total connection time per day:
Aug 12 total 261.87
Aug 13 total 351.39
Aug 14 total 396.09
Aug 15 total 462.63
Aug 16 total 270.45
Aug 17 total 104.29
Today total 179.02
ac -p displays the total connection time for each user:
ynguo 193.23
yucao 3.35
rong 133.40
hdai 10.52
zjzhu 52.87
zqzhou 13.14
liangliu 24.34
total 5178.24
lastlog: the lastlog file is queried every time a user logs in. You can use the lastlog command to check when a particular user last logged in, and to format the contents of the last-login log /var/log/lastlog for output. It displays the login name, port (tty), and last login time, sorted by UID. If a user has never logged in, lastlog prints **Never logged in**. Note that the command needs to be run as root. For example:
rong 5 202.38.64.187 Fri Aug 18 15:57:01 +0800 2000
dbb **Never logged in**
xinchen **Never logged in**
pb9511 **Never logged in**
xchen 0 202.38.64.190 Sun Aug 13 10:01:22 +0800 2000
In addition, options can be added: for example, lastlog -u 102 reports the user with UID 102, and lastlog -t 7 limits the report to the previous week.
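The commands above only display records; the next step for an administrator is to ask questions of them. The following added example (not part of the original article) reads `last`-style lines and answers two such questions: how much connection time each user accumulated, the way ac -p does, and which remote sessions came from a host outside an expected address range. The sample lines are constructed in the layout that `last` prints, and the "allowed prefix" policy is an assumption made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): two small filters over the
# output of `last`. The sample lines below are constructed in the format
# `last` prints; the allowed host prefix is an assumed local policy.

# last_minutes: read `last`-style lines on stdin and print the total
# connection minutes per user (one "user minutes" line each, sorted by user).
# Durations look like (HH:MM) or (D+HH:MM); lines without a duration
# ("still logged in", "gone - no logout", the "wtmp begins" trailer) are skipped.
last_minutes() {
    awk '
    $NF ~ /^\([0-9+:]+\)$/ {
        d = $NF; gsub(/[()]/, "", d)
        days = 0
        if (index(d, "+") > 0) { split(d, p, "+"); days = p[1]; d = p[2] }
        split(d, hm, ":")
        mins[$1] += days * 1440 + hm[1] * 60 + hm[2]
    }
    END { for (u in mins) print u, mins[u] }' | LC_ALL=C sort
}

# last_foreign_hosts PREFIX: print "user host mon day time" for every remote
# session whose origin host does not start with PREFIX. Only lines whose
# fourth field is a weekday are considered, because console logins have no
# host column and would otherwise be misread.
last_foreign_hosts() {
    awk -v allow="$1" '
    $4 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ && index($3, allow) != 1 {
        print $1, $3, $5, $6, $7
    }'
}

# Constructed sample in the layout of `last` (not real data).
SAMPLE_LAST='chyang   pts/9        202.38.68.242    Tue Aug  1 08:34 - 11:23  (02:49)
cfan     pts/6        202.38.64.224    Tue Aug  1 08:33 - 08:48  (00:14)
chyang   pts/4        202.38.68.242    Tue Aug  1 08:32 - 12:13  (03:40)
lewis    pts/3        202.38.64.233    Tue Aug  1 08:06 - 11:09  (03:03)
lewis    pts/2        198.51.100.7     Mon Jul 31 22:10 - 01:22  (1+03:12)
ynguo    pts/0        202.38.64.200    Tue Aug  1 13:00   still logged in

wtmp begins Mon Jul 31 00:00:01 2000'

# Usage on a live system:  last | last_minutes   and   last | last_foreign_hosts 202.38.
printf '%s\n' "$SAMPLE_LAST" | last_minutes
printf '%s\n' "$SAMPLE_LAST" | last_foreign_hosts 202.38.
```

On the sample, last_minutes credits lewis with 1815 minutes because one of his sessions spans a day boundary, which `last` reports in the D+HH:MM form; a filter that only parsed HH:MM would silently under-count exactly the long sessions an auditor should look at.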
Process statistics
UNIX can track every command that each user runs. If you want to know which important files were tampered with last night, the process accounting subsystem can tell you, and it helps to track an intruder. Unlike the connection time logs, the process accounting subsystem is not active by default and must be started explicitly. On Linux, process accounting is started with the accton command, which must be run as root. The command takes the form accton file, and file must already exist, so first create the pacct file with touch: touch /var/log/pacct, and then run accton: accton /var/log/pacct. Once accton is active, you can use the lastcomm command to monitor any command executed on the system. To turn accounting off, run the accton command without any parameters.
The lastcomm command reports on previously executed commands. Without parameters, lastcomm displays information about every command recorded during the lifetime of the current accounting file, including the command name, flags, user, tty, CPU time used by the command, and a timestamp. If the system has many users, the output can be long. Here is an example:
crond F root ?? 0.00 secs Sun Aug 20 00:16
promisc_check.s S root ?? 0.04 secs Sun Aug 20 00:16
promisc_check root ?? 0.01 secs Sun Aug 20 00:16
grep root ?? 0.02 secs Sun Aug 20 00:16
tail root ?? 0.01 secs Sun Aug 20 00:16
sh root ?? 0.01 secs Sun Aug 20 00:15
ping S root ?? 0.01 secs Sun Aug 20 00:15
ping6.pl F root ?? 0.01 secs Sun Aug 20 00:15
sh root ?? 0.01 secs Sun Aug 20 00:15
ping S root ?? 0.02 secs Sun Aug 20 00:15
ping6.pl F root ?? 0.02 secs Sun Aug 20 00:15
sh root ?? 0.02 secs Sun Aug 20 00:15
ping S root ?? 0.00 secs Sun Aug 20 00:15
ping6.pl F root ?? 0.01 secs Sun Aug 20 00:15
sh root ?? 0.01 secs Sun Aug 20 00:15
ping S root ?? 0.01 secs Sun Aug 20 00:15
sh root ?? 0.02 secs Sun Aug 20 00:15
ping S root ?? 1.34 secs Sun Aug 20 00:15
locate root ttyp0 1.34 secs Sun Aug 20 00:15
accton S root ttyp0 0.00 secs Sun Aug 20 00:15
One problem with process accounting is that pacct files can grow very quickly. You therefore need to run the sa command, interactively or through cron, to keep the accounting data under control. The sa command reports on, cleans up and maintains process accounting files. It can condense the information in /var/log/pacct into the summary files /var/log/savacct and /var/log/usracct, which hold system statistics classified by command name and by user name. By default, sa reads these summary files first and then the pacct file, so the report contains all the available information. The output of sa has the following column labels:
avio -- average number of I/O operations per execution
cp -- sum of user and system time, in minutes
cpu -- the same as cp
k -- average CPU time used by the kernel, in 1k units
k*sec -- CPU storage integral, in 1k-core seconds
re -- real (elapsed) time, in minutes
s -- system time, in minutes
tio -- total number of I/O operations
u -- user time, in minutes
For example:
842 173.26re 4.30cp 0avio 358k
2 10.98re 4.06cp 0avio 299k find
9 24.80re 0.05cp 0avio 291k ***other*
105 30.44re 0.03cp 0avio 302k ping
104 30.55re 0.03cp 0avio 394k sh
162 0.11re 0.03cp 0avio 413k security.sh*
154 0.03re 0.02cp 0avio 273k ls
56 31.61re 0.02cp 0avio 823k ping6.pl*
2 3.23re 0.02cp 0avio 822k ping6.pl
35 0.02re 0.01cp 0avio 257k md5sum
97 0.02re 0.01cp 0avio 263k initlog
12 0.19re 0.01cp 0avio 399k promisc_check.s
15 0.09re 0.00cp 0avio 288k grep
11 0.08re 0.00cp 0avio 332k awk
A summary report can also be produced per user rather than per command. For example, sa -m displays:
885 173.28re 4.31cp 0avk
root 879 173.23re 4.31cp 0avk
alias 3 0.05re 0.00cp 0avk
qmailp 3 0.01re 0.00cp 0avk
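The accton/lastcomm/sa procedure above, gathered into a small maintenance script of the kind the text says should run from cron. This is an added example, not a script from the original article: the paths are the ones the article uses, the helper names and the size limit are assumptions, `sa -s` is the GNU acct option that merges pacct into savacct/usracct and truncates it, and `accton off` is the modern spelling of turning accounting off (older versions accept accton with no argument, as the text describes). accton and sa require root, so only the size guard is exercised in the test.

```shell
#!/bin/sh
# Added example (not from the original article): process accounting control
# plus a size guard for a cron job, so that pacct is condensed into
# savacct/usracct before it grows out of hand. Helper names and the limit
# are assumptions; PACCT defaults to the path the article uses.

PACCT=${PACCT:-/var/log/pacct}

# acct_enable: create the accounting file if needed and start accounting.
acct_enable() {
    [ -f "$PACCT" ] || touch "$PACCT"
    chmod 600 "$PACCT"      # the record of every command run is sensitive
    accton "$PACCT"
}

# acct_disable: turn accounting off ("accton off" in GNU acct; older
# versions take no argument, as described above).
acct_disable() {
    accton off
}

# pacct_size_kb FILE: print the file size in KiB (0 when the file is absent).
pacct_size_kb() {
    if [ -f "$1" ]; then
        wc -c < "$1" | awk '{ printf "%d\n", $1 / 1024 }'
    else
        echo 0
    fi
}

# pacct_over_limit FILE LIMIT_KB: succeed when FILE is larger than LIMIT_KB.
pacct_over_limit() {
    [ "$(pacct_size_kb "$1")" -gt "$2" ]
}

# pacct_maintain FILE LIMIT_KB: when the file is over the limit, merge its
# records into the summary files and truncate it (GNU acct `sa -s`), then
# note the event through syslog with logger. Prints what it did.
pacct_maintain() {
    if pacct_over_limit "$1" "$2"; then
        sa -s > /dev/null
        logger -t pacct-maintain "condensed $1 into savacct/usracct"
        echo condensed
    else
        echo ok
    fi
}

# Nightly cron entry for root, kept as a comment here (assumed path):
# 0 3 * * * /usr/local/sbin/pacct-maintain.sh
# where the script sources these functions and ends with:
#   pacct_maintain /var/log/pacct 10240
```

Condensing rather than deleting matters for investigations: after `sa -s`, the per-command and per-user totals survive in savacct and usracct, so sa still reports them, while lastcomm can no longer list the individual commands that were merged. Choose the limit with that trade-off in mind.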
Syslog facility
Syslog is used by many logging functions and by many security safeguards; any program can log events through syslog. Syslog can record system events, write them to a file or device, or send a message to users. It can record local events, or events from another host over the network.
The syslog facility is based on two important files: /etc/syslogd (the daemon) and the /etc/syslog.conf configuration file. Traditionally, most syslog information is written to the message files (messages.*) in the /var/adm or /var/log directory. A typical syslog record includes the name of the generating program and a text message. It also carries a facility and a priority (which do not appear in the log itself).
Each syslog message is assigned one of the following main facilities:
LOG_AUTH -- authentication system: login, su, getty, etc.
LOG_AUTHPRIV -- the same as LOG_AUTH, but logged only to a chosen file readable by a restricted set of users
LOG_CRON -- the cron daemon
LOG_DAEMON -- other system daemons, such as routed
LOG_FTP -- File Transfer Protocol: ftpd, tftpd
LOG_KERN -- messages generated by the kernel
LOG_LPR -- the system printer spooler: lpr, lpd
LOG_MAIL -- the mail system
LOG_NEWS -- the network news system
LOG_SYSLOG -- internal messages generated by syslogd(8)
LOG_USER -- messages generated by arbitrary user processes
LOG_UUCP -- the UUCP subsystem
LOG_LOCAL0 to LOG_LOCAL7 -- reserved for local use
Syslog assigns one of several priorities to each event:
LOG_EMERG -- emergency
LOG_ALERT -- a problem that should be corrected immediately, such as a corrupted system database
LOG_CRIT -- a critical condition, such as a hard disk error
LOG_ERR -- error
LOG_WARNING -- warning message
LOG_NOTICE -- not an error condition, but it may need handling
LOG_INFO -- informational message
LOG_DEBUG -- debugging information, normally used only when debugging a program
The syslog.conf file controls the logging behaviour of the syslogd program, which reads the configuration file at startup. The file consists of individual entries, one per line, classified by program or message type. Each entry has a selector field and an action field, separated by tabs: the selector field gives the facility and priority of the messages it applies to, and the action field says what syslogd does when it receives a message matching that selector. A selector is made up of a facility and a priority. When a priority is specified, syslogd logs messages of that priority or higher, so if you specify "crit", all messages marked crit, alert and emerg are logged. The action field of each line says where the selected messages are sent. For example, to log all mail messages to one file:
# Log all the mail messages in one place
mail.* /var/log/maillog
Other facilities also have their own logs. The UUCP and news facilities can generate many extraneous messages, so these are stored in their own log (/var/log/spooler), limited to level err or higher. For example:
# Save mail and news errors of level err and higher in a special file.
uucp,news.crit /var/log/spooler
When an emergency message arrives, you may want every user to receive it. You may also want the log to be received and saved on another machine:
# Everybody gets emergency messages, plus log them on another machine
*.emerg *
*.emerg @linuxaid.com.cn
Alert messages should be written to the accounts of root and tiger:
# Root and Tiger get alert and higher messages
*.alert root,tiger
Sometimes syslogd generates a large number of messages. For example, the kernel (the "kern" facility) can be verbose. A user may want to log kernel messages to /dev/console; in the following example that rule has been commented out:
# Log all kernel messages to the console
# Logging much else clutters up the screen
#kern.* /dev/console
All facilities can be specified in one line. The following example sends messages of level info or higher to /var/log/messages, except those from mail. The level "none" disables a facility:
# Log anything (except mail) of level info or higher
# Don't log private authentication messages!
*.info;mail.none;authpriv.none /var/log/messages
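The selector rules just described (a priority selects itself and everything more severe, "*" matches any facility or priority, "none" excludes a facility, and later ';'-separated parts override earlier ones) are easy to get wrong when editing syslog.conf by hand, and a mistake usually means a quiet gap in the logs rather than an error. The following added example, which is not part of the original article, evaluates a classic selector against a message's facility and priority so a rule can be checked before it is deployed. It assumes the classic syntax shown above; the "=" and "!" modifiers of newer syslog daemons are not handled.

```shell
#!/bin/sh
# Added example (not from the original article): a POSIX sh evaluator for the
# classic syslog.conf selector semantics described above. Assumption: plain
# facility.priority selectors only; "=" and "!" modifiers are not handled.

# prio_rank NAME: numeric severity, 0 = debug ... 7 = emerg, -1 = unknown.
prio_rank() {
    case "$1" in
        debug)        printf '%s\n' 0 ;;
        info)         printf '%s\n' 1 ;;
        notice)       printf '%s\n' 2 ;;
        warning|warn) printf '%s\n' 3 ;;
        err|error)    printf '%s\n' 4 ;;
        crit)         printf '%s\n' 5 ;;
        alert)        printf '%s\n' 6 ;;
        emerg|panic)  printf '%s\n' 7 ;;
        *)            printf '%s\n' -1 ;;
    esac
}

# fac_hit LIST FACILITY: succeed if the comma-separated LIST names FACILITY
# or is "*". Pattern matching avoids word splitting and globbing of "*".
fac_hit() {
    case ",$1," in
        *",$2,"* | *",*,"*) return 0 ;;
    esac
    return 1
}

# syslog_matches SELECTOR FACILITY PRIORITY: print yes or no.
syslog_matches() {
    rest="$1;"                   # trailing ';' lets the loop consume the last part
    msg_fac=$2
    msg_rank=$(prio_rank "$3")
    result=no
    while [ -n "$rest" ]; do
        part=${rest%%;*}
        rest=${rest#*;}
        fac_list=${part%.*}      # everything before the last '.'
        prio=${part##*.}         # everything after it
        fac_hit "$fac_list" "$msg_fac" || continue
        case "$prio" in
            none) result=no ;;   # a later "none" switches the facility off again
            '*')  result=yes ;;
            *)    sel_rank=$(prio_rank "$prio")
                  if [ "$sel_rank" -ge 0 ] && [ "$msg_rank" -ge "$sel_rank" ]; then
                      result=yes
                  else
                      result=no
                  fi ;;
        esac
    done
    printf '%s\n' "$result"
}

# Walk the article's rules against a few messages.
for rule in 'mail.*' 'uucp,news.crit' '*.emerg' '*.info;mail.none;authpriv.none'; do
    for msg in 'mail info' 'news err' 'news alert' 'authpriv notice' 'kern emerg'; do
        set -- $msg
        printf '%-36s <- %-16s %s\n' "$rule" "$1.$2" "$(syslog_matches "$rule" "$1" "$2")"
    done
done
```

Run against the last rule in the article, the evaluator shows why the order of the parts matters: `*.info` admits an authpriv notice, and only the trailing `authpriv.none` takes it back out, which is exactly the guarantee the "Don't log private authentication messages!" comment relies on.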
In some cases the log can be sent to a printer, so that a network intruder gains nothing by modifying the log. It is usually necessary to keep extensive logs. The syslog facility is a prominent target of attackers, and a system that keeps logs on behalf of other hosts is particularly exposed to attacks on that server, so pay special attention to it.
There is a small command, logger, that provides a shell command interface to syslog(3) so that users can create entries in the log files. Usage: logger, for example: logger This is a test!
It produces the following syslog record: Aug 19 22:22:34 tiger: This is a test!
Be careful not to trust the log completely, because it is easy for an attacker to modify it.
Program logs
Many programs reflect the security status of the system by maintaining their own logs. The su command allows a user to gain another user's permissions, so its security is important; its log file is sulog. The same goes for sudolog. In addition, Apache, for example, has two logs: access_log and error_log.
At this point you should have a deeper understanding of Linux system log management. Try the commands out in practice.
© 2024 shulou.com SLNews company. All rights reserved.