Learn linux--log view every day

Source: Internet
Author: User
Tags syslog

Most servers run Linux. If a server is compromised, detecting the traces of the intrusion relies mainly on the Linux system logs.

While looking for information I came across a fairly detailed article about logs; I excerpt it here so we can learn from it together.

(1)/var/log/boot.log

This file records the events that occurred during the boot process; it is the information the Linux system displays while it boots up.

(2)/var/log/cron

This log file records the actions of the child processes spawned by the crontab daemon crond. Each entry is prefixed with the user, the login time and the PID, followed by the action of the spawned process.

The CMD action is the common case: cron spawning a scheduled process. The REPLACE action records a user updating their cron file, which lists the periodic tasks to be executed. The RELOAD action occurs shortly after REPLACE and means that cron has noticed a user's cron file was updated and needs to reload it into memory. Anomalies can often be spotted in this file.
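As an added example that is not part of the original article, the following Python script parses lines in the format crond writes (user, action and detail after the usual syslog prefix) and separates CMD actions from REPLACE/RELOAD actions, so crontab changes and jobs launched from world-writable directories can be reviewed. The sample lines, host name, PIDs and paths are constructed, not taken from a real system.

```python
import re

# Constructed sample lines in the format cron writes to /var/log/cron (not real logs).
SAMPLE_CRON_LOG = """\
Mar  3 10:01:01 web1 CROND[2113]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 10:02:17 web1 crontab[2140]: (www-data) REPLACE (www-data)
Mar  3 10:03:01 web1 crond[911]: (www-data) RELOAD (/var/spool/cron/www-data)
Mar  3 10:05:01 web1 CROND[2201]: (www-data) CMD (/tmp/update.sh)
Mar  3 10:10:01 web1 CROND[2250]: (root) CMD (/usr/lib64/sa/sa1 1 1)
"""

# Syslog-style prefix: date, hostname, program[pid]: message
PREFIX_RE = re.compile(
    r"^(?P<date>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Cron message body: (user) ACTION (detail)
CRON_MSG_RE = re.compile(r"^\((?P<user>[^)]+)\) (?P<action>[A-Z]+) \((?P<detail>.*)\)$")

# Directories any local user can write to; a job started from here deserves a look.
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_cron_line(line):
    """Return a dict for one cron log line, or None if it is not in cron's format."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    body = CRON_MSG_RE.match(m.group("msg"))
    if not body:
        return None
    return {"date": m.group("date"), "host": m.group("host"), "pid": int(m.group("pid")),
            "user": body.group("user"), "action": body.group("action"),
            "detail": body.group("detail")}


def summarize(log_text):
    """Return (crontab_changes, suspicious_commands) found in the log text."""
    changes, suspicious = [], []
    for line in log_text.splitlines():
        ev = parse_cron_line(line)
        if ev is None:
            continue
        if ev["action"] in ("REPLACE", "RELOAD"):
            changes.append(ev)          # a user's crontab was edited and reloaded
        elif ev["action"] == "CMD" and ev["detail"].startswith(UNTRUSTED_DIRS):
            suspicious.append(ev)       # scheduled job running from a temp directory
    return changes, suspicious


if __name__ == "__main__":
    changes, suspicious = summarize(SAMPLE_CRON_LOG)
    for ev in changes:
        print("crontab change:", ev["date"], ev["user"], ev["action"], ev["detail"])
    for ev in suspicious:
        print("review job:", ev["date"], ev["user"], "PID", ev["pid"], ev["detail"])
```

A REPLACE followed by a RELOAD for an account that should not have a crontab at all (a web service user, for instance) is the kind of anomaly the paragraph above refers to.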

(3)/var/log/maillog

This log file records the activity of every email sent to or from the system. It can be used to find out which system a user used to send tools, or which system data was sent to.

The format of the file is the standard syslog line format: each line contains a date, a hostname, a program name, square brackets containing a PID or a kernel identifier, a colon and a space, and finally the message.

One drawback of this kind of file is that recorded intrusion attempts and successful intrusions are buried among a large number of normal process records. The file can, however, be customized through the syslog configuration: /etc/syslog.conf determines how the system writes to /var/log/messages.

(4)/var/log/syslog

Fedora does not produce this log file by default, but you can configure /etc/syslog.conf so that the system generates it. Unlike /var/log/messages, it records only warning messages, which usually indicate a problem with the system, so you should pay extra attention to this file. To have the system generate it, add the following line to /etc/syslog.conf:

*.warning /var/log/syslog

This log file can record wrong passwords at user login, sendmail problems, failed su command executions and other information.

The /var/log/lastlog file records the most recent successful login event and the last unsuccessful login event generated by login. It is queried every time a user logs in. The file is binary, so you need to use the lastlog command to view the login name, port and last login time, sorted by UID. If a user has never logged in, it is displayed as "**Never logged in**". This command can only be run with root privileges.

(5)/var/log/wtmp

This log file permanently records every user's login and logout, as well as system startup and shutdown events. As the system's uptime grows, the file keeps growing, at a rate that depends on how often users log in. It can be used to review user login records: the last command reads this file and displays the login records in reverse order (most recent first), and it can also display the records for a given user, terminal (tty) or time.

(6)/var/run/utmp

This log file records information about every user currently logged in. The file therefore changes as users log in and out; it keeps only the users online at that moment and no permanent record. Programs that query the current user state, such as who, w, users and finger, read this file. The file does not contain completely accurate information, because some abrupt errors terminate a user's login session without the system updating the utmp record in time, so its records cannot be fully trusted.

The three files mentioned above (/var/log/wtmp, /var/run/utmp, /var/log/lastlog) are the key files of the login logging subsystem; all of them record user logins, and every record carries a timestamp. They are stored in binary form, so they cannot be read directly with commands such as less or cat; the corresponding commands must be used instead. The utmp and wtmp files share the same record structure, while lastlog uses a different one; the exact structures can be looked up with the man command.
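To make the binary layout concrete, here is an added example (not from the original article) that decodes utmp/wtmp and lastlog records with Python's struct module and reconstructs login sessions the way last does, newest first. It assumes the glibc x86_64 layout (a 384-byte struct utmp with 32-bit time fields and a 292-byte struct lastlog, as documented in man 5 utmp and man 8 lastlog); the sample records, user names, addresses and timestamps are constructed in the script rather than read from a real file.

```python
import struct

# glibc `struct utmp` on x86_64 (see `man 5 utmp`): 384 bytes per record, little-endian.
# Assumption: the file was written by a 64-bit glibc system; other layouts differ.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)        # 384
UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
            5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
            8: "DEAD_PROCESS", 9: "ACCOUNTING"}

# `struct lastlog` (see `man 8 lastlog`): int32 ll_time, char ll_line[32], char ll_host[256].
# The file is indexed by UID: record N belongs to UID N; an all-zero record means never logged in.
LASTLOG_FMT = "<i32s256s"
LASTLOG_SIZE = struct.calcsize(LASTLOG_FMT)  # 292


def _cstr(raw):
    """Decode a NUL-padded fixed-width C string field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data):
    """Decode every record of a utmp or wtmp image (both files share the structure)."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        fields = struct.unpack_from(UTMP_FMT, data, off)
        ut_type, pid, line, ut_id, user, host = fields[:6]
        tv_sec = fields[9]                       # ut_tv.tv_sec: seconds since the epoch
        records.append({"type": UT_TYPES.get(ut_type, str(ut_type)), "pid": pid,
                        "line": _cstr(line), "id": _cstr(ut_id), "user": _cstr(user),
                        "host": _cstr(host), "time": tv_sec})
    return records


def sessions(records):
    """Pair each USER_PROCESS with the next DEAD_PROCESS on the same tty, newest first (like `last`)."""
    open_by_line, done = {}, []
    for rec in records:
        if rec["type"] == "USER_PROCESS":
            open_by_line[rec["line"]] = dict(rec, logout=None)
        elif rec["type"] == "DEAD_PROCESS" and rec["line"] in open_by_line:
            sess = open_by_line.pop(rec["line"])
            sess["logout"] = rec["time"]
            done.append(sess)
        elif rec["type"] == "BOOT_TIME":          # a reboot ends every session still open
            for sess in open_by_line.values():
                sess["logout"] = rec["time"]
                done.append(sess)
            open_by_line.clear()
    done.extend(open_by_line.values())            # logout=None means still logged in
    return sorted(done, key=lambda s: s["time"], reverse=True)


def parse_lastlog(data):
    """Return {uid: {...}} for users that have logged in; zero records are 'never logged in'."""
    result = {}
    for uid, off in enumerate(range(0, len(data) - LASTLOG_SIZE + 1, LASTLOG_SIZE)):
        ll_time, line, host = struct.unpack_from(LASTLOG_FMT, data, off)
        if ll_time != 0:
            result[uid] = {"time": ll_time, "line": _cstr(line), "host": _cstr(host)}
    return result


# --- constructed sample data (packed here, not captured from a real system) ---
def _utmp_record(ut_type, pid, line, ut_id, user, host, sec):
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ut_id.encode(), user.encode(),
                       host.encode(), 0, 0, 0, sec, 0, 0, 0, 0, 0)


T0 = 1700000000
SAMPLE_WTMP = b"".join([
    _utmp_record(2, 0, "~", "~~", "reboot", "6.1.0", T0),                      # BOOT_TIME
    _utmp_record(7, 1201, "pts/0", "ts/0", "alice", "192.0.2.10", T0 + 100),   # login
    _utmp_record(7, 1340, "pts/1", "ts/1", "bob", "192.0.2.11", T0 + 200),     # login
    _utmp_record(8, 1201, "pts/0", "ts/0", "", "", T0 + 500),                  # alice logged out
])


def _lastlog_record(sec, line, host):
    return struct.pack(LASTLOG_FMT, sec, line.encode(), host.encode())


SAMPLE_LASTLOG = b"".join([
    _lastlog_record(T0 + 900, "tty1", ""),              # uid 0: console login
    _lastlog_record(0, "", ""),                         # uid 1: never logged in
    _lastlog_record(T0 + 100, "pts/0", "192.0.2.10"),   # uid 2: remote login
])

if __name__ == "__main__":
    for s in sessions(parse_utmp(SAMPLE_WTMP)):
        print(s["user"], s["line"], s["host"], s["time"], s["logout"] or "still logged in")
    print(parse_lastlog(SAMPLE_LASTLOG))
```

Reading the raw records is also a useful cross-check: if who or last reports nothing for a tty that parse_utmp shows as USER_PROCESS, or a record's ut_type or timestamp is inconsistent with its neighbours, the file may have been edited, which is exactly the kind of tampering the warning about utmp's trustworthiness should make an investigator look for.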

(7)/var/log/xferlog

This log file records FTP sessions and shows which files users copied to or from the FTP server. It can reveal which malicious programs a user uploaded to the server in order to compromise it, and which files the user copied out for their own use.

The format of the file is: the first field is the date and time; the second is the number of seconds the transfer took; then the remote host name, the file size, the local path name, the transfer type (a: ASCII, b: binary), a flag for compression or tar, or "_" if there was no special action, the transfer direction (relative to the server: i for input, o for output), the access mode (a: anonymous, g: guest with password, r: real user), the user name, the service name (usually ftp), the authentication method (1: RFC 931, or 0), and the authenticated user ID or "*".
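The following Python parser is an added example, not part of the original article, that splits xferlog lines into the fields listed above, translates the single-letter codes, and pulls out the uploads (direction i), which is the view an investigator wants when checking what was copied onto the server. The sample lines, hosts, paths and user names are constructed; the trailing completion-status field (c or i) and the C/U/T special-action letters are taken from the wu-ftpd xferlog format rather than from the description above.

```python
# Constructed xferlog lines in the field order described above (not real server logs).
SAMPLE_XFERLOG = """\
Mon Mar  4 09:12:31 2024 2 192.0.2.50 48213 /var/ftp/pub/readme.txt a _ o a anonymous ftp 0 * c
Mon Mar  4 09:15:02 2024 12 192.0.2.77 1048576 /var/ftp/incoming/tool.tar.gz b T i r dave ftp 0 * c
Mon Mar  4 09:16:40 2024 1 192.0.2.77 812 /var/ftp/incoming/run.sh a _ i r dave ftp 0 * c
Mon Mar  4 09:20:11 2024 5 198.51.100.9 20480 /var/ftp/pub/image.png b _ o g guest ftp 0 * i
"""

# Fields after the timestamp, in the order listed in the article.
FIELDS = ["transfer_secs", "remote_host", "size", "path", "transfer_type", "special_action",
          "direction", "access_mode", "user", "service", "auth_method", "auth_user"]

# Human-readable meanings of the single-letter codes.
CODES = {
    "transfer_type": {"a": "ascii", "b": "binary"},
    "special_action": {"C": "compressed", "U": "uncompressed", "T": "tar", "_": "none"},
    "direction": {"i": "incoming (copied to server)", "o": "outgoing (copied from server)"},
    "access_mode": {"a": "anonymous", "g": "guest (password)", "r": "real user"},
    "auth_method": {"0": "none", "1": "RFC 931"},
}


def parse_xferlog_line(line):
    """Split one xferlog line into a dict; returns None if the line is too short."""
    tokens = line.split()
    n = 5 + len(FIELDS)            # the timestamp is five tokens: "Mon Mar  4 09:12:31 2024"
    if len(tokens) < n:
        return None
    rec = {"time": " ".join(tokens[:5])}
    rec.update(zip(FIELDS, tokens[5:n]))
    rec["transfer_secs"] = int(rec["transfer_secs"])
    rec["size"] = int(rec["size"])
    # Servers that follow wu-ftpd append a completion status: c = complete, i = incomplete.
    rec["complete"] = (tokens[n] == "c") if len(tokens) > n else None
    for key, table in CODES.items():
        rec[key + "_desc"] = table.get(rec[key], "unknown:" + rec[key])
    return rec


def uploads(log_text):
    """Files copied onto the server (direction 'i'): where uploaded tools would appear."""
    return [r for r in map(parse_xferlog_line, log_text.splitlines())
            if r and r["direction"] == "i"]


def transfers_by_host(log_text):
    """Bytes transferred per remote host, split by direction."""
    totals = {}
    for r in filter(None, map(parse_xferlog_line, log_text.splitlines())):
        per_host = totals.setdefault(r["remote_host"], {"i": 0, "o": 0})
        per_host[r["direction"]] += r["size"]
    return totals


if __name__ == "__main__":
    for r in uploads(SAMPLE_XFERLOG):
        print(r["time"], r["remote_host"], r["user"], r["access_mode_desc"], r["path"], r["size"])
    print(transfers_by_host(SAMPLE_XFERLOG))
```

Note that the path field is the local path name, so it is easy to join against a filesystem listing of the incoming directory to see whether uploaded files are still present or have been moved elsewhere.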

(8)/var/log/secure

Basically, any software that requires entering an account and password records its logins (whether successful or failed) in this file. This includes the system login program, GUI logins through gdm, su, sudo and similar programs, as well as network logins through ssh, telnet and others; all of their login information is recorded here.
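The following script is an added example, not part of the original article, that serves two of the passages above: it parses the syslog line format described in the maillog section (date, hostname, program name, bracketed PID, colon, message) and then applies it to /var/log/secure-style lines from sshd, su and sudo to count failed passwords per source address, flag a success that follows a run of failures, and list su failures and sudo commands. The sample lines, host name, addresses and user names are constructed; the message patterns for sshd ("Failed/Accepted password for ... from ... port ..."), su ("FAILED SU (to ...) ... on ...") and sudo ("user : TTY=... ; PWD=... ; USER=... ; COMMAND=...") follow the usual wording of those programs.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog format described above (not captured from a real server).
SAMPLE_SECURE = """\
Mar  5 02:11:07 web1 sshd[4021]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
Mar  5 02:11:09 web1 sshd[4021]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
Mar  5 02:11:12 web1 sshd[4025]: Failed password for root from 203.0.113.9 port 51130 ssh2
Mar  5 02:11:15 web1 sshd[4025]: Failed password for root from 203.0.113.9 port 51130 ssh2
Mar  5 02:11:19 web1 sshd[4030]: Failed password for root from 203.0.113.9 port 51141 ssh2
Mar  5 02:11:30 web1 sshd[4030]: Accepted password for root from 203.0.113.9 port 51141 ssh2
Mar  5 08:00:01 web1 su[5100]: FAILED SU (to root) alice on pts/0
Mar  5 08:00:20 web1 sudo[5111]:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
Mar  5 08:05:00 web1 kernel: usb 1-1: new high-speed USB device number 3
"""

# Syslog line: date, hostname, program, optional [PID], colon and space, message.
PREFIX_RE = re.compile(
    r"^(?P<date>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
SSH_RE = re.compile(r"^(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
                    r"from (?P<ip>\S+) port \d+")
SU_RE = re.compile(r"^FAILED SU \(to (?P<target>[^)]+)\) (?P<user>\S+) on \S+")
SUDO_RE = re.compile(r"^(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse_syslog_line(line):
    """Split one syslog-format line into its fields; None if it does not match."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None   # kernel lines carry no PID
    rec["msg"] = rec["msg"].strip()                          # sudo indents its message
    return rec


def detect(log_text, threshold=3):
    """Summarize authentication events; `threshold` failures from one address flags it."""
    failed_by_ip = Counter()
    report = {"brute_force": [], "success_after_failures": [], "su_failures": [], "sudo": []}
    for line in log_text.splitlines():
        rec = parse_syslog_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        if rec["prog"] == "sshd" and (m := SSH_RE.match(msg)):
            if m["result"] == "Failed":
                failed_by_ip[m["ip"]] += 1
            elif failed_by_ip[m["ip"]]:
                # a successful login from an address that was just guessing passwords
                report["success_after_failures"].append((m["ip"], m["user"]))
        elif rec["prog"] == "su" and (m := SU_RE.match(msg)):
            report["su_failures"].append((m["user"], m["target"]))
        elif rec["prog"] == "sudo" and (m := SUDO_RE.match(msg)):
            report["sudo"].append((m["user"], m["target"], m["cmd"]))
    report["failed_by_ip"] = dict(failed_by_ip)
    report["brute_force"] = [ip for ip, n in failed_by_ip.items() if n >= threshold]
    return report


if __name__ == "__main__":
    for key, value in detect(SAMPLE_SECURE).items():
        print(key, value)
```

The same prefix parser applies to /var/log/messages and /var/log/cron, since they share the line format; only the message patterns differ per program.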

The services and programs on which the log files depend are:

(1) syslogd: mainly logs messages from the system and network services (now generally the enhanced rsyslogd, which adds some new features);

(2) klogd: mainly logs all messages generated by the kernel;

(3) logrotate: its main function is rotating the log files.
