There are no fewer than dozens of tools for searching a log file for specific events. This article first describes the strategy to follow when searching log files. It then gives several concrete examples of searching log files by hand with the grep command, then looks at the Logwatch and Logsurfer tools, and finally at tools you have to download and install yourself, such as Swatch.
1. A simple way to find log files
In general, system log files are almost always kept in a subdirectory of /var (typically /var/log; the exact paths are defined in syslog.conf). If you want every application to store its log files under /var, you have to edit each application's configuration file in turn. Centralizing the logs under /var is a good idea for two reasons. First, when you need to view them, change their permissions or back them up, you find all the log files in one place.
Second, /var is usually on a filesystem of its own, separate from the root (/) filesystem, so that growing log files cannot fill up the free space of the root filesystem and affect the operating system and applications. You can use the find command to locate log files you don't know about. The approach is to change to the root directory and run the following command as root to list all recently modified files:
find . -type f -mtime -5 -print | grep -v proc | grep -v lock
Here -mtime -5 selects regular files modified within the last five days, and the two grep -v filters drop the pseudo-files under /proc and lock files; anything that remains and is not a log you already know about deserves a look.
2. A strategy for searching log files
The first challenge in log file analysis is telling abnormal activity apart from normal activity. The prerequisite is knowing what normal activity on the system and the network looks like in the log files. Without that accumulated experience it is hard to know which events in a log file are routine. Becoming familiar with normal log activity takes time; expecting everyone to read the log files is clearly unrealistic, and this is a process of gradual accumulation.
Be aware that as the number of applications and users on the network grows and changes, the contents of the log files will change as well. Once an anomaly has been isolated, the next step is to decide correctly whether it is an alarm condition. That judgement can only be made by deepening your understanding of the company's day-to-day activities, and it often requires striking a balance between system availability and risk prevention.
3. Searching log files manually
grep is one of the most powerful shell commands on UNIX systems, and using it to search a log file for various suspicious clues is an excellent use of this text-search command. Using grep is simple; enter on the command line:
grep "failed" /var/log/messages
The grep command above finds every line of /var/log/messages containing the word "failed". By default grep is case sensitive, so this command will not match "Failed" or "FAILED"; depending on the situation you may want the -i option for a case-insensitive search. One of the challenges of searching a log file is that you have to know what you are looking for before you can find out whether it is there. There are several ways to help with this.
If you know the event or activity you are looking for, for example a user trying to switch to root with the su command, you can perform it yourself first and then look in the log file to see what it looks like. For example, on a SuSE Linux system a failed su command leaves a record like this in the log file (chim is the hostname, rreck the user):
Apr  1 11:15:54 chim su: FAILED SU (to root) rreck on /dev/pts/1
So to identify all such activity you would use the following command (note the upper-case pattern, which matches exactly the text su writes):
grep "FAILED SU" /var/log/messages
The activity in this example is a sign of a possible attack. If grep finds only a few such failures in the log file, someone has most likely forgotten or mistyped their password. If instead it finds dozens of such failures, someone is probably trying to break into your system and you should act immediately to deny them access at the network level. Note that the su record names only the terminal (/dev/pts/1), not a network address: to block the source you have to correlate it with the login record for that session, for example the sshd line that accepted the connection.
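As an added example that is not part of the original article, the two grep checks above are wrapped in shell functions and run over a constructed syslog sample. The hostname, user names and addresses in the sample are invented; the su lines use the format quoted above, and the sshd lines the usual OpenSSH "Accepted ... from <addr>" format. The script shows the case-sensitivity point, counts failures per user so the "a few" versus "dozens" judgement can be made against a threshold, and pulls the login address for a flagged user, since the su record itself only names a terminal:

```shell
#!/bin/sh
# Added example (not from the original article): the article's grep checks
# turned into small shell functions, run over a constructed syslog sample.
# Hostname "chim", users "rreck" and "mallory", and the addresses are made up
# for this example; the su lines follow the format quoted in the article,
# the sshd lines the usual OpenSSH "Accepted ... from <addr>" format.

SAMPLE_LOG='Apr  1 11:15:40 chim sshd[2311]: Accepted password for rreck from 192.0.2.10 port 50122 ssh2
Apr  1 11:15:54 chim su: FAILED SU (to root) rreck on /dev/pts/1
Apr  1 11:16:02 chim su: (to root) rreck on /dev/pts/1
Apr  1 11:31:40 chim sshd[2398]: Accepted password for mallory from 198.51.100.7 port 40012 ssh2
Apr  1 11:31:55 chim su: FAILED SU (to root) mallory on /dev/pts/3
Apr  1 11:31:58 chim su: FAILED SU (to root) mallory on /dev/pts/3
Apr  1 11:32:01 chim su: FAILED SU (to root) mallory on /dev/pts/3
Apr  1 11:32:04 chim su: FAILED SU (to root) mallory on /dev/pts/3
Apr  1 11:32:07 chim su: FAILED SU (to root) mallory on /dev/pts/3
Apr  1 11:32:10 chim su: FAILED SU (to root) mallory on /dev/pts/3
Apr  1 11:33:20 chim sshd[2400]: Failed password for invalid user admin from 198.51.100.7 port 40100 ssh2
Apr  1 12:00:01 chim cron[2450]: (root) CMD (run-parts /etc/cron.hourly)'

SAMPLE_FILE="$(mktemp)"
trap 'rm -f "$SAMPLE_FILE"' EXIT
printf '%s\n' "$SAMPLE_LOG" > "$SAMPLE_FILE"

# The article's search, literally. grep is case sensitive, so the pattern
# must be written the way su writes it. ("|| true" keeps a zero count from
# being treated as an error: grep -c exits 1 when nothing matches.)
count_failed_su() {
  grep -c 'FAILED SU' "$1" || true
}

# What the first grep in the article ("failed", lower case) would catch on
# the same file: nothing, because neither su nor sshd writes it that way.
count_failed_lower() {
  grep -c 'failed' "$1" || true
}

# grep -i ignores case and so also picks up sshd's "Failed password" lines.
count_failed_any_case() {
  grep -ci 'failed' "$1" || true
}

# One "user count" line per user with failed su attempts, most first.
# The user name is taken from the text of the record rather than from a
# field number, so a PID in "su[1234]:" or a different hostname will not
# shift it.
failed_su_by_user() {
  sed -n 's/.*FAILED SU (to [^)]*) \([^ ]*\) on .*/\1/p' "$1" \
    | sort | uniq -c | sort -rn \
    | awk '{ print $2, $1 }'
}

# Users with at least THRESHOLD failures: the "dozens of failures" case the
# article treats as a probable break-in attempt, with the threshold left to
# the operator.
suspects() {
  failed_su_by_user "$1" | awk -v t="$2" '$2 >= t { print $1 }'
}

# The su record names a terminal, not an address. To block at the network
# level, find the login that produced the session: here, the addresses from
# which sshd accepted a login for the user.
login_sources() {
  grep "sshd\[[0-9]*\]: Accepted .* for $2 from " "$1" \
    | sed 's/.* from \([^ ]*\) port .*/\1/' | sort -u
}

echo "FAILED SU lines:          $(count_failed_su "$SAMPLE_FILE")"
echo "grep 'failed' would find: $(count_failed_lower "$SAMPLE_FILE")"
echo "grep -i 'failed' finds:   $(count_failed_any_case "$SAMPLE_FILE")"
echo "failures per user:"
failed_su_by_user "$SAMPLE_FILE"
for u in $(suspects "$SAMPLE_FILE" 5); do
  echo "suspect $u logged in from: $(login_sources "$SAMPLE_FILE" "$u")"
done
```

Save it as a script and run it with sh; to use the same functions on a real system, point them at /var/log/messages instead of the sample file. The threshold belongs to the operator, not the script: what counts as "dozens" depends on how many users legitimately use su on that host, which is exactly the knowledge of normal activity the previous section asks you to build up.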