Linux system log files and log cleanup after intrusion

The following article describes how to understand system logs that are written by others. Now we post the Linux functions that we do not know to remember.

-------------
Document directory
-------------
1. What is syslogd?
2. syslogd configuration instructions
3 Relationship Between syslogd and logs in service configuration in the system
4. What is logrotate?
5. logrotate configuration instructions

-------------
Document body
-------------
1. What is syslogd?
Syslogd can be simply called a daemons that records system activities. For example, you can record who, when, where, and what you have done (such as writing a narrative), or you can record what happened in your system, for example, when is the reboot or hardware or software error information? Of course, it also records the information of the Service running on your system.
Most of the time, a friend came up and asked, "Why can't I start X ?!" Question marks and exclamation marks are not allowed to be used in Chinese standards, but we can know that his mood is urgent. But why don't you first consider what changes you have made? Why don't you first check whether there is any error output? Why don't you check the log file? At least, logs provide a good reference for solving the problem. Many people say that one of their devices does not work. Do you take the dmesg information seriously for reference?
Syslogd is a trivial task, but it is a very important task. Many of my friends decided to stop the daemons in order to improve the system performance and save a little resources. In my opinion, this is not advisable.
Syslogd logs are generally stored in/var/log/, and are stored on another server. Because the information recorded by syslogd is too important, it also involves log security issues.
General System Log information:
/Var/log/Secure: records system security information, such as SSH, FTP, and POP3;
/Var/log/wtmp: record who has logged on to the system. Because this log has been encoded, you can only use the last command to view it;
/Var/log/boot. Log: as the name suggests, records the information about enabling or disabling the system and Wu fu;
/Var/log/message: system errors are recorded in this log, for example, logs using the log function in iptables;
/Var/log/mail:
/Var/log/httpd/
/Var/log/mysqld. D. logs of these services are recorded.

2. syslogd configuration instructions
2.1 start syslogd Service
First, you must determine whether your system is running the service.
Service syslog status
Or:
PS-Aux | grep Syslog
If your system does not run this service, you can open it. There are many methods.
Service syslog start
If you want the system to run syslogd at the next startup, you can add it to the Service in setup. If you determine your default boot level, such as 3, you can also add a soft connection starting with s under/etc/rc. d/rc3.d. Alternatively, you can use chkconfig 2345 syslog on to add.
2.2 syslogd service configuration file
The configuration file of syslogd is generally in/etc/syslog. conf. This file still follows the rules of other configuration files you have seen, for example, # Is a comment. You can see what your syslogd is helping you record. This is part of my syslog. conf:
Quote:
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
# Kern. */dev/console

# Log anything (could t mail) of level info or higher.
# Don't log private authentication messages!
*. Info; mail. None; authpriv. None; cron. None/var/log/messages

# The authpriv file has restricted access.
Authpriv. */var/log/secure

# Log all the mail messages in one place.
Mail. */var/log/maillog

# Log cron stuff
Cron. */var/log/cron
2.3 syslog. conf configuration rules
Service name. storage or display location of information level
This syntax is simple.
Service name
Mail HTTP at cron Kern and so on.
Information level
Info: displays information;
Notice: the information you need to pay attention;
Warn or Waring: warning information;
Although the above three information reminds you of the error, the error still persists. Pay attention to the following information.
Error or err: error message. You need to carefully check the cause of the error;
Crit: a very serious error. It has reached the critical point;
Alert: Warning! Do you think of "Red Alert "? However, this is a serious error;
Emerg or panic: The system is messy. redo it;

Special:
Debug: displays a lot of information;
None: as the name suggests, no information is recorded.
Storage or display location
Absolute Log Path: for example,/var/log;
One of your users;
Host on the Network: @ log.company.com
Printer:/dev/lp0
2.4 application example
Mail.info/var/log/maillog
Information greater than or equal to info will be written to/var/log/maillog.
Mail. *; cron. */var/log/mailcron mail. = warn; cron. = warn/var/log/mailcronwarn
Information with a level of warn is written into/var/log/mailcronwarn, and other information is written into/var/log/mailcron.
*. *; Mail, cron. None/var/log/message

*. *; Mail. None; cron. None/var/log/message
Records all information of all services except mail and cron.

3 Relationship Between syslogd and logs in service configuration in the system
As mentioned above, syslogd provides Log service for the system. So what is the relationship between the log information defined in the configuration file and syslog. conf?
Or you have noticed this section:
# Log anything (could t mail) of level info or higher.
# Don't log private authentication messages!
*. Info; mail. None; authpriv. None; cron. None/var/log/messages
What does this passage mean? I think it is to record all system information except mail, authpriv, and cron in/var/log/messages. That is, it records your own HTTP information. Is that true? I have installed an httpd and specified the log to another file, such as/usr/website/log/httplog. Although I can see my httpd log information in/usr/website/log/httpdlog
# Cat/var/log/messages | grep HTTP
Is empty.
In addition, I once asked a friend about this problem. He said that syslogd won't record the information you didn't ask it to record. Although there is a *. info above, this * Does not include your own service. I asked, so iptables is not required in my syslog. conf. Why does it record/var/log/messages? Or you can define iptables yourself.
Therefore, I have only such an understanding of this section. If any error occurs, please point it out.

4. What is logrotate?
Logrotate rotates log files. It is to name the current log as log.1, and then continue to write the log. If log.1 exists, it is named log.1 as log.2 and then named log as log.1, and so on, but it is not endless. At the end of this step is your definition in the logrotate configuration file. The default value of my system is 4. What are the operations on log.4? Delete.
Syslogd runs in daemons mode;
Logrotate runs as planned.

5. logrotate configuration instructions
5.1 location of the configuration file
/Etc/logrotate. conf
/Etc/logrotate. d
Among them,/etc/logrotate. conf is the main configuration file, and the files in/etc/logrotate. D will be read by/etc/logrotate. conf. If the configuration file in/etc/logrotate. d does not specify specific parameters, these parameters are determined by/etc/logrotate.
5.2 logrotate configuration rules
As mentioned above in 5.1, the main configuration of logrotate is in/etc/logrotate. and/etc/logrotate. the file in D is for/etc/logrotate. conf. You can also set it to prevent/etc/logrotate. conf from being too large. Logrotate statement:
Write the logfile (s) in front of the file. It contains the absolute path of the file. You can use blank characters to separate multiple logs or use the wildcard replacement;
Use {} to include all settings;
It generally includes:
Prerotate commands executed before logrotate is started, such as/usr/bin/charrt-A/var/log/logfile;
Postrotate: The Command executed after logrotate is executed, for example,/usr/bin/charrt + A/var/log/logfile;
You can configure or disable the above two actions, depending on your needs.
Actions between prerotate and postrotate include:
Weeky # Run once a week
Rotate 4 # retain four logs
Create # create a log after logratoe
Compress # Whether the logs after rotate are compressed
Include/etc/logrotate. D # include rotation settings under the/etc/logrotate. d directory
If you write your rotation settings under/etc/logrotate. D, you can use

Logrotate-F Yourfile
To test.
5.3 application example
The settings in this document are clear. You can refer to the documents below/etc/logrotate. conf and/etc/logrotate. D.

 

This article from the csdn blog, reproduced please indicate the source: http://blog.csdn.net/cneaglelee/archive/2009/06/27/4301513.aspx