Linux System Log parsing 7 --- Memorandum

Source: Internet
Author: User
Tags: syslog, unix domain socket

Linux System Log parsing 7 --- memorandum. This is the seventh article in the series. It was originally written separately and is now added to the Linux column.

7.1 -- Foreword

Linux system logs are of great benefit when analyzing system faults and solving related problems. This article collects some accumulated knowledge and is only a memo.

7.2 -- Start

Linux system logs generally include system logs and application logs. The former are mostly recorded under /var/log/, while the latter are distributed across different directories as needed, though they may also be written under /var/log. Here we describe the system logs.

7.2.1 Log locations and categories

Log directories by platform:
  /usr/adm -- earlier versions of UNIX
  /var/adm -- newer versions use this location
  /var/log -- some versions of Solaris, Linux and BSD; FreeBSD uses this location
  /etc     -- most UNIX versions put utmp here; some also put wtmp here, and syslog.conf

Log categories:
  Connection time log -- written by multiple programs to /var/log/wtmp and /var/run/utmp. login and other programs update the wtmp and utmp files so that the system administrator can track who is logged on to the system at any time.
  Process statistics -- executed by the system kernel. When a process terminates, the kernel writes one record per process to the process statistics file (pacct or acct). Process statistics provide command usage statistics for basic services in the system.
  Error log -- executed by syslogd(8). Various system daemons, user programs, and the kernel report noteworthy events to the file /var/log/messages through syslog(3). In addition, many UNIX programs create their own logs. Servers that provide network services such as HTTP and FTP also maintain detailed logs.
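As an added example (not from the original memo) of how the syslog(3) path into the error log works: a tiny stand-in for syslogd binds a datagram Unix socket (a temporary path is assumed instead of /dev/log so it runs unprivileged), receives constructed messages sent the way syslog(3) sends them, and decodes the "<PRI>" header into facility and severity.

```python
import os
import re
import socket
import tempfile

# syslog(3) messages start with "<PRI>", where PRI = facility * 8 + severity.
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 9: "cron",
            10: "authpriv", 16: "local0"}
PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)\Z", re.S)


def parse_syslog(datagram):
    """Split one datagram into facility, severity and text; None if the PRI header is malformed."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    return {"facility": FACILITY.get(pri >> 3, str(pri >> 3)),
            "severity": SEVERITY[pri & 7],
            "text": m.group(2).decode("utf-8", "replace").rstrip("\n\0")}


def collect(messages):
    """Act as a minimal syslogd: bind a SOCK_DGRAM Unix socket and parse what arrives.
    Assumption: a temp-dir path stands in for /dev/log so no root is needed."""
    with tempfile.TemporaryDirectory() as d:
        sock_path = os.path.join(d, "log")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        srv.bind(sock_path)
        cli = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        cli.connect(sock_path)
        try:
            results = []
            for m in messages:
                cli.send(m)  # this is what syslog(3) does under the hood
                results.append(parse_syslog(srv.recv(4096)))
            return results
        finally:
            cli.close()
            srv.close()


# Constructed sample datagrams (not captured from a real host); addresses are documentation ranges.
SAMPLE = [
    b"<86>sshd[1234]: Accepted publickey for alice from 198.51.100.7 port 50000",
    b"<38>sshd[1235]: Failed password for invalid user admin from 203.0.113.9",
    b"<0>kernel: constructed emergency message",
    b"no pri header at all",
]


def auth_failures(messages):
    """Defender view: text of auth/authpriv messages that report a failure."""
    return [r["text"] for r in collect(messages)
            if r and r["facility"] in ("auth", "authpriv") and "Failed" in r["text"]]
```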
Common log files and their usage:
  acct or pacct -- records each user's commands
  access_log -- mainly when the server runs NCSA httpd; records the sites that connected to your server
  aculog -- saves records of the modems you dialed
  lastlog -- records each user's most recent login and initial destination; sometimes it is the last successful login record
  loginlog -- records some abnormal login records
  messages -- records output to the system console; messages generated by syslog are also written here
  security -- records some examples of UUCP attempts to enter restricted areas
  sulog -- records use of su
  utmp -- records all users currently logged on to the system; this file changes constantly as users enter and leave the system
  utmpx -- extended utmp
  wtmp -- records user logon and logout events
  syslog -- the most important log file; the syslogd daemon obtains its log information from:
    /dev/log -- a UNIX domain socket, receiving messages generated by processes running on the local machine
    /dev/klog -- a device that receives messages from the UNIX kernel
    port 514 -- an INTERNET socket, receiving syslog messages from other machines over UDP
  uucp -- records UUCP information, which can be updated by local UUCP activity or modified by an action initiated by a remote site; the information includes sent and received calls, sent requests, senders, sending time and sending host
  lpd-errs -- logs for printer fault information
  ftp logs -- run ftpd with the -l option to obtain logging
  httpd logs -- the httpd server records every web access
  history log -- this file stores the user's recent command input
  vold.log -- records errors encountered when using external media

The wtmp and utmp files are both binary files, so you cannot view them with cat or vi. You view them through system commands; common ones are who, users, w, ac, last.
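Because wtmp and utmp are binary, here is an added example (not from the original memo) that reads the record format directly: it packs constructed records in glibc's x86_64 `struct utmp` layout (an assumption; other libcs and architectures use different sizes), parses them back, and pairs logins with logouts the way `last` does.

```python
import struct
from datetime import datetime, timezone

# glibc x86_64 'struct utmp' (384 bytes); assumption: other libcs/architectures differ
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
UT_TYPES = {1: "RUN_LVL", 2: "BOOT_TIME", 5: "INIT_PROCESS", 6: "LOGIN_PROCESS",
            7: "USER_PROCESS", 8: "DEAD_PROCESS"}


def cstr(raw):
    """Decode a NUL-padded C string field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_wtmp(blob):
    """Yield one dict per fixed-size record; a trailing partial record is ignored."""
    for off in range(0, len(blob) - len(blob) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, blob, off)
        yield {"type": UT_TYPES.get(f[0], str(f[0])), "pid": f[1], "line": cstr(f[2]),
               "user": cstr(f[4]), "host": cstr(f[5]),
               "time": datetime.fromtimestamp(f[9], timezone.utc)}


def make_record(ut_type, pid, line, user, host, ts):
    """Pack one constructed record (test data, not read from a real system)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)


def sessions(blob):
    """Pair each USER_PROCESS with the next DEAD_PROCESS on the same line, like `last`.
    Returns (user, line, host, seconds) tuples; seconds is None if still logged in."""
    open_by_line, out = {}, []
    for r in parse_wtmp(blob):
        if r["type"] == "USER_PROCESS":
            open_by_line[r["line"]] = r
        elif r["type"] == "DEAD_PROCESS" and r["line"] in open_by_line:
            start = open_by_line.pop(r["line"])
            out.append((start["user"], start["line"], start["host"],
                        int((r["time"] - start["time"]).total_seconds())))
    out.extend((r["user"], r["line"], r["host"], None) for r in open_by_line.values())
    return out


# Constructed sample wtmp: alice logs in from a remote host and out 10 minutes later; bob stays on.
SAMPLE = (make_record(7, 4242, "pts/0", "alice", "198.51.100.7", 1700000000)
          + make_record(7, 4300, "tty1", "bob", "", 1700000100)
          + make_record(8, 4242, "pts/0", "", "", 1700000600))

if __name__ == "__main__":
    for user, line, host, secs in sessions(SAMPLE):
        dur = "still logged in" if secs is None else f"{secs}s"
        print(f"{user:8} {line:8} {host:16} {dur}")
```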
7.2.2 A brief introduction to these commands

who: finds out which users are currently logged on to the system. Run on its own, who lists the logon account, the terminal used, and the logon time.

w: shows more information than who. Its columns are (see the command's manual for details):
  USER   -- the logged-on user
  TTY    -- the tty name the user is using
  FROM   -- where the user logged in from
  LOGIN@ -- date and time of logon
  IDLE   -- the number of minutes since a program last read from the terminal
  JCPU   -- CPU time used by all processes attached to the tty and their child processes
  PCPU   -- CPU time used by the current active process
  WHAT   -- the name and arguments of the current process

users: needs no explanation; it simply prints the logged-on users.

last: displays recent user or terminal logon information.

(This section is still being added to.)

7.3 --- Appendix: common commands for viewing system information

System:
  uname -a                     # view kernel/OS/CPU information
  cat /etc/issue               # view OS version
  cat /etc/redhat-release      # view OS version
  cat /proc/cpuinfo            # view CPU information
  hostname                     # view computer name
  lspci -tv                    # list all PCI devices
  lsusb -tv                    # list all USB devices
  lsmod                        # list loaded kernel modules
  env                          # view environment variables

Resources:
  free -m                      # view memory usage and swap usage
  df -h                        # view usage of each partition
  du -sh <directory>           # view the size of a specified directory
  grep MemTotal /proc/meminfo  # view total memory
  grep MemFree /proc/meminfo   # view free memory
  uptime                       # view system uptime, number of users, and load
  cat /proc/loadavg            # view system load

Disks and partitions:
  mount | column -t            # view the status of mounted partitions
  fdisk -l                     # view all partitions
  swapon -s                    # view all swap partitions
  hdparm -i /dev/hda           # view disk parameters (IDE devices only)
  dmesg | grep IDE             # view IDE device detection status at startup

Network:
  ifconfig                     # view the attributes of all network interfaces
  iptables -L                  # view firewall settings
  route -n                     # view routing table
  netstat -lntp                # view all listening ports
  netstat -antp                # view all established connections
  netstat -s                   # view network statistics

Processes:
  ps -ef                       # view all processes
  top                          # display process status in real time (details in another article)

Users:
  w                            # view active users
  id <username>                # view the specified user's information
  last                         # view user logon logs
  cut -d: -f1 /etc/passwd      # view all users of the system
  cut -d: -f1 /etc/group       # view all groups of the system
  crontab -l                   # view scheduled tasks of the current user

Services:
  chkconfig --list             # list all system services
  chkconfig --list | grep on   # list all started system services

Programs:
  rpm -qa                      # view all installed software packages
