5 common commands for Linux log management

Source: Internet
Author: User
Tags: exit, file system, ftp, linux

From ext to ext2, from ext2 to ext3 and later ext4, Linux systems have always been known for their powerful, rich and complete journaling systems. By managing the logs you can get a clear picture of the system's health, and you can also detect an intrusion from the clues they contain and stop it quickly. This article is the fourth part of a series on overall management of Linux systems and covers Linux log management. The previous three parts are: file system management, Linux process management, and user management.

The main functions of logs are auditing and monitoring. They also allow real-time monitoring of system status, monitoring and tracking of intruders, and so on. One of the keys to successfully managing any system is knowing what is happening on it. Linux provides exception logging, and the level of detail is configurable. Linux logs are stored in plain text, so users can search and read them without special tools, and can also write scripts that scan the logs and automate certain actions based on their content. Linux logs are stored under the /var/log directory. Several log files there are maintained by the system itself, but other services and programs may also put their logs there. Most logs can be read only by the root account, although the file permissions can be changed so that other users can read them. On a Linux system there are four main types of logs:

Connection time log: written by several programs, which record entries in files such as /var/log/wtmp and /var/run/utmp. login updates the wtmp and utmp files, allowing system administrators to track who is logged on to the system.

Process accounting: performed by the system kernel. When a process terminates, a record for that process is written to the process accounting file (pacct or acct). The purpose of process accounting is to provide command usage statistics for basic services on the system.

Error log: handled by the syslogd(8) daemon. Various system daemons, user programs and the kernel report noteworthy events to the file /var/log/messages through the syslog(3) interface. Many other UNIX programs create logs as well. Servers that provide network services, such as HTTP and FTP, also maintain detailed logs.

Utility log: many programs reflect the security state of the system by maintaining a log. The su command lets a user obtain another user's privileges, so its security is important; its log file is sulog. The same goes for sudolog. In addition, HTTP servers such as Apache keep two logs: access_log (client access log) and error_log (server error log). The FTP service logs to the xferlog file, and the log of the mail delivery service (sendmail) under Linux is generally stored in the maillog file.

The utmp and wtmp log files are key to most Linux log subsystems; they keep records of user logins and logouts. Information about currently logged-on users is recorded in the utmp file, login and logout records are kept in the wtmp file, and machine events (data interchange, shutdown and reboot) are also recorded in the wtmp file. Every record contains a timestamp. Timestamps are important for logging because much attack analysis depends heavily on time. On systems with many users these files grow very quickly; for example, the wtmp file grows without limit unless it is truncated periodically. Many systems configure wtmp to be rotated daily or weekly, usually by a script run from cron. These scripts rotate the wtmp file by renaming it: typically wtmp is renamed wtmp.1 at the end of the first day, wtmp.1 becomes wtmp.2, and so on, and the user can name and configure the files as the situation requires.
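The rotation scheme just described, written out as an added Python example (not a script from the article): it shifts wtmp.N to wtmp.N+1 highest-first so nothing is overwritten, discards the generation beyond the retention limit, renames wtmp to wtmp.1, and starts a fresh, empty wtmp with the same permissions so login can keep appending records. The path, the retention count and the constructed 384-byte sample record are assumptions for this example; on a real system it would run from cron as root against /var/log/wtmp.

```python
import os
import stat
import tempfile


def rotate_wtmp(path, keep=3):
    """Rotate the binary log at `path` into numbered generations.

    Returns the sorted names of the log and its generations afterwards.
    `path` and `keep` are assumptions for this example.
    """
    # Discard the generation that falls outside the retention limit.
    oldest = f"{path}.{keep}"
    if os.path.exists(oldest):
        os.remove(oldest)
    # Shift existing generations up by one, highest first, so no file is clobbered.
    for n in range(keep - 1, 0, -1):
        src = f"{path}.{n}"
        if os.path.exists(src):
            os.replace(src, f"{path}.{n + 1}")
    # Remember the current mode (typically 0664, owner root, group utmp) so the
    # replacement file keeps the permissions login(1) relies on to append records.
    mode = stat.S_IMODE(os.stat(path).st_mode) if os.path.exists(path) else 0o664
    if os.path.exists(path):
        os.replace(path, f"{path}.1")
    # Create the new, empty wtmp; O_CREAT honours the umask, so chmod sets the exact mode.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT, mode)
    os.close(fd)
    os.chmod(path, mode)
    base = os.path.basename(path)
    return sorted(
        name for name in os.listdir(os.path.dirname(path))
        if name == base or name.startswith(base + ".")
    )


def demo():
    """Rotate a constructed wtmp twice in a temp dir; return (names, sizes, mode of new wtmp)."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "wtmp")
        with open(p, "wb") as f:
            f.write(b"\x00" * 384)  # constructed: one blank 384-byte utmp record
        os.chmod(p, 0o664)
        names = None
        for _ in range(2):
            names = rotate_wtmp(p, keep=3)
        sizes = {n: os.path.getsize(os.path.join(d, n)) for n in names}
        return names, sizes, stat.S_IMODE(os.stat(p).st_mode)


if __name__ == "__main__":
    print(demo())
```

After two rotations the original record has moved to wtmp.2 while wtmp and wtmp.1 are empty, and the new wtmp carries the original mode; the renames are done with os.replace so each step is atomic on the same filesystem.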

The utmp file is used by various commands, including who, w, users and finger. The wtmp file is used by the last and ac programs.

wtmp and utmp are binary files, so they cannot be clipped or merged with commands such as tail or cat. Users must use who, w, users, last and ac to make use of the information in these two files.

1. The who command

The who command queries the utmp file and reports each user currently logged on. Its default output includes the user name, terminal, logon date and time, and remote host. With this command the system administrator can view, audit and deal with unauthorized users on the current system. For example, running who shows the following:

# who
root     pts/1        2010-02-22 13:02 (:0.0)
root     pts/2        2010-02-22 15:57 (:0.0)
root     pts/3        2010-02-22 15:57 (:0.0)

If the wtmp file name is given, who queries all previous records. The command who /var/log/wtmp reports every login since the wtmp file was created or truncated. For example, running the command looks like this:

# who /var/log/wtmp
root     :0           2010-01-24 21:47
root     pts/1        2010-01-24 21:47 (:0.0)
root     :0           2010-02-20 19:36
root     pts/1        2010-02-20 19:36 (:0.0)
root     :0           2010-02-21 15:21
root     pts/1        2010-02-21 15:56 (:0.0)
root     pts/2        2010-02-21 16:03 (:0.0)
root     :0           2010-02-22 13:01
root     pts/1        2010-02-22 13:02 (:0.0)
root     pts/2        2010-02-22 15:57 (:0.0)
root     pts/3        2010-02-22 15:57 (:0.0)
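Because utmp and wtmp are binary, who and last decode fixed-size records rather than lines of text. The following Python parser is an added example, not code from the article: it unpacks the glibc x86_64 struct utmp layout (384 bytes per record) from constructed sample bytes, reproduces the who listing of USER_PROCESS records, and pairs each login with the DEAD_PROCESS record on the same line the way last does. The record layout, the type constants, and all sample values (pids, times, the logout on pts/2) are assumptions for this example; on a real system you would read /var/run/utmp or /var/log/wtmp, and the layout differs on some other architectures.

```python
import struct
from datetime import datetime, timezone

# glibc x86_64 layout of struct utmp (bits/utmp.h): ut_type, 2 pad bytes, ut_pid,
# ut_line[32], ut_id[4], ut_user[32], ut_host[256], ut_exit (two shorts),
# ut_session, ut_tv (sec, usec as 32-bit), ut_addr_v6[4], 20 unused bytes.
UTMP_FORMAT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)  # 384 bytes

# ut_type values from <utmp.h>
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def _cstr(raw):
    """Decode a NUL-padded fixed-width char array."""
    return raw.split(b"\x00", 1)[0].decode("utf-8", "replace")


def parse_utmp(data):
    """Yield one dict per complete record; a truncated trailing record is ignored."""
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FORMAT, data, off)
        yield {
            "type": f[0], "pid": f[1], "line": _cstr(f[2]), "id": _cstr(f[3]),
            "user": _cstr(f[4]), "host": _cstr(f[5]),
            "time": datetime.fromtimestamp(f[9], tz=timezone.utc),
        }


def who(data):
    """Rows like `who`: (user, line, 'YYYY-MM-DD HH:MM', host) for each USER_PROCESS record."""
    return [(r["user"], r["line"], r["time"].strftime("%Y-%m-%d %H:%M"), r["host"])
            for r in parse_utmp(data) if r["type"] == USER_PROCESS]


def sessions(data):
    """Pair each login with the later DEAD_PROCESS record on the same line, like `last`.

    Returns (user, line, login_time, logout_time); logout_time is None if still open.
    """
    open_by_line, out = {}, []
    for r in parse_utmp(data):
        stamp = r["time"].strftime("%Y-%m-%d %H:%M")
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = len(out)
            out.append([r["user"], r["line"], stamp, None])
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            out[open_by_line.pop(r["line"])][3] = stamp
    return [tuple(s) for s in out]


def make_record(ut_type, pid, line, user, host, when):
    """Build one constructed record for the sample data (real files are written by login(1))."""
    secs = int(when.replace(tzinfo=timezone.utc).timestamp())
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, secs, 0, 0, 0, 0, 0)


# Constructed sample: a boot record, the root logins on pts/1 and pts/2 from the
# who output above, and a logout on pts/2 (the pts/1 session stays open).
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "", datetime(2010, 2, 22, 13, 1)),
    make_record(USER_PROCESS, 2401, "pts/1", "root", ":0.0", datetime(2010, 2, 22, 13, 2)),
    make_record(USER_PROCESS, 2755, "pts/2", "root", ":0.0", datetime(2010, 2, 22, 15, 57)),
    make_record(DEAD_PROCESS, 2755, "pts/2", "", "", datetime(2010, 2, 22, 16, 30)),
])

if __name__ == "__main__":
    # For the live files: who(open("/var/run/utmp", "rb").read()) or the wtmp path.
    for row in who(SAMPLE_WTMP):
        print("%-8s %-12s %s (%s)" % row)
    for s in sessions(SAMPLE_WTMP):
        print(s)
```

Reading the records yourself gives an independent check on what who and last report, since those commands trust the same file; an open session with no matching DEAD_PROCESS record is exactly what who shows as a current login.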
