Common log files and commands in Linux

One of the keys to managing any system successfully is knowing what is happening on it. Linux provides logs for this purpose, and how much detail they record is configurable. Linux logs are stored as plain text, so you can search and read them without special tools, and you can write scripts that scan them and automatically take action based on their contents.

Linux logs live in the /var/log directory. Several of the log files there are maintained by the system itself, but other services and programs may also write their logs there. Most logs can be read only by the root account, although changing the file permissions allows other users to read them. The common Red Hat Linux log files are described below.

/var/log/boot.log

This file records system events during the boot process, that is, the messages displayed while the Linux system runs its start-up self-checks.

/var/log/cron

This file records the actions of the child processes spawned by the crontab daemon, crond: the user, the logon time and PID, and the action taken by the spawned process. A CMD action is the common case of cron spawning a scheduled job. A REPLACE action records an update to a user's cron file, which lists the jobs to be run periodically. A RELOAD action occurs shortly after a REPLACE: cron has noticed that a user's cron file was updated and has to reload it into memory. Unusual activity can sometimes be spotted in this file.

/var/log/maillog

This file records every mail activity sent to or from the system. It can be used to see which mail program a user used and which system the data was sent to.
The following is a segment of the log file:

    Sep  4 17:23:52 unix sendmail[1950]: g849Npp01950: from=root, size=25, class=0, nrcpts=1, msgid=<200209040923.g849Npp01950@redhat.pfcc.com.cn>, relay=root@localhost
    Sep  4 17:23:55 unix sendmail[1950]: g849Npp01950: to=lzy@fcceec.net, ctladdr=root (0/0), delay=00:00:04, xdelay=00:00:03, mailer=esmtp, pri=30025, relay=fcceec.net. [10.152.8.2], dsn=2.0.0, stat=Sent (Message queued)

/var/log/messages

This file is a summary of the logs of many processes, and in it you can see intrusion attempts as well as successful intrusions. For example:

    Sep  3 08:30:17 unix login[1275]: FAILED LOGIN 2 FROM (null) FOR suying, Authentication failure
    Sep  4 17:40:28 unix -- suying[2017]: LOGIN ON pts/1 BY suying FROM fcceec.www.ec8.pfcc.com.cn
    Sep  4 17:40:39 unix su(pam_unix)[2048]: session opened for user root by suying(uid=999)

The format of this file is that each line contains the date, the host name, the program name followed by square brackets containing the PID or kernel ID, a colon and a space, and finally the message. The file has one disadvantage: the recorded intrusion attempts and successful intrusions are drowned in a large number of normal process records. However, what goes into this file can be customized through /etc/syslog.conf. That configuration file determines how the system writes /var/log/messages; how to configure /etc/syslog.conf to control the behaviour of system logging is described in detail later.

/var/log/syslog

By default Red Hat Linux does not generate this log file, but you can configure /etc/syslog.conf so that the system produces it. It differs from /var/log/messages in that it records only warning information, which usually points to a problem with the system, so you should pay particular attention to it. To have the system generate this file, add the following line to /etc/syslog.conf:

    *.warning    /var/log/syslog

This file records information such as wrong passwords entered at logon (recorded by login), sendmail problems, and failed su commands. The following is one record:

    Sep  6 16:47:52 unix login(pam_unix)[2384]: check pass; user unknown

/var/log/secure

This file records security-related information. Part of the file looks like this:

    Sep  4 16:05:09 unix xinetd[711]: START: ftp pid=1815 from=127.0.0.1
    Sep  4 16:05:09 unix xinetd[1815]: USERID: ftp OTHER :root
    Sep  4 16:07:24 unix xinetd[711]: EXIT: ftp pid=1815 duration=135(sec)
    Sep  4 16:10:05 unix xinetd[711]: START: ftp pid=1846 from=127.0.0.1
    Sep  4 16:10:05 unix xinetd[1846]: USERID: ftp OTHER :root
    Sep  4 16:16:26 unix xinetd[711]: EXIT: ftp pid=1846 duration=381(sec)
    Sep  4 17:40:20 unix xinetd[711]: START: telnet pid=2016 from=10.152.8.2

/var/log/lastlog

This file records each user's last successful and last unsuccessful logon event; it is written by login. It is a binary file and must be viewed with the lastlog command, which displays the user name, port and last logon time sorted by UID. If a user has never logged on, the entry is shown as ** never logged in **. This command can only be executed by root.
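The line layout described above for /var/log/messages (date, host, program[pid]: message) can be parsed mechanically, which is the only practical way to pull the few intrusion-relevant records out of the flood of normal ones. The following is an added example, not code from the original article; the sample lines are constructed in the style of the excerpt above, and the failed-login and su-to-root patterns are the ones shown there.

```python
import re
from collections import Counter

# Line layout described above: "Mon DD HH:MM:SS host program[pid]: message".
# The program field may carry a PAM module suffix, e.g. "su(pam_unix)",
# and kernel lines have no "[pid]" part at all, so the pid group is optional.
SYSLOG_LINE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+?)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED_LOGIN = re.compile(r"FAILED LOGIN \d+ FROM (?P<src>\S+) FOR (?P<user>\w+)")
SU_ROOT = re.compile(r"session opened for user root by (?P<user>\w+)")

# Constructed sample in the style of the /var/log/messages excerpt above.
SAMPLE_LINES = [
    "Sep  3 08:30:17 unix login[1275]: FAILED LOGIN 2 FROM (null) FOR suying, Authentication failure",
    "Sep  3 08:30:21 unix login[1275]: FAILED LOGIN 3 FROM (null) FOR suying, Authentication failure",
    "Sep  4 17:40:28 unix -- suying[2017]: LOGIN ON pts/1 BY suying FROM fcceec.www.ec8.pfcc.com.cn",
    "Sep  4 17:40:39 unix su(pam_unix)[2048]: session opened for user root by suying(uid=999)",
    "Sep  5 09:38:42 unix kernel: IP Protocols: ICMP, UDP, TCP, IGMP",
    "garbage line that does not follow the format",
]


def parse_line(line):
    """Split one line into its fields, or return None if it does not fit the layout."""
    m = SYSLOG_LINE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


def audit(lines):
    """Collect failed logins per user, su sessions that gained root, and lines
    that could not be parsed (which a reviewer should look at by hand)."""
    failed = Counter()
    su_root = []
    unparsed = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
            continue
        prog = rec["prog"].split("(")[0]          # drop a "(pam_unix)" suffix
        if prog == "login":
            m = FAILED_LOGIN.search(rec["msg"])
            if m:
                failed[m.group("user")] += 1
        elif prog == "su":
            m = SU_ROOT.search(rec["msg"])
            if m:
                su_root.append((rec["month"], rec["day"], rec["time"], m.group("user")))
    return {"failed": dict(failed), "su_root": su_root, "unparsed": unparsed}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LINES).items():
        print(key, value)
```

To run it over the real file, replace SAMPLE_LINES with the lines of /var/log/messages (read as root).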
Simply enter the lastlog command and you will see information similar to the following:

    Username         Port     From             Latest
    root             tty2                      Tue Sep  3 08:32:27 +0800 2002
    bin                                        **Never logged in**
    daemon                                     **Never logged in**
    adm                                        **Never logged in**
    lp                                         **Never logged in**
    sync                                       **Never logged in**
    shutdown                                   **Never logged in**
    halt                                       **Never logged in**
    mail                                       **Never logged in**
    news                                       **Never logged in**
    uucp                                       **Never logged in**
    operator                                   **Never logged in**
    games                                      **Never logged in**
    gopher                                     **Never logged in**
    ftp              unix                      Tue Sep  3 14:49:04 +0800 2002
    nobody                                     **Never logged in**
    nscd                                       **Never logged in**
    mailnull                                   **Never logged in**
    ident                                      **Never logged in**
    rpc                                        **Never logged in**
    rpcuser                                    **Never logged in**
    xfs                                        **Never logged in**
    ann                                        **Never logged in**
    s                                          **Never logged in**
    apache                                     **Never logged in**
    lzy              tty2                      Mon Jul 15 08:50:37 +0800 2002
    suying           tty2                      Tue Sep  3 :17 +0800 2002

System accounts such as bin, daemon, adm, uucp and mail should never log on. If these accounts show a logon, the system may have been intruded. If the recorded time is not a time at which the user actually logged on to the console, the user's account has been compromised.

/var/log/wtmp

This file permanently records each user's logons and logouts and the system's start-ups and shutdowns. As the system runs normally the file therefore grows, at a rate that depends on how often users log in. It can be used to review users' logon records. The last command obtains this information by reading this file and displays the logon records in reverse order; last can also restrict the output by user, by terminal (tty) or by time. The last command takes two optional parameters: last -u <user name> shows that user's last logon status, and last -t <days> shows the logon status before the specified number of days.

/var/run/utmp

This file records information about every user currently logged on.
The file therefore changes as users log in and out. It keeps only the records of the users who are online at that moment and holds no permanent record of any user. Programs that need to query the current user status, such as who, w, users and finger, read this file. The file does not always contain accurate information: some unexpected errors terminate a user's logon session without the system updating the utmp record in time, so the file is not fully trustworthy.

The three files mentioned above (/var/log/wtmp, /var/run/utmp and /var/log/lastlog) are the key files of the log subsystem; all of them record user logon status, and every record carries a timestamp. They are stored in binary format, so you cannot view them directly with commands such as less and cat; you must use the corresponding commands instead. The utmp and wtmp files share the same data structure, while lastlog uses a different one. You can use man to look up the exact data structure of utmp and wtmp.

Each time a user logs on, the login program looks up the user's UID in the lastlog file. If an entry exists, the user's last logon and logout time and host name are written to standard output. The login program then records the new logon time in lastlog, opens the utmp file and inserts the user's utmp record. This record is deleted when the user logs out. The utmp file is used by commands such as who, w, users and finger. Next, the login program opens the wtmp file and appends the user's utmp record. When the user logs out, the same utmp record with an updated timestamp is appended to the file again. The wtmp file is used by the last program.

/var/log/xferlog

This file records FTP sessions and shows which files users have copied to or from the FTP server.
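Because utmp, wtmp and lastlog are binary, reading them without the standard tools means decoding their record structures. The following added example (not code from the original article) does that in Python, assuming the glibc x86-64 layouts: a 384-byte struct utmp shared by utmp and wtmp, and a 292-byte struct lastlog indexed by UID; the images it decodes are constructed in the block, not read from a real system. It shows why `who` lists only USER_PROCESS records and why lastlog prints ** never logged in ** for an empty slot.

```python
import struct
from datetime import datetime, timezone

# Assumed layouts: glibc on x86-64 (check `man 5 utmp` on the target system).
# struct utmp is 384 bytes; utmp and wtmp share it.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)        # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8
# struct lastlog is 292 bytes and the file is indexed by UID (slot = uid * 292).
LASTLOG_FMT = "<i32s256s"
LASTLOG_SIZE = struct.calcsize(LASTLOG_FMT)  # 292


def _cstr(raw):
    """Decode a NUL-padded fixed-width char array."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def utmp_records(data):
    """Yield one dict per record of a utmp or wtmp image (same structure for both)."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        fields = struct.unpack_from(UTMP_FMT, data, off)
        ut_type, pid, line, ident, user, host = fields[:6]
        tv_sec = fields[9]                   # ut_tv.tv_sec
        yield {"type": ut_type, "pid": pid, "line": _cstr(line), "id": _cstr(ident),
               "user": _cstr(user), "host": _cstr(host),
               "time": datetime.fromtimestamp(tv_sec, timezone.utc)}


def who(data):
    """What who(1) reports: only USER_PROCESS records describe a login session.
    On /var/run/utmp that is the current users; on /var/log/wtmp it is every login."""
    return [(r["user"], r["line"], r["host"]) for r in utmp_records(data)
            if r["type"] == USER_PROCESS]


def lastlog_entry(data, uid):
    """Return the last-logon slot for a UID, or None for ** never logged in **."""
    off = uid * LASTLOG_SIZE
    if off + LASTLOG_SIZE > len(data):
        return None
    ll_time, line, host = struct.unpack_from(LASTLOG_FMT, data, off)
    if ll_time == 0:
        return None
    return {"time": datetime.fromtimestamp(ll_time, timezone.utc),
            "line": _cstr(line), "host": _cstr(host)}


# Constructed sample images (not real files): a wtmp with a boot record, two logins
# and one logout, and a lastlog with slots for UIDs 0..3 of which two are filled.
def make_utmp(ut_type, pid, line, ident, user, host, tv_sec):
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ident.encode(),
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

SAMPLE_WTMP = b"".join([
    make_utmp(BOOT_TIME, 0, "~", "~~", "reboot", "", 1031181522),
    make_utmp(USER_PROCESS, 1275, "tty2", "tty2", "root", "", 1031041947),
    make_utmp(USER_PROCESS, 2017, "pts/1", "ts/1", "suying", "fcceec.www.ec8.pfcc.com.cn", 1031132428),
    make_utmp(DEAD_PROCESS, 1275, "tty2", "tty2", "", "", 1031050000),
])

SAMPLE_LASTLOG = bytearray(LASTLOG_SIZE * 4)
struct.pack_into(LASTLOG_FMT, SAMPLE_LASTLOG, 0 * LASTLOG_SIZE, 1031041947, b"tty2", b"")
struct.pack_into(LASTLOG_FMT, SAMPLE_LASTLOG, 3 * LASTLOG_SIZE, 1031132428, b"pts/1",
                 b"fcceec.www.ec8.pfcc.com.cn")
SAMPLE_LASTLOG = bytes(SAMPLE_LASTLOG)
```

On a live system the same functions take `open("/var/run/utmp", "rb").read()` or `open("/var/log/wtmp", "rb").read()` as input (root is normally needed for wtmp and lastlog).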
It reveals both malicious programs copied onto the server in order to break into it and files copied by users for their own use. The format of the file is: the first field is the date and time; then follow the number of seconds the transfer took, the remote system name, the file size, the local path name, the transfer type (a: ASCII, b: binary), a special-action flag for compression or tar handling (or _ if none was applied), the transfer direction relative to the server (i: inbound, o: outbound), the access mode (a: anonymous, g: guest with password, r: real user), the user name, the service name (usually ftp), the authentication method (1: RFC 931, 0: none) and the authenticated user ID (or *). Below is one record from the file:

    Wed Sep  4 08:14:03 2002 1 unix 275531 /var/ftp/lib/libnss_files-2.2.2.so b _ o a root@unix ftp 0 * c

/var/log/kernlog

By default Red Hat Linux does not produce this log file. To enable it, add the following line to /etc/syslog.conf:

    kern.*    /var/log/kernlog

All kernel messages are then recorded in /var/log/kernlog. This file records the status of devices being loaded or used when the system starts. Normally it reflects ordinary operation, but if it records operations performed by unauthorized users you should take note: this is probably the work of a malicious user. Part of the file follows:

    Sep  5 09:38:42 unix kernel: NET4: Linux TCP/IP 1.0 for NET4.0
    Sep  5 09:38:42 unix kernel: IP Protocols: ICMP, UDP, TCP, IGMP
    Sep  5 09:38:42 unix kernel: IP: routing cache hash table of 512 buckets, 4Kbytes
    Sep  5 09:38:43 unix kernel: TCP: Hash tables configured (established 4096 bind 4096)
    Sep  5 09:38:43 unix kernel: Linux IP multicast router 0.06 plus PIM-SM
    Sep  5 09:38:43 unix kernel: NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
    Sep  5 09:38:44 unix kernel: EXT2-fs warning: checktime reached, running e2fsck is recommended
    Sep  5 09:38:44 unix kernel: VFS: Mounted root (ext2 filesystem).
    Sep  5 09:38:44 unix kernel: SCSI subsystem driver Revision: 1.00

/var/log/XFree86.x.log

This file records the start-up status of X Window.

Besides /var/log, malicious users may also leave traces elsewhere. Pay attention to the following: the shell history files of root and of other accounts; users' mailboxes, for example .sent, mbox and the mail stored in /var/spool/mail/ and /var/spool/mqueue; the temporary directories /tmp, /usr/tmp and /var/tmp; hidden directories; and files created by malicious users, which are usually hidden files whose names begin with a dot.

Specific commands

wtmp and utmp are binary files. They cannot be trimmed or merged with commands such as tail or cat. You need commands such as who, w, users, last and ac to use the information contained in these two files.

who

The who command queries the utmp file and reports every user currently logged on. Its default output includes the user name, terminal type, logon date and remote host. For example, type who and press Enter to display the following:

    chyang   pts/0   Aug 18
    ynguo    pts/2   Aug 18
    ynguo    pts/3   Aug 18
    lewis    pts/4   Aug 18
    ynguo    pts/7   Aug 18
    ylou     pts/8   Aug

If a wtmp file name is given, who reports all earlier records: the command who /var/log/wtmp reports every login since the wtmp file was created or truncated.

w

The w command queries the utmp file and shows each user currently on the system and the processes they are running. For example, type w and press Enter to display the following:

    PM  up 1 day,  6 users,  load average: 0.23, 0.29, 0.27
    USER     TTY    FROM              LOGIN@  IDLE   JCPU   PCPU  WHAT
    chyang   pts/0  202.38.68.242     06PM           0.08s  0.04s -bash
    ynguo    pts/2  202.38.79.47      PM      0.00s  0.14s  0.05s w
    lewis    pts/3  202.38.64.233     :55PM   30:39  0.27s  0.22s -bash
    lewis    pts/4  202.38.64.233     PM      6.00s  4.03s  0.01s sh /home/users/
    ynguo    pts/7  simba.nic.ustc.e  PM      0.00s  0.47s  0.24s telnet mail
    ylou     pts/8  202.38.64.235     PM      1:09m  0.10s  0.04s -bash

users

The users command prints the currently logged-on users on a single line. Each displayed name corresponds to one logon session, so a user with more than one session appears the same number of times. For example, type users and press Enter to display the following:

    chyang lewis ylou ynguo

last

The last command searches wtmp and displays the users who have logged on since the file was created. Example:

    chyang   pts/9   202.38.68.242   Tue Aug 1  -  ()
    cfan     pts/6   202.38.64.20    Tue Aug 1     ()
    chyang   pts/4   202.38.68.242   Tue Aug 1  -  ()
    lewis    pts/3   202.38.64.233   Tue Aug 1     ()
    lewis    pts/2   202.38.64.233   Tue Aug 1  -  ()

If a user is specified, last reports only that user's recent activity. For example, type last ynguo and press Enter to display the following:

    ynguo    pts/4   simba.nic.ustc.e   Fri Aug 4 16:50  -  ()
    ynguo    pts/4   simba.nic.ustc.e   Thu Aug 3        -  ()
    ynguo    pts/11  simba.nic.ustc.e   Thu Aug 3        -  ()
    ynguo    pts/0   simba.nic.ustc.e   Thu Aug 3        -  ()
    ynguo    pts/0   simba.nic.ustc.e   Wed Aug 2 0:04 - 0:16  (1+02:12)
    ynguo    pts/0   simba.nic.ustc.e   Wed Aug 2 00:43 - 00:54  (00:11)
    ynguo    pts/9   simba.nic.ustc.e   Thu Aug 1           ()

ac

The ac command reports users' connection time in hours, according to the logins and logouts recorded in /var/log/wtmp. Without any flag it reports the total. For example, type ac and press Enter to display the following:

    total 5177.47

Type ac -d and press Enter to display the total connection time for each day:

    Aug 12  total  261.87
    Aug 13  total  351.39
    Aug 14  total  396.09
    Aug 15  total  462.63
    Aug 16  total  270.45
    Aug 17  total  104.29
    Today   total  179.02

Type ac -p and press Enter to display the total connection time of each user:

    ynguo      193.23
    yucao        3.35
    rong       133.40
    hdai        10.52
    zjzhu       52.87
    zqzhou      13.14
    liangliu    24.34
    total     5178.24

lastlog

The lastlog file is queried every time a user logs on. You can use the lastlog command to check a particular user's last logon time; it formats /var/log/lastlog for display, showing the logon name, port (tty) and last logon time sorted by UID. If a user has never logged on, lastlog displays ** never logged in **. Note that you need to run this command as root. For example:

    rong      5      parse           Fri Aug 18 15:57:01 +0800 2000
    dbb                              **Never logged in**
    xinchen                          **Never logged in**
    pb9511                           **Never logged in**
    xchen     0      202.38.64.190   Sun Aug 13 10:01:22 +0800 2000

Some parameters can also be added. For example, lastlog -u 102 reports the user whose UID is 102, and lastlog -t 7 limits the report to the previous week.

Process accounting

UNIX can track every command run by every user. If you want to know which important files were tampered with last night, the process accounting subsystem can tell you; it also helps to track an attacker. Unlike connection-time logging, process accounting is not enabled by default and must be started. In Linux, the accton command starts process accounting and must be run as root. Its form is accton <file>, and the file must exist beforehand. Create the pacct file with touch:

    touch /var/log/pacct

and then start accounting:

    accton /var/log/pacct

Once accounting is active, you can use the lastcomm command at any time to inspect the commands executed on the system. To turn accounting off, run accton with no arguments.
lastcomm

The lastcomm command reports previously executed commands. Without arguments it displays information about every command recorded during the lifetime of the current accounting file: the command name, the user, the tty, the CPU time the command consumed and a timestamp. On a system with many users the output may be very long. See the following example:

    crond            F    root   ??     0.00 secs Sun Aug 20
    promisc_check.s       root   ??     0.04 secs Sun Aug 20
    promisc_check         root   ??     0.01 secs Sun Aug 20
    grep                  root   ??     0.02 secs Sun Aug 20
    tail                  root   ??     0.01 secs Sun Aug 20
    sh                    root   ??     0.01 secs Sun Aug 20
    ping             S    root   ??     0.01 secs Sun Aug 20
    ping6.pl         F    root   ??     0.01 secs Sun Aug 20
    sh                    root   ??     0.01 secs Sun Aug 20
    ping             S    root   ??     0.02 secs Sun Aug 20
    ping6.pl         F    root   ??     0.02 secs Sun Aug 20
    sh                    root   ??     0.02 secs Sun Aug 20
    ping             S    root   ??     0.00 secs Sun Aug 20
    ping6.pl         F    root   ??     0.01 secs Sun Aug 20
    sh                    root   ??     0.01 secs Sun Aug 20
    ping             S    root   ??     0.01 secs Sun Aug 20
    sh                    root   ??     0.02 secs Sun Aug 20
    ping             S    root   ??     1.34 secs Sun Aug 20
    locate                root   ttyp0  1.34 secs Sun Aug 20
    accton           S    root   ttyp0  0.00 secs Sun Aug 20

One problem with process accounting is that the pacct file can grow very quickly. You therefore need to run the sa command, interactively or via cron, to keep the accounting data under control.

sa

The sa command reports on, cleans up and maintains the process accounting files. It can condense the information in /var/log/pacct into the summary files /var/log/savacct and /var/log/usracct, which hold system statistics by command name and by user name. By default sa reads these summaries first and then the pacct file, so that the report covers all available information. sa prints some of the following labelled items:

    avio    average number of I/O operations per execution
    cp      sum of user and system time, in minutes
    cpu     same as cp
    k       CPU-time averaged core (kernel memory) usage, in 1K units
    k*sec   CPU storage integral, in 1K-core seconds
    re      real time, in minutes
    s       system time, in minutes
    tio     total number of I/O operations
    u       user time, in minutes

For example:

    842   173.26re   4.30cp   0avio   358k
      2    10.98re   4.06cp   0avio   299k   find
      9    24.80re   0.05cp   0avio   291k   ***other*
    105    30.44re   0.03cp   0avio   302k   ping
    104    30.55re   0.03cp   0avio   394k   sh
    162     0.11re   0.03cp   0avio   413k   security.sh*
    154     0.03re   0.02cp   0avio   273k   ls
     56    1160.02cp          0avio   823k   ping6.pl*
      2     3.23re   0.02cp   0avio   822k   limit
     35     0.02re   0.01cp   0avio   257k   md5sum
     97     0.02re   0.01cp   0avio   263k   initlog
     12     0.19re   0.01cp   0avio   399k   promisc_check.s
     15     0.09re   0.00cp   0avio   288k   grep
     11     0.08re   0.00cp   0avio   332k   awk

Users can also obtain a summary by user rather than by command. For example, type sa -m and the following is displayed:

             885   173.28re   4.31cp   0avk
    root     879   173.23re   4.31cp   0avk
    alias      3     0.05re   0.00cp   0avk
    qmailp     3     0.01re   0.00cp   0avk

syslog

The syslog facility is used by many logging functions and by many protective measures. Any program can record events through syslog. syslog can record system events, write them to a file or a device, or send a message to users; it can record local events or events from another host over the network. The syslog facility depends on two important files: /etc/syslogd (the daemon) and /etc/syslog.conf. Traditionally, most syslog information is written to the message files (messages.*) in the /var/adm or /var/log directory. A typical syslog record includes the name of the generating program and a text message. It also carries a facility and a priority (which are not written into the log). Each syslog message is assigned to one of the following main facilities:

    LOG_AUTH      the authentication system: login, su, getty, etc.
    LOG_AUTHPRIV  same as LOG_AUTH, but logged to a file readable only by selected users
    LOG_CRON      the cron daemon
    LOG_DAEMON    other system daemons, such as routed
    LOG_FTP       ftpd and tftpd
    LOG_KERN      messages generated by the kernel
    LOG_LPR       the printer spooling system: lpr and lpd
    LOG_MAIL      the mail system
    LOG_NEWS      the network news system
    LOG_SYSLOG    internal messages generated by syslogd(8)
    LOG_USER      messages generated by ordinary user processes
    LOG_UUCP      the UUCP subsystem
    LOG_LOCAL0 to LOG_LOCAL7   reserved for local use

syslog also assigns each event one of several priorities:

    LOG_EMERG     emergency
    LOG_ALERT     a problem that should be corrected immediately, for example a corrupted system database
    LOG_CRIT      a critical condition, such as a hard disk error
    LOG_ERR       an error
    LOG_WARNING   a warning
    LOG_NOTICE    not an error, but may need attention
    LOG_INFO      informational
    LOG_DEBUG     debugging information, normally used only while debugging a program

The syslog.conf file specifies the logging behaviour of the syslogd program, which reads the configuration file when it starts. The file consists of entries for the different programs or message categories, one per line. Each entry has a selector field and an action field, separated by a tab. The selector field specifies the type and priority of the messages; the action field specifies what syslogd does when it receives a message that matches the selector. A selector consists of a facility and a priority. When a priority is specified, syslogd records messages of that priority or higher: if crit is specified, every message tagged crit, alert or emerg is recorded. The action field in each line says where to send a message once the selector matches. For example, to record all mail messages in one file:

    # Log all the mail messages in one place.
    mail.*                    /var/log/maillog

Other facilities have their own logs. The uucp and news facilities can produce many external messages.
They are stored in their own log (/var/log/spooler), limited to level err or higher. Example:

    # Save mail and news errors of level err and higher in a special file.
    uucp,news.crit            /var/log/spooler

When an emergency message arrives you may want every user to receive it, and you may also want another machine's log to receive and save it:

    # Everybody gets emergency messages, plus log them on another machine.
    *.emerg                   *
    *.emerg                   @linuxaid.com.cn

Alert messages should be written to the personal accounts of root and tiger:

    # root and tiger get alert and higher messages.
    *.alert                   root,tiger

Sometimes syslogd generates a great many messages; the kernel (kern facility), for example, can be verbose. You may want to record kernel messages to /dev/console. In the following example the kernel logging line is commented out:

    # Log all kernel messages to the console.
    # Logging much else clutters up the screen.
    #kern.*                   /dev/console

Users can specify all facilities on one line. In the following example, messages of level info or higher are sent to /var/log/messages, except for mail (mail.none):

    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    *.info;mail.none;authpriv.none    /var/log/messages

In some cases the log can be sent to a printer, so that a network intruder gains nothing by modifying the logs. Generally, extensive logging is required. The syslog facility is a notable target for attackers, and a system that keeps logs for other hosts is particularly vulnerable to attacks on that server.

logger

The small command logger provides a shell command interface to the syslog(3) system log module, so that you can create entries in the log files. Usage: logger <message>. For example:

    logger this is a test!

produces the following syslog record:

    Aug 19 22:22:34 tiger: this is a test!

Note: do not trust logs completely, because attackers can easily modify them.

Program logs

Many other programs maintain logs that reflect the security status of the system.
The su command allows a user to obtain another user's permissions, so its security is very important; its log file is sulog. There is also sudolog. In addition, Apache has two logs: access_log and error_log. There are other commonly used log tools that we will not describe one by one; interested readers can refer to the following URLs:

    chklastlog:   ftp://coast.cs.purdue.edu/pub/tools/unix/chklastlog/
    chkwtmp:      ftp://coast.cs.purdue.edu/pub/tools/unix/chkwtmp/
    dump_lastlog: ftp://coast.cs.purdue.edu/pub/tools/unix/dump_lastlog.Z
    spar:         ftp://coast.cs.purdue.edu/pub/tools/unix/TAMU/
    swatch:       http://www.lomar.org/komar/alek/pres/swatch/cover.html
    zap:          ftp://caost.cs.purdue.edu/pub/tools/unix/zap.tar.gz
    Log classification method: http://csrc.nist.gov/nissc/1998/proceedings/paperD1.pdf