Logs are essential to security. They record the events that occur on a system day by day, and when something goes wrong or the system is attacked they are where you look for the cause of an error or for the traces an attacker left behind. The two main uses of logs are auditing and monitoring: they let you watch the state of the system in near real time and detect and track intrusions.
In Linux, there are three major log subsystems:
Connection time logging: maintained by several programs that write to /var/log/wtmp and /var/run/utmp. login and related programs update wtmp and utmp so that the system administrator can track who is logged on to the system at any time.
Process accounting: performed by the kernel. When a process terminates, a record for it is written to the process accounting file (pacct or acct). Process accounting exists to provide basic command usage statistics for the system.
Error logging: performed by syslogd. System daemons, user programs, and the kernel report noteworthy events through syslog to files such as /var/log/messages. In addition, many UNIX programs create their own logs; servers that provide network services such as HTTP and FTP keep detailed logs as well.
Common log files are as follows:
access-log records HTTP/web transfers
acct/pacct records user commands (process accounting)
aculog records modem activity
btmp records failed login attempts
lastlog records each user's most recent successful login (and, on some systems, the most recent failed login)
messages records information from syslog (sometimes a link to the syslog file)
sudolog records commands issued through sudo
sulog records use of the su command
syslog records information from syslog (usually a link to the messages file)
utmp records each user currently logged on
wtmp a permanent record of every user's login and logout times
xferlog records FTP sessions
The utmp, wtmp, and lastlog files are the core of login accounting on most UNIX systems: they keep the record of who logged in and out, and when.
Information about the users currently logged in is kept in utmp;
the login and logout records are kept in wtmp;
the lastlog command displays the lastlog file, i.e. each user's most recent login.
Run-level changes, including shutdown and reboot, are also recorded in the wtmp file.
Every record carries a timestamp. On systems with many users these files (lastlog is usually small) grow quickly; wtmp in particular grows without bound unless it is truncated regularly. Many systems therefore rotate wtmp daily or weekly, usually from a script run by cron that renames the current file and starts a fresh one: after the first rotation wtmp becomes wtmp.1, on the next wtmp.1 becomes wtmp.2, and so on up to wtmp.7.
Each time a user logs in, the login program looks up the user's UID in the lastlog file. If an entry is found, the user's last login time, terminal, and host name are written to standard output, and login then records the new login time in lastlog. Next, login opens the utmp file and inserts the user's utmp record; that record stays there until the user logs out, and it is what commands such as who, w, users, and finger read.
login then opens the wtmp file and appends the same utmp record to it. When the user logs out, the record is appended again with an updated timestamp and type. The wtmp file is read by the last and ac programs.
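The record flow described above is easiest to see on the bytes themselves. The following is an added example, not code from the original page: it decodes the Linux x86_64 struct utmp layout documented in utmp(5), rebuilds login/logout sessions from a wtmp byte string the way last does, and flags what an investigator would want flagged, in particular the all-zero "holes" that utmp cleaners leave when they wipe an attacker's entry, logouts with no matching login, and timestamps that run backwards in what should be an append-only file. The sample wtmp, its timestamps, PIDs and the tampering are constructed for the example; only the host addresses are taken from the who and w output on this page.

```python
import struct
import time

# Linux x86_64 'struct utmp' from utmp(5): 384 bytes, written here with an
# explicit little-endian format so it decodes identically on any host. Fields:
# ut_type, 2 pad bytes, ut_pid, ut_line[32], ut_id[4], ut_user[32],
# ut_host[256], ut_exit{e_termination, e_exit}, ut_session, ut_tv{sec, usec},
# ut_addr_v6[4], 20 unused bytes. utmp and wtmp share this record format.
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20x")
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def pack_record(ut_type, pid, line, user, host, sec):
    """Build one raw record; used only to construct the sample wtmp below."""
    return UTMP.pack(ut_type, pid, line.encode(), line[-4:].encode(),
                     user.encode(), host.encode(), 0, 0, 0, sec, 0, 0, 0, 0, 0)


def _cstr(field):
    return field.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_wtmp(data):
    """Decode every full record. An all-zero record is reported as such:
    utmp 'cleaners' remove an entry by zero-filling it in place."""
    records = []
    usable = len(data) - len(data) % UTMP.size      # ignore a truncated tail
    for off in range(0, usable, UTMP.size):
        raw = data[off:off + UTMP.size]
        if raw == b"\0" * UTMP.size:
            records.append({"offset": off, "type": 0, "zeroed": True})
            continue
        t, pid, line, _id, user, host, _te, _ee, _s, sec, _us, *_addr = UTMP.unpack(raw)
        records.append({"offset": off, "type": t, "pid": pid, "zeroed": False,
                        "line": _cstr(line), "user": _cstr(user),
                        "host": _cstr(host), "time": sec})
    return records


def sessions_and_anomalies(records):
    """Pair each login with the logout on the same tty, as last(1) does, and
    collect the things a reviewer of wtmp would want flagged."""
    open_by_line, sessions, anomalies = {}, [], []
    last_time = 0
    for r in records:
        if r["zeroed"]:
            anomalies.append(f"zero-filled record at offset {r['offset']}")
            continue
        if r["time"] < last_time:   # wtmp is append-only, so time must not go back
            anomalies.append(f"timestamp goes backwards at offset {r['offset']}")
        last_time = max(last_time, r["time"])
        if r["type"] == BOOT_TIME:
            for s in open_by_line.values():     # a reboot ends every open session
                sessions.append(s + (r["time"], "down"))
            open_by_line.clear()
        elif r["type"] == USER_PROCESS:
            if not r["user"]:
                anomalies.append(f"login with empty user name at offset {r['offset']}")
            open_by_line[r["line"]] = (r["user"], r["line"], r["host"], r["time"])
        elif r["type"] == DEAD_PROCESS:
            s = open_by_line.pop(r["line"], None)
            if s is None:
                anomalies.append(f"logout on {r['line']} with no matching login at offset {r['offset']}")
            else:
                sessions.append(s + (r["time"], "logout"))
    for s in open_by_line.values():
        sessions.append(s + (None, "still logged in"))
    return sessions, anomalies


# Constructed sample wtmp: hosts come from the page's who/w output, the
# timestamps, PIDs and the tampering are invented for this example.
T0 = 966_000_000
SAMPLE_WTMP = b"".join([
    pack_record(BOOT_TIME, 0, "~", "reboot", "2.2.16", T0),
    pack_record(USER_PROCESS, 1201, "pts/0", "chyang", "202.38.68.242", T0 + 60),
    pack_record(USER_PROCESS, 1222, "pts/2", "ynguo", "202.38.79.47", T0 + 120),
    pack_record(DEAD_PROCESS, 1201, "pts/0", "", "", T0 + 600),
    b"\0" * UTMP.size,                                            # wiped entry
    pack_record(DEAD_PROCESS, 1300, "pts/9", "", "", T0 + 700),   # orphan logout
    pack_record(USER_PROCESS, 1350, "pts/3", "lewis", "202.38.64.233", T0 + 500),
])

if __name__ == "__main__":
    sessions, anomalies = sessions_and_anomalies(parse_wtmp(SAMPLE_WTMP))
    for user, line, host, t_in, t_out, how in sessions:
        start = time.strftime("%a %b %d %H:%M", time.gmtime(t_in))
        end = how if t_out is None else time.strftime("%H:%M", time.gmtime(t_out))
        print(f"{user:<8} {line:<6} {host:<16} {start} - {end}")
    for a in anomalies:
        print("ANOMALY:", a)
```

Run against a real file with parse_wtmp(open("/var/log/wtmp", "rb").read()); on a different architecture or libc the record size may differ, so check UTMP.size against the file size first. Note that a cleaner that truncates the file rather than zero-filling leaves no hole to find, which is why the backwards-timestamp and orphan-logout checks are kept alongside the zero-record check.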
Specific commands
The wtmp and utmp files are binary, so they cannot be read or merged with text tools such as tail or cat. The information in them is accessed through who, w, users, last, and ac.
who: the who command reads the utmp file and reports every user currently logged on. By default it prints the user name, terminal, login time, and remote host. For example, running who displays:
chyang pts/0 Aug 18 :06
ynguo pts/2 Aug 18 :32
ynguo pts/3 Aug 18 :55
lewis pts/4 Aug 18 :35
ynguo pts/7 Aug 18
ylou pts/8 Aug 18
If a file name is given, who reads that file instead of utmp: who /var/log/wtmp reports every login since the wtmp file was created or last truncated.
w: the w command reads the utmp file and shows each user on the system together with the process they are running. For example, running w displays:
3:36pm up 1 day, 6 users, load average: 0.23, 0.29, 0.27
USER tty FROM LOGIN@ IDLE JCPU PCPU WHAT
chyang pts/0 202.38.68.242 pm 0.08s 0.04s -bash
ynguo pts/2 202.38.79.47 pm 0.00s 0.14s 0.05s w
lewis pts/3 202.38.64.233 pm 30:39 0.27s 0.22s -bash
lewis pts/4 202.38.64.233 pm 6.00s 4.03s sh /home/users/
ynguo pts/7 simba.nic.ustc.e pm 0.00s 0.47s 0.24s telnet mail
ylou pts/8 202.38.64.235 pm 1:09m 0.10s 0.04s -bash
users: the users command prints the currently logged-on users on a single line. Each name corresponds to one login session, so a user with several sessions appears several times. For example, running users displays: chyang lewis ylou ynguo
last: the last command searches backwards through wtmp and displays every user who has logged in since the file was created. For example, running last displays:
chyang pts/9 202.38.68.242 Tue Aug 1)
cfan pts/6 202.38.64.20 Tue Aug 1)
chyang pts/4 202.38.68.242 Tue Aug 1)
lewis pts/3 202.38.64.233 Tue Aug 1)
lewis pts/2 202.38.64.233 Tue Aug 1)
If a user name is given, last reports only that user's recent activity. For example, running last ynguo displays:
ynguo pts/4 simba.nic.ustc.e Fri Aug 4)
ynguo pts/4 simba.nic.ustc.e Thu Aug 3)
ynguo pts/11 simba.nic.ustc.e Thu Aug 3)
ynguo pts/0 simba.nic.ustc.e Thu Aug 3)
ynguo pts/0 simba.nic.ustc.e Wed Aug 2 (1+02:12)
ynguo pts/0 simba.nic.ustc.e Wed Aug 2)
ynguo pts/9 simba.nic.ustc.e Thu Aug 1)
The syslog service
Syslog is used by many logging functions and by many protective measures: any program can record events through it. Syslog records system events by writing them to a file or device, or by sending a message to users, and it can record local events or events from another host across the network.
Syslog depends on two important files: the daemon, /etc/syslogd (on modern systems usually /usr/sbin/syslogd), and the configuration file /etc/syslog.conf. Traditionally most syslog output is written to the messages.* files in the /var/adm or /var/log directory. A typical syslog record contains the name of the program that generated it and a text message. Each message also carries a facility and a priority, although these are not written to the log file.
Each syslog message is assigned to one of the following facilities:
LOG_AUTH -- the authentication system: login, su, getty, and so on
LOG_AUTHPRIV -- the same as LOG_AUTH, but logged to a file readable only by selected users
LOG_CRON -- the cron daemon
LOG_DAEMON -- other system daemons, such as routed
LOG_FTP -- the file transfer protocol daemons: ftpd, tftpd
LOG_KERN -- messages generated by the kernel
LOG_LPR -- the printer spooling system: lpr, lpd
LOG_MAIL -- the mail system
LOG_NEWS -- the network news system
LOG_SYSLOG -- messages generated internally by syslogd(8)
LOG_USER -- messages generated by ordinary user processes
LOG_UUCP -- the UUCP subsystem
LOG_LOCAL0 through LOG_LOCAL7 -- reserved for local use
Syslog also assigns each event one of the following priorities:
LOG_EMERG -- emergency: the system is unusable
LOG_ALERT -- a condition that should be corrected immediately, such as a corrupted system database
LOG_CRIT -- critical conditions, such as hard disk errors
LOG_ERR -- errors
LOG_WARNING -- warning messages
LOG_NOTICE -- not an error, but a condition that may need attention
LOG_INFO -- informational messages
LOG_DEBUG -- messages containing information normally only used when debugging a program
The syslog.conf file tells syslogd what to do with each message; syslogd reads it at startup. The file consists of entries for different programs or message classes, one per line. Each entry has a selector field and an action field, separated by tabs. The selector specifies the facility and priority of the messages it applies to, written as facility.priority; the action specifies what syslogd does when it receives a message matching the selector. When a priority is given, syslogd records messages of that priority or higher, so a selector ending in crit matches every message marked crit, alert, or emerg. The action field says where the selected messages go. For example, to record all mail messages in one file:
# Log all the mail messages in one place
mail.*                  /var/log/maillog
Other facilities have their own logs too. The uucp and news facilities can produce a great many messages, so here they are stored in a log of their own (/var/log/spooler) and restricted to priority crit or higher (the comment in this widely copied example still says err; it is the selector that counts):
# Save mail and news errors of level err and higher in a special file.
uucp,news.crit          /var/log/spooler
Emergency messages should reach every user, and you may also want to forward them to another machine that keeps its own copy of the log:
# Everybody gets emergency messages, plus log them on another machine
*.emerg                 *
*.emerg                 @linuxaid.com.cn
Alert messages should be written to the terminals of the root and tiger accounts:
# Root and tiger get alert and higher messages
*.alert                 root,tiger
Sometimes syslogd generates a great many messages; the kernel (kern facility) in particular can be verbose. You might want to send kernel messages to /dev/console, but because they clutter the screen the following example leaves that line commented out:
# Log all kernel messages to the console
# Logging much else clutters up the screen
#kern.*                 /dev/console
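The "this priority or higher" rule, combined with several lines that can all match one message, is where syslog.conf mistakes hide: a typo in a priority name silently matches nothing, and a message that should reach an off-host collector may never get there. The following added example (not part of the original page, and not syslogd's own code) parses the fragments shown above, assembled into one constructed syslog.conf with the same hostname as on the page, and answers "which actions fire for a message with this facility and priority?" using classic syslogd semantics. It also understands the none priority and the sysklogd = extension (exactly this level); facility and priority names are validated so that a typo is rejected rather than ignored.

```python
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
FACILITIES = {"auth", "authpriv", "cron", "daemon", "ftp", "kern", "lpr", "mail",
              "news", "syslog", "user", "uucp"} | {f"local{i}" for i in range(8)}

# Constructed syslog.conf, assembled from the fragments shown on this page.
SAMPLE_CONF = """\
# Log all the mail messages in one place
mail.*\t\t\t/var/log/maillog
# Save mail and news errors of level err and higher in a special file.
uucp,news.crit\t\t/var/log/spooler
# Everybody gets emergency messages, plus log them on another machine
*.emerg\t\t\t*
*.emerg\t\t\t@linuxaid.com.cn
# Root and tiger get alert and higher messages
*.alert\t\t\troot,tiger
# Log all kernel messages to the console
# Logging much else clutters up the screen
#kern.*\t\t\t/dev/console
"""


def parse_syslog_conf(text):
    """Return [(lineno, [(facilities, priority), ...], action)]. Unknown names
    raise ValueError instead of silently matching nothing."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)   # classic syslogd wants a tab; sysklogd also accepts spaces
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: selector without action")
        selector, action = fields
        parts = []
        for part in selector.split(";"):          # several selectors may share one action
            facs, dot, pri = part.rpartition(".")
            if not dot:
                raise ValueError(f"line {lineno}: selector {part!r} has no priority")
            facs = [f.strip() for f in facs.split(",")]
            for f in facs:
                if f != "*" and f not in FACILITIES:
                    raise ValueError(f"line {lineno}: unknown facility {f!r}")
            if pri.lstrip("=") not in PRIORITIES and pri not in ("*", "none"):
                raise ValueError(f"line {lineno}: unknown priority {pri!r}")
            parts.append((facs, pri))
        rules.append((lineno, parts, action.strip()))
    return rules


def actions_for(rules, facility, priority):
    """Actions a message of facility.priority would trigger, in file order."""
    level = PRIORITIES.index(priority)
    hits = []
    for _lineno, parts, action in rules:
        selected = False
        for facs, pri in parts:
            if "*" not in facs and facility not in facs:
                continue
            if pri == "none":            # a later 'none' cancels an earlier match
                selected = False
            elif pri == "*":
                selected = True
            elif pri.startswith("="):    # sysklogd extension: exactly this level
                selected = selected or level == PRIORITIES.index(pri[1:])
            else:                        # classic rule: this priority or higher
                selected = selected or level >= PRIORITIES.index(pri)
        if selected:
            hits.append(action)
    return hits


def describe_action(action):
    if action.startswith("/"):
        return f"append to file {action}"
    if action.startswith("@"):
        return f"forward over the network to {action[1:]}"
    if action.startswith("|"):
        return f"pipe into {action[1:]}"
    if action == "*":
        return "write to every logged-in user's terminal"
    return f"write to the terminals of users {action}"


RULES = parse_syslog_conf(SAMPLE_CONF)

if __name__ == "__main__":
    for fac, pri in [("mail", "err"), ("mail", "emerg"), ("news", "err"),
                     ("news", "crit"), ("kern", "alert"), ("kern", "warning")]:
        hits = actions_for(RULES, fac, pri)
        print(f"{fac}.{pri}:", "dropped, no selector matches" if not hits else "")
        for a in hits:
            print("   ", describe_action(a))
```

Two results are worth noticing: news.err goes nowhere because the only news rule starts at crit, whatever its comment says, and kern.warning goes nowhere because the console line is commented out and nothing else catches kern below alert. Feed the function your real /etc/syslog.conf and the facility.priority pairs you care about (authpriv.info for login events, for instance) to confirm that the security-relevant messages actually reach a file or a remote host.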