Detailed introduction to CentOS Log Analysis

Source: Internet
Author: User

1. Understand log files
Linux log files are extremely useful: they tell us the status of the system. For example, we can find out which users have logged on, which also bears on security. If we do not know how to analyze logs, we may never notice that someone has logged on to our system. In addition, if something goes wrong with the system, we need to check the system log. For example, when we cannot get into X Windows, we need to check a system log file such as XFree86.0.log. To go into a little more detail: when we run the setup for the system display properties [in theory XFree86 setup], taking Redhat 8.0 as the example, running redhat-config-xfree86 from a terminal or virtual console leaves a file XFree86.setup.log in the /var/log directory, which records the settings we made and their details.

2. Location of the log files
The log files are located in the /var/log directory, provided that you have not customised the log configuration file /etc/syslog.conf.

3. The log configuration file
The log configuration file is /etc/syslog.conf. If you want to modify it, you must back it up first; this is the first task of system administration.

The following command makes the backup. I operate with root permission; be careful when using root.
[root@linuxsir01 root]# cp /etc/syslog.conf /etc/syslog.confBAK
When /etc/syslog.conf has been misconfigured and we can no longer remember what the original file looked like, the backup plays its part: restore it and everything is fine, and we can edit the file again.
[root@linuxsir01 root]# cp /etc/syslog.confBAK /etc/syslog.conf

4. What is in the log configuration file? Let's look. We can view it with a command such as more /etc/syslog.conf.
[root@linuxsir01 root]# more /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;news.none;authpriv.none;cron.none      /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  /var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

#
# INN
#
news.=crit                                              /var/log/news.crit
news.=err                                               /var/log/news.err
news.notice                                             /var/log/news.notice

Line by line:
authpriv.* /var/log/secure: the security/verification log. The authentication entries the system generates are stored in /var/log/secure.
mail.* /var/log/maillog: the mail system's log. This log file is /var/log/maillog.
cron.* /var/log/cron: scheduled-task (cron) information.
*.emerg *: emerg is the highest level syslog defines; it means the system is unusable, and such messages go to everybody.
uucp,news.crit /var/log/spooler: the level syslog sets for the news and uucp logs. crit means critical: the incident has not yet occurred but is about to.
local7.* /var/log/boot.log: the system boot log, expressed as local7. The log file is boot.log in /var/log.

5. Log types
authpriv: security/verification information. Through this we can view login records of services such as telnet and ssh; it plays an important role in defending against intrusions.
cron: task-scheduling information, somewhat like scheduled tasks in Windows. We can use this program to run a given job at a given time. Its configuration file is /etc/crontab; here we refer to how its log file is configured.
kern: the system kernel log. Its storage location can be defined in /etc/syslog.conf; for example, we can add a line to syslog.conf such as
kern.debug /var/log/kern.log
local0-local7: custom facilities. The boot log uses local7; its log file is boot.log in /var/log.
lpr: as the name suggests, the printer log file, which we can define ourselves. (Below we will take a closer look at how system logs are written.)
mail: e-mail information from sendmail, qmail and so on.
news: the newsgroup server.
user: user-level information.
syslog: messages generated internally by syslog.
auth: also user login information, the security and validation log.
uucp: UNIX-to-UNIX copy protocol information.

6. Log levels
The system administrator has to maintain the system, and there are far too many system log entries, so it is necessary to sort them by level; that way the administrator can easily find the urgent and important problems to solve.
The levels have an order of importance, listed here with the most important first, from high to low:
emerg: the system is unusable; the most urgent level.
alert: must be handled and resolved immediately.
crit: critical; an event is about to happen and must be prevented.
warning: warning messages.
err: error messages, ordinary errors.
notice: reminder information, still important.
info: notification, general information.
debug: debugging information.
*: all levels; used as a destination, it sends the message to all users.
Having learned where Linux logs are stored and what types there are, what interests you most is how to analyze them.
For that we need to master some Linux log analysis commands, and then use those commands or scripts to analyze the logs in detail.

7. Log settings, or how the syntax is written
In /etc/syslog.conf we can define log files according to our own situation. The syntax is:
facility.level    log-file-location [use an absolute path]

For example:
kern.debug    /var/log/kern.log
Further details [note: RedHat 8.0 is used as the example]: in RedHat 8.0 we can see the following line. What does it mean?
authpriv.*    /var/log/secure
It means that all logs of the authentication facility, at every level, are stored in the log file secure. Sometimes we will also see secure.1 in the /var/log directory; in practice this kind of log needs to be handled flexibly as well, right?
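To make the selector rules concrete (level-and-above matching, =level for one exact level, none revoking an earlier match, and * for any facility or level), here is an added example that is not from the original article: a POSIX shell function reporting which destinations a facility/priority pair reaches. The configuration is a constructed copy of the RedHat 8.0 excerpt in section 4, and priorities are ranked in standard syslog order.

```shell
#!/bin/sh
# Added example (not from the article): report where a message goes under a
# syslog.conf. The configuration is a constructed copy of the RedHat 8.0
# excerpt the article lists; real hosts read /etc/syslog.conf instead.
SYSLOG_CONF='*.info;mail.none;news.none;authpriv.none;cron.none  /var/log/messages
authpriv.*      /var/log/secure
mail.*          /var/log/maillog
cron.*          /var/log/cron
*.emerg         *
uucp,news.crit  /var/log/spooler
local7.*        /var/log/boot.log
news.=crit      /var/log/news.crit
news.=err       /var/log/news.err
news.notice     /var/log/news.notice'
# Rank of a priority name in standard syslog order; higher means more severe.
prio_rank() {
  case "$1" in
    emerg|panic)  printf 7 ;;  alert)        printf 6 ;;
    crit)         printf 5 ;;  err|error)    printf 4 ;;
    warning|warn) printf 3 ;;  notice)       printf 2 ;;
    info)         printf 1 ;;  debug)        printf 0 ;;
    *)            printf '%s' -1 ;;   # unknown name never matches "level and above"
  esac
}
# route FACILITY PRIORITY: print one line per destination that receives the message.
route() {
  fac=$1; rank=$(prio_rank "$2")
  printf '%s\n' "$SYSLOG_CONF" | (
    set -f    # no globbing in this subshell, so a '*' selector stays literal
    while read -r selector dest; do
      case "$selector" in ''|'#'*) continue ;; esac
      matched=no
      # ';'-separated parts apply left to right; a later 'none' revokes a match.
      for part in $(printf '%s' "$selector" | tr ';' ' '); do
        facs=${part%.*}; lvl=${part##*.}
        for f in $(printf '%s' "$facs" | tr ',' ' '); do
          [ "$f" = '*' ] || [ "$f" = "$fac" ] || continue
          case "$lvl" in
            none) matched=no ;;
            '*')  matched=yes ;;
            =*)   if [ "$(prio_rank "${lvl#=}")" -eq "$rank" ]; then matched=yes; fi ;;
            *)    if [ "$rank" -ge "$(prio_rank "$lvl")" ]; then matched=yes; fi ;;
          esac
        done
      done
      if [ "$matched" = yes ]; then printf '%s\n' "$dest"; fi
    done
  )
}
route mail info    # only /var/log/maillog: mail.none keeps it out of messages
```

Try route authpriv info (only /var/log/secure, because of authpriv.none on the first line) and route kern emerg (both /var/log/messages and *, the "everybody" destination).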
Through this file we can see the verification logs of services such as telnet and ssh. If someone telnets to our machine, this is the file to check. We can use
# more secure | grep telnet
Of course, more can be used to view it page by page. My aim is to show that this file records this kind of thing: for example, if I telnet from another machine, my Linux host records the lines below. Is that clear?
Dec 15 15:22:59 linuxsir01 xinetd[809]: START: telnet pid=2535 from=192.168.0.6
Dec 17 01:06:42 linuxsir01 xinetd[810]: START: telnet pid=26581 from=192.168.0.6
Dec 17 17:59:05 linuxsir01 xinetd[810]: START: telnet pid=4152 from=192.168.0.8
Dec 18 02:52:59 linuxsir01 xinetd[810]: START: telnet pid=9520 from=192.168.0.6
Dec 18 03:15:55 linuxsir01 xinetd[810]: START: telnet pid=9910 from=192.168.0.6
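As an added example that is not part of the original article, a few POSIX shell functions go one step beyond grep telnet on an excerpt like the one above: who opened telnet sessions and how often, which sessions were opened in the small hours, and which sources are not on a list of expected hosts (that list is the caller's assumption). The sample lines are constructed in the same format as the article's; on a real host the functions read /var/log/secure on stdin.

```shell
#!/bin/sh
# Added example (not from the article): summarise xinetd telnet records in the
# /var/log/secure format. The lines below are constructed in that format;
# on a real host feed the functions the file: telnet_sources < /var/log/secure
SECURE_SAMPLE='Dec 15 15:22:59 linuxsir01 xinetd[809]: START: telnet pid=2535 from=192.168.0.6
Dec 15 15:23:41 linuxsir01 xinetd[809]: EXIT: telnet status=0 pid=2535 duration=42(sec)
Dec 17 01:06:42 linuxsir01 xinetd[810]: START: telnet pid=26581 from=192.168.0.6
Dec 17 17:59:05 linuxsir01 xinetd[810]: START: telnet pid=4152 from=192.168.0.8
Dec 18 02:52:59 linuxsir01 xinetd[810]: START: telnet pid=9520 from=192.168.0.6
Dec 18 03:15:55 linuxsir01 xinetd[810]: START: telnet pid=9910 from=192.168.0.6'

# telnet_sources: "count address" for each source of a telnet START record,
# most active first. Only xinetd START lines count; EXIT lines are ignored.
telnet_sources() {
  awk '$5 ~ /^xinetd\[[0-9]+\]:$/ && $6 == "START:" && $7 == "telnet" {
         sub(/^from=/, "", $9); n[$9]++ }
       END { for (a in n) print n[a], a }' | sort -rn
}

# offhours_starts: telnet sessions opened between 00:00 and 05:59, a window in
# which few legitimate logins are expected and each one deserves a look.
offhours_starts() {
  awk '$6 == "START:" && $7 == "telnet" { split($3, t, ":"); if (t[1] + 0 < 6) print }'
}

# unknown_sources ALLOWED_ADDR...: sources that are not on the list of hosts
# expected to open telnet sessions (the list is the caller's assumption).
unknown_sources() {
  allow=" $* "
  telnet_sources | while read -r count addr; do
    case "$allow" in *" $addr "*) ;; *) printf '%s (%s session(s))\n' "$addr" "$count" ;; esac
  done
}

printf '%s\n' "$SECURE_SAMPLE" | telnet_sources
printf '%s\n' "$SECURE_SAMPLE" | offhours_starts
printf '%s\n' "$SECURE_SAMPLE" | unknown_sources 192.168.0.6
```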
