Detailed introduction to linux log analysis

Source: Internet
Author: User
1. Understanding the log files

Of all the files on a system, the log files are the most useful. They tell us the state of the system, for example which users have logged on, and that is directly a security question: if we do not know how to analyze the logs, we may never notice that some users have logged on to our system. Logs are also the first place to look when something goes wrong. For example, if X Windows will not start, we check the X server log, XFree86.0.log. Taking Red Hat 8.0 as the example: when we run the display-settings tool redhat-config-xfree86 from a terminal or virtual console, it writes the settings we chose and the details of what it did to the XFree86.setup.log file under the log directory.

2. Where the log files are

The log files live in the /var/log directory, provided that /etc/syslog.conf has not been customized to put them somewhere else.

3. The log configuration file

The configuration file is /etc/syslog.conf. Before modifying it we must back it up; that is the first rule of system administration. The following command makes the backup. I work as root here, so be careful with root permissions.

    [root@linuxsir01 root]# cp /etc/syslog.conf /etc/syslog.confBAK

If we later make a mistake in /etc/syslog.conf and cannot remember what the original file looked like, the backup is what saves us: restore it and we are back to a working state, and we can then try the modification again.

    [root@linuxsir01 root]# cp /etc/syslog.confBAK /etc/syslog.conf

4. What is in the log configuration file?

We can view it with more:

    [root@linuxsir01 root]# more /etc/syslog.conf
    # Log all kernel messages to the console.
    # Logging much else clutters up the screen.
    #kern.*                                                 /dev/console

    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    *.info;mail.none;news.none;authpriv.none;cron.none      /var/log/messages

    # The authpriv file has restricted access.
    authpriv.*                                              /var/log/secure

    # Log all the mail messages in one place.
    mail.*                                                  /var/log/maillog

    # Log cron stuff
    cron.*                                                  /var/log/cron

    # Everybody gets emergency messages
    *.emerg                                                 *

    # Save news errors of level crit and higher in a special file.
    uucp,news.crit                                          /var/log/spooler

    # Save boot messages also to boot.log
    local7.*                                                /var/log/boot.log

    # INN
    news.=crit                                              /var/log/news.crit
    news.=err                                               /var/log/news.err
    news.notice                                             /var/log/news.notice

Line by line:

- authpriv.* /var/log/secure: the security and authentication log. The records the system generates for logins are stored in /var/log/secure.
- mail.* /var/log/maillog: the mail system's log, stored in /var/log/maillog.
- cron.* /var/log/cron: the scheduled-task (cron) log.
- *.emerg *: here "emerg" is a syslog level; it means the system is unusable, and such messages go to everybody.
- uucp,news.crit /var/log/spooler: the level syslog assigns to the news and uucp logs. "crit" means critical: the failure has not happened yet, but it is about to.
- local7.* /var/log/boot.log: the boot log, expressed through the local7 facility; the file is boot.log in /var/log.

5. Log types (facilities)

- authpriv: security and authentication information. Through it we can see login records for services such as telnet and ssh, which makes it important for spotting intruders.
- cron: task-scheduling information, a bit like scheduled jobs on Windows; we use cron to run a given program at a given time. Its configuration file is /etc/crontab; here we mean its log file.
- kern: the kernel log. If we want to define where it is stored, we add a line to /etc/syslog.conf, for example kern.debug /var/log/kern.log.
- local0 to local7: facilities we can define ourselves. The boot log uses local7 and goes to /var/log/boot.log.
- lpr: the printing log, which we can also define ourselves.
- mail: mail, i.e. sendmail, qmail and similar programs.
- news: the newsgroup server.
- user: user-level messages.
- syslog: syslog's own internal log.
- auth: also user login information, i.e. security and authentication.
- uucp: UNIX-to-UNIX copy protocol information.

Next, let us look more closely at how the system log is written.

6. Log levels

A system produces far too many log messages for an administrator to read them all, so they are sorted by level, which lets the administrator find the urgent and important problems first and start dealing with them. The levels are ordered by importance, from high to low:

- emerg: the system is unusable; an emergency.
- alert: an alarm that must be handled and resolved immediately.
- crit: critical; the failure is imminent and must be prevented.
- err: error information, i.e. general error messages.
- warning: a warning about an event.
- notice: a reminder; still very important.
- info: informational messages, i.e. general information.
- debug: debugging information.
- *: record everything.

Once users know where Linux logs are stored and what types exist, what they most want to know is how to analyze them. For that we need to master some log-analysis commands, and then use those commands or scripts to examine the logs in detail.

7. Log settings and syntax

Log settings are written in /etc/syslog.conf, and we can define log files to suit our own situation. The syntax is simple: one rule per line, consisting of the log type (facility), a dot, the level, whitespace, and the absolute path of the log file:

    facility.level    /absolute/path/to/logfile

For example:

    kern.debug    /var/log/kern.log

(Red Hat 8.0 is used as the example throughout.) In Red Hat 8.0 we see the following line. What does it mean?

    authpriv.*    /var/log/secure

It means that all authentication logs are stored in the file secure. Sometimes we also see secure.1 in /var/log, because this kind of log is rotated; that is something to keep in mind. Through this file we can see the authentication logs for services such as telnet and ssh. If someone has used telnet to reach our machine, this is the file to check. We can look at it with

    # more secure | grep telnet

or simply page through it one screen at a time with more. My goal is just to confirm that this file shows the information we need: for example, if I telnet in from another machine, my Linux host records it as below. Is it clear?

    Dec 15 15:22:59 linuxsir01 xinetd[809]: START: telnet pid=2535 from=192.168.0.6
    Dec 17 01:06:42 linuxsir01 xinetd[810]: START: telnet pid=26581 from=192.168.0.6
    Dec 17 17:59:05 linuxsir01 xinetd[810]: START: telnet pid=4152 from=192.168.0.8
    Dec 18 02:52:59 linuxsir01 xinetd[810]: START: telnet pid=9520 from=192.168.0.6
    Dec 18 03:15:55 linuxsir01 xinetd[810]: START: telnet pid=9910 from=192.168.0.6
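To make the level ordering of section 6 and the selector syntax of section 7 concrete, the following POSIX shell script is an added example and not code from the original article. It reads a constructed copy of the Red Hat 8.0 style syslog.conf quoted in section 4 (with the kern.debug line the article suggests appended) and reports which destinations a message of a given facility and priority would reach. It applies the standard syslogd selector rules: a bare level matches that level and everything more severe, =level matches exactly one level, none removes a facility from the rule, * matches every facility or level, and within one selector the last entry naming a facility wins, which is how *.info;mail.none keeps mail out of /var/log/messages. The function name syslog_routes and the sample configuration are my own.

```shell
#!/bin/sh
# Added example, not from the original article: work out where a syslog
# message lands under a given /etc/syslog.conf. SAMPLE_CONF is a constructed
# copy of the Red Hat 8.0 style file quoted in the article, plus the
# kern.debug line the article suggests adding.
SAMPLE_CONF='# Log all kernel messages to the console.
#kern.*                                          /dev/console
# Log anything (except mail) of level info or higher.
*.info;mail.none;news.none;authpriv.none;cron.none  /var/log/messages
authpriv.*                                       /var/log/secure
mail.*                                           /var/log/maillog
cron.*                                           /var/log/cron
*.emerg                                          *
uucp,news.crit                                   /var/log/spooler
local7.*                                         /var/log/boot.log
news.=crit                                       /var/log/news.crit
news.=err                                        /var/log/news.err
news.notice                                      /var/log/news.notice
kern.debug                                       /var/log/kern.log'

# syslog_routes FACILITY LEVEL CONFFILE
# Print the destination of every rule in CONFFILE that accepts a message of
# the given facility and priority, in file order. Selector rules applied:
#   fac.level   matches LEVEL and everything more severe
#   fac.=level  matches exactly that level
#   fac.none    drops the facility from this rule
#   *           matches every facility (or every level)
# Within one selector the last entry naming a facility wins.
syslog_routes() {
    awk -v fac="$1" -v lvl="$2" '
    BEGIN {
        # standard syslog priorities, least to most severe
        n = split("debug info notice warning err crit alert emerg", L, " ")
        for (i = 1; i <= n; i++) rank[L[i]] = i
        rank["warn"] = rank["warning"]; rank["error"] = rank["err"]
        rank["panic"] = rank["emerg"]
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
    {
        hit = 0
        m = split($1, parts, ";")           # $1 is the selector list, $2 the action
        for (p = 1; p <= m; p++) {
            split(parts[p], fl, "[.]")      # fl[1] facilities, fl[2] level spec
            k = split(fl[1], fa, ",")
            for (q = 1; q <= k; q++) {
                if (fa[q] != "*" && fa[q] != fac) continue
                if (fl[2] == "none") hit = 0
                else if (fl[2] == "*") hit = 1
                else if (substr(fl[2], 1, 1) == "=") hit = (rank[lvl] == rank[substr(fl[2], 2)])
                else hit = (rank[lvl] >= rank[fl[2]])
            }
        }
        if (hit) print $2
    }' "$3"
}

# Demo: trace a few facility.level pairs through the sample configuration.
run_demo() {
    conf=$(mktemp)
    printf '%s\n' "$SAMPLE_CONF" > "$conf"
    for msg in "authpriv info" "kern debug" "mail emerg" "news crit"; do
        set -- $msg
        echo "$1.$2 ->"
        syslog_routes "$1" "$2" "$conf" | sed 's/^/    /'
    done
    rm -f "$conf"
}

run_demo
```

Running it shows, for instance, that an authpriv.info login record reaches only /var/log/secure (the authpriv.none entry keeps it out of /var/log/messages), while a mail.emerg message goes both to /var/log/maillog and, via *.emerg, to every logged-in user. Pointing syslog_routes at a real /etc/syslog.conf is a quick way to confirm that a new rule such as kern.debug actually captures what you expect before restarting syslogd.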
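As an added example of the analysis step section 7 describes (this is not code from the original article), the script below goes one step beyond "more secure | grep telnet": instead of paging through the xinetd telnet START records in /var/log/secure, it counts sessions per source address and lists the sessions that fall outside working hours, so an unfamiliar address or a run of night-time logins stands out immediately. The log lines are a constructed sample modelled on the ones shown above; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: summarise the telnet
# sessions xinetd records in /var/log/secure. The lines below are a
# constructed sample; on a real host pass the real file instead.
SAMPLE_LOG='Dec 15 15:22:59 linuxsir01 xinetd[809]: START: telnet pid=2535 from=192.168.0.6
Dec 17 01:06:42 linuxsir01 xinetd[810]: START: telnet pid=26581 from=192.168.0.6
Dec 17 17:59:05 linuxsir01 xinetd[810]: START: telnet pid=4152 from=192.168.0.8
Dec 18 02:52:59 linuxsir01 xinetd[810]: START: telnet pid=9520 from=192.168.0.6
Dec 18 03:15:55 linuxsir01 xinetd[810]: START: telnet pid=9910 from=192.168.0.6
Dec 18 03:16:10 linuxsir01 sshd[9950]: Accepted password for root from 192.168.0.9 port 1034 ssh2'

# telnet_sessions FILE
# Print "source_ip count" for every address that opened a telnet session,
# busiest first. Same data as "more secure | grep telnet", but aggregated.
telnet_sessions() {
    grep 'xinetd\[[0-9]*\]: START: telnet' "$1" \
        | sed -n 's/.*from=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $2, $1 }'
}

# off_hours_sessions FILE START_HOUR END_HOUR
# Print the telnet START records whose hour of day lies outside the
# [START_HOUR, END_HOUR) window, e.g. 8 18 for an 08:00-18:00 working day.
off_hours_sessions() {
    grep 'START: telnet' "$1" \
        | awk -v s="$2" -v e="$3" '{
            split($3, t, ":")          # $3 is the hh:mm:ss field
            h = t[1] + 0
            if (h < s || h >= e) print
          }'
}

# Demo: write the constructed sample to a temporary file and run both checks.
run_demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    echo "telnet sessions per source address:"
    telnet_sessions "$tmp"
    echo "telnet sessions outside 08:00-18:00:"
    off_hours_sessions "$tmp" 8 18
    rm -f "$tmp"
}

run_demo
```

On the sample, 192.168.0.6 accounts for four of the five sessions and three of them start between 01:00 and 04:00; the same two functions applied to a real /var/log/secure (and to the rotated secure.1) give a reviewer a short list to investigate rather than a screenful of lines.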