Analyzing Linux Logs to Investigate Intrusions

Source: Internet
Author: User
Tags: touch command, file transfer protocol

Logs are undoubtedly very important for network security. They record the events that occur on a system every day; you can use them to find the cause of an error, or the traces an attacker left behind after a compromise. The main functions of logs are auditing and monitoring, and they also make it possible to watch system status and intruders in real time.

Log subsystem categories
In Linux, there are three major log subsystems:
Connection-time logging: performed by several programs that write to /var/log/wtmp and /var/run/utmp. login and other programs update the wtmp and utmp files, which lets the system administrator track who is logged on to the system at any time.
Process accounting (process statistics): performed by the system kernel. When a process terminates, a record for it is written to the process accounting file (pacct or acct). Process accounting provides command-usage statistics for the basic services on the system.
Error logging: performed by syslogd(8). System daemons, user programs, and the kernel report noteworthy events through syslog(3) to the file /var/log/messages. In addition, many UNIX programs create their own logs; servers providing network services such as HTTP and FTP also maintain detailed logs.
Common log files are as follows:
access_log: records HTTP/web data transfers.
acct/pacct: records the commands users run.
aculog: records modem activity.
btmp: records failed login attempts.
lastlog: records the most recent successful logon and the most recent failed logon for each user.
messages: records messages from syslog (on some systems this is a link to the syslog file).
sudolog: records the commands issued through sudo.
sulog: records uses of su.
utmp: records every user currently logged on.
wtmp: a permanent record of when each user logged on and off.
xferlog: records FTP sessions.

Basic logging process
The utmp, wtmp, and lastlog files are the key to most UNIX log subsystems: they record user logons and logouts. Information about the currently logged-on users is kept in utmp; logon and logout records are kept in wtmp; the last-logon file can be viewed with the lastlog command. System time changes, shutdowns, and reboots are also recorded in wtmp. All records carry timestamps. These files (lastlog usually excepted) grow rapidly on systems with many users; wtmp in particular grows without bound unless it is truncated regularly. Many systems rotate wtmp daily or weekly, usually through a script run by cron that renames the old file and starts a fresh wtmp.

TIPS: Typically, after the first day wtmp is renamed wtmp.1; after the second day wtmp.1 becomes wtmp.2, and so on up to wtmp.7.

Each time a user logs on, the login program looks up the user's UID in the lastlog file. If an entry is found, the user's last logon time, logout time, and host name are written to standard output, and login then records the new logon time in lastlog. After the new lastlog entry is written, the utmp file is opened and a utmp record for the user is inserted; this record remains until the user logs out. The utmp file is used by various commands, including who, users, and finger. Next, login opens wtmp and appends the user's utmp record. When the user logs out, the same utmp record, with an updated timestamp, is appended to the file. The wtmp file is used by the programs last and ac.
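As an added example (not part of the original article), the following Python parses the binary utmp/wtmp record format described above and reconstructs logon sessions the way last(1) does, plus the connect-time total that ac(1) reports. The record layout assumed is the glibc struct utmp on x86_64, and the wtmp contents are constructed sample data.

```python
import struct
# struct utmp on glibc/x86_64 (384 bytes): ut_type, pad, ut_pid, ut_line, ut_id, ut_user,
# ut_host, ut_exit (2 shorts), ut_session, ut_tv (sec, usec), ut_addr_v6 (4 ints), unused
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)            # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8  # ut_type values used here

def _cstr(raw):
    """Decode a NUL-padded fixed-width char array."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_utmp(data):
    """Yield one dict per record, as who(1) and last(1) read the file."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield {"type": f[0], "pid": f[1], "line": _cstr(f[2]),
               "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]}

def sessions(data):
    """Pair each USER_PROCESS (login) with the next DEAD_PROCESS (logout) on the
    same tty, as last(1) does. Returns (user, line, host, login_ts, duration_s);
    a session still open has duration None."""
    open_by_line, out = {}, []
    for r in parse_utmp(data):
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            s = open_by_line.pop(r["line"])
            out.append((s["user"], s["line"], s["host"], s["time"], r["time"] - s["time"]))
    out.extend((s["user"], s["line"], s["host"], s["time"], None) for s in open_by_line.values())
    return out

def connect_hours(data, now):
    """Total connect time in hours (what ac(1) reports); open sessions count up to `now`."""
    return round(sum(d if d is not None else now - t for *_, t, d in sessions(data)) / 3600, 2)

def make_record(rtype, pid, line, user, host, ts):
    """Build one 384-byte record; used here only to construct sample data."""
    return struct.pack(UTMP_FMT, rtype, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0, b"")

# Constructed wtmp: a boot record, one finished session, one still logged in.
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "", 1_000_000_000),
    make_record(USER_PROCESS, 4242, "pts/0", "ynguo", "202.38.64.20", 1_000_000_100),
    make_record(USER_PROCESS, 4300, "pts/1", "lewis", "202.38.64.233", 1_000_000_200),
    make_record(DEAD_PROCESS, 4242, "pts/0", "", "", 1_000_003_700),
])
if __name__ == "__main__":
    print(sessions(SAMPLE_WTMP), connect_hours(SAMPLE_WTMP, now=1_000_007_400))
```

The same parser works on a real /var/log/wtmp read in binary mode, provided the host uses the glibc x86_64 layout.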

Viewing specific logs
The wtmp and utmp files are binary, so they cannot be cut or merged with tail or cat; the information they contain is read with who, w, users, last, and ac.
1. who: this command queries the utmp file and reports each user currently logged on. The default output of who includes the user name, terminal, logon time, and remote host. For example, typing who and pressing Enter displays:
chyang pts/0 Aug 18 :06
ynguo pts/2 Aug 18 :32
ynguo pts/3 Aug 18 :55
lewis pts/4 Aug 18 :35
ynguo pts/7 Aug 18
ylou pts/8 Aug 18
If the wtmp file name is given, who reports all past records: "who /var/log/wtmp" reports every logon since the wtmp file was created or cleared.
2. w: this command queries utmp and displays each user on the system together with the processes they are running.
3. users: prints the currently logged-on users on a single line. Each name corresponds to one logon session, so a user with several sessions appears that many times. For example, typing users and pressing Enter displays:
chyang lewis ylou ynguo
4. last: searches wtmp and displays the users who have logged on since the file was created. For example:
chyang pts/9 202.38.68.242 Tue Aug 1)
cfan pts/6 202.38.64.20 Tue Aug 1)
chyang pts/4 202.38.68.242 Tue Aug 1)
lewis pts/3 202.38.64.233 Tue Aug 1)
lewis pts/2 202.38.64.233 Tue Aug 1)
If a user name is given, last reports only that user's recent activity. For example, last ynguo displays:
ynguo pts/4 simba.nic.ustc.e Fri Aug 4)
ynguo pts/4 simba.nic.ustc.e Thu Aug 3)
ynguo pts/11 simba.nic.ustc.e Thu Aug 3)
ynguo pts/0 simba.nic.ustc.e Thu Aug 3)
5. ac: the ac command reports user connect time (in hours) based on the logon and logout times in the current /var/log/wtmp file. With no flags it reports the total time. For example, ac displays:
total 5177.47
ac -d displays the total connect time for each day:
Aug 12 total 261.87
Aug 13 total 351.39
Aug 14 total 396.09
Aug 15 total 462.63
Aug 16 total 270.45
ac -p displays the total connect time for each user:
ynguo 193.23
yucao 3.35
rong 1, 133.40
hdai 1, 10.52
6. lastlog: the lastlog file is consulted at every logon. The lastlog command reports the last logon of a specific user by formatting and printing the last-logon log /var/log/lastlog. It displays the login name, port (tty), and last logon time, sorted by UID. For example:
rong 5 202.38.64.187 Fri Aug 18 15:57:01 +0800 2000
dbb ** Never logged in **
xinchen ** Never logged in **
pb9511 ** Never logged in **

TIPS: If a user has never logged on, lastlog displays "** Never logged in **". Note that this command must be run as root.

In addition, parameters can be added to the command for other functions. For example, "lastlog -u 102" reports the user whose UID is 102, and "lastlog -t 7" limits the report to the previous week.

Process accounting
UNIX can track every command run by every user. If you want to know which important files someone tampered with last night, the process accounting subsystem can tell you, which is undoubtedly helpful for tracking intruders. Unlike connection-time logging, process accounting is not enabled by default and must be started. On Linux the accton command starts process accounting and must be run as root. First create the pacct file with touch:
touch /var/log/pacct
Then run accton:
accton /var/log/pacct
Once accton is active, the lastcomm command can be used at any time to review the commands executed on the system. To turn accounting off, run accton with no arguments.

TIPS: The lastcomm command reports previously executed commands. With no arguments it displays information about every command recorded during the lifetime of the current accounting file: the command name, user, tty, CPU time consumed, and a timestamp. On a system with many users the output can be very long.

One problem with process accounting is that the pacct file can grow rapidly. You then need to run the sa command, interactively or from cron, to keep the log data under control.

TIPS: The sa command reports on, cleans up, and maintains the process accounting files. It can condense the information in /var/log/pacct into the summary files /var/log/savacct and /var/log/usracct, which hold system statistics by command name and by user name. By default, sa reads the summaries first and then the pacct file, so its report covers all available information. The output of sa has the following labelled items:

avio: average number of I/O operations per execution
cp: sum of user and system CPU time, in minutes
cpu: same as cp
k: CPU-time-averaged core usage, in 1K units
k*sec: CPU storage integral, in 1K-core seconds

The syslog service
Syslog is used by many logging functions and by many protective measures. It records system events, writing them to a file or device or sending a message to users, and it can record local events or, over the network, events from another host.
Syslog depends on two important files: /etc/syslogd (the daemon) and the /etc/syslog.conf configuration file. Traditionally, most syslog information is written to the messages file under /var/adm or /var/log. A typical syslog record includes the name of the program that generated it and a text message; it also carries a facility and a priority. Each syslog message is assigned to one of the following major facilities:
LOG_AUTH: the authentication system: login, su, getty, etc.
LOG_CRON: the cron daemon.
LOG_DAEMON: other system daemons, such as routed.
LOG_FTP: the File Transfer Protocol daemons ftpd and tftpd.
LOG_KERN: messages generated by the kernel.
LOG_MAIL: the mail system.
LOG_SYSLOG: internal messages generated by syslogd(8).
LOG_LOCAL0 to LOG_LOCAL7: reserved for local use.
Syslog also assigns each event one of several priorities:
LOG_EMERG: emergencies.
LOG_ALERT: problems that should be corrected immediately, such as a corrupted system database.
LOG_CRIT: critical conditions, such as hard disk errors.
LOG_ERR: errors.
LOG_WARNING: warning messages.
LOG_NOTICE: not an error, but a condition that may need handling.
LOG_INFO: informational messages.
The syslog.conf file tells syslogd what to do with each log message; the program reads the configuration file at startup. The file consists of one entry per line for the different programs or message categories. Each entry has a selector field and an action field, separated by tabs. The selector specifies the facility and priority of the messages; the action specifies what syslogd does when it receives a message matching the selector. Each selector consists of a facility and a priority. When a priority is given, syslogd records messages of that priority or higher, so specifying "crit" records all messages marked crit, alert, and emerg. The action field of each line says where to send the messages matched by the selector. For example, to record all mail messages in one file:
# Log all the mail messages in one place
mail.*    /var/log/maillog
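To make the selector semantics concrete, here is an added Python example (not from the original article) that parses a small constructed syslog.conf and reports which actions receive a message of a given facility and priority, implementing the "this priority or higher" rule together with the `*` and `none` forms of classic syslog.conf syntax.

```python
import re

# Standard syslog priorities, most severe first: a selector such as "mail.crit"
# matches crit and everything more severe (alert, emerg), as the text explains.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}  # legacy spellings

def _level(name):
    return PRIORITIES.index(ALIASES.get(name, name))

def parse_syslog_conf(text):
    """Return [(selectors, action)], each selector being (facility, priority).
    Fields are whitespace-separated; ';' joins selectors, ',' joins facilities."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        sel_field, action = re.split(r"\s+", line, maxsplit=1)
        selectors = []
        for sel in sel_field.split(";"):
            facs, prio = sel.rsplit(".", 1)
            selectors.extend((f, prio) for f in facs.split(","))
        rules.append((selectors, action))
    return rules

def matches(selectors, facility, priority):
    """The last selector naming the facility (or '*') decides; 'none' excludes it."""
    result = False
    for fac, prio in selectors:
        if fac in ("*", facility):
            result = prio != "none" and (prio == "*" or _level(priority) <= _level(prio))
    return result

def route(rules, facility, priority):
    """Every action (file, @remote host, ...) that receives facility.priority."""
    return [action for selectors, action in rules if matches(selectors, facility, priority)]

# Constructed syslog.conf extending the article's mail.* example.
SAMPLE_CONF = """\
# Log all the mail messages in one place
mail.*                  /var/log/maillog
# crit and above from every facility except mail
*.crit;mail.none        /var/log/critical
# login/su records: the first thing an intrusion review looks at
auth,authpriv.*         /var/log/secure
# a copy on a remote log host survives tampering with local files
*.info                  @loghost
"""
RULES = parse_syslog_conf(SAMPLE_CONF)
```

Calling `route(RULES, "kern", "err")` returns only `["@loghost"]`, because err is below the crit threshold of the second line, while `route(RULES, "kern", "alert")` also reaches /var/log/critical.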
Other facilities also have their own logs. The UUCP and news facilities can generate many
