Article Title: Five Linux Log Management commands (from the Linux technology channel of the IT lab in China)
The main functions of logs are auditing and monitoring: they let you observe system state in real time and detect and trace intrusions. One of the keys to managing any system successfully is knowing what is happening on it. Linux provides logging of exceptional events, and the level of detail is configurable. Linux logs are stored as plain text, so you can search and read them without special tools, and you can write scripts that scan them and take action automatically based on their contents. Linux logs live in the /var/log directory. Several log files there are maintained by the system itself, but other services and programs may also write their logs there. Most logs can be read only by the root account, although changing the file permissions allows other users to read them. Linux has four main types of logs:
◆ Connection time logs: records are written to /var/log/wtmp and /var/run/utmp. The login programs update the wtmp and utmp files, which lets the system administrator track who is logged on to the system at any time.
◆ Process statistics: performed by the system kernel. When a process terminates, a record for that process is written to the process statistics file (pacct or acct). Process statistics provide command-usage statistics for basic services on the system.
◆ Error logs: handled by the syslogd(8) daemon. Various system daemons, user programs, and the kernel report noteworthy events to the file /var/log/messages through the syslog(3) interface. In addition, many UNIX programs create their own logs; servers that provide network services such as HTTP and FTP also maintain detailed logs.
◆ Utility logs: many programs maintain logs that reflect the security status of the system. The su command allows a user to obtain the permissions of another user, so its security is very important; its log file is sulog. A sudolog is also available. HTTP servers such as Apache keep two logs: access_log (client access log) and error_log (server error log). FTP service logs are stored in the xferlog file, and sendmail logs on Linux are generally stored in the maillog file.
The utmp and wtmp log files are the key to most Linux log subsystems; they store records of user logins and logouts. Information about the currently logged-in users is recorded in utmp; login and logout records are recorded in wtmp, which also records data exchanges, shutdowns, and reboots. Every record carries a timestamp. Timestamps are very important for logs, because much attack analysis depends on knowing exactly when things happened. On systems with many users these files grow quickly; the wtmp file in particular grows without bound unless it is truncated regularly. Many systems therefore rotate wtmp daily or weekly, usually by a script run from cron. Such scripts rename the current file and start a fresh wtmp: typically wtmp becomes wtmp.1 after the first day, and on the second day wtmp.1 becomes wtmp.2. You can name and configure these files as needed.
The utmp file is used by commands such as who, w, users, and finger; the wtmp file is used by last and ac.
Because wtmp and utmp are binary files, they cannot be viewed, truncated, or merged with tail or cat. The information they contain has to be read through who, w, users, last, and ac.
1. who command
The who command queries the utmp file and reports each user currently logged on. The default output of who includes the user name, terminal, login time, and remote host. With this command the system administrator can see which unauthorized users are present on the system, then audit and deal with them. For example, the following output shows the result of running the who command:
# who
root pts/1 2010-02-22 :02 (:0.0)
root pts/2 2010-02-22 :57 (:0.0)
root pts/3 2010-02-22 :57 (:0.0)
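The two points above, that utmp is a fixed-width binary file which cat and tail cannot make sense of, and that who simply filters its USER_PROCESS records, are easiest to see with a small parser. The following is an added example written for this article, not code from the original page or from the who utility. It assumes the glibc struct utmp layout on x86_64 (384-byte records, little-endian, 32-bit ut_session and ut_tv fields); the sample records, user names, terminals, hosts and the 09:02 timestamp are constructed inline so the block runs offline without touching /var/run/utmp.

```python
import calendar
import struct
from datetime import datetime, timezone

# Assumed layout: glibc struct utmp on x86_64, 384 bytes, little-endian.
# Field order: ut_type, 2 pad bytes, ut_pid, ut_line[32], ut_id[4],
# ut_user[32], ut_host[256], ut_exit (two shorts), ut_session,
# ut_tv (tv_sec, tv_usec as int32), ut_addr_v6[4], 20 reserved bytes.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
assert UTMP_SIZE == 384

# ut_type values from <utmp.h>
EMPTY, RUN_LVL, BOOT_TIME, NEW_TIME, OLD_TIME = 0, 1, 2, 3, 4
INIT_PROCESS, LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS, ACCOUNTING = 5, 6, 7, 8, 9


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width char array."""
    return raw.split(b"\0", 1)[0].decode("utf-8", errors="replace")


def parse_utmp(data: bytes) -> list:
    """Split utmp/wtmp bytes into one dict per 384-byte record.

    A length that is not a multiple of the record size means the file was
    truncated or written with a different layout, so refuse rather than
    silently misalign every following record.
    """
    if len(data) % UTMP_SIZE:
        raise ValueError("truncated utmp data: %d bytes is not a multiple of %d"
                         % (len(data), UTMP_SIZE))
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        (ut_type, pid, line, ut_id, user, host, _e_term, _e_exit, _session,
         tv_sec, _tv_usec, _a0, _a1, _a2, _a3) = struct.unpack_from(UTMP_FMT, data, off)
        records.append({
            "type": ut_type,
            "pid": pid,
            "line": _cstr(line),
            "id": _cstr(ut_id),
            "user": _cstr(user),
            "host": _cstr(host),
            "time": datetime.fromtimestamp(tv_sec, tz=timezone.utc),
        })
    return records


def who(records: list) -> list:
    """Mimic who(1): list USER_PROCESS entries that still carry a user name."""
    return [
        "%-8s %-8s %s (%s)" % (r["user"], r["line"],
                               r["time"].strftime("%Y-%m-%d %H:%M"), r["host"])
        for r in records if r["type"] == USER_PROCESS and r["user"]
    ]


def remote_sessions(records: list) -> list:
    """Audit helper: active sessions whose host is not a local X display (':0.0' etc.)."""
    return [r for r in records
            if r["type"] == USER_PROCESS and r["user"]
            and r["host"] and not r["host"].startswith(":")]


def make_record(ut_type, pid, line, ut_id, user, host, tv_sec) -> bytes:
    """Pack one record; used here only to build the constructed sample file."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ut_id.encode(),
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


# Constructed sample utmp contents (not a capture from a real system).
T = calendar.timegm((2010, 2, 22, 9, 2, 0))
SAMPLE_UTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "~~", "reboot", "", T - 3600),
    make_record(USER_PROCESS, 4321, "pts/1", "ts/1", "root", ":0.0", T),
    make_record(USER_PROCESS, 4388, "pts/2", "ts/2", "alice", "198.51.100.7", T + 55 * 60),
    make_record(DEAD_PROCESS, 4100, "pts/3", "ts/3", "", "", T + 60),
])

if __name__ == "__main__":
    recs = parse_utmp(SAMPLE_UTMP)
    for entry in who(recs):
        print(entry)
    print("remote sessions:", [r["user"] for r in remote_sessions(recs)])
```

Running the block prints two who-style lines (the reboot and dead-process records are skipped, just as who does) and flags alice's session as the only one from a remote host. Pointing parse_utmp at the bytes of a real /var/run/utmp works only on a system whose libc uses the assumed 384-byte layout; on other platforms the struct format string has to be adjusted first.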