Apache log: access log (2)

Article title: Apache log: access log (2 ). Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
3. process Statistics
　　
UNIX can track every command run by every user. if you want to know what important files were messed up last night, the process statistics subsystem can tell you. It is helpful for tracking an intrusion. Unlike the connection time log, the process statistics subsystem is not activated by default and must be started. In Linux, the accton command is used to start process Statistics and must be run as root. The form of the Accton command is accton file, which must exist first. Run the touch command to create the pacct file touch/var/log/pacct, and then run accton: accton/var/log/pacct. Once accton is activated, you can use the lastcomm command to monitor the commands executed in the system at any time. To disable statistics, you can use the accton command without any parameters.
　　
The lastcomm Command reports the previously executed files. Without parameters, the lastcomm command displays information about all commands recorded in the lifecycle of the current statistics file. It includes the command name, user, tty, CPU time consumed by the command, and a timestamp. If the system has many users, the input may be very long. The following example:
　　
Crond F root ?? 0.00 secs Sun Aug 20
Promisc_check.s S root ?? 0.04 secs Sun Aug 20
Promisc_check root ?? 0.01 secs Sun Aug 20
Grep root ?? 0.02 secs Sun Aug 20
Tail root ?? 0.01 secs Sun Aug 20
Sh root ?? 0.01 secs Sun Aug 20
Ping S root ?? 0.01 secs Sun Aug 20
Ping6.pl F root ?? 0.01 secs Sun Aug 20
Sh root ?? 0.01 secs Sun Aug 20
Ping S root ?? 0.02 secs Sun Aug 20
Ping6.pl F root ?? 0.02 secs Sun Aug 20
Sh root ?? 0.02 secs Sun Aug 20
Ping S root ?? 0.00 secs Sun Aug 20
Ping6.pl F root ?? 0.01 secs Sun Aug 20
Sh root ?? 0.01 secs Sun Aug 20
Ping S root ?? 0.01 secs Sun Aug 20
Sh root ?? 0.02 secs Sun Aug 20
Ping S root ?? 1.34 secs Sun Aug 20
Locate root ttyp0 1.34 secs Sun Aug 20
Accton S root ttyp0 0.00 secs Sun Aug 20
　　
One problem with process statistics is that the pacct file may grow very rapidly. In this case, you need to run the sa command interactively or through the cron mechanism to keep the log data under system control. Sa command reports, cleans and maintains process statistical files. It can compress the information in/var/log/pacct to the abstract file/var/log/savacct and/var/log/usracct. These summaries contain system Statistics by command name and user name. By default, sa reads them first and then the pacct file so that the report can contain all available information. The output of sa has the following mark items:
　　
Avio-average number of I/O operations performed each time
Cp-sum of user and system time, measured in minutes
Cpu -- same as cp
K -- average CPU time used by the kernel, in the unit of 1 k
K * sec-CPU storage integrity, in 1 k-core seconds
Re-real-time, measured in minutes
S-system time, measured in minutes
Total number of tio -- I/O operations
U-user time, in minutes
　　
For example:
　　
842 173.26re 4.30cp 0 avio 358 k
2 10.98re 4.06cp 0 avio 299 k find
9 24.80re 0.05cp 0 avio 291 k *** other
105 30.44re 0.03cp 0 avio 302 k ping
104 30.55re 0.03cp 0 avio 394 k sh
162 0.11re 0.03cp 0 avio 413 k security. sh *
154 0.03re 0.02cp 0 avio 273 k ls
56 31.61re 0.02cp 0 Avi 823 k ping6.pl *
2 3.23re 0.02cp 0 Avi 822 k ping6.pl
35 0.02re 0.01cp 0 avio 257 k md5sum
97 0.02re 0.01cp 0 avio 263 k initlog
12 0.19re 0.01cp 0 Avi 399 k promisc_check.s
15. 0.09re. 0.00cp 0 avio 288 k grep
11 0.08re 0.00cp 0 avio 332 k awk
　　
You can also provide a summary report based on the user rather than the command. For example, sa-m is shown as follows:
　　
885 173.28re 4.31cp 0avk
Root 879 173.23re 4.31cp 0avk
Alias 3 0.05re 0.00cp 0avk
Qmailp 3 0.01re 0.00cp 0avk
　　
4. Syslog device
　　
Syslog has been adopted by many log functions and is used in many protection measures-any program can record events through syslog. Syslog records system events, writes to a file or device, or sends a message to users. It can record local events or events on another host through the network.
　　
The Syslog device depends on two important files:/etc/syslogd (daemon) and/etc/syslog. conf configuration file. Traditionally, most syslog information is written to the/var/adm or the/var/log Directory Information File (messages. *). A typical syslog record includes the name of the generated program and a text message. It also includes a device and a priority range (but not in the day ).
　　
Each syslog message is assigned to one of the following main devices:
　　
LOG_AUTH -- authentication system: login, su, getty, etc.
LOG_AUTHPRIV -- same as LOG_AUTH, but only log on to the selected readable file by a single user
LOG_CRON -- cron daemon
LOG_DAEMON -- other system daemprocesses, such as routed
LOG_FTP -- File Transfer Protocol: ftpd, tftpd
LOG_KERN -- message generated by the kernel
LOG_LPR-system printer buffer pool: lpr, lpd
LOG_MAIL -- email system
LOG_NEWS-network news system
LOG_SYSLOG-internal messages generated by syslogd (8)
LOG_USER -- messages generated by random user processes
LOG_UUCP--UUCP subsystem
LOG_LOCAL0 ~ LOG_LOCAL7 -- reserved for local use
　　
Syslog assigns several different priorities to each event:
　　
LOG_EMERG-Emergency
LOG_ALERT-problems that should be corrected immediately, such as system database damages
LOG_CRIT-important cases, such as hard disk errors
LOG_ERR -- error
LOG_WARNING -- warning information
LOG_NOTICE -- not an error, but it may need to be processed
LOG_INFO -- intelligence information
LOG_DEBUG -- contains information about intelligence, which is usually used to debug a program.
　　
The syslog. conf file indicates the log action recorded by the syslogd program. The program queries the configuration file at startup. This file consists of a single entry of different programs or message categories, each occupying a row. Provides a selection domain and an action domain for each type of message. These fields are separated by tabs: Select a domain to specify the type and priority of the message. The action domain indicates the action that syslogd performs when receiving a message that matches the selection criteria. Each option is composed of a device and a priority. When a priority is specified, syslogd records a message with the same or higher priority. Therefore, if "crit" is specified, all messages marked as crit, alert, and emerg will be recorded. The action fields in each row indicate where to send a specified message to the selected domain. For example, if you want to record all the mail messages to a file, as follows:
　　
# Log all the mail messages in one place
Mail. */var/log/maillog
　　
Other devices also have their own logs. UUCP and news devices can produce many external messages. It stores these messages in its own logs (/var/log/spooler) and limits the level to "err" or higher. For example:
　　
# Save mail and news errors of level err and higher in aspecial file.
Uucp, news. crit/var/log/spooler
　　
When an emergency message arrives, all users may want to get it. You may also want to receive and save your own logs.
　　
# Everybody gets emergency messages, plus log them on anther machine
*. Emerg *
*. Emerg @ linuxaid.com.cn
　　
Alert messages should be written to the root and tiger personal accounts:
　　
# Root and Tiger get alert and higher messages
*. Alert root, tiger
　　
Sometimes syslogd will generate a large number of messages. For example, the kernel ("kern" device) may be lengthy. You may want to record kernel messages to/dev/console. The following example shows that the kernel log is commented out:
　　
# Log all kernel messages to the console
# Logging much else clutters up the screen
# Kern. */dev/console
　　
You can specify all devices in a row. In the following example, messages of info or higher level are sent to/var/log/messages, except for mail. Level "none" disables a device:
　　
# Log anything (could t mail) of level info or higher
# Don't log private authentication messages!
*. Info: mail. none; authpriv. none/var/log/messages
　　
In some cases, logs can be sent to the printer, so that it is useless for network intruders to modify logs. Generally, a wide range of logs are required. Syslog device is a notable target for attackers. A system that maintains logs for other hosts is particularly vulnerable to server attacks.
　　
A small command logger provides a shell command interface for syslog (3) system log files so that you can create entries in the log files. Usage: logger for example: logger This is a test!
　　
It will generate the following syslog record: Aug 19 22:22:34 tiger: This is a test!
　　
Be sure not to trust logs completely, because attackers can easily modify logs.
　　
5. Program Logs
　　
Many programs maintain logs to reflect the security status of the system. The su command allows the user to obtain permissions of another user, so its security is very important. its file is sulog. Sudolog is also available. In addition, Apache has two logs: access_log and error_log.