SSH login log, ssh login record, recent SSH login

Source: Internet
Author: User
Tags: syslog

Linux login log: /var/log/secure (the root user can delete this file)


Logs are important for security: they document what happens on the system from day to day, help to find the cause of an error, and record the traces an intruder leaves behind. Every log entry carries a timestamp.

The two main functions of logs are auditing and monitoring. The state of the system can be observed in real time in order to detect and track intruders.


Linux systems have three major log subsystems:

Connection time log: maintained by several programs (such as login) that write records to the wtmp and utmp files, /var/log/wtmp and /var/log/utmp, enabling system administrators to track who is logged on to the system.

Process accounting: performed by the system kernel. When a process terminates, a record for that process is written to the process accounting file (pacct or acct). The purpose of process accounting is to provide command usage statistics for the basic services on the system.

Error log: handled by syslogd(8). System daemons, user programs and the kernel report noteworthy events to the file /var/log/messages through syslog(3). Many other UNIX programs create their own logs, and servers for services such as HTTP and FTP keep detailed logs of their own.


The usual log files are as follows:

access-log: records HTTP/web transfers

xferlog: records FTP sessions

acct/pacct: records user commands

messages: information from syslog (some are links to the syslog file)

aculog: records modem activity

sudolog: records commands issued through sudo

sulog: records use of the su command (on this system recorded in /var/log/secure)

syslog: information from syslog (usually linked to the messages file)

lastlog: records each user's most recent successful login and last unsuccessful login

utmp: records each user who is currently logged on

wtmp: a permanent record of each user's login and logout times, including data exchange, shutdown and restart information

btmp: records failed login attempts

The utmp, wtmp and lastlog files are the core of the UNIX login-logging subsystem: they keep the record of users logging in and out.

wtmp files can grow without limit unless they are periodically truncated, and on systems with many users they grow very quickly. Many systems are configured to rotate wtmp daily or weekly. This is usually done by a script run from cron that renames the wtmp file (adding a time suffix) so that a fresh wtmp file can be started.


Each time a user logs in, the login program looks up the user's UID in the lastlog file. If it is found, the user's last login time, logout time and hostname are written to standard output, and the login program then records the new login time in lastlog. After the new lastlog record is written, the utmp file is opened and the user's utmp record is inserted. This record is removed when the user logs out. The utmp file is used by various commands, including who, w, users and finger.

In addition, the login program opens the wtmp file and appends the utmp record to it; when the user logs out, the same utmp record with a new timestamp is appended to wtmp again. The wtmp file is used by last and ac.
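The record sequence just described (a login record appended to wtmp, then a logout record for the same tty with a new timestamp), as an added example that is not code from the page: a Python parser for the binary utmp/wtmp layout that pairs login and logout records the way last does. It assumes the glibc struct utmp layout used on x86_64 Linux (384 bytes per record; the page does not say which architecture it uses) and constructs its own sample wtmp bytes modelled on the page's transfor logins. The names pack_record, parse_wtmp, sessions and format_last are mine.

```python
"""Added example: read wtmp/utmp binary records and rebuild sessions like `last`."""
import struct
from datetime import datetime, timezone

# Assumption: glibc struct utmp as laid out on x86_64 Linux, 384 bytes per
# record (the page does not state an architecture; other ABIs differ).
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

# ut_type values from <utmp.h>
USER_PROCESS = 7   # login record written when a session starts
DEAD_PROCESS = 8   # logout record appended with a new timestamp when it ends


def _cstr(raw):
    """Decode a NUL-padded fixed-width text field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def pack_record(ut_type, pid, line, user, host, when):
    """Build one record in the same layout (used here only to construct sample data)."""
    ts = int(when.timestamp())
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0, b"")


def parse_wtmp(data):
    """Return one dict per record; wtmp is binary, so tail/less cannot show it."""
    if len(data) % UTMP_SIZE:
        raise ValueError("wtmp length is not a multiple of %d bytes" % UTMP_SIZE)
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({
            "type": f[0], "pid": f[1], "line": _cstr(f[2]), "id": _cstr(f[3]),
            "user": _cstr(f[4]), "host": _cstr(f[5]),
            "time": datetime.fromtimestamp(f[9], tz=timezone.utc),
        })
    return records


def sessions(records):
    """Pair each login (USER_PROCESS) with the logout (DEAD_PROCESS) on the same tty.

    Returns (user, line, host, login, logout) tuples, newest login first;
    logout is None for sessions still open at the end of the file.
    """
    open_by_line, result = {}, []
    for r in records:
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            login = open_by_line.pop(r["line"])
            result.append((login["user"], login["line"], login["host"],
                           login["time"], r["time"]))
    for login in open_by_line.values():
        result.append((login["user"], login["line"], login["host"],
                       login["time"], None))
    result.sort(key=lambda s: s[3], reverse=True)
    return result


def format_last(sess):
    """Render sessions in the style of the `last` command."""
    lines = []
    for user, line, host, login, logout in sess:
        start = login.strftime("%a %b %d %H:%M")
        if logout is None:
            end = "still logged in"
        else:
            dur = logout - login
            hours = dur.days * 24 + dur.seconds // 3600
            minutes = dur.seconds % 3600 // 60
            end = "- %s (%02d:%02d)" % (logout.strftime("%H:%M"), hours, minutes)
        lines.append("%-8s %-6s %-15s %s %s" % (user, line, host, start, end))
    return lines


# Constructed sample wtmp, modelled on the page's transfor logins (UTC times).
SAMPLE_WTMP = b"".join([
    pack_record(USER_PROCESS, 2001, "pts/0", "transfor", "122.10.70.66",
                datetime(2015, 9, 24, 6, 45, tzinfo=timezone.utc)),
    pack_record(USER_PROCESS, 2002, "pts/1", "transfor", "122.10.70.66",
                datetime(2015, 9, 24, 6, 56, tzinfo=timezone.utc)),
    pack_record(DEAD_PROCESS, 2002, "pts/1", "", "",
                datetime(2015, 9, 24, 23, 6, tzinfo=timezone.utc)),
])

if __name__ == "__main__":
    # On a real host: parse_wtmp(open("/var/log/wtmp", "rb").read())
    for text in format_last(sessions(parse_wtmp(SAMPLE_WTMP))):
        print(text)
```

Because the logout record carries only the tty and a new timestamp, the pairing has to be done by line name, which is also why a truncated or rotated wtmp shows sessions as "still logged in" when their logout record fell into the previous file.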


Specific commands:

wtmp and utmp are binary files: they cannot be read with text tools such as tail, or even opened sensibly by them. The information in them is extracted with the who, w, users, last and ac commands.

who: queries the utmp file and reports each user who is currently logged on. The standard output of who includes the user name, terminal, login time and remote host IP. who /var/log/wtmp lists every login since the wtmp file was created or truncated (similar to last; rarely used).

[root@<host> log]# who

transfor pts/0 2015-09-24 06:45 (122.10.70.66)

transfor pts/1 2015-09-25 01:01 (122.10.70.66)

transfor pts/2 2015-09-25 02:24 (122.10.70.66)

w: queries the utmp file and displays, for each user on the system, the login details and the process they are currently running. For example:

[root@<host> log]# w

06:15:32 up Days, 7:10, 4 users, load average: 0.57, 0.47, 0.43

USER TTY LOGIN@ IDLE JCPU PCPU WHAT

transfor pts/0 Thu06 23:45m 0.54s 0.11s sshd: transfor [priv]

users: prints the currently logged-on users on a single line, one name per login session. If a user has more than one login session, that user name appears the same number of times.

[root@<host> log]# users

transfor transfor transfor transfor

last: searches wtmp and shows every user who has logged in since the file was created.

[root@<host> log]# last

transfor pts/3 122.10.70.66 Fri Sep 09:41 still logged in

transfor pts/3 122.10.70.66 Fri Sep 25 09:19 - 09:28 (00:08)

transfor pts/3 122.10.70.66 Fri Sep 25 02:56 - 03:34 (00:38)

transfor pts/2 122.10.70.66 Fri Sep 02:24 still logged in

transfor pts/1 122.10.70.66 Fri Sep 01:01 still logged in

transfor pts/1 122.10.70.66 Thu Sep 24 06:56 - 23:06 (16:09)

transfor pts/0 122.10.70.66 Thu Sep 06:45 still logged in

transfor pts/0 122.10.70.66 Wed Sep 23 03:52 - 21:35 (17:42)

transfor pts/0 122.10.70.66 Sat Sep 19 02:32 - 06:20 (03:47)

transfor pts/2 122.10.70.66 Thu Sep 17 05:48 - 22:55 (1+17:06)

transfor pts/1 122.10.70.66 Thu Sep 17 05:25 - 22:55 (1+17:29)


To view the relevant text logs on Linux:

# less /var/log/secure

# less /var/log/messages
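As an added example for the /var/log/secure log just mentioned (not code from the page): a small Python summariser for the sshd lines that file holds, listing accepted logins by user and source address and flagging source addresses with repeated failures. The sample lines are constructed, modelled on the page's user and address; SSHD_RE, parse_secure and summarize are my names, and the line format is the one sshd writes through syslog on CentOS/RHEL-style systems (Debian-family systems put the same lines in /var/log/auth.log).

```python
"""Added example: summarise SSH logins from /var/log/secure-style syslog lines."""
import re
from collections import Counter

# Matches the sshd lines written for accepted and failed authentication.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssshd\[(?P<pid>\d+)\]:\s"
    r"(?P<result>Accepted|Failed)\s(?P<method>\S+)\sfor\s(?:invalid user\s)?"
    r"(?P<user>\S+)\sfrom\s(?P<ip>[\d.]+)\sport\s(?P<port>\d+)"
)

# Constructed sample, modelled on the page's user and source address.
SAMPLE_SECURE = """\
Sep 24 06:45:02 host sshd[2001]: Accepted password for transfor from 122.10.70.66 port 50122 ssh2
Sep 24 06:45:02 host sshd[2001]: pam_unix(sshd:session): session opened for user transfor by (uid=0)
Sep 25 00:58:41 host sshd[2130]: Failed password for root from 198.51.100.7 port 40000 ssh2
Sep 25 00:58:44 host sshd[2130]: Failed password for root from 198.51.100.7 port 40000 ssh2
Sep 25 00:58:47 host sshd[2132]: Failed password for invalid user admin from 198.51.100.7 port 40011 ssh2
Sep 25 01:01:10 host sshd[2140]: Accepted password for transfor from 122.10.70.66 port 50321 ssh2
"""


def parse_secure(text):
    """Return one dict per authentication line; other sshd/pam lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events, fail_threshold=3):
    """Accepted logins per (user, ip), failure counts per ip, and ips at or over the threshold."""
    accepted = [(e["user"], e["ip"]) for e in events if e["result"] == "Accepted"]
    failures = Counter(e["ip"] for e in events if e["result"] == "Failed")
    suspicious = sorted(ip for ip, n in failures.items() if n >= fail_threshold)
    return {"accepted": accepted, "failures": dict(failures), "suspicious": suspicious}


if __name__ == "__main__":
    # On a real host: summarize(parse_secure(open("/var/log/secure").read()))
    report = summarize(parse_secure(SAMPLE_SECURE))
    for user, ip in report["accepted"]:
        print("accepted", user, "from", ip)
    for ip in report["suspicious"]:
        print("repeated failures from", ip, report["failures"][ip])
```

Like the wtmp commands above, this reads only what the log already contains; since root can delete or truncate /var/log/secure, a copy shipped off-host through syslog is what makes the summary trustworthy after a compromise.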






