Linux system logs and analysis, linux logs

Source: Internet
Author: User
Tags rsyslog


Linux has a flexible and powerful logging facility that records almost every operation on the system, so that the information you need can later be retrieved from it.

The default logging daemon on most Linux distributions is syslogd or, on current systems, rsyslogd. The configuration file is /etc/syslog.conf or /etc/rsyslog.conf (rsyslog also reads drop-in files under /etc/rsyslog.d/). Any program that wants to generate logs can send its messages to syslog.

The Linux kernel and many programs generate error messages, warnings and other notices that tell an administrator how the system is running, so they should be written to log files.

The program that does this is syslog. Syslog can write logs to different files according to each message's category (facility) and priority.

For example, kernel messages can be separated from everything else into their own log file for easier reading. By default, log files are stored under /var/log.

Log Type

The following are the common log types (called facilities in syslog.conf); not every Linux distribution uses all of them:

Type           Description
auth           Messages generated during user authentication, for example by login and su.
authpriv       Like auth, but written to a log file that only privileged users can read.
console        Messages destined for the system console.
cron           Messages generated by scheduled tasks (cron and at).
daemon         Messages from system daemons that have no facility of their own.
ftp            The FTP service.
kern           Kernel messages.
local0-local7  Reserved for local use by custom programs.
lpr            Printing subsystem.
mail           Mail system.
mark           Timestamps generated by syslog itself: at a fixed interval it writes the current time to the log file, in the form "May 26 11:17:09 rs2 -- MARK --". These lines let you estimate when a failure occurred.
news           Messages from the Network News Transfer Protocol (NNTP) subsystem.
ntp            Messages from the Network Time Protocol (NTP) subsystem.
user           Messages from ordinary user processes (the default facility).
uucp           The UUCP subsystem.
Log priority

The common log priorities (severities), from most to least urgent, are listed in the table below:

Priority   Description
emerg      Emergency: the system is unusable (for example, a crash). Usually broadcast to all logged-in users.
alert      Action must be taken immediately, for example a corrupted system database.
crit       Critical conditions, such as a hard disk error, that may prevent parts of a program from working.
err        Ordinary error conditions.
warning    Warning conditions.
notice     Normal but significant conditions that may need attention.
info       Informational messages.
debug      Debug-level messages produced while developing or troubleshooting a program.
none       Not a priority in its own right: used in a selector (for example mail.none) to exclude a facility, so that rule records no messages from it.
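The facility and priority names in the two tables above are what syslog actually routes on: a raw message carries a <PRI> prefix equal to facility * 8 + severity, and each rule in syslog.conf or rsyslog.conf is a selector of the form facility.priority (several entries separated by ";", with "none", "=" and "!" modifiers) followed by an action. The following Python is an added example, not code from the original page: it decodes the PRI of a raw message and evaluates selectors against a constructed rule set in the shape of the stock CentOS rsyslog.conf, plus the *.warning rule for /var/log/syslog described later on this page. The "<34>" message is the sample from RFC 3164; the other sample lines are constructed.

```python
import re

# Facility and severity codes as numbered in RFC 5424 / <syslog.h>; the PRI
# value at the start of a raw syslog message is facility * 8 + severity.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "ntp": 12, **{f"local{i}": 16 + i for i in range(8)},
}
PRIORITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
PRIORITY_NAMES = {v: k for k, v in PRIORITIES.items()}


def decode_pri(raw):
    """Split the <PRI> prefix of a raw syslog line into (facility, priority, rest)."""
    m = re.match(r"<(\d{1,3})>(.*)", raw, re.S)
    if not m or int(m.group(1)) > 191:          # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("no valid <PRI> prefix: %r" % raw[:40])
    fac_code, sev_code = divmod(int(m.group(1)), 8)
    return (FACILITY_NAMES.get(fac_code, f"facility{fac_code}"),
            PRIORITY_NAMES[sev_code], m.group(2))


def selector_matches(selector, facility, priority):
    """Evaluate one syslog.conf selector field ("*.info;mail.none") for a message.

    Entries are applied left to right, so a later "none" or "!prio" entry takes
    away what an earlier one granted; "=prio" means that priority only, a bare
    priority means that priority and everything more urgent, "*" means all.
    """
    sev = PRIORITIES[priority]
    matched = False
    for entry in selector.split(";"):
        facs, _, prio = entry.strip().rpartition(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        negate = prio.startswith("!")
        prio = prio.lstrip("!")
        if prio == "none":
            matched = False
        elif prio == "*":
            matched = not negate
        else:
            hit = (sev == PRIORITIES[prio[1:]] if prio.startswith("=")
                   else sev <= PRIORITIES[prio])
            if hit:
                matched = not negate
    return matched


def route(rules, raw):
    """Return the actions (log files) a raw message is written to under `rules`."""
    fac, prio, _ = decode_pri(raw)
    return [action for selector, action in rules if selector_matches(selector, fac, prio)]


# Constructed rule set (assumption: shape of the stock RHEL/CentOS rsyslog.conf),
# plus the "*.warning /var/log/syslog" rule this page adds.
RULES = [
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("mail.*", "/var/log/maillog"),
    ("cron.*", "/var/log/cron"),
    ("*.emerg", ":omusrmsg:*"),
    ("*.warning", "/var/log/syslog"),
]

if __name__ == "__main__":
    for raw in ("<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
                "<86>Nov  2 10:34:20 TestStation sshd[1260]: Accepted password for root from 203.0.113.5 port 51300 ssh2"):
        print(decode_pri(raw)[:2], "->", route(RULES, raw))
```

Note that authpriv.none in the first rule is why sshd and su messages (facility authpriv) reach /var/log/secure but not /var/log/messages on a RedHat-style system, while the RFC sample message, logged under plain auth, lands in both /var/log/messages and the added /var/log/syslog.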
Common log files

System logs are managed by the syslog service. For example, the following log files are all written by syslog or by the login subsystem:

/var/log/boot.log: records system events during the boot process, that is, the information displayed while the Linux system starts up and runs its checks.

/var/log/lastlog: records the time of each user's most recent successful login and the host or IP address it came from.

/var/log/messages: records general system and service messages, including error messages, on RedHat-style systems.

/var/log/secure: the Linux security log on RedHat-style systems, which records user and group changes and user login authentication (login, su, sudo, sshd).

/var/log/btmp: records the users, times and remote IP addresses of failed logins. Binary; view it with lastb.

/var/log/syslog: on Debian-style systems the main system log; on a RedHat-style system it exists only if you add a rule such as *.warning to the syslog configuration, in which case it holds warning-and-higher messages, which are usually the ones that point at system problems. It is a text file, so view it with less, tail or grep.

/var/log/wtmp: permanently records every user's logins and logouts together with system startups and shutdowns. Binary; view it with the last command.

/var/run/utmp: records the users currently logged in. Programs such as who, w, users and finger read this file.

/var/log/syslog or /var/log/messages stores global system activity, including boot messages. Debian-based systems such as Ubuntu use /var/log/syslog, while RedHat-based systems such as RHEL or CentOS use /var/log/messages.

/var/log/auth.log or /var/log/secure stores authentication events from the Pluggable Authentication Modules (PAM) stack, including successful logins, failed login attempts and the authentication method used. Ubuntu and Debian record them in /var/log/auth.log, RedHat and CentOS in /var/log/secure.
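Because auth.log and secure are plain syslog text, the first analysis most people need is to pull the sshd and su events out of them, count failures per source address, and ask whether any address that was failing eventually got in. The following Python is an added example, not code from the original page. The log lines are constructed in the format rsyslog writes on CentOS 7 (the host name TestStation and all addresses are made up); the threshold and the pam_unix message regexes are assumptions to adjust for your distribution (newer pam_unix versions append "(uid=N)" to the user name in "session opened" lines).

```python
import re
from collections import Counter

# Syslog text line as written to /var/log/secure or auth.log:
# "Mon DD hh:mm:ss host prog[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# OpenSSH: "Accepted publickey for suda from 198.51.100.7 port 40100 ssh2: ..."
#          "Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2"
SSH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")
# pam_unix lines logged by su (assumption: the CentOS 7 wording shown in the sample)
SU_FAIL_RE = re.compile(
    r"pam_unix\(su(?:-l)?:auth\): authentication failure;.*\bruser=(?P<ruser>\S*).*\buser=(?P<user>\S+)")
SU_OK_RE = re.compile(
    r"pam_unix\(su(?:-l)?:session\): session opened for user (?P<user>\S+) by (?P<ruser>[^(\s]+)")


def parse_events(lines):
    """Turn raw auth-log lines into login events; lines we do not model are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        prog, msg = m["prog"], m["msg"]
        if prog == "sshd":
            s = SSH_RE.match(msg)
            if s:
                events.append({"ts": m["ts"], "src": "sshd", "ok": s["result"] == "Accepted",
                               "method": s["method"], "user": s["user"], "ip": s["ip"]})
        elif prog == "su":
            f, o = SU_FAIL_RE.search(msg), SU_OK_RE.search(msg)
            if f:
                events.append({"ts": m["ts"], "src": "su", "ok": False, "user": f["user"], "by": f["ruser"]})
            elif o:
                events.append({"ts": m["ts"], "src": "su", "ok": True, "user": o["user"], "by": o["ruser"]})
    return events


def failed_ssh_by_ip(events):
    """Failed SSH logins per source address (the background noise on any exposed host)."""
    return Counter(e["ip"] for e in events if e["src"] == "sshd" and not e["ok"])


def success_after_failures(events, threshold=3):
    """Addresses whose accepted login came after >= threshold failures: the pattern
    worth paging on, as opposed to failures alone. Relies on file order."""
    failures, flagged = Counter(), {}
    for e in events:
        if e["src"] != "sshd":
            continue
        if not e["ok"]:
            failures[e["ip"]] += 1
        elif failures[e["ip"]] >= threshold:
            flagged[e["ip"]] = {"failures": failures[e["ip"]], "user": e["user"],
                                "method": e["method"], "ts": e["ts"]}
    return flagged


def su_to_root(events):
    """(invoking user, succeeded) for every su attempt targeting root."""
    return [(e["by"], e["ok"]) for e in events if e["src"] == "su" and e["user"] == "root"]


# Constructed sample, not captured from a real system.
SAMPLE_LINES = """\
Nov  2 10:30:01 TestStation sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Nov  2 10:30:03 TestStation sshd[1203]: Failed password for invalid user oracle from 203.0.113.5 port 51236 ssh2
Nov  2 10:30:05 TestStation sshd[1205]: Failed password for root from 203.0.113.5 port 51240 ssh2
Nov  2 10:30:07 TestStation sshd[1207]: Failed password for root from 203.0.113.5 port 51242 ssh2
Nov  2 10:31:12 TestStation sshd[1220]: Accepted publickey for suda from 198.51.100.7 port 40100 ssh2: RSA SHA256:AAAA
Nov  2 10:32:40 TestStation su: pam_unix(su:auth): authentication failure; logname=suda uid=1000 euid=0 tty=pts/2 ruser=suda rhost=  user=root
Nov  2 10:32:55 TestStation su: pam_unix(su-l:session): session opened for user root by suda(uid=1000)
Nov  2 10:34:20 TestStation sshd[1260]: Accepted password for root from 203.0.113.5 port 51300 ssh2
Nov  2 10:34:21 TestStation sshd[1260]: pam_unix(sshd:session): session opened for user root by (uid=0)
""".splitlines()

if __name__ == "__main__":
    ev = parse_events(SAMPLE_LINES)
    print("failed ssh by ip:", dict(failed_ssh_by_ip(ev)))
    print("success after failures:", success_after_failures(ev))
    print("su to root:", su_to_root(ev))
```

To run this against a live host, replace SAMPLE_LINES with the lines of /var/log/secure or /var/log/auth.log; the same parse also works on the output of journalctl -o short when the journal is in use.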

Log file details:

/var/log/boot.log

This file records system events during the boot process, that is, the information displayed while the Linux system starts up and runs its checks.

/var/log/syslog

By default, CentOS and Fedora do not generate this log file, but you can configure /etc/syslog.conf (or /etc/rsyslog.conf) so that the system produces it.

It differs from /var/log/messages in that it only records warning-and-higher messages, which are usually the ones that indicate system problems. Therefore, you should pay more attention to this file.

To make the system generate the log file, add the following line to /etc/syslog.conf:

*.warning    /var/log/syslog

/var/log/secure

This log file records information such as wrong passwords, sendmail problems and failed su commands, as recorded by login and other services during user logon.

/var/log/lastlog

This log file records each user's most recent successful login (and the last unsuccessful attempt), written by login. It is a binary file and must be viewed with the lastlog command, which displays the username, port, origin and last login time sorted by UID. A user who has never logged in is shown as "**Never logged in**". Run lastlog as root and you will see output similar to Figure 4:

[root@TestStation etc]# lastlog
Username         Port     From             Latest
root             pts/0    110.87.109.20    Wed Nov  2 10:34:20 +0800 2016
bin                                        **Never logged in**
daemon                                     **Never logged in**
adm                                        **Never logged in**
lp                                         **Never logged in**
sync                                       **Never logged in**
shutdown                                   **Never logged in**
halt                                       **Never logged in**
mail                                       **Never logged in**
uucp                                       **Never logged in**
operator                                   **Never logged in**
games                                      **Never logged in**
gopher                                     **Never logged in**
ftp                                        **Never logged in**
nobody                                     **Never logged in**
vcsa                                       **Never logged in**
saslauth                                   **Never logged in**
postfix                                    **Never logged in**
sshd                                       **Never logged in**
ntp                                        **Never logged in**
suda             pts/2    222.79.79.120    Tue Oct 25 16:00:01 +0800 2016

/var/log/wtmp

This log file permanently records every user's logins and logouts as well as system startups and shutdowns, so it keeps growing while the system runs, at a rate that depends on how often users log in. It is the file to consult for a user's login history. The last command reads it and prints the login records in reverse chronological order; last can also filter the records by user, terminal (tty) or time.

/var/run/utmp

This file records the users currently logged in, so it changes as users log in and out. It holds only the sessions that are open right now and is not a permanent record. Programs that need the current user status, such as who, w, users and finger, read it. The information in utmp is not always accurate: when a session is terminated unexpectedly, the system may not update its utmp entry in time, so the file should not be fully trusted.

The three files above (/var/log/wtmp, /var/run/utmp and /var/log/lastlog) are the key files of the login-accounting part of the log subsystem; all of them record user login state, and every record carries a timestamp. They are stored in binary form, so you cannot read them directly with cat or less; use the commands above instead. utmp and wtmp share the same record structure (struct utmp), while lastlog uses a different one (struct lastlog); see man 5 utmp and the lastlog.h header for the exact layouts.

Each time a user logs in, the login program looks up the user's UID in lastlog. If an entry exists, the user's last login time and host name are written to standard output. login then records the new login time in lastlog, opens utmp and inserts a utmp record for the user. That record is removed when the user logs out. The utmp file is used by commands such as who, w, users and finger.

Next, the login program opens wtmp and appends the user's utmp record. When the user logs out, the same record with an updated timestamp (and the process marked as ended) is appended again. The wtmp file is read by the last command.
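Because wtmp, utmp and lastlog are sequences of fixed-size binary records, reading them only requires the struct layouts from the <utmp.h> and <lastlog.h> headers. The following Python is an added example, not code from the original page: it decodes the glibc x86_64 layouts (struct utmp is 384 bytes, struct lastlog 292 bytes; other architectures or C libraries can differ, so check man 5 utmp on your system) and pairs USER_PROCESS login records with the DEAD_PROCESS or reboot records that end them, which is what the last command does with wtmp. The records are constructed with struct.pack rather than read from a real host, so it runs offline; to use it on a live file, pass open("/var/log/wtmp", "rb").read() to parse_utmp.

```python
import ipaddress
import struct
import time

# Layouts from glibc x86_64 <utmp.h> / <lastlog.h> (assumption: other
# architectures and C libraries can differ; see `man 5 utmp`).
UTMP_FMT = "<hxxi32s4s32s256shhiii16s20x"   # ut_type, ut_pid, ut_line, ut_id, ut_user, ut_host,
UTMP_SIZE = struct.calcsize(UTMP_FMT)       # ut_exit{2}, ut_session, ut_tv{2}, ut_addr_v6, pad -> 384
LASTLOG_FMT = "<i32s256s"                   # ll_time, ll_line, ll_host -> 292, one slot per UID
LASTLOG_SIZE = struct.calcsize(LASTLOG_FMT)

BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8   # ut_type values used below


def _cstr(raw):
    """NUL-terminated fixed-width field to str."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def _addr(raw16):
    """ut_addr_v6: IPv4 occupies the first 4 bytes (network order), IPv6 all 16."""
    if raw16 == b"\0" * 16:
        return ""
    if raw16[4:] == b"\0" * 12:
        return str(ipaddress.IPv4Address(raw16[:4]))
    return str(ipaddress.IPv6Address(raw16))


def parse_utmp(data):
    """Decode every 384-byte record of a utmp/wtmp byte string (trailing partial bytes ignored)."""
    recs = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        (ut_type, pid, line, ut_id, user, host, _term, _exit, _sess,
         tv_sec, _tv_usec, addr) = struct.unpack_from(UTMP_FMT, data, off)
        recs.append({"type": ut_type, "pid": pid, "line": _cstr(line), "id": _cstr(ut_id),
                     "user": _cstr(user), "host": _cstr(host), "time": tv_sec, "addr": _addr(addr)})
    return recs


def sessions(records):
    """Pair each USER_PROCESS login with the DEAD_PROCESS on the same tty (or the next
    reboot) that ends it, as `last` does; a session with logout None is still open."""
    open_by_line, closed = {}, []
    for r in records:
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = dict(r, logout=None)
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            s = open_by_line.pop(r["line"])
            s["logout"] = r["time"]
            closed.append(s)
        elif r["type"] == BOOT_TIME:       # a reboot ends everything still open
            for s in open_by_line.values():
                s["logout"] = r["time"]
                closed.append(s)
            open_by_line.clear()
    return closed + list(open_by_line.values())


def parse_lastlog(data):
    """Return {uid: record or None}; an all-zero slot means that UID never logged in."""
    by_uid = {}
    for uid, off in enumerate(range(0, len(data) - LASTLOG_SIZE + 1, LASTLOG_SIZE)):
        ll_time, line, host = struct.unpack_from(LASTLOG_FMT, data, off)
        by_uid[uid] = None if ll_time == 0 else {"time": ll_time, "line": _cstr(line), "host": _cstr(host)}
    return by_uid


# --- constructed sample data (not captured from a real host) -----------------
def make_utmp(ut_type, pid, line, ut_id, user, host, tv_sec, addr=""):
    raw = ipaddress.ip_address(addr).packed.ljust(16, b"\0") if addr else b"\0" * 16
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ut_id.encode(),
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, raw)


SAMPLE_WTMP = b"".join([
    make_utmp(BOOT_TIME, 0, "~", "~~", "reboot", "3.10.0-693.el7.x86_64", 1477350000),
    make_utmp(USER_PROCESS, 1234, "pts/2", "ts/2", "suda", "222.79.79.120", 1477382401, "222.79.79.120"),
    make_utmp(DEAD_PROCESS, 1234, "pts/2", "ts/2", "", "", 1477386001),
    make_utmp(USER_PROCESS, 2000, "pts/0", "ts/0", "root", "110.87.109.20", 1478054060, "110.87.109.20"),
])
SAMPLE_LASTLOG = b"".join([
    struct.pack(LASTLOG_FMT, 1478054060, b"pts/0", b"110.87.109.20"),  # uid 0 (root)
    struct.pack(LASTLOG_FMT, 0, b"", b""),                              # uid 1 (bin): never logged in
])

if __name__ == "__main__":
    fmt = lambda t: time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(t))
    for s in sessions(parse_utmp(SAMPLE_WTMP)):
        print(f'{s["user"]:<10}{s["line"]:<8}{s["host"]:<16}{fmt(s["time"])}  '
              + (fmt(s["logout"]) if s["logout"] else "still logged in"))
```

Reading the raw records rather than trusting last or who has a forensic use: an attacker who cleans wtmp by zeroing records leaves EMPTY-type entries (ut_type 0) at positions where USER_PROCESS records would be expected, which this parser returns and the standard tools skip.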
