From: http://www.itokit.com/2012/0602/74289.html
Log categories:
1. Connection time logs
Connection time logs are normally kept in the /var/log/wtmp and /var/run/utmp files.
Both files are binary, so they cannot be read directly with cat; the system updates them automatically. They are read with the following commands:
w, who, finger, id, last, lastlog, ac
[root@xhot ~]# who
root tty1
root pts/0 (218.192.87.4)
root pts/1 (218.192.87.4)
root pts/3 2010-10-06 (218.192.87.4)
[root@xhot ~]# w
01:01:02 up, 4 users, load average: 0.15, 0.03, 0.01
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1     -                          1:20m  0.16s  0.16s -bash
root     pts/0    218.192.87.4               2:05m  0.18s  0.18s -bash
root     pts/1    218.192.87.4      41       0.00s  0.41s  0.00s w
root     pts/3    218.192.87.4               1:38m  0.03s  0.03s -bash
[root@xhot ~]# ac -p // view the connection time of each user
u51 1.23
u55 0.04
root 95.21 // root has by far the longest connection time
xhot 0.06
user1 3.93
total 100.48
[root@xhot ~]# ac -a // view the total connection time of all users
total 100.49
[root@xhot ~]# ac -d // view connection time per day
Sep 24 total 0.14
Sep 25 total 14.60
Sep 26 total 13.71
Sep 27 total 21.47
Sep 28 total 11.74
Sep 29 total 6.60
Sep 30 total 8.81
Oct 1 total 9.04
Oct 2 total 0.47 // you can see I was away for the National Day holiday on Oct 3, 4 and 5
Oct 6 total 8.62
Today total 5.29
The other commands are not described in detail here.
2. Process accounting logs
Process accounting logs are very effective for monitoring the commands users run. If a server frequently shows
unexplained shutdowns or deleted files, the process accounting log can be used to trace what was executed:
[root@xhot ~]# accton /var/account/pacct // enable process accounting
[root@xhot ~]# lastcomm // view the process accounting log
accton   S  root pts/1 0.00 secs Thu Oct 7
accton      root pts/1 0.00 secs Thu Oct 7
ac          root pts/1 0.00 secs Thu Oct 7
ac          root pts/1 0.00 secs Thu Oct 7
free        root pts/1 0.00 secs Thu Oct 7
lastcomm    root pts/1 0.00 secs Thu Oct 7
bash     F  root pts/1 0.00 secs Thu Oct 7
lastcomm    root pts/1 0.00 secs Thu Oct 7
ifconfig    root pts/1 0.00 secs Thu Oct 7
lastcomm    root pts/1 0.00 secs Thu Oct 7
lastcomm    root pts/1 0.00 secs Thu Oct 7
lastcomm    root pts/1 0.00 secs Thu Oct 7
accton   S  root pts/1 0.00 secs Thu Oct 7
[root@xhot ~]# accton // disable process accounting
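The accounting records above are easier to review once they are aggregated. The following is an added example, not code from the original article: two POSIX sh functions that read lastcomm-style output and count commands per user, and list records whose command is on a watch list. The sample records and the watch list are constructed for this example; on a real system the output of lastcomm is piped in instead.

```shell
#!/bin/sh
# Added example, not part of the original article: summarise process-accounting
# records in the format printed by lastcomm. Columns are: command, optional flag
# letters (S = run as superuser, F = forked without exec, D = core dumped,
# X = killed by a signal), user, tty, CPU seconds, and the start time. The flag
# column is optional, so records are parsed relative to the "secs" token.

# Constructed sample of lastcomm output (not real server data).
SAMPLE_LASTCOMM='accton          S  root     pts/1      0.00 secs Thu Oct  7 01:02
ls                 root     pts/1      0.00 secs Thu Oct  7 01:02
rm                 user1    pts/2      0.00 secs Thu Oct  7 01:03
rm                 user1    pts/2      0.00 secs Thu Oct  7 01:04
bash            F  root     pts/1      0.00 secs Thu Oct  7 01:05
shutdown        S  user1    pts/2      0.00 secs Thu Oct  7 01:06
lastcomm           root     pts/1      0.00 secs Thu Oct  7 01:07'

# pacct_counts: read lastcomm records on stdin, print "user command count", sorted.
pacct_counts() {
    awk '{
        for (i = 1; i <= NF; i++) if ($i == "secs") break
        if (i > NF) next                 # not an accounting record
        count[$(i - 3) " " $1]++         # $(i-3) is the user column
    }
    END { for (k in count) print k, count[k] }' | LC_ALL=C sort
}

# pacct_watch: print "user tty command flags" for every record whose command is
# on the watch list (a constructed list for this example; adjust it to your policy).
pacct_watch() {
    awk -v list="rm shutdown reboot halt" '
    BEGIN { n = split(list, w, " "); for (j = 1; j <= n; j++) watch[w[j]] = 1 }
    {
        for (i = 1; i <= NF; i++) if ($i == "secs") break
        if (i > NF || !($1 in watch)) next
        flags = (i - 4 >= 2) ? $2 : "-"  # flag letters sit between command and user
        print $(i - 3), $(i - 2), $1, flags
    }'
}

# Demonstration on the constructed sample; on a real system: lastcomm | pacct_watch
printf '%s\n' "$SAMPLE_LASTCOMM" | pacct_counts
printf '%s\n' "$SAMPLE_LASTCOMM" | pacct_watch
```

The watch output carries the tty and the flag letters, so a privileged command (flag S) run from a pseudo-terminal by a non-root account stands out immediately; the per-user counts give the baseline to compare against.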
3. System and service logs
The system log service is managed by a daemon named syslog. Examples of log files driven by the syslog service:
/var/log/lastlog: records the time of each user's last successful login and the login IP address.
/var/log/messages: records general system and service messages, including errors, on Linux.
/var/log/secure: the Linux security log; records user and group changes and user login authentication.
/var/log/btmp: records the users, times and remote IP addresses of failed Linux logins.
/var/log/cron: records the execution of crond scheduled tasks.
......
[root@xhot ~]# cat /var/log/lastlog // binary file: cat shows only fragments, the lastlog command prints it readably
pts/0 218.192.87.4
pts/1 218.192.87.4
pts/1 218.192.87.4
pts/0 218.192.87.46
pts/0 218.192.87.4
......
Introduction to the Linux log service
1. On Linux, most logs are driven and managed by the syslog log service.
The syslog service is controlled by two important configuration files: the master configuration file /etc/syslog.conf and /etc/sysconfig/syslog;
/etc/init.d/syslog is the startup script. Here we discuss the main configuration file, /etc/syslog.conf:
/etc/syslog.conf statement structure:
[root@xhot ~]# grep -v "^#" /etc/syslog.conf // list the lines that do not start with #
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
Selector field (message type.priority level)    Action field
2. Message types (facilities): auth, authpriv, security; cron, daemon, kern, lpr, mail, mark, news, syslog, user, uucp, local0 ~ local7.
Priority levels (8, from lowest to highest): debug, info, notice, warning|warn, err|error, crit, alert, emerg|panic. A selector that names a level matches that level and every higher one.
Action field: a file, a user, the console, or @remote_ip.
The following explains three lines of the /etc/syslog.conf file:
*.info;mail.none;authpriv.none;cron.none /var/log/messages
means that messages of level info or higher from any facility are sent to the /var/log/messages log file, except messages from the mail system, the authentication system (authpriv)
and scheduled tasks (cron), which are excluded and not sent (none blocks a facility entirely).
cron.* /var/log/cron means that cron messages of all levels are sent to the /var/log/cron file.
*.emerg * means that emerg-level messages (system unusable) from all facilities are sent to all logged-in users.
Linux log server configuration
Configuring the server is very simple: modify one file and restart the service:
[root@xhot ~]# grep -v "^#" /etc/sysconfig/syslog
SYSLOGD_OPTIONS="-m 0 -r" // just add "-r" here (accept messages from the network)
KLOGD_OPTIONS="-x"
SYSLOG_UMASK=077
[root@xhot ~]# service syslog restart
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
On a machine that sends messages to the server, only the main configuration file /etc/syslog.conf needs a line whose action is the server.
For example, with the log server at 218.192.87.24,
to send auth messages of level info or higher to the log server,
add the line auth.info @218.192.87.24.
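To check how the selector rules above combine before touching a production file, the following added example (not code from the original article or from sysklogd) implements the matching rules in POSIX sh: a priority means "that level and above", none removes a facility, and within one line a later sub-selector overrides an earlier one for the facilities it names. The sample configuration is constructed from the lines shown above plus the remote-server line, and the facility/priority pairs fed to it are constructed test inputs; only the selector forms that appear on this page are handled (no =level or !level forms).

```shell
#!/bin/sh
# Added example, not part of the original article: evaluate syslog.conf
# selectors ("facility.priority" lists separated by ';') against a message's
# facility and priority, using the rules described in the text.

# prio_rank NAME -> print the rank of a priority name (debug=0 ... emerg=7), -1 if unknown.
prio_rank() {
    case "$1" in
        debug) printf '0\n' ;;  info) printf '1\n' ;;  notice) printf '2\n' ;;
        warning|warn) printf '3\n' ;;  err|error) printf '4\n' ;;  crit) printf '5\n' ;;
        alert) printf '6\n' ;;  emerg|panic) printf '7\n' ;;
        *) printf -- '-1\n' ;;
    esac
}

# selector_matches SELECTOR FACILITY PRIORITY -> exit 0 when the rule selects the message.
# Runs in a subshell so the IFS and glob changes below do not leak to the caller.
selector_matches() (
    selector=$1; facility=$2; priority=$3
    msg_rank=$(prio_rank "$priority")
    [ "$msg_rank" -ge 0 ] || exit 2          # unknown priority name
    set -f                                    # keep "*" from expanding as a file glob
    result=1
    IFS=';'
    for sub in $selector; do                  # sub-selectors are applied in order
        facs=${sub%.*}; level=${sub##*.}
        IFS=','
        for f in $facs; do
            [ "$f" = "*" ] || [ "$f" = "$facility" ] || continue
            if [ "$level" = "none" ]; then
                result=1                      # "none" blocks the facility
            elif [ "$level" = "*" ]; then
                result=0                      # any priority
            elif [ "$msg_rank" -ge "$(prio_rank "$level")" ]; then
                result=0                      # named level or higher
            else
                result=1
            fi
        done
        IFS=';'
    done
    exit $result
)

# Constructed sample configuration: the lines listed in the article plus the
# remote-server line from the log server section.
SAMPLE_SYSLOG_CONF='*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
auth.info @218.192.87.24'

# routes FACILITY PRIORITY -> print the action of every rule that selects the message.
routes() {
    printf '%s\n' "$SAMPLE_SYSLOG_CONF" | while read -r sel action; do
        [ -z "$sel" ] && continue
        if selector_matches "$sel" "$1" "$2"; then
            printf '%s\n' "$action"
        fi
    done
}

# Demonstration with constructed messages.
echo "mail.info  ->" $(routes mail info)      # only the maillog line: messages excludes mail
echo "kern.emerg ->" $(routes kern emerg)     # messages file and all users
echo "auth.notice ->" $(routes auth notice)   # local file and the remote log server
```

Running routes for a facility/priority pair is the quick way to confirm that an exclusion such as mail.none really keeps a facility out of /var/log/messages, and that a remote action receives exactly the messages intended for it.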
Log rotation service
After the system has been running for some time, the content of the log files grows with time and traffic,
and the files keep growing. Once a log file exceeds what the system can manage, it has to be rotated.
Rotation can be yearly, monthly, weekly, or triggered when a file reaches a certain size.
Linux uses the logrotate tool for log rotation; combined with cron scheduled tasks it rotates
log files with ease. The rotation policy is controlled by the /etc/logrotate.conf configuration file:
[root@xhot ~]# cat /etc/logrotate.conf
# see "man logrotate" for details // the manual page documents every directive
# rotate log files weekly
weekly // rotate weekly
# keep 4 weeks worth of backlogs
rotate 4 // keep at most 4 rotated copies
# create new (empty) log files after rotating old ones
create // create a new empty log file after the old one is rotated
# uncomment this if you want your log files compressed
#compress // compress rotated copies
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d // rotation settings for other log files are included from this directory
# no packages own wtmp -- we'll rotate them here
/var/log/wtmp { // rotation parameters for the /var/log/wtmp log file
monthly // rotate monthly
create 0664 root utmp // after rotation create the file anew, owned by root,
// group utmp, with permissions 0664
rotate 1 // keep one rotated copy
}
# system-specific logs may be also be configured here.
Here are two examples:
Set rotation parameters for all files in the /var/log/news/ directory: rotate monthly and keep two rotated copies,
move old log files to the /var/log/news/old directory, skip files that do not exist, restart the
news service after rotation, and do not compress. Add the following at the end of the /etc/logrotate.conf file:
/var/log/news/* {
monthly
rotate 2
olddir /var/log/news/old
missingok
postrotate
kill -HUP `cat /var/run/inn.pid`
endscript
nocompress
}
Another example: set rotation parameters for the /var/log/httpd/access.log and /var/log/httpd/error.log logs. Keep
five rotated copies, mail logs that rotate out of existence to root@localhost, rotate only when the log file reaches 100 KB, and restart the
httpd service after rotation. Add the following directly at the end of the /etc/logrotate.conf file:
/var/log/httpd/access.log /var/log/httpd/error.log {
rotate 5
mail root@localhost
size=100k
sharedscripts
postrotate
/sbin/killall -HUP httpd
endscript
}
Custom log rotation (/etc/logrotate.d/*)
The following example is used: send all messages of level info or higher to the /var/log/test.log file, and set
/var/log/test.log to be rotated once it exceeds 50 KB, keeping 10 rotated copies, compressing during rotation, and then restarting the syslog service:
1. Modify the /etc/syslog.conf file so that it reads as follows:
[root@xhot ~]# tail -1 /etc/syslog.conf // view the last line of the file
*.info /var/log/test.log
2. Restart the syslog service:
[root@xhot ~]# /sbin/service syslog restart
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
3. Create the /etc/logrotate.d/test.log rotation configuration file with the following content (the process to signal is the daemon, syslogd):
[root@xhot ~]# vim /etc/logrotate.d/test.log
[root@xhot ~]# cat /etc/logrotate.d/test.log
/var/log/test.log {
rotate 10
size=50k
compress
postrotate
killall -HUP syslogd
endscript
}
4. Check the file /etc/cron.daily/logrotate and make sure it contains the following:
[root@xhot ~]# cat /etc/cron.daily/logrotate
#!/bin/sh
/usr/sbin/logrotate /etc/logrotate.conf
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
/usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
exit 0
5. View the rotated files:
[root@xhot log]# pwd
/var/log
[root@xhot log]# ls test.log*
...... // once rotation has happened, the compressed copies appear alongside the original test.log file
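What the size, rotate and create directives used in /etc/logrotate.conf and in the custom /etc/logrotate.d/test.log configuration produce on disk can be seen on a throwaway directory. The following is an added example, not code from the original article or from the logrotate project: a simplified POSIX sh model of size-triggered rotation with a retention count, run against a constructed 60 KB file. It does not model compress, postrotate or the state file; on a real system, logrotate -d /etc/logrotate.conf dry-runs the actual configuration.

```shell
#!/bin/sh
# Added example, not part of the original article: a simplified model of the
# logrotate directives "size", "rotate N" and "create" (not logrotate itself),
# showing the numbering of rotated copies and how the retention count applies.

# size_exceeds FILE LIMIT_KB -> exit 0 when FILE is larger than LIMIT_KB kilobytes
# (logrotate's "size=50k" rotates only once the file has reached the limit).
size_exceeds() {
    [ -f "$1" ] || return 1
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -gt $(( $2 * 1024 )) ]
}

# rotate_once FILE KEEP: shift FILE.(KEEP-1) -> FILE.KEEP ... FILE -> FILE.1,
# drop the copy that would exceed KEEP, then recreate an empty FILE ("create").
rotate_once() {
    file=$1; keep=$2
    rm -f "$file.$keep"                       # the oldest copy falls off the end
    i=$((keep - 1))
    while [ "$i" -ge 1 ]; do
        [ -f "$file.$i" ] && mv "$file.$i" "$file.$((i + 1))"
        i=$((i - 1))
    done
    mv "$file" "$file.1"
    : > "$file"                               # new empty log; owner/mode would come from "create"
}

# rotate_if_needed FILE LIMIT_KB KEEP: the check a daily cron run performs;
# prints "rotated" or "skipped".
rotate_if_needed() {
    if size_exceeds "$1" "$2"; then
        rotate_once "$1" "$3"
        echo rotated
    else
        echo skipped
    fi
}

# rotated_copies FILE -> number of rotated copies currently present.
rotated_copies() {
    n=0
    for f in "$1".[0-9]*; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Demonstration on a throwaway directory with constructed content.
demo_dir=$(mktemp -d)
demo_log=$demo_dir/test.log
head -c 61440 /dev/zero | tr '\0' 'x' > "$demo_log"   # 60 KB, exceeds size=50k
rotate_if_needed "$demo_log" 50 10                       # prints "rotated"
rotate_if_needed "$demo_log" 50 10                       # prints "skipped": the new file is empty
rotated_copies "$demo_log"                               # prints 1
rm -rf "$demo_dir"
```

Running the rotation twelve times with a retention of 10 leaves test.log.1 through test.log.10 and nothing older, which is exactly what the rotate 10 line in the custom configuration promises; a daily cron run that finds the file below the size limit leaves it alone.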
Syslog is a log system widely used in UNIX and Linux.