Log Files in CentOS 7
Common Linux log files are described as follows:
1. /var/log/boot.log (messages from the boot-time self-check process)
2. /var/log/cron (actions of the child processes spawned by the crontab daemon crond)
3. /var/log/maillog (e-mail sent to or from the system)
4. /var/log/syslog (records only messages of warning priority and above, which usually indicate system problems, so pay particular attention to this file)
5. /usr/local/apache/logs/error_log (error log of an Apache server installed from source under /usr/local/apache)
6. /var/log/httpd/error_log (error log of the packaged httpd service)
To have the system generate the syslog log file, add the line
*.warning    /var/log/syslog
to /etc/rsyslog.conf and restart rsyslog (systemctl restart rsyslog). This log file then records events such as wrong passwords reported by login, sendmail problems, and failed su commands.
7. /var/log/lastlog (the last logon of every user; a binary file, read it with the lastlog command)
8. /var/log/wtmp (permanently records the logon and logout of every user and every system startup and shutdown; the last command reads this file)
9. /var/run/utmp (information about each user currently logged on)
10. /var/log/xferlog (FTP sessions, listing the files users copied to or from the FTP server)
Linux Log Analysis in detail
Logs deserve the administrator's attention. Do not underestimate the importance of log files for network security: they record in detail the events that occur in the system every day. You can use them to find the cause of an error, or to trace an attacker's steps after an attack or break-in. The two main roles of logs are audit and monitoring. A properly configured Linux log system is very powerful. On Linux all log files live under /var/log. The default logging is already capable, but FTP activity is not recorded by default: with wu-ftpd you edit /etc/ftpaccess to make the server record all FTP activity, and with vsftpd (the FTP server shipped with CentOS 7) transfer logging is controlled by xferlog_enable in /etc/vsftpd/vsftpd.conf.
Introduction to the Linux Log System
Linux Log System
Logs are very important to system security. They record the events that occur in the system every day; you can use them to find the cause of an error, or to look for the traces an attacker leaves behind. The main functions of logs are audit and monitoring. They can also be used to watch the system state in real time and to track intrusions.
Linux generally has three major log subsystems: connection-time logs, process accounting logs, and error logs.
Connection-time log
The connection-time log is written by several programs; the records go to /var/log/wtmp and /var/run/utmp. login and related programs update the wtmp and utmp files so that the system administrator can tell who is logged on to the system at any time.
Process accounting log
Process accounting is performed by the kernel. When a process terminates, the kernel writes one record for it to the process accounting file (pacct or acct). Process accounting provides command-usage statistics for the basic services on the system.
Error log
The error log is kept by syslogd(8) (rsyslogd on CentOS 7). System daemons, user programs, and the kernel report noteworthy events through syslog(3) to files such as /var/log/messages. Many UNIX programs, such as HTTP and FTP servers, also create their own logs, and servers that provide network services keep detailed logs of their own.
Common RedHat Linux log files and commands
One of the keys to managing any system successfully is knowing what is happening on it. Linux provides extensive logging, and the level of detail is configurable. Linux logs are stored in plain text, so you can search and read them without special tools, and you can write scripts that scan them and act on their contents automatically. Linux logs are stored in the /var/log directory. Several of the log files there are maintained by the system, but other services and programs may also put their logs in it. Most logs can only be read by the root account, though changing the file permissions allows others to read them.
Common RedHat Linux log files
Common RedHat Linux log files are described as follows:
/var/log/boot.log
This file records system events during the boot process, that is, the information displayed during the Linux boot-time self-check.
/var/log/cron
This log file records the actions of the child processes spawned by the crontab daemon crond: the user, the time, the PID, and the action of the spawned process. A CMD action is the common case, in which cron spawns a scheduled job. A REPLACE action records an update of a user's cron file, which lists the jobs to be run periodically. A RELOAD action follows shortly after a REPLACE: cron has noticed that a user's cron file changed and reloads it into memory. Unusual activity can often be spotted in this file.
/var/log/maillog
This log file records every e-mail sent to or from the system. From it you can see which mail program a user used and which host the mail was delivered to. The following snippet shows one sendmail transaction, which is logged as two lines (the sender side and the delivery side) sharing the queue ID g849Npp01950:
Sep 4 17:23:52 UNIX sendmail[1950]: g849Npp01950: from=root, size=25, nrcpts=1, msgid=<200209040923.g849Npp01950@redhat.pfcc.com.cn>, relay=root@localhost
Sep 4 17:23:55 UNIX sendmail[1950]: g849Npp01950: to=lzy@fcceec.net, ctladdr=root (0/0), delay=00:00:04, xdelay=00:00:03, mailer=esmtp, pri=30025, relay=fcceec.net. [10.152.8.2], dsn=2.0.0, stat=Sent (Message queued)
/var/log/messages
This log file collects the messages of many processes in one place, so intrusion attempts and successful intrusions can be seen in it. For example:
Sep 3 08:30:17 UNIX login[1275]: FAILED LOGIN 2 FROM (null) FOR suying, Authentication failure
Sep 4 17:40:28 UNIX -- suying[2017]: LOGIN ON pts/1 BY suying FROM fcceec.www.ec8.pfcc.com.cn
Sep 4 17:40:39 UNIX su(pam_unix)[2048]: session opened for user root by suying(uid=999)
Each line of this file contains the date, the host name, the program name followed by the PID (or kernel ID) in square brackets, a colon and a space, and finally the message. The drawback of this file is that intrusion attempts and successful intrusions are drowned in a large number of routine records. Which messages land here is controlled by /etc/syslog.conf (/etc/rsyslog.conf on CentOS 7, whose default rule *.info;mail.none;authpriv.none;cron.none sends everything except mail, authpriv and cron messages to /var/log/messages; login and su messages use the authpriv facility, so on CentOS 7 they appear in /var/log/secure instead). How to configure that file to control system logging is described in more detail later.
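Because the interesting lines are buried among routine records, a practitioner normally greps for the indicators rather than reading the file. The following is an added example, not code from the original article: a scanner for the line layout just described that reports failed logins and sessions opened for root (su, and sudo, which logs the same "session opened for user root" text). The sample lines are constructed for the example and modelled on the records quoted above.

```shell
# Added example (not from the article): pick out authentication events from
# syslog-format lines.  Usage on a real host:
#   scan_auth_events < /var/log/messages      (or < /var/log/secure on CentOS 7)
scan_auth_events() {
    awk '
    {
        # "Mon DD HH:MM:SS host program[pid]: message"
        ts = $1 " " $2 " " $3; host = $4; prog = $5
        sub(/:$/, "", prog)
        low = tolower($0)
    }
    low ~ /failed login/ {
        user = "?"
        if (match($0, /FOR [^,]+/)) user = substr($0, RSTART + 4, RLENGTH - 4)
        print "FAILED_LOGIN", ts, host, prog, "user=" user
        next
    }
    # su, su-l and sudo all log "session opened for user root by <user>(uid=N)"
    prog ~ /^su/ && low ~ /session opened for user root/ {
        by = "?"
        if (match($0, /by [^( ]+/)) by = substr($0, RSTART + 3, RLENGTH - 3)
        print "ROOT_SESSION", ts, host, prog, "by=" by
        next
    }'
}

# Constructed sample input (not a real log), modelled on the lines quoted above.
sample_messages() {
    cat <<'EOF'
Sep  3 08:30:17 UNIX login[1275]: FAILED LOGIN 2 FROM (null) FOR suying, Authentication failure
Sep  4 17:40:28 UNIX -- suying[2017]: LOGIN ON pts/1 BY suying FROM fcceec.www.ec8.pfcc.com.cn
Sep  4 17:40:39 UNIX su(pam_unix)[2048]: session opened for user root by suying(uid=999)
Sep  4 17:41:02 UNIX su(pam_unix)[2048]: session closed for user root
Sep  4 17:45:00 UNIX sshd[2100]: Accepted password for suying from 10.152.8.2 port 40022 ssh2
EOF
}

# Number of flagged events in the sample.
count_flagged() { sample_messages | scan_auth_events | wc -l | tr -d ' '; }

sample_messages | scan_auth_events
```

On the sample, the failed login for suying and the su to root by suying are reported; the ordinary login, the session close and the accepted ssh login are left alone.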
/var/log/syslog
By default RedHat Linux does not generate this log file, but you can configure /etc/syslog.conf (/etc/rsyslog.conf on CentOS 7) to make the system generate it. It differs from /var/log/messages in that it records only messages of warning priority and above, which usually indicate system problems, so you should pay particular attention to it. To have the system generate the file, add the following line to /etc/syslog.conf:
*.warning    /var/log/syslog
This log file then records events such as wrong passwords reported by login, sendmail problems, and failed su commands. Below is one record:
Sep 6 16:47:52 UNIX login(pam_unix)[2384]: check pass; user unknown
/var/log/secure
This log file records security-related information. On CentOS 7 the default rsyslog rule authpriv.* /var/log/secure sends authentication messages here, so sshd logons, su and sudo use, and other PAM messages appear in this file. Part of the file looks like this:
Sep 4 16:05:09 UNIX xinetd[711]: START: ftp pid=1815 from=127.0.0.1
Sep 4 16:05:09 UNIX xinetd[1815]: USERID: ftp OTHER:root
Sep 4 16:07:24 UNIX xinetd[711]: EXIT: ftp pid=1815 duration=135(sec)
Sep 4 16:10:05 UNIX xinetd[711]: START: ftp pid=1846 from=127.0.0.1
Sep 4 16:10:05 UNIX xinetd[1846]: USERID: ftp OTHER:root
Sep 4 16:16:26 UNIX xinetd[711]: EXIT: ftp pid=1846 duration=381(sec)
Sep 4 17:40:20 UNIX xinetd[711]: START: telnet pid=2016 from=10.152.8.2
/var/log/lastlog
This log file records the most recent successful logon of each user and is written by login. It is a binary file and must be viewed with the lastlog command, which prints the user name, port, source host, and last logon time, sorted by UID. A user who has never logged on is shown as "**Never logged in**". Any user who can read /var/log/lastlog can run the command (on CentOS 7 the file is world-readable by default). Simply enter lastlog and you will see output similar to the following:
Username         Port     From             Latest
root             tty2                      Tue Sep  3 08:32:27 +0800 2002
bin                                        **Never logged in**
daemon                                     **Never logged in**
adm                                        **Never logged in**
lp                                         **Never logged in**
sync                                       **Never logged in**
shutdown                                   **Never logged in**
halt                                       **Never logged in**
mail                                       **Never logged in**
news                                       **Never logged in**
uucp                                       **Never logged in**
operator                                   **Never logged in**
games                                      **Never logged in**
gopher                                     **Never logged in**
ftp                       UNIX             Tue Sep  3 14:49:04 +0800 2002
nobody                                     **Never logged in**
nscd                                       **Never logged in**
mailnull                                   **Never logged in**
ident                                      **Never logged in**
rpc                                        **Never logged in**
rpcuser                                    **Never logged in**
xfs                                        **Never logged in**
Ann                                        **Never logged in**
postgres                                   **Never logged in**
apache                                     **Never logged in**
lzy              tty2                      Mon Jul 15 08:50:37 +0800 2002
suying           tty2                      Tue Sep  3 08:31:17 +0800 2002
System accounts such as bin, daemon, adm, uucp, and mail should never log on. If one of these accounts shows a logon, the system may have been compromised. Likewise, if the recorded time is not a time at which the user was actually at the console, the user's password may have been leaked.
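The rule just stated is easy to automate: pipe lastlog output through a filter that knows which accounts must never log on. The following is an added example, not code from the original article. The list of system accounts is this example's assumption, drawn from the table above, and the sample output is constructed from that table. Note that on the table's own data the check flags ftp, which shows a logon from host UNIX and would have to be explained.

```shell
# Added example (not from the article): flag system accounts that show a
# logon time in lastlog output.  Usage on a real host:  lastlog | flag_system_logins
flag_system_logins() {
    # assumption of this example: these accounts are never used interactively
    awk -v accounts="bin daemon adm lp sync shutdown halt mail news uucp operator games gopher ftp nobody" '
    BEGIN { n = split(accounts, a, " "); for (i = 1; i <= n; i++) sys[a[i]] = 1 }
    NR == 1 { next }                                   # skip the column header
    ($1 in sys) && $0 !~ /Never logged in/ {
        name = $1; $1 = ""; sub(/^ +/, "")             # keep Port/From/Latest as printed
        print name " logged in: " $0
    }'
}

# Constructed sample output in the shape lastlog prints (taken from the table above).
sample_lastlog() {
    cat <<'EOF'
Username         Port     From             Latest
root             tty2                      Tue Sep  3 08:32:27 +0800 2002
bin                                        **Never logged in**
daemon                                     **Never logged in**
adm                                        **Never logged in**
ftp                       UNIX             Tue Sep  3 14:49:04 +0800 2002
nobody                                     **Never logged in**
lzy              tty2                      Mon Jul 15 08:50:37 +0800 2002
suying           tty2                      Tue Sep  3 08:31:17 +0800 2002
EOF
}

# Names of the flagged accounts, one per line.
flagged_accounts() { sample_lastlog | flag_system_logins | cut -d' ' -f1; }

sample_lastlog | flag_system_logins
```

Extend the account list from /etc/passwd on your own hosts (every account with a nologin shell is a candidate); the real users in the table are deliberately not listed, since their logons are legitimate and should be reviewed by time and source instead.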
/var/log/wtmp
This log file permanently records the logon and logout of every user and every system startup and shutdown, so it grows as the system runs, in proportion to the number of user logins. Use it to review users' logon history. The last command reads this file and prints the logon records in reverse chronological order; it can also narrow the records by user, by terminal (tty), or by time.
Useful forms of the last command (the last shipped with CentOS 7, from sysvinit-tools):
last suying              shows the logon records of one user; a tty such as tty2 can be given in the same way.
last -n 20               limits the output to the most recent 20 records.
last -t YYYYMMDDHHMMSS   shows the state of logins as of the given time.
last -f /var/log/wtmp.1  reads a rotated wtmp file instead of the current one.
/var/run/utmp
This log file records information about each user currently logged on, so it changes as users log in and out. It holds only the users online at the moment and keeps no permanent record. Programs that need the current user state, such as who, w, users, and finger, read this file. Its contents are not always accurate: an unexpected error can terminate a user's session without the utmp record being updated in time, so this file is not fully trustworthy.
The three files above (/var/log/wtmp, /var/run/utmp, /var/log/lastlog) are the key files of the logon logging subsystem; all of them record the logon state of users, and every record carries a timestamp. They are stored in binary form, so you cannot read them with less or cat; use the corresponding commands (last, who, lastlog) instead, or utmpdump to dump a utmp or wtmp file as text. The utmp and wtmp files share the same record structure, while lastlog uses a different one; man 5 utmp describes the utmp and wtmp record layout.
Each time a user logs on, the login program looks up the user's UID in the lastlog file. If a record is found, the user's last logon time, terminal, and host name are written to standard output. login then records the new logon time in lastlog, opens the utmp file, and inserts the user's utmp record. That record is removed when the user logs out. The utmp file is used by commands such as who, w, users, and finger.
Next, login opens wtmp and appends the user's utmp record. When the user logs out, the same record with an updated timestamp is appended again. The wtmp file is used by the last command.
/var/log/xferlog
This log file records FTP sessions and shows the files users copied to or from the FTP server. It reveals malicious programs uploaded to the server as part of an intrusion, as well as files users copied for their own use.
Each record has the following fields, separated by spaces: date and time; transfer time in seconds; remote host name; file size in bytes; local path name; transfer type (a: ASCII, b: binary); special action flag (C: compressed, U: uncompressed, T: tar, _: none); transfer direction relative to the server (i: incoming, an upload; o: outgoing, a download); access mode (a: anonymous, g: guest with password, r: real user); user name (for anonymous sessions, the string given as the password); service name (usually ftp); authentication method (0: none, 1: RFC931); authenticated user ID, or "*"; and completion status (c: complete, i: incomplete). Below is one record from the file:
Wed Sep 4 08:14:03 2002 1 UNIX 275531 /var/ftp/lib/libnss_files-2.2.2.so b _ o a root@UNIX ftp 0 * c
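The field layout above is what makes xferlog easy to audit. The following is an added example, not code from the original article: it splits each record into the fields listed, names the direction, access mode and completion status, and raises an alert for uploads by anonymous users. The sample records are constructed for the example (the first is the record quoted above), the alert rule is this example's own assumption, and file names containing spaces are not handled because the format itself separates fields with spaces.

```shell
# Added example (not from the article): parse xferlog records and flag
# anonymous uploads.  Usage on a real host:  audit_xferlog < /var/log/xferlog
audit_xferlog() {
    awk '
    # $1-$5 date and time, $6 transfer seconds, $7 remote host, $8 bytes,
    # $9 path, $10 type, $11 special action, $12 direction, $13 access mode,
    # $14 user, $15 service, $16 auth method, $17 authenticated id, $18 status
    NF != 18 { print "MALFORMED " $0; next }
    {
        dir   = ($12 == "i") ? "upload" : "download"
        mode  = ($13 == "a") ? "anonymous" : (($13 == "g") ? "guest" : "real")
        state = ($18 == "c") ? "complete" : "incomplete"
        # assumption of this example: a file written by an anonymous user needs review
        flag  = ($12 == "i" && $13 == "a") ? "ALERT" : "ok"
        printf "%s %s %s %s %s bytes=%s user=%s from=%s file=%s\n", flag, dir, mode, state, $1 " " $2 " " $3 " " $4 " " $5, $8, $14, $7, $9
    }'
}

# Constructed sample records (not a real log); the first is the one quoted above.
sample_xferlog() {
    cat <<'EOF'
Wed Sep  4 08:14:03 2002 1 UNIX 275531 /var/ftp/lib/libnss_files-2.2.2.so b _ o a root@UNIX ftp 0 * c
Wed Sep  4 09:02:11 2002 3 10.152.8.2 51200 /var/ftp/incoming/tool.tgz b _ i a guest@nowhere ftp 0 * c
Wed Sep  4 09:10:40 2002 2 10.152.8.2 1024 /home/suying/notes.txt a _ i r suying ftp 0 * i
EOF
}

# Number of records the alert rule fires on.
count_anonymous_uploads() { sample_xferlog | audit_xferlog | grep -c '^ALERT'; }

sample_xferlog | audit_xferlog
```

The download quoted in the article is reported as ordinary, the anonymous binary upload into /var/ftp/incoming is the alert, and the real user's incomplete upload is shown with its status so a reviewer can see it did not finish.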