Because FreeBSD is a multi-user system, it requires the administrator to perform day-to-day maintenance, especially when it runs as a network server, where downtime caused by a lack of maintenance can cause great losses. Even a single-user FreeBSD system needs these indispensable maintenance tasks; because the system is for personal use, the maintenance requirements are lower and the tasks are easier.
System log
System logging provides a detailed audit trail of system activity that is used to assess and review the system's operating environment. In general, logging records when users log on, where they log on from, and what they do; used properly, logs can give system administrators very useful information about security violations or intrusion attempts.
BSD provides a wide range of detailed log records, as well as a large number of tools and utilities for working with logs. These audit records are usually generated automatically by programs as part of the default settings; they help UNIX administrators find problems in the system and are useful for system maintenance. Other log records take effect only after an administrator sets them up. Most log files are saved in the /var/log directory, which holds some application log files in addition to the logs generated by the system itself. Other subdirectories under /var also hold other kinds of log files, depending on the settings of the specific application.
$ ls /var/log
adduser             maillog.5.gz        sendmail.st.1
dmesg.today         maillog.6.gz        sendmail.st.10
dmesg.yesterday     maillog.7.gz        sendmail.st.2
httpd-access.log    messages            sendmail.st.3
httpd-error.log     messages.0.gz       sendmail.st.4
kerberos.log        messages.1.gz       sendmail.st.5
lastlog             messages.2.gz       sendmail.st.6
lpd-errs            messages.3.gz       sendmail.st.7
maillog             messages.4.gz       sendmail.st.8
maillog.0.gz        messages.5.gz       sendmail.st.9
maillog.1.gz        news                setuid.today
maillog.2.gz        ppp.log             setuid.yesterday
maillog.3.gz        sendmail.st         userlog
maillog.4.gz        sendmail.st.0       wtmp
System login log
Each user's login record is saved, including the user's name, when the login started, where the user logged in from, and so on. These records are saved to the /var/log/lastlog, /var/log/wtmp, and /var/run/utmp files, which hold the login data in binary format.
The /var/run/utmp file holds the login records of the users currently on the system. The file changes as users enter and leave the system; it does not keep a long-term record for a user, retaining only the records of users who are online at that moment. Programs that query the current user status, such as who and w, need to access this file. utmp may not contain fully accurate information: some sudden errors terminate a user's login session without the utmp record being updated in time, so utmp records are not absolutely trustworthy.
The /var/log/wtmp file saves all login and logout information, as well as system startup and shutdown records. Its size increases as system uptime increases, and how fast it grows depends on the number of user logins. This log can therefore be used to view users' login records. The last command reads this file to obtain that information and displays login records in reverse order, starting from the most recent; it can also display the corresponding records by user, terminal (tty) or time. The ac command also uses data from wtmp to produce reports, but displays it in a different way. It can display information by user (ac -p) or by date (ac -d), so that the administrator can spot very useful anomalies, such as a normally inactive user who suddenly logs in and stays connected for a long time, which gives reason to suspect that the account has been stolen.
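The check described above (a normally inactive user who suddenly stays connected for a long time), as an added example that is not part of the original article. It assumes the per-user daily connect hours have already been exported as "date user hours" lines; that line format, the thresholds, the function names and the sample data are assumptions made for illustration, not the output format of ac.

```python
from collections import defaultdict

# Constructed sample: per-user connect hours per day, one "date user hours"
# record per line (assumed export format, not real ac output).
SAMPLE = """\
2024-03-01 alice 7.5
2024-03-01 backup 0.1
2024-03-02 alice 8.0
2024-03-02 backup 0.1
2024-03-03 alice 7.0
2024-03-03 backup 0.1
2024-03-04 alice 8.5
2024-03-04 backup 0.1
2024-03-04 olduser 11.2
"""

def parse(text):
    """Return {date: {user: hours}} from 'date user hours' lines."""
    days = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, hours = line.split()
        days[date][user] = days[date].get(user, 0.0) + float(hours)
    return days

def flag_anomalies(days, min_hours=4.0, factor=3.0, min_history=3):
    """Flag (date, user, hours, baseline) where a user's connect time for a
    day is long in absolute terms and far above that user's own average over
    all earlier days in the data (days without a login count as 0 hours)."""
    flagged = []
    history = defaultdict(float)  # user -> total hours on earlier days
    for n, date in enumerate(sorted(days)):  # ISO dates sort chronologically
        for user, hours in sorted(days[date].items()):
            baseline = history[user] / n if n else 0.0
            if n >= min_history and hours >= min_hours and hours > factor * baseline:
                flagged.append((date, user, hours, round(baseline, 2)))
        # Only after judging the day does it become part of the baseline.
        for user, hours in days[date].items():
            history[user] += hours
    return flagged

if __name__ == "__main__":
    for date, user, hours, baseline in flag_anomalies(parse(SAMPLE)):
        print(f"{date} {user}: {hours:.1f} h (earlier daily average {baseline:.2f} h)")
```

A regular heavy user such as alice is not flagged because the comparison is against that user's own history, and nothing is flagged until min_history earlier days exist.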