1. Introduction to important log files in Linux
/var/log/boot.log
This file records system events during the boot process, that is, the messages printed while the Linux system boots and runs its start-up self-checks, as shown in Figure 1:
Figure 1 /var/log/boot.log diagram
/var/log/cron
This log file records the actions of the child processes spawned by the crontab daemon crond. Each entry gives the user, the time, the PID and the action of the spawned process. The most common action is CMD, logged when cron spawns a scheduled job. A REPLACE action records an update to a user's crontab file, which lists the tasks to be run periodically. A RELOAD action follows shortly after a REPLACE: it means cron has noticed that the user's crontab changed and has reloaded it into memory. Unusual activity, such as a crontab being replaced by an account that has no business scheduling jobs, can often be spotted in this file. A sample of the file is shown in Figure 2:
Figure 2 /var/log/cron file diagram
/var/log/maillog
This log file records every piece of mail sent to or from the system. It can be used to see which mail program a user used and which system the mail was delivered to. Figure 3 shows a segment of the file:
Figure 3 /var/log/maillog file diagram
/var/log/messages
Each line of this file contains a date, the host name and the program name, followed by the PID (or a kernel identifier) in square brackets, a colon and a space, and finally the message itself. The file has one disadvantage: records of intrusion attempts and of successful intrusions are drowned in a large number of routine process messages. The file can, however, be tailored through the syslog configuration: /etc/syslog.conf determines what the system writes to /var/log/messages.
/var/log/syslog
By default, Fedora does not generate this log file, but you can configure /etc/syslog.conf so that the system produces it. It differs from /var/log/messages in that it records only messages of warning priority and above, which usually indicate system problems, so it deserves closer attention. To have the system generate the file, add the following line to /etc/syslog.conf:
*.warning    /var/log/syslog
/var/log/secure
This log file records the messages written by login and related programs during user logon, such as wrong passwords, Sendmail problems and failed su commands.
/var/log/lastlog
This log file records each user's most recent logon and is written by login. It is a binary file and must be viewed with the lastlog command, which prints the user name, port and last logon time sorted by UID. A user who has never logged on is shown as "** Never logged in **". Depending on the permissions of /var/log/lastlog you may need to run the command as root. Simply enter lastlog and you will see output similar to Figure 4:
Figure 4 execution result of the lastlog command
/var/log/wtmp
This log file permanently records every user's logons and logouts and every system startup and shutdown. Consequently the file grows as the system runs, at a rate that depends on how many logons take place. It is the source for viewing user logon history: the last command reads this file and displays the logon records in reverse chronological order, and can also filter them by user, by terminal (tty) or by time.
/var/run/utmp
This file records information about every user currently logged on, so it changes as users log in and out of the system. It holds only the sessions open at the moment and keeps no permanent record. Programs that need the current user status, such as who, w, users and finger, read this file. It is not entirely reliable: when a logon session is terminated by an unexpected error, the system may not update the utmp record in time, so the file can show sessions that no longer exist.
The three files above (/var/log/wtmp, /var/run/utmp and /var/log/lastlog) are the key files of the log subsystem for user logon state. Every record in them carries a timestamp. They are stored in binary format, so you cannot read them directly with commands such as cat or less; you must use the corresponding commands. The utmp and wtmp files share the same record structure, while lastlog uses a different one. Use man utmp to look up the exact record layout of utmp and wtmp.
Each time a user logs on, the login program looks up the user's UID in the lastlog file. If an entry exists, the user's last logon time and host name are written to standard output. login then records the new logon time in lastlog, opens the utmp file and inserts a utmp record for the user. That record is removed when the user logs out. The utmp file is used by commands such as who, w, users and finger.
Next, login opens the wtmp file and appends the user's utmp record to it. When the user logs out, the same utmp record with an updated timestamp is appended again. The wtmp file is read by the last command.
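Because wtmp and utmp share the struct utmp record layout, a few lines of Python can read them the way last does. The following is an added example, not code from the original article. It assumes the glibc struct utmp layout on x86_64 Linux (384 bytes per record, as documented in man utmp); other architectures or C libraries may use a different layout, and the sample records are constructed here rather than read from a real host.

```python
import struct
import time

# ut_type values from <utmp.h>
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8

# Assumed layout: glibc struct utmp on x86_64 (see man utmp), 384 bytes:
# ut_type(h) pad(2) ut_pid(i) ut_line[32] ut_id[4] ut_user[32] ut_host[256]
# ut_exit{e_termination,e_exit}(h,h) ut_session(i) ut_tv{sec,usec}(i,i)
# ut_addr_v6[4](4i) __unused[20]
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20s")
assert UTMP.size == 384, "layout differs from the assumed x86_64 glibc struct"

def _cstr(raw: bytes) -> str:
    """NUL-terminated char[] field -> str."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def pack_record(ut_type: int, pid: int, line: str, user: str, host: str, tv_sec: int) -> bytes:
    """Build one record the way login(1)/init would; unused fields are zeroed."""
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(), host.encode(),
                     0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")

def parse_records(data: bytes):
    """Yield one dict per 384-byte record; refuse data that is not a whole number of records."""
    if len(data) % UTMP.size:
        raise ValueError("truncated file or a different struct utmp layout")
    for off in range(0, len(data), UTMP.size):
        f = UTMP.unpack_from(data, off)
        yield {"type": f[0], "pid": f[1], "line": _cstr(f[2]), "user": _cstr(f[4]),
               "host": _cstr(f[5]), "time": f[9]}

def sessions(data: bytes):
    """Pair each USER_PROCESS record with the DEAD_PROCESS on the same line, as last(1) does.
    Returns (user, line, host, login_time, logout_time_or_None) tuples."""
    open_by_line, out = {}, []
    for r in parse_records(data):
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            start = open_by_line.pop(r["line"])
            out.append((start["user"], start["line"], start["host"], start["time"], r["time"]))
    for r in open_by_line.values():          # no logout record yet: still logged in
        out.append((r["user"], r["line"], r["host"], r["time"], None))
    return out

# Constructed sample wtmp (not captured from a real host): reboot, alice logs in and out, bob stays on
WTMP_SAMPLE = b"".join([
    pack_record(BOOT_TIME, 0, "~", "reboot", "", 1_700_000_000),
    pack_record(USER_PROCESS, 4242, "pts/0", "alice", "10.0.0.5", 1_700_000_100),
    pack_record(DEAD_PROCESS, 4242, "pts/0", "", "", 1_700_000_700),
    pack_record(USER_PROCESS, 4300, "pts/1", "bob", "192.0.2.9", 1_700_000_800),
])

if __name__ == "__main__":
    # Against the real file: data = open("/var/log/wtmp", "rb").read()
    for user, line, host, start, end in sessions(WTMP_SAMPLE):
        when = time.strftime("%a %b %d %H:%M", time.gmtime(start))
        print(f"{user:<8} {line:<8} {host:<16} {when}  "
              + ("still logged in" if end is None else f"({(end - start) // 60} min)"))
```

The size check at import time is deliberate: a wtmp copied from a 32-bit or non-glibc system will not be a multiple of 384 bytes, and parsing it with the wrong layout silently produces garbage users and hosts. Note also that a DEAD_PROCESS record is matched by terminal line, which is why an attacker who deletes only the logout record leaves a session that appears to be still open.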
/var/log/xferlog
This log file records FTP sessions and shows the files users copied to or from the FTP server. It reveals malicious programs uploaded to the server in preparation for an intrusion, as well as the files users downloaded for their own use.
Each line has the following fields: the date and time; the transfer time in seconds; the remote host name; the file size; the local path name; the transfer type (a: ASCII, b: binary); a special-action flag (C: compressed, U: uncompressed, T: tar, or _ if no action was taken); the transfer direction relative to the server (i: incoming, o: outgoing); the access mode (a: anonymous, g: guest with password, r: real user); the user name; the service name (usually ftp); the authentication method (1: RFC 931, 0: none); and the authenticated user ID, or * if none. Figure 5 shows part of the file:
Figure 5 /var/log/xferlog file diagram
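The field list above is easy to turn into a parser, and the article's point that uploaded malware shows up here is easy to turn into a check. The following is an added example, not code from the original article. The sample lines are constructed to match the wu-ftpd/vsftpd xferlog layout described above, with the optional trailing completion-status field (c or i) that some servers append; the list of suspicious file suffixes is an assumed local policy.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Transfer:
    when: datetime
    seconds: int            # transfer time
    remote_host: str
    size: int
    path: str               # local path; servers replace spaces in names with '_'
    transfer_type: str      # a = ASCII, b = binary
    action: str             # C compressed, U uncompressed, T tar, _ none
    direction: str          # i = incoming (upload to server), o = outgoing
    access_mode: str        # a = anonymous, g = guest, r = real user
    user: str
    service: str            # usually "ftp"
    auth_method: str        # 0 = none, 1 = RFC 931
    auth_user: str          # authenticated id, or *
    completed: bool         # from the optional trailing c/i status field

def parse_xferlog_line(line: str) -> Transfer:
    """Split one xferlog line into fields; the first five tokens are the timestamp."""
    f = line.split()
    if len(f) < 17:
        raise ValueError(f"too few fields for an xferlog line: {line!r}")
    when = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
    completed = (f[17] != "i") if len(f) > 17 else True
    return Transfer(when, int(f[5]), f[6], int(f[7]), f[8], f[9], f[10], f[11],
                    f[12], f[13], f[14], f[15], f[16], completed)

# File types an anonymous or guest account has no business uploading (assumed policy)
SUSPICIOUS_SUFFIXES = (".sh", ".pl", ".py", ".php", ".c", ".so", ".tar", ".tgz", ".gz", ".zip")

def risky_uploads(lines):
    """Uploads (direction i) by anonymous/guest users of executable or archive files."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        t = parse_xferlog_line(line)
        if (t.direction == "i" and t.access_mode in ("a", "g")
                and t.path.lower().endswith(SUSPICIOUS_SUFFIXES)):
            hits.append(t)
    return hits

# Constructed sample lines (not from a real server)
XFERLOG_SAMPLE = """\
Mon Jul  6 10:12:34 2009 2 203.0.113.7 4096 /pub/README.txt a _ o a ftp@example.com ftp 0 * c
Mon Jul  6 10:15:01 2009 12 203.0.113.7 184320 /incoming/rootkit.tar.gz b _ i a ftp@example.com ftp 0 * c
Mon Jul  6 11:02:45 2009 1 192.0.2.20 2048 /home/alice/notes.txt a _ i r alice ftp 0 * c
Mon Jul  6 11:40:00 2009 5 198.51.100.9 51200 /incoming/backdoor.sh b _ i g webguest ftp 1 webguest i
"""

if __name__ == "__main__":
    # Real use: risky_uploads(open("/var/log/xferlog"))
    for t in risky_uploads(XFERLOG_SAMPLE.splitlines()):
        status = "complete" if t.completed else "INCOMPLETE"
        print(f"{t.when:%Y-%m-%d %H:%M} {t.access_mode} {t.user}@{t.remote_host} "
              f"uploaded {t.path} ({t.size} B, {status})")
```

Incomplete uploads are reported too: an attacker whose transfer was cut off may simply retry, and the partial file is already on disk.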
2. How to view Linux log output
Linux provides many text tools for viewing and processing log files. Below are some common and useful ones.
dmesg
The dmesg command gives a quick view of the kernel messages from the most recent boot, as in Figure 6:
Figure 6 dmesg Display Results
As the figure shows, the output is usually long, so the boot messages are often paged with the following command, as in Figure 7:
# dmesg | more
Figure 7 dmesg | more command display result
tail
The tail command displays the last few lines of a text file. With the -f switch it keeps running and prints new lines as they are appended to the log, as in Figure 8:
# tail -f /var/log/messages
Figure 8 use tail to view logs
The command above prints the last ten lines of /var/log/messages (tail's default), then keeps monitoring the file and prints each new line as it is written. To stop tail -f, press [Ctrl + C].
more and less
more works like its DOS namesake. You can point it at a file, or pipe output into it, and read the text one screen at a time. For example, to page through the maillog file from the /var/log directory:
# more maillog
Figure 9 use more to view logs
Press q (or [Ctrl + C]) to stop viewing the file.
less is another pager, but it also lets you scroll backwards and search within the file. For example:
# less /var/log/cron-20090830
Figure 10 use the less command to view logs
The command above displays the rotated cron log /var/log/cron-20090830. Press q to stop viewing the file.
Other methods
Log files are critical for diagnosing faults and maintaining a Linux system. Many network application services, such as WWW, FTP and SMTP, write their logs to dedicated plain-text files (such as access.log and error.log), so no special tool is needed to read them; a simple text editor such as vi or gedit is enough.
3. Principles for using Linux logs
System administrators should stay vigilant, watch for suspicious activity at all times, and check the various system log files both on schedule and at random, including the general message log, the network connection logs, the file transfer logs and the user logon logs. When checking these logs, look for entries whose timing or content is unreasonable. For example:
Users logging on at unusual times;
Abnormal log records, such as incomplete logs, or a log file such as wtmp with entries missing for no reason;
A user logging on from an IP address different from the one used previously;
Records of failed logons, especially a run of consecutive failures;
Unauthorized or improper use of super-user privileges via su;
Network services restarted for no reason or for an illegitimate reason.
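The warning signs above can be checked mechanically rather than by eye. The following is an added example, not code from the original article: it scans lines in the Fedora /var/log/secure syslog format for off-hours logons, runs of failed logons, a user appearing from a new source address, and su to root. The log lines are constructed; the sshd and su message shapes matched here are the ones in common use but are an assumption, as are the working-hours window and the failure threshold.

```python
import re
from collections import defaultdict

# "Jul  6 03:12:01 host prog[pid]: message"  (the [pid] part is optional, e.g. for su)
LINE = re.compile(r"^(\w{3}\s+\d+) (\d\d):(\d\d):\d\d \S+ (\S+?)(?:\[\d+\])?: (.*)$")
ACCEPTED = re.compile(r"Accepted \w+ for (\S+) from (\S+)")
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
SU_FAIL = re.compile(r"FAILED SU \(to (\S+)\) (\S+) on")
SU_OK = re.compile(r"^\(to (\S+)\) (\S+) on")

WORK_HOURS = range(7, 20)   # 07:00-19:59, assumed site policy
FAIL_THRESHOLD = 3          # consecutive failures worth reporting, assumed

def analyse(lines, work_hours=WORK_HOURS, fail_threshold=FAIL_THRESHOLD):
    """Return a list of human-readable findings for the suspicious patterns."""
    findings = []
    last_ip = {}                       # user -> source of the previous accepted logon
    fail_streak = defaultdict(int)     # user -> consecutive failed logons so far
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue
        date, hour, _minute, prog, msg = m.groups()
        hour = int(hour)
        if prog == "sshd":
            if (a := ACCEPTED.search(msg)):
                user, ip = a.groups()
                if fail_streak[user] >= fail_threshold:
                    findings.append(f"{date}: {user} logged in after {fail_streak[user]} "
                                    f"failures (possible brute force)")
                fail_streak[user] = 0
                if hour not in work_hours:
                    findings.append(f"{date} {hour:02d}h: {user} logged in outside work hours from {ip}")
                if user in last_ip and last_ip[user] != ip:
                    findings.append(f"{date}: {user} logged in from {ip}, previously {last_ip[user]}")
                last_ip[user] = ip
            elif (f := FAILED.search(msg)):
                user, ip = f.groups()
                fail_streak[user] += 1
                if fail_streak[user] == fail_threshold:
                    findings.append(f"{date}: {fail_streak[user]} consecutive failed logins "
                                    f"for {user} from {ip}")
        elif prog == "su":
            if (s := SU_FAIL.search(msg)):
                target, user = s.groups()
                findings.append(f"{date}: su to {target} by {user} FAILED")
            elif (s := SU_OK.search(msg)) and s.group(1) == "root":
                findings.append(f"{date}: {s.group(2)} became root via su")
    return findings

# Constructed sample of /var/log/secure (not from a real host)
SECURE_SAMPLE = """\
Jul  6 09:01:10 web1 sshd[2101]: Accepted password for alice from 192.0.2.10 port 50122 ssh2
Jul  6 22:14:02 web1 sshd[2188]: Failed password for alice from 203.0.113.9 port 4011 ssh2
Jul  6 22:14:05 web1 sshd[2188]: Failed password for alice from 203.0.113.9 port 4011 ssh2
Jul  6 22:14:09 web1 sshd[2188]: Failed password for alice from 203.0.113.9 port 4011 ssh2
Jul  6 22:14:30 web1 sshd[2190]: Accepted password for alice from 203.0.113.9 port 4012 ssh2
Jul  6 22:15:01 web1 su: FAILED SU (to root) alice on pts/1
Jul  6 22:15:20 web1 su: (to root) alice on pts/1
Jul  7 08:30:00 web1 sshd[2301]: Accepted publickey for bob from 192.0.2.11 port 51000 ssh2
"""

if __name__ == "__main__":
    # Real use: analyse(open("/var/log/secure"))
    for finding in analyse(SECURE_SAMPLE.splitlines()):
        print(finding)
```

The single success for alice at 22:14 triggers three findings at once (logon after a failure run, off-hours, new source address), which is exactly the kind of correlation across patterns the next paragraph asks for; any one of them alone is easy to explain away.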
Administrators are reminded in particular that logs are not completely reliable: skilled attackers usually clean up after breaking into a system. The commands above should therefore be used together and the logs compared against one another, rather than drawing conclusions from a single entry; otherwise an intrusion is hard to detect or is misjudged.
In addition, logs can in some cases be sent to a printer, so that an intruder gains nothing by modifying the logs on the host, and logs are usually recorded in more than one place. Note that the syslog service itself is a notable target for attackers: a host that keeps logs on behalf of other hosts is a particularly attractive target.