1. Introduction to important log files under Linux
/var/log/boot.log
This file records the events that occurred during the boot process, that is, the information the Linux system prints while starting up, as shown in Figure 1:
Figure 1: /var/log/boot.log schematic
/var/log/cron
This log file records the actions of the child processes spawned by the cron daemon crond. Each entry is prefixed with the user, the time and the PID, followed by the action the spawned process performed. The CMD action is the common case in which cron spawns a scheduled job. The REPLACE action records a user updating their crontab file, which lists the tasks to be executed periodically. The RELOAD action occurs shortly after a REPLACE, meaning that cron has noticed that a user's crontab was updated and needs to reload it into memory. Anomalies can sometimes be spotted in this file. See Figure 2 for a schematic of the file:
Figure 2: /var/log/cron file schematic
/var/log/maillog
This log file records the activity of every email sent to or from the system. It can be used to see which tool a user used to send mail and which system the data was sent to. A fragment of the log file is shown in Figure 3:
Figure 3: /var/log/maillog file schematic
/var/log/messages
Each line of this file contains a date, a hostname, a program name, a PID or kernel identifier in square brackets, a colon and a space, and finally the message. The weakness of the file is that logged intrusion attempts and successful intrusions are submerged in a large number of normal process records. However, what is written to the file can be customized: the /etc/syslog.conf configuration file determines how the system writes to /var/log/messages.
/var/log/syslog
Fedora does not generate this log file by default, but you can configure /etc/syslog.conf so that the system generates it. It differs from /var/log/messages in that it only records warning messages, which are often messages about system problems, so the file deserves attention. To have the system generate the file, add the following line to /etc/syslog.conf:
*.warning    /var/log/syslog
This log file can then record information such as wrong passwords entered at login, sendmail problems and failed executions of the su command.
/var/log/lastlog
This log file records, for each user, the most recent successful login event and the last unsuccessful login event generated by the login program. It is updated each time a user logs in. The file is binary and has to be viewed with the lastlog command, which displays, indexed by UID, the login name, port number and last login time. If a user has never logged in, it is displayed as "**never logged in**". This command can only be run with root privileges. Simply enter the lastlog command and you will see output similar to Figure 4:
Figure 4: Output of the lastlog command
/var/log/wtmp
This log file permanently records each user's login and logout and the system's startup and shutdown events. As system uptime increases, the file therefore keeps growing, at a rate that depends on how often users log in. The file can be used to review users' login records: the last command reads this file and displays the login records in reverse chronological order, and it can also restrict the output to a given user, terminal (tty) or time.
/var/run/utmp
This file records information about each user who is currently logged on. It therefore changes as users log on and off the system; it keeps only the records of the users online at that moment and does not keep a permanent record. Programs that query the current user state, such as who, w, users and finger, need to read this file. The file does not always contain accurate information, because some abrupt errors terminate a user's login session without the system updating the utmp record in time, so its records are not entirely trustworthy.
The three files mentioned above (/var/log/wtmp, /var/run/utmp, /var/log/lastlog) are the key files of the log subsystem; all of them record user logins, and every record contains a timestamp. Because they are stored in binary, they cannot be viewed directly with commands such as less or cat but must be read through the related commands. The utmp and wtmp files share the same data structure, while lastlog uses a different one; the concrete structures can be looked up with the man command.
Each time a user logs in, the login program looks up the user's UID in the lastlog file. If an entry is present, the user's last login and logout time and hostname are written to standard output; the login program then records the new login time in lastlog, opens the utmp file and inserts the user's utmp record. This record is removed when the user logs out. The utmp file is used by various commands, including who, w, users and finger.
Next, the login program opens the wtmp file and appends the user's utmp record to it. When the user logs out, the same utmp record, with an updated timestamp, is appended to the file. The wtmp file is used by the last program.
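As an added illustration of the binary utmp/wtmp record structure described above (example code written for this page, not part of the original article), the following Python parses records laid out as glibc's struct utmp on x86_64 (384 bytes per record, see utmp(5)) and lists user sessions newest first, the way last does. The sample wtmp content is constructed inline; record layouts on other platforms are an assumption to verify with man utmp.

```python
import struct
from datetime import datetime, timezone

# struct utmp as laid out by glibc on x86_64 (384 bytes); see utmp(5) and bits/utmp.h.
# Fields: ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit{e_termination,e_exit}, ut_session, ut_tv{tv_sec,tv_usec}, ut_addr_v6[4], unused[20].
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 5: "INIT_PROCESS",
            6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}

def _cstr(raw):
    """Decode a NUL-padded C string field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_utmp(data):
    """Parse a utmp/wtmp byte string (same record layout for both files) into dicts."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({
            "type": UT_TYPES.get(f[0], str(f[0])), "pid": f[1], "line": _cstr(f[2]),
            "user": _cstr(f[4]), "host": _cstr(f[5]),
            "time": datetime.fromtimestamp(f[9], tz=timezone.utc),
        })
    return records

def make_record(ut_type, pid, line, user, host, tv_sec):
    """Build one constructed record (sample data for the demo, not from a real system)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

# Constructed sample wtmp content: a boot, two logins, and one of the sessions ending.
SAMPLE_WTMP = b"".join([
    make_record(2, 0, "~", "reboot", "5.10.0", 1251590400),
    make_record(7, 1201, "tty1", "alice", "", 1251593400),
    make_record(7, 1340, "pts/0", "bob", "203.0.113.7", 1251600000),
    make_record(8, 1201, "tty1", "", "", 1251597000),
])

def last_logins(data):
    """Mimic `last`: user sessions (USER_PROCESS) newest first, as (user, line, host, time)."""
    sessions = [r for r in parse_utmp(data) if r["type"] == "USER_PROCESS"]
    sessions.sort(key=lambda r: r["time"], reverse=True)
    return [(r["user"], r["line"], r["host"], r["time"].isoformat()) for r in sessions]

if __name__ == "__main__":
    for row in last_logins(SAMPLE_WTMP):
        print(*row)
```

Replacing SAMPLE_WTMP with the bytes of a real /var/log/wtmp (read as root) lists that system's sessions; the same parser reads /var/run/utmp.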
/var/log/xferlog
This log file records FTP sessions and shows which files users have copied to or from the FTP server. From it one can see which malicious programs a user copied onto the server in order to compromise it, and which files the user copied off the server for their own use.
The format of the file is: the first field is the date and time; the second is the number of seconds spent transferring the file; then follow the remote host name, the file size, the local pathname, the transfer type (a: ASCII, b: binary), the special-action flag (compression, uncompression or tar, or "_" if no action was taken), the transfer direction relative to the server (i: incoming, o: outgoing), the access mode (a: anonymous, g: guest with password, r: real user), the user name, the service name (usually ftp), the authentication method (1: RFC 931, or 0), and the authenticated user ID or "*". Figure 5 shows part of the file:
Figure 5: /var/log/xferlog file schematic
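As an added example (written for this page, not taken from the original article or any FTP server's code), the following Python splits xferlog lines into the fields listed above and picks out the incoming transfers, which are the ones to review for files uploaded onto the server. The log lines are constructed samples; a trailing completion-status field, which some servers append, is tolerated.

```python
# Constructed sample /var/log/xferlog lines (not from a real server), one transfer per line,
# in the field order described above; a trailing completion-status field is tolerated.
SAMPLE_XFERLOG = """\
Sun Aug 30 02:13:41 2009 3 203.0.113.7 48213 /var/ftp/incoming/update.bin b _ i a ftp ftp 0 * c
Sun Aug 30 09:10:02 2009 1 198.51.100.4 1024 /var/ftp/pub/README a _ o r alice ftp 1 alice c
Sun Aug 30 09:15:30 2009 12 198.51.100.4 91000 /var/ftp/pub/tools.tar b T o g guest ftp 0 * c
"""

FIELDS = ("seconds", "remote_host", "size", "path", "transfer_type", "special_flag",
          "direction", "access_mode", "user", "service", "auth_method", "auth_id")

def parse_xferlog(text):
    """Split each line into the named fields; the timestamp is the first five tokens."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 + len(FIELDS):
            continue  # malformed or truncated line, skip it
        e = dict(zip(FIELDS, tok[5:5 + len(FIELDS)]))
        e["timestamp"] = " ".join(tok[:5])
        e["seconds"], e["size"] = int(e["seconds"]), int(e["size"])
        entries.append(e)
    return entries

def uploads(entries):
    """Files written to the server (direction 'i'): the transfers to check for malicious uploads."""
    return [(e["timestamp"], e["remote_host"], e["user"], e["access_mode"], e["path"])
            for e in entries if e["direction"] == "i"]
```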
2. How to view Linux log output
Linux provides a number of text tools for viewing and working with log files; this section introduces some of the more common and useful ones.
dmesg
Use the dmesg command to quickly view the boot log of the last system boot, as shown in Figure 6:
Figure 6: dmesg output
As shown above, it usually produces a lot of output, so the following command is often used to display the boot information page by page, as shown in Figure 7:
# dmesg | more
Figure 7: Output of dmesg | more
tail
The tail command displays the last few lines of a text file. With the -f switch, tail keeps displaying new output as content is appended to the log, as shown in Figure 8:
# tail -f /var/log/messages
Figure 8: Viewing a log with tail
The above command displays the last 6 lines of the /var/log/messages file, then keeps monitoring the file and prints new lines as they arrive. To stop tail -f, press [Ctrl + C] to abort the process.
more and less
more works the same way as its DOS counterpart: you can point it at a file, or pipe output into it, to view the information page by page. For example, to display the contents of the maillog log file page by page:
# more maillog
Figure 9: Viewing a log with more
You can then press q or [Ctrl + C] to stop viewing the file.
less is another text viewer, but it also lets you scroll through and search for information in a file, as shown below:
# less /var/log/cron-20090830
Figure 10: Viewing a log with the less command
The above command displays the contents of the log file given on the command line, and you can press q to stop viewing the file.
Other ways
Log files in Linux are critical for system troubleshooting and maintenance. Many Linux services, such as WWW, FTP and SMTP, write their logs to specially designated text files (such as access.log, error.log and so on), so no specialized tools are needed to view them; users can use vi, gedit or other simple text editors.
3. Important principles for using Linux logs
System administrators should be vigilant, keep a lookout for suspicious situations, and check the various system log files both on schedule and at random, including the general information log, network connection log, file transfer log and user log. When checking these logs, pay attention to whether there are unreasonable time records. For example:
- A user logged in at an unusual time;
- Abnormal log records, such as incomplete logs, or log files such as wtmp with unexplained gaps in the middle;
- The IP address from which a user logs in differs from the previous one;
- Records of user login failures, especially repeated failed attempts;
- Illegal or improper use of superuser privileges through the su command;
- Records of network services being restarted without reason or illegitimately.
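As an added example (written for this page, not part of the original article), the following Python applies three of the checks in the list above to lines in the /var/log/messages format described in section 1: logins or su activity outside working hours, any use or failure of su, and repeated login failures for one user. The log lines and the working-hours window are constructed assumptions; real message texts vary between distributions and PAM configurations.

```python
import re
from collections import Counter

# One /var/log/messages line: date, hostname, program, optional [PID], colon, space, message.
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(?P<host>\S+)\s"
                       r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:\s(?P<msg>.*)$")

# Constructed sample lines (not from a real system) covering the cases in the list above.
SAMPLE_LOG = """\
Aug 30 09:12:01 srv01 login[1201]: LOGIN ON tty1 BY alice
Aug 30 02:41:17 srv01 login[1340]: FAILED LOGIN 1 FROM tty2 FOR bob, Authentication failure
Aug 30 02:41:25 srv01 login[1340]: FAILED LOGIN 2 FROM tty2 FOR bob, Authentication failure
Aug 30 02:41:33 srv01 login[1340]: FAILED LOGIN 3 FROM tty2 FOR bob, Authentication failure
Aug 30 02:43:05 srv01 su[1402]: FAILED SU (to root) bob on tty2
Aug 30 10:05:44 srv01 su[1510]: + pts/0 alice:root
Aug 30 10:06:00 srv01 kernel: usb 1-1: new high-speed USB device
"""

def parse_syslog(text):
    """Parse lines into dicts with ts/host/prog/pid/msg/hour; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["hour"] = int(e["ts"][-8:-6])
            entries.append(e)
    return entries

def review(entries, work_hours=(8, 18), fail_threshold=3):
    """Flag off-hours login/su activity, any su use or failure, and repeated login failures."""
    findings, fails = [], Counter()
    for e in entries:
        if e["prog"] == "login" and e["msg"].startswith("FAILED LOGIN"):
            m = re.search(r"FOR (\w+)", e["msg"])
            if m:
                fails[m.group(1)] += 1
        if e["prog"] == "su":
            kind = "su failure" if e["msg"].startswith("FAILED SU") else "su usage"
            findings.append((kind, e["ts"], e["msg"]))
        if e["prog"] in ("login", "su") and not work_hours[0] <= e["hour"] < work_hours[1]:
            findings.append(("off-hours", e["ts"], e["msg"]))
    for user, n in fails.items():
        if n >= fail_threshold:
            findings.append(("repeated login failures", user, n))
    return findings
```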
In particular, administrators are reminded that logs are not completely reliable. Skilled intruders often clean up the traces after they break into a system. It is therefore necessary to combine the system commands described above in a comprehensive review; do not draw conclusions from isolated evidence, otherwise the intrusion may be missed or misjudged.
In addition, in some cases logs can be sent to a printer, so that it does a network intruder no good to modify them. Logging extensively is also common practice. Note too that the syslog facility is a significant target for attackers: a system that maintains logs for other hosts is particularly exposed to attacks on that server, so it needs special attention.
Important log files and viewing methods under Linux