Information about the Linux system/var/log directory

Transferred from: http://blog.chinaunix.net/uid-24250828-id-3198922.html

1)/var/log/secure: Record log in system to access data files;
For example: POP3,SSH,TELNET,FTP, etc. will be recorded here.

2)/ar/log/btmp: Record login This information record, has been encoded, so must be resolved with last;
Example: Lastb | awk ' {print $} ' | Sort | uniq-c | Sort-nr | More

3)/var/log/message: Almost all boot system errors will be recorded here;

4)/var/log.boot.log: Record some startup or shutdown of some services to display the start or shutdown information;

5)/var/log/maillog: Record the access and correspondence of mail;

6)/var/log/cron: Used to record the contents of this service crontab;

7)/var/log/httpd,/var/log/mysqld.log and so on file, record several different network service record file;

8)/var/log/acpid, acpi-advanced Configuration and Power Interface, represents the advanced configurations and power management interfaces.
The following D represents Deamon. Acpid is also the ACPI event daemon. This is the ACPI message process. A service program used to control, obtain, and manage the state of ACPI.

9)/var/run/utmp records the user who is now logged in;
/var/log/lastlog record each user's last login information;
One)/var/log/btmp log the wrong login attempt;
/VAR/LOG/DMESG kernel log;
/var/log/cpus CPU processing information;
/var/log/syslog Event record monitoring program log;
/var/log/auth.log user authentication log;
()/var/log/daemon.log system process log;
()/var/log/mail.err mail error message;
/var/log/mail.info Mail information;
/var/log/mail.warn Mail warning message;
(/var/log/daemon.log) The information generated by the system monitoring program;
)/var/log/kern the information generated by the kernel;
(/VAR/LOG/LPR) The information generated by the spool system of the printer;
-----------------------------------------------

Information about the Linux system/var/log directory

Http://www.cnblogs.com/balaamwe/archive/2012/02/28/2371306.html

I./var directory

/var all services log-in files or error information files (log files) are under/var/log, in addition, some databases such as MySQL under/var/lib, also, the user unread mail default location is/var/spool/mail

Second,:/var/log/

Boot Log for system:/var/log/boot.log
For example: Feb 10:40:48 Sendmial:sendmail startup succeeded
Is that the Mail service started successfully!

System logs are generally present under/var/log
The usual system logs are as follows:
Core Boot log:/VAR/LOG/DMESG
System error log:/var/log/messages
Mail system log:/var/log/maillog
FTP System log:/var/log/xferlog
Security information and System login and network connection information:/var/log/secure
Login record:/var/log/wtmp record the login, the binary file, must use last to read the content who-u/var/log/wtmp View information
News log:/var/log/spooler
RPM Package:/var/log/rpmpkgs
XFree86 log:/var/log/xfree86.0.log
Boot log:/var/log/boot.log record boot message, DMESG | More
Cron (custom task Log) log:/var/log/cron

Security information and System login and network connection information:/var/log/secure

The file/var/run/utmp records the user who is logged in now.

File/var/log/wtmp records all login and logout.

Document/var/log/lastlog records the last login information for each user.

File/var/log/btmp log in to the wrong login try.

Less/var/log/auth.log action required for identity confirmation

Part three, the detailed command

/var/log/messages

The messages log is the core system log file. It contains boot messages at system startup and other status messages when the system is running. IO errors, network errors, and other system errors are recorded in this file. Other information, such as a person's identity switch to root, is also listed here. If the service is running, such as a DHCP server, you can observe its activity in the messages file. Typically,/var/log/messages is the first file you want to view when troubleshooting.

/var/log/xfree86.0.log

This log records the results of the last execution of the Xfree86 xwindows server. If you are having trouble booting into graphics mode, the general situation is that the cause of the failure is found in this file.

Http://www.guanwei.org/post/LINUXnotes/01/linuxlogs.html

One of the keys to successfully managing any system is to know what is going on in the system. Exception logs are provided in Linux, and the details of the logs are configurable. Linux logs are stored in clear text, so users do not need special tools to search and read them. You can also write scripts that scan these logs and automatically perform certain functions based on their content. The Linux logs are stored in the/var/log directory. There are several log files maintained by the system, but other services and programs may also place their logs here. Most logs can only be read by the root account, but the access to the file can be read by other people.

Log file classification

/var/log/boot.log

This file records the events that occurred during the boot process, and is the information displayed during the post process of the Linux system.

/var/log/cron

This log file records the actions of the child process derived from the crontab daemon Crond, preceded by the user, logon time and PID, and the actions of the derived process. One action of CMD is a common scenario in which cron derives a scheduling process. The Replace action records the user's updates to its cron file, which lists the task schedules to be executed periodically. The reload action occurs shortly after the Replace action, which means that cron notices that a user's cron file is being updated and cron needs to reload it into memory. The file may find some anomalies.

/var/log/maillog

The log file records the activity of each email sent to or from the system. It can be used to see which system the user uses to send the tool or send the data to. The following is a fragment of the log file:

Sep 4 17:23:52 UNIX sendmail[1950]: g849npp01950:from=root, size=25,

Class=0, Nrcpts=1,

Msgid=<[email Protected]>

[Email protected]

Sep 4 17:23:55 UNIX sendmail[1950]: g849npp01950: [email protected],

Ctladdr=root (0/0), delay=00:00:04, xdelay=00:00:03, MAILER=ESMTP, pri=30025,

Relay=fcceec.net. [10.152.8.2], dsn=2.0.0, stat=sent (Message queued)

/var/log/messages

This log file is a summary of many process log files, from which you can see any intrusion attempts or successful intrusions. As in the following lines:

Sep 3 08:30:17 UNIX login[1275]: FAILED login 2 from (null) for suying,

Authentication failure

SEP 4 17:40:28 UNIX--suying[2017]: LOGIN on PTS/1 by suying

fcceec.www.ec8.pfcc.com.cn

Sep 4 17:40:39 UNIX su (Pam_unix) [2048]: Session opened for user root by suying (uid=999)

The format of the file is that each row contains a date, a hostname, a program name, a square bracket that contains a PID or kernel ID, a colon and a space, and finally a message. The file has a shortage of logged intrusion attempts and successful intrusion events that are submerged in a large number of normal process records. However, the file can be customized by the/etc/syslog file. The/etc/syslog.conf configuration file determines how the system writes to/var/messages. The behavior of how to configure the/etc/syslog.conf file to determine system logging is described in more detail later.

/var/log/syslog

The default Redhat Linux does not generate the log file, but you can configure/etc/syslog.conf to have the log file generated by the system . It is different from the/etc/log/messages log file, it only records the warning message , often is the system problem information, so should be concerned about the file. To have the log file generated by the system, add: *.warning/var/log/syslog The log file can record the error password, sendmail problem, which is logged by login when the user logs in,/etc/syslog.conf file The SU command fails to execute information. Here is a record:

SEP 6 16:47:52 UNIX Login (Pam_unix) [2384]: Check pass; User Unknown

/var/log/secure

This log file records security-related information. Some of the contents of the log file are as follows:

Sep 4 16:05:09 UNIX xinetd[711]: start:ftp pid=1815 from=127.0.0.1

Sep 4 16:05:09 UNIX xinetd[1815]: userid:ftp other:root

Sep 4 16:07:24 UNIX xinetd[711]: exit:ftp pid=1815 duration=135 (sec)

Sep 4 16:10:05 UNIX xinetd[711]: start:ftp pid=1846 from=127.0.0.1

Sep 4 16:10:05 UNIX xinetd[1846]: userid:ftp other:root

Sep 4 16:16:26 UNIX xinetd[711]: exit:ftp pid=1846 duration=381 (sec)

Sep 4 17:40:20 UNIX xinetd[711]: start:telnet pid=2016 from=10.152.8.2

/var/log/lastlog

This log file records the most recent successful logon event and the last unsuccessful logon event that was generated by login. Each time a user logs on, the file is a binary file and needs to be viewed using the Lastlog command , which displays the login name, port number, and last logon time based on the UID. If a user has never logged in, it is displayed as "**never logged in**". This command can only be performed with root privileges. Simply enter the Lastlog command and you will see a message similar to the following:

Username Port from Latest

Root Tty2 Tue Sep 3 08:32:27 +0800 2002

Bin **never Logged in**

Daemon **never logged in**

ADM **never logged in**

LP **never logged in**

Sync **never logged in**

Shutdown **never Logged in**

Halt **never logged in**

Mail **never logged in**

News **never Logged in**

UUCP **never logged in**

Operator **never logged in**

Games **never Logged in**

Gopher **never Logged in**

FTP FTP UNIX Tue Sep 3 14:49:04 +0800 2002

Nobody **never logged in**

NSCD **never logged in**

Mailnull **never logged in**

Ident **never logged in**

RPC **never logged in**

Rpcuser **never logged in**

XFS **never logged in**

GDM **never logged in**

Postgres **never logged in**

Apache **never logged in**

Lzy tty2 Mon Jul 15 08:50:37 +0800 2002

Suying tty2 Tue Sep 3 08:31:17 +0800 2002

system accounts such as bin, Daemon, ADM, UUCP, mail, etc. should never be logged in, if they are found to be logged in, the system may have been compromised. If the recorded time is not the last time the user logged in, then the user's account has been compromised.

/var/log/wtmp

This log file permanently records each user's logon, logoff, and system startup, downtime events. Therefore, as the system uptime increases, the size of the file becomes larger and higher, depending on the number of times the system user logs on. The log file can be used to view the user's login record, the last command to access this file to obtain this information, and in reverse order from back to front to display the user's log-in record, can also be based on user, terminal TTY or time display corresponding records.

The last command has two optional parameters:

The Last-u user name shows the last time the user logged in.

Last-t days Displays the user logon situation before the specified number of days.

/var/run/utmp

The log file records information about each user who is currently logged on. As a result, the file changes as the user logs on and off the system, preserving only the user records that were online at that time and not keeping permanent records for the user. The system needs to query the current user state of the program, such as WHO, W, users, finger and so on need to access this file. The log file does not include all the exact information, because some burst errors terminate the user logon session, and the system does not update the UTMP record in a timely manner, so the log file record is not entirely trustworthy.

The 3 files mentioned above (/var/log/wtmp,/var/run/utmp,/var/log/lastlog) are the key files of the log subsystem, all of which record the user login. all records for these files contain timestamps. These files are stored in binary, so they cannot be viewed directly with commands such as less and cat, but they need to be viewed through these files using related commands. Where the data structures of utmp and wtmp files are the same, and Lastlog files use additional data structures, the concrete data structures for them can be queried using the man command.

Each time a user logs in, the login program looks at the UID of the user in the file lastlog. If present, the user's last logon, logoff time, and hostname are written to standard output, then the login program logs the new logon time in Lastlog, opens the Utmp file and inserts the user's utmp record. This record is always deleted when the user logs on and exits. utmp files are used by various commands, including WHO, W, users, and finger.

Next, the login program opens the file wtmp additional user's utmp record. When a user logs on and exits, the same utmp record with the update timestamp is appended to the file. The Wtmp file is used by the last program.

/var/log/xferlog

This log file records the FTP session and can show what files the user has copied to the FTP server or from the server. The file shows the malicious program that the user has copied to the server to invade the server, and what files the user has copied for him to use.

The format of the file is: The first field is the date and time, the second domain is the number of seconds to download the file, the remote system name, the file size, the local pathname, the transport type (a:ascii,b: binary), the compression-related flag or tar, or "_" (if there is no compression), Transmission direction (relative to the server: I represents the input, O represents), Access mode (A: Anonymous, G: Enter password, r: Real user), user name, service name (usually FTP), authentication method (l:rfc931, or 0), authentication User ID or "*". Here is a record of the file:

Wed SEP 4 08:14:03 2002 1 UNIX 275531

/var/ftp/lib/libnss_files-2.2.2.so b _ o A [email protected] FTP 0 * C

/var/log/kernlog

RedHat Linux does not record this log file by default. To enable the log file, you must add a line to the/etc/syslog.conf file: kern.*/var/log/kernlog . This enables the ability to log all kernel messages to the/var/log/kernlog file. This file records how the device is loaded or used when the system starts. It is generally normal operation, but if you record these actions by a user who is not authorized, be aware that this is the behavior of a malicious user. Here is a partial description of the file:

Sep 5 09:38:42 UNIX kernel:NET4:Linux TCP/IP 1.0 for NET4.0

Sep 5 09:38:42 UNIX kernel:ip protocols:icmp, UDP, TCP, IGMP

Sep 5 09:38:42 UNIX kernel:IP:routing cache Hash Table of buckets, 4Kbytes

Sep 5 09:38:43 UNIX kernel:TCP:Hash tables configured (established 4096 bind 4096)

Sep 5 09:38:43 UNIX kernel:linux IP multicast router 0.06 plus PIM-SM

Sep 5 09:38:43 UNIX Kernel:NET4:Unix domain sockets 1.0/SMP for Linux NET4.0.

Sep 5 09:38:44 UNIX kernel:ext2-fs Warning:checktime reached, running E2fsck is recommended

Sep 5 09:38:44 UNIX kernel:VFS:Mounted root (ext2 filesystem).

Sep 5 09:38:44 UNIX KERNEL:SCSI Subsystem driver revision:1.00

/var/log/xfree86.x.log

The log file records the X-window boot situation. In addition, in addition to/var/log/, malicious users may also leave traces in other places, should pay attention to the following places: root and other accounts of the shell history files, the user's various mailboxes, such as. sent, mbox, and stored in/var/spool/mail/and/var /spool/mqueue, temporary files/tmp,/usr/tmp,/var/tmp; hidden directories; files created by other malicious users, usually with "." Files with hidden properties, and so on.

Iv. Specific Orders

Wtmp and utmp files are binary files and cannot be clipped or merged (using the Cat command) by commands such as tail. Users need to use the Who , W, users, last, and AC commands to use the information contained in these two files.

Who command

The WHO command queries the utmp file and reports each user who is currently logged on. The WHO default output includes the user name, terminal type, logon date, and remote host. For example, type the WHO command and press ENTER to display the following:

Chyang pts/0 18 15:06

Ynguo PTS/2 18 15:32

Ynguo PTS/3 18 13:55

Lewis PTS/4 18 13:35

Ynguo PTS/7 18 14:12

Ylou PTS/8 18 14:15

If the wtmp file name is indicated, the WHO command queries all previous records. Command who/var/log/wtmp will report every login since the Wtmp file was created or hacked.

W command

The W command queries the utmp file and displays information about each user in the current system and the process it is running. For example, type the W command and press ENTER to display the following:

3:36pm up 1 day, 22:34, 6 users, load average:0.23, 0.29, 0.27

USER TTY from [email protected] IDLE jcpu PCPU

Chyang pts/0 202.38.68.242 3:06pm 2:04 0.08s 0.04s-bash

Ynguo pts/2 202.38.79.47 3:32pm 0.00s 0.14s 0.05 W

Lewis Pts/3 202.38.64.233 1:55pm 30:39 0.27s 0.22s-bash

Lewis Pts/4 202.38.64.233 1:35pm 6.00s 4.03s 0.01s sh/home/users/

Ynguo PTS/7 simba.nic.ustc.e 2:12pm 0.00s 0.47s 0.24s telnet Mail

Ylou pts/8 202.38.64.235 2:15pm 1:09m 0.10s 0.04s-bash

The Users command

The users command prints out the currently logged-on user with a separate line, with each user name displayed with a logon session. If a user has more than one logon session, his user name displays the same number of times. For example, type the users command, and then press ENTER to display the following:

Chyang Lewis Lewis Ylou Ynguo Ynguo

Last command

The last command searches back wtmp to display the user who has logged in since the file was first created. For example:

Chyang PTS/9 202.38.68.242 Tue 1 08:34-11:23 (02:49)

Cfan PTS/6 202.38.64.224 Tue 1 08:33-08:48 (00:14)

Chyang PTS/4 202.38.68.242 Tue 1 08:32-12:13 (03:40)

Lewis Pts/3 202.38.64.233 Tue 1 08:06-11:09 (03:03)

Lewis Pts/2 202.38.64.233 Tue 1 07:56-11:09 (03:12)

If the user is indicated, then last reports only the user's recent activity, for example, by typing the last Ynguo command, and then pressing ENTER, the following is displayed:

Ynguo PTS/4 SIMBA.NIC.USTC.E Fri 4 16:50-08:20 (15:30)

Ynguo PTS/4 SIMBA.NIC.USTC.E Thu 3 23:55-04:40 (04:44)

Ynguo PTS/11 SIMBA.NIC.USTC.E Thu 3 20:45-22:02 (01:16)

Ynguo pts/0 SIMBA.NIC.USTC.E Thu 3 03:17-05:42 (02:25)

Ynguo pts/0 SIMBA.NIC.USTC.E Wed 2 01:04-03:16 1+02:12)

Ynguo pts/0 SIMBA.NIC.USTC.E Wed 2 00:43-00:54 (00:11)

Ynguo PTS/9 SIMBA.NIC.USTC.E Thu 1 20:30-21:26 (00:55)

AC command

The AC command reports the user's connection time (in hours) based on login entry and exit in the current/var/log/wtmp file, and reports the total time if the flag is not used. For example, type the AC command and press ENTER to display the following:

Total 5177.47

Type the ac-d command, and then press ENTER to display the total connection time per day:

261.87 Total

Total 351.39

Total 396.09

Total 462.63

270.45 Total

Total 104.29

Today Total 179.02

Type the Ac-p command, and then press ENTER to display the total connection time for each user:

Ynguo 193.23

Yucao 3.35

Rong 133.40

Hdai 10.52

Zjzhu 52.87

Zqzhou 13.14

Liangliu 24.34

Total 5178.24

Lastlog command

The Lastlog file is queried each time a user logs on. You can use the Lastlog command to check the last logon time for a particular user and format the output of the last logon log/var/log/lastlog. It displays the login name, port number (TTY), and last logon time based on the UID sort. If a user has never logged in, Lastlog displays **never logged**. Note You need to run the command as root, for example:

Rong 5 202.38.64.187 Fri 18 15:57:01 +0800 2000

DBB **never logged in**

Xinchen **never logged in**

pb9511 **never logged in**

Xchen 0 202.38.64.190 Sun 13 10:01:22 +0800 2000

In addition, some parameters can be added, for example, the "Last-u 102" command will report a user with a UID of 102, and the "last-t 7" command represents a report that is limited to the previous week.

V. Process statistics

UNIX can track every command run by each user, and if you want to know what important files were messed up last night, the process statistics subsystem can tell you. It is also helpful for tracking an intruder. Unlike the connection time log, the process statistics subsystem is not activated by default and it must be started. Starting process statistics on Linux systems use the Accton command, which must be run as root.

The Accton command is in the form:Accton file, file must exist beforehand.

First Use the touch command to create the Pacct file: Touch/var/log/pacct, and then run ACCTON:ACCTON/VAR/LOG/PACCT. Once Accton is activated, you can use the Lastcomm command to monitor the commands that are executed at any time in the system. To turn off statistics, you can use the Accton command without any parameters.

The Lastcomm command reports previously executed files. With no parameters, the Lastcomm command displays information about all the commands recorded in the current statistics file life cycle. Includes the command name, the user, the TTY, the CPU time spent by the command, and a timestamp. If the system has many users, the input may be very long. Look at the following example:

Crond F root?? 0.00 secs Sun 20 00:16

Promisc_check.s s root?? 0.04 secs Sun 20 00:16

Promisc_check root?? 0.01 secs Sun 20 00:16

grep root?? 0.02 secs Sun 20 00:16

Tail root?? 0.01 secs Sun 20 00:16

SH root?? 0.01 secs Sun 20 00:15

Ping S root?? 0.01 secs Sun 20 00:15

ping6.pl F root?? 0.01 secs Sun 20 00:15

SH root?? 0.01 secs Sun 20 00:15

Ping S root?? 0.02 secs Sun 20 00:15

ping6.pl F root?? 0.02 secs Sun 20 00:15

SH root?? 0.02 secs Sun 20 00:15

Ping S root?? 0.00 secs Sun 20 00:15

ping6.pl F root?? 0.01 secs Sun 20 00:15

SH root?? 0.01 secs Sun 20 00:15

Ping S root?? 0.01 secs Sun 20 00:15

SH root?? 0.02 secs Sun 20 00:15

Ping S root?? 1.34 secs Sun 20 00:15

Locate root ttyp0 1.34 secs Sun 20 00:15

Accton S Root ttyp0 0.00 secs Sun 20 00:15

One problem with process statistics is that PACCT files can grow very quickly. The SA command needs to be run interactively or through a cron mechanism to ensure that the log data is within system control. The SA command reports, cleans up, and maintains process statistics files. It can compress the information in the/VAR/LOG/PACCT into the digest file/var/log/savacct and/var/log/usracct. These summaries contain system statistics categorized by command name and user name. By default, the SA reads them first, and then reads the Pacct file so that the report can contain all the available information. The output of the SA has some of the following markup entries.

Information about the Linux system/var/log directory