Information detailed in the Linux system /var/log directory

Source: Internet
Author: User
Tags: auth, syslog, system log, dmesg
1) /var/log/secure: records the system's login and access data;
for example, logins via POP3, SSH, telnet, FTP and so on are recorded here.

2) /var/log/btmp: records failed login attempts; it is a binary file, so it must be read with lastb;
For example, to count failed attempts per user name (field 1 of the lastb output), most frequent first:
lastb | awk '{print $1}' | sort | uniq -c | sort -nr | more

3) /var/log/messages: almost all system errors that occur at boot are recorded here;

4) /var/log/boot.log: records the messages displayed when services are started or stopped at boot or shutdown;

5) /var/log/maillog: records mail access and exchange;

6) /var/log/cron: records the activity of the crontab service (crond);

7) /var/log/httpd/, /var/log/mysqld.log and similar files: the log files of the various network services;

8) /var/log/acpid: ACPI stands for Advanced Configuration and Power Interface.
The trailing d stands for daemon: acpid is the ACPI event daemon, the process that handles ACPI messages, a service program used to control, obtain and manage ACPI state.

9) Other login and service logs:
/var/run/utmp: records the users currently logged in;
/var/log/lastlog: records the last login of each user;
/var/log/btmp: records failed login attempts;
/var/log/dmesg: kernel messages from boot;
/var/log/cpus: CPU processing information;
/var/log/syslog: event log of the system logging program (syslogd);
/var/log/auth.log: user authentication log;
/var/log/daemon.log: system daemon log (the information generated by system service programs);
/var/log/mail.err: mail error messages;
/var/log/ : mail informational messages;
/var/log/mail.warn: mail warning messages;
/var/log/kern: information generated by the kernel;
/var/log/lpr: information generated by the line-printer spooling system;

I. The /var directory

Under /var, the log files (and error-message files) of all services are kept in /var/log. In addition, some databases, such as MySQL, keep their data under /var/lib, and the default location for users' unread mail is /var/spool/mail.


System boot log: /var/log/boot.log
Example: Feb 10:40:48 sendmail: sendmail startup succeeded
This means that the mail service started successfully.

System logs generally live under /var/log.
The common system logs are as follows:
Kernel boot log: /var/log/dmesg
System error log: /var/log/messages
Mail system log: /var/log/maillog
FTP system log: /var/log/xferlog
Security information, system logins and network connections: /var/log/secure
Login records: /var/log/wtmp (a binary file recording logins; read it with last, or with who -u /var/log/wtmp)
News log: /var/log/spooler
RPM packages: /var/log/rpmpkgs
XFree86 log: /var/log/XFree86.0.log
Boot log: /var/log/boot.log (boot messages; see also dmesg | more)
Cron (scheduled task) log: /var/log/cron

The file /var/run/utmp records the users who are currently logged in.

The file /var/log/wtmp records all logins and logouts.

The file /var/log/lastlog records the last login of each user.

The file /var/log/btmp records failed login attempts.

less /var/log/auth.log shows the operations that required authentication (on distributions such as Debian, which use auth.log instead of /var/log/secure).

III. Some log files in detail


/var/log/messages
The messages log is the core system log file. It contains the boot messages written when the system starts and other status messages written while the system runs. I/O errors, network errors and other system errors are recorded in this file. Other information, such as a user switching identity to root with su, is also listed here. If a service such as a DHCP server is running, you can observe its activity in the messages file. Typically, /var/log/messages is the first file to look at when troubleshooting.


/var/log/XFree86.0.log
This log records the result of the last run of the XFree86 X Window server. If you have problems booting into graphics mode, you will generally find the reason for the failure in this file.


One of the keys to successfully managing any system is knowing what is happening on it. Linux provides detailed logging, and the level of detail is configurable. Linux logs are stored as plain text, so users can search and read them without special tools, and scripts can scan them and automate actions based on their content. Linux logs are stored in the /var/log directory. Several log files are maintained by the system itself, but other services and programs may also put their logs there. Most logs can be read only by the root account, although their file permissions can be changed to let other users read them (doing so exposes user names, hosts and failure messages to every local account, so it is rarely advisable).

Log file classification


/var/log/boot.log
This file records the events that occurred during the boot process, i.e. the information the Linux system displays while it boots.


/var/log/cron
This log file records the actions of the child processes spawned by the crontab daemon crond. Each line gives the user, the time and the PID, followed by the action of the spawned process. CMD is the common case, where cron spawns a scheduled job. The REPLACE action records a user updating their cron file, which lists the tasks to be run periodically. The RELOAD action occurs shortly after a REPLACE: cron has noticed that a user's cron file was updated and needs to reload it into memory. Anomalies, such as crontab changes at unexpected times or by unexpected users, can be spotted in this file.


/var/log/maillog
This log file records every mail activity sent to or from the system. It can be used to see which tool a user used to send mail, or to which system the data was sent. The following is a fragment of the log file:

Sep 4 17:23:52 UNIX sendmail[1950]: g849npp01950: from=<root>, size=25, class=0, nrcpts=1,

Sep 4 17:23:55 UNIX sendmail[1950]: , ctladdr=root (0/0), delay=00:00:04, xdelay=00:00:03, mailer=esmtp, pri=30025, [], dsn=2.0.0, stat=Sent (Message queued)


/var/log/messages
This log file is a summary of the log output of many processes, from which you can see intrusion attempts and successful intrusions, as in the following lines:

Sep 3 08:30:17 UNIX login[1275]: FAILED login 2 from (null) for suying, Authentication failure

Sep 4 17:40:28 UNIX -- suying[2017]: LOGIN ON pts/1 BY suying FROM

Sep 4 17:40:39 UNIX su(pam_unix)[2048]: session opened to user root by suying (uid=999)

Each line consists of a date, the host name, the program name followed by the PID or kernel identifier in square brackets, a colon and a space, and finally the message. The drawback of this file is that the records of intrusion attempts and successful intrusions are buried among a large number of normal process records. However, the file can be customised through /etc/syslog.conf: that configuration file determines what the system writes to /var/log/messages. How to configure /etc/syslog.conf to control system logging is described in detail later.


/var/log/syslog
By default Red Hat Linux does not generate this log file, but you can configure /etc/syslog.conf so that the system generates it. Unlike /var/log/messages, it logs only warning-level and higher messages, which are often about system problems, so the file deserves closer attention. To have the system generate it, add the following line to /etc/syslog.conf (selector and action separated by whitespace): *.warning /var/log/syslog. This log file records, among other things, wrong passwords, sendmail problems and failures of the su command, logged when the user logs on. Here is a record:

Sep 6 16:47:52 UNIX login(pam_unix)[2384]: check pass; user unknown


/var/log/secure
This log file records security-related information. Part of the log file reads as follows (the client addresses after from= were lost in the source):

Sep 4 16:05:09 UNIX xinetd[711]: START: ftp pid=1815 from=

Sep 4 16:05:09 UNIX xinetd[1815]: USERID: ftp OTHER: root

Sep 4 16:07:24 UNIX xinetd[711]: EXIT: ftp pid=1815 duration=135 (sec)

Sep 4 16:10:05 UNIX xinetd[711]: START: ftp pid=1846 from=

Sep 4 16:10:05 UNIX xinetd[1846]: USERID: ftp OTHER: root

Sep 4 16:16:26 UNIX xinetd[711]: EXIT: ftp pid=1846 duration=381 (sec)

Sep 4 17:40:20 UNIX xinetd[711]: START: telnet pid=2016 from=
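The line format described for /var/log/messages (date, host, program with its PID in brackets, colon, message) is shared by messages, secure and syslog, so one small parser lets you pull the login-related events out of the noise the text complains about. The following Python script is an added example, not code from the original article: it parses constructed sample lines in that format, counts failed logins per (user, source) and lists su sessions opened to root. The sample lines, the threshold of two failures and the exact wording matched by the login and pam_unix patterns are assumptions modelled on the fragments shown above; adjust the regular expressions to what your distribution's login and pam_unix actually emit.

```python
import re
from collections import Counter

# Classic syslog line: "Mon DD HH:MM:SS host program[pid]: message".
# The [pid] part is optional (kernel lines are "kernel: ..." with no pid).
SYSLOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+?)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Assumed message wording, modelled on the fragments shown in the article.
FAILED_LOGIN_RE = re.compile(
    r"FAILED login \d+ from (?P<src>\S+) for (?P<user>[^\s,]+)")
SU_ROOT_RE = re.compile(
    r"session opened (?:to|for) user root by (?P<user>[^\s(]+)", re.IGNORECASE)


def parse_line(line):
    """Split one syslog-format line into its fields; None if it does not match."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def audit(lines, fail_threshold=2):
    """Scan syslog-format lines and summarise the login-related events.

    Returns a dict with:
      failed   - Counter keyed by (user, source) of failed login attempts
      alerts   - the (user, source) pairs at or above fail_threshold
      su_root  - (month, day, time, user) for each su session opened to root
      unparsed - number of lines that were not in syslog format
    """
    failed = Counter()
    su_root = []
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        m = FAILED_LOGIN_RE.search(rec["msg"])
        if m:
            failed[(m["user"], m["src"])] += 1
            continue
        m = SU_ROOT_RE.search(rec["msg"])
        if m:
            su_root.append((rec["month"], rec["day"], rec["time"], m["user"]))
    alerts = [key for key, n in failed.items() if n >= fail_threshold]
    return {"failed": failed, "alerts": alerts, "su_root": su_root,
            "unparsed": unparsed}


# Constructed sample lines (not real log data), in the format the article describes.
SAMPLE = """\
Sep  3 08:30:17 unix login[1275]: FAILED login 2 from (null) for suying, Authentication failure
Sep  3 08:30:25 unix login[1275]: FAILED login 3 from (null) for suying, Authentication failure
Sep  4 17:40:20 unix xinetd[711]: START: telnet pid=2016 from=192.0.2.10
Sep  4 17:40:39 unix su(pam_unix)[2048]: session opened to user root by suying(uid=999)
Sep  5 09:38:42 unix kernel: NET4: Linux TCP/IP 1.0 for NET4.0
this line is not in syslog format
"""

if __name__ == "__main__":
    import sys
    # Read a real file if one is given (e.g. /var/log/messages), else the sample.
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE.splitlines()
    result = audit(lines)
    for (user, src), n in result["failed"].most_common():
        print("%3d failed logins for %s from %s" % (n, user, src))
    for month, day, when, user in result["su_root"]:
        print("%s %s %s: %s obtained a root shell via su" % (month, day, when, user))
    print("%d line(s) not in syslog format" % result["unparsed"])
```

Run it with a path (python3 audit.py /var/log/messages) to scan a real file; lines that do not fit the format are counted rather than silently dropped, so a format change or log tampering shows up as a rising unparsed count.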


/var/log/lastlog
This log file records each user's most recent successful login (and the last unsuccessful login event); it is written by login and consulted at every login. It is a binary file and must be viewed with the lastlog command, which lists the login name, port and time of last login in UID order. A user who has never logged in is shown as "**Never logged in**". The command is normally run as root. Simply type lastlog and you will see output similar to the following:

Username         Port     From             Latest
root             tty2                      Tue Sep  3 08:32:27 +0800 2002
bin                                        **Never logged in**
daemon                                     **Never logged in**
adm                                        **Never logged in**
lp                                         **Never logged in**
sync                                       **Never logged in**
shutdown                                   **Never logged in**
halt                                       **Never logged in**
mail                                       **Never logged in**
news                                       **Never logged in**
uucp                                       **Never logged in**
operator                                   **Never logged in**
games                                      **Never logged in**
gopher                                     **Never logged in**
ftp              ftp      unix             Tue Sep  3 14:49:04 +0800 2002
nobody                                     **Never logged in**
nscd                                       **Never logged in**
mailnull                                   **Never logged in**
ident                                      **Never logged in**
rpc                                        **Never logged in**
rpcuser                                    **Never logged in**
xfs                                        **Never logged in**
gdm                                        **Never logged in**
postgres                                   **Never logged in**
apache                                     **Never logged in**
lzy              tty2                      Mon 15 08:50:37 +0800 2002
suying           tty2                      Tue Sep  3 08:31:17 +0800 2002

System accounts such as bin, daemon, adm, uucp and mail should never log in; if they are shown as having logged in, the system may have been compromised. Likewise, if the recorded last-login time is not when the user actually last logged in, that user's account may have been compromised.


/var/log/wtmp
This log file permanently records every user's login and logout and every system startup and shutdown. Its size therefore grows with system uptime, in proportion to how often users log in. The file is used to view users' login history: the last command reads it and displays the login records in reverse chronological order, and can also restrict the output to a given user, terminal (tty) or time.

Useful forms of the last command (the Linux last has no -u option, and -t takes a timestamp rather than a number of days):

last username          shows only that user's logins.

last -t YYYYMMDDHHMMSS shows the logins that were active as of the given time (util-linux: "until" that time).

last -n N              shows at most N entries.


/var/run/utmp
This log file records information about each user currently logged in. It therefore changes as users log in and out, keeping only the users who are online at that moment and no permanent record. Programs that need the current user state, such as who, w, users and finger, read this file. The file is not always exact: some abrupt errors terminate a user's login session without the system updating the utmp record in time, so it is not fully trustworthy.

The three files above (/var/log/wtmp, /var/run/utmp, /var/log/lastlog) are the key files of the login-logging subsystem; all of them record user logins, and every record carries a timestamp. They are binary, so they cannot be viewed directly with commands like less or cat; they must be read with the corresponding commands. utmp and wtmp share the same record structure, while lastlog uses a different one; the exact structures can be looked up with the man command (utmp(5), lastlog(8)). Because these are plain binary records written by cooperating programs, anyone with write access to them (root, or the utmp group on many systems) can erase or alter entries, so during an investigation they should be corroborated against syslog or logs forwarded to another host.

Each time a user logs on, the login program looks up the user's UID in lastlog. If an entry is present, the user's last login time, logout time and host name are written to standard output; then login records the new login time in lastlog, opens the utmp file and inserts the user's utmp record, which remains until the user logs out. utmp is used by various commands, including who, w, users and finger.

Next, the login program opens wtmp and appends the user's utmp record; the same utmp record, with an updated timestamp, is appended again when the user logs out. The wtmp file is used by the last program.
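The record structure just described can be decoded directly, which is useful when last, lastb and who are unavailable or untrusted (for instance on a wtmp or btmp copied from a compromised host), and it also gives the per-user failed-login count that the lastb | awk | sort | uniq -c pipeline near the top of the page computes. The Python below is an added example, not code from the article: it unpacks utmp-format records using the struct utmp layout glibc uses on x86_64 Linux (384-byte records; this layout is an assumption, since 32-bit and non-glibc systems lay the record out differently), lists the users a utmp file shows as logged in, and counts btmp failures per user. The sample records are constructed in memory with the same packer so the script runs offline.

```python
import struct
from collections import Counter

# struct utmp as glibc lays it out on x86_64 Linux (assumed; see bits/utmp.h):
# ut_type(short)+pad, ut_pid(int), ut_line[32], ut_id[4], ut_user[32],
# ut_host[256], ut_exit{short,short}, ut_session(int32), ut_tv{int32,int32},
# ut_addr_v6[4](int32), 20 reserved bytes = 384 bytes per record.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)

# ut_type values from <utmp.h>
(EMPTY, RUN_LVL, BOOT_TIME, NEW_TIME, OLD_TIME, INIT_PROCESS,
 LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS) = range(9)


def _cstr(raw):
    """Decode a NUL-padded fixed-size char array."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data):
    """Decode a utmp/wtmp/btmp byte string into a list of record dicts."""
    if len(data) % UTMP_SIZE:
        raise ValueError("truncated utmp data: %d bytes" % len(data))
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({
            "type": f[0], "pid": f[1], "line": _cstr(f[2]), "id": _cstr(f[3]),
            "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9],  # ut_tv.tv_sec
        })
    return records


def logged_in(records):
    """What `who` derives from utmp: (user, line, host) for USER_PROCESS records."""
    return [(r["user"], r["line"], r["host"]) for r in records
            if r["type"] == USER_PROCESS]


def failed_logins_by_user(records):
    """What `lastb | awk '{print $1}' | sort | uniq -c | sort -nr` computes from btmp."""
    counts = Counter(r["user"] for r in records
                     if r["type"] in (LOGIN_PROCESS, USER_PROCESS) and r["user"])
    return counts.most_common()


def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one record in the same layout (used here only to construct sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


# Constructed sample data (not real files). T0 is an arbitrary epoch timestamp.
T0 = 1030000000
SAMPLE_BTMP = b"".join([
    pack_record(LOGIN_PROCESS, 1275, "tty2", "suying", "", T0),
    pack_record(LOGIN_PROCESS, 1276, "tty2", "suying", "", T0 + 8),
    pack_record(LOGIN_PROCESS, 1846, "pts/1", "root", "unix.example", T0 + 60),
])
SAMPLE_UTMP = b"".join([
    pack_record(USER_PROCESS, 2017, "pts/0", "chyang", "", T0 + 100),
    pack_record(DEAD_PROCESS, 2048, "pts/2", "", "", T0 + 200),
])

if __name__ == "__main__":
    import sys
    # With a path argument, decode a real file (reading /var/log/btmp needs root).
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BTMP
    for user, n in failed_logins_by_user(parse_utmp(data)):
        print("%5d %s" % (n, user))
```

The length check matters in practice: a file whose size is not a multiple of the record size has either been truncated or was written by a program using a different struct utmp, and decoding it with the wrong layout silently produces plausible-looking garbage.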


/var/log/xferlog
This log file records FTP sessions and shows which files users copied to or from the FTP server. It reveals, for example, malicious programs a user has uploaded to the server in order to attack it, and which files a user has downloaded for their own use.

The format of the file is: the first field is the date and time; then come the number of seconds the transfer took, the remote host name, the file size, the local path name, the transfer type (a: ASCII, b: binary), the special-action flag (C: compressed, U: uncompressed, T: tar, or "_" for none), the transfer direction relative to the server (i: incoming, o: outgoing), the access mode (a: anonymous, g: guest with password, r: real user), the user name, the service name (usually ftp), the authentication method (1: RFC 931, 0: none), the authenticated user ID or "*", and the completion status (c: complete, i: incomplete). The following is a record from the file:

Wed Sep 4 08:14:03 2002 1 UNIX 275531 /var/ftp/lib/ b _ o a root@unix ftp 0 * c
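As an added example (not from the original article), here is a Python parser for the xferlog format just described. It splits constructed sample lines into the named fields and picks out incoming transfers, flagging anonymous uploads, which is the "malicious program copied to the server" case the text warns about. The sample lines, host names and paths are made up; the field order follows the description above, with the completion status as the last field.

```python
from collections import namedtuple

# One xferlog record, fields in the order the format lists them.
XferRecord = namedtuple("XferRecord", [
    "when", "secs", "host", "size", "path", "type", "action",
    "direction", "mode", "user", "service", "auth", "authuser", "status",
])


def parse_xferlog_line(line):
    """Parse one xferlog line.

    The date occupies the first five whitespace-separated tokens
    ("Wed Sep  4 08:14:03 2002"); spaces inside file names are written
    as '_' in this format, so splitting on whitespace is safe.
    """
    parts = line.split()
    if len(parts) != 18:
        raise ValueError("malformed xferlog line (%d fields): %r" % (len(parts), line))
    (secs, host, size, path, ftype, action, direction, mode,
     user, service, auth, authuser, status) = parts[5:]
    return XferRecord(" ".join(parts[:5]), int(secs), host, int(size), path,
                      ftype, action, direction, mode, user, service, auth,
                      authuser, status)


def parse_xferlog(text):
    """Parse a whole xferlog, skipping blank lines."""
    return [parse_xferlog_line(ln) for ln in text.splitlines() if ln.strip()]


def incoming_transfers(records):
    """(user, path, anonymous?) for every upload; anonymous uploads are the
    ones that put attacker-controlled files on the server."""
    return [(r.user, r.path, r.mode == "a") for r in records if r.direction == "i"]


# Constructed sample (not real log lines).
SAMPLE = """\
Wed Sep  4 08:14:03 2002 1 unix 275531 /var/ftp/lib/libexample.so b _ o a root@unix ftp 0 * c
Wed Sep  4 08:20:11 2002 3 203.0.113.7 10240 /var/ftp/incoming/tool.tar.gz b _ i a guest@ ftp 0 * c
Wed Sep  4 09:01:45 2002 12 unix 4096 /home/suying/notes.txt a _ o r suying ftp 1 suying c
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for user, path, anon in incoming_transfers(parse_xferlog(text)):
        print("%s upload by %s: %s" % ("ANONYMOUS" if anon else "authenticated", user, path))
```

For an anonymous session the user-name field holds whatever the client supplied as its password (conventionally an e-mail address), so it identifies the client only as far as the client chose to be honest; the remote host field is the value to pivot on.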


/var/log/kernlog
Red Hat Linux does not record this log file by default. To enable it, add a line to /etc/syslog.conf: kern.* /var/log/kernlog. This logs all kernel messages to /var/log/kernlog. The file records which devices were loaded or used when the system started. That is normally harmless, but if such messages (for example a module or device being loaded) appear at a time when no authorised user should have caused them, be aware that this may be the work of a malicious user. The following are some of the file's contents:

Sep 5 09:38:42 UNIX kernel: NET4: Linux TCP/IP 1.0 for NET4.0

Sep 5 09:38:42 UNIX kernel: IP Protocols: ICMP, UDP, TCP, IGMP

Sep 5 09:38:42 UNIX kernel: IP: routing cache hash table of buckets, 4Kbytes

Sep 5 09:38:43 UNIX kernel: TCP: Hash tables configured (established 4096 bind 4096)

Sep 5 09:38:43 UNIX kernel: Linux IP multicast router 0.06 plus PIM-SM

Sep 5 09:38:43 UNIX kernel: NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.

Sep 5 09:38:44 UNIX kernel: EXT2-fs warning: checktime reached, running e2fsck is recommended

Sep 5 09:38:44 UNIX kernel: VFS: Mounted root (ext2 filesystem).

Sep 5 09:38:44 UNIX kernel: SCSI subsystem driver Revision: 1.00


/var/log/XFree86.0.log
This log file records the startup of the X Window system. Besides /var/log/, malicious users may also leave traces elsewhere, so the following places deserve attention: the shell history files of root and other accounts; users' various mailboxes, such as .sent, mbox and the mailboxes stored in /var/spool/mail/ and /var/spool/mqueue; the temporary directories /tmp, /usr/tmp and /var/tmp; hidden directories; and files created by other malicious users, usually given a hidden name beginning with "."; and so on.

IV. Specific commands

wtmp and utmp are binary files that cannot be cut or concatenated with commands such as tail or cat. The information they contain is used through the who, w, users, last and ac commands.

The who command

The who command queries the utmp file and reports every user currently logged in. Its default output includes the user name, terminal, login time and remote host. For example, type who and press ENTER, and it displays the following:

chyang   pts/0   Aug 18 15:06
ynguo    pts/2   Aug 18 15:32
ynguo    pts/3   Aug 18 13:55
lewis    pts/4   Aug 18 13:35
ynguo    pts/7   Aug 18 14:12
ylou     pts/8   Aug 18 14:15

If the wtmp file name is given, who reports all previous records: who /var/log/wtmp reports every login since the wtmp file was created or truncated.

The w command

The w command queries the utmp file and displays information about every user on the system and the process each is running. For example, type w and press ENTER, and it displays the following:

 3:36pm  up 1 day, 22:34,  6 users,  load average: 0.23, 0.29, 0.27
USER     TTY    FROM              LOGIN@   IDLE    JCPU   PCPU  WHAT
chyang   pts/0                    3:06pm   2:04    0.08s  0.04s -bash
ynguo    pts/2                    3:32pm   0.00s   0.14s  0.05s w
lewis    pts/3                    1:55pm   30:39   0.27s  0.22s -bash
lewis    pts/4                    1:35pm   6.00s   4.03s  0.01s sh /home/users/
ynguo    pts/7  simba.nic.ustc.e  2:12pm   0.00s   0.47s  0.24s telnet mail
ylou     pts/8                    2:15pm   1:09m   0.10s  0.04s -bash

The users command
