Linux Log file analysis

Source: Internet
Author: User
Tags: syslog dovecot rsyslog

  1. Why log files matter
    • To diagnose system errors;
    • To troubleshoot network services;
    • As a record of past events.
  2. Common Linux log file names
    1. /var/log/cron:
      • Is your crontab schedule actually being run? Did the job finish without errors? Is /etc/crontab written correctly? Check this log.
    2. /var/log/dmesg:
      • Records the messages the kernel produces while detecting hardware at boot. Because CentOS runs hardware detection at boot time by default, that output is saved in this file.
    3. /var/log/lastlog:
      • Records the last login time of every account on the system. The lastlog command (chapter 14 of the original text) reads this file to produce its output.
    4. /var/log/maillog or /var/log/mail/*:
      • Mail transaction records, in practice mostly the messages produced by sendmail (the SMTP provider) and Dovecot (the POP3 provider). SMTP is the protocol used to send mail and POP3 the protocol the recipient uses to fetch it; sendmail and Dovecot are two pieces of software that implement those protocols.
    5. /var/log/messages:
      • This file is very important: almost all error messages (and other important information) that occur on the system are recorded here. If the system misbehaves for no obvious reason, this is one of the first logs to consult.
    6. /var/log/secure:
      • Basically, any program that asks for an account and password records its login attempts here, whether they succeed or fail. That includes the console login program, graphical login via GDM, su and sudo, and network logins via ssh, telnet and similar services.
    7. /var/log/wtmp, /var/log/faillog:
      • These two files record the accounts that logged in successfully (wtmp) and the failed login attempts (faillog). The last command introduced in chapter 11 reads wtmp to produce its output, which is very helpful for tracking what ordinary accounts are doing. Note that wtmp, lastlog and faillog are binary files: read them with last, lastlog and faillog rather than cat, and remember that an intruder who gains root commonly clears them first.
    8. /var/log/httpd/*, /var/log/news/*, /var/log/samba/*:
      • Different network services keep their own log files for the messages they generate; the directories above are the ones the individual services create for themselves.
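Reading these files by hand gets tedious quickly. The script below is an added example, not part of the original text, that runs two detection checks over /var/log/secure-style lines: failed SSH passwords counted per source address, and successful logins arriving from an address that had already failed several times (the signature of a password guess that eventually worked). The log lines, host name, user names and addresses in it are constructed for the example.

```shell
#!/bin/sh
# Added example: quick triage of /var/log/secure for SSH brute forcing.
# The log lines below are constructed for this example in the CentOS 6 layout
# (month day time host program[pid]: message); they are not from a real system.
SAMPLE_SECURE='Mar  3 10:15:01 host1 sshd[2301]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  3 10:15:03 host1 sshd[2301]: Failed password for root from 203.0.113.45 port 51023 ssh2
Mar  3 10:15:09 host1 sshd[2310]: Accepted publickey for deploy from 198.51.100.7 port 40112 ssh2
Mar  3 10:16:12 host1 sshd[2322]: Failed password for root from 203.0.113.45 port 51030 ssh2
Mar  3 10:16:20 host1 sshd[2322]: Accepted password for root from 203.0.113.45 port 51031 ssh2
Mar  3 10:17:40 host1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/cat /var/log/secure
Mar  3 10:18:01 host1 sshd[2330]: Failed password for oracle from 192.0.2.18 port 3344 ssh2'

# failed_ssh_by_ip < logfile
# Prints "count ip", busiest source first. The user part may be one word ("root")
# or three ("invalid user admin"), so the address is found by scanning for the
# word "from" rather than by a fixed field number.
failed_ssh_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# success_after_failures THRESHOLD < logfile
# Prints "ip user" for every successful login from an address that had already
# failed at least THRESHOLD times earlier in the file.
success_after_failures() {
    awk -v threshold="$1" '
        /sshd\[[0-9]+\]: (Failed|Accepted) (password|publickey) for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); user = $(i - 1); break }
            if ($6 == "Failed") fails[ip]++
            else if (fails[ip] >= threshold) print ip, user
        }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_SECURE" | failed_ssh_by_ip
printf '%s\n' "$SAMPLE_SECURE" | success_after_failures 2
```

On a real host feed the file in instead, for example `failed_ssh_by_ip < /var/log/secure`, and include the rotated copies (secure.1 or secure-YYYYMMDD, depending on logrotate's dateext setting), since the current file only holds the latest period.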
  3. Daemons and programs involved in logging
    1. Logging is handled mainly by the syslogd and klogd daemons (on CentOS 6 a single rsyslogd fills both roles, reading kernel messages through its imklog module).
    2. General format of a log entry
      • The date and time the event occurred;
      • The hostname on which the event occurred;
      • The name of the service that produced the event (samba, xinetd, ...) or the function/library name (libpam, ...), usually followed by the PID in square brackets;
      • The actual message text.
    3. The syslog configuration file: /etc/rsyslog.conf (CentOS 6.5)
      • This file specifies three things: (1) messages of which level (2) from which service (3) are to be recorded where (file, device or host).
      • Syntax: service.[=!]level    file name, device or host where the message is recorded   (the two fields are separated by spaces or tabs)
      • Message levels:
          • Rank  Name             Description
            1     info             Basic informational messages;
            2     notice           Information that deserves a little more attention than info;
            3     warning (warn)   A warning: something may be wrong, but it does not affect the daemon's operation. info, notice and warn all carry basic information and should not indicate an operational problem;
            4     err (error)      A significant error, for example a mistake in a configuration file that stops a service from starting; the err message usually tells you why the service cannot start;
            5     crit             More serious than err; crit is short for critical;
            6     alert            Already a very serious problem, more severe than crit;
            7     emerg (panic)    The system is close to unusable. Usually a hardware or kernel problem that prevents the kernel from running normally.
            (There is also a debug level below info, used only for debugging output.)
      • The symbol between the service and the level ([.=!]) has the following meaning:
        1. .  : record the level named and every level above it (mail.info records mail messages at info, notice, warn and so on up to emerg);
        2. .= : record only the level named, nothing else;
        3. .! : negation, i.e. exclude: mail.!err excludes err and everything above it, mail.!=err excludes only err. Exclusions are combined with earlier selectors on the same line, separated by ; (for example *.info;mail.none, where the special level none drops that facility entirely).
      • Where the message is recorded
        1. An absolute file path, usually a file under /var/log;
        2. A device, for example the printer /dev/lp0 or the console /dev/console;
        3. A user name: the message is written to that user's terminal if they are logged in (several names may be separated by commas);
        4. A remote host: for example @www.vbird.tsai forwards the message to that host over UDP (@@host uses TCP in rsyslog), so a central log server is supported;
        5. *: written to every logged-in user, like the wall command.
  4. Adding a log file of your own
    • 1. Add the rule for the file you want:
      • vim /etc/rsyslog.conf
      • *.info    /var/log/admin.log   <== this is the useful line!
    • 2. Restart rsyslog so it reads the new rule:
      • /etc/init.d/rsyslog restart
  5. Security settings for log files
    • Give the log file the append-only attribute
      • chattr +a /var/log/messages    add the attribute: the file can only be appended to, not truncated, overwritten or deleted
      • chattr -a /var/log/messages    remove the attribute
      • lsattr /var/log/messages       view the extended attributes
      • Only root (CAP_LINUX_IMMUTABLE) can set or clear +a, so it protects against accidents and unprivileged processes, not against an attacker who already has root. It also stops logrotate from renaming the file unless the attribute is cleared first (see the prerotate/postrotate example in section 7).
    • If you edit a log file by hand, for example open /var/log/messages in vi and leave with :wq, the file stops receiving new entries: the editor typically replaces the file with a new one (a new inode), while the daemon keeps writing to the old, now unlinked inode. To make logging continue, restart the daemon (/etc/init.d/rsyslog restart) so that it reopens the file by name.
  6. Setting up a log server
    1. Server-side configuration
      • On CentOS 6.5 nothing needs to change in /etc/sysconfig/rsyslog: the old sysklogd setting SYSLOGD_OPTIONS="-m 0 -r", which enabled remote reception on CentOS 5, is not used by rsyslog. Enable the listener in /etc/rsyslog.conf instead:
      • $ModLoad imudp
      • $UDPServerRun 514             (or $ModLoad imtcp and $InputTCPServerRun 514 for TCP)
      • Then restart rsyslog and open port 514 in the firewall for the client addresses only: plain syslog is neither authenticated nor encrypted, so anyone who can reach the port can inject log entries.
    2. Client configuration
      • vim /etc/rsyslog.conf
      • *.*    @192.168.1.100          <== UDP; write @@192.168.1.100 for TCP
  7. Rotating log files (logrotate)
    1. syslog runs as a daemon because it must act the moment a message arrives, whereas logrotate only needs to rotate files once the configured period has passed, so logrotate is run from cron (on CentOS via /etc/cron.daily/logrotate) rather than as a daemon.
    2. logrotate configuration files
        • /etc/logrotate.conf
        • /etc/logrotate.d/
        • vim /etc/logrotate.conf
          • weekly                  <== default: rotate log files once a week
          • rotate 4                <== how many rotated copies to keep; the default keeps four
          • create                  <== the rotated file has been renamed, so create a new, empty one to keep logging into
          • #compress               <== compress the rotated files? If the logs are large, consider enabling this
          • include /etc/logrotate.d
          • # every file in /etc/logrotate.d/ is read in and its rules applied
          • /var/log/wtmp {         <== settings that apply only to /var/log/wtmp
          • monthly                 <== once a month instead of weekly
          • minsize 1M              <== rotate only once the file exceeds 1 MB, and not before the monthly interval has elapsed (size, by contrast, ignores the time interval)
          • create 0664 root utmp   <== permissions and owner/group for the new file
          • rotate 1                <== keep only one rotated copy, i.e. only wtmp.1
          • }
        • vi /etc/logrotate.d/syslog
          • Syntax:
            • File name: the absolute path of the log file to handle comes first; several files can be listed separated by spaces;
            • Parameters: the parameters for those files are enclosed in { };
            • Scripts: external commands can be run for additional processing. They must be written inside
              • prerotate ... endscript or postrotate ... endscript blocks; with sharedscripts they run once for the whole set of files rather than once per file. The two hooks are:
              • prerotate: commands run before the rotation, for example changing the log file's attributes;
              • postrotate: commands run after the rotation, for example signalling the service (kill -HUP) so it reopens its log;
              • prerotate and postrotate are essential for log files that carry special attributes such as +a.
        • Example for a log file with the append-only attribute:
          • vi /etc/logrotate.d/syslog and add the following inside the { } block:
            • sharedscripts
            • prerotate
            • /usr/bin/chattr -a /var/log/messages
            • endscript
            • postrotate
            • /usr/bin/killall -HUP rsyslogd
            • /usr/bin/chattr +a /var/log/messages
            • endscript
          • On CentOS 6 the daemon process is rsyslogd, not syslogd, so that is the name killall must be given; the stock file achieves the same with /bin/kill -HUP `cat /var/run/syslogd.pid`.
        • Testing logrotate by hand
          • logrotate [-vfd] config_file
            • -v: verbose, shows each step logrotate takes;
            • -f: force a rotation of every listed log, whether or not the configured conditions are met;
            • -d: debug (dry run): implies -v, reports what would be done and changes nothing. Run logrotate -d /etc/logrotate.conf before trusting a new rule.
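Both the warning about editing a live log with vi (section 5) and the postrotate kill -HUP above come down to one fact: a daemon writes to an open file descriptor, and a descriptor follows the inode, not the file name. The added example below, not from the original text, reproduces that with a shell file descriptor standing in for the daemon and mv plus ': >' standing in for logrotate's rename and create; it works in a temporary directory that it creates and removes itself.

```shell
#!/bin/sh
# Added example (not part of the original text): why a log daemon must reopen its
# file after rotation. A shell file descriptor plays the daemon; "mv" + ": >" play
# logrotate with "create"; "exec 3>>" plays the reopen that rsyslogd performs on
# SIGHUP or restart. Everything happens in a throwaway temporary directory.
rotation_demo() {
    local dir log in_rotated in_new_before in_new_after
    dir=$(mktemp -d) || return 1
    log="$dir/messages"
    : > "$log"

    exec 3>>"$log"                       # the "daemon" opens the log once and keeps the fd
    echo "first entry" >&3
    echo "second entry" >&3

    mv "$log" "$log.1"                   # logrotate renames the file ...
    : > "$log"                           # ... and "create" makes a fresh, empty one

    echo "entry after rotation" >&3      # fd 3 still points at the OLD inode (now messages.1)
    in_rotated=$(grep -c . "$log.1")     # 3: the new line landed in the rotated copy
    in_new_before=$(grep -c . "$log" || true)   # 0: nothing reaches the new file yet

    exec 3>>"$log"                       # postrotate "kill -HUP": the daemon reopens by name
    echo "entry after reopen" >&3
    in_new_after=$(grep -c . "$log")     # 1: logging now continues in the new file

    exec 3>&-
    rm -rf "$dir"
    echo "$in_rotated $in_new_before $in_new_after"
}

rotation_demo    # prints "3 0 1"
```

Without the reopen step every later message keeps going to messages.1 (and, once that is deleted by the next rotation, to an unlinked inode that disappears with the descriptor), which is exactly the silent loss that the vi :wq case and a missing postrotate HUP both cause.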
