Linux Server--log Chapter

Source: Internet
Author: User
Tags: syslog, dmesg

For security it is important to keep track of the various things that happen on your system every day: from the logs you can find the cause of an error, or the traces left behind by an attacker after a break-in. The main functions of logs are auditing and monitoring; they can also be used to watch the system's status in real time and to monitor and trace intruders. For these reasons fuqin has put this log chapter together, alongside the hardware and network articles, as the third part of the "plainly your Linux Server" series, and I hope you can learn something useful from it.

I. Configuring syslog (written by gyl4802959)

At present Linux still uses syslogd as the log daemon. A small amount of necessary configuration can save a lot of trouble and makes it much easier to monitor the state of the system from its logs. Understanding and refining the syslog configuration is therefore especially important for system administrators.
/etc/syslog.conf defines rules in the following format:

facility.level    action

The facility.level field is also called the selector (selection criteria); the selector and the action are separated by spaces or tabs. Lines beginning with # are comments, and blank lines are skipped automatically.

1. Facility

Facility defines the source of the log message. The following keywords can be used:

auth - authentication activity reported by pam_pwdb
authpriv - authentication activity that includes privileged information such as user names
cron - scheduled-task information from cron and at
daemon - information from background processes such as the inetd daemon
kern - kernel messages, passed through klogd first
lpr - information from the print service
mail - information from the mail system
mark - syslog's internal facility for generating timestamps
news - information from the news server
syslog - information generated by syslog itself
user - information generated by user programs
uucp - information generated by UUCP
local0 to local7 - for use with custom programs

Note: the wildcard * stands for all facilities except mark, which is for internal use. security is an old keyword equivalent to auth and is no longer recommended.

2. Level

Level defines the urgency of the message. Ranked by severity from highest to lowest:

emerg - the system is unusable; equivalent to panic
alert - a condition that must be corrected immediately
crit - an error condition that prevents a tool or subsystem from working
err - an error condition that prevents part of a tool or subsystem from working; equivalent to error
warning - warning information; equivalent to warn
notice - a normal but significant condition
info - informational messages
debug - additional information that does not indicate a functional condition or problem
none - no priority level; used to exclude a facility's messages

Note: panic, error and warn are old identifiers and are no longer recommended.

Two points should be noted when using levels:

1) The priority of a message is decided by the application when it is written; unless the source code is modified, the priority of a message cannot be changed.

2) A low priority includes all higher priorities. For example, a rule written for an application's info level also matches its notice, warning, err, crit, alert and emerg messages (unless the = modifier is used).

3. Selector (selection criteria)

Joining a facility and a level with a dot "." forms a selector (selection criteria). Several selectors can be defined at once by separating them with a semicolon ";". Three modifiers are also supported:

* - all log messages
= - equal to, that is, only messages with exactly this priority
! - not equal to, that is, all messages except those with this priority

4. Action

Log messages matched by the selector can be handled in the following ways:

file - the absolute path of a log file
terminal or printer - the name of a serial or parallel device, such as /dev/ttyS2
@host - a remote log server
username - send the message to the window of the specified user on this machine; the user must already be logged in to the system
named pipe - the absolute path of a FIFO file created beforehand with the mkfifo command

Note: the "|/var/xxx.sh" form cannot be used to pipe the log into another script for processing.

5. Example

For example:

*.info;mail.none;news.none;authpriv.none;cron.none    /var/log/messages
# Writes all messages of level info and above, except those from mail, news, authorization and scheduled tasks, to the messages file.

mail,news.=info    /var/adm/info
# Writes only the info-level messages from mail and news to the info file; other messages are not written.

mail.*;mail.!=info    /var/adm/mail
# Writes all mail messages except the info-level ones to the mail file.

mail.=info    /dev/tty12
# Sends only info-level mail messages to the tty12 terminal device.

*.alert    root,joey
# If the users root and joey are logged in to the system, notifies them of all alert-level and higher messages.

*.*    @finlandia
# Sends all messages to the host finlandia (its IP address is resolved via /etc/hosts or DNS).

Note: every message passes through all the rules, not only the first one that matches.

That is, assuming a mail.=info message passes through the rules defined above, /var/adm/info, /var/adm/mail, /dev/tty12 and even the finlandia host will all receive the same message. This may look cumbersome, but the benefit is that the complete information can be analyzed in different places.
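To make the selector rules concrete, here is an added example (not part of the original article) that parses the classic /etc/syslog.conf syntax described above, builds the per-facility priority mask the way sysklogd does, and reports every action a given facility.priority message reaches. It goes slightly beyond the article by also handling the "!" form without "=", which sysklogd treats as "this priority and higher"; the rule set is a constructed copy of the article's own example.

```python
"""Added example (not from the original article): a small evaluator for the
classic /etc/syslog.conf selector syntax.  It parses rules, builds the
per-facility priority mask the way sysklogd does, and returns the actions a
message reaches.  Nothing is written anywhere; actions are plain strings."""

# Priorities from lowest to highest severity, as used by classic syslogd.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
# Old spellings that syslogd still accepts, mapped to the current keywords.
PRIORITY_ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
FACILITY_ALIASES = {"security": "auth"}
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "mark",
              "news", "syslog", "user", "uucp"] + ["local%d" % i for i in range(8)]


def parse_rules(conf_text):
    """Parse syslog.conf text into [(selectors, action)].
    Each selector is (facilities, modifier, level), modifier in {"", "=", "!", "!="}."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # comments and blank lines are skipped
        selector_field, action = line.split(None, 1)
        selectors = []
        for sel in selector_field.split(";"):
            facility_part, level_part = sel.rsplit(".", 1)
            facilities = [FACILITY_ALIASES.get(f, f) for f in facility_part.split(",")]
            modifier = ""
            for mod in ("!=", "!", "="):              # longest modifier first
                if level_part.startswith(mod):
                    modifier, level_part = mod, level_part[len(mod):]
                    break
            selectors.append((facilities, modifier, PRIORITY_ALIASES.get(level_part, level_part)))
        rules.append((selectors, action.strip()))
    return rules


def build_mask(selectors):
    """Return {facility: set(priorities)} for one rule.  Selectors are applied in
    order, so a later "mail.none" cancels an earlier "*.info" for mail:
      plain level -> adds that level and everything more severe
      =level      -> adds only that level
      !level      -> removes that level and everything more severe (sysklogd behaviour)
      !=level     -> removes only that level (the form used in the article's example)
      none        -> removes every level for the facility"""
    mask = {f: set() for f in FACILITIES}
    for facilities, modifier, level in selectors:
        # The article notes that "*" covers every facility except the internal "mark".
        targets = [f for f in FACILITIES if f != "mark"] if facilities == ["*"] else facilities
        for fac in targets:
            mask.setdefault(fac, set())
            if level == "none":
                mask[fac] = set()
            elif level == "*":
                mask[fac] = set() if modifier.startswith("!") else set(PRIORITIES)
            else:
                idx = PRIORITIES.index(level)
                chosen = {level} if modifier in ("=", "!=") else set(PRIORITIES[idx:])
                if modifier.startswith("!"):
                    mask[fac] -= chosen
                else:
                    mask[fac] |= chosen
    return mask


def route(rules, facility, priority):
    """Return the actions a message with this facility and priority reaches.
    Every rule is checked: one message can be delivered to several places."""
    priority = PRIORITY_ALIASES.get(priority, priority)
    return [action for selectors, action in rules
            if priority in build_mask(selectors).get(facility, set())]


# Constructed copy of the example rules from the article.
SAMPLE_CONF = """\
# comment lines are ignored
*.info;mail.none;news.none;authpriv.none;cron.none    /var/log/messages
mail,news.=info           /var/adm/info
mail.*;mail.!=info        /var/adm/mail
mail.=info                /dev/tty12
*.alert                   root,joey
*.*                       @finlandia
"""
RULES = parse_rules(SAMPLE_CONF)

if __name__ == "__main__":
    for fac, pri in [("mail", "info"), ("mail", "crit"), ("cron", "err"), ("kern", "alert")]:
        print("%s.%s -> %s" % (fac, pri, route(RULES, fac, pri)))
```

Running it shows that a mail.info message is delivered by three rules at once, while cron.err only reaches the remote host, because cron.none in the first rule cancels the *.info selector for cron.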


II. The messages log

First of all, the file we care about most is /var/log/messages. This is not only the server's system log; a lot of the time it also receives the logs of many services, which is why it is known as the "grocery store", and it deserves close attention. We usually use the following command to view the last 10 log entries:

tail -n 10 /var/log/messages

You can also save the log as a file and apply your own awk, sed and grep skills to it, or simply view it with Vim, which is an experience of its own. I once configured master-slave replication for BIND, which sometimes failed because of permission errors; running tail -f /var/log/messages on the failing server let me watch the changes in real time and find clues to the error, and it turned out to be very effective. The same approach also works well for troubleshooting LVS+Keepalived and so on.

III. Using /var/log/secure

/var/log/secure records the data of logins to the system; logins via POP3, SSH, Telnet, FTP and so on are all recorded here, so we can use this file to find the IP addresses behind insecure logins.
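As an added example of how to find those addresses (not part of the original article), the script below scans sshd entries in the format written to /var/log/secure, counts failed logins per source IP, and also flags any IP that succeeded after failing, which is what a successful password-guessing run looks like in this file. The sample lines are constructed and the threshold of three failures is an assumption.

```python
"""Added example (not from the original article): finding insecure login
addresses in /var/log/secure from sshd 'Accepted'/'Failed' lines.
Sample lines are constructed; the failure threshold is an assumption."""
import re
from collections import Counter, defaultdict

# Constructed sample in the format sshd writes to /var/log/secure.
SAMPLE_SECURE = """\
Jul 14 09:12:01 web1 sshd[2231]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jul 14 09:12:03 web1 sshd[2231]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jul 14 09:12:05 web1 sshd[2233]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jul 14 09:12:09 web1 sshd[2235]: Failed password for invalid user oracle from 203.0.113.7 port 51244 ssh2
Jul 14 09:12:40 web1 sshd[2237]: Accepted password for deploy from 203.0.113.7 port 51250 ssh2
Jul 14 09:15:22 web1 sshd[2301]: Failed password for alice from 198.51.100.12 port 40021 ssh2
Jul 14 09:15:30 web1 sshd[2303]: Accepted publickey for alice from 198.51.100.12 port 40022 ssh2
Jul 14 09:18:01 web1 sshd[2320]: Failed password for invalid user test from 192.0.2.99 port 60001 ssh2
Jul 14 09:18:02 web1 sshd[2322]: Failed password for invalid user guest from 192.0.2.99 port 60002 ssh2
Jul 14 09:18:03 web1 sshd[2324]: Failed password for invalid user pi from 192.0.2.99 port 60003 ssh2
Jul 14 09:20:00 web1 sshd[2350]: Accepted publickey for bob from 192.0.2.44 port 55000 ssh2
Jul 14 09:20:00 web1 sshd[2350]: pam_unix(sshd:session): session opened for user bob by (uid=0)
"""

# Matches both "Accepted <method> for <user> from <ip>" and
# "Failed <method> for [invalid user] <user> from <ip>".
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_events(text):
    """Return one dict per sshd authentication line; other lines are skipped."""
    return [m.groupdict() for m in (AUTH_RE.search(l) for l in text.splitlines()) if m]


def suspicious_ips(text, threshold=3):
    """Return {ip: {"failures", "users", "success_after_failures"}} for every
    source IP that reached the failure threshold or logged in after failing."""
    failures, users, success_after = Counter(), defaultdict(set), set()
    for ev in parse_auth_events(text):
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
            users[ev["ip"]].add(ev["user"])
        elif failures[ev["ip"]] > 0:          # a success that follows earlier failures
            success_after.add(ev["ip"])
    report = {}
    for ip in set(failures) | success_after:
        if failures[ip] >= threshold or ip in success_after:
            report[ip] = {"failures": failures[ip], "users": sorted(users[ip]),
                          "success_after_failures": ip in success_after}
    return report


if __name__ == "__main__":
    for ip, info in sorted(suspicious_ips(SAMPLE_SECURE).items()):
        print(ip, info)
```

The "success after failures" flag is the one worth acting on first: a single failed attempt followed by a successful key login (198.51.100.12 above) is usually just a user typo, but several failures against different account names followed by a password login deserves a look at that account.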


IV. Recording logged-in users: wtmp

/var/log/wtmp records the data of users who have logged in. Because this file is encoded (it is a binary file), you must use the last command to read its contents; viewing it directly with cat and similar commands is not possible.
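To show why cat is useless here, the following added example (not part of the original article) builds two binary wtmp records and decodes them the way last(1) would. It assumes the struct utmp layout glibc uses on x86-64 (384 bytes per record); the login data is constructed.

```python
"""Added example (not from the original article): /var/log/wtmp is an array of
fixed-size binary struct utmp records.  This constructs two records and decodes
them like last(1).  The layout assumed is glibc's on x86-64 (384 bytes)."""
import struct
from datetime import datetime, timezone

# struct utmp on glibc/x86-64: type, pad, pid, line[32], id[4], user[32], host[256],
# exit status (2 shorts), session, tv_sec, tv_usec, addr_v6[4], 20 unused bytes.
UTMP_FORMAT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)      # 384
UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 5: "INIT_PROCESS",
            6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}


def _cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def make_record(ut_type, pid, line, user, host, when):
    """Pack one utmp record (used here only to construct sample data)."""
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), line[-4:].encode(),
                       user.encode(), host.encode(), 0, 0, 0, when, 0, 0, 0, 0, 0)


def parse_wtmp(data):
    """Decode every complete record in a wtmp byte string."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        fields = struct.unpack(UTMP_FORMAT, data[off:off + UTMP_SIZE])
        ut_type, pid, line, _id, user, host, _term, _exit, _sess, tv_sec = fields[:10]
        records.append({
            "type": UT_TYPES.get(ut_type, str(ut_type)),
            "pid": pid,
            "line": _cstr(line),
            "user": _cstr(user),
            "host": _cstr(host),
            "time": datetime.fromtimestamp(tv_sec, timezone.utc),
        })
    return records


def sessions(records):
    """Pair each USER_PROCESS login with the next DEAD_PROCESS on the same line,
    giving the user/line/host/duration view that last(1) prints."""
    open_logins, result = {}, []
    for rec in records:
        if rec["type"] == "USER_PROCESS":
            open_logins[rec["line"]] = rec
        elif rec["type"] == "DEAD_PROCESS" and rec["line"] in open_logins:
            login = open_logins.pop(rec["line"])
            result.append({"user": login["user"], "line": login["line"], "host": login["host"],
                           "login": login["time"],
                           "duration_s": int((rec["time"] - login["time"]).total_seconds())})
    return result


# Constructed sample: alice logs in from 198.51.100.12 on pts/0 and logs out an hour later.
LOGIN_TS = 1279069200                          # 2010-07-14 01:00:00 UTC
SAMPLE_WTMP = (make_record(7, 4321, "pts/0", "alice", "198.51.100.12", LOGIN_TS) +
               make_record(8, 4321, "pts/0", "", "", LOGIN_TS + 3600))

if __name__ == "__main__":
    for s in sessions(parse_wtmp(SAMPLE_WTMP)):
        print(s)
```

Because every record is mostly NUL padding, cat prints almost nothing readable; the fields only make sense once split at 384-byte boundaries, which is what last does for you.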

V. lastlog: recording login times

/var/log/lastlog records the time each user last logged in to the system, so when a user logs in, the time of the previous login is displayed. Be aware that if this time is not the time you last logged in, your account may have been compromised. This file can be read with the /usr/bin/lastlog command (/usr/sbin/lastlogin under FreeBSD).

VI. Viewing boot messages with dmesg

dmesg provides an easy way to view the system's boot messages. When Linux boots, the kernel's messages are stored in the kernel ring buffer, and dmesg displays the contents of that buffer. By default dmesg prints to the screen, but of course you can redirect the output to a file. If hardware is damaged, it shows up in the dmesg log and can be checked with the following command:

dmesg | grep error

VII. Mail server logs

The mail server also logs to /var/log/messages. If you want to analyze it with a professional log analysis tool, I recommend Awstats. Because the company's mail requirements were fairly low, what I helped them configure was the simplest sendmail, and I sometimes look at the mail log to determine whether messages are being sent correctly; when configuring a Nagios server I also used this log to check whether alert mails were going out. If you are confident enough in your shell skills you can also write scripts to collect the return status of the mail server, and so on. But professional things are best left to professional tools, especially when the mail load is high: millions, or even just tens of thousands, of log entries per day is no joke.

VIII. Professional tools for log files

Some system services, such as Apache, Nginx, Squid and MySQL, have their own specific log files. Because of the complexity of their formats, it is recommended to analyze them with professional tools such as awstats and cacti. At the moment I mostly use cacti to analyze the concurrency of the Nginx load balancer over a period of time.


IX. Outputting the iptables log to a specified file (written by logboy)

The iptables man page says that iptables is used to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined, each containing a number of built-in chains and possibly user-defined chains. By default iptables writes its log messages to /var/log/messages, but in some cases you may need to change where the log goes. Here is how to create a new log file, /var/log/iptables.log. With a dedicated log file you can produce better statistics, and it helps you analyze information about network attacks.

(1) The default iptables log file

For example, if you enter the following command, the iptables log entries in /var/log/messages are displayed on the screen:

# tail -f /var/log/messages

Output:

Oct 4 00:44:28 debian gconfd (vivek-4435): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
Oct 4 01:14:19 debian kernel: IN=ra0 OUT= MAC=00:17:9a:0a:f6:44:00:08:5c:00:00:01:08:00 SRC=200.142.84.36 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=18374 DF PROTO=TCP SPT=46040 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

(2) Outputting iptables log messages to a specified file

Open your /etc/syslog.conf file:

# vi /etc/syslog.conf

Add the following line of information to the end of the file:

kern.warning    /var/log/iptables.log

Save and close the file.

Restart syslogd (if you are using Debian/Ubuntu Linux):

# /etc/init.d/sysklogd restart

Or restart syslogd with the following command (if you are using Red Hat/CentOS/Fedora Core Linux):

# /etc/init.d/syslog restart

Now confirm that your iptables rules use the --log-level 4 parameter (optionally preceded by a --log-prefix flag). For example:

# drop everything and log it
iptables -A INPUT -j LOG --log-level 4
iptables -A INPUT -j DROP

For example, to discard all connections from the IP address 65.55.11.2 and log them to /var/log/iptables.log:

iptables -A INPUT -s 64.55.11.2 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix '** HACKERS **' --log-level 4
iptables -A INPUT -s 64.55.11.2 -j DROP

Explanation of the command:

--log-level 4: the level at which to log. Level 4 is warning.

--log-prefix '** text **': defines a text prefix placed before the logged message. The text can be up to 29 characters long, so that you can easily find the relevant entries in the log file.

You can now see all of iptables' log messages in the /var/log/iptables.log file:

# tail -f /var/log/iptables.log
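Once the entries are in their own file, the point of the exercise is statistics. The following added example (not part of the original article) parses the kernel LOG line format shown above, splitting the --log-prefix from the key=value fields and bare flags, and summarizes the file by source address, protocol and destination port and by prefix. The sample lines are constructed: the first copies the article's own output line, the others use the '** HACKERS **' prefix from the rule above.

```python
"""Added example (not from the original article): a parser for the kernel LOG
lines written to /var/log/iptables.log, with a per-source/port and per-prefix
summary.  Sample lines are constructed."""
import re
from collections import Counter

SAMPLE_IPTABLES_LOG = """\
Oct  4 01:14:19 debian kernel: IN=ra0 OUT= MAC=00:17:9a:0a:f6:44:00:08:5c:00:00:01:08:00 SRC=200.142.84.36 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=18374 DF PROTO=TCP SPT=46040 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  4 01:14:25 debian kernel: ** HACKERS ** IN=ra0 OUT= MAC=00:17:9a:0a:f6:44:00:08:5c:00:00:01:08:00 SRC=64.55.11.2 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1001 DF PROTO=TCP SPT=33000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  4 01:14:26 debian kernel: ** HACKERS ** IN=ra0 OUT= MAC=00:17:9a:0a:f6:44:00:08:5c:00:00:01:08:00 SRC=64.55.11.2 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1002 DF PROTO=TCP SPT=33001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  4 01:14:30 debian kernel: ** HACKERS ** IN=ra0 OUT= MAC=00:17:9a:0a:f6:44:00:08:5c:00:00:01:08:00 SRC=64.55.11.2 DST=192.168.1.2 LEN=68 TOS=0x00 PREC=0x00 TTL=48 ID=1003 PROTO=UDP SPT=5353 DPT=53
Oct  4 01:15:00 debian gconfd (vivek-4435): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
"""

# syslog timestamp, host, then the kernel message; the day may be padded with a space.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<rest>.*)$")


def parse_iptables_line(line):
    """Return {ts, host, prefix, fields, flags} for an iptables LOG line, or None
    for any other syslog line (non-kernel lines, kernel lines without IN=)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    tokens = m.group("rest").split()
    try:
        start = next(i for i, t in enumerate(tokens) if t.startswith("IN="))
    except StopIteration:
        return None
    fields, flags = {}, []
    for tok in tokens[start:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value               # OUT= gives an empty string for input packets
        else:
            flags.append(tok)                 # bare tokens such as DF, SYN, ACK
    return {"ts": m.group("ts"), "host": m.group("host"),
            "prefix": " ".join(tokens[:start]), "fields": fields, "flags": flags}


def summarize(log_text):
    """Count logged packets by (SRC, PROTO, DPT) and by --log-prefix text."""
    by_src_dport, by_prefix, ignored = Counter(), Counter(), 0
    for line in log_text.splitlines():
        rec = parse_iptables_line(line)
        if rec is None:
            ignored += 1
            continue
        f = rec["fields"]
        by_src_dport[(f.get("SRC"), f.get("PROTO"), f.get("DPT"))] += 1
        by_prefix[rec["prefix"]] += 1
    return {"by_src_dport": by_src_dport, "by_prefix": by_prefix, "ignored": ignored}


if __name__ == "__main__":
    summary = summarize(SAMPLE_IPTABLES_LOG)
    for key, count in summary["by_src_dport"].most_common():
        print(key, count)
    print("by prefix:", dict(summary["by_prefix"]))
```

Keying the summary on the prefix is what makes the 29-character --log-prefix worth setting: each rule's hits can be counted separately even when they all land in the same file.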

X. Log rotation

Finally, log rotation. The Linux log rotation mechanism works quite well; of course we can also edit /etc/logrotate.conf to adjust it. Interested readers can refer to Bird Brother's article; it is not covered in detail here.

Reference: http://os.51cto.com/art/201007/211455.htm

This article is from the "--" blog; please keep this source: http://57388.blog.51cto.com/47388/1548837
