Linux Log Analysis

Connection time log-the connection time log is executed by multiple programs and records are written to/var/log/wtmp and/var/run/utmp. Login and other programs update the wtmp and utmp files so that the system administrator can track who is logged on to the system at any time.
Log format-select the condition and priority.
Error Log -- executed by syslogd (8. Various system Daemon Processes, user programs, and kernels report noteworthy events to files/var/log/messages through syslog (3. There are also many Linux Program Creation logs. Servers that provide network services such as HTTP and FTP also maintain detailed logs.
Connection time log:
Utmp, wtmp, and lastlog log files are the key for most UNIX log subsystems to be reused-keep the records of user logon entry and exit. Information about the previously logged-on user is recorded in the file utmp; logon entry and exit records are recorded in the file wtmp; the last log-on file can be viewed using the lastlog command. Data exchange, shutdown, and restart are also recorded in the wtmp file.
The who, w, users, and ac commands are executed by the system kernel. When a process terminates, each process writes a record to the process Statistics file (pacct or acct. Process statistics are used to provide command usage statistics for basic services in the system.
/Var/log/secure logging into the system, including sshd telnet pop.
Error Log:
Syslog has been adopted by many log functions and is used in many protection measures-any program can record events through syslog. Syslog records system events, writes to a file or device, or sends a message to users. It can record local events or events on another host through the network.
/Etc/syslog. conf file format description
Service name. Record level storage location
The service name includes common services such as httpd and ftpd.
Record level info (information) notice (Recommended information should be followed) warning or warn (warning information) error (error information) Special level such as debug (display debugging information)
Syslog storage location
Absolute path:/var/log
Printer:/dev/lp0
Remote Host: @ 192.168.0.10
The-r option/etc/sysconfig/syslog must be enabled for the remote host.
(Focuses on implementation)
Syslog security attribute settings
Chattr + a/var/log/messages
Lsattr/var/log/message
Only materials can be added, but cannot be deleted. (Only root can be modified, but we may not use lcap to prevent root from being deleted or modified for further explanation)