Linux Log Management Skills

Linux Log Management Skills-general Linux technology-Linux programming and kernel information. The following is a detailed description. Directory
1. Use shell to write information to the syslog Log File
2. Output iptables logs to a specified file


Content
1. Use shell to write information to the syslog Log File

The log file (in the/var/log directory) that the application uses the syslog protocol to send information to the Linux system ). sysklogd provides two system tools: system logging and kernel information capturing. generally, most programs use the C language, syslog application, or library to send syslog messages.

The following describes how to use shell to write information to syslog log files:

1). Use the Logger command

The logger command is a shell command (interface). You can use the syslog System Log Module through this interface. You can also directly write a line of information to the system log file from the command line.

For example, record the system restart information after the hard disk upgrade:
$ Logger System rebooted for hard disk upgrade

Then you can view the/var/log/message file:

# Tail-f/var/log/message

Output:

Jan 26 20:53:31 dell6400 logger: System rebooted for hard disk upgrade

You can also use the logger command by using a script program. See the following example:

#! /Bin/bash
HDBS = "db1 db2 db3 db4"
BAK = "/sout/email"
[! -D $ BAK] & mkdir-p $ BAK |:
/Bin/rm $ BAK /*
NOW = $ (date + "% d-% m-% Y ")
ATTCH = "/sout/backup. $ NOW. tgz"
[-F $ ATTCH] & amp;/bin/rm $ ATTCH |:
MTO = "you@yourdomain.com"
For db in $ HDBS
Do
FILE = "$ BAK/$ db. $ NOW-$ (date +" % T "2.16.gz"
Mysqldump-u admin-p 'Password' $ db | gzip-9> $ FILE
Done
Tar-jcvf $ ATTCH $ BAK
Mutt-s "DB $ NOW"-a $ ATTCH $ MTO < DBS $ (date)
EOF
["$? "! = "0"] & logger "$0-MySQL Backup failed" |:

If the mysql database backup fails, the last line of code above will write a message to the/var/log/message file.

2). Other usage

If you need to record the information in the/var/log/myapp. log file, you can use:
$ Logger-f/var/log/myapp. log

Send messages to the screen (standard errors), such as system logs:
$ Logger-s "Hard disk full"

You can refer to the man reference page for more options:
Man logger
Man syslogd

2. Output iptables logs to a specified file

Iptables man reference page: We can use iptables to create, maintain, and check the IP packet filtering rule table in the Linux kernel. several different tables may have been created. Each table contains many embedded chains or custom chains.

Iptables outputs log information to the/var/log/messages file by default. however, you may need to modify the log output location in some cases. this section describes how to create a new log file/var/log/iptables. log. by modifying or using new log files, you can create better statistics or help you analyze network attack information.

1). Iptables default Log File
For example, if you enter the following command, the page displays the iptables log information in the/var/log/messages file:

# Tail-f/var/log/messages

Output:

Oct 4 00:44:28 debian gconfd (vivek-4435): Resolved address "xml: readonly:/etc/gconf. xml. defaults" to a read-only configuration source at position 2
Oct 4 01:14:19 debian kernel: IN = ra0 OUT = MAC = 00: 17: 9a: 0a: f6: 44: 00: 08: 5c: 00: 00: 01: 08: 00 SRC = 200.142.84.36 DST = 192.168.1.2 LEN = 60 TOS = 0x00 PREC = 0x00 TTL = 51 ID = 18374 df proto = tcp spt = 46040 DPT = 22 WINDOW = 5840 RES = 0x00 syn urgp = 0

2). Method for outputting iptables log information to a specified file
Open your/etc/syslog. conf file:
# Vi/etc/syslog. conf

Add the following line of information to the end of the file
Kern. warning/var/log/iptables. log

Save and close the file.

Restart syslogd (if you use Debian/Ubuntu Linux ):
#/Etc/init. d/sysklogd restart

In addition, run the following command to restart syslogd (if you use Red Hat/Cent OS/Fedora Core Linux ):
#/Etc/init. d/syslog restart

Now make sure that your iptables uses the log-level 4 parameter (there is a log-prefix flag before). For example:
# DROP everything and Log it
Iptables-a input-j LOG? Log-level 4
Iptables-a input-j DROP

For example, discard and record all connection information from the IP address 65.55.11.2 to the/var/log/iptables. log file.
Iptables-a input-s 64.55.11.2-m limit -- limit 5/m -- limit-burst 7-j LOG? Log-prefix '** HACKERS **' -- log-level 4
Iptables-a input-s 64.55.11.2-j DROP

Command explanation:

.-Log-level 4: record level. level 4 is warning ).
. -Log-prefix '*** TEXT **': the prefix of TEXT is defined before the log output information. TEXT Information can contain a maximum of 29 characters, so that you can easily find relevant information in the record file.

Now you can refer to all iptables information through the/var/log/iptables. log file:
# Tail-f/var/log/iptables. log

Reference
Shell scripting: Write message to a syslog/log file
Force iptables to log messages to a different log file