Linux operating system log management method

1. Log introduction

Logs are very important for security. They record all kinds of events that occur in the system every day. You can use them to check the causes of errors, or the traces left by an attacker during an attack. The main functions of logs are auditing and monitoring. They can also be used to monitor the system status in real time, and to monitor and track intrusions, and so on.

In Linux, there are three major log subsystems:

- Connection time logs: executed by multiple programs, which write records to /var/log/wtmp and /var/run/utmp. login and other programs update the wtmp and utmp files so that the system administrator can track who is logged on to the system at any time.
- Process statistics: executed by the system kernel. When a process terminates, a record for it is written to the process statistics file (pacct or acct). Process statistics provide command usage statistics for basic services in the system.
- Error log: executed by syslogd(8). Various system daemons, user programs, and the kernel report noteworthy events to files such as /var/log/messages through syslog(3). In addition, many UNIX programs create their own logs, and servers that provide network services such as HTTP and FTP also maintain detailed logs.
Common log files are as follows:

- access-log: records HTTP/web transfers
- acct/pacct: records user commands
- aculog: records MODEM activity
- btmp: records failed login attempts
- lastlog: records the most recent successful login events and the last unsuccessful login
- messages: records information from syslog (sometimes linked to the syslog file)
- sudolog: records uses of the sudo command
- sulog: records uses of the su command
- syslog: records information from syslog (usually linked to the messages file)
- utmp: records each user currently logged on
- wtmp: permanent record of each user's login and logout times
- xferlog: records FTP sessions

The utmp, wtmp, and lastlog files are the key to most UNIX log subsystems: they maintain the user login and logout records. Information about the currently logged-on users is recorded in the file utmp; login and logout records are recorded in the file wtmp; the last logins are kept in lastlog and can be viewed with the lastlog command. Data exchange, shutdown, and restart are also recorded in the wtmp file. All records carry timestamps. These files (lastlog is usually not large) grow rapidly on systems with many users. For example, the wtmp file grows without bound unless it is truncated regularly. Many systems configure wtmp to be rotated daily or weekly, usually by a script run from cron. These scripts rename and recycle the wtmp file: after the first day wtmp is renamed wtmp.1, after the second day wtmp.1 becomes wtmp.2, and so on up to wtmp.7.

Each time a user logs on, the login program looks up the user's UID in the lastlog file. If a previous login time is found, the user's last login time, logout time, and host name are written to standard output, and login records the new login time in lastlog. After the new lastlog entry is written, the utmp file is opened and the user's utmp record is inserted. This record remains in use until the user logs out.
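As an added example (not part of the original article), the following Python code reads the binary wtmp/utmp records that login writes and pairs logins with logouts the way last does. It assumes the 384-byte glibc struct utmp layout of 64-bit Linux; the sample records are constructed here, not taken from a real system.

```python
"""Read Linux wtmp/utmp records and pair logins with logouts, the way `last` does."""
import struct
from collections import namedtuple
# glibc struct utmp on x86-64 Linux is 384 bytes; field order follows <utmp.h>
# (assumption: the file was written by a 64-bit glibc system).
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)        # 384
USER_PROCESS, DEAD_PROCESS = 7, 8            # ut_type values from <utmp.h>
Record = namedtuple("Record", "ut_type pid line user host when")

def _cstr(raw: bytes) -> str:
    # fixed-width C string: everything up to the first NUL
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_wtmp(data: bytes) -> list:
    """Split wtmp/utmp bytes into Record tuples (what cat/tail cannot do for a binary file)."""
    if len(data) % UTMP_SIZE:
        raise ValueError("size is not a multiple of %d bytes" % UTMP_SIZE)
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        # f[0]=ut_type f[1]=ut_pid f[2]=ut_line f[4]=ut_user f[5]=ut_host f[9]=ut_tv.tv_sec
        records.append(Record(f[0], f[1], _cstr(f[2]), _cstr(f[4]), _cstr(f[5]), f[9]))
    return records

def sessions(records: list) -> list:
    """Pair each USER_PROCESS login with the next DEAD_PROCESS on the same tty; returns
    (user, line, host, login_time, logout_time), logout_time None if still logged in."""
    open_by_line, result = {}, []
    for r in records:
        if r.ut_type == USER_PROCESS:
            open_by_line[r.line] = r
        elif r.ut_type == DEAD_PROCESS and r.line in open_by_line:
            login = open_by_line.pop(r.line)
            result.append((login.user, login.line, login.host, login.when, r.when))
    result.extend((l.user, l.line, l.host, l.when, None) for l in open_by_line.values())
    return result

def make_record(ut_type, pid, line, user, host, when) -> bytes:
    """Pack one 384-byte record; used here only to build the constructed sample below."""
    pad = lambda s, n: s.encode()[:n].ljust(n, b"\0")
    return struct.pack(UTMP_FMT, ut_type, pid, pad(line, 32), pad(line[-4:], 4),
                       pad(user, 32), pad(host, 256), 0, 0, 0, when, 0, 0, 0, 0, 0)

# Constructed sample, not a real wtmp: ynguo logs in and out 11 minutes later; lewis stays on.
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 1201, "pts/0", "ynguo", "simba.nic.ustc.e", 965000000),
    make_record(USER_PROCESS, 1333, "pts/4", "lewis", "202.38.64.233", 965000120),
    make_record(DEAD_PROCESS, 1201, "pts/0", "", "", 965000660),
])
```

On a real system, feed the bytes of /var/log/wtmp or /var/run/utmp to parse_wtmp; a login that never gets a matching logout record shows up with a logout time of None, which is what last prints as "still logged in".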
The utmp file is used by various commands, including who, w, users, and finger. Next, the login program opens the file wtmp and appends the user's utmp record. When the user logs out, the same utmp record, with an updated timestamp, is appended to the file. The wtmp file is used by the programs last and ac.

2. Specific commands

The wtmp and utmp files are binary files, so they cannot be cut or merged with commands such as tail (or cat). To use the information they contain you need who, w, users, last, and ac.

who: The who command queries the utmp file and reports every user currently logged on. The default output of who includes the user name, terminal type, login date, and remote host. Example: who (press Enter) displays:

    chyang pts/0 Aug 18 06
    ynguo  pts/2 Aug 18 32
    ynguo  pts/3 Aug 18 55
    lewis  pts/4 Aug 18 35
    ynguo  pts/7 Aug 18
    ylou   pts/8 Aug 18

If a wtmp file name is specified, the who command reports all previous records. The command who /var/log/wtmp reports every login since the wtmp file was created or truncated.

w: The w command queries the utmp file and displays information about each user on the current system and the processes they run. Example: w (press Enter):

    3:36pm up 1 day, 6 users, load average: 0.23, 0.29, 0.27
    USER   TTY   FROM             LOGIN@ IDLE  JCPU  PCPU  WHAT
    chyang pts/0 202.38.68.242    06pm   0.08s 0.04s -bash
    ynguo  pts/2 202.38.79.47     pm     0.00s 0.14s 0.05 w
    lewis  pts/3 202.38.64.233    :55pm  30:39 0.27s 0.22s -bash
    lewis  pts/4 202.38.64.233    pm     6.00s 4.03s 0.01s sh /home/users/
    ynguo  pts/7 simba.nic.ustc.e pm     0.00s 0.47s 0.24s telnet mail
    ylou   pts/8 202.38.64.235    pm     1:09m 0.10s 0.04s -bash

users: users prints the currently logged-on users on a single line; each user name displayed corresponds to one login session. If a user has more than one login session, the user name is displayed the same number of times.
For example, users (press Enter) shows:

    chyang lewis ylou ynguo

last: The last command searches backwards through wtmp and shows the users who have logged on since the file was created. Example:

    chyang pts/9 202.38.68.242 Tue Aug 1 - ()
    cfan   pts/6 202.38.64.20  Tue Aug 1 )
    chyang pts/4 202.38.68.242 Tue Aug 1 - ()
    lewis  pts/3 202.38.64.233 Tue Aug 1 )
    lewis  pts/2 202.38.64.233 Tue Aug 1 - ()

If a user name is given, last reports only that user's recent activity. For example, last ynguo (press Enter):

    ynguo pts/4  simba.nic.ustc.e Fri Aug 4 - ()
    ynguo pts/4  simba.nic.ustc.e Thu Aug 3 - ()
    ynguo pts/11 simba.nic.ustc.e Thu Aug 3 - ()
    ynguo pts/0  simba.nic.ustc.e Thu Aug 3 - ()
    ynguo pts/0  simba.nic.ustc.e Wed Aug 2 0:04 - 0:16 (1+02:12)
    ynguo pts/0  simba.nic.ustc.e Wed Aug 2 00:43 - 00:54 (00:11)
    ynguo pts/9  simba.nic.ustc.e Thu Aug 1 - ()

ac: The ac command reports, from the current /var/log/wtmp file, the time (in hours) users have been logged in. Without any flag, it reports the total time. Example: ac (press Enter):

    total 5177.47

ac -d (press Enter) shows the total connection time for each day:

    Aug 12 total 261.87
    Aug 13 total 351.39
    Aug 14 total 396.09
    Aug 15 total 462.63
    Aug 16 total 270.45
    Aug 17 total 104.29
    Today  total 179.02

ac -p (press Enter) shows the total connection time of each user:

    ynguo    193.23
    yucao      3.35
    rong     133.40
    hdai      10.52
    zjzhu     52.87
    zqzhou    13.14
    liangliu  24.34
    total   5178.24

lastlog: The lastlog file is queried every time a user logs on. The lastlog command shows the last login time of specific users by formatting and printing the last login log /var/log/lastlog. It displays the login name, port (tty), and last login time, sorted by UID. If a user has never logged on, lastlog displays "** Never logged in **".
Note that you need to run this command as root. For example:

    rong     5  parse          Fri Aug 18 15:57:01 +0800 2000
    dbb                        ** Never logged in **
    xinchen                    ** Never logged in **
    pb9511                     ** Never logged in **
    xchen    0  202.38.64.190  Sun Aug 13 10:01:22 +0800 2000

In addition, you can add a parameter: for example, lastlog -u 102 reports the user whose UID is 102, and lastlog -t 7 limits the report to the previous week.

3. Process statistics

UNIX can track every command run by each user. If you want to know what important files were tampered with last night, the process statistics subsystem can tell you. It is helpful for tracking an intrusion. Unlike the connection time log, the process statistics subsystem is not active by default and must be started. In Linux, the accton command starts process statistics and must be run as root. The form of the command is accton file, and the file must already exist. Create the pacct file with the touch command, touch /var/log/pacct, and then run accton: accton /var/log/pacct. Once accton is active, you can use the lastcomm command at any time to monitor the commands executed on the system. To turn statistics off, run accton without any parameters.

The lastcomm command reports on previously executed commands. Without parameters, lastcomm displays information about all commands recorded during the lifetime of the current statistics file, including the command name, user, tty, CPU time consumed by the command, and a timestamp. If the system has many users, the output may be very long. For example:

    crond            F  root  ??     0.00 secs Sun Aug 20
    promisc_check.s     root  ??     0.04 secs Sun Aug 20
    promisc_check       root  ??     0.01 secs Sun Aug 20
    grep                root  ??     0.02 secs Sun Aug 20
    tail                root  ??     0.01 secs Sun Aug 20
    sh                  root  ??     0.01 secs Sun Aug 20
    ping             S  root  ??     0.01 secs Sun Aug 20
    ping6.pl         F  root  ??     0.01 secs Sun Aug 20
    sh                  root  ??     0.01 secs Sun Aug 20
    ping             S  root  ??     0.02 secs Sun Aug 20
    ping6.pl         F  root  ??     0.02 secs Sun Aug 20
    sh                  root  ??     0.02 secs Sun Aug 20
    ping             S  root  ??     0.00 secs Sun Aug 20
    ping6.pl         F  root  ??     0.01 secs Sun Aug 20
    sh                  root  ??     0.01 secs Sun Aug 20
    ping             S  root  ??     0.01 secs Sun Aug 20
    sh                  root  ??     0.02 secs Sun Aug 20
    ping             S  root  ??     1.34 secs Sun Aug 20
    locate              root  ttyp0  1.34 secs Sun Aug 20
    accton           S  root  ttyp0  0.00 secs Sun Aug 20

One problem with process statistics is that the pacct file may grow very quickly. In that case you need to run the sa command, interactively or from cron, to keep the log data under control. The sa command reports on, cleans up, and maintains the process statistics files. It can condense the information in /var/log/pacct into the summary files /var/log/savacct and /var/log/usracct, which hold system statistics by command name and by user name. By default, sa reads the summaries first and then the pacct file, so that the report contains all available information. sa labels its output columns as follows:

- avio: average number of I/O operations per execution
- cp: total user and system time, in minutes
- cpu: same as cp
- k: average kernel CPU usage, in 1k units
- k*sec: CPU storage integral, in 1k-core seconds
- re: real time, in minutes
- s: system time, in minutes
- tio: total number of I/O operations
- u: user time, in minutes

For example:

    842   173.26re  4.30cp  0avio  358k
      2    10.98re  4.06cp  0avio  299k  find
      9    24.80re  0.05cp  0avio  291k  ***other*
    105    30.44re  0.03cp  0avio  302k  ping
    104    30.55re  0.03cp  0avio  394k  sh
    162     0.11re  0.03cp  0avio  413k  security.sh*
    154     0.03re  0.02cp  0avio  273k  ls
     56   1090.02cp         0avio  823k  ping6.pl*
      2     3.23re  0.02cp  0avio  822k
  12735     0.02re  0.01cp  0avio  257k  md5sum
     97     0.02re  0.01cp  0avio  263k  initlog
     12     0.19re  0.01cp  0avio  399k  promisc_check.s
     15     0.09re  0.00cp  0avio  288k  grep
     11     0.08re  0.00cp  0avio  332k  awk

sa can also produce a summary report by user rather than by command.
For example, sa -m shows:

             885  173.28re  4.31cp  0avk
    root     879  173.23re  4.31cp  0avk
    alias      3    0.05re  0.00cp  0avk
    qmailp     3    0.01re  0.00cp  0avk

4. syslog

syslog has been adopted by many logging functions and is used in many protective measures: any program can record events through syslog. syslog records system events, writing them to a file or device, or sending a message to users. It can record local events or events from another host over the network. The syslog facility depends on two important files: /etc/syslogd (the daemon) and the /etc/syslog.conf configuration file. Traditionally, most syslog information is written to information files (messages.*) in the /var/adm or /var/log directory. A typical syslog record includes the name of the generating program and a text message. It also carries a facility and a priority (which are not themselves written into the log).

Each syslog message is assigned to one of the following main facilities:

- LOG_AUTH: authentication system: login, su, getty, and others
- LOG_AUTHPRIV: same as LOG_AUTH, but logged only to a selected file readable by a single user
- LOG_CRON: cron daemon
- LOG_DAEMON: other system daemons, such as routed
- LOG_FTP: File Transfer Protocol: ftpd, tftpd
- LOG_KERN: kernel-generated messages
- LOG_LPR: system printer spooler: lpr, lpd
- LOG_MAIL: mail system
- LOG_NEWS: network news system
- LOG_SYSLOG: internal messages generated by syslogd(8)
- LOG_USER: messages generated by arbitrary user processes
- LOG_UUCP: UUCP subsystem
- LOG_LOCAL0 ~ LOG_LOCAL7: reserved for local use

Each event is also given one of several priorities:

- LOG_EMERG: emergency
- LOG_ALERT: problems that should be corrected immediately, such as a corrupted system database
- LOG_CRIT: critical conditions, for example a hard drive error
- LOG_ERR: errors
- LOG_WARNING: warning messages
- LOG_NOTICE: not an error, but something you may need to handle
- LOG_INFO: informational messages
- LOG_DEBUG: debugging information, usually only of interest when debugging a program
syslog.conf: The syslog.conf file specifies the logging actions taken by the syslogd program, which reads the configuration file at startup. The file consists of single entries for different programs or message categories, one per line. Each entry provides a selector field and an action field for one type of message, separated by tabs. The selector field specifies the type and priority of the message; the action field indicates what syslogd does when it receives a message matching the selector. Each selector consists of a facility and a priority. When a priority is specified, syslogd records messages of the same or higher priority. Therefore, if "crit" is specified, all messages marked crit, alert, and emerg are recorded. The action field on each line says where messages matching the selector are sent. For example, to record all mail messages to a single file:

    # Log all the mail messages in one place
    mail.*                          /var/log/maillog

Other facilities also have their own logs. The UUCP and news facilities can produce many external messages; these are stored in their own log (/var/log/spooler) and limited to level "err" or higher. Example:

    # Save mail and news errors of level err and higher in a special file.
    uucp,news.crit                  /var/log/spooler

When an emergency message arrives, every user probably wants to see it. You may also want to receive and save your own logs elsewhere:

    # Everybody gets emergency messages, plus log them on another machine
    *.emerg                         *
    *.emerg                         @linuxaid.com.cn

alert messages should be written to the personal accounts of root and tiger:

    # Root and Tiger get alert and higher messages
    *.alert                         root,tiger

Sometimes syslogd generates a large number of messages. For example, the kernel ("kern" facility) may be verbose. You may want to record kernel messages to /dev/console. The following example shows the kernel log entry commented out:

    # Log all kernel messages to the console
    # Logging much else clutters up the screen
    #kern.*                         /dev/console

You can specify all facilities on one line. In the following example, messages of level info or higher are sent to /var/log/messages, except for mail and private authentication messages, which are given level "none":

    # Log anything (except mail) of level info or higher
    # Don't log private authentication messages!
    *.info;mail.none;authpriv.none  /var/log/messages

In some cases, logs can be sent to a printer, so that it is useless for a network intruder to modify them. Generally, a wide range of logs is required. The syslog facility is a notable target for attackers, and a system that keeps logs for other hosts is particularly exposed to attacks on the server. The small command logger provides a shell command interface to the syslog(3) system log facility, so that you can create entries in the log files. Usage: logger message. For example:

    logger This is a test!

generates the following syslog record:

    Aug 19 22:22:34 tiger: This is a test!

Be sure not to trust logs completely, because attackers can easily modify them.

5. Program logs

Many programs maintain logs that reflect the security status of the system. The su command lets a user obtain the permissions of another user, so its security is very important; its log file is sulog. sudolog is also available. In addition, Apache has two logs: access_log and error_log.
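As an added example (not part of the original article), this Python code evaluates a message's facility and priority against the syslog.conf selectors quoted in the syslog section above, applying the "same or higher priority" and "none" rules described there. The facility and priority names follow syslog.conf conventions; the configuration is assembled here from the page's own example lines, with the kernel console rule left out because the page shows it commented out.

```python
"""Apply syslog.conf selectors (facility.priority) to a message, as the section describes."""
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
FACILITIES = ["auth", "authpriv", "cron", "daemon", "ftp", "kern", "lpr", "mail",
              "news", "syslog", "user", "uucp"] + ["local%d" % i for i in range(8)]

def selector_matches(selector: str, facility: str, priority: str) -> bool:
    """True if a message tagged (facility, priority) matches one selector field.
    A selector is ';'-separated parts 'fac1,fac2.prio': '*' as facility means every
    facility; a named priority matches itself and everything more severe; 'none'
    drops the facility again, so '*.info;mail.none' takes info and up except mail.
    Parts apply left to right, later parts overriding earlier ones for a facility."""
    level = PRIORITIES.index(priority)
    matched = False
    for part in selector.split(";"):
        facs, prio = part.rsplit(".", 1)
        if facility not in (FACILITIES if facs == "*" else facs.split(",")):
            continue
        if prio == "none":
            matched = False
        else:
            matched = prio == "*" or level >= PRIORITIES.index(prio)
    return matched

def parse_conf(text: str) -> list:
    """Return (selector, action) pairs from syslog.conf text, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            selector, action = line.split(None, 1)   # tabs or spaces separate the fields
            rules.append((selector, action.strip()))
    return rules

def actions_for(rules: list, facility: str, priority: str) -> list:
    """Every action syslogd would take for one message under these rules, in file order."""
    return [act for sel, act in rules if selector_matches(sel, facility, priority)]

# The rules quoted in the section above, gathered into one constructed syslog.conf.
EXAMPLE_CONF = """
mail.*                          /var/log/maillog
uucp,news.crit                  /var/log/spooler
# Everybody gets emergency messages, plus log them on another machine
*.emerg                         *
*.emerg                         @linuxaid.com.cn
*.alert                         root,tiger
# Log anything (except mail) of level info or higher
# Don't log private authentication messages!
*.info;mail.none;authpriv.none  /var/log/messages
"""
RULES = parse_conf(EXAMPLE_CONF)
```

With these rules a mail.info message reaches only /var/log/maillog, an authpriv.notice message is written nowhere, and a kern.emerg message goes to every terminal, the remote host, root and tiger, and /var/log/messages.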