Linux Server Log Management in Detail

Source: Internet
Author: User

A Linux system has three main log subsystems:

Connection-time logging: performed by several programs, which write records to /var/log/wtmp and /var/run/utmp. The login program updates wtmp and utmp so that the system administrator can track who is logged on to the system and when.

Process accounting: performed by the system kernel. When a process terminates, the kernel writes one record for that process to the process accounting file (pacct or acct). The purpose of process accounting is to provide command usage statistics for the basic services on the system.

Error logging: performed by syslogd(8). System daemons, user programs and the kernel report noteworthy events to /var/log/messages via syslog(3). Many other UNIX programs create their own logs as well; servers that provide network services, such as HTTP and FTP, also keep detailed logs.

The common log files are as follows:

access-log: records HTTP/web transfers

acct/pacct: records the commands users run

aculog: records modem activity

btmp: records failed login attempts

lastlog: records each user's most recent successful login and last unsuccessful login

messages: information from syslog (on some systems linked to the syslog file)

sudolog: records commands run through sudo

sulog: records use of the su command

syslog: information from syslog (usually linked to the messages file)

utmp: records each user currently logged in

wtmp: permanent record of the login and logout time of every user session

xferlog: records FTP sessions

The utmp, wtmp and lastlog files are the heart of most UNIX logging subsystems: they keep the record of users logging in and out. Information about the currently logged-on users is kept in utmp, login and logout records are kept in wtmp, and each user's last login is kept in lastlog, which is viewed with the lastlog command. Data exchange, shutdown and reboot events are also recorded in wtmp. Every record carries a timestamp. On systems with many users these files (apart from lastlog) grow very quickly; wtmp in particular grows without bound unless it is truncated periodically. Many systems therefore rotate wtmp daily or weekly, usually from a script run by cron, which rotates the file by renaming it: at the end of the first day wtmp becomes wtmp.1, on the second day wtmp.1 becomes wtmp.2, and so on up to wtmp.7.

Each time a user logs on, the login program looks up the user's UID in the lastlog file. If it finds an entry, it prints the user's last login time, logout time and host name to standard output, and then records the new login time in lastlog. After the new lastlog record is written, the utmp file is opened and the user's utmp record is inserted; that record stays in place until the user logs out. The utmp file is used by several commands, including who, w, users and finger.

Next, the login program opens the wtmp file and appends the user's utmp record. When the user logs out, the same utmp record, with an updated timestamp, is appended to the file again. The wtmp file is used by the last and ac programs.

Specific commands

wtmp and utmp are binary files: they cannot be viewed with text tools such as tail, nor cut or merged with cat. The information in these two files is read with who, w, users, last and ac.

who: The who command queries the utmp file and reports each user currently logged on. Its default output includes the user name, terminal, login time and remote host. For example, who (followed by Enter) displays:

chyang pts/0 Aug 18 15:06
ynguo pts/2 Aug 18 15:32
ynguo pts/3 Aug 18 13:55
lewis pts/4 Aug 18 13:35
ynguo pts/7 Aug 18 14:12
ylou pts/8 Aug 18 14:15

If a wtmp file name is given, who queries all the historical records instead: who /var/log/wtmp reports every login since the wtmp file was created or last truncated.

w: The w command queries the utmp file and shows, for each user on the system, what they are currently running. For example, w (Enter) displays:

3:36pm up 1 day, 22:34, 6 users, load average: 0.23, 0.29, 0.27

USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
chyang pts/0 3:06pm 2:04 0.08s 0.04s -bash
ynguo pts/2 3:32pm 0.00s 0.14s 0.05s w
lewis pts/3 1:55pm 30:39 0.27s 0.22s -bash
lewis pts/4 1:35pm 6.00s 4.03s 0.01s sh /home/users/
ynguo pts/7 simba.nic.ustc.e 2:12pm 0.00s 0.47s 0.24s telnet mail
ylou pts/8 2:15pm 1:09m 0.10s 0.04s -bash

users: The users command prints the currently logged-on users on a single line; each name shown corresponds to one login session, so a user with several sessions appears that many times. For example, users (Enter) displays: chyang lewis lewis ylou ynguo ynguo

last: The last command searches backwards through wtmp and shows who has logged in since the file was created. For example:

chyang pts/9 Tue Aug 1 08:34 - 11:23 (02:49)
cfan pts/6 Tue Aug 1 08:33 - 08:48 (00:14)
chyang pts/4 Tue Aug 1 08:32 - 12:13 (03:40)
lewis pts/3 Tue Aug 1 08:06 - 11:09 (03:03)
lewis pts/2 Tue Aug 1 07:56 - 11:09 (03:12)

If a user name is given, last reports only that user's recent activity. For example, last ynguo (Enter) displays:

ynguo pts/4 simba.nic.ustc.e Fri Aug 4 16:50 - 08:20 (15:30)
ynguo pts/4 simba.nic.ustc.e Thu Aug 3 23:55 - 04:40 (04:44)
ynguo pts/11 simba.nic.ustc.e Thu Aug 3 20:45 - 22:02 (01:16)
ynguo pts/0 simba.nic.ustc.e Thu Aug 3 03:17 - 05:42 (02:25)
ynguo pts/0 simba.nic.ustc.e Wed Aug 2 01:04 - 03:16 (1+02:12)
ynguo pts/0 simba.nic.ustc.e Wed Aug 2 00:43 - 00:54 (00:11)
ynguo pts/9 simba.nic.ustc.e Tue Aug 1 20:30 - 21:26 (00:55)

ac: The ac command reports users' connect time in hours, based on the login and logout records in the current /var/log/wtmp file; with no flags it reports only the total. For example, ac (Enter) displays: total 5177.47

ac -d (Enter) shows the total connect time for each day:

Aug total 261.87
Aug total 351.39
Aug total 396.09
Aug total 462.63
Aug total 270.45
Aug total 104.29
Today total 179.02

ac -p (Enter) shows the total connect time for each user:

ynguo 193.23
yucao 3.35
rong 133.40
hdai 10.52
zjzhu 52.87
zqzhou 13.14
liangliu 24.34
total 5178.24
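The following is an added example, not code from the original article, that reads wtmp records directly (the binary format that, as noted above, is normally read only through who, w, last and ac), pairs logins with logouts the way last does, and totals connect time per user the way ac -p does. It assumes the struct utmp layout glibc uses on x86_64 Linux (384-byte little-endian records); the sample records are constructed in the code rather than read from /var/log/wtmp, and the function and variable names are the example's own.

```python
"""Read binary wtmp records and derive last(1)- and ac(1)-style information.

Assumption: struct utmp as laid out by glibc on x86_64 Linux, 384 bytes per
record, little-endian, with a 32-bit timeval. The sample data below is
constructed for the example; nothing is read from /var/log/wtmp.
"""
import struct
from collections import defaultdict
from datetime import datetime, timezone

# ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# exit_status (e_termination, e_exit), ut_session, ut_tv (sec, usec),
# ut_addr_v6[4], __unused[20]  -> 384 bytes in total
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

BOOT_TIME = 2      # system boot record (user "reboot", line "~")
USER_PROCESS = 7   # a normal user login session
DEAD_PROCESS = 8   # the session on that line has ended


def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one wtmp record; used only to construct sample data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def parse_wtmp(data):
    """Yield decoded records; a trailing partial record (truncated file) is skipped."""
    def cstr(b):
        return b.split(b"\0", 1)[0].decode("utf-8", "replace")
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield {"type": f[0], "pid": f[1], "line": cstr(f[2]),
               "user": cstr(f[4]), "host": cstr(f[5]), "time": f[9]}


def sessions(records):
    """Pair each login with the next logout on the same line, as last(1) does.
    A login with no matching logout is reported with logout None (still logged in,
    or the logout record was lost, e.g. after a crash)."""
    open_by_line, out = {}, []
    for r in records:
        if r["type"] == USER_PROCESS:
            prev = open_by_line.pop(r["line"], None)
            if prev is not None:          # new login on a line never closed
                out.append({**prev, "logout": None})
            open_by_line[r["line"]] = {"user": r["user"], "line": r["line"],
                                       "host": r["host"], "login": r["time"]}
        elif r["type"] == DEAD_PROCESS:
            prev = open_by_line.pop(r["line"], None)
            if prev is not None:
                out.append({**prev, "logout": r["time"]})
    out.extend({**s, "logout": None} for s in open_by_line.values())
    return out


def format_last(s):
    """Render one session in the style of last(1): user line host start - end (dur)."""
    start = datetime.fromtimestamp(s["login"], timezone.utc)
    if s["logout"] is None:
        end, dur = "still logged in", ""
    else:
        secs = s["logout"] - s["login"]
        end = datetime.fromtimestamp(s["logout"], timezone.utc).strftime("%H:%M")
        days, rem = divmod(secs, 86400)
        dur = "(%s%02d:%02d)" % ("%d+" % days if days else "", rem // 3600, rem % 3600 // 60)
    return "%-8s %-8s %-16s %s - %s %s" % (s["user"], s["line"], s["host"][:16],
                                          start.strftime("%a %b %d %H:%M"), end, dur)


def connect_hours(sess_list, now):
    """Per-user connect time in hours, like ac -p; open sessions count up to 'now'."""
    hours = defaultdict(float)
    for s in sess_list:
        end = s["logout"] if s["logout"] is not None else now
        hours[s["user"]] += (end - s["login"]) / 3600.0
    return dict(hours)


# Constructed sample wtmp: a boot, one closed session of 2h25m, two open ones.
T0 = 965_000_000
SAMPLE_WTMP = b"".join([
    pack_record(BOOT_TIME, 0, "~", "reboot", "", T0),
    pack_record(USER_PROCESS, 1234, "pts/0", "ynguo", "simba.nic.ustc.edu.cn", T0 + 600),
    pack_record(USER_PROCESS, 1300, "pts/4", "chyang", "", T0 + 900),
    pack_record(DEAD_PROCESS, 1234, "pts/0", "", "", T0 + 600 + 8700),
    pack_record(USER_PROCESS, 1400, "pts/0", "lewis", "", T0 + 20000),
])

if __name__ == "__main__":
    sess = sessions(parse_wtmp(SAMPLE_WTMP))
    for s in sess:
        print(format_last(s))
    for user, h in sorted(connect_hours(sess, T0 + 23600).items()):
        print("%-8s %8.2f" % (user, h))
```

To run it against a real file, replace SAMPLE_WTMP with the contents of /var/log/wtmp (read as bytes, as root); the record size check is the first thing to verify on another architecture, since a wrong size silently misaligns every field.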

lastlog: The lastlog file is consulted every time a user logs on. The lastlog command checks the last login time of a given user and formats the contents of /var/log/lastlog. It shows the login name, port (tty) and last login time, sorted by UID. For a user who has never logged in, lastlog shows "**never logged in**". Note that the command must be run as root. For example:

rong 5 Fri Aug 18 15:57:01 +0800 2000
dbb **never logged in**
xinchen **never logged in**
pb9511 **never logged in**
xchen 0 Sun Aug 13 10:01:22 +0800 2000

Options can be added: lastlog -u 102 reports only the user with UID 102, and lastlog -t 7 restricts the report to logins within the past week.

Process accounting

UNIX can track every command a user runs. If you want to know which important files were tampered with last night, the process accounting subsystem can tell you, and it is also useful for tracking an intruder. Unlike connection-time logging, process accounting is not enabled by default and must be started explicitly. On Linux it is started with the accton command, which must be run as root, in the form accton file; the file must already exist. First create the pacct file with touch: touch /var/log/pacct, then run accton /var/log/pacct. Once accton is active, you can use the lastcomm command to monitor every command executed on the system at any time. To turn accounting off, run accton with no arguments.

The lastcomm command reports previously executed commands. With no arguments it shows information about every command recorded over the lifetime of the current accounting file: the command name, flags, user, tty, the CPU time the command used and a timestamp. On a system with many users the output can be very long. For example:

crond F root ?? 0.00 secs Sun Aug 20 00:16
promisc_check.s S root ?? 0.04 secs Sun Aug 20 00:16
promisc_check root ?? 0.01 secs Sun Aug 20 00:16
grep root ?? 0.02 secs Sun Aug 20 00:16
tail root ?? 0.01 secs Sun Aug 20 00:16
sh root ?? 0.01 secs Sun Aug 20 00:15
ping S root ?? 0.01 secs Sun Aug 20 00:15
F root ?? 0.01 secs Sun Aug 20 00:15
sh root ?? 0.01 secs Sun Aug 20 00:15
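The following is an added example, not code from the original article, showing what lastcomm is doing underneath: decoding the binary pacct records that accton makes the kernel write, including the compressed comp_t tick counters and the S/F/D/X flag letters, and then answering the "which commands did this user run since last night" question the section opens with. It assumes the acct v3 record layout from the Linux kernel header linux/acct.h (64-byte little-endian records, 100 accounting ticks per second); the records, the UID-to-name table and all function names are constructed for the example.

```python
"""Decode process-accounting (pacct) records as lastcomm(1) presents them.

Assumption: struct acct_v3 from linux/acct.h, 64 bytes, little-endian;
comp_t is a 16-bit float-like value (3-bit base-8 exponent, 13-bit mantissa)
counting clock ticks at AHZ = 100 per second. Sample records are constructed
here; nothing is read from /var/log/pacct.
"""
import struct
from datetime import datetime, timezone

# ac_flag, ac_version, ac_tty, ac_exitcode, ac_uid, ac_gid, ac_pid, ac_ppid,
# ac_btime, ac_etime(float), 8 x comp_t (utime, stime, mem, io, rw, minflt,
# majflt, swaps), ac_comm[16]
ACCT_V3_FMT = "<ccHIIIIIIfHHHHHHHH16s"
ACCT_SIZE = struct.calcsize(ACCT_V3_FMT)  # 64
AHZ = 100  # accounting clock ticks per second

# ac_flag bits from <sys/acct.h> and the letters lastcomm prints for them
AFORK, ASU, ACORE, AXSIG = 0x01, 0x02, 0x08, 0x10
FLAG_LETTERS = ((ASU, "S"), (AFORK, "F"), (ACORE, "D"), (AXSIG, "X"))


def comp_t_decode(c):
    """comp_t: low 13 bits are the mantissa, top 3 bits a base-8 exponent."""
    return (c & 0x1FFF) << (3 * (c >> 13))


def comp_t_encode(value):
    """Inverse of comp_t_decode (lossy above 13 bits); used to build samples."""
    exp = 0
    while value > 0x1FFF:
        value >>= 3
        exp += 1
    return (exp << 13) | value


def pack_record(flag, uid, pid, btime, utime_ticks, stime_ticks, comm, tty=0):
    """Build one acct_v3 record; used only to construct sample data."""
    return struct.pack(ACCT_V3_FMT, bytes([flag]), b"\x03", tty, 0, uid, 0, pid, 0,
                       btime, 0.0, comp_t_encode(utime_ticks), comp_t_encode(stime_ticks),
                       0, 0, 0, 0, 0, 0, comm.encode()[:16])


def parse_pacct(data, uid_names):
    """Decode every complete v3 record; uid_names maps UID -> login name."""
    recs = []
    for off in range(0, len(data) - ACCT_SIZE + 1, ACCT_SIZE):
        f = struct.unpack_from(ACCT_V3_FMT, data, off)
        if f[1][0] != 3:
            continue  # not a v3 record: check the version before trusting fields
        flag = f[0][0]
        recs.append({
            "comm": f[18].split(b"\0", 1)[0].decode("ascii", "replace"),
            "flags": "".join(letter for bit, letter in FLAG_LETTERS if flag & bit),
            "user": uid_names.get(f[4], str(f[4])),
            "tty": "??" if f[2] == 0 else "tty#%d" % f[2],  # simplified device naming
            "cpu_secs": (comp_t_decode(f[10]) + comp_t_decode(f[11])) / AHZ,
            "btime": f[8],
        })
    return recs


def format_lastcomm(r):
    """One line in lastcomm's layout: command flags user tty cpu-secs start time."""
    ts = datetime.fromtimestamp(r["btime"], timezone.utc).strftime("%a %b %d %H:%M")
    return "%-16s %-4s %-8s %-4s %6.2f secs %s" % (
        r["comm"], r["flags"], r["user"], r["tty"], r["cpu_secs"], ts)


def commands_run_by(recs, user, since=0):
    """Commands a given user started at or after 'since' (epoch seconds)."""
    return [r["comm"] for r in recs if r["user"] == user and r["btime"] >= since]


# Constructed sample: cron jobs as root, then a setuid-root ping and a shell
# that died from a signal with a core dump, both run by an ordinary user.
T0 = 966_730_560  # constructed: Sun Aug 20 2000 00:16 UTC
SAMPLE_PACCT = b"".join([
    pack_record(AFORK, 0, 4101, T0, 0, 0, "crond"),
    pack_record(0, 0, 4102, T0, 1, 3, "promisc_check.s"),
    pack_record(0, 0, 4103, T0, 1, 1, "grep"),
    pack_record(ASU, 1001, 4110, T0 - 60, 50, 950, "ping"),
    pack_record(AXSIG | ACORE, 1001, 4111, T0 - 60, 200_000, 12, "sh"),
])
UID_NAMES = {0: "root", 1001: "ynguo"}  # constructed stand-in for /etc/passwd

if __name__ == "__main__":
    records = parse_pacct(SAMPLE_PACCT, UID_NAMES)
    for r in records:
        print(format_lastcomm(r))
    print("ynguo ran:", commands_run_by(records, "ynguo", since=T0 - 3600))
```

Two things the decoder makes visible that the lastcomm output above hides: the tick counters are stored with only 13 bits of precision, so long-running commands are rounded, and only the first 16 bytes of the command name are kept, so a renamed binary shows up under whatever its truncated name is.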
