Linux server-Log

Source: Internet
Author: User

Logs are very important for security. They record the various events that occur on a system every day, and you can use them to find the cause of an error or the traces an attacker left behind after a break-in. The main functions of logs are auditing and monitoring; they can also be used to watch system status in real time and to monitor and track intrusions. As a result, Fuqin has made logging into an article of the same weight as the hardware and network articles. I hope you can learn something useful from it.

1. configure syslog (written by gyl4802959)

Currently, Linux still uses syslogd as the log daemon. A sensible configuration saves a lot of trouble and lets you monitor system status more effectively from the system logs, so it is especially important for system administrators to understand and improve the syslog configuration.

/etc/syslog.conf defines each rule in the following format:

facility.level action

The facility.level field is also called the selector (selection condition); spaces or tabs separate the selector from the action. Lines starting with "#" are comments, and blank lines are skipped.

1. facility

The facility identifies the source of a log message. The keywords are:

auth - authentication activities reported by pam_pwdb

authpriv - authentication activities that include privileged information such as user names

cron - messages about scheduled tasks from cron and at

daemon - messages from system daemons, such as the inetd daemon

kern - kernel messages, passed first through klogd

lpr - messages from the print service

mail - mail-related messages

mark - internal to syslog, used to generate timestamps

news - messages from the news server

syslog - messages generated by syslog itself

user - messages generated by user programs

uucp - messages generated by uucp

local0-local7 - reserved for custom programs

* (wildcard) - all facilities except mark, which is internal; security is an old keyword equivalent to auth and is no longer recommended.

2. level

The level defines the urgency of a message. From most to least severe:

emerg - the system is unusable; equivalent to panic

alert - action must be taken immediately

crit - critical conditions that prevent a tool or subsystem from working

err - error conditions that block some function of a tool or subsystem; equivalent to error

warning - warning messages; equivalent to warn

notice - normal but significant conditions

info - informational messages

debug - other messages that do not indicate a functional condition or problem

none - no priority level; commonly used when troubleshooting to exclude a facility

* (wildcard) - all levels except none; panic, error, and warn are old identifiers and are not recommended.

When defining the level, keep two points in mind: 1) the priority is set in the application's code, so the priority of a message cannot be changed unless the source is modified and recompiled; 2) a lower priority includes all higher priorities: if you define info for an application, messages at notice, warning, err, crit, alert, and emerg are also included (unless "=" is used).

3. selector (selection condition)

The facility and level are joined with a period "." to form the selector (selection condition). A semicolon ";" separates several selectors in one rule. Three modifiers are also supported:

* - all log messages

= - equal to: only messages of exactly this priority

! - not equal to: all messages except those of this priority

4. action

Messages matched by the preceding selector are delivered to one of the following actions:

file - the absolute path of a log file

terminal or printer - a serial or parallel device, such as /dev/ttyS2

@host - a remote log server

username - the terminal of the named user on the local machine; the user must be logged in

named pipe - the absolute path of a FIFO created beforehand with the mkfifo command. Note that logs cannot be forwarded to a script with the "|/var/xxx.sh" form.

5. example

*.info;mail.none;news.none;authpriv.none;cron.none   /var/log/messages
# Write all messages at info and above, except mail, news, authorization, and scheduled-task messages, to the messages file.

mail,news.=info   /var/adm/info
# Write only info-level mail and news messages to the info file; nothing else.

mail.*;mail.!=info   /var/adm/mail
# Write all mail messages except info-level ones to the mail file.

mail.=info   /dev/tty12
# Send only info-level mail messages to the tty12 terminal device.

*.alert   root,joey
# If the users root and joey are logged in, notify them of all alert-level messages.

*.*   @finlandia
# Send every message to the host finlandia (its IP address is resolved through /etc/hosts or DNS).

Note that each message is tested against every rule; there is no single best match. That is, a mail.=info message passing through the rules above is delivered to /var/adm/info, /var/adm/mail, /dev/tty12, and even the finlandia host. This looks redundant, but it guarantees that the information is complete and can be analyzed in different places.
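The rule semantics described above (selectors joined with ";", the "=", "!" and none modifiers, a level including all higher ones, and every message being tested against every rule) as an added, runnable illustration that is not part of the original article: a small Python evaluator that reads the example configuration and reports which actions receive a given facility.level message. The configuration text is the article's own example reproduced as a constructed sample; the function names are my own.

```python
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning", "security": "auth"}

# Constructed sample: the article's own example rules with the spacing fixed.
SAMPLE_CONF = """\
*.info;mail.none;news.none;authpriv.none;cron.none   /var/log/messages
mail,news.=info     /var/adm/info
mail.*;mail.!=info  /var/adm/mail
mail.=info          /dev/tty12
*.alert             root,joey
*.*                 @finlandia
"""

def parse_conf(text):
    """Return [(selectors, action)]; a selector is (facility, modifiers, level)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):       # comments and blank lines
            continue
        selector_field, action = line.split(None, 1)
        selectors = []
        for sel in selector_field.split(";"):      # ";" joins several selectors
            facs, lvl = sel.rsplit(".", 1)
            mods, lvl = lvl[:len(lvl) - len(lvl.lstrip("!="))], lvl.lstrip("!=")
            for fac in facs.split(","):            # "," joins several facilities
                selectors.append((ALIASES.get(fac, fac), mods, ALIASES.get(lvl, lvl)))
        rules.append((selectors, action))
    return rules

def rule_levels(selectors, facility):
    """Levels of `facility` a rule accepts; selectors apply left to right as in syslogd."""
    enabled = set()
    for fac, mods, lvl in selectors:
        if fac not in ("*", facility):
            continue
        if lvl in ("*", "none"):                   # whole range; "none" removes it
            affected = set(LEVELS)
        elif "=" in mods:                          # "=" means exactly this level
            affected = {lvl}
        else:                                      # a level includes all higher ones
            affected = set(LEVELS[LEVELS.index(lvl):])
        remove = "!" in mods or lvl == "none"      # "!" (and "none") subtract
        enabled = enabled - affected if remove else enabled | affected
    return enabled

def actions_for(conf_text, facility, level):
    """Every action that receives a facility.level message: all rules are tested."""
    level = ALIASES.get(level, level)
    return [act for sels, act in parse_conf(conf_text) if level in rule_levels(sels, facility)]
```

For example, actions_for(SAMPLE_CONF, "mail", "info") returns ['/var/adm/info', '/dev/tty12', '@finlandia']: the mail.!=info selector keeps info-level mail out of /var/adm/mail, as the comment on that rule says, while kern.crit reaches /var/log/messages and finlandia.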
