Log system on Linux
Syslog
Syslog-ng: Open Source
Log system: Syslog ()
A:
B:
D:
Syslog Service Process:
SYSLOGD: System, non-kernel generated information
KLOGD: Kernel, specifically responsible for recording the log information generated by the kernel
Kernel --> physical terminal (/dev/console) --> /var/log/dmesg
# dmesg
# cat /var/log/dmesg
/sbin/init
/var/log/messages: the standard system log: non-kernel boot messages and the messages produced by the various subsystems; the volume is large, so the file has to be rotated
/var/log/maillog: log messages produced by the mail system
/var/log/secure: login and authentication related messages (the authpriv facility)
Logs need to be rotated (log cutting):
messages  messages.1  messages.2  messages.3
Syslog:
Syslogd
Klogd
Configuration file:/etc/syslog.conf
[root@localhost ~]# chkconfig --list syslog
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@localhost ~]# service syslog status
syslogd (pid 3885) is running...
klogd (pid 3888) is running...
[root@localhost ~]#
[root@localhost ~]# cat /etc/logrotate.conf     (defines how logs are rotated)
# see "man logrotate" for details
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs (number of rotated copies kept)
rotate 4
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
#compress
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    minsize 1M
    create 0664 root utmp
    rotate 1
}
/var/log/btmp {
    missingok
    monthly
    minsize 1M
    create 0600 root utmp
    rotate 1
}
# system-specific logs may also be configured here.
[root@localhost ~]# cd /etc/logrotate.d/
[root@localhost logrotate.d]# ls
acpid  conman  cups  iscsiuiolog  mgetty  ppp  psacct  rpm  subscription-manager  syslog  up2date  wpa_supplicant  yum
[root@localhost logrotate.d]# cat yum
/var/log/yum.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}
[root@localhost logrotate.d]# cat cups
/var/log/cups/*_log {
    missingok
    notifempty
    sharedscripts
}
[root@localhost logrotate.d]#
[root@localhost logrotate.d]# tail /var/log/secure     (login related log)
Mar 07:50:14 localhost sshd[4212]: Received signal 15; terminating.
Mar 07:50:14 localhost sshd[4587]: Exiting on signal 15
Mar 07:50:14 localhost sshd[4587]: pam_unix(sshd:session): session closed for user root
Mar 06:35:05 localhost sshd[4212]: Server listening on :: port 22.
Mar 06:35:05 localhost sshd[4212]: Server listening on 0.0.0.0 port 22.
Mar 06:39:34 localhost sshd[4607]: Address 192.168.1.18 maps to localhost, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Mar 06:39:34 localhost sshd[4607]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.18  user=root
Mar 06:39:36 localhost sshd[4607]: Failed password for root from 192.168.1.18 port 6506 ssh2
Mar 06:39:37 localhost sshd[4607]: Accepted password for root from 192.168.1.18 port 6506 ssh2
Mar 06:39:37 localhost sshd[4607]: pam_unix(sshd:session): session opened for user root by (uid=0)
[root@localhost logrotate.d]#
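The sshd lines in /var/log/secure are the raw material for spotting password guessing: a burst of "Failed password" lines from one address, or a "Failed" followed by an "Accepted" from the same address, is what a reviewer looks for. The following Python is an added example, not part of the original notes; it parses constructed sample lines in the same format as the excerpt above (the addresses, PIDs and times are made up) and summarizes authentication outcomes per source address.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/secure lines in the same format as the excerpt above
# (hostnames, PIDs, times and addresses are made up for the example).
SAMPLE_SECURE = """\
Mar 10 06:39:34 localhost sshd[4607]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.18  user=root
Mar 10 06:39:36 localhost sshd[4607]: Failed password for root from 192.168.1.18 port 6506 ssh2
Mar 10 06:39:37 localhost sshd[4607]: Accepted password for root from 192.168.1.18 port 6506 ssh2
Mar 10 06:41:02 localhost sshd[4702]: Failed password for invalid user admin from 192.168.1.77 port 51234 ssh2
Mar 10 06:41:05 localhost sshd[4702]: Failed password for invalid user admin from 192.168.1.77 port 51235 ssh2
Mar 10 06:41:09 localhost sshd[4702]: Failed password for root from 192.168.1.77 port 51236 ssh2
Mar 10 06:50:00 localhost sshd[4212]: Server listening on 0.0.0.0 port 22.
"""

# sshd's "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n> ssh2" lines
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_events(text):
    """Yield one dict per authentication outcome line, in log order."""
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            yield {
                "result": m.group("result"),
                "method": m.group("method"),
                "user": m.group("user"),
                "invalid_user": bool(m.group("invalid")),
                "ip": m.group("ip"),
            }


def summarize_by_source(text):
    """Per source address: number of failures, accepts and the usernames tried."""
    summary = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set()})
    for ev in parse_auth_events(text):
        entry = summary[ev["ip"]]
        entry["failed" if ev["result"] == "Failed" else "accepted"] += 1
        entry["users"].add(ev["user"])
    return dict(summary)


def brute_force_sources(text, threshold=3):
    """Addresses with at least `threshold` failed logins (sorted)."""
    return sorted(ip for ip, e in summarize_by_source(text).items()
                  if e["failed"] >= threshold)


def success_after_failure(text):
    """Addresses that failed at least once and were then accepted: worth a second look."""
    seen_failure, flagged = set(), []
    for ev in parse_auth_events(text):
        if ev["result"] == "Failed":
            seen_failure.add(ev["ip"])
        elif ev["ip"] in seen_failure and ev["ip"] not in flagged:
            flagged.append(ev["ip"])
    return flagged


if __name__ == "__main__":
    for ip, e in sorted(summarize_by_source(SAMPLE_SECURE).items()):
        print(f"{ip}: failed={e['failed']} accepted={e['accepted']} users={sorted(e['users'])}")
    print("brute force candidates:", brute_force_sources(SAMPLE_SECURE))
    print("success after failures:", success_after_failure(SAMPLE_SECURE))
```

On a real host the same functions can be fed the output of `tail /var/log/secure`; the threshold of 3 is an arbitrary choice for the example, not a value from the notes.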
Log information sources:
The configuration file entry format is: facility.priority action
facility is the source of the log (the subsystem or device that produced it); the facilities are:
auth              # authentication related
authpriv          # permissions and authorization related (private authentication messages)
cron              # scheduled tasks
daemon            # daemons
kern              # kernel
lpr               # printing
mail              # mail system
mark              # the periodic MARK timestamp lines written by syslogd itself
news              # Usenet news system
security          # security related; an older alias for auth
syslog            # syslogd's own messages
user              # user processes
uucp              # UNIX-to-UNIX copy
local0 to local7  # reserved for local (user-defined) use
*                 # all facilities
priority is the log level; the levels, from low to high, are:
debug          # debugging information from a program or the system
info           # general informational messages
notice         # normal but significant condition that should be noted
warning/warn   # conditions that may affect system functionality and that the user should be alerted to
err/error      # error conditions
crit           # critical conditions
alert          # action must be taken immediately
emerg/panic    # the system is unusable
*              # all levels
none           # the opposite of *: no level at all
action is where the log record goes:
absolute path      # a regular file, e.g. /var/log/xxx
|command           # a pipe: the message is handed to another command for processing
terminal           # a terminal, e.g. /dev/console
@HOST              # a remote host, e.g. @10.0.0.1
USER               # a logged-in system user, e.g. root
*                  # every user logged in on the system; emerg-level logs are normally sent like this
Examples:
mail.info  /var/log/mail.log   # mail related, level info and above, recorded in /var/log/mail.log
auth.=info @10.0.0.1           # auth related, exactly level info, sent to host 10.0.0.1
                               # (10.0.0.1 must itself be configured to receive log messages from other hosts: syslogd -r, see /etc/sysconfig/syslog below)
user.!=error                   # user related messages, excluding exactly the error level
user.!error                    # the opposite of user.error: user related messages below the error level
*.info                         # all facilities, level info and above
mail.*                         # mail related, all levels
*.*                            # everything: all facilities, all levels
cron.info;mail.info            # several selectors are separated by ";"
cron,mail.info                 # same meaning as cron.info;mail.info: facilities separated by "," share one priority
mail.*;mail.!=info             # all mail related levels, but not the info level
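Whether a given message is written by a selector line is decided by evaluating the parts left to right, each part granting or (with "!" or "none") revoking levels for its facilities. The following Python is an added example, not code from the notes or from sysklogd; it models that evaluation for the selector forms listed above so the examples can be checked against messages. One caveat it makes explicit: a "!" form only removes what earlier parts of the same line granted, so `user.!=error` on its own matches nothing, and is meaningful as e.g. `user.*;user.!=error`.

```python
# Facility and priority codes as used by syslog(3); "security" is an old alias for auth
# and "mark" is the facility of syslogd's own periodic MARK lines.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "security": 4,
    "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10,
    "ftp": 11, "mark": 24,
    **{f"local{i}": 16 + i for i in range(8)},
}
# Numerically, 0 (emerg) is the most severe and 7 (debug) the least.
PRIORITIES = {
    "emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
    "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7,
}
ALL_PRIORITIES = frozenset(range(8))


def parse_selector(selector):
    """Map each facility code to the set of priority codes the selector accepts.

    Parts are applied left to right:
      fac.pri    grant pri and everything more severe
      fac.=pri   grant exactly pri
      fac.!pri   revoke pri and everything more severe
      fac.!=pri  revoke exactly pri
      fac.none   revoke everything from fac
      fac.*      grant every level; "*" as facility means every facility
    A "!" form only removes what earlier parts of the same line granted.
    """
    mask = {}
    for part in selector.split(";"):
        part = part.strip()
        if not part:
            continue
        facs, dot, pri = part.rpartition(".")
        if not dot:
            raise ValueError(f"selector {part!r} has no '.'")
        revoke = pri.startswith("!")
        if revoke:
            pri = pri[1:]
        exact = pri.startswith("=")
        if exact:
            pri = pri[1:]
        if facs == "*":
            codes = set(FACILITIES.values())
        else:
            codes = {FACILITIES[f.strip()] for f in facs.split(",")}
        if pri == "none":
            affected, revoke = ALL_PRIORITIES, True
        elif pri == "*":
            affected = ALL_PRIORITIES
        elif exact:
            affected = {PRIORITIES[pri]}
        else:
            affected = set(range(PRIORITIES[pri] + 1))  # pri and everything more severe
        for code in codes:
            current = mask.setdefault(code, set())
            if revoke:
                current.difference_update(affected)
            else:
                current.update(affected)
    return mask


def matches(selector, facility, priority):
    """Would a message of (facility, priority) be logged by this selector line?"""
    mask = parse_selector(selector)
    return PRIORITIES[priority] in mask.get(FACILITIES[facility], set())


if __name__ == "__main__":
    line = "*.info;mail.none;authpriv.none;cron.none"
    for fac, pri in [("kern", "info"), ("kern", "debug"), ("mail", "emerg"), ("user", "err")]:
        print(f"{line!r} {fac}.{pri}: {matches(line, fac, pri)}")
```

`matches()` takes the selector column only; the action column (file, pipe, host, user) is what the matching message is then delivered to.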
[root@localhost ~]# cat /etc/syslog.conf     (how the system log is defined)
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages    (everything except mail, authpriv and cron is saved to /var/log/messages)
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog    (the leading "-" means asynchronous writing: buffered in memory first, not flushed to disk after every message)
# Log cron stuff
cron.*                                                  /var/log/cron
# Everybody gets emergency messages
*.emerg                                                 *    (notify all logged-in users)
# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler
# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
[root@localhost ~]#
Custom collection of log information
[root@localhost ~]# vim /etc/syslog.conf
[root@localhost ~]# service syslog reload     (re-reads the config file without restarting the service)
Reloading syslogd ...                                      [  OK  ]
Reloading klogd ...                                        [  OK  ]
[root@localhost ~]# cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog
# Log cron stuff
cron.info                                               /var/log/cron
# Everybody gets emergency messages
*.emerg                                                 *
# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler
# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
[root@localhost ~]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages received with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"     (only -r needs to be added: it turns this host into a log server that receives the logs other hosts send to it)
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"
#
SYSLOG_UMASK=077
# set this to a umask value to use for all log files as in umask(1).
# By default, all permissions are removed for "group" and "other".
[root@localhost ~]# service syslog reload     (the options in this file are daemon command-line flags, so they only take effect after a restart of the syslog service; a reload merely re-reads syslog.conf)
Reloading syslogd ...                                      [  OK  ]
Reloading klogd ...                                        [  OK  ]
[root@localhost ~]#
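With `-r` the log server accepts datagrams on UDP port 514 from other hosts, and a `@HOST` action on a client sends its messages there. What travels on the wire is a BSD-syslog (RFC 3164) datagram: `<PRI>` followed by timestamp, hostname and message, where PRI = facility * 8 + severity, so the facility.priority selectors above can be applied on the receiving side. The following Python is an added example, not code from the notes or from sysklogd: it builds such a datagram, decodes it, and sends it over loopback to a receiver it binds on an ephemeral port (a real syslogd -r would listen on 514/udp, which needs root). The sample message, host and time are constructed for the example.

```python
import datetime
import re
import socket

FACILITY_CODES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
                  "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
                  **{f"local{i}": 16 + i for i in range(8)}}
SEVERITY_CODES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
                  "notice": 5, "info": 6, "debug": 7}

# Constructed sample time for the demo message (not from the notes)
SAMPLE_TIME = datetime.datetime(2024, 3, 10, 6, 39, 37)


def build_packet(facility, severity, hostname, tag, content, when):
    """Encode one BSD-syslog (RFC 3164) datagram: <PRI>TIMESTAMP HOSTNAME TAG: CONTENT."""
    pri = FACILITY_CODES[facility] * 8 + SEVERITY_CODES[severity]
    # RFC 3164 timestamp: "Mmm dd hh:mm:ss", with the day of month padded with a space
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{stamp} {hostname} {tag}: {content}".encode()


PACKET_RE = re.compile(rb"<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)", re.S)


def parse_packet(data):
    """Decode a datagram back into its parts, splitting PRI into facility and severity."""
    m = PACKET_RE.match(data)
    if not m:
        raise ValueError("not an RFC 3164 syslog datagram")
    pri = int(m.group(1))
    facility_code, severity_code = divmod(pri, 8)
    facility_names = {v: k for k, v in FACILITY_CODES.items()}
    severity_names = {v: k for k, v in SEVERITY_CODES.items()}
    return {
        "pri": pri,
        "facility": facility_names.get(facility_code, facility_code),
        "severity": severity_names.get(severity_code, severity_code),
        "timestamp": m.group(2).decode(),
        "hostname": m.group(3).decode(),
        "message": m.group(4).decode(),
    }


def sample_packet():
    """The datagram a client's "authpriv.* @logserver" line would send for the sshd line above."""
    return build_packet("auth", "info", "localhost", "sshd[4607]",
                        "Accepted password for root from 192.168.1.18 port 6506 ssh2",
                        SAMPLE_TIME)


def roundtrip(packet):
    """Send `packet` over UDP to a receiver bound on loopback and return what it decoded."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", 0))   # port 0: ephemeral port, so no root needed
        rx.settimeout(2)
        tx.sendto(packet, rx.getsockname())
        data, _ = rx.recvfrom(1024)
    return parse_packet(data)


if __name__ == "__main__":
    pkt = sample_packet()
    print(pkt)
    print(roundtrip(pkt))
```

The datagram carries no authentication or integrity protection and the hostname field is whatever the sender wrote, which is why a log server reachable with `-r` should only accept traffic from the hosts it is meant to serve.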
[root@localhost ~]# cd busybox-1.20.2
[root@localhost busybox-1.20.2]# ls _install/sbin/
acpid     bootchartd  findfs       halt      ifenslave  loadkmap  man        mkfs.minix  nameif       rmmod       start-stop-daemon  sysctl   watchdog
adjtimex  depmod      freeramdisk  hdparm    ifup       logread   mdev       mkfs.vfat   pivot_root   route       sulogin            syslogd  zcip
arp       devmem      fsck         hwclock   init       losetup   mkdosfs    mkswap      poweroff     runlevel    swapoff            tunctl
blkid     fbsplash    fsck.minix   ifconfig  insmod     lsmod     mke2fs     modinfo     raidautorun  setconsole  swapon             udhcpc
blockdev  fdisk       getty        ifdown    klogd      makedevs  mkfs.ext2  modprobe    reboot       slattach    switch_root        vconfig
[root@localhost busybox-1.20.2]# ls _install/sbin/ | grep log
klogd
logread
sulogin
syslogd
[root@localhost busybox-1.20.2]#
Telnet: telnet protocol, 23/TCP
C/S
S: telnet server
C: telnet client
SSH: Secure SHell, application layer protocol, 22/TCP
Both the communication and the authentication process are encrypted; the host is authenticated
the user authentication process is encrypted
the data transfer process is encrypted
SSH v1, v2
man-in-the-middle attack (a weakness of v1)
use SSHv2
Authentication process:
password-based authentication
key-based authentication
Protocol: the specification
Implementation: server side and client
Linux: OpenSSH
C/S
server side: sshd, configuration file /etc/ssh/sshd_config
client: ssh, configuration file /etc/ssh/ssh_config
ssh-keygen: key generator
ssh-copy-id: copies the public key to a remote server
scp: secure cross-host copy tool
ssh:
ssh USERNAME@HOST
ssh -l USERNAME HOST
ssh USERNAME@HOST 'COMMAND'
scp: copies files between the local host and a remote host over the encrypted channel:
scp SRC DEST
-r    (recursive, for directories)
-a
scp USERNAME@HOST:/path/to/somefile /path/to/local
scp /path/to/local USERNAME@HOST:/path/to/somewhere
Key-based authentication:
the keys are saved in the /root/.ssh/ directory (the user's ~/.ssh/)
ssh-keygen: generates a public/private key pair
ssh-keygen -t rsa
~/.ssh/id_rsa        (private key)
~/.ssh/id_rsa.pub    (public key)
-f /path/to/key_file
-P '': the passphrase used to encrypt the private key ('' means no passphrase)
ssh-keygen -t rsa -f .ssh/id_rsa -P ''    (generate the key directly, without prompting)
.ssh/ permissions: set with chmod (sshd refuses keys in a .ssh/ or authorized_keys that is group- or world-writable)
cat id_rsa.pub >> .ssh/authorized_keys
The public key is appended to the .ssh/authorized_keys (or .ssh/authorized_keys2) file in the user's home directory on the remote host.
ssh-copy-id
-i ~/.ssh/id_rsa.pub
ssh-copy-id -i ~/.ssh/id_rsa.pub USERNAME@HOST    (copies the public key straight to the destination host; -i names the key file to copy; not all hosts provide ssh-copy-id)
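A key that was copied correctly can still be refused because of file permissions: sshd (with its default StrictModes) ignores authorized_keys when ~/.ssh or the file is group- or world-writable or owned by someone other than the user or root, and the ssh client refuses a private key readable by anyone else. The following Python is an added example, not code from the notes or from OpenSSH; it checks those conditions the way an admin would before blaming the key, and demonstrates them on a deliberately sloppy .ssh/ created in a temporary directory (the file contents are placeholders, not real keys).

```python
import os
import stat
import tempfile


def ssh_permission_problems(ssh_dir, owner_uid=None):
    """List the conditions under which sshd (StrictModes yes, its default) or the ssh
    client would refuse to use the files in `ssh_dir`.  Owner defaults to the caller."""
    owner_uid = os.getuid() if owner_uid is None else owner_uid
    problems = []

    def check(path, deny_bits, what, required):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            if required:
                problems.append(f"{path}: missing")
            return
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid not in (owner_uid, 0):
            problems.append(f"{path}: owned by uid {st.st_uid}, not the user or root")
        if mode & deny_bits:
            problems.append(f"{path}: {what} (mode {mode:04o})")

    # sshd: ~/.ssh and authorized_keys must not be writable by group or others
    group_other_write = stat.S_IWGRP | stat.S_IWOTH
    check(ssh_dir, group_other_write, "writable by group or others", required=True)
    check(os.path.join(ssh_dir, "authorized_keys"), group_other_write,
          "writable by group or others", required=True)
    # ssh client: a private key readable by anyone else is rejected as unprotected
    check(os.path.join(ssh_dir, "id_rsa"), 0o077,
          "private key accessible to group or others", required=False)
    return problems


def demo():
    """Create a deliberately sloppy .ssh/ in a temp dir, count problems, fix it, recount."""
    with tempfile.TemporaryDirectory() as home:
        ssh_dir = os.path.join(home, ".ssh")
        os.mkdir(ssh_dir)
        for name in ("authorized_keys", "id_rsa"):
            with open(os.path.join(ssh_dir, name), "w") as f:
                f.write("# placeholder content for the example, not a real key\n")
        os.chmod(ssh_dir, 0o777)
        os.chmod(os.path.join(ssh_dir, "authorized_keys"), 0o666)
        os.chmod(os.path.join(ssh_dir, "id_rsa"), 0o644)
        before = ssh_permission_problems(ssh_dir)
        # the usual fix: chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys ~/.ssh/id_rsa
        os.chmod(ssh_dir, 0o700)
        os.chmod(os.path.join(ssh_dir, "authorized_keys"), 0o600)
        os.chmod(os.path.join(ssh_dir, "id_rsa"), 0o600)
        after = ssh_permission_problems(ssh_dir)
        return len(before), len(after)


if __name__ == "__main__":
    print("problems before/after fixing permissions:", demo())
    print(ssh_permission_problems(os.path.expanduser("~/.ssh")))
```

sshd's real check also covers the user's home directory itself; the example limits itself to the directory and the two files the notes mention.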
Dropbear: SSH server and client tools for embedded systems
server side: dropbear
key tool: dropbearkey
client: dbclient
Dropbear uses nsswitch for name resolution by default
/etc/nsswitch.conf
/lib/libnss_files*
/usr/lib/libnss3.so
/usr/lib/libnss_files*
At user login Dropbear checks whether the user's default shell is one of the system's valid login shells
/etc/shells
Host key default location:
/etc/dropbear/
RSA: dropbear_rsa_host_key
    variable length, any multiple of 8; the default is 1024
DSS: dropbear_dss_host_key
    fixed length, the default is 1024
dropbearkey
-t rsa|dss
-f /path/to/key_file
-s SIZE
Linux-syslog,ssh,ssh-keygen,dropbear