There are three main logging subsystems in the Linux operating system:
(1) Connection time log
(2) Process statistics log
(3) System and service logs
The connection time log and the process statistics log are driven by the rsyslog (legacy syslog) log service, while the system and service logs are driven and managed by the corresponding network service.
Connection Time Log
The connection time log is recorded in two files, /var/run/utmp and /var/log/wtmp, which the system updates automatically. These two files cannot be viewed with the cat command, but they can be read with commands such as w, who, ac, finger, last and lastlog. (The field definitions for /var/run/utmp are in /usr/include/utmp.h, which is worth studying carefully.)
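Why cat is no use here: the files are a sequence of fixed-size binary records. The following added example (not part of the original article) decodes such records and filters them the way who does by default. It assumes the 384-byte glibc struct utmp layout used on x86-64 Linux; the helper names and the sample bytes are constructed for the illustration.

```python
import struct
from datetime import datetime, timezone

# Assumed layout: glibc struct utmp on x86-64 Linux, 384 bytes per record:
# type, pad, pid, line, id, user, host, exit(2), session, tv_sec, tv_usec, addr, unused
UTMP = struct.Struct("<h2xi32s4s32s256shhiii16s20s")
UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 5: "INIT_PROCESS",
            6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}

def _s(raw):
    """Decode a fixed-width, NUL-padded char field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_utmp(data):
    """Yield one dict per complete record; a trailing partial record is skipped."""
    usable = len(data) - len(data) % UTMP.size
    for off in range(0, usable, UTMP.size):
        (typ, pid, line, _id, user, host, _term, _exit,
         _sess, sec, _usec, _addr, _pad) = UTMP.unpack_from(data, off)
        yield {"type": UT_TYPES.get(typ, str(typ)), "pid": pid,
               "line": _s(line), "user": _s(user), "host": _s(host),
               "time": datetime.fromtimestamp(sec, tz=timezone.utc)}

def logged_in(records):
    """The subset that who prints by default: USER_PROCESS entries."""
    return [r for r in records if r["type"] == "USER_PROCESS"]

def make_record(typ, pid, line, user, host, sec):
    """Build a constructed record for the demo (not read from a real host)."""
    return UTMP.pack(typ, pid, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, sec, 0, bytes(16), bytes(20))

# Constructed sample: a boot record, one SSH session, one ended session.
SAMPLE = (make_record(2, 0, "~", "reboot", "2.6.32-431.23.3.", 1424822400)
          + make_record(7, 4242, "pts/1", "yucz", "116.6.101.193", 1424898960)
          + make_record(8, 4100, "pts/0", "", "", 1424890000)
          + b"\x07\x00")  # truncated tail, as a damaged file might have

if __name__ == "__main__":
    for r in logged_in(parse_utmp(SAMPLE)):
        print(f'{r["user"]:<8} {r["line"]:<8} {r["time"]:%Y-%m-%d %H:%M} ({r["host"]})')
```

To try it on a real host, pass the bytes of /var/run/utmp or /var/log/wtmp to parse_utmp instead of SAMPLE; times are shown in UTC.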
The w, who, ac and finger commands primarily read the information in the /var/run/utmp file; see the following examples.
(1) w command
# w -help
w: invalid option -- 'e'
usage: w -hlsufV [user]
    -h    skip header
    -l    long listing (default)
    -s    short listing
    -u    ignore uid of processes
    -f    toggle FROM field (default on)
    -V    display version
# w
 21:48:53 up 36 days, 18:04,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
yucz     pts/1    116.6.101.193    21:16    0.00s  0.01s  0.00s sshd: yucz [priv]
(2) The who command displays the currently logged-in users
# who --help
Usage: who [OPTION]... [ FILE | ARG1 ARG2 ]
Print information about users who are currently logged in.
  -a, --all         same as -b -d --login -p -r -t -T -u
  -b, --boot        time of last system boot
  -d, --dead        print dead processes
  -H, --heading     print line of column headings
  -l, --login       print system login processes
      --lookup      attempt to canonicalize hostnames via DNS
  -m                only hostname and user associated with stdin
  -p, --process     print active processes spawned by init
  -q, --count       all login names and number of users logged on
  -r, --runlevel    print current runlevel
  -s, --short       print only name, line, and time (default)
  -t, --time        print last system clock change
  -T, -w, --mesg    add user's message status as +, - or ?
  -u, --users       list users logged in
      --message     same as -T
      --writable    same as -T
      --help        display this help and exit
      --version     output version information and exit
# who
yucz     pts/1        2015-02-25 21:16 (116.6.101.193)
(3) The ac command displays user connection time
# ac --help
Usage: ac [-dhpVy] [-f <file>] [people] ...
# ac -d root
Aug 8   total 0.00
Aug one total 5.62
Aug     total 2.21
Aug 7.74
(4) The finger command displays the user's connection status and other information
# finger root
Login: root                             Name: root
Directory: /root                        Shell: /bin/bash
Last login Wed 03:26 (CDT) on pts/4 from 116.6.101.193
No mail.
No Plan.
The lastb, lastlog and last commands primarily read the information in the /var/log/btmp file; see the following examples.
(1) The last command shows the login history of users on the local machine, as well as system boot and reboot records.
# last | tail -10
root     pts/0        116.6.101.193    Tue Aug 12 04:42 - down   (00:49)
root     pts/1        116.6.101.193    Mon Aug 11 21:05 - 23:19  (02:14)
root     pts/1        116.6.101.193    Mon Aug 11 21:02 - 21:04  (00:02)
root     pts/0        116.6.101.193    Mon Aug 11 20:39 - 00:58  (04:19)
reboot   system boot  2.6.32-431.23.3. Fri Aug  8 04:11 - 05:31 (4+01:20)
root     pts/0        10.0.80.185      Fri Aug  8 04:08 - 04:09  (00:00)
reboot   system boot  2.6.32-431.23.3. Fri Aug  8 04:08 - 04:09  (00:01)
reboot   system boot  2.6.32-431.el6.x Thu Aug  7 23:01 - 04:06  (05:05)
(2) The lastlog command shows each user's most recent login to the system
# lastlog -h
Usage: lastlog [options]
Options:
  -b, --before DAYS    print only lastlog records older than DAYS
  -h, --help           display this help message and exit
  -t, --time DAYS      print only lastlog records more recent than DAYS
  -u, --user LOGIN     print lastlog record of the specified LOGIN
# lastlog -u root
Username         Port     From             Latest
root             pts/4    116.6.101.193    Wed Aug 13 03:26:29 -0500 2014
(3) The lastb command mainly displays login failures
# lastb
yucz     ssh:notty    116.6.101.193    Wed Feb 25 21:16 - 21:16  (00:00)
yucz     ssh:notty    116.6.101.193    Thu Feb 12 00:49 - 00:49  (00:00)
yucz     ssh:notty    116.6.101.193    Mon Feb  9 02:29 - 02:29  (00:00)
yucz     ssh:notty    184.173.65.76    Fri Feb  6 03:52 - 03:52  (00:00)
yucz     ssh:notty    184.173.65.76    Fri Feb  6 03:51 - 03:51  (00:00)
yucz     ssh:notty    116.6.101.193    Wed Feb  4 03:33 - 03:33  (00:00)
This article is from the "Margin with Wish" blog, please be sure to keep this source http://281816327.blog.51cto.com/907015/1615459
Linux System Log Management: (1) Connection time log