Linux System Log Management (redhat)


I. Functions of Linux system logs

Logs are an essential component of any operating system, application, or service process. Log files play a major role in system and network security, as well as in auditing, tracking, and troubleshooting.

Log files can be used to monitor system and network security risks and to reconstruct the route an intruder took into the system.

II. Log Classification

1. Connection time logs

Connection time logs are kept in the files /var/log/wtmp and /var/run/utmp.

These two files are binary, so they cannot be read directly with cat; the system updates them automatically. View them with the following commands:

w / who / finger / id / last / lastlog / ac

[root@51cto ~]# who

root tty1

root pts/0 (218.192.87.4)

root pts/1 (218.192.87.4)

root pts/3 2010-10-06 (218.192.87.4)

[root@51cto ~]# w

01:01:02 up, 4 users, load average: 0.15, 0.03, 0.01

USER tty FROM LOGIN@ IDLE JCPU PCPU WHAT

root tty1 - 1:20m 0.16s 0.16s -bash

root pts/0 218.192.87.4 2:05m 0.18s 0.18s -bash

root pts/1 218.192.87.4 41 0.00s 0.41s 0.00s w

root pts/3 218.192.87.4 1:38m 0.03s 0.03s -bash

[root@51cto ~]# ac -p // view the connection time of each user

u51 1.23

u55 0.04

root 95.21 // root has the longest connection time

51ctos 0.06

user1 3.93

total 100.48

[root@51cto ~]# ac -a // view the connection time of all users

total 100.49

[root@51cto ~]# ac -d // view the connection time per day

Sep 24 total 0.14

Sep 25 total 14.60

Sep 26 total 13.71

Sep 27 total 21.47

Sep 28 total 11.74

Sep 29 total 6.60

Sep 30 total 8.81

Oct 1 total 9.04

Oct 2 total 0.47 // you can see that I was away on October 3, 4 and 5 for the National Day holiday

Oct 6 total 8.62

Today total 5.29

The other commands are not described in detail here.
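Because wtmp and utmp are binary, the text above can only show what the front-end tools print. The following added example (not from the original article) parses raw wtmp records directly and totals per-user connection time the way `ac -p` does. It assumes the glibc `struct utmp` layout on x86_64 Linux (384-byte, little-endian records); the sample records are constructed inline with the same packer, so the script runs without access to /var/log/wtmp.

```python
"""Parse utmp/wtmp records and total per-user connection time like `ac -p`.

Added example, not from the original article. Assumes the glibc <utmp.h>
layout on x86_64 Linux; other libcs and architectures use different sizes.
"""
import struct
from collections import defaultdict

# ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit (2 shorts), ut_session, ut_tv (sec, usec), ut_addr_v6[16], reserved[20]
UTMP_FMT = "<hxxi32s4s32s256shhi2i16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384 bytes per record
USER_PROCESS, DEAD_PROCESS = 7, 8       # ut_type values from <utmp.h>


def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one raw utmp record (used here only to construct sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, b"")


def _cstr(field):
    """Decode a NUL-terminated fixed-width char array."""
    return field.split(b"\0", 1)[0].decode(errors="replace")


def iter_records(raw):
    """Yield (ut_type, pid, line, user, host, tv_sec) for each whole record."""
    usable = len(raw) - len(raw) % UTMP_SIZE
    for off in range(0, usable, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, raw, off)
        yield f[0], f[1], _cstr(f[2]), _cstr(f[4]), _cstr(f[5]), f[9]


def connect_hours(raw, now):
    """Sum login-session length per user, in hours.

    A USER_PROCESS record opens a session on its tty line; the next
    DEAD_PROCESS record on the same line closes it. Sessions that are
    still open are counted up to `now`, as ac does for logged-in users.
    """
    open_sessions = {}          # tty line -> (user, login time)
    hours = defaultdict(float)
    for ut_type, _pid, line, user, _host, tv_sec in iter_records(raw):
        if ut_type == USER_PROCESS:
            open_sessions[line] = (user, tv_sec)
        elif ut_type == DEAD_PROCESS and line in open_sessions:
            user, start = open_sessions.pop(line)
            hours[user] += (tv_sec - start) / 3600
    for user, start in open_sessions.values():
        hours[user] += (now - start) / 3600
    return dict(hours)


# Constructed sample data: two completed sessions and one still open.
SAMPLE_WTMP = b"".join([
    pack_record(USER_PROCESS, 101, "pts/0", "root", "218.192.87.4", 1000),
    pack_record(USER_PROCESS, 102, "pts/1", "user1", "218.192.87.4", 2000),
    pack_record(DEAD_PROCESS, 102, "pts/1", "", "", 3800),   # user1 logs out after 0.5 h
    pack_record(DEAD_PROCESS, 101, "pts/0", "", "", 4600),   # root logs out after 1 h
    pack_record(USER_PROCESS, 103, "pts/2", "root", "218.192.87.4", 5000),  # still logged in
])

if __name__ == "__main__":
    # On a real host: raw = open("/var/log/wtmp", "rb").read(); now = time.time()
    for user, h in sorted(connect_hours(SAMPLE_WTMP, now=8600).items()):
        print(f"{user:<8}{h:6.2f}")
```

The trailing records of a rotated or truncated wtmp are ignored rather than misparsed, which is why `iter_records` only walks whole records; a DEAD_PROCESS entry whose line was never opened is skipped for the same reason.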

2. Process accounting logs

Process accounting logs are very effective for auditing the commands users run. If a server is repeatedly found shut down or files are deleted for no apparent reason, the process accounting log shows what was executed:

[root@51cto ~]# accton /var/account/pacct // enable process accounting

[root@51cto ~]# lastcomm // view the process accounting log

accton S root pts/1 0.00 secs Thu Oct 7

accton root pts/1 0.00 secs Thu Oct 7

ac root pts/1 0.00 secs Thu Oct 7

ac root pts/1 0.00 secs Thu Oct 7

free root pts/1 0.00 secs Thu Oct 7

lastcomm root pts/1 0.00 secs Thu Oct 7

bash F root pts/1 0.00 secs Thu Oct 7

lastcomm root pts/1 0.00 secs Thu Oct 7

ifconfig root pts/1 0.00 secs Thu Oct 7

lastcomm root pts/1 0.00 secs Thu Oct 7

lastcomm root pts/1 0.00 secs Thu Oct 7

lastcomm root pts/1 0.00 secs Thu Oct 7

accton S root pts/1 0.00 secs Thu Oct 7

[root@51cto ~]# accton // disable process accounting
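Reading lastcomm output by eye works for a short session, but the use case above (finding who issued a shutdown or deleted files) is a filter. The following added example, not from the original article, parses lastcomm-style lines and reports watched commands. The sample lines are constructed to match the format shown above; the assumed columns are command, optional flag letters (S run as superuser, F forked without exec, D dumped core, X killed by a signal), user, tty, CPU seconds, and start time.

```python
"""Scan lastcomm-style process accounting output for commands of interest.

Added example, not part of the original article. SAMPLE_LINES are constructed.
"""
import re

LASTCOMM_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?:(?P<flags>[SFDX]+)\s+)?(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<secs>[\d.]+) secs\s+(?P<when>.+)$")

# Constructed sample in the layout lastcomm prints.
SAMPLE_LINES = """\
accton     S   root     pts/1      0.00 secs Thu Oct  7 09:58
ac             root     pts/1      0.00 secs Thu Oct  7 09:58
free           root     pts/1      0.00 secs Thu Oct  7 09:59
bash       F   root     pts/1      0.00 secs Thu Oct  7 09:59
rm             user1    pts/3      0.01 secs Thu Oct  7 10:02
shutdown   S   user1    pts/3      0.00 secs Thu Oct  7 10:03
lastcomm       root     pts/1      0.00 secs Thu Oct  7 10:05
""".splitlines()

# Commands tied to the symptoms the article names: unexplained shutdowns
# and file deletion. Extend the set for your own environment.
WATCHLIST = {"shutdown", "halt", "reboot", "rm", "shred"}


def parse_lastcomm(lines):
    """Return one dict per parseable line; unparseable lines are skipped."""
    records = []
    for line in lines:
        m = LASTCOMM_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["flags"] = rec["flags"] or ""
        rec["secs"] = float(rec["secs"])
        records.append(rec)
    return records


def suspicious(records, watchlist=WATCHLIST):
    """(cmd, user, tty, when) for watched commands, and for any command a
    non-root user ran with the S flag (executed with superuser privileges)."""
    hits = []
    for r in records:
        if r["cmd"] in watchlist or ("S" in r["flags"] and r["user"] != "root"):
            hits.append((r["cmd"], r["user"], r["tty"], r["when"]))
    return hits


if __name__ == "__main__":
    # On a real host: lines = subprocess.run(["lastcomm"], capture_output=True, text=True).stdout.splitlines()
    for cmd, user, tty, when in suspicious(parse_lastcomm(SAMPLE_LINES)):
        print(f"{when}  {user:<8} {tty:<6} {cmd}")
```

The flag column is optional in lastcomm output, so the regex makes it optional too; a username that happens to consist only of the letters S, F, D and X would be misread as flags, which is the one ambiguity of this text format.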

3. System and service logs

System logging is handled by a service named syslog. Examples of log files driven by the syslog service:

/var/log/lastlog: records the time of each user's last successful login and the login IP address.

/var/log/messages: records common system and service messages of the Linux operating system.

/var/log/secure: the Linux security log, which records user and group changes and user login authentication.

/var/log/btmp: records the users, times, and remote IP addresses of failed Linux logins.

/var/log/cron: records the execution of crond scheduled tasks.

......

[root@51cto ~]# cat /var/log/lastlog // binary file: cat shows only readable fragments; the lastlog command prints it properly

Lpts/0218.192.87.4

Lpts/1218.192.87.4

Lpts/1218.192.87.4

Lpts/0218.192.87.46

Lpts/0218.192.87.4

......

III. Introduction to the Linux Log Service

1. On Linux, most logs are driven and managed by the syslog service.

It is controlled by its configuration files: the main configuration file /etc/syslog.conf and /etc/sysconfig/syslog; /etc/init.d/syslog is the startup script. Here we discuss the main configuration file /etc/syslog.conf:

/etc/syslog.conf statement structure:

[root@51cto ~]# grep -v "#" /etc/syslog.conf // list the lines that are not comments

*.info;mail.none;authpriv.none;cron.none    /var/log/messages

authpriv.*    /var/log/secure

mail.*    -/var/log/maillog

cron.*    /var/log/cron

*.emerg    *

uucp,news.crit    /var/log/spooler

local7.*    /var/log/boot.log

selector field (message type.priority level)    action field

2. Message types (facilities): auth, authpriv, security, cron, daemon, kern, lpr, mail, mark, news, syslog, user, uucp, local0 to local7.

Priority levels (8): debug, info, notice, warning|warn, err|error, crit, alert, emerg|panic

Action field: a file, a user, the console, or @remote_ip (a remote log host)

Three examples from the /etc/syslog.conf file:

*.info;mail.none;authpriv.none;cron.none    /var/log/messages

sends every message of level info and above to the /var/log/messages log file, but excludes messages from the mail system, the authentication system (authpriv) and the cron scheduler at any level (none means excluded).

cron.*    /var/log/cron sends cron messages of all levels to the /var/log/cron file.

*.emerg    * sends messages of every type at the emerg level (system unusable) to all logged-in users.
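The three examples rely on rules that are easy to get wrong when writing a configuration: a priority selects that level and everything more severe, `none` on a later selector removes a facility that `*` already matched, and several lines can deliver the same message. The following added example, not from the original article, evaluates the rule set listed above against a message's facility and priority and returns every action that would receive it; it also accepts the `=` (exactly this level) and `!` (not this level or above) modifiers that classic syslogd understands, which the article does not cover.

```python
"""Evaluate /etc/syslog.conf selectors against a message's facility and priority.

Added example, not from the original article. SAMPLE_CONF reproduces the
rule set shown above; the '=' and '!' modifiers are classic syslogd syntax.
"""

# Most to least severe; a selector matches its own level and every lower index.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "mark",
              "news", "security", "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]

SAMPLE_CONF = """\
# lines starting with # are comments
*.info;mail.none;authpriv.none;cron.none        /var/log/messages
authpriv.*                                      /var/log/secure
mail.*                                          -/var/log/maillog
cron.*                                          /var/log/cron
*.emerg                                         *
uucp,news.crit                                  /var/log/spooler
local7.*                                        /var/log/boot.log
"""


def prio_index(name):
    return PRIORITIES.index(ALIASES.get(name, name))


def parse_conf(text):
    """Return [(selectors, action)]; each selector is (facilities, modifiers, priority)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector_field, action = line.split(None, 1)   # whitespace separates selector from action
        selectors = []
        for sel in selector_field.split(";"):
            fac_part, prio = sel.split(".")
            mods = ""
            while prio and prio[0] in "!=":           # e.g. "=err", "!err", "!=err"
                mods += prio[0]
                prio = prio[1:]
            facs = FACILITIES if fac_part == "*" else fac_part.split(",")
            selectors.append((facs, mods, prio))
        rules.append((selectors, action))
    return rules


def selector_matches(selector, facility, priority):
    """True/False if the selector decides this message, None if it is silent on the facility."""
    facs, mods, prio = selector
    if facility not in facs:
        return None
    if prio == "none":
        return False                                  # explicit exclusion
    if prio == "*":
        return "!" not in mods
    want, have = prio_index(prio), prio_index(priority)
    hit = have == want if "=" in mods else have <= want   # lower index = more severe
    return not hit if "!" in mods else hit


def actions_for(rules, facility, priority):
    """List the actions that receive a message with this facility and priority."""
    actions = []
    for selectors, action in rules:
        decision = None
        for sel in selectors:
            verdict = selector_matches(sel, facility, priority)
            if verdict is not None:
                decision = verdict                    # later selectors on a line override earlier ones
        if decision:
            actions.append(action)
    return actions


if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    for fac, pri in [("kern", "warning"), ("mail", "info"), ("cron", "emerg"), ("authpriv", "debug")]:
        print(f"{fac}.{pri:<8} -> {actions_for(rules, fac, pri)}")
```

Running it shows why `mail.none` matters: without it, every mail message at info or above would land in /var/log/messages as well as /var/log/maillog, and why a `cron.emerg` message still reaches all users through the `*.emerg` line even though the first line excludes cron.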
