Linux System Log Management (redhat)
I. Functions of Linux system logs
Logs are an essential component of any operating system, application, or service process. Log files play a major role in system and network security, as well as in auditing, tracking, and troubleshooting.
Log files can be used to monitor security risks to the system and the network, and to reconstruct the route an intruder took into the system.
II. Log Classification
1. Connection time log
Connection time is normally recorded in the files /var/log/wtmp and /var/run/utmp.
These two files are binary, so they cannot be read directly with cat; the system updates them automatically. View them with the following commands instead:
w / who / finger / id / last / lastlog / ac
[root@51cto ~]# who
root     tty1
root     pts/0        (218.192.87.4)
root     pts/1        (218.192.87.4)
root     pts/3        2010-10-06   (218.192.87.4)
[root@51cto ~]# w
 01:01:02 up, 4 users,  load average: 0.15, 0.03, 0.01
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1     -                          1:20m  0.16s  0.16s -bash
root     pts/0    218.192.87.4               2:05m  0.18s  0.18s -bash
root     pts/1    218.192.87.4      41       0.00s  0.41s  0.00s w
root     pts/3    218.192.87.4               1:38m  0.03s  0.03s -bash
[root@51cto ~]# ac -p          // view the connection time of each user
        u51        1.23
        u55        0.04
        root      95.21        // root has by far the longest connection time
        51ctos     0.06
        user1      3.93
        total    100.48
[root@51cto ~]# ac -a          // view the connection time of all users
        total    100.49
[root@51cto ~]# ac -d          // view the users' connection time per day
Sep 24  total        0.14
Sep 25  total       14.60
Sep 26  total       13.71
Sep 27  total       21.47
Sep 28  total       11.74
Sep 29  total        6.60
Sep 30  total        8.81
Oct  1  total        9.04
Oct  2  total        0.47     // you can see I was away for the National Day holiday on the 3rd, 4th and 5th
Oct  6  total        8.62
Today   total        5.29
The other commands are not described in detail here.
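Because wtmp and utmp are binary, it helps to see what the commands above actually read. The following is an added example, not code from the original article: it parses utmp-format records and derives the same two views the text shows, a `who`-style session list and a per-user connect time like `ac -p`. It assumes the struct utmp layout used by glibc on x86_64 (384-byte records); the sample records are constructed in the script rather than read from a real file.

```python
import struct
from collections import defaultdict

# Record layout of struct utmp as used by glibc on x86_64 (384 bytes per record).
# This layout is an assumption for the example; other architectures differ.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
USER_PROCESS, DEAD_PROCESS = 7, 8       # ut_type values for login and logout records


def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one utmp/wtmp record from constructed sample data (not read from a real file)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def parse_records(data):
    """Yield one dict per fixed-size record in a wtmp/utmp byte string."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield {
            "type": f[0],
            "pid": f[1],
            "line": f[2].rstrip(b"\0").decode(errors="replace"),
            "user": f[4].rstrip(b"\0").decode(errors="replace"),
            "host": f[5].rstrip(b"\0").decode(errors="replace"),
            "time": f[9],   # ut_tv.tv_sec, seconds since the epoch
        }


def sessions(data):
    """Pair each login (USER_PROCESS) with the logout (DEAD_PROCESS) on the same line.

    Returns (user, line, host, login_time, logout_time); logout_time is None
    for sessions that are still open, which is what `who` would list.
    """
    open_by_line = {}
    done = []
    for rec in parse_records(data):
        if rec["type"] == USER_PROCESS:
            open_by_line[rec["line"]] = rec
        elif rec["type"] == DEAD_PROCESS and rec["line"] in open_by_line:
            start = open_by_line.pop(rec["line"])
            done.append((start["user"], start["line"], start["host"],
                         start["time"], rec["time"]))
    done.extend((r["user"], r["line"], r["host"], r["time"], None)
                for r in open_by_line.values())
    return done


def connect_time(data):
    """Total connect time per user in seconds over closed sessions (`ac -p` prints this in hours)."""
    totals = defaultdict(int)
    for user, _line, _host, start, end in sessions(data):
        if end is not None:
            totals[user] += end - start
    return dict(totals)


# Constructed sample wtmp content: two complete sessions and one still open.
SAMPLE_WTMP = b"".join([
    pack_record(USER_PROCESS, 2811, "pts/0", "root", "218.192.87.4", 1000),
    pack_record(USER_PROCESS, 2902, "pts/1", "user1", "218.192.87.4", 2000),
    pack_record(DEAD_PROCESS, 2902, "pts/1", "", "", 2900),
    pack_record(DEAD_PROCESS, 2811, "pts/0", "", "", 4600),
    pack_record(USER_PROCESS, 3010, "tty1", "root", "", 5000),
])

if __name__ == "__main__":
    for s in sessions(SAMPLE_WTMP):
        print(s)
    print(connect_time(SAMPLE_WTMP))
```

Logout records carry the line but usually not the user name, which is why the pairing is done on the line field; that is also why a missing logout record (a crash or a tampered wtmp) leaves a session open, something worth checking when the `last` output looks incomplete.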
2. Process accounting logs
Process accounting (process statistics) logs are very effective for monitoring the commands users run. When a server repeatedly shows symptoms such as unexplained shutdowns or deleted files, the process accounting log can be used to find out what was executed:
[root@51cto ~]# accton /var/account/pacct     // enable process accounting
[root@51cto ~]# lastcomm                      // view the process accounting log
accton          S     root     pts/1      0.00 secs Thu Oct  7
accton                root     pts/1      0.00 secs Thu Oct  7
ac                    root     pts/1      0.00 secs Thu Oct  7
ac                    root     pts/1      0.00 secs Thu Oct  7
free                  root     pts/1      0.00 secs Thu Oct  7
lastcomm              root     pts/1      0.00 secs Thu Oct  7
bash            F     root     pts/1      0.00 secs Thu Oct  7
lastcomm              root     pts/1      0.00 secs Thu Oct  7
ifconfig              root     pts/1      0.00 secs Thu Oct  7
lastcomm              root     pts/1      0.00 secs Thu Oct  7
lastcomm              root     pts/1      0.00 secs Thu Oct  7
lastcomm              root     pts/1      0.00 secs Thu Oct  7
accton          S     root     pts/1      0.00 secs Thu Oct  7
[root@51cto ~]# accton                        // disable process accounting
In the lastcomm output, the flag S marks a command that ran with superuser privileges and F a process that forked but did not exec a new program.
3. System and service logs
System logging is handled by a service named syslog. Examples of log files maintained by the syslog service:
/var/log/lastlog: records the time and source IP address of each user's last successful login.
/var/log/messages: records general system and service messages and errors of the Linux operating system.
/var/log/secure: the Linux security log; records changes to users and groups, and user login authentication.
/var/log/btmp: records the user names, times, and remote IP addresses of failed Linux login attempts.
/var/log/cron: records the execution of crond scheduled tasks.
......
[root@51cto ~]# cat /var/log/lastlog          // binary file: cat shows only readable fragments, use the lastlog command to read it
Lpts/0218.192.87.4
Lpts/1218.192.87.4
Lpts/1218.192.87.4
Lpts/0218.192.87.46
Lpts/0218.192.87.4
......
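The file list above names /var/log/secure and /var/log/btmp as the places where login authentication and failed logins are recorded. As an added example (not part of the original article), here is the kind of check a defender runs over that data: it parses constructed sample lines in the format sshd writes to /var/log/secure, counts failed passwords per source address, lists accepted logins, and flags sources that exceed a threshold. The threshold of three failures and the sample addresses are assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the format sshd writes to /var/log/secure on RHEL-family systems.
# 203.0.113.7 and 198.51.100.9 are documentation addresses used here as assumed sources.
SAMPLE_SECURE = """\
Oct  7 01:00:01 51cto sshd[2811]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Oct  7 01:00:03 51cto sshd[2811]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Oct  7 01:00:05 51cto sshd[2813]: Failed password for root from 203.0.113.7 port 51030 ssh2
Oct  7 01:01:02 51cto sshd[2820]: Accepted password for root from 218.192.87.4 port 40122 ssh2
Oct  7 01:02:11 51cto sshd[2831]: Failed password for user1 from 198.51.100.9 port 33012 ssh2
Oct  7 01:03:40 51cto su: pam_unix(su:session): session opened for user root by user1(uid=500)
"""

# "invalid user" appears when the account does not exist; both forms count as a failure.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port \d+")


def summarize_auth(text):
    """Return (failures per source address, list of (user, source) for accepted logins)."""
    failures = Counter()
    accepted = []
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.append((m.group(2), m.group(3)))
    return failures, accepted


def suspicious_sources(text, threshold=3):
    """Source addresses with at least `threshold` failed logins (threshold is an assumed value)."""
    failures, _ = summarize_auth(text)
    return sorted(ip for ip, n in failures.items() if n >= threshold)


if __name__ == "__main__":
    failures, accepted = summarize_auth(SAMPLE_SECURE)
    print("failed logins by source:", dict(failures))
    print("accepted logins:", accepted)
    print("sources over threshold:", suspicious_sources(SAMPLE_SECURE))
```

The same parse can be pointed at the real file with `summarize_auth(open("/var/log/secure").read())`; an accepted login from a source that also produced many failures is the combination worth looking at first.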
III. Introduction to the Linux log service
1. In Linux, most logging is driven and managed by the syslog service. It is controlled by configuration files: the main configuration file /etc/syslog.conf, the options file /etc/sysconfig/syslog, and the startup script /etc/init.d/syslog. Here we discuss the main configuration file, /etc/syslog.conf.
Structure of an /etc/syslog.conf statement:
[root@51cto ~]# grep -v "#" /etc/syslog.conf     // list every line that does not start with #
*.info;mail.none;authpriv.none;cron.none        /var/log/messages
authpriv.*                                      /var/log/secure
mail.*                                          -/var/log/maillog
cron.*                                          /var/log/cron
*.emerg                                         *
uucp,news.crit                                  /var/log/spooler
local7.*                                        /var/log/boot.log
selector field (message type.priority)          action field
2. Message types (facilities): auth, authpriv, security, cron, daemon, kern, lpr, mail, mark, news, syslog, user, uucp, local0 to local7.
Priorities (8 levels, lowest to highest): debug, info, notice, warning|warn, err|error, crit, alert, emerg|panic.
Action field: a file, a user name, the console, or @remote_ip (forward to a remote syslog host).
Three example lines from /etc/syslog.conf:
*.info;mail.none;authpriv.none;cron.none        /var/log/messages
means that messages at the info level (and above) from any facility are written to /var/log/messages, except those from the mail system, the authentication system (authpriv) and scheduled tasks (cron), which are excluded (none means "do not log").
cron.*          /var/log/cron   means that cron messages of every level are written to /var/log/cron.
*.emerg         *               means that emerg-level (system unusable) messages of every type are sent to all logged-in users.
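The selector rules above have two details that are easy to get wrong when reviewing a configuration: a priority means "that level and everything more severe", and within one selector the later parts override earlier ones for the facilities they name (which is how `mail.none` removes mail from a `*.info` rule). The following is an added example, not code from the original article, that implements those sysklogd rules and reports which actions a given (facility, priority) message would be dispatched to. The configuration text is constructed from the listing above plus one assumed extra line using the `!` form; `/var/log/kern.warn` is an assumed file name.

```python
# Priorities in ascending severity; a selector priority p matches p and everything above it.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
PRIORITY_ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "mark",
              "news", "syslog", "user", "uucp"] + ["local%d" % i for i in range(8)]
FACILITY_ALIASES = {"security": "auth"}   # security is the deprecated name for auth

# Constructed sample configuration: the page's listing plus one assumed line using '!'.
SAMPLE_CONF = """\
# comments and blank lines are ignored
*.info;mail.none;authpriv.none;cron.none        /var/log/messages
authpriv.*                                      /var/log/secure
mail.*                                          -/var/log/maillog
cron.*                                          /var/log/cron
*.emerg                                         *
uucp,news.crit                                  /var/log/spooler
local7.*                                        /var/log/boot.log
kern.warning;kern.!crit                         /var/log/kern.warn
"""


def _priority_index(name):
    return PRIORITIES.index(PRIORITY_ALIASES.get(name, name))


def _bits(pri):
    """Set of priority indices denoted by a priority part (without a leading '!')."""
    if pri == "*":
        return set(range(len(PRIORITIES)))
    if pri.startswith("="):                      # '=err' means exactly err
        return {_priority_index(pri[1:])}
    return set(range(_priority_index(pri), len(PRIORITIES)))


def build_mask(selector):
    """Turn a selector such as '*.info;mail.none' into {facility: set of priority indices}.

    Each ';'-separated part assigns the mask for the facilities it names, replacing
    whatever earlier parts set; 'none' clears it and '!' subtracts, as sysklogd does.
    """
    mask = {f: set() for f in FACILITIES}
    for part in selector.split(";"):
        facs, _, pri = part.rpartition(".")
        targets = (FACILITIES if facs == "*"
                   else [FACILITY_ALIASES.get(f, f) for f in facs.split(",")])
        for t in targets:
            if pri == "none":
                mask[t] = set()
            elif pri.startswith("!"):
                mask[t] -= _bits(pri[1:])
            else:
                mask[t] = _bits(pri)
    return mask


def parse_conf(text):
    """Parse syslog.conf text into a list of (mask, action) rules."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        rules.append((build_mask(selector), action.strip()))
    return rules


def routes_for(rules, facility, priority):
    """Actions a message with (facility, priority) is dispatched to; several rules may match."""
    fac = FACILITY_ALIASES.get(facility, facility)
    level = _priority_index(priority)
    return [action for mask, action in rules if level in mask[fac]]


if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    for fac, pri in [("mail", "info"), ("daemon", "emerg"), ("kern", "err"), ("kern", "crit")]:
        print(fac, pri, "->", routes_for(rules, fac, pri))
```

A quick way to use this when auditing a host is to feed it the real file and ask where authpriv or kern messages at each level end up; a facility whose messages reach no action at all is a gap in the audit trail.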