Linux system logs

Source: Internet
Author: User
Tags system log uuid dmesg

Logs record all kinds of things that happen on the system every day and are used for monitoring system status, troubleshooting, and so on. You can check the logs for the cause of an error or for traces left by an attack. The main functions of logs are auditing and monitoring: real-time monitoring of system status, and monitoring and tracking of intruders.

The most frequently viewed system log file is /var/log/messages, which is the core system log file.

Linux system logs

  • /var/log/messages

  • /etc/logrotate.conf: the log rotation (splitting) configuration file

  • /var/log/dmesg

  • the last command, which reads /var/log/wtmp

  • the lastb command, which shows users whose login failed; the corresponding file is /var/log/btmp

  • /var/log/secure



/var/log/messages is the core system log file and the one viewed most often. It contains the boot messages from system startup and other status messages from the running system; I/O errors and other system errors are also logged to this file.

# less /var/log/messages    # view the contents of the system log file
Jan 07:01:01 yzllinux123 systemd: Started Session 3 of user root.
Jan 07:01:01 yzllinux123 systemd: Starting Session 3 of user root.
Jan 07:12:33 yzllinux123 systemd-logind: Removed session 1.
Jan 07:12:33 yzllinux123 systemd: Removed slice User Slice of root.
Jan 07:12:33 yzllinux123 systemd: Stopping User Slice of root.
Jan 07:12:40 yzllinux123 systemd: Created slice User Slice of root.
Jan 07:12:40 yzllinux123 systemd: Starting User Slice of root.
Jan 07:12:40 yzllinux123 systemd: Started Session 4 of user root.
Jan 07:12:40 yzllinux123 systemd-logind: New session 4 of user root.


/etc/logrotate.conf: the log rotation configuration file

# cat /etc/logrotate.conf    # view the contents of the log rotation configuration file
# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# use date as a suffix of the rotated file
dateext

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
    minsize 1M
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
}

# system-specific logs may be also be configured here.


# du -sh /etc/logrotate.conf    # du -sh shows the size of the rotation configuration file
4.0K    /etc/logrotate.conf

The dmesg command displays the system boot information. If there is a hardware problem (for example with a network card), it also shows up in this command's output.

# dmesg | head    # list system hardware information
[    0.000000] Initializing cgroup subsys cpuset
[    0.000000] Initializing cgroup subsys cpu
[    0.000000] Initializing cgroup subsys cpuacct
[    0.000000] Linux version 3.10.0-123.el7.x86_64 ([email protected]) (gcc version 4.8.2 20140120 (Red Hat 4.8.2-16) (GCC)) #1 SMP Mon June, 12:09:22 UTC 2014
[    0.000000] Command line: BOOT_IMAGE=/vmlinuz-3.10.0-123.el7.x86_64 root=UUID=50cdeab8-cfd2-475a-b77a-8f9e904b4fa6 ro vconsole.keymap=us crashkernel=auto vconsole.font=latarcyrheb-sun16 rhgb quiet. UTF-8
[    0.000000] Disabled fast string operations
[    0.000000] e820: BIOS-provided physical RAM map:
[    0.000000] BIOS-e820: [mem 0x0000000000000000-0x000000000009efff] usable
[    0.000000] BIOS-e820: [mem 0x000000000009f000-0x000000000009ffff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000000ca000-0x00000000000cbfff] reserved
# ^C


/var/log/dmesg: records the system boot log

# cat /var/log/dmesg | head    # system boot log
[    0.000000] Initializing cgroup subsys cpuset
[    0.000000] Initializing cgroup subsys cpu
[    0.000000] Initializing cgroup subsys cpuacct
[    0.000000] Linux version 3.10.0-123.el7.x86_64 ([email protected]) (gcc version 4.8.2 20140120 (Red Hat 4.8.2-16) (GCC)) #1 SMP Mon June, 12:09:22 UTC 2014
[    0.000000] Command line: BOOT_IMAGE=/vmlinuz-3.10.0-123.el7.x86_64 root=UUID=50cdeab8-cfd2-475a-b77a-8f9e904b4fa6 ro vconsole.keymap=us crashkernel=auto vconsole.font=latarcyrheb-sun16 rhgb quiet. UTF-8
[    0.000000] Disabled fast string operations
[    0.000000] e820: BIOS-provided physical RAM map:
[    0.000000] BIOS-e820: [mem 0x0000000000000000-0x000000000009efff] usable
[    0.000000] BIOS-e820: [mem 0x000000000009f000-0x000000000009ffff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000000ca000-0x00000000000cbfff] reserved


The last command shows successful logins

# last | head    # view the history of successful logins: who logged in, how, at what time, etc.
root     pts/0        192.168.12.1     Thu Feb  1 05:00   still logged in
reboot   system boot  3.10.0-123.el7.x Thu Feb  1 04:59 - 06:04  (01:05)
root     pts/0        192.168.12.1     Mon Jan 07:12 - crash (2+21:46)
root     pts/0        192.168.12.1     Mon Jan 29 05:01 - 07:12  (02:10)
reboot   system boot  3.10.0-123.el7.x Mon Jan 29 05:01 - 06:04 (3+01:03)
root     pts/0        192.168.12.1     Fri Jan 08:00 - crash (2+21:00)
reboot   system boot  3.10.0-123.el7.x Fri Jan 26 07:58 - 06:04 (5+22:05)
root     tty1                          Fri Jan 26 07:58 - 07:58  (00:00)
root     pts/0        192.168.12.1     Fri Jan 07:29 - down   (00:28)
reboot   system boot  3.10.0-123.el7.x Fri Jan 26 07:28 - 07:58  (00:29)


The lastb command shows the recorded failed logins

# lastb | head    # failed login information

btmp begins Thu Feb  1 05:32:02 2018


/var/log/secure: records authentication and authorization information

# cat /var/log/secure
Jan 07:12:33 yzllinux123 sshd[2131]: pam_unix(sshd:session): session closed for user root
Jan 07:12:40 yzllinux123 sshd[2538]: Accepted password for root from 192.168.12.1 port 52861 ssh2
Jan 07:12:40 yzllinux123 sshd[2538]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb  1 04:59:25 yzllinux123 polkitd[677]: Loading rules from directory /etc/polkit-1/rules.d
Feb  1 04:59:25 yzllinux123 polkitd[677]: Loading rules from directory /usr/share/polkit-1/rules.d
Feb  1 04:59:25 yzllinux123 polkitd[677]: Finished loading, compiling and executing 2 rules
Feb  1 04:59:25 yzllinux123 polkitd[677]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Feb  1 04:59:31 yzllinux123 sshd[1107]: Server listening on 0.0.0.0 port 22.
Feb  1 04:59:31 yzllinux123 sshd[1107]: Server listening on :: port 22.
Feb  1 05:00:11 yzllinux123 sshd[2128]: Accepted password for root from 192.168.12.1 port 51159 ssh2
Feb  1 05:00:11 yzllinux123 sshd[2128]: pam_unix(sshd:session): session opened for user root by (uid=0)
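
Since /var/log/secure is where login traces end up, a per-address tally of sshd results is a practical first audit pass over it. The script below is an added example, not part of the original page: the function names, the threshold and every sample log line (host name, PIDs, addresses) are constructed, and the "Failed password" lines use the standard sshd format, which the excerpt above does not happen to contain.

```bash
#!/bin/bash
# Added example. Every log line below is constructed sample data.
sample_secure() {
cat <<'EOF'
Feb  1 05:00:11 host1 sshd[2128]: Accepted password for root from 192.0.2.10 port 51159 ssh2
Feb  1 05:31:58 host1 sshd[2301]: Failed password for root from 198.51.100.7 port 40112 ssh2
Feb  1 05:32:00 host1 sshd[2301]: Failed password for root from 198.51.100.7 port 40112 ssh2
Feb  1 05:32:02 host1 sshd[2304]: Failed password for invalid user admin from 198.51.100.7 port 40114 ssh2
Feb  1 05:32:05 host1 sshd[2307]: Accepted password for root from 198.51.100.7 port 40115 ssh2
Feb  1 05:40:10 host1 sshd[2310]: Failed password for invalid user x from 192.0.2.1 port 1 ssh2 from 203.0.113.9 port 40200 ssh2
Feb  1 05:41:00 host1 polkitd[677]: Finished loading, compiling and executing 2 rules
EOF
}

# Reads a /var/log/secure-style log on stdin and prints one line per source
# address: failed and accepted sshd logins, plus a note when worth a look.
# $1 = failures from one address that deserve attention (default 3).
summarize_sshd() {
    awk -v limit="${1:-3}" '
    # Fields: month day time host sshd[pid]: Accepted|Failed ...
    $5 ~ /^sshd\[[0-9]+\]:$/ && ($6 == "Accepted" || $6 == "Failed") {
        ip = ""
        # The user name is client-supplied text and may contain "from",
        # so use the last "from": that one is written by sshd itself.
        for (i = 7; i < NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "") next
        seen[ip] = 1
        if ($6 == "Failed") failed[ip]++
        else { ok[ip]++; if (failed[ip] >= limit) hit[ip] = 1 }
    }
    END {
        for (ip in seen) {
            note = ""
            if (hit[ip]) note = " login-after-failures"
            else if (failed[ip] >= limit) note = " many-failures"
            printf "%s failed=%d accepted=%d%s\n", ip, failed[ip], ok[ip], note
        }
    }' | sort
}

sample_secure | summarize_sshd 3
```

On a real host, feed the function the live file as root, for example `summarize_sshd 3 < /var/log/secure`, and include rotated copies if the period of interest is older than the current file.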


The screen tool (virtual terminal)

To keep a task from being interrupted, we can leave it running in the background. Run it using: nohup + run log + &


Another way is to use the screen virtual terminal.

First we need to install screen: # yum install -y screen

After the installation is complete, we only need to enter # screen to get into the virtual terminal.

To leave (detach from) the screen session, press Ctrl+a and then the d key.

# screen -ls    # lists the screen sessions that are already open

# screen -R + number    # reopens a screen session

# exit ends the screen session
