[Linux]var Directory role

var directory /var includes data to be changed while the system is running. These include directories that each system is specific, that is, that cannot be shared with other computers, such as/var/log,/var/lock,/var/run. Some directories can also be shared with other systems, such as/var/mail,/var/cache/man,/var/cache/fonts,/var/spool/news. The purpose of the Var directory is to extract the USR directory from files that need to be changed during operation, or to temporarily generate files and directories so that the USR directory can be mounted as read-only. The implied requirement is that the Var directory be mounted as a read-write method.
Note the following requirements for the analysis of this directory
1) The purpose and role of each directory.
2) What information can be obtained through the information in the directory and how to access it.
3) is safe for file operations in the directory.
Purpose: This directory holds the process records used in the system. When a process terminates, write a record of each process to the statistical file (PACCT or acct). The purpose of process statistics is to provide command usage statistics for basic services in the system. The file can be analyzed using the Data tool (SA,AC).
Use: The process statistics subsystem is not activated by default and it must be started. Starting process statistics on Linux systems use the Accton command, which must be run as root. The form of the Accton command Accton File,file must exist first. If it does not exist, first use the touch command to create the Pacct file: Touch/var/log/pacct, and then run ACCTON:ACCTON/VAR/ACCOUNT/PACCT. Once Accton is activated, you can use the Lastcomm command to monitor the commands that are executed at any time in the system. To turn off statistics, you can use the Accton command without any parameters.
The pact file is not available for cat to read directly from the contents.
Note: The file will grow massively and care must be taken to maintain (delete, dump)
Purpose: When the system crashes, the dump file can be analyzed by this file for the reason of the down machine.
Use the: Crash tool to analyze the files in this directory. Reference Document Linux-2.6.20.6/documentation/kdump/kdump.txt
Crash-s/boot/system.map-2.6.18-53.el5pae/boot/vmlinuz-2.6.18-53.el5pae/var/crash/xxxx
Purpose: To store the application's cached data, the data application stored in the directory can be regenerated, so the data in the directory is lost without affecting the system.
This directory holds state information from the system or an application as it is running. Users are not allowed to change files under this directory.
A directory of message store files linked to/var/spool/mail in CGS. It is explicitly proposed in the FHS documentation to extract it from/var/spool/mail for use in multiple host applications.
Add-on application stores variables under this directory and stores static variables under/OPT.
The temporary files generated by the application can be collated at regular intervals. /usr/tmp. /var/tmp.
Many programs follow the convention of creating a locked file in/var/lock to support their use of a particular device or file. Other programs Note that this lock file will not attempt to use this device or file. Note that the catalog cannot be changed casually.
Save the PID number of the process that is running on the system since the start of the system, not all processes have PID files in that directory. The role of each PID file is related to its application, and the basic function is to flag that the process is already running and flag the PID number of the process. There are corresponding files in the/var/run/subsys/directory. When the system starts without deleting the files, the files in that directory are purged after the system starts. /var/run/utmp is a binary file that records the user information of the currently logged on system. The contents can be displayed as the WHO, W, users, finger commands. The log file does not include all the exact information, because some burst errors terminate the user logon session, and the system does not update the UTMP record in a timely manner, so the log file record is not entirely trustworthy.
/etc/init.d/sendmail file use cases for files in the/var/run and/var/lock/subsys directories
Save some data that requires subsequent processes to continue processing. When the process finishes processing the saved data file, the file is deleted. The data in this directory is not manually deleted.
Find the attribution method for each subdirectory in the directory (for example, directory/var/spool/voice):
[Email protected] spool]# Rpm-qf/var/spool/voice
Mgetty-voice-1.1.33-9.fc6
This allows you to find the/var/spool/voice directory associated with the Mgetty-voice package, so you can use the following command to analyze the Mgetty-voice package's commands and their effects.
Variable data that holds the programs installed in the/usr/local (that is, programs installed by the system administrator).
Temporary files stored by the editor
/var/log/boot.log
This file records the events that occurred during the boot process, and is the information displayed during the post process of the Linux system. Redhat decided to retire the use of initlog, so the command to call Initlog in/etc/init.d/functions was commented out, and the file was empty.
/var/log/cron
This log file records the actions of the crontab daemon Crond the child process that is derived. The format is as follows:
07:40:01 localhost crond[9434]: (Root) CMD (/USR/LIB/SA/SA1 1 1)
/var/log/maillog
The log file records the activity of each email sent to or from the system. It can be used to see which system the user uses to send the tool or send the data to.
/var/log/syslog
The default redhatlinux does not generate the log file, but you can configure/etc/syslog.conf to have the log file generated by the system. It is different from the/etc/log/messages log file, it only records the warning message, often is the system problem information, so should be concerned about the file. To have the log file generated by the system, add: *.warning/var/log/syslog The log file can record information such as error password, sendmail problem, su command execution failure when the user logged in/etc/syslog.conf.
/var/log/lastlog
This log file records the most recent successful logon event and the last unsuccessful logon event that was generated by login. Each time a user logs on, the file is a binary file and needs to be viewed using the Lastlog command, which displays the login name, port number, and last logon time based on the UID. If a user has never logged in, it is displayed as "**neverloggedin**". This command can only be performed with root privileges.
/var/log/wtmp
This log file permanently records each user's logon, logoff, and system startup, downtime events. Therefore, as the system uptime increases, the size of the file becomes larger and higher, depending on the number of times the system user logs on. The log file can be used to view the user's login record, the last command to access this file to obtain this information, and in reverse order from back to front to display the user's log-in record, can also be based on user, terminal TTY or time display corresponding records.
/VAR/RUN/UTMP See/var/run Catalogue
The 3 files mentioned above (/var/log/wtmp,/var/run/utmp,/var/log/lastlog) are the key files of the log subsystem, all of which record the user login. All records for these files contain timestamps. These files are stored in binary, so they cannot be viewed directly with commands such as less and cat, but they need to be viewed through these files using related commands.
/var/log/xferlog
This log file records the FTP session and can show what files the user has copied to the FTP server or from the server. The file shows the malicious program that the user has copied to the server to invade the server, and what files the user has copied for him to use.
The format of the file is: The first field is the date and time, the second domain is the number of seconds to download the file, the remote system name, the file size, the local pathname, the transport type (a:ascii,b: binary), the compression-related flag or tar, or "_" (if there is no compression), Transmission direction (relative to the server: I represents the input, O represents), Access mode (A: Anonymous, G: Enter password, r: Real user), user name, service name (usually FTP), authentication method (l:rfc931, or 0), authentication User ID or "*".
/var/log/xfree86.x.log
The log file records the X-window boot situation.
SYSLOGD can simply be referred to as a daemons of recording system activity. For example, you can record who, at what time, where, what to do, you can also record what has happened in the system, such as when the reboot, hardware and software error information, of course, also records the service running on your system information. Normally, Syslog accepts information from various functions of the system, each of which includes important levels. The/etc/syslog.conf file determines how SYSLOGD reports information based on device and information critical levels.
/usr/include/sys/syslog.h
Processing flow

/etc/syslog.conf
The/etc/syslog.conf file uses the following form
Facility.level Action
Blank lines and lines beginning with # can be ignored. The Facility.level field is also called Seletor. You should use the TAB key one or more times to separate facility and action. Most Linux uses these spaces as delimiters.
Facility
facility Specifies the Syslog functionality, which mainly includes the following:
Auth authentication system, such as login or Su, asks for user name and password
Information emitted when the cron system executes a timed task
Daemon syslog for some system daemons, such as log generated by in.ftpd
Kern Information about the kernel
Information about the LPR printer
Message sent by mail to process the message daemon
Mark timed program for sending messages
Information for the News newsgroup daemon
User's application information for local Users
UUCP information for the UUCP subsystem
Local0----LOCAL7 used with custom programs, such as SSH with LOCAL5
* Indicates all possible sources of information
Level
The priority that corresponds to each function is arranged in a certain order, Emerg is the highest level, followed by alert, and so on. By default, the level specified in the/ETC/SYSLOG.CONF record is the level and the higher level. If you want to use a certain level you can use two op symbols! (unequal) and =.
User.=info
Indicates that the Syslog accepts all user feature information at the info level.

The syslog levels are as follows:
Emerg or panic the system is not available
The condition that alert needs to be modified immediately
Crit error conditions that prevent some tools or subsystem functionality from being implemented
Err blocking tool or some subsystem partial functionality implementation of error conditions
Warning warning information
Notice general conditions of importance
Info message for info
Debug does not contain additional information about a function condition or problem
None has no important level and is usually used for troubleshooting
* All levels, except none
Action
The activity represented by the action field has a lot of flexibility, and in particular, the use of name pipes can make SYSLOGD post-processing information.
Syslog mainly supports the following activities
file specifies the absolute path of the files
Terminal or print full serial or parallel device identifier
@host a remote log server
Username sending information to the specified user using write
Named pipe specifies the absolute path to the FIFO file that is created using the Mkfifo command.

Because SYSLOGD may lose information when the system is very busy, you can replace the syslog with Cyclog.
RPM-QL logrotate
Manlogrotate
/etc/logrotate.conf
[Email protected] log]# cat/etc/logrotate.conf
# see ' Man logrotate ' for details
# Rotate log Files Weekly
Weekly

# Keep 4 weeks worth of backlogs
Rotate 4

# Create new (empty) log files after rotating old ones
Create

# Uncomment this if you want your log files compressed
#compress

# RPM Packages Drop log rotation information into this directory
Include/etc/logrotate.d

# no packages own wtmp--we'll rotate them here
/var/log/wtmp {
Monthly
Create 0664 Root utmp
Rotate 1
}

# system-specific logs May is also is configured here.
Run Time:
[Email protected] log]# RPM-QL logrotate
/etc/cron.daily/logrotate
/etc/logrotate.conf
/etc/logrotate.d
/usr/sbin/logrotate
/usr/share/doc/logrotate-3.7.4
/usr/share/doc/logrotate-3.7.4/changes
/usr/share/man/man8/logrotate.8.gz
/var/lib/logrotate.status
/etc/logrotate.d/
[Email protected] log]# Cat/etc/logrotate.d/yum
/var/log/yum.log {
Missingok
Notifempty
Size 30k
Create 0600 root root
}
[Email protected] log]# Rpm-qf/etc/logrotate.d/yum
Yum-3.0.5-1.el5.centos.5

Reference document "Filesystemhierarchy standard"
http://www.ibm.com/developerworks/cn/linux/security/l-ossec/part1/
Http://www.ibm.com/developerworks/cn/linux/security/l-ossec/part2/index.html
http://www.ibm.com/developerworks/cn/linux/security/l-ossec/part3/
Source: <var Directory-living-Blog channel-csdn.net>
  /var/account/pact /var/crash /var/cache /var/empty /var/games /var/lib /var/mail /var/opt /var/tmp /var/lock /var/run /var/spool /var/local /var/preserve /var/log SYSKLOGD logrotate

From for notes (Wiz)

[Linux]var Directory role