Log of Linux Services

Source: Internet
Author: User

[[email protected] ~]# rpm -qa | grep log
sysklogd-1.4.1-46.el5
logwatch-7.3-9.el5_6
logrotate-3.7.4-12
rsyslog-3.22.1-7.el5

[[email protected] ~]# rpm -qa | grep init
initscripts-8.45.42-1.el5.centos

[[email protected] ~]# rpm -qa | grep psacct
psacct-6.3.2-44.el5

/var/run/utmp records current logins, /var/log/wtmp records login history, and /var/log/btmp records failed logins.

wtmp and utmp are binary files, so they cannot be viewed, truncated or merged with text tools such as cat or tail. Use who, w, users, last and ac to read the information contained in these two files.
The last command searches back through wtmp and shows the users who have logged on since the file was first created.
The lastlog command shows the logon time of each user.
The users command prints the currently logged-on users on a single line, one displayed user name for each login session.
The w command queries the utmp file and displays each user currently on the system and the process that user is running.
The who command queries the utmp file and reports each user who is currently logged on.
The ac command reports users' connect time (in hours) based on the logon and logoff entries in the current /var/log/wtmp file.

ac -d reports connect time by day, ac -p reports connect time by user, and ac -d lzb reports the daily connect time for the user lzb.

A binary record containing the following structure is written to these two files:
struct utmp {
    char ut_line[8];   /* tty line: "ttyh0", "ttyd0", "ttyp0", ... */
    char ut_name[8];   /* login name */
    long ut_time;      /* seconds since Epoch */
};
At login, the login program fills in such a structure, writes it to the utmp file, and also appends it to the wtmp file.
At logout, the init process erases the corresponding record in the utmp file (each byte is filled with 0) and appends a new record to the wtmp file. In this logout record in the wtmp file, the ut_name field is cleared to 0. Special records are appended to the wtmp file when the system restarts, and before and after changes to the system time and date. The who(1) program reads the utmp file and prints its contents in a readable format. Later versions of Unix provide the last(1) command, which reads the wtmp file and prints the selected records. The wtmp file therefore tracks individual logon and logoff events.
wted
A wtmp/utmp log editing program. This tool can edit any file of the wtmp or utmp type.
z2
A utmp/wtmp/lastlog log cleanup tool. It can delete all entries for a user name from the utmp/wtmp/lastlog log files. On a Linux system, however, its source code has to be modified manually to set the location of the log files.
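
Because tools like these rewrite records in place, it is worth reading wtmp directly instead of trusting only last. The following is an added example, not code from the original page: it parses wtmp-format data, pairs login and logout records by terminal line, and reports zero-filled record slots. It assumes the 384-byte glibc struct utmp layout of x86-64 Linux rather than the historical three-field structure shown above; the sample records and the helper names are constructed for illustration.

```python
import struct

# Assumed layout: glibc struct utmp on x86-64 Linux, 384 bytes per record.
REC = struct.Struct("<hxxi32s4s32s256shhiii4i20s")
USER_PROCESS, DEAD_PROCESS = 7, 8      # ut_type values from <utmp.h>

def _text(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_wtmp(data):
    """Return (records, zeroed_offsets) for wtmp/utmp-format bytes."""
    records, zeroed = [], []
    usable = len(data) - len(data) % REC.size    # ignore a truncated tail
    for off in range(0, usable, REC.size):
        chunk = data[off:off + REC.size]
        if not any(chunk):
            # Assumption: appended records are never all zero, so a blank
            # slot in wtmp is treated as a sign of in-place editing.
            zeroed.append(off)
            continue
        f = REC.unpack(chunk)
        records.append({"offset": off, "type": f[0], "pid": f[1],
                        "line": _text(f[2]), "user": _text(f[4]),
                        "host": _text(f[5]), "time": f[9]})
    return records, zeroed

def open_sessions(records):
    """Logins with no later logout record on the same terminal line."""
    live = {}
    for r in records:
        if r["type"] == USER_PROCESS:
            live[r["line"]] = r
        elif r["type"] == DEAD_PROCESS:
            live.pop(r["line"], None)
    return sorted(live.values(), key=lambda r: r["offset"])

def make_record(ut_type, pid, line, user, host, sec):
    """Build one constructed record for the sample below."""
    return REC.pack(ut_type, pid, line.encode(), b"", user.encode(),
                    host.encode(), 0, 0, 0, sec, 0, 0, 0, 0, 0, b"")

# Constructed sample: two logins, one zero-filled slot, one logout.
SAMPLE = (make_record(USER_PROCESS, 4101, "pts/0", "oracle", "192.0.2.10", 1700000000)
          + bytes(REC.size)
          + make_record(USER_PROCESS, 4250, "pts/1", "root", "192.0.2.11", 1700000300)
          + make_record(DEAD_PROCESS, 4101, "pts/0", "", "", 1700000600))

if __name__ == "__main__":
    recs, zeroed = parse_wtmp(SAMPLE)
    print("zero-filled offsets:", zeroed,
          "open:", [(r["user"], r["line"]) for r in open_sessions(recs)])
```

To run it against a real file, pass the bytes of a copy of /var/log/wtmp to parse_wtmp().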

Connection Time Log
Process Statistics Log
Error log

[[email protected] ~]# rpm -qa | grep psacct
psacct-6.3.2-63.el6_3.3.x86_64
[[email protected] ~]# service psacct stop
Shutting down process accounting: [OK]
[[email protected] account]# service psacct start        # start through the service command
Starting process accounting: [OK]
[[email protected] account]# /etc/init.d/psacct start    # start through the init script
Starting process accounting: [OK]

[[email protected] ~]# lastcomm pts/0     # query by terminal name
[[email protected] ~]# lastcomm ls        # query by command name
[[email protected] ~]# lastcomm oracle    # query by user name
[[email protected] ~]# lastcomm
crond SF root __ 0.03 secs Sat 19 20:01
run-parts root __ 0.03 secs Sat 19 20:01
S: the command was executed by the superuser.
F: the command was produced by a fork, but without an exec.
D: the command terminated and created a core file.
X: the command was terminated by the SIGTERM signal.
[[email protected] ~]# sa
32918.77re 0.02cp 15590k
2 103.78re 0.00cp 17840k sshd
2 0.00re 0.00cp 40344k rpm
32719.14re 0.00cp 15922k ***other*
4 0.00re 0.00cp 27552k ps
3 95.59re 0.00cp 14420k sftp-server
3 0.00re 0.00cp 27104k psacct
6 0.00re 0.00cp 4355k unix_chkpwd
4 0.00re 0.00cp 29324k ls
7 0.00re 0.00cp 13053k bash*

How to read the fields of an output line:
0.36re is the "real time", in minutes.
0.12cp is the total of system and user time (CPU time), in minutes.
31156k is the CPU-time averaged core usage, in units of 1 KB.
up2date is the command name.
Show each user:
[[email protected] ~]# sa -u
root 0.00 cpu 917k mem accton
root 0.00 cpu 15806k mem touch
root 0.00 cpu 16060k mem psacct
oracle 0.07 cpu 35696k mem oracle
oracle 0.00 cpu 327296k mem oracle *
[[email protected] ~]# sa -a
245 107.25re 0.12cp 74539k
57.27re 0.05cp 35697k oracle
4 0.04re 0.04cp 28412k rpmq
1 0.12re 0.03cp 78080k yum-updatesd-he
2 24.14re 0.00cp 16330k sshd
2 23.90re 0.00cp 16576k bash
[[email protected] ~]# sa -b
249 110.34re 0.12cp 74947k
4 0.04re 0.04cp 28412k rpmq
1.24re 0.03cp 14194k ***other
60.35re 0.06cp 35697k oracle
2 24.14re 0.00cp 16330k sshd
2 23.90re 0.00cp 16576k bash
2 0.00re 0.00cp 16464k ps

[[email protected] ~]# sa -m
252 111.34re 0.13cp 75499k
root 156 49.77re 0.07cp 12392k
oracle 94 61.36re 0.06cp 181496k
sshd 2 0.22re 0.00cp 16000k
You can spot suspicious activity by looking at re, k and cp/cpu (see the output explanation above), for example a user or command that takes up all the CPU time. If the CPU/memory usage of a command keeps increasing, that indicates a problem with the command.
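
One way to automate that comparison, as an added example that is not part of the original page: parse two snapshots of sa output taken at different times and report commands that are new or whose CPU time or average memory grew. The column layout (calls, re, cp, k, command) follows the listings above; the snapshot contents, thresholds and function names are constructed for illustration.

```python
import re

# Columns as shown on this page: calls, NNre, NNcp, NNk, command.
# Some sa builds also print an "NNavio" column, which is skipped.
LINE = re.compile(r"^\s*(\d+)\s+([\d.]+)re\s+([\d.]+)cp\s+"
                  r"(?:\d+avio\s+)?(\d+)k\s+(\S+)\s*$")

def parse_sa(text):
    """Map command name -> {calls, re, cp, k}; the totals line is skipped."""
    rows = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            calls, real, cpu, mem, cmd = m.groups()
            rows[cmd] = {"calls": int(calls), "re": float(real),
                         "cp": float(cpu), "k": int(mem)}
    return rows

def flag_growth(before, after, cp_delta=1.0, k_ratio=1.5):
    """Return sorted (command, reason) pairs for rows that grew."""
    findings = []
    for cmd, now in after.items():
        old = before.get(cmd)
        if old is None:
            findings.append((cmd, "new command"))
            continue
        if now["cp"] - old["cp"] >= cp_delta:      # CPU minutes gained
            findings.append((cmd, "cpu +%.2f min" % (now["cp"] - old["cp"])))
        if old["k"] and now["k"] / old["k"] >= k_ratio:
            findings.append((cmd, "avg mem x%.1f" % (now["k"] / old["k"])))
    return sorted(findings)

# Constructed snapshots in the format of the sa listings above.
BEFORE = """\
 245  107.25re  0.12cp  74539k
  57   57.27re  0.05cp  35697k  oracle
   2   24.14re  0.00cp  16330k  sshd
   2   23.90re  0.00cp  16576k  bash
"""
AFTER = """\
 301  140.80re  3.31cp  90112k
  88   81.02re  3.20cp  71394k  oracle
   2   24.14re  0.00cp  16330k  sshd
   4   30.10re  0.01cp  16580k  bash
   1    0.02re  0.00cp   4100k  perl
"""

if __name__ == "__main__":
    for cmd, reason in flag_growth(parse_sa(BEFORE), parse_sa(AFTER)):
        print(cmd, reason)
```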
