Operating system logs mainly provide audit and monitoring functions. By analyzing log information you can find the cause of an error, monitor and trace intruders and the traces they leave behind after an attack, and even monitor the system status in real time. Effective use of log information, together with its analysis, real-time monitoring and management, plays an extremely important role in system security.
This article discusses how to use the Linux log system to manage systems more easily. Two methods are usually used to manage log information. In the first, the log information of each server is stored on that server, and the system administrator manages each server separately. In the second, a log host system collects the logs of the other hosts and stores them in one place; this makes it easy to correlate log entries from multiple hosts for unified management and analysis, and even to monitor them in real time with automated tools, which effectively improves management efficiency.
Most system administrators use the first method. This traditional approach can barely cope with a small number of servers and is not an effective way to handle many hosts. This article describes both log management methods and explores a way to improve system management efficiency.
I. Deployment of the log host system
The log host system consists of a log host and the host systems that report to it. The log host acts as a server, and each reporting host acts as a client whose log information is transmitted to the log host in real time.
1. Log host deployment
The log host runs RHEL 5 Server (assume its host name is loghost), and the log collection software is the syslog daemon shipped with Linux. Because syslog is installed together with the system, which makes deploying the whole setup very convenient, we do not describe the installation steps here, only the configuration.
Syslog can act as either a client or a server and supports remote log collection. Its configuration file is /etc/sysconfig/syslog. To configure it as a server, change the corresponding line of the configuration file to the following:
SYSLOGD_OPTIONS="-r -m 0"
The "-r" option enables syslogd to receive remote log messages from clients (the "-m 0" option disables the periodic "-- MARK --" lines).
Restart the Syslog server to make the configuration take effect:
#service syslogd restart
Because syslogd listens on UDP port 514 for log messages from the clients, port 514/udp must be opened on the firewall of the log host. For example, to open it only for a specific network segment:
/sbin/iptables -A INPUT -i eth0 -p udp -s 192.168.0.0/16 --dport 514 -j ACCEPT
2. Client deployment
2.1 Client deployment on Linux
On Linux, syslog is again used as the client. In this case the configuration file is /etc/syslog.conf. Its default configuration is (taking the /var/log/messages log as an example):
*.info;mail.none;authpriv.none;cron.none /var/log/messages
/var/log/messages is the absolute path where syslog stores the system log. Replace this value with the log host name prefixed by "@". Example:
*.info;mail.none;authpriv.none;cron.none @loghost
With this configuration, once syslog is restarted, the client's log information is transmitted in real time to the /var/log/messages file of the log host, where the logs of every server are managed together.
Run the following command to restart the Syslog service to make the configuration take effect:
#service syslogd restart
Follow the same steps to send other system logs (such as /var/log/secure) to the log host.
We recommend adding a line with the @loghost destination rather than replacing the existing one, so that system logs are saved both locally and on the log host.
2.2 Client deployment on Windows
On the Windows platform, the client is deployed with the software evtsys. Download it from http://engineering.purdue.edu/ECN/Resources/Documents/UNIX/evtsys/evtsys_exe.zip and unzip it to obtain two files: evtsys.exe and evtsys.dll.
Put these two files in the C:\WINDOWS\system32 directory and run the following command at the command prompt to install the service:
%systemroot%\system32\evtsys -i -h loghost
After the installation succeeds, you can see the corresponding entry in the service list, as shown in Figure 1.
Run the following command to uninstall evtsys:
%systemroot%\system32\evtsys -u
Figure 1
The commands to change the log host name are:
net stop evtsys                 // stop evtsys
evtsys -u                       // uninstall
evtsys -i -h newloghost         // reinstall, specifying the new log host name
net start evtsys                // start evtsys
II. Automatic log analysis and monitoring on the log host
After the entire system is deployed, you can verify on the log host whether each server is sending its log information. Taking /var/log/messages as an example, open the file: when you see log lines carrying different host names, the log host is working properly. An excerpt of the log follows:
Jan  9 08:39:38 dog crond(pam_unix)[4528]: session opened for user root by (uid=0)
Jan  9 08:39:36 dog crond(pam_unix)[4528]: session closed for user root
Jan  9 08:39:40 panda crond(pam_unix)[20296]: session opened for user root by (uid=0)
Jan  9 08:39:40 panda crond(pam_unix)[20296]: session closed for user root
Jan  9 08:39:53 app last message repeated 8 times
Jan  9 08:40:11 apple net-snmp[657]: Connection from udp:93791.11:4298
Jan  9 08:40:11 apple net-snmp[657]: Received SNMP packet(s) from udp:159.226.2.144:42988
Jan  9 08:41:15 orange sshd(pam_unix)[28389]: session opened for user tom by (uid=2011)
Jan  9 08:41:28 orange sshd(pam_unix)[28389]: session opened for user tom by (uid=2011)
Jan  9 08:41:28 orange su(pam_unix)[28425]: session opened for user root by tom(uid=2011)
Most of these lines are of little use on their own, but they may be valuable when tracking down a specific problem or security incident. So how can we analyze and monitor them effectively so that they play their real role? We recommend two commonly used tools that analyze and monitor the log information automatically.
1. Use Logwatch for log monitoring
On Linux, Logwatch is installed by default. Combined with Sendmail's mail delivery, Logwatch emails the analysis of the previous day's logs to the system administrator. Its configuration file is /etc/log.d/logwatch.conf; the following is the configuration file with comments omitted. Usually only the MailTo entry needs to be changed to the system administrator's mailbox address; more configuration details are available on the official site, http://www.logwatch.org
LogDir = /var/log
MailTo = admin@local.com
Print = No
Range = yesterday
Detail = High
Service = All
2. Use Swatch for real-time log monitoring
Swatch can be downloaded from http://sourceforge.net/projects/swatch/. To install it, first install two Perl modules, Date-Calc-5.4.tar.gz and TimeDate-1.16.tar.gz, and then install Swatch as follows:
# tar -zxvf swatch-3.2.1.tar.gz
# cd swatch-3.2.1
# perl Makefile.PL
# make
# make test
# make install
Create the Swatch configuration file ~/.swatchrc and add the monitoring rules according to its syntax; run "man swatch" to see the available configuration directives and their meaning. The following is a simple example for reference only:
# match lines containing any of these words (regular expression; /i = case-insensitive)
watchfor /Failed|useradd|Invalid/i
        # print the matching line on stdout
        echo
        # email the match to the system administrator with this subject
        mail addresses=admin\@local.com, subject=Monitor Result
Use "swatch --help" to see Swatch's command-line options.
The following is an example command for reference only (--examine reads the file once and exits; use --tail-file instead to keep watching a growing log):
# swatch --config-file=~/.swatchrc --examine=/var/log/messages
When a monitored pattern appears, Swatch emails the system administrator immediately, which helps to detect intrusions in time and protect system security.
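Both the "is every server reaching the log host?" check from section II and the Swatch pattern above can be scripted. The following Python example is added here and is not part of the original article or of Swatch: it parses sysklogd-style lines (the sample lines are constructed after the excerpt above), counts lines per sending host, lists expected hosts that have gone silent, and applies the same /Failed|useradd|Invalid/i pattern; the list of expected hosts is an assumption.

```python
import re
from collections import Counter

# BSD syslog line as sysklogd writes it: "Mon DD HH:MM:SS host prog[pid]: msg"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
# "prog", "prog[pid]" or "prog(pam_unix)[pid]", followed by ": message"
PROG_RE = re.compile(r"^(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# The regex from the sample ~/.swatchrc; its trailing /i becomes IGNORECASE
WATCH_RE = re.compile(r"Failed|useradd|Invalid", re.IGNORECASE)
# Constructed sample modelled on the article's excerpt, not real captured data
SAMPLE_LOG = """\
Jan  9 08:39:38 dog crond(pam_unix)[4528]: session opened for user root by (uid=0)
Jan  9 08:39:53 app last message repeated 8 times
Jan  9 08:41:15 orange sshd(pam_unix)[28389]: session opened for user tom by (uid=2011)
Jan  9 08:41:28 orange su(pam_unix)[28425]: session opened for user root by tom(uid=2011)
Jan  9 08:42:03 panda sshd[29011]: Failed password for invalid user oracle from 192.0.2.10 port 51022 ssh2
Jan  9 08:42:05 panda sshd[29011]: Invalid user oracle from 192.0.2.10
Jan  9 08:43:10 apple useradd[700]: new user: name=backup, UID=503, GID=503, home=/home/backup
"""

def parse_line(line):
    """ts/host/prog/pid/msg for one line, or None if it is not a syslog line;
    'last message repeated N times' lines carry no program field."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "prog": None, "pid": None, "msg": m["rest"]}
    p = PROG_RE.match(m["rest"])
    if p:
        rec.update(prog=p["prog"], pid=p["pid"], msg=p["msg"])
    return rec

def lines_per_host(log_text):
    """Lines per sending host: the 'is every server reaching loghost?' check."""
    return Counter(r["host"] for r in map(parse_line, log_text.splitlines()) if r)

def silent_hosts(log_text, expected_hosts):
    """Expected clients with no lines at all: their syslog may have stopped, or
    their UDP 514 traffic may be dropped by the log host's firewall."""
    return sorted(set(expected_hosts) - set(lines_per_host(log_text)))

def watch_hits(log_text, pattern=WATCH_RE):
    """(host, msg) for every line the pattern matches, like swatch's watchfor
    followed by the echo action."""
    parsed = [(parse_line(ln), ln) for ln in log_text.splitlines()]
    return [(r["host"], r["msg"]) for r, ln in parsed if r and pattern.search(ln)]
```

Running silent_hosts against the list of clients you deployed in section I turns the manual "look for different host names" check into something a cron job can report on.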
III. Summary
Establishing a log host system not only effectively improves the efficiency of log management, analysis and monitoring, but also plays an important role in protecting the log information itself: because each server's logs are backed up on the log host, an intruder cannot erase their traces simply by tampering with the local logs. This brings great convenience to system management and is one of the important ways to effectively ensure system security.