Network security series: Linux log management (1)

Source: Internet
Author: User
Tags: nfsd

Linux servers usually sit in a machine room and run unattended, so an administrator who wants to know the state of the server or of an application mostly has to rely on the logs. Log files record the various messages produced while a Linux system runs; different log files record different kinds of information, such as Linux kernel messages, user login records and program errors. Because programs running on Linux routinely write their status and error messages to the appropriate log file, the logs are a primary aid in diagnosing and resolving problems, and the history of the system can be traced back when something goes wrong. When a host is attacked, the log files are also where the traces left by the attacker are most likely to be found.

1. Primary log files

By default, the log files of the Linux system itself and of most service programs are placed under the "/var/log" directory. Some programs share a log file, some use a log file of their own, and some larger programs keep several log files, in which case a subdirectory is created under "/var/log" to hold them. A significant portion of the log files can be read only by the root user, which keeps the information they contain away from ordinary users. Note that this permission restriction does not protect the logs from an attacker who has already obtained root privileges; sending important logs to a separate log host is the usual safeguard against tampering.

Example: view the log files and subdirectories in the "/var/log" directory.


Among these log files, the more important or more frequently consulted ones are:

    • /var/log/messages: Records Linux kernel messages and the general log information of various applications, including startup, I/O errors, network errors, program failures and so on. For applications or services that do not use a log file of their own, the related events can usually be found in this file.

    • /var/log/cron: Records the events generated by the crond scheduled-task daemon.

    • /var/log/dmesg: Records the kernel messages produced while the Linux system boots.

    • /var/log/maillog: Records e-mail activity entering or leaving the system.

    • /var/log/lastlog: Records the most recent successful login of each user. This is a binary file; read it with the lastlog command.

    • /var/log/rpmpkgs: Records the list of RPM packages installed on the system.

    • /var/log/secure: Records security-related events and the authentication process of user logins (for example the messages of sshd and su).

    • /var/log/wtmp: Records every user login and logout and every system startup and shutdown. This is a binary file; read it with the last command.

    • /var/run/utmp: Records the details of each user currently logged on. This is a binary file; read it with the who or w command.

2. View Log file contents

Most log files are plain text and can be viewed with text-processing tools such as tail, more, less and cat. In practice tail is used most, because it conveniently shows the most recent log entries; with the "-f" option, tail keeps the file open and prints new entries as they are written, so the log can be watched in real time. If the file may be rotated while you are watching it, use "-F" instead, which reopens the file by name after rotation. The binary logs mentioned above (wtmp, utmp, lastlog) cannot be read this way and need their own commands (last, who, lastlog).

Typically, the kernel and most system messages are recorded in the shared log file "/var/log/messages", while the messages of some other programs are recorded in separate files. Depending on the syslog configuration, log messages can also be written to a specific storage device or sent directly to logged-in users.

Example: monitor the log information in /var/log/messages in real time.

[root@localhost ~]# tail -f /var/log/messages
Oct 21 04:48:35 localhost avahi-daemon[3152]: Joining mDNS multicast group on interface eth0.IPv4 with address 192.168.80.130.
Oct 21 04:48:35 localhost avahi-daemon[3152]: Registering new address record for 192.168.80.130 on eth0.
Oct 21 04:48:35 localhost net[4094]: /sbin/dhclient-script: updated /etc/resolv.conf
Oct 21 04:48:35 localhost dhclient: bound to 192.168.80.130 -- renewal in 760 seconds.
Oct 21 05:01:15 localhost dhclient: DHCPREQUEST on eth0 to 192.168.80.254 port 67
Oct 21 05:01:15 localhost dhclient: DHCPACK from 192.168.80.254
Oct 21 05:01:15 localhost dhclient: bound to 192.168.80.130 -- renewal in 723 seconds.
Oct 21 05:13:18 localhost dhclient: DHCPREQUEST on eth0 to 192.168.80.254 port 67
Oct 21 05:13:18 localhost dhclient: DHCPACK from 192.168.80.254
Oct 21 05:13:18 localhost dhclient: bound to 192.168.80.130 -- renewal in 749 seconds.
Oct 21 05:22:58 localhost kernel: Installing knfsd (copyright (C) 1996 [email protected]).
Oct 21 05:22:58 localhost kernel: nfsd: using /var/lib/nfs/v4recovery as the NFSv4 state recovery directory
Oct 21 05:22:58 localhost kernel: NFSD: starting 90-second grace period

Most log files use the same record format. The following uses the common log file "/var/log/messages" as an example to explain the basic format of a log record.

Each line of the log file represents one message, and each message consists of four fields in a fixed order:

    • Time label: the date and time at which the message was issued (this classic format does not include the year).

    • Host name: the name of the computer that generated the message.

    • Subsystem name: the name of the program that issued the message, often followed by its process ID in square brackets, as in "avahi-daemon[3152]".

    • Message: the actual content of the message.

For example, the last message shown above:

Oct 21 05:22:58 localhost kernel: NFSD: starting 90-second grace period

means: at 05:22:58 on October 21, on the host named localhost, the kernel issued the message "NFSD: starting 90-second grace period", generated by the NFSD service running inside the kernel.
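The four-field format described above, together with the tail-based viewing in section 2, is easy to turn into a small parser. The following Python example is added here and is not part of the original article: it parses a set of /var/log/messages-style lines embedded inline (a subset of the output shown above, plus three constructed sshd lines in the format /var/log/secure uses for SSH logins and one "-- MARK --" heartbeat line that syslogd writes without a program field), splits off the process ID that many programs append to the subsystem name, counts records per subsystem, and extracts failed-password attempts from the sshd messages. The function names, the sshd sample lines and the address 203.0.113.5 are assumptions made for the example; the "Failed password for ..." wording is OpenSSH's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input (not real output of any particular host): the first
# six lines mirror the /var/log/messages excerpt in the article, the three sshd
# lines imitate what /var/log/secure records for SSH logins, and the final
# "-- MARK --" line is syslogd's periodic heartbeat, which has no program field.
SAMPLE_LOG = """\
Oct 21 04:48:35 localhost avahi-daemon[3152]: Joining mDNS multicast group on interface eth0.IPv4 with address 192.168.80.130.
Oct 21 04:48:35 localhost net[4094]: /sbin/dhclient-script: updated /etc/resolv.conf
Oct 21 04:48:35 localhost dhclient: bound to 192.168.80.130 -- renewal in 760 seconds.
Oct 21 05:01:15 localhost dhclient: DHCPREQUEST on eth0 to 192.168.80.254 port 67
Oct 21 05:01:15 localhost dhclient: DHCPACK from 192.168.80.254
Oct 21 05:22:58 localhost kernel: NFSD: starting 90-second grace period
Oct 21 05:30:01 localhost sshd[4210]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Oct 21 05:30:04 localhost sshd[4210]: Failed password for root from 203.0.113.5 port 51130 ssh2
Oct 21 05:30:09 localhost sshd[4215]: Accepted publickey for alice from 192.168.80.1 port 50022 ssh2
Oct 21 05:40:00 localhost -- MARK --
"""


@dataclass
class LogRecord:
    """One log message split into the four fields the article describes."""
    timestamp: str        # "Oct 21 05:22:58"; the classic format carries no year
    host: str             # name of the machine that generated the message
    subsystem: str        # program name, e.g. "kernel", "dhclient", "sshd"
    pid: Optional[int]    # the "[1234]" many programs append to their name, if any
    message: str          # the message text proper


# Month, day (single-digit days are space-padded, hence \s+), time, host, then
# "program[pid]: " or "program: " followed by the rest of the line.
_LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s?"
    r"(?P<msg>.*)$"
)

# OpenSSH's wording for a rejected password; "invalid user" is present when the
# account does not exist at all.
_FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def parse_line(line: str) -> Optional[LogRecord]:
    """Parse one line; return None for lines that do not follow the format."""
    m = _LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    pid = int(m.group("pid")) if m.group("pid") else None
    return LogRecord(m.group("ts"), m.group("host"), m.group("prog"), pid, m.group("msg"))


def parse_log(text: str) -> List[LogRecord]:
    """Parse a whole log, skipping lines that do not match (such as MARK lines)."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            records.append(rec)
    return records


def count_by_subsystem(records: List[LogRecord]) -> Counter:
    """How many messages each program wrote; a quick way to spot a noisy or unexpected source."""
    return Counter(r.subsystem for r in records)


def failed_logins(records: List[LogRecord]) -> List[Tuple[str, str]]:
    """(user, source address) for every sshd 'Failed password' message, in log order."""
    hits = []
    for r in records:
        if r.subsystem != "sshd":
            continue
        m = _FAILED_RE.search(r.message)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} records parsed")
    for prog, n in count_by_subsystem(recs).most_common():
        print(f"  {prog:14s} {n}")
    for user, addr in failed_logins(recs):
        print(f"failed login: user={user} from={addr}")
```

To run it against a live file, replace SAMPLE_LOG with the contents of /var/log/messages or /var/log/secure (as root, since these files are not world-readable); the same regular expression applies to both, because they share the four-field format.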

This article is from the "a pot of turbid wine" blog; please contact the author before reproducing it.
