Qmail mail system logs and management (1)

Source: Internet
Author: User
Tags: touch command, qmail

Qmail runs well once it is installed, but installation and configuration are only the beginning: the system logs and the qmail logs are what let you tell whether the host and qmail are healthy and find the cause when something goes wrong.

The previous articles covered installing qmail on a Unix system. Once the configuration work is done you may think the job is nearly over; in fact it has only just begun. Compared with installation and configuration, the part administrators really dislike is day-to-day management and finding and fixing errors. This article looks at how to use logs to judge whether the system and qmail are working normally and to locate and solve problems. Two kinds of logs are involved: the system logs and the qmail logs. We start with the system logs, because the security of the host is the foundation of every service on it and the context in which the qmail logs have to be read.

1. System Logs

Unix systems track system events and record the messages of each event in system log files. Logs matter for security: they record the events that happen on the system day by day, and you use them to find the cause of an error or, after an attack, the traces the attacker left behind. Their main uses are auditing and monitoring: they also let you watch the state of the system in near real time and detect and track intrusions. As an administrator you should go through the logs at least once a day to catch system or security problems. On Linux there are three main log subsystems; the first two are described below.

1.1 Connection time log

Connection-time logging is performed by several programs that write to /var/log/wtmp and /var/run/utmp; login and related programs update wtmp and utmp so that the administrator can track who is logged on to the system at any moment. wtmp and utmp are binary files: they cannot be read or edited with text tools such as cat and tail. Instead, the information in the two files is read with who, w, users, last and ac.

who: The who command queries the utmp file and reports every user currently logged on. Its default output shows the user name, terminal, login time and remote host. Example: who (press ENTER) displays (Table 1):

chyang   pts/0   Aug 18 :06     (192.168.1.3)
ynguo    pts/2   Aug 18 :32     (192.168.1.3)
ynguo    pts/3   Aug 18 :55     (192.168.1.3)
lewis    pts/4   Aug 18 :35     (192.168.1.3)
ynguo    pts/7   Aug 18 14:12   (192.168.1.3)
ylou     pts/8   Aug 18 14:15   (192.168.1.3)

If the wtmp file is given as an argument, who reports every earlier record as well. The command who /var/log/wtmp reports every login since the wtmp file was created or last truncated.

w: The w command queries utmp and shows, for each user currently on the system, who they are and what they are running. Example: w (press ENTER) displays (Table 2):

3:36pm up 1 day, 6 users, load average: 0.23, 0.29, 0.27

USER     TTY    FROM             LOGIN@   IDLE    JCPU    PCPU   WHAT
chyang   pts/0  202.38.68.242    pm               0.08s   0.04s  -bash
ynguo    pts/2  202.38.79.47     pm       0.00s   0.14s   0.05s  w
lewis    pts/3  202.38.64.233    pm       30:39   0.27s   0.22s  -bash
lewis    pts/4  202.38.64.233    pm               6.00s   4.03s  sh /home/users/
ynguo    pts/7  simba.nic.ustc.e pm       0.00s   0.47s   0.24s  telnet mail
ylou     pts/8  202.38.64.235    pm       1:09m   0.10s   0.04s  -bash

users: The users command prints the currently logged-on users on a single line. Each name corresponds to one login session, so a user with several sessions appears that many times. Example: users (press ENTER): chyang lewis ylou ynguo

last: The last command searches back through wtmp and shows the users who have logged on since the file was created. Example (Table 3):

chyang   pts/9   202.38.68.242   Tue Aug 1
cfan     pts/6   202.38.64.20    Tue Aug 1
chyang   pts/4   202.38.68.242   Tue Aug 1
lewis    pts/3   202.38.64.233   Tue Aug 1
lewis    pts/2   202.38.64.233   Tue Aug 1

If a user name is given, last reports only that user's recent activity. For example, last ynguo (press ENTER) displays (Table 4):

ynguo   pts/4    simba.nic.ustc.e   Fri Aug 4
ynguo   pts/4    simba.nic.ustc.e   Thu Aug 3
ynguo   pts/11   simba.nic.ustc.e   Thu Aug 3
ynguo   pts/0    simba.nic.ustc.e   Thu Aug 3
ynguo   pts/0    simba.nic.ustc.e   Wed Aug 2   0:04 - 0:16   (1+02:12)
ynguo   pts/0    simba.nic.ustc.e   Wed Aug 2
ynguo   pts/9    simba.nic.ustc.e   Thu Aug 1

ac: The ac command reports users' connect time in hours, based on the login and logout times recorded in the current /var/log/wtmp. With no options it reports only the grand total. Example: ac (press ENTER): total 5177.47

ac -d (press ENTER) displays the total connect time for each day (Table 5):

Aug 12   total   261.87
Aug 13   total   351.39
Aug 14   total   396.09
Aug 15   total   462.63
Aug 16   total   270.45
Aug 17   total   104.29
Today    total   179.02

ac -p (press ENTER) displays the total connect time of each user (Table 6):

ynguo      193.23
yucao        3.35
rong      1,133.40
hdai      1,10.52
zjzhu       52.87
zqzhou      13.14
liangliu    24.34
total     5178.24

lastlog: The lastlog file is updated each time a user logs on. The lastlog command formats and prints /var/log/lastlog, so you can check when a given user last logged in. It lists, sorted by UID, the login name, port (tty), remote host and time of the last login; for a user who has never logged on it prints "**Never logged in**". Note that it should be run as root. Example (Table 7):

rong      5   202.38.64.187   Fri Aug 18 15:57:01 +0800 2000
dbb           **Never logged in**
xinchen       **Never logged in**
pb9511        **Never logged in**
xchen     0   202.38.64.190   Sun Aug 13 10:01:22 +0800 2000

lastlog also accepts options: lastlog -u 102 reports only the user whose UID is 102, and lastlog -t 7 limits the report to logins within the last seven days.
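Because wtmp and utmp are binary, everything above depends on who, last and ac to interpret them. The following script is an added example (not code from the original article) that reads the same records directly: it pairs each login with the logout or reboot that ends it, as last does, sums connect time per user, as ac -p does, and flags logins from hosts outside a trusted prefix, which is the check worth running daily. It assumes the glibc x86-64 Linux struct utmp layout (384-byte little-endian records); the sample wtmp it builds is constructed, not a real file, and the trusted-prefix allowlist is hypothetical.

```python
"""Read Linux utmp/wtmp records and rebuild login sessions (added example).

Assumptions: glibc x86-64 struct utmp (384 bytes, little-endian); the sample
wtmp below is constructed, not a real file.
"""
import struct
import time
from collections import defaultdict

# struct utmp on glibc x86-64, little-endian with explicit padding:
#   ut_type(2) pad(2) ut_pid(4) ut_line[32] ut_id[4] ut_user[32] ut_host[256]
#   ut_exit{e_termination(2) e_exit(2)} ut_session(4) ut_tv{sec(4) usec(4)}
#   ut_addr_v6[4](16) __unused[20]
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384

BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8   # ut_type values used here


def _cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def parse_utmp(data):
    """Yield one dict per record; refuse data that is not a whole number of records."""
    if len(data) % UTMP_SIZE:
        raise ValueError("truncated utmp data or a different struct utmp layout")
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield {"type": f[0], "pid": f[1], "line": _cstr(f[2]),
               "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]}


def sessions(records):
    """Pair each USER_PROCESS login with the DEAD_PROCESS on the same tty that ends it.
    A BOOT_TIME record ends every open session, the way last prints "- down"."""
    open_by_line, done = {}, []
    for r in records:
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            s = open_by_line.pop(r["line"])
            done.append((s["user"], s["line"], s["host"], s["time"], r["time"], "logout"))
        elif r["type"] == BOOT_TIME:
            for s in open_by_line.values():
                done.append((s["user"], s["line"], s["host"], s["time"], r["time"], "down"))
            open_by_line.clear()
    for s in open_by_line.values():
        done.append((s["user"], s["line"], s["host"], s["time"], None, "still logged in"))
    return done


def connect_hours(sess, now):
    """Connect time per user in hours, the figure ac -p reports; open sessions count up to `now`."""
    hours = defaultdict(float)
    for user, _line, _host, start, end, _how in sess:
        hours[user] += ((end if end is not None else now) - start) / 3600.0
    return dict(hours)


def logins_from_untrusted_hosts(sess, trusted_prefixes):
    """Sessions whose source host matches none of the trusted prefixes (hypothetical allowlist)."""
    return [s for s in sess if not any(s[2].startswith(p) for p in trusted_prefixes)]


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Pack one record in the layout above; used only to build the constructed sample."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


# Constructed sample wtmp: a boot, two logins, one logout, a reboot that cuts
# the second session short, and a login that is still open.
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "", 0),
    make_record(USER_PROCESS, 1201, "pts/0", "ynguo", "192.168.1.3", 1000),
    make_record(USER_PROCESS, 1305, "pts/2", "chyang", "202.38.68.242", 2000),
    make_record(DEAD_PROCESS, 1201, "pts/0", "", "", 4600),
    make_record(BOOT_TIME, 0, "~", "reboot", "", 5000),
    make_record(USER_PROCESS, 1410, "pts/0", "lewis", "202.38.64.233", 5100),
])

if __name__ == "__main__":
    # Replace SAMPLE_WTMP with open("/var/log/wtmp", "rb").read() (as root) for real data.
    sess = sessions(parse_utmp(SAMPLE_WTMP))
    for user, line, host, start, end, how in sess:        # a last-style listing
        print(f"{user:8} {line:6} {host:16} {time.ctime(start)}  {how}")
    print(connect_hours(sess, now=8700))
    print(logins_from_untrusted_hosts(sess, ("192.168.",)))
```

The size check in parse_utmp matters in practice: a wtmp copied from a host with a different libc or architecture has a different record size, and parsing it with the wrong layout silently produces garbage rather than an error.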

1.2 Process accounting log

Process accounting is performed by the kernel: when a process terminates, the kernel appends one record for it to the process accounting file (pacct or acct). Process accounting provides command usage statistics for the basic services on the system.

UNIX can track every command run by every user. If you want to know which important files were tampered with last night, the process accounting subsystem can tell you, which makes it useful for tracing an intrusion. Unlike connection-time logging, process accounting is not active by default and has to be started. On Linux it is started with the accton command, which must be run as root. The form is accton file, and the file must already exist, so create it first with touch:

# touch /var/log/pacct

Then start accounting (the file will record every command run by every user, so keep it readable by root only):

# accton /var/log/pacct

Once accounting is active you can use lastcomm at any time to see which commands have been executed on the system. To turn accounting off, run accton with no arguments.

lastcomm reports previously executed commands. Without arguments it shows information about every command recorded over the lifetime of the current accounting file: command name, flags, user, tty, CPU time consumed and a timestamp. In the flags column S marks a command that ran with superuser privileges and F a process that forked but did not exec; ?? in the tty column means the process had no controlling terminal, which is normal for cron jobs. On a system with many users the output is very long. Example (Table 8):

crond             F   root   ??   0.00 secs   Sun Aug 20
promisc_check.s   S   root   ??   0.04 secs   Sun Aug 20
promisc_check         root   ??   0.01 secs   Sun Aug 20
grep                  root   ??   0.02 secs   Sun Aug 20
tail                  root   ??   0.01 secs   Sun Aug 20
sh                    root   ??   0.01 secs   Sun Aug 20
ping              S   root   ??   0.01 secs   Sun Aug 20
ping6.pl          F   root   ??   0.01 secs   Sun Aug 20
sh                    root   ??   0.01 secs   Sun Aug 20
ping              S   root   ??   0.02 secs   Sun Aug 20
ping6.pl          F   root   ??   0.02 secs   Sun Aug 20
sh                    root   ??   0.02 secs   Sun Aug 20
ping              S   root   ??   0.00 secs   Sun Aug 20
ping6.pl          F   root   ??   0.01 secs   Sun Aug 20
sh                    root   ??   0.01 secs   Sun Aug 20
ping              S   root   ??   0.01 secs   Sun Aug 20

One problem with process accounting is that the pacct file can grow very quickly. To keep it under control, run the sa command, interactively or from cron. sa reports on, condenses and maintains the accounting files: it can fold the information in /var/log/pacct into the summary files /var/log/savacct (statistics by command name) and /var/log/usracct (statistics by user name). By default sa reads those summaries first and then the pacct file, so its report covers all available information. The columns of sa output are labelled as follows (Table 9):

avio: average number of I/O operations per execution
cp: sum of user and system CPU time, in minutes
cpu: same as cp
k: average core (memory) use, in 1k units
k*sec: CPU storage integral, in 1k-core seconds
re: real (elapsed) time, in minutes
s: system time, in minutes
tio: total number of I/O operations
u: user time, in minutes

For example (Table 10):

842   173.26re   4.30cp   0avio   358k
  2    10.98re   4.06cp   0avio   299k   find
  9    24.80re   0.05cp   0avio   291k   ***other
105    30.44re   0.03cp   0avio   302k   ping
104    30.55re   0.03cp   0avio   394k   sh
162     0.11re   0.03cp   0avio   413k   security.sh*
154     0.03re   0.02cp   0avio   273k   ls
 56    31.61re   0.02cp   0avio   823k   ping6.pl*
  2     3.23re   0.02cp   0avio   822k   ping6.pl
 35     0.02re   0.01cp   0avio   257k   md5sum
 97     0.02re   0.01cp   0avio   263k   initlog
 12     0.19re   0.01cp   0avio   399k   promisc_check.s
 15     0.09re   0.00cp   0avio   288k   grep
 11     0.08re   0.00cp   0avio   332k   awk

sa can also summarize by user rather than by command. For example, sa -m displays (Table 11):

         885   173.28re   4.31cp   0avk
root     879   173.23re   4.31cp   0avk
alias      3     0.05re   0.00cp   0avk
qmailp     3     0.01re   0.00cp   0avk
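lastcomm and sa are both front ends to the raw accounting records that the kernel writes. The following script is an added example (not code from the original article) that decodes those records itself, which shows where the F and S flags and the re/cp columns come from: it unpacks the packed comp_t counters, rebuilds a per-command summary in the units sa prints, and implements the check an incident responder actually wants from this data, namely commands that gained superuser privileges while the real uid was not root (setuid-root binaries such as ping). It assumes the current Linux acct_v3 record layout (64 bytes, little-endian, AHZ = 100 ticks per second), which is newer than the format the article's system used; the sample records are constructed, not a real pacct.

```python
"""Decode Linux process-accounting (pacct) records (added example).

Assumptions: acct_v3 layout from <linux/acct.h> (64-byte little-endian records),
AHZ = 100; SAMPLE_PACCT below is constructed, not a real accounting file.
"""
import struct
from collections import defaultdict

# struct acct_v3: ac_flag(1) ac_version(1) ac_tty(2) ac_exitcode(4) ac_uid(4) ac_gid(4)
#   ac_pid(4) ac_ppid(4) ac_btime(4) ac_etime(float 4) then eight comp_t (2 each):
#   ac_utime ac_stime ac_mem ac_io ac_rw ac_minflt ac_majflt ac_swaps, ac_comm[16]
ACCT_FMT = "<BBHIIIIIIf8H16s"
ACCT_SIZE = struct.calcsize(ACCT_FMT)   # 64
AHZ = 100                                # accounting clock ticks per second

# ac_flag bits and the letters lastcomm prints for them
FLAGS = [(0x01, "F"),   # AFORK: forked but never exec'd
         (0x02, "S"),   # ASU: used superuser privileges
         (0x04, "C"),   # ACOMPAT: compatibility mode
         (0x08, "D"),   # ACORE: dumped core
         (0x10, "X")]   # AXSIG: killed by a signal


def decode_comp_t(c):
    """comp_t packs a 13-bit mantissa with a 3-bit base-8 exponent."""
    return (c & 0x1FFF) << (3 * (c >> 13))


def encode_comp_t(value):
    """Inverse of decode_comp_t (lossy above 8191, like the kernel's encoder)."""
    exp = 0
    while value > 0x1FFF:
        value >>= 3
        exp += 1
    return (exp << 13) | value


def flag_letters(flag):
    return "".join(letter for bit, letter in FLAGS if flag & bit)


def parse_pacct(data):
    """Yield one dict per record, with times converted from ticks to seconds."""
    if len(data) % ACCT_SIZE:
        raise ValueError("truncated pacct data or a different acct record layout")
    for off in range(0, len(data), ACCT_SIZE):
        (flag, _ver, tty, _exit, uid, _gid, pid, _ppid, btime, etime,
         utime, stime, mem, _io, _rw, _minflt, _majflt, _swaps, comm) = \
            struct.unpack_from(ACCT_FMT, data, off)
        yield {"comm": comm.split(b"\0", 1)[0].decode("latin-1"),
               "flags": flag_letters(flag), "uid": uid, "tty": tty, "pid": pid,
               "btime": btime, "etime": etime / AHZ,
               "utime": decode_comp_t(utime) / AHZ, "stime": decode_comp_t(stime) / AHZ,
               "mem_kb": decode_comp_t(mem)}


def summarize(records):
    """Per-command totals in the units sa prints: count, re (elapsed min), cp (user+system min)."""
    out = defaultdict(lambda: {"count": 0, "re": 0.0, "cp": 0.0})
    for r in records:
        s = out[r["comm"]]
        s["count"] += 1
        s["re"] += r["etime"] / 60
        s["cp"] += (r["utime"] + r["stime"]) / 60
    return dict(out)


def setuid_by_nonroot(records):
    """Commands that ran with superuser privileges (S) although the real uid was not root."""
    return [r for r in records if "S" in r["flags"] and r["uid"] != 0]


def make_record(comm, flag, uid, tty, btime, etime_ticks, utime_ticks, stime_ticks, mem_kb=300):
    """Pack one acct_v3 record; used only to build the constructed sample."""
    return struct.pack(ACCT_FMT, flag, 3, tty, 0, uid, uid, 4242, 1, btime, float(etime_ticks),
                       encode_comp_t(utime_ticks), encode_comp_t(stime_ticks),
                       encode_comp_t(mem_kb), 0, 0, 0, 0, 0, comm.encode())


# Constructed sample: a cron child, root's own ping, a user's find, the same
# user running setuid ping (tty 5), and a shell.
SAMPLE_PACCT = b"".join([
    make_record("crond", 0x01, 0, 0, 966700000, 1, 0, 0),
    make_record("ping", 0x02, 0, 0, 966700001, 300, 1, 2),
    make_record("find", 0x00, 1001, 5, 966700100, 65880, 4000, 2000),
    make_record("ping", 0x02, 1001, 5, 966700200, 300, 1, 2),
    make_record("sh", 0x00, 1001, 5, 966700300, 100, 1, 1),
])

if __name__ == "__main__":
    # Replace SAMPLE_PACCT with open("/var/log/pacct", "rb").read() (as root) for real data.
    recs = list(parse_pacct(SAMPLE_PACCT))
    for r in recs:                                   # a lastcomm-style listing
        print(f"{r['comm']:16} {r['flags']:2} uid={r['uid']:<5} tty={r['tty']:<3} "
              f"{r['utime'] + r['stime']:.2f} secs")
    print(summarize(recs))
    print([r["comm"] for r in setuid_by_nonroot(recs)])
```

Because comp_t is lossy, large counters come back rounded; that is why sa totals never exactly match a sum of wall-clock measurements, and why the ac_comm field, truncated to 16 bytes by the kernel, cannot distinguish two binaries that share a long prefix.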
