One of the keys to managing any system successfully is knowing what is happening on it. Linux provides logs of system events for this purpose, and the level of detail recorded is configurable. Linux logs are stored as plain text, so you can search and read them without special tools, and you can write scripts that scan these logs and automatically take action based on their contents. Linux logs are stored in the /var/log directory. The system maintains several log files there, but other services and programs may also write their logs to this directory. Most logs can be read only by the root account, but modifying the file permissions allows other users to read them.
Common RedHat Linux log files
The common RedHat Linux log files are described below:
/var/log/boot.log
This file records system events during the boot process, that is, the messages displayed during the Linux boot-time self-check.
/var/log/cron
This log file records the actions of the sub-processes spawned by the crontab daemon crond: the user, the logon time, the PID, and the action of the spawned process. A CMD action is the common case, in which cron spawns a scheduled job. A REPLACE action records an update to a user's cron file, which lists the tasks to be executed periodically. A RELOAD action occurs shortly after a REPLACE action; it means cron noticed that a user's cron file was updated and needs to reload it into memory. Unusual situations may be discovered in this file.
/var/log/maillog
This log file records every email activity sent to or from the system. It can be used to see which mail sending tool a user uses and which system the data is sent to. The following is a snippet of the log file:
Sep 4 17:23:52 UNIX sendmail[1950]: g849Npp01950: from=root, size=25, class=0, nrcpts=1, msgid=<200209040923.g849Npp01950@redhat.pfcc.com.cn>, relay=root@localhost
Sep 4 17:23:55 UNIX sendmail[1950]: g849Npp01950: to=lzy@fcceec.net, ctladdr=root (0/0), delay=00:00:04, xdelay=00:00:03, mailer=esmtp, pri=30025, relay=fcceec.net. [10.152.8.2], dsn=2.0.0, stat=Sent (Message queued)
/var/log/messages
This log file is a summary of many process log files, from which you can see any intrusion attempt or successful intrusion. For example:
Sep 3 08:30:17 UNIX login[1275]: FAILED LOGIN 2 FROM (null) FOR suying, Authentication failure
Sep 4 17:40:28 UNIX -- suying[2017]: LOGIN ON pts/1 BY suying FROM fcceec.www.ec8.pfcc.com.cn
Sep 4 17:40:39 UNIX su(pam_unix)[2048]: session opened for user root by suying(uid=999)
The format of this file is that each line contains a date, the host name, the program name followed by square brackets containing the PID or kernel ID, a colon and a space, and finally the message. This file has one disadvantage: the recorded intrusion attempts and successful intrusions are drowned in a large number of normal process records. However, what is written here can be customized through /etc/syslog.conf: that configuration file determines how the system writes /var/log/messages. How to configure /etc/syslog.conf to control the behaviour of system logging is described in detail later.
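The line layout just described (date, host name, program name, optional bracketed PID, colon, message) is regular enough to parse with a small script, which is the usual answer to the "drowned in normal records" problem. The following is an added example, not code from the original article: it splits each line into its fields and flags the three kinds of event shown in the excerpt above (a failed login, an interactive login with its source, and an su session opened for root). The sample lines are copies of the page's own /var/log/messages excerpt plus one sendmail line constructed from the maillog excerpt; the alert names and regular expressions are this example's own choices.

```python
import re
import sys
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Sample input: the three /var/log/messages lines quoted on this page plus
# one sendmail line (constructed from the maillog excerpt) that should not alert.
SAMPLE_LINES = [
    "Sep 3 08:30:17 UNIX login[1275]: FAILED LOGIN 2 FROM (null) FOR suying, Authentication failure",
    "Sep 4 17:40:28 UNIX -- suying[2017]: LOGIN ON pts/1 BY suying FROM fcceec.www.ec8.pfcc.com.cn",
    "Sep 4 17:40:39 UNIX su(pam_unix)[2048]: session opened for user root by suying(uid=999)",
    "Sep 4 17:23:52 UNIX sendmail[1950]: g849Npp01950: from=root, size=25, class=0, nrcpts=1",
]

# Layout described in the text: date, host name, program name, optional [PID],
# a colon and a space, then the message. The program field is matched lazily
# so that forms such as "su(pam_unix)" or "-- suying" still parse, and the
# bracketed PID is optional because kernel messages lack one.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>.+?)\s*(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Message patterns for the events the page points at (example's own choices).
FAILED_LOGIN = re.compile(r"FAILED LOGIN .* FOR (?P<user>[^,\s]+)")
SU_TO_ROOT = re.compile(r"session opened for user root by (?P<user>[^\s(]+)")
LOGIN_FROM = re.compile(r"LOGIN ON (?P<tty>\S+) BY (?P<user>\S+) FROM (?P<src>\S+)")


@dataclass
class Event:
    ts: str
    host: str
    prog: str
    pid: Optional[int]
    msg: str


def parse_line(line: str) -> Optional[Event]:
    """Split one syslog line into its fields; None if it does not fit the layout."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    pid = m.group("pid")
    return Event(m.group("ts"), m.group("host"), m.group("prog"),
                 int(pid) if pid else None, m.group("msg"))


def classify(ev: Event) -> Optional[Tuple[str, str]]:
    """Return (alert_kind, user) for login-related events, else None."""
    m = FAILED_LOGIN.search(ev.msg)
    if m:
        return ("failed_login", m.group("user"))
    m = SU_TO_ROOT.search(ev.msg)
    if m:
        return ("su_to_root", m.group("user"))
    m = LOGIN_FROM.search(ev.msg)
    if m:
        return ("login", m.group("user"))
    return None


def scan(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Run every line through the parser and collect the alerts, in file order."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        hit = classify(ev)
        if hit is not None:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    # Usage: python messages_scan.py < /var/log/messages   (falls back to the sample)
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    for line in source:
        ev = parse_line(line)
        hit = classify(ev) if ev else None
        if hit:
            print(f"{ev.ts} {ev.host} {ev.prog}[{ev.pid}] -> {hit[0]} user={hit[1]}")
```

Lines that do not fit the layout are skipped rather than raising, since a real messages file mixes in continuation lines and "last message repeated N times" markers; the alert list keeps file order so that the failed login, the subsequent login and the su to root can be read as one sequence.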
/var/log/syslog
By default, RedHat Linux does not generate this log file, but you can configure /etc/syslog.conf so that the system generates it. It differs from /var/log/messages in that it records only warning-level messages, which are usually signs of system problems, so this file deserves closer attention. To have the system generate the log file, add the following line to /etc/syslog.conf (older syslogd versions require the two fields to be separated by a tab rather than spaces):
*.warning /var/log/syslog
This log file records information such as wrong passwords noted by login during user logon, sendmail problems, and failed executions of the su command. Below is a record:
Sep 6 16:47:52 UNIX login (pam_unix) [2384]: check pass; user unknown
/var/log/secure
This log file records security-related information. Part of the log file is as follows:
Sep 4 16:05:09 UNIX xinetd [711]: START: ftp pid = 1815 from = 127.0.0.1
Sep 4 16:05:09 UNIX xinetd [1815]: USERID: ftp OTHER: root
Sep 4 16:07:24 UNIX xinetd [711]: EXIT: ftp pid = 1815 duration = 135 (sec)
Sep 4 16:10:05 UNIX xinetd [711]: START: ftp pid = 1846 from = 127.0.0.1
Sep 4 16:10:05 UNIX xinetd [1846]: USERID: ftp OTHER: root
Sep 4 16:16:26 UNIX xinetd [711]: EXIT: ftp pid = 1846 duration = 381 (sec)
Sep 4 17:40:20 UNIX xinetd [711]: START: telnet pid = 2016 from = 10.152.8.2
/var/log/lastlog
This log file records the most recent successful logon and the last unsuccessful logon of each user; it is written by login. It is a binary file and must be viewed with the lastlog command, which displays the username, port, and last logon time, sorted by UID. A user who has never logged on is shown as "**Never logged in**". This command can only be executed as root. Simply enter the lastlog command and you will see output similar to the following:
Username         Port     From             Latest
root             tty2                      Tue Sep 3 08:32:27 +0800 2002
bin                                        **Never logged in**
daemon                                     **Never logged in**
adm                                        **Never logged in**
lp                                         **Never logged in**
sync                                       **Never logged in**
shutdown                                   **Never logged in**
halt                                       **Never logged in**
mail                                       **Never logged in**
news                                       **Never logged in**
uucp                                       **Never logged in**
operator                                   **Never logged in**
games                                      **Never logged in**
gopher                                     **Never logged in**
ftp              ftp      UNIX             Tue Sep 3 14:49:04 +0800 2002
nobody                                     **Never logged in**
nscd                                       **Never logged in**
mailnull                                   **Never logged in**
ident                                      **Never logged in**
rpc                                        **Never logged in**
rpcuser                                    **Never logged in**
xfs                                        **Never logged in**
gdm                                        **Never logged in**
postgres                                   **Never logged in**
apache                                     **Never logged in**
lzy              tty2                      Mon Jul 15 08:50:37 +0800 2002
suying           tty2                      Tue Sep 3 08:31:17 +0800 2002
System accounts such as bin, daemon, adm, uucp, and mail should never log on. If these accounts show a logon, the system may have been intruded. If the recorded time is not the time the user actually logged on at the console, the user's account has been compromised (its password leaked).
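The "system accounts should never log on" rule is easy to turn into a routine check over lastlog output. The following is an added example, not code from the original article: it parses the text that lastlog prints (header line, then one row per account, where a row either ends in "**Never logged in**" or carries a port, an optional source host and a timestamp) and reports any system account with a recorded logon. The sample is an abridged copy of the page's own lastlog output with one constructed row added (daemon logging in on tty1) so the check has something to flag; the SYSTEM_ACCOUNTS list is this example's assumption and should be adjusted per site.

```python
from typing import List, NamedTuple, Optional

# Accounts that should never show an interactive login: the five the page
# names plus other stock RedHat service accounts (assumed list; extend per site).
# "ftp" is deliberately left out: the ftp row in the page's output is the
# anonymous FTP service, and whether that counts as suspicious is a policy call.
SYSTEM_ACCOUNTS = {
    "bin", "daemon", "adm", "uucp", "mail", "lp", "sync", "shutdown", "halt",
    "news", "operator", "games", "gopher", "nobody",
}

NEVER = "**Never logged in**"

# Abridged copy of the lastlog output shown on this page, with one constructed
# row added (daemon on tty1) so that the check below has something to report.
SAMPLE_LASTLOG = """\
Username         Port     From             Latest
root             tty2                      Tue Sep 3 08:32:27 +0800 2002
bin                                        **Never logged in**
daemon           tty1                      Wed Sep 4 02:13:00 +0800 2002
adm                                        **Never logged in**
uucp                                       **Never logged in**
mail                                       **Never logged in**
ftp              ftp      UNIX             Tue Sep 3 14:49:04 +0800 2002
nobody                                     **Never logged in**
lzy              tty2                      Mon Jul 15 08:50:37 +0800 2002
suying           tty2                      Tue Sep 3 08:31:17 +0800 2002
"""


class LastLogin(NamedTuple):
    user: str
    port: Optional[str]
    host: Optional[str]
    latest: Optional[str]  # None for "**Never logged in**"


def parse_lastlog(text: str) -> List[LastLogin]:
    """Parse `lastlog` output: a header line followed by one row per account."""
    rows: List[LastLogin] = []
    for line in text.splitlines()[1:]:
        line = line.strip()
        if not line:
            continue
        if line.endswith(NEVER):
            rows.append(LastLogin(line[: -len(NEVER)].strip(), None, None, None))
            continue
        toks = line.split()
        # The timestamp ("Tue Sep 3 08:32:27 +0800 2002") is always the last
        # six tokens; before it come the user, the port and, optionally, the host.
        user, port, rest = toks[0], toks[1], toks[2:]
        host = rest[0] if len(rest) > 6 else None
        rows.append(LastLogin(user, port, host, " ".join(rest[-6:])))
    return rows


def system_accounts_with_logins(rows: List[LastLogin]) -> List[LastLogin]:
    """The check the page describes: any system account with a recorded logon."""
    return [r for r in rows if r.user in SYSTEM_ACCOUNTS and r.latest is not None]


if __name__ == "__main__":
    # Run as root against the live system:  lastlog | python lastlog_check.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LASTLOG
    for r in system_accounts_with_logins(parse_lastlog(text)):
        print(f"WARNING: system account {r.user} logged in on {r.port} at {r.latest}")
```

Because the port and source host columns are blank for accounts that never logged in, the parser keys on the trailing marker text first and only then splits the remaining rows on whitespace, which also tolerates the double space real lastlog prints before single-digit days.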
/var/log/wtmp
This log file permanently records the logon and logout of every user and the startup and shutdown of the system. Consequently, as the system runs, the file keeps growing at a rate that depends on how often users log on. This log file can be used to review user logon records: the last command obtains this information by reading this file and displays the logon records in reverse chronological order. last can also restrict the output to a given user, terminal (tty) or time.
The last command has two optional parameters:
last -u username displays that user's last logon status.
last -t days shows user logons before the specified number of days.
/var/run/utmp
This log file records information about each user currently logged on. It therefore changes as users log in and out of the system; it keeps only the records of users online at that moment and holds no permanent record. Programs that need to query the current user state, such as who, w, users, and finger, read this file. The information in it is not always accurate: some unexpected errors terminate a user's logon session without the system updating the utmp record in time, so this file is not fully trustworthy.
The three files mentioned above (/var/log/wtmp, /var/run/utmp, /var/log/lastlog) are key files of the log subsystem, and all of them record user logon status. When all the records of these files contain
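Because wtmp and utmp are binary rather than text, they cannot be inspected with grep the way the other files can; last and who decode fixed-size records. The following is an added example, not code from the original article, that decodes those records directly. It assumes the record layout glibc uses on 64-bit Linux (384 bytes per entry, little-endian, with two bytes of padding after the type field; other C libraries and architectures differ), builds a constructed three-record wtmp image in memory, reproduces what last does (user logins, newest first) and what who does with utmp (a login on a line stays current until a DEAD_PROCESS record for the same line closes it). The last function also shows the staleness described above: a session that ends without writing its DEAD_PROCESS record remains listed. The user and host names are taken from the page's excerpts; the timestamps and PIDs are constructed.

```python
import struct
import time
from typing import Dict, List, NamedTuple

# Record layout of glibc's struct utmp on 64-bit Linux: 384 bytes per entry,
# little-endian, with 2 bytes of padding after ut_type. Assumed layout for this
# example; other libcs and architectures differ in size and padding.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

# ut_type values from <utmp.h>
USER_PROCESS = 7
DEAD_PROCESS = 8


class UtmpEntry(NamedTuple):
    ut_type: int
    pid: int
    line: str   # terminal, e.g. "tty2" or "pts/1"
    user: str
    host: str
    ts: int     # seconds since the epoch


def _cstr(raw: bytes) -> str:
    """NUL-terminated fixed-width field -> str."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def pack_entry(ut_type: int, pid: int, line: str, user: str, host: str, ts: int) -> bytes:
    """Build one record the way login/init would (used here to construct sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0, b"")


def parse_utmp(data: bytes) -> List[UtmpEntry]:
    """Decode a whole utmp/wtmp file image into entries, in file order."""
    if len(data) % UTMP_SIZE:
        raise ValueError("file size is not a multiple of %d bytes" % UTMP_SIZE)
    entries = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        # f[2]=ut_line, f[4]=ut_user, f[5]=ut_host, f[9]=ut_tv.tv_sec
        entries.append(UtmpEntry(f[0], f[1], _cstr(f[2]), _cstr(f[4]), _cstr(f[5]), f[9]))
    return entries


def logins_newest_first(entries: List[UtmpEntry]) -> List[UtmpEntry]:
    """What `last` shows from wtmp: user logins in reverse chronological order."""
    return [e for e in reversed(entries) if e.ut_type == USER_PROCESS]


def currently_logged_in(entries: List[UtmpEntry]) -> List[UtmpEntry]:
    """What `who` derives from utmp: a login on a line stays current until a
    DEAD_PROCESS record for the same line closes it. A session that died without
    writing that record stays listed, which is the staleness the text warns about."""
    active: Dict[str, UtmpEntry] = {}
    for e in entries:
        if e.ut_type == USER_PROCESS:
            active[e.line] = e
        elif e.ut_type == DEAD_PROCESS:
            active.pop(e.line, None)
    return list(active.values())


# Constructed sample: suying logs in remotely on pts/1, root logs in on tty2,
# then suying's session on pts/1 ends. Names mirror the page's excerpts;
# PIDs and timestamps are made up.
SAMPLE_WTMP = b"".join([
    pack_entry(USER_PROCESS, 2017, "pts/1", "suying", "fcceec.www.ec8.pfcc.com.cn", 1031132428),
    pack_entry(USER_PROCESS, 1275, "tty2", "root", "", 1031132500),
    pack_entry(DEAD_PROCESS, 2017, "pts/1", "", "", 1031135000),
])


if __name__ == "__main__":
    # Usage: python wtmp_dump.py /var/log/wtmp   (falls back to the sample image)
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WTMP
    for e in logins_newest_first(parse_utmp(data)):
        print(f"{e.user:<10} {e.line:<8} {e.host:<30} {time.strftime('%c', time.localtime(e.ts))}")
```

Reading the file as a whole and checking that its length is a multiple of the record size is a cheap integrity check: a wtmp that has been truncated or edited by hand, as someone covering tracks might do, often fails it, and a mismatch between what this decoder lists and what last prints on the same host points to a record layout or libc difference rather than tampering.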