Sinsing analysis of common log files in Linux

Source: Internet
Author: User
Tags: syslog

Logs are very important to the security of a system: they record what happens on it day to day, and a user can consult them to find the cause of an error or the traces an attacker left behind. The main functions of logging are auditing and monitoring. Logs also reveal the state of the system and allow intruders to be detected and tracked in real time.

Logs are usually divided into three types: connection-time logs, process accounting logs, and error logs. Connection-time logging is done by several programs that write records to /var/log/wtmp and /var/run/utmp; the login program updates wtmp and utmp, so the system administrator can keep track of who is logged in to the system. Process accounting is performed by the kernel: when a process terminates, one record for that process is written to the accounting file (pacct or acct). The purpose of process accounting is to provide command-usage statistics for the basic services on the system. Error logging is performed by syslog: the various system daemons, user programs and the kernel report noteworthy events through syslog to the file /var/log/messages.

/var/log/boot.log records events during the system boot process; it holds the messages displayed while the Linux system starts up.

/var/log/cron records the actions of the crontab daemon crond and of the child processes it spawns: each entry is prefixed with the user, the login time and the PID, followed by the action of the spawned process.

/var/log/maillog records every mail activity sent to or from the system; it can be used to see which tool a user used to send mail, or to which system the data was sent.

/var/log/syslog is not generated by default. We can configure /etc/syslog.conf by adding the line "*.warning /var/log/syslog"; warnings are then logged there, such as a wrong password at login, sendmail errors, failed su executions, and so on.

/var/log/wtmp is a permanent record of logons, logoffs, system startups and shutdowns for every user who logs in. As the system's uptime increases, the file grows larger and larger, at a rate that depends on how often users log on. This log file can be used to view a user's login history: the last command reads it to obtain this information, displays the login records in reverse order (newest first), and can also filter the records by user, terminal (tty) or time.

/var/run/utmp records information about each user who is currently logged on, so the file changes as users log on and off the system; it keeps only the records of users currently online and no permanent record of past users. We can query this file with who, w, users, finger, and so on. The log does not contain completely exact information, because some abrupt errors terminate a user's logon session without the system updating the utmp record in time, so the log is not a fully trustworthy record.
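The wtmp and utmp descriptions above are easier to follow once you see the record format that last and who read. The following is an added example, not code from the original article: a minimal Python parser for the binary utmp record layout used by glibc on Linux x86_64 (384-byte records; this layout is an assumption and differs on other architectures), plus a last-like reconstruction of login sessions that pairs each USER_PROCESS record with the DEAD_PROCESS on the same line. The sample wtmp data is constructed in memory, and it includes the two failure modes the article warns about: a reboot with no preceding logout (a crashed session that never got a DEAD_PROCESS record) and a torn partial record at the end of the file.

```python
"""Parse utmp/wtmp records and rebuild login sessions the way `last` does.
Constructed example: sample records are built in memory, not read from the host.
"""
import struct
from datetime import datetime, timezone

# glibc struct utmp on Linux x86_64 (assumed layout): ut_type, 2 bytes padding,
# ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256], ut_exit (2 shorts),
# ut_session, ut_tv (tv_sec, tv_usec as int32), ut_addr_v6[4], 20 unused bytes.
UTMP_FORMAT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)  # 384

# ut_type values from <utmp.h>
EMPTY, RUN_LVL, BOOT_TIME, NEW_TIME, OLD_TIME = 0, 1, 2, 3, 4
INIT_PROCESS, LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS, ACCOUNTING = 5, 6, 7, 8, 9
TYPE_NAMES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
              5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
              8: "DEAD_PROCESS", 9: "ACCOUNTING"}


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width field the way the C tools (who, last) do."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def build_record(ut_type, pid, line, ident, user, host, tv_sec):
    """Pack one utmp record; used here only to construct sample wtmp data."""
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), ident.encode(),
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def parse_utmp(data: bytes):
    """Yield one dict per complete record. A trailing partial record is skipped
    rather than decoded, the defensive choice for a truncated or torn wtmp."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FORMAT, data, off)
        yield {"type": TYPE_NAMES.get(f[0], f"UNKNOWN({f[0]})"), "pid": f[1],
               "line": _cstr(f[2]), "id": _cstr(f[3]), "user": _cstr(f[4]),
               "host": _cstr(f[5]), "time": f[9]}  # f[9] is ut_tv.tv_sec


def sessions(data: bytes, user=None, tty=None):
    """Reconstruct sessions newest-first, like `last`, optionally filtered by
    user or tty. A USER_PROCESS opens a session on its line; a DEAD_PROCESS on
    the same line closes it; a BOOT_TIME with sessions still open means the
    previous run ended without a clean logout (status "crash")."""
    open_by_line, done = {}, []
    for rec in parse_utmp(data):
        if rec["type"] == "USER_PROCESS":
            open_by_line[rec["line"]] = {"user": rec["user"], "line": rec["line"],
                                         "host": rec["host"], "login": rec["time"],
                                         "logout": None, "status": "still logged in"}
        elif rec["type"] == "DEAD_PROCESS" and rec["line"] in open_by_line:
            s = open_by_line.pop(rec["line"])
            s["logout"], s["status"] = rec["time"], "logged out"
            done.append(s)
        elif rec["type"] == "BOOT_TIME":
            # No DEAD_PROCESS was ever written for these lines: utmp was not
            # updated before the system went down, the case the article flags.
            for s in open_by_line.values():
                s["status"] = "crash"
            done.extend(open_by_line.values())
            open_by_line.clear()
    done.extend(open_by_line.values())
    done.sort(key=lambda s: s["login"], reverse=True)
    return [s for s in done
            if (user is None or s["user"] == user) and (tty is None or s["line"] == tty)]


def format_session(s) -> str:
    """One line in the spirit of `last` output."""
    ts = lambda t: datetime.fromtimestamp(t, timezone.utc).strftime("%Y-%m-%d %H:%M")
    end = ts(s["logout"]) if s["logout"] is not None else s["status"]
    return f"{s['user']:<8} {s['line']:<8} {s['host']:<16} {ts(s['login'])} - {end}"


# Constructed sample wtmp: a boot, two logins, one logout, a reboot that strands
# bob's session, a login on the console, then 17 stray bytes of a torn write.
SAMPLE_WTMP = b"".join([
    build_record(BOOT_TIME, 0, "~", "~~", "reboot", "kernel-example", 1_700_000_000),
    build_record(USER_PROCESS, 4242, "pts/0", "ts/0", "alice", "192.0.2.10", 1_700_000_100),
    build_record(USER_PROCESS, 4300, "pts/1", "ts/1", "bob", "198.51.100.7", 1_700_000_200),
    build_record(DEAD_PROCESS, 4242, "pts/0", "ts/0", "", "", 1_700_000_500),
    build_record(BOOT_TIME, 0, "~", "~~", "reboot", "kernel-example", 1_700_001_000),
    build_record(USER_PROCESS, 5100, "tty1", "tty1", "carol", "", 1_700_001_100),
]) + b"\x00" * 17

if __name__ == "__main__":
    for s in sessions(SAMPLE_WTMP):
        print(format_session(s))
```

To run it against a real file, replace SAMPLE_WTMP with the contents of /var/log/wtmp (read as bytes); the 384-byte layout must match the host's architecture, and records from utmp-x32 or 32-bit systems will not decode with this format string. The "crash" status is the practical form of the article's caveat: a session that is still marked open in utmp may simply never have been closed.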
