Use logs to make Linux management easier

BKJIA original] operating system logs are mainly used for auditing and monitoring. By analyzing log information, you can check the cause of errors and monitor and track intruders and traces of attacks, you can even monitor the system status in real time. The effective use of log information and its analysis and real-time monitoring and management play an extremely important role in system security. This article discusses how to use the linux Log system to manage the system more easily. Two methods are usually used to manage log information. One method is that the log information of different servers is stored in their respective systems, and the system administrator manages each server separately. Another method is to use the log host system, which collects logs from other hosts and stores them in the same place, it is easy to associate log entries from multiple hosts for unified management and analysis, and even real-time monitoring with automated tools to effectively improve management efficiency.

The first method is often commonly used by most system administrators. This traditional management method can barely cope with a small number of servers, however, it is not an effective method to handle multiple hosts. This article describes two log management methods and explores a way to improve system management efficiency.

1. Deployment of the log host system

The log host system consists of a log host and a host system. The log host is equivalent to a server, and the system of each host is equivalent to a client. The log information is transmitted to the log host in real time.

1. Log host deployment

The log host uses a RHEL 5.4 system server and assumes that its host name is loghost. The log collection software uses Sysiog on the Linux platform. Sysiog is generally installed with the Linux system, it provides great convenience for us to deploy the entire system. Therefore, we will not describe the installation steps here, but will only describe the configuration methods.

Sysiog can be used as either a client or a server, and supports remote log collection. Its configuration file is/etc/sysconfig/sysiog. to configure it as a server, you need to change the corresponding part of the configuration file to the following:

SYSLOGD_OPTIONS = "-r-m 0"

The "-r" option enables syslog To receive remote log information from the client.

Restart the Syslog server to make the configuration take effect:

# Service syslogd restart

Syslog uses port 514 to listen for log information from various clients. Therefore, port 514 must be opened on the firewall of the log host. For example, port 514 is opened for specific network segments: /sbin/iptables_A INPUT _ ietho_p tcp_s 192.168.0.0/16_dport 514_syn_j ACCEPT

2. Client deployment

◆ Client deployment on Linux

In Linux, Sysiog is still selected as the client for deployment. In this case, the configuration file is/etc/sysiog. conf. The default configuration is/var/log/message log ):

*. Info; mail. none; authpriv. none; cron. none/var/log/messages

/Var/log/message is the absolute path for Sysolg to store system logs. replace this value with the log host name, for example:

*. Info; mail. none; authpriv. none; cron. none @ loghost

According to the preceding configuration, after the Syslog restart configuration takes effect, the log information of the client server is transmitted to the/var/log/message file of the log host in real time, manages the log information of each server in a unified manner.

Run the following command to restart the Syslog service to make the configuration take effect:

# Service syslogd restart

Follow these steps to import other system log information such as/var/log/secure to the log host.

We recommend that you add configurations instead of modifying them, and save system logs locally and on the log host.

◆ Client deployment on Windows

Deploy the client using the software evtsys on Windows. The download link is.

Put these two files in the C: \ WINDOWS \ system32 directory, and run the following command in the command line status to install: % systemroot % \ system32 \ evtsys-I-h loghost

After the installation is successful, you can view the corresponding information in the service list, as shown in 1.

Run the following command to uninstall evtsys:

% Systemroot % \ system32 \ evtsys ­ u

 

The command to change the log host name is:

Net stop evtsys // stop evtsys

Evtsys ­ u // uninstall evtsys

Evtsys-l-h newloghost // specify the new log Host Name

Net start evtsys // start evtsys

Ii. Automatic Log Analysis and Monitoring of log hosts

After the entire system is deployed, you can verify from the log host whether each server sends the log information to the log host. Take/var/log/message as an example to open this file. When you see the log information with different host names, it indicates that the log host is working properly. The excerpt part of the log is as follows:

Sep 19 08:39:38 dog crond (pam_unix) [4528]: ses sion opened for user root by (uid = o)

Sep 19 08:39:36 dog crond (pam_unix) [4528]: session closed for user root

Sep 19 08:39:40 panda crond (pam_unix) [20296]: ses sion opened for user root by (uid = 0)

Sep 19 08:39:40 panda crond (pam_unix) [20296]: ses sion closed for user root

Sep 19 08:39:53 app last message repeated 8 times

Sep 19 08:40:11 apple net-snmp [657]: Connection from udp: 192.168.1.11: 4298

Sep 19 08: 40: 11 apple net-snmp [657]: Received SNMP packet (s) from udp: 159.226.2.144: 42988

Sep 19 08: 41: 15 orangesshd (pam_unix) [28389]: ses sion opened for user tom by (uid = 2009)

Sep 19 08:41:28 orange sshd (pam_unix) [28389]: ses sion opened for user tom by (uid = 2009)

Sep 19 08:41:28 orange September 19 08:41:28 su '(pam_unix) [28425]: session opened for user root by tom (uid = 2009)

Most of these logs are of little use, but they may be useful in tracking a specific problem or security vulnerability. So how can we effectively analyze and monitor it and play its real role? We recommend two commonly used log analysis and monitoring software to automatically analyze and monitor the log information.

1. Use Logwatch for log monitoring

In Linux, Logwatch is installed by default. In combination with the mail sending function of Sendmail, Logwatch sends the log analysis result email of the previous day to the system administrator. The configuration file is/etc/log. d/logwatch. conf, the following is the configuration file after the annotation is omitted, generally only need to change the MailTo part to the system administrator mailbox address, more configuration details can refer to its official http://www.logwatch.org.

LogDir =/var/log

MallTo = admin@local.com

Pnnt = No

Range = yesterday

Detail = High

Service = All

2. Use Swatch for real-time log monitoring

The download link of Swatch is http://sourceforge.net/projects/swatch /. To install Swatch, you must first install two perl module packages: date0000calc00005.4.tar.gzand timedate00001.16.tar.gz and then install Swatch. The installation steps are as follows:

# Tar ­ zxvf swatch­3.2.1.tar.gz

# Cd swatch 3.2.1

# Perl Makefile. PL

# Make

# Make test

# Make install

# Make realclean

Create a configuration file for configuring Swatch ~ /. Swatchrc: Add monitoring content according to its syntax rules. You can use the "man swatch" command to view the specific configuration content and meaning. The following is a simple example for your reference only:

W a t c h f o r =/Failedfuseraddllnvalid/I # specify the monitoring content in the form of a regular expression #

Echo # display matched rows through stdout #

Mail address = admin \ @ local.com, subject = Monitor Result # Send a Monitoring Result email to the system administrator and set the subject #

Mall addresses = admin \ @ local.com, subject = Monitor Result, when = 2-5: 8-17 # Send a Monitoring Result email to the system administrator, and set the corresponding topic and monitoring time #

Use "swatch ­ help" to view the specific options of Swatch runtime. The following is an example of running commands for your reference only:

# Swatch-config-file = ~ /. Swatchrc-examine =/var/log/messages

When the monitored information appears, Swatch sends an email to the system administrator in real time to prevent intrusions and protect the system security.

The establishment of a log host system not only effectively improves the efficiency of log management, analysis and monitoring, but also plays an extremely important role in log information security protection, on the one hand, it backs up the log information of each server on the log host and effectively prevents intrusion traces, providing great convenience for system management, it is one of the important ways to effectively ensure system security.

Related Articles]

• Linux operating system log management overview

• One of linux system security elements: logs

• In-depth discussion on Linux System Log Management