Source: http://www.chinaunix.net    Author: peng
Foreword
In the previous parts I described installing qmail on a UNIX system and finishing all of the configuration work, and you might think the story ends there. Unfortunately, the work has only just begun. Compared with installation and configuration, the real job is the ongoing administration: maintaining the system and resolving the errors that appear. This part discusses how to use the logs to tell whether the system and qmail are behaving normally and to discover problems. The material is split into system logs and qmail logs. The system log comes first, because the security of the host is the basis of every service it provides, and it is also a prerequisite for making sense of the qmail log.
6.1 System Log
UNIX systems track the events that occur on the system and record a message for each event in the system log files. Logs are very important for security: they record what happens every day, so you can look up the cause of an error or the traces an attacker left behind. The main functions of a log are auditing and monitoring; logs can also be used to watch the state of the system and to track intruders. As an administrator you should scan the logs at least once a day to catch system or security problems. On a Linux system there are three major log subsystems.
6.1.1 Connection Time Log
Connection time log: maintained by several programs. login and similar programs write records to /var/log/wtmp and /var/run/utmp, so that the system administrator can track who logged in to the system and when. wtmp and utmp are binary files; they cannot be read with cat or tail. Commands such as who, w, users, last and ac are needed to make use of the information stored in these two files.
who: the who command queries the utmp file and reports each user currently logged in. The default output of who includes the user name, terminal, login time and remote host. For example, who (Enter) displays (Table 1):
chyang   pts/0   Aug 18 15:06 (192.168.1.3)
ynguo    pts/2   Aug 18 15:32 (192.168.1.3)
ynguo    pts/3   Aug 18 13:55 (192.168.1.3)
lewis    pts/4   Aug 18 13:35 (192.168.1.3)
ynguo    pts/7   Aug 18 14:12 (192.168.1.3)
ylou     pts/8   Aug 18 14:15 (192.168.1.3)
If the wtmp file name is given, who queries all previous records. The command who /var/log/wtmp reports every login since the wtmp file was created or truncated.
w: the w command queries the utmp file and displays, for each user on the system, the process information of what that user is running. For example, w (Enter) displays (Table 2):
 3:36pm  up 1 day, 22:34,  6 users,  load average: 0.23, 0.29, 0.27
USER     TTY      FROM              LOGIN@   IDLE    JCPU   PCPU  WHAT
chyang   pts/0    202.38.68.242     3:06pm   2:04    0.08s  0.04s -bash
ynguo    pts/2    202.38.79.47      3:32pm   0.00s   0.14s  0.05s w
lewis    pts/3    202.38.64.233     1:55pm   30:39   0.27s  0.22s -bash
lewis    pts/4    202.38.64.233     1:35pm   6.00s   4.03s  0.01s sh /home/users/
ynguo    pts/7    simba.nic.ustc.e  2:12pm   0.00s   0.47s  0.24s telnet mail
ylou     pts/8    202.38.64.235     2:15pm   1:09m   0.10s  0.04s -bash
users: the users command prints the currently logged-in users on a single line, one entry per login session. If a user has more than one login session, the user name appears that many times. For example, users (Enter) shows: chyang lewis lewis ylou ynguo ynguo
last: the last command reads back through wtmp and displays the users who have logged in since the file was created. For example (Table 3):
chyang   pts/9   202.38.68.242     Tue Aug 1 08:34 - 11:23 (02:49)
cfan     pts/6   202.38.64.224     Tue Aug 1 08:33 - 08:48 (00:14)
chyang   pts/4   202.38.68.242     Tue Aug 1 08:32 - 12:13 (03:40)
lewis    pts/3   202.38.64.233     Tue Aug 1 08:06 - 11:09 (03:03)
lewis    pts/2   202.38.64.233     Tue Aug 1 07:56 - 11:09 (03:12)
If a user name is given, last reports only that user's recent activity; for example, last ynguo displays (Table 4):
ynguo    pts/4   simba.nic.ustc.e  Fri Aug 4 16:50 - 08:20 (15:30)
ynguo    pts/4   simba.nic.ustc.e  Thu Aug 3 23:55 - 04:40 (04:44)
ynguo    pts/11  simba.nic.ustc.e  Thu Aug 3 20:45 - 22:02 (01:16)
ynguo    pts/0   simba.nic.ustc.e  Thu Aug 3 03:17 - 05:42 (02:25)
ynguo    pts/0   simba.nic.ustc.e  Wed Aug 2 01:04 - 03:16 (02:12)
ynguo    pts/0   simba.nic.ustc.e  Wed Aug 2 00:43 - 00:54 (00:11)
ynguo    pts/9   simba.nic.ustc.e  Thu Aug 1 20:30 - 21:26 (00:55)
ac: the ac command reports users' connect time in hours, based on the logins and logouts recorded in the current /var/log/wtmp file. Without flags it reports the total. For example, ac (Enter) shows: total 5177.47
ac -d (Enter) shows the total connect time per day (Table 5):
Aug 12  total  261.87
Aug 13  total  351.39
Aug 14  total  396.09
Aug 15  total  462.63
Aug 16  total  270.45
Aug 17  total  104.29
Today   total  179.02
ac -p (Enter) shows the total connect time of each user (Table 6):
ynguo     193.23
yucao       3.35
rong      133.40
hdai       10.52
zjzhu      52.87
zqzhou     13.14
liangliu   24.34
total    5178.24
lastlog: the lastlog file is consulted every time a user logs in. The lastlog command shows when a particular user last logged in: it formats the contents of the last-login log /var/log/lastlog and displays the login name, port (tty) and last login time, sorted by UID. If a user has never logged in, lastlog displays "**Never logged in**". Note that this command must be run as root. For example (Table 7):
rong      5   202.38.64.187   Fri Aug 18 15:57:01 +0800 2000
dbb           **Never logged in**
xinchen       **Never logged in**
pb9511        **Never logged in**
xchen     0   202.38.64.190   Sun Aug 13 10:01:22 +0800 2000
Some options can be added as well: lastlog -u 102 reports on UID 102, and lastlog -t 7 reports on the last week.
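To show what who, last and ac are actually doing with these binary files, here is an added Python example (it is not from the original article) that decodes utmp/wtmp records, pairs logins with logouts the way last does, and sums connect time the way ac does. It assumes the glibc record layout used on x86_64 Linux (384-byte records); the sample records are constructed inside the code, and the record-building helper exists only to produce that sample.

```python
import struct

# Assumption: glibc's utmp record layout on x86_64 (384 bytes, little-endian):
# ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# exit status (2 shorts), ut_session, ut_tv (sec, usec), ut_addr_v6[4], 20 unused.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)     # 384
USER_PROCESS = 7                          # a login session on a line
DEAD_PROCESS = 8                          # the session on that line ended


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Build one binary record; used here only to construct sample wtmp data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def _cstr(raw):
    """Decode a NUL-padded fixed-width string field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_wtmp(data):
    """Yield (type, pid, line, user, host, seconds) for every record in `data`."""
    if len(data) % UTMP_SIZE:
        raise ValueError("wtmp data is not a whole number of records")
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield f[0], f[1], _cstr(f[2]), _cstr(f[4]), _cstr(f[5]), f[9]


def sessions(data):
    """Pair each USER_PROCESS record with the next DEAD_PROCESS record on the
    same line, as `last` does. Returns (user, line, host, start, end) tuples;
    end is None for a session that is still logged in."""
    open_logins, result = {}, []
    for ut_type, _pid, line, user, host, sec in parse_wtmp(data):
        if ut_type == USER_PROCESS:
            open_logins[line] = (user, host, sec)
        elif ut_type == DEAD_PROCESS and line in open_logins:
            user, host, start = open_logins.pop(line)
            result.append((user, line, host, start, sec))
    for line, (user, host, start) in open_logins.items():
        result.append((user, line, host, start, None))
    return result


def total_connect_hours(data, now):
    """Sum of session lengths in hours, the figure `ac` reports; sessions that
    are still open are counted up to `now`."""
    total = 0
    for _user, _line, _host, start, end in sessions(data):
        total += (end if end is not None else now) - start
    return total / 3600


# Constructed sample: two logins by lewis, one by chyang, one logout. The times
# are small Unix timestamps chosen for readability, not real data.
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 1001, "pts/2", "lewis", "202.38.64.233", 1000),
    make_record(USER_PROCESS, 1002, "pts/3", "lewis", "202.38.64.233", 2000),
    make_record(DEAD_PROCESS, 1001, "pts/2", "", "", 4600),
    make_record(USER_PROCESS, 1003, "pts/4", "chyang", "202.38.68.242", 2000),
])

if __name__ == "__main__":
    for user, line, host, start, end in sessions(SAMPLE_WTMP):
        print(user, line, host, start, end if end is not None else "still logged in")
    print("total hours:", total_connect_hours(SAMPLE_WTMP, now=5600))
```

To run it against a real file, replace SAMPLE_WTMP with open("/var/log/wtmp", "rb").read(); on another architecture or libc the format string must be adjusted to that platform's struct utmp.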
6.1.2 Process Statistics Log
Process statistics (process accounting): performed by the system kernel. When a process terminates, a record for that process is written to the process accounting file (pacct or acct). The purpose of process statistics is to provide command usage statistics for the basic services in the system.
UNIX can track every command run by every user. If you want to know which important files were tampered with last night, the process accounting subsystem can tell you; it is helpful for tracking an intruder. Unlike the connection time log, the process accounting subsystem is not active by default and must be started. On Linux, process accounting is started with the accton command, which must be run as root. The form of the command is accton file, and file must already exist. First create the pacct file with touch:
# touch /var/log/pacct
Then run accton:
# accton /var/log/pacct
Once accton is active, you can use the lastcomm command to monitor the commands executed on the system. To turn accounting off, run accton without any arguments.
The lastcomm command reports on previously executed commands. With no arguments, lastcomm displays information about all commands recorded during the lifetime of the current accounting file: the command name, the user, the tty, the CPU time the command consumed and a timestamp. If there are many users on the system, the output may be very long. For example (Table 8):
------------------------------------------------------------------------------
crond            F  root   ??   0.00 secs Sun Aug 20 00:16
promisc_check.s  S  root   ??   0.04 secs Sun Aug 20 00:16
promisc_check       root   ??   0.01 secs Sun Aug 20 00:16
grep                root   ??   0.02 secs Sun Aug 20 00:16
tail                root   ??   0.01 secs Sun Aug 20 00:16
sh                  root   ??   0.01 secs Sun Aug 20 00:15
ping             S  root   ??   0.01 secs Sun Aug 20 00:15
ping6.pl         F  root   ??   0.01 secs Sun Aug 20 00:15
sh                  root   ??   0.01 secs Sun Aug 20 00:15
ping             S  root   ??   0.02 secs Sun Aug 20 00:15
ping6.pl         F  root   ??   0.02 secs Sun Aug 20 00:15
sh                  root   ??   0.02 secs Sun Aug 20 00:15
ping             S  root   ??   0.00 secs Sun Aug 20 00:15
ping6.pl         F  root   ??   0.01 secs Sun Aug 20 00:15
sh                  root   ??   0.01 secs Sun Aug 20 00:15
ping             S  root   ??   0.01 secs Sun Aug 20 00:15
------------------------------------------------------------------------------
One problem with process accounting is that the pacct file can grow very quickly. You then need to run the sa command, interactively or through cron, to keep the log data under control. The sa command reports on, cleans up and maintains the process accounting data. It condenses the information in /var/log/pacct into the summary files /var/log/savacct and /var/log/usracct, which contain statistics classified by command name and by user name. By default sa reads these summary files first and then the pacct file, so that its report covers all available information. sa's output uses the following markers (Table 9):
------------------------------------------------------------------------------
avio  - average number of I/O operations per execution
cp    - sum of user and system time, in minutes
cpu   - same as cp
k     - average amount of core memory used, in 1K units
k*sec - CPU storage integral, in 1K-core seconds
re    - real (elapsed) time, in minutes
s     - system time, in minutes
tio   - total number of I/O operations
u     - user time, in minutes
------------------------------------------------------------------------------
For example (Table 10):
------------------------------------------------------------------------------
     842  173.26re    4.30cp    0avio   358k
       2   10.98re    4.06cp    0avio   299k   find
       9   24.80re    0.05cp    0avio   291k   ***other*
     105   30.44re    0.03cp    0avio   302k   ping
     104   30.55re    0.03cp    0avio   394k   sh
     162    0.11re    0.03cp    0avio   413k   security.sh*
     154    0.03re    0.02cp    0avio   273k   ls
      56   31.61re    0.02cp    0avio   823k   ping6.pl*
       2    3.23re    0.02cp    0avio   822k   ping6.pl
      35    0.02re    0.01cp    0avio   257k   md5sum
      97    0.02re    0.01cp    0avio   263k   initlog
      12    0.19re    0.01cp    0avio   399k   promisc_check.s
      15    0.09re    0.00cp    0avio   288k   grep
      11    0.08re    0.00cp    0avio   332k   awk
------------------------------------------------------------------------------
sa can also produce a summary per user rather than per command. For example, sa -m shows (Table 11):
              885  173.28re    4.31cp    0avk
root          879  173.23re    4.31cp    0avk
alias           3    0.05re    0.00cp    0avk
qmailp          3    0.01re    0.00cp    0avk
6.1.3 Error Log
Error log: maintained by syslogd. The various system daemons, user programs and the kernel report events through syslog to the file /var/log/messages. Many other UNIX programs also create logs of their own; servers that provide network services such as HTTP and FTP keep their own detailed logs.
syslog has been adopted by many logging facilities and is relied on by many protective measures: any program can record events through syslog. syslog can record system events to a file or a device, or send them to users. It can record local events, or record events from another host over the network.
The syslog facility is based on two important files: /etc/syslogd, the daemon, and the configuration file /etc/syslog.conf. Most syslog information is written to message files (messages.*) in the /var/adm or /var/log directory. A typical syslog record includes the name of the program that generated it and a text message. Each record also carries a facility and a priority, although these do not appear in the log.
Each syslog message is assigned one of the main facilities below (Table 12):
------------------------------------------------------------------------------
LOG_AUTH     - authentication system: login, su, getty, etc.
LOG_AUTHPRIV - like LOG_AUTH, but logged only to a file readable by selected users
LOG_CRON     - the cron daemon
LOG_DAEMON   - other system daemons, such as routed
LOG_FTP      - File Transfer Protocol: ftpd, tftpd
LOG_KERN     - messages generated by the kernel
LOG_LPR      - system printer spooler: lpr, lpd
LOG_MAIL     - the mail system
LOG_NEWS     - the network news system
LOG_SYSLOG   - internal messages generated by syslogd(8)
LOG_USER     - messages generated by arbitrary user processes
LOG_UUCP     - the UUCP subsystem
LOG_LOCAL0 to LOG_LOCAL7 - reserved for local use
------------------------------------------------------------------------------
syslog assigns each event one of several priorities (Table 13):
------------------------------------------------------------------------------
LOG_EMERG   - an emergency situation
LOG_ALERT   - should be corrected immediately, such as a corrupted system database
LOG_CRIT    - critical, such as hard disk errors
LOG_ERR     - errors
LOG_WARNING - warning messages
LOG_NOTICE  - not an error, but may need handling
LOG_INFO    - informational messages
LOG_DEBUG   - debugging information, normally used when debugging a program
------------------------------------------------------------------------------
The syslog.conf file dictates the logging behaviour of the syslogd program, which reads the configuration file at startup. The file consists of single-line entries, one per class of program or message. Each entry has a selector field and an action field, separated by tabs: the selector field names the type (facility) and priority of the messages, and the action field says what syslogd should do when a message matches. Each selector is made up of a facility and a priority. When a priority is given, syslogd records messages of that priority or higher, so specifying crit records messages marked crit, alert and emerg. The action part of each line says where a message goes once it has been selected. For example, to record all mail messages in one file (Table 14):
------------------------------------------------------------------------------
# Log all the mail messages in one place
mail.*                          /var/log/maillog
Other facilities have logs of their own. The uucp and news facilities can generate many external messages; these are saved to their own log (/var/log/spooler), limited to level err or higher. For example:
# Save mail and news errors of level err and higher in a special file.
uucp,news.crit                  /var/log/spooler
When an emergency occurs you may want to reach all users. You may also want another machine to receive and save your log:
# Everybody gets emergency messages, plus log them on another machine
*.emerg                         *
*.emerg                         @linuxaid.com.cn
Alert messages should be written to the personal accounts of root and tiger:
# Root and tiger get alert and higher messages
*.alert                         root,tiger
Sometimes syslogd produces a great deal of output. The kernel ("kern" facility), for example, can be very verbose. Users may want to log kernel messages to /dev/console. The following example shows the kernel logging line commented out:
# Log all kernel messages to the console
# Logging much else clutters up the screen
#kern.*                         /dev/console
Users can specify all facilities on one line. The following example sends messages of level info or higher to /var/log/messages, except for mail. The level "none" disables a facility:
# Log anything (except mail) of level info or higher
# Don't log private authentication messages!
*.info;mail.none;authpriv.none  /var/log/messages
------------------------------------------------------------------------------
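The selector rules just described (facility.priority, "that priority or higher", several facilities per selector, sub-selectors separated by ";", and "none" to exclude a facility) are easy to misread, so here is an added Python example, not part of the original article, that parses a syslog.conf fragment and reports which actions a given message reaches. It handles only the classic selector syntax shown on this page (no "=" or "!" modifiers), and the configuration text is the page's own examples assembled into one constructed file.

```python
# Priorities in increasing order of severity; a selector's priority means
# "this priority or higher".
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]


def parse_selector(selector):
    """'uucp,news.crit' -> [('uucp', 'crit'), ('news', 'crit')]."""
    facilities, priority = selector.rsplit(".", 1)
    return [(f.strip(), priority.strip()) for f in facilities.split(",")]


def parse_syslog_conf(text):
    """Return a list of (sub-selectors, action) rules, skipping blank and comment
    lines. Only the classic syntax is handled: no '=' or '!' priority modifiers."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        selectors, action = line.rsplit(None, 1)   # selector field, then action field
        pairs = []
        for sub in selectors.split(";"):
            pairs.extend(parse_selector(sub))
        rules.append((pairs, action))
    return rules


def selects(pairs, facility, priority):
    """Evaluate one selector field against a message. Sub-selectors apply left to
    right and a later one overrides an earlier one for the same facility, which
    is how '*.info;mail.none' keeps mail out of /var/log/messages."""
    decision = False
    for fac, prio in pairs:
        if fac != "*" and fac != facility:
            continue
        if prio == "none":
            decision = False
        elif prio == "*":
            decision = True
        else:
            decision = PRIORITIES.index(priority) >= PRIORITIES.index(prio)
    return decision


def actions_for(rules, facility, priority):
    """All actions (files, hosts, users) that a facility/priority message reaches."""
    return [action for pairs, action in rules if selects(pairs, facility, priority)]


# The page's own syslog.conf examples, assembled into one constructed file.
SAMPLE_CONF = """\
# log all the mail messages in one place
mail.*                              /var/log/maillog
uucp,news.crit                      /var/log/spooler
*.emerg                             *
*.emerg                             @linuxaid.com.cn
*.alert                             root,tiger
# kernel logging commented out, as on the page
#kern.*                             /dev/console
*.info;mail.none;authpriv.none      /var/log/messages
"""

RULES = parse_syslog_conf(SAMPLE_CONF)

if __name__ == "__main__":
    for fac, prio in [("mail", "info"), ("kern", "emerg"), ("authpriv", "notice"),
                      ("news", "err"), ("daemon", "debug")]:
        print("%s.%-8s -> %s" % (fac, prio, actions_for(RULES, fac, prio)))
```

The run shows the two traps in the page's configuration: an authpriv message at notice reaches nothing at all (it is excluded from /var/log/messages and no other line selects it), and a news message at err is not written to /var/log/spooler because that selector says crit, whatever its comment claims.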
In some cases you may want to send the log to a printer, so that a network intruder cannot modify it; this is usually done for widely recorded logs. The syslog facility is a prime target for attackers, and a system that keeps logs on behalf of other hosts is a particularly exposed target, so it deserves special attention.
There is a small command, logger, that provides a shell command interface to the syslog(3) system logging facility, so that entries can be made in the log from the command line or scripts. Usage: logger message. For example, logger this is a test! produces a syslog record like: Aug 19 22:22:34 tiger: this is a test!
Note: do not trust the log completely, because an attacker can easily modify it.
6.1.4 Program Log
Many programs reflect the system's security by keeping their own logs. The su command lets a user obtain another user's privileges, so it is very important; its log file is sulog. There is also sudolog. In addition, Apache keeps two logs: access_log and error_log.
A good deal of space has been spent on this, because if the security of the host cannot be guaranteed there is nothing further to discuss. Below we turn to the mail log in detail.
6.2.1 qmail's Replacement Log Program
There has long been controversy over the efficiency of the standard syslogd program. Once a message has been handed to syslogd there is no guarantee that it has actually been written to the log, and its write speed is not high either.
splogger follows these rules:
1. A timestamp is attached to each message.
2. Each message is checked for the keywords alert: or warning:; if one of them is present, an appropriate priority is chosen for the message.
3. Unprintable characters in a message are converted to question marks (?).
4. Blank lines are not recorded.
5. Messages longer than 800 characters are split into several messages of 800 characters each; the split lines are marked with a plus sign after the timestamp.
To meet these conditions, qmail's author Dan Bernstein developed the splogger program, which is included in the qmail package.
It takes the place of the system's logging front end: qmail's log output is redirected to splogger, which forwards the records to the Linux syslog daemon. Where the mail log ends up depends on the settings in /etc/syslog.conf, which were described in detail above.
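To make the five rules concrete, here is an added Python example (not from the original article or from the qmail package) that applies them to one log line and returns the (priority, text) pairs that would be handed to syslog. The page names the alert: and warning: keywords but not the priorities they select, so the mapping and the default priority are assumptions, as is the exact placement of the plus sign on split messages, which follows the page's description.

```python
MAX_PIECE = 800          # rule 5: longer messages are split into 800-character pieces

# rule 2: keywords that select a priority. The page names the keywords; the
# priority each one maps to, and the default, are assumptions for this example.
KEYWORD_PRIORITY = {"alert:": "alert", "warning:": "warning"}
DEFAULT_PRIORITY = "info"


def sanitize(message):
    """Rule 3: replace every unprintable character with a question mark."""
    return "".join(ch if 32 <= ord(ch) < 127 else "?" for ch in message)


def priority_for(message):
    """Rule 2: pick a priority from an 'alert:' or 'warning:' keyword in the text."""
    lowered = message.lower()
    for keyword, priority in KEYWORD_PRIORITY.items():
        if keyword in lowered:
            return priority
    return DEFAULT_PRIORITY


def format_message(message, now):
    """Apply the five rules to one log line and return the (priority, text) pairs
    that would be handed to syslog. `now` is a Unix time with fractional
    seconds, printed with six decimals like the timestamps in qmail's own log."""
    text = sanitize(message.rstrip("\n"))
    if not text.strip():
        return []                                        # rule 4: drop blank lines
    priority = priority_for(text)
    stamp = "%.6f" % now                                 # rule 1: timestamp first
    pieces = [text[i:i + MAX_PIECE] for i in range(0, len(text), MAX_PIECE)]
    # rule 5, as the page describes it: every piece of a split message carries a
    # plus sign after the timestamp; an unsplit message does not (assumption).
    marker = "+ " if len(pieces) > 1 else " "
    return [(priority, stamp + marker + piece) for piece in pieces]


if __name__ == "__main__":
    # constructed sample lines: a normal entry, a keyword, a control character,
    # a blank line and an over-long line
    samples = ["new msg 18995", "alert: unable to opendir", "bad\x01byte", "", "x" * 1700]
    for line in samples:
        for priority, text in format_message(line, 955436538.813320):
            print(priority, text[:60] + ("..." if len(text) > 60 else ""))
```

The control-character rule matters for security as much as for tidiness: a sender who puts a newline or terminal escape into an address would otherwise be able to forge extra log lines or corrupt the administrator's terminal when the log is viewed.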
6.2.2 Reading the qmail Log
Once messages are being logged, the records should be monitored to find problems. Look at a qmail mail log (Table 15):
------------------------------------------------------------------------------
1. Apr 11 02:02:18 mail qmail: 955436538.813320 new msg 18995
2. Apr 11 02:02:18 mail qmail: 955436538.815787 info msg 18995: bytes 603 from
3. Apr 11 02:02:18 mail qmail: 955436538.892499 starting delivery 103: msg 18995 to local root@96633.net
4. Apr 11 02:02:18 mail qmail: 955436538.895936 status: local 1/10 remote 0/20
5. Apr 11 02:02:19 mail qmail: 955436539.075785 delivery 103: success: did_0+1+0/qp_26976/
6. Apr 11 02:02:19 mail qmail: 955436539.098222 status: local 0/10 remote 0/20
7. Apr 11 02:02:19 mail qmail: 955436539.100838 end msg 18995
------------------------------------------------------------------------------
The first line is qmail's record that it received this new message.
The second line identifies the message by its sender and size.
The third line shows qmail-send starting a delivery (delivery 103) of the message to the local recipient.
The fourth line gives qmail's status: there is one message in the local queue waiting to be delivered.
The fifth line shows that the message was successfully delivered to the local user.
The sixth line shows the queue empty again, and the seventh records the message being removed from the queue.
As the example shows, qmail's log entries can look puzzling. There are six types of qmail log message:
1. status
2. fatal problems
3. serious problems
4. messages
5. delivery items
6. warnings
Below we introduce each qmail message type in turn.
6.2.3 Status Messages
Status messages record the load on the server. The format of a status message is:
status: local n/l remote r/r
where n/l is the number of local messages in the queue (n) and the size of the local mail queue (l), and r/r is the number of remote messages in the queue (r) and the size of the remote mail queue (see the fourth line of Table 15). If you see this message often, you may need to change the size of the mail queue. This is done by changing qmail's control files, as discussed in "qmail Management and Maintenance (Part 3): System Configuration".
6.2.4 Fatal Problems
Fatal problems are those that cause qmail to terminate abnormally and stop operating; you should attend to your mail server immediately.
qmail fatal problem log messages (Table 16)
------------------------------------------------------------------------------
Message                     Description
------------------------------------------------------------------------------
alert: cannot start         qmail-send could not initialise and start. This is usually a sign of a configuration file problem.
alert: oh no! lost          A supporting background program, for example qmail-lspawn or qmail-rspawn, has died, so qmail-send will shut down.
------------------------------------------------------------------------------
6.2.5 Serious Problems
A serious problem is recorded when qmail cannot handle a specific event but will try again. A serious problem does not stop qmail, but if it persists it may lead to a fatal problem that shuts qmail down. They are as follows:
qmail serious problems (Table 16)
------------------------------------------------------------------------------
Message                                 Description
------------------------------------------------------------------------------
alert: unable to append bounce message  qmail-send cannot handle a permanent delivery failure; usually the disk is full.
alert: out of memory                    qmail-send tried to allocate memory and failed.
alert: unable to opendir                qmail-send cannot read a directory listing from disk, because of insufficient permissions or because the descriptor table is full.
alert: unable to switch back            qmail-send received a SIGHUP signal but cannot read the queue directory.
alert: unable to read                   qmail-send received a SIGHUP signal but cannot read the control directory.
------------------------------------------------------------------------------
6.2.6 qmail Messages
qmail creates a log record for each message that enters and leaves the qmail system. These records are keyed by the label qmail assigns to each message. Here are some of the possible message log entries (Table 17):
------------------------------------------------------------------------------
Message                                Description
------------------------------------------------------------------------------
new msg m                              qmail-send has queued a message whose number in the queue is m.
info msg m: bytes b from s qp q uid u  Message m contains b bytes, comes from sender s, and was queued by user ID u; its queue identifier is q.
bounce msg m qp q                      Message m failed; the bounce message returned to the sender has queue identifier q.
triple bounce: discarding m            Message m is a bounce of a bounce that cannot be delivered either, and will be discarded.
end msg m                              Message m is being removed from the queue.
------------------------------------------------------------------------------
6.2.7 Delivery Items
Whenever qmail-send attempts a delivery, it records a status message in the log. The possible delivery log messages are given below.
qmail delivery log items (Table 18)
------------------------------------------------------------------------------
Message                                  Description
------------------------------------------------------------------------------
starting delivery d: msg m to ...        qmail-send is processing a delivery of message m and has assigned it delivery ID d.
delivery d: success                      Delivery item d was delivered to the recipient successfully.
delivery d: deferral                     Delivery item d met a temporary delivery failure and will be retried.
delivery d: failure                      Delivery item d met a permanent failure; the message will be bounced.
delivery d: report mangled, will defer   Delivery item d hit a problem in qmail-rspawn or qmail-lspawn and will be retried.
------------------------------------------------------------------------------
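Here is an added Python example, not part of the original article, that reads a qmail log in the syslog format of Table 15 and pulls the status, message and delivery entries of sections 6.2.3 through 6.2.7 into a per-message summary plus a list of problems: deferrals, failures, and status lines that show a queue running at its limit. The sample log is constructed: its first message follows Table 15 (with a made-up sender), while the second message, its deferral and failure, and the saturated status line are invented to exercise the problem reporting.

```python
import re

# syslog prefix, then qmail's own "seconds.fraction body"
LINE_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ qmail: (?P<ts>\d+\.\d+) (?P<body>.*)$")

# Constructed sample log (see the lead-in): message 18995 follows Table 15,
# message 19001 and the "remote 20/20" status line are invented.
SAMPLE_LOG = """\
Apr 11 02:02:18 mail qmail: 955436538.813320 new msg 18995
Apr 11 02:02:18 mail qmail: 955436538.815787 info msg 18995: bytes 603 from <cron@example.net> qp 26970 uid 0
Apr 11 02:02:18 mail qmail: 955436538.892499 starting delivery 103: msg 18995 to local root@96633.net
Apr 11 02:02:18 mail qmail: 955436538.895936 status: local 1/10 remote 0/20
Apr 11 02:02:19 mail qmail: 955436539.075785 delivery 103: success: did_0+1+0/qp_26976/
Apr 11 02:02:19 mail qmail: 955436539.098222 status: local 0/10 remote 0/20
Apr 11 02:02:19 mail qmail: 955436539.100838 end msg 18995
Apr 11 02:05:00 mail qmail: 955436700.000000 new msg 19001
Apr 11 02:05:00 mail qmail: 955436700.100000 info msg 19001: bytes 1200 from <alice@example.net> qp 27001 uid 1005
Apr 11 02:05:00 mail qmail: 955436700.200000 starting delivery 104: msg 19001 to remote bob@example.org
Apr 11 02:05:00 mail qmail: 955436700.210000 status: local 0/10 remote 20/20
Apr 11 02:05:30 mail qmail: 955436730.000000 delivery 104: deferral: Connected_to_192.0.2.25_but_greeting_failed./
Apr 11 02:05:30 mail qmail: 955436730.010000 status: local 0/10 remote 0/20
Apr 11 02:25:30 mail qmail: 955437930.000000 starting delivery 105: msg 19001 to remote bob@example.org
Apr 11 02:25:31 mail qmail: 955437931.000000 delivery 105: failure: Sorry,_no_mailbox_here_by_that_name./
Apr 11 02:25:31 mail qmail: 955437931.100000 bounce msg 19001 qp 27100
Apr 11 02:25:31 mail qmail: 955437931.200000 end msg 19001
"""


def parse_qmail_log(text):
    """Return {'messages': {...}, 'problems': [...], 'last_status': (...)}.

    messages maps the qmail message number to its size, sender, delivery IDs and
    whether it was bounced / removed from the queue; problems lists, in log
    order, every deferral, failure and saturated-queue status line."""
    messages, deliveries, problems, last_status = {}, {}, [], None

    def msg(num):
        return messages.setdefault(num, {"bytes": None, "sender": None,
                                         "deliveries": [], "bounced": False,
                                         "ended": False})

    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                                   # not a qmail entry; skip it
        ts, body = float(m.group("ts")), m.group("body")
        if body.startswith("new msg "):
            msg(int(body.split()[2]))
        elif body.startswith("info msg "):
            i = re.match(r"info msg (\d+): bytes (\d+) from <([^>]*)>", body)
            if i:
                msg(int(i.group(1))).update(bytes=int(i.group(2)), sender=i.group(3))
        elif body.startswith("starting delivery "):
            d = re.match(r"starting delivery (\d+): msg (\d+) to (local|remote) (\S+)", body)
            if d:
                did, num = int(d.group(1)), int(d.group(2))
                deliveries[did] = (num, d.group(4))     # remember who delivery d is for
                msg(num)["deliveries"].append(did)
        elif body.startswith("delivery "):
            d = re.match(r"delivery (\d+): (success|deferral|failure): (.*)", body)
            if d and d.group(2) != "success":
                num, rcpt = deliveries.get(int(d.group(1)), (None, "?"))
                problems.append({"time": ts, "kind": d.group(2), "msg": num,
                                 "rcpt": rcpt, "detail": d.group(3)})
        elif body.startswith("status: "):
            s = re.match(r"status: local (\d+)/(\d+) remote (\d+)/(\d+)", body)
            if s:
                n, l, r, rr = (int(x) for x in s.groups())
                last_status = (n, l, r, rr)
                # the page's advice: a queue that keeps hitting its limit needs a larger one
                if n >= l or r >= rr:
                    problems.append({"time": ts, "kind": "queue-full", "msg": None,
                                     "rcpt": None, "detail": body})
        elif body.startswith("bounce msg "):
            msg(int(body.split()[2]))["bounced"] = True
        elif body.startswith("end msg "):
            msg(int(body.split()[2]))["ended"] = True
    return {"messages": messages, "problems": problems, "last_status": last_status}


if __name__ == "__main__":
    report = parse_qmail_log(SAMPLE_LOG)
    for num, info in sorted(report["messages"].items()):
        print(num, info)
    for p in report["problems"]:
        print("%-10s msg=%s rcpt=%s %s" % (p["kind"], p["msg"], p["rcpt"], p["detail"]))
```

Feeding it a real log (for example the output of grep qmail /var/log/maillog) gives the same summary; the alert: lines of sections 6.2.4 and 6.2.5 pass through the final else-less branch untouched, so a production version would add a clause that collects them first, since they are the entries that demand immediate attention.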
6.2.8 Warnings
When qmail meets an error it can handle, it writes a warning to the log. A warning means that qmail has resolved a temporary problem; however, warnings can be the precursor of a larger problem. Here are some qmail warning messages (Table 19):
------------------------------------------------------------------------------
Message                                        Description
------------------------------------------------------------------------------
internal error: delivery report out of range   qmail-lspawn or qmail-rspawn returned a delivery report for a nonexistent delivery ID.
qmail-clean unable to clean up                 qmail-clean cannot delete a file.
trouble fsyncing                               qmail-send cannot flush a write to disk.
trouble in select                              A possible operating system error.
trouble injecting bounce message               qmail-send cannot queue a bounce message.
trouble marking                                qmail-send cannot record the result of an unsuccessful delivery.
trouble opening                                qmail-send cannot open a list of local or remote recipients.
trouble reading                                qmail-send cannot read a list of recipients.
trouble writing to                             qmail-send cannot handle messages in a list.
trouble creating                               qmail-send cannot handle messages in a list.
unable to open                                 qmail-send cannot read the header of a queued message.
unable to start qmail-queue                    qmail-send cannot queue a bounce message.
unable to stat                                 qmail-send cannot get information about a file.
unable to unlink                               qmail-send cannot delete a file.
unable to utime                                qmail-send cannot record the next scheduled delivery time.
unknown record type in                         A serious error in qmail-send or qmail-queue.
------------------------------------------------------------------------------
6.2.9 Log Management Tools
The qmail log file is a complex body of status messages, delivery messages and problem messages. By examining the log you can narrow down and find problems. Wading through large log files is tedious, and some log tools can reduce the workload.
A commonly used tool is qmailanalog, developed by Dan Bernstein (web site http://cr.yp.to/qmailanalog.html). Its utilities include matchup, xrecipient and xsender.
The second is the daemontools package, whose multilog tool is a good choice to replace the UNIX logging program. Its web site is http://cr.yp.to/daemontools/daemontools.html. Those who are interested can take a look.
Summary
In practice, problems are varied and come from every direction. Good log analysis helps you find problems and prevent accidents. This has been only a brief introduction; combining the logs with problem reports and bounce information lets you discover and solve problems more effectively. Of course, the log is not absolute, and each situation must be analysed on its own merits.