Logs are very important for security. He records a variety of things that happen every day, you can check the cause of the wrong occurrence, or the traces left when attacked. The main functions of the log are: audit and monitoring. He can also monitor system status, monitor, and track invasants. In the Linux system, there are three major log subsystems: connection time log - executed by multiple programs, write records to / var / log / wtmp and / var / run / utmp, login and other programs update WTMP and UTMP Files make system administrators to track when to log in to the system. Process statistics - executed by the system kernel. When a process is terminated, a record is written to the process statistics file (PACCT or ACCT) for each process. The purpose of process statistics is to provide commands to use statistics for basic services in the system. Error log - executed by syslogd (8). Various system daemons, user programs and kernels report to file / var / log / messages via syslog (3). There are also many UNIX programs to create logs. Servers that provide network services like HTTP and FTP also maintain a detailed log. Common log files are as follows: Access-log record HTTP / Web Transfer ACCT / PACCT Record User Command Aculog Record MODEM Activity BTMP Record Failed Record Lastlog Record Recent Successfully Log in Events and the last unsuccessful login Messages from syslog SudoLog Record SUDOG Record Using SULOG Record Using SULOG Record Using SU Command Syslog Syslog Record Information in Syslog (usually linked to Messages File) UTMP Record Each user of each user of the current login for each user WTMP The permanent record of sub-login entry and exit time XFerlog Record FTP session UTMP, WTMP, and LastLog log files are the key to multi-reuse UNIX log subsystems - keep users log in to enter and exit records. Information on the current login user is recorded in the file UTMP; log in to enter and exit records in the file wtmp; the last login file can be viewed by the lastLog command. Data exchange, shutdown and restart are also recorded in the WTMP file. All records contain timestamps. These files (LastLog is usually not large) grow very rapidly in systems with a large number of users. For example, the WTMP file can be infinitely increased unless periodic interception. Many systems configure the WTMP into cyclic uses in units one day or one week. It is usually modified by the script running by cron. These scripts are renamed and cycled with the WTMP file. Typically, WTMP is named wtmp.1 after the first day; WTMP.1 is changed to WTMP.2 after the second day until WTMP.7. Every time there is a user login, the Login program takes place to see the user's UID in the file lastlog. If you find it, write the user to the standard output last time, exit time, and host name, and then login new login time in LastLog. After the new LastLog record, the UTMP file opens and inserts the user's UTMP record. This record has been deleted when the user logs in and exits. UTMP files are used by various command files, including WHO, W, Users, and Finger. Next, the Login program opens the UTMP record of the file WTMP additional user. When the user logs in to exit, the same UTMP record with the update timestamp is attached to the file. The WTMP file is used by the programs Last and AC. 2. The specific command WTMP and UTMP files are binary files, they cannot be scrapped or merged (using the cat command) such as a tail command (using the cat command). Users need to use WHO, W, Users, Last, and AC to use the information contained in these two files. The Who: who command queries the UTMP file and reports each user currently logged in.
The default output of WHO includes user name, terminal type, login date, and remote host. For example: WHO (Enter) Show chyang PTS / 0 AUG 18 15:06 Ynguo PTS / 2 AUG 18 15:32 YNGUO PTS / 3 AUG 18 13:55 Lewis PTS / 4 AUG 18 13:35 YNGUO PTS / 7 AUG 18 14:12 YLOU PTS / 8 AUG 18 14:15 If the WTMP file name is specified, the who command queries all previous records. Command WHO / VAR / LOG / WTMP will report every login since the WTMP file is created or deleted. The W: w command queries the UTMP file and displays the process information for each user in the current system and it runs. For example: W (Enter) Show: 3: 36pm Up 1 Day, 22:34, 6 Users, Load Average: 0.23, 0.29, 0.27 User Tty from login @ idle jcpu pcpu what chYANG PTS / 0 202.38.68.242 3:06 PM 2:04 0.08s 0.04s - Bash YNGUO PTS / 2 202.38.79.47 3:32 PM 0.00S 0.14S 0.05 W Lewis PTS / 3 202.38.64.233 1:55 PM 30:39 0.27S 0.22s - Bash Lewis PTS / 4 202.38. 64.233 1:35 PM 6.00S 4.03S 0.01S sh / home / users / YNGUO PTS / 7 Simba.nic.ustc.e 2:12 PM 0.00S 0.47S 0.24S Telnet Mail Ylou PTS / 8 202.38.64.235 2:15 PM 1: 09M 0.10S 0.04s -bash users: Users print out the current login user with a separate line, each displayed a login session. If a user has more than one login session, then his username will display the same number. For example: Users (Enter) Display: ChYANG Lewis Lewis Ylou Ynguo Ynguo Last: The last command recovers WTMP to display users who have been logged in since the file was created.
For example: Chyang PTS / 9 202.38.68.242 Tue Aug 1 08:34 - 11:23 (02:49) CFAN PTS / 6 202.38.64.224 Tue Aug 1 08:33 - 08:48 (00:14) Chyang PTS / 4 202.38.68.242 Tue Aug 1 08:32 - 12:13 (03:40) Lewis PTS / 3 202.38.64.233 Tue Aug 1 08:06 - 11:09 (03:03) Lewis PTS / 2 202.38.64.233 Tue Aug 1 07:56 - 11:09 (03:12) If the user is specified, then Last only reports the user's recent activities, for example: Last Ynguo (Enter) Show: YNGUO PTS / 4 Simba.nic.ustc.e fri Aug 4 16:50 - 08:20 (15:30) YNGUO PTS / 4 Simba.nic.ustc.E thu Aug 3 23:55 - 04:40 (04:44) YNGUO PTS / 11 Simba.nic.ustc.e THU AUG 3 20:45 - 22:02 (01:16) YNGUO PTS / 0 Simba.nic.ustc.E Thu Aug 3 03:17 - 05:42 (02:25) YNGUO PTS / 0 Simba.nic.USTC .e WED AUG 2 01:04 - 03:16 1 02: 12) YNGUO PTS / 0 Simba.nic.ustc.e WED AUG 2 00:43 - 00:54 (00:11) YNGUO PTS / 9 SIMBA. Nic.ustc.e thu Aug 1 20:30 - 21:26 (00:55) AC: AC command to report the time (hour) of the user connection according to the login entry and exit in the current / var / log / wtmp file, If you do not use a flag, the total time is reported. For example: AC (Enter) Show: Total 5177.47 AC -D (Enter) Show Daily Time Aug 12 Total 261.87 AUG 13 Total 351.39 AUG 14 Total 396.09 AUG 15 Total 462.63 AUG 16 Total 270.45 Aug 17 Total 104.29 Today Total 179.02 AC -P (Enter) Shows the total connection time of each user YNGUO 193.23 Yucao 3.35 rong 133.40 HDAI 10.52 ZJZHU 52.87 ZQZHOU 13.14 LiangLiu 24.34 Total 5178.24 LastLog: LastLog file is queried when a user is logged in. You can use the LastLog command to check the time for a particular user last login, and format the contents of the last login log / var / log / lastlog. It displays the login name, port number (TTY) and last login time according to UID sorting. If a user has never logged in, LastLog displays "** never logged **.
Note that you need to run this command with root, for example: rong 5 202.38.64.187 fri aug 18 15:57:01 0800 2000 dbb ** never logged in ** pb9511 ** never logged in ** Xchen 0 202.38.64.190 Sun AUG 13 10:01:22 0800 2000 In addition, some parameters can be added, for example, Last -u 102 will report the UID 102 user; Last -t 7 represents a report of the last week. 3. Process Statistics Unix can track each command running in each user. If you want to know which important files have been messy last night, the process statistics can tell you. It is helpful to track an invasator. Unlike the connection time log, the process statistics subsystem default is not activated, it must start. In the Linux system Starting Process Statistics Using the accton command, you must run with root identity. The form of accton commands accton file, file must exist first. First use the touch command to create a PACCT file: Touch / VAR / LOG / PACCT, then run accton: accton / var / log / pACCT. Once Accton is activated, you can use the LastComm command to monitor the commands performed in the system. To turn off the statistics, you can use the accton command without any parameters. The Lastcomm command reports the previously executed file. When there is no parameters, the LastComm command displays information about all commands recorded during the current statistics file lifecycle. Including the CPU time and a timestamp that the command name, user, TTY, command cost. If there are many users in the system, the input may be very long. The following example: crd f root ?? 0.00 secs sun aug 20 00:16 promisc_check.s s root ?? 0.04 second sun aug 20 00:16 promisc_check root ?? 0.01 SECS SUN AUG 20 00:16 grep root ?? 0.02 SECS Sun aug 20 00:16 Tail root ?? 0.01 SECS SUN AUG 20 00:16 sh root ?? 0.01 seconds sun aug 20 00:15 ping s root ?? 0.01 second sun aug 20 00:15 ping6.pl f root ?? 0.01 SECS SUN AUG 20 00:15 Sh Root ?? 0.01 SECS Sun Aug 20 00:15 ping S root ?? 0.02 SECS Sun Aug 20 00:15 ping6.pl f root ?? 0.02 SECS Sun Aug 20 00:15 sh Root ?? 0.02 Secs Sun Aug 20 00:15 ping s root ?? 0.00 secs sun aug 20 00:15 ping6.pl f root ?? 0.01 second sun aug 20 00:15 sh root ?? 0.01 second sun aug 20 00:15 Ping S root ?? 0.01 second ?? 0.02 SECS Sun Aug 20 00:15 ping s root ?? 1.34 SECS SUN AUG 20 00:15 Locate root ttyp0 1.34 SECS Sun Aug 20 00:15 Accton S root ttyp0 0.00 Secs Sun AUG 20 00:15 A problem with process statistics is that the PACCT file may grow very rapidly.
At this time, you need to interactively or through the CRON mechanism to run the SA command to keep log data in system control. SA command report, clean up and maintain process statistics. It can compress the information in / var / log / pACCT to the summary file / var / log / savacct and / var / log / usracct. These summary contain system statistics classified by command name and username. SA is default, read them first, then read the PACCT file, so that the report can contain all available information. SA output has some of the following tag items: avio - the average I / O operation of each execution CP - user and system time summary, the average CPU time used by the minute CPC - and CP, Take 1K-cPU storage integrity, in 1k-core second re-- real-time time, in minutes S - system time, Total number of TiO - I / O operations in minutes U - users Time, in minutes, for example: 842 173.26R 4.30CP 0AVIO 358K 2 10.98RE 4.06CP 0AVIO 299K Find 9 24.80re 0.05cp 0avio 291k *** Other 105 30.44re 0.03CP 0AVIO 302K PING 104 30.55RE 0.03CP 0AVIO 394K SH 162 0.11re 0.03cp 0avio 413k security.sh * 154 0.03re 0.02cp 0avio 273k ls 56 31.61re 0.02cp 0avio 823k ping6.pl * 2 3.23re 0.02cp 0avio 822k ping6.pl 35 0.02re 0.01cp 0avio 257k md5sum 97 0.02re 0.01CP 0AVIO 263K INITLOG 12 0.19R 0.01CP 0AVIO 399K Promisc_Check.s 15 0.09R 0.00CP 0AVIO 288K GREP 11 0.08RE 0.00CP 0avio 332k awk users can also provide a summary report according to user rather than commands. For example, SA -M is shown as follows: 885 173.28RE 4.31CP 0avk root 879 173.23RE 4.31CP 0AVK Alias 3 0.05RE 0.00CP 0AVK QMAILP 3 0.01RE 0.00CP 0avk 4. Syslog Device Syslog has been adopted by many log functions, it is used in many Among the protection measures - any program can pass the Syslog Record event. Syslog can record system events, you can write to a file or device, or send a user to the user. It can record local events or record the events on another host through the network. Syslog devices are based on two important files: / etc / syslogd (daemon), and /etc/syslog.conf profiles, most Syslog information is written to the / var / ADM or / var / log directory information file Messages. *). A typical syslog record includes the name of the generator and a text message. It also includes a device and a priority range (but does not appear in day).
Each Syslog message is given one of the main devices below: log_auth - authentication system: login, su, getty, etc. LOG_AUTHPRIV - with LOG_AUTH, but only log in to the selected single user readable file log_cron - cron guardian Process log_daemon - Other system daemon, such as ROUTED log_ftp - file transfer protocol: ftpd, tftpd log_kern - the log_lpr - system printer buffer pool: LPR, LPD log_mail - Email system log_news - Network News System log_syslog - The internal message generated by syslogd (8) log_user - the message generated by the random user process log_uucp - UUCP Subsystem log_local0 ~ log_local7 - For the local use of Syslog for each event to give several different priorities: Log_emerg - emergency log_alert - should be immediately corrected, such as system database destroying log_crit - important cases, such as hard disk error log_err - Error log_warning - warning information log_notice - not error, but may need to handle log_info- - Intelligence information log_debug - Information containing information, usually aims to use the syslog.conf file when using the syslog.conf file when debugging a program, and the program queries the configuration file at startup. This file consists of a single entry classified by different programs or messages, each accounting. Provide a selection domain and an action domain for each type of message. These domains are separated by TAB: Select the domain to indicate the type and priority of the message; the action domain indicates that the Syslogd is not performed when the message matches the message. Each option is composed of device and priority. When a priority is specified, Syslogd will record a message with the same or higher priority. So if you specify "crit", the message that is labeled crit, Alert, and Emerg will be recorded. Each line of action indicates where the selection is selected after a given message is selected. For example, if you want to record all message messages into a file, you have your own log on the following place mail. * / Var / log / maillog other devices also have their own log. UUCP and NEWS devices can generate many external messages. It saves these messages to their own log (/ var / log / spooler) and limits the level as "ERR" or higher. For example: # save mail and news errors of level err and higher in assecial file. Uucp, news.crit / var / log / spooler When an emergency message arrives, you may want to get all users. May also want your log to receive and save it. #Everybody Gets Emergency Messages, Plus Log THEM ON ANTHER MACHINE * .Emerg * * .emerg @ Linuxaid.com.cn Alert message should be written to Root and Tiger personal account: #root and tiger get alert and higher messages * .lart Root, Tiger sometimes syslogd will produce a lot of messages. For example, the kernel ("Kern" device) may be very lengthy. Users may want to record kernel messages into / dev / console.
