FreeBSD system logs and backup
Since FreeBSD is a multi-user system, it needs daily maintenance, especially when it serves as a network server: neglected maintenance there can cause heavy losses. A single-user FreeBSD system also needs these essential maintenance tasks, but because it is used personally the requirements are lower and the tasks are lighter.
System log
System logging provides a detailed audit trail of system activity; these logs are used to evaluate and review the system's operating environment and the operations performed on it. In general, a log entry records the time, the login location, what operation was performed, and so on. Used well, logging gives system administrators very useful information about security hazards or intrusion attempts.
FreeBSD provides a wide range of detailed log records, together with many log-related tools and utilities. Most of these audit records are generated automatically by programs as part of the default configuration; they help UNIX administrators find problems in the system and are very useful for system maintenance. Other logging must be set up by the administrator. Most log files are kept in the /var/log directory, which holds the logs generated by the system as well as the log files of some application software. Other subdirectories under /var also hold other kinds of log files, depending on how particular applications are configured.
$ ls /var/log
adduser            maillog.5.gz       sendmail.st.1
dmesg.today        maillog.6.gz       sendmail.st.10
dmesg.yesterday    maillog.7.gz       sendmail.st.2
httpd-access.log   messages           sendmail.st.3
httpd-error.log    messages.0.gz      sendmail.st.4
kerberos.log       messages.1.gz      sendmail.st.5
lastlog            messages.2.gz      sendmail.st.6
lpd-errs           messages.3.gz      sendmail.st.7
maillog            messages.4.gz      sendmail.st.8
maillog.0.gz       messages.5.gz      sendmail.st.9
maillog.1.gz       news               setuid.today
maillog.2.gz       ppp.log            setuid.yesterday
maillog.3.gz       sendmail.st        userlog
maillog.4.gz       sendmail.st.0      wtmp
System login log
The system saves a login record for each user, including the user name, the login start and end time, and where the user entered the system from. These records are kept in the /var/log/lastlog, /var/log/wtmp and /var/run/utmp files, which store the login data in binary format.
The /var/run/utmp file holds the login records of the users currently on the system, so it changes continuously as users enter and leave the system; it keeps no long-term history, only the users who are online at that moment. Commands that query the current user state, such as who and w, read this file. utmp may not contain completely accurate information: some abrupt errors terminate a user's login session without the utmp record being updated in time, so utmp records cannot be trusted 100%. /var/log/wtmp holds all login and logout information as well as system startup and shutdown records, so its size keeps growing as the system operates normally, the faster the more users log in. This log can be used to review users' login records: the last command reads this file and displays the login records in reverse order, and last can also select the records to display by user, terminal tty or time. The ac command also uses the data in wtmp, but presents it differently: it can show connect time per user (ac -p) or per day (ac -d), so the administrator can obtain useful information about anomalies, for example a normally inactive user who suddenly logs in and stays connected for a long time; there is reason to suspect that such an account has been stolen.
Note: under X Window, opening several terminal windows at once increases the user's recorded login connect time.
The lastlog file holds the last login information of each user, including the login time and location. Normally only the login program uses it: it looks up the record for the user's UID in the lastlog file, reports the user's last login time and terminal tty, and then updates the file with the new record.
These three files are stored in binary format, so their contents cannot be viewed directly and the related commands must be used. Of course, you can also access these three files from a program, which requires understanding the data structures they use: utmp and wtmp share the same structure, while lastlog uses another; the exact structures can be checked with the corresponding man page. If there are many users, the wtmp file grows quickly and, when space on the /var file system is limited, it can fill that file system. The system does not actively control the size of this file, so the administrator has to intervene, either by clearing it manually or by writing a shell script that saves and clears it.
The system can also provide process accounting statistics. To turn the accounting function on, use the accton command. Note that accton must be followed by the name of the accounting log file as its parameter; accton without an argument turns accounting off.
When accounting is turned on, lastcomm can be used to view information about all commands executed on the system, including the command executed, the user who ran it, the terminal tty the user used, the time and the execution time. The lastcomm output can help administrators check for possible intrusions.
In addition, the ac command can be used to query users' connect-time reports, and the sa command to query per-user processor-time reports.
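As an added example (not code from the original page), the following Python reads wtmp records the way a program would have to, assuming the classic FreeBSD utmp layout (ut_line[8], ut_name[16], ut_host[16], 32-bit time) and then reproduces the per-user connect time that ac -p reports, flagging the kind of anomaly described above: a normally idle account that stays connected far longer than usual. The sample records and the baseline dictionary are constructed for the demonstration.

```python
import struct
from collections import defaultdict
# Classic FreeBSD (pre-9.0) <utmp.h> layout, assumed here: ut_line[8], ut_name[16],
# ut_host[16] and a 32-bit little-endian time_t; utmp and wtmp share this record.
UTMP_FMT = "<8s16s16si"
UTMP_SIZE = struct.calcsize(UTMP_FMT)          # 44 bytes per record

def pack_record(line, name, host, when):
    """Build one utmp/wtmp record (used only to construct sample data below)."""
    return struct.pack(UTMP_FMT, line.encode(), name.encode(), host.encode(), when)

def parse_wtmp(blob):
    """Yield (line, name, host, time) per record; a logout has an empty name."""
    for off in range(0, len(blob) - len(blob) % UTMP_SIZE, UTMP_SIZE):
        line, name, host, when = struct.unpack_from(UTMP_FMT, blob, off)
        yield (line.rstrip(b"\0").decode(), name.rstrip(b"\0").decode(),
               host.rstrip(b"\0").decode(), when)

def connect_time(blob):
    """Connect time per user in seconds, like 'ac -p': pair each login on a tty
    with the next logout on that tty; a reboot record (line '~') ends every session."""
    open_sessions = {}                           # tty -> (user, login time)
    totals = defaultdict(int)
    for line, name, host, when in parse_wtmp(blob):
        if line == "~":
            for user, start in open_sessions.values():
                totals[user] += when - start
            open_sessions.clear()
        elif name:                               # login record
            open_sessions[line] = (name, when)
        elif line in open_sessions:              # logout on a known tty
            user, start = open_sessions.pop(line)
            totals[user] += when - start
    return dict(totals)

def suspicious_users(totals, baseline, factor=5):
    """Users whose connect time exceeds 'factor' times their usual daily total."""
    return sorted(u for u, t in totals.items() if t > factor * baseline.get(u, 0))

# Constructed sample wtmp: alice works for an hour; the normally idle 'backup'
# account logs in from a remote host and stays connected for ten hours.
SAMPLE_WTMP = b"".join([
    pack_record("~", "reboot", "", 1_000_000),
    pack_record("ttyv0", "alice", "", 1_000_100),
    pack_record("ttyp0", "backup", "10.0.0.99", 1_000_200),
    pack_record("ttyv0", "", "", 1_003_700),
    pack_record("ttyp0", "", "", 1_036_200),
])
USUAL_DAILY_SECONDS = {"alice": 20_000, "backup": 600}   # constructed baseline
```

On a real system, replace SAMPLE_WTMP with the bytes of /var/log/wtmp and derive the baseline from earlier rotated copies.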
Syslog log records
Originally syslog was just a message-logging facility written for sendmail, but because it provides a central point of control and is very easy to configure, many programs today use syslog to send their log messages. Syslog is a powerful logging mechanism: it can not only save logs in local files but also, depending on its configuration, send syslog records to another host on the network. A system that supports syslog runs the syslogd daemon, which receives syslog records from a local UNIX socket and also listens on an Internet socket on UDP port 514. Processes on the local machine use the syslog() call to send syslog records; syslogd then saves them to the correct file or forwards them to another host running syslogd.
syslogd's configuration file is /etc/syslog.conf; it defines the destination for each kind of message. A message can reach multiple destinations, or it may be ignored.
# $Id: syslog.conf,v 1.9 1998/10/14 21:59:55 nate Exp $
#
#	Spaces are NOT valid field separators in this file.
#	Consult the syslog.conf(5) manpage.
*.err;kern.debug;auth.notice;mail.crit		/dev/console
*.notice;kern.debug;lpr.info;mail.crit;news.err	/var/log/messages
mail.info					/var/log/maillog
lpr.info					/var/log/lpd-errs
cron.*						/var/cron/log
*.err						root
*.notice;news.err				root
*.alert						root
*.emerg						*
!ppp
*.*						/var/log/ppp.log
Each line of syslog.conf has two parts: the first distinguishes the type of message, the second sets the destination the message is sent to. The type of message consists of the facility that generated it (for example kern for messages generated by the kernel, auth for messages generated by the authentication system) and the level of the message: emerg means a very important emergency, alert a system alarm state, crit a critical state, err an ordinary error message, warning a warning, notice a notification that is not an error, info general information and debug debugging information. A message type is therefore written as kern.debug, mail.info and so on, and either part can be the wildcard *.
From the syslog.conf above you can see that much important information about the running system, such as error messages *.err, kernel debugging information kern.debug and authentication reports auth.notice, is directed to the console; other important information is written to the /var/log/messages file, sendmail records are saved in the /var/log/maillog file, print records in /var/log/lpd-errs, and so on. This lets the administrator consult the relevant records in these files, compile statistics or find system problems. In particular, the messages file records root logins via syslog, as well as users' repeated failed login attempts, which matters to system security. Therefore, after the system has been attacked, the attacker will look at syslog.conf and try to clear the relevant records from the files it names. For higher security requirements you can therefore try sending the syslog records to another host, or output them to a device file such as a printer, so that they are printed immediately. The system uses newsyslog to check the messages and maillog files written by syslog and rotates the old data into backup files such as messages.1.gz.
Other logs
Besides the system login records and the syslog records, some applications keep their own records.
The system automatically checks its security settings every day, including the setuid and setgid executables, and writes the result to the /var/log/security.today file; the administrator can compare it with /var/log/security.yesterday to find changes in the system's security settings.
If the system runs sendmail, sendmail's statistics are saved in the sendmail.st file.
When the system boots, the kernel's hardware probe output is written to the screen, which helps the user understand the state of the hardware in the system. The dmesg command is generally used to view the probe output from the last boot. This information is also saved in /var/log/dmesg.today, and the system keeps another file, dmesg.yesterday, with the probe output from the previous boot, so that changes in hardware and kernel configuration can be seen.
lpd-errs records the error messages generated by lpd on the system.
In addition, the various shells record the command history of each user in files under the user's home directory, usually named .history (csh) or .bash_history, etc.