Log files and commands in Linux

xiaoxiao2021-03-06  41

One of the keys to managing any system successfully is knowing what happens on it. Linux provides extensive logging, and the level of detail is configurable. Linux logs are stored as plain text, so no special tools are needed to search and read them; you can also write scripts that scan these logs and automatically take action based on their content. Linux logs are kept in the /var/log directory. Several log files are maintained by the system itself, and other services and programs may place their logs there as well. Most logs are readable only by the root account, although the access permissions of the files can be changed.

Red Hat Linux common log files

The common Red Hat Linux log files are described below.

/var/log/boot.log

This file records events during the boot process, that is, the messages displayed while the Linux system starts up.

/var/log/cron

This log file records the actions of child processes spawned by the crontab daemon; the user, the time and the PID are recorded ahead of each action. A CMD action is the common case, where cron spawns a scheduled process. A REPLACE action records a user updating their crontab file, which lists the tasks to be run periodically. A RELOAD action follows shortly after a REPLACE action; it means cron noticed that a user's crontab was updated and needs to reload it into memory. Anomalies can sometimes be spotted in this file.

/var/log/maillog

This log file records every mail message sent to or from the system. It can be used to see which mail tools users use, or which systems they send data to. Here is a fragment of the log file:

Sep  4 17:23:52 unix sendmail[1950]: g849npp01950: from=root, size=25, class=0, nrcpts=1, msgid=<200209040923.g849npp01950@redhat.pfcc.com.cn>, relay=root@localhost
Sep  4 17:23:55 unix sendmail[1950]: g849npp01950: to=lzy@fcceec.net, ctladdr=root (0), delay=00:00:04, xdelay=00:00:03, mailer=esmtp, pri=30025, relay=fcceec.net. [10.152.8.2], dsn=2.0.0, stat=Sent (Message queued)

/var/log/messages

This log file is a summary of the logs of many processes, and intrusion attempts and successful intrusions can be seen in it. For example:

Sep  3 08:30:17 unix login[1275]: FAILED LOGIN 2 FROM (null) FOR suying, Authentication failure
Sep  4 17:40:28 unix -- suying[2017]: LOGIN ON pts/1 BY suying FROM fcceec.www.ec8.pfcc.com.cn
Sep  4 17:40:39 unix su(pam_unix)[2048]: session opened for user root by suying(uid=999)
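As an added example (my code, not part of the original article), the script below parses lines in the /var/log/messages format shown above (date, host name, program[pid]: message) and pulls out the two events a reviewer looks for first: failed logins per account and source, and su sessions opened for root. The log lines embedded in it are constructed to mirror the sample.

```python
import re

# Constructed sample lines in /var/log/messages format: date, host,
# program[pid]: message. They mirror the article's sample, not a real system.
SAMPLE_MESSAGES = """\
Sep  3 08:30:17 unix login[1275]: FAILED LOGIN 2 FROM (null) FOR suying, Authentication failure
Sep  4 17:40:28 unix -- suying[2017]: LOGIN ON pts/1 BY suying FROM fcceec.www.ec8.pfcc.com.cn
Sep  4 17:40:39 unix su(pam_unix)[2048]: session opened for user root by suying(uid=999)
Sep  4 17:41:02 unix sendmail[2050]: g849npp01950: from=root, size=25, class=0, nrcpts=1
Sep  4 17:42:10 unix login[2061]: FAILED LOGIN 1 FROM 10.152.8.2 FOR root, Authentication failure
Sep  4 17:42:15 unix login[2061]: FAILED LOGIN 2 FROM 10.152.8.2 FOR root, Authentication failure
this line is not in syslog format and is skipped
"""

# date, host, program (optionally followed by [pid]), ": ", free-text message
LINE_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:]+?)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)
# message bodies written by login(1) and su via pam_unix, as in the sample
FAILED_RE = re.compile(r"FAILED LOGIN (\d+) FROM (\S+) FOR (\S+?),")
SU_RE = re.compile(r"session opened for user (\S+) by (\S+?)\(uid=(\d+)\)")


def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


def audit(text):
    """Summarise failed logins (per target account and source host) and
    su-to-root sessions found in a block of /var/log/messages text."""
    failed = {}      # (account, source) -> number of failures seen
    su_root = []     # (invoking user, invoking uid)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # not syslog format, ignore
        if rec["prog"] == "login":
            m = FAILED_RE.search(rec["msg"])
            if m:
                key = (m.group(3), m.group(2))
                failed[key] = failed.get(key, 0) + 1
        elif rec["prog"].startswith("su"):   # "su" or "su(pam_unix)"
            m = SU_RE.search(rec["msg"])
            if m and m.group(1) == "root":
                su_root.append((m.group(2), int(m.group(3))))
    return {"failed_logins": failed, "su_to_root": su_root}


if __name__ == "__main__":
    report = audit(SAMPLE_MESSAGES)
    for (account, source), n in report["failed_logins"].items():
        print(f"{n} failed login(s) for {account} from {source}")
    for user, uid in report["su_to_root"]:
        print(f"su to root by {user} (uid {uid})")
```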

The format of this file is: the date, the host name, the program name (often followed by the PID or a kernel identifier in brackets), a colon and a space, and finally the message text. One weakness of this file is that the records of intrusion attempts and successful intrusions are buried among a large number of normal process messages. The file can, however, be customized through /etc/syslog.conf, which determines how the system writes to /var/log/messages. How to configure /etc/syslog.conf to control the behaviour of system logging is described in detail later.

/var/log/syslog

By default Red Hat Linux does not generate this log file, but you can configure /etc/syslog.conf so that the system does. Unlike /var/log/messages, it records only warning-level and higher information, which is usually important information about the system, so you should pay particular attention to it. To generate the file, add the line "*.warning /var/log/syslog" to /etc/syslog.conf. It can then record wrong passwords entered at login, sendmail problems, failed su commands and similar information. Here is a record:

Sep  6 16:47:52 unix login[2384]: check pass; user unknown

/var/log/secure

This log file records security-related information. Part of the file is shown below:

Sep  4 16:05:09 unix xinetd[711]: START: ftp pid=1815 from=127.0.0.1
Sep  4 16:05:09 unix xinetd[1815]: USERID: ftp OTHER :root
Sep  4 16:07:24 unix xinetd[711]: EXIT: ftp pid=1815 duration=135(sec)
Sep  4 16:10:05 unix xinetd[711]: START: ftp pid=1846 from=127.0.0.1
Sep  4 16:10:05 unix xinetd[1846]: USERID: ftp OTHER :root
Sep  4 16:16:26 unix xinetd[711]: EXIT: ftp pid=1846 duration=381(sec)
Sep  4 17:40:20 unix xinetd[711]: START: telnet pid=2016 from=10.152.8.2

/var/log/lastlog

This log file records each user's most recent successful login and last unsuccessful login; it is written by login. The file is binary, so you need the lastlog command to view it. lastlog shows the login name, port and last login time, sorted by UID. If a user has never logged in, it shows "**Never logged in**". The command can only be executed with root permission. Simply typing lastlog shows output like the following:

Username         Port     From             Latest
root             tty2                      Tue Sep  3 08:32:27 +0800 2002
bin                                        **Never logged in**
daemon                                     **Never logged in**
adm                                        **Never logged in**
lp                                         **Never logged in**
sync                                       **Never logged in**
shutdown                                   **Never logged in**
mail                                       **Never logged in**
news                                       **Never logged in**
uucp                                       **Never logged in**
operator                                   **Never logged in**
games                                      **Never logged in**
gopher                                     **Never logged in**
ftp              ftp      unix             Tue Sep  3 14:49:04 +0800 2002
nobody                                     **Never logged in**
nscd                                       **Never logged in**
mailnull                                   **Never logged in**
ipc                                        **Never logged in**
rpcuser                                    **Never logged in**
xfs                                        **Never logged in**
gdm                                        **Never logged in**
postgres                                   **Never logged in**
apache                                     **Never logged in**
lzy              tty2                      Mon Jul 15 08:50:37 +0800 2002
suying           tty2                      Tue Sep  3 08:31:17 +0800 2002

System accounts such as bin, daemon, adm, uucp and mail should never log in; if these accounts show a login, the system may have been compromised. Likewise, if the recorded time of your last login is not when you actually last logged in, your account may have been compromised.

/var/log/wtmp

This log file permanently records every user login and logout and every system startup. As the system's uptime increases, the file therefore keeps growing; how fast it grows depends on the number of user logins. The file can be used to look up users' login records: the last command obtains this information by reading this file and displays the login records in reverse chronological order. last can also display the records for a particular user, terminal (tty) or time.

The last command has two useful options:

last -u username shows when the specified user last logged in.

last -t days shows the user logins before the specified number of days.

/ var / run / utmp

This file records information about each user currently logged in. It therefore changes constantly as users log in to and out of the system; it keeps only the records of users currently online and no permanent record. Commands that query the system for who is logged in, such as who, w, users and finger, read this file. The file does not contain completely accurate information, because some abrupt errors terminate a user's login session without the system updating the utmp record in time, so it is not 100% trustworthy.

The three files mentioned above (/var/log/wtmp, /var/run/utmp and /var/log/lastlog) are the key files of the login-logging subsystem; they record user logins, and every record in them carries a timestamp. They are stored in binary form, so they cannot be read directly with commands such as less or cat; dedicated commands are needed to view them. The utmp and wtmp files share the same data structure, while the lastlog file uses a different one; the exact layout of each can be looked up with the man command.

Each time a user logs in, the login program looks up the user's UID in the lastlog file. If an entry exists, it writes the user's last login time, logout time and host name to standard output, then records the new login time in lastlog, opens the utmp file and inserts the user's utmp record. This record is removed when the user logs out. The utmp file is used by various commands, including who, w, users and finger.

Next, the login program opens the wtmp file and appends the user's utmp record. When the user logs out, the same utmp record, with an updated timestamp, is appended to the file again. The wtmp file is used by the last program.
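The binary record layout described above, as an added example that is not from the article: this Python script packs and unpacks records in the glibc struct utmp layout (which utmp and wtmp share), then reproduces what who does on utmp and what last does on wtmp, pairing each login with the later logout record on the same line. The records are constructed; on a real host the same parser could be pointed at /var/run/utmp or /var/log/wtmp, assuming the 384-byte glibc layout with 32-bit time fields.

```python
import struct

# Layout of struct utmp from <utmp.h> on Linux/glibc (384 bytes): ut_type, 2 pad
# bytes, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256], ut_exit (two
# shorts), ut_session, ut_tv (sec, usec as 32-bit ints), ut_addr_v6[4], 20 unused.
# Assumption: little-endian host with this layout (other ABIs differ).
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

# ut_type values from <utmp.h>
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def pack_record(ut_type, pid, line, ident, user, host, tv_sec):
    """Build one binary utmp/wtmp record (used here only to construct sample data)."""
    def cstr(s, n):                      # NUL-padded fixed-width C string
        return s.encode()[:n].ljust(n, b"\0")
    return struct.pack(UTMP_FMT, ut_type, pid, cstr(line, 32), cstr(ident, 4),
                       cstr(user, 32), cstr(host, 256),
                       0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def parse_records(blob):
    """Yield one dict per record in a utmp or wtmp image (trailing partial data ignored)."""
    for off in range(0, len(blob) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, blob, off)
        text = lambda b: b.split(b"\0", 1)[0].decode(errors="replace")
        yield {"type": f[0], "pid": f[1], "line": text(f[2]), "id": text(f[3]),
               "user": text(f[4]), "host": text(f[5]), "time": f[9]}


def logged_in(blob):
    """What `who` reports from /var/run/utmp: the USER_PROCESS records."""
    return [(r["user"], r["line"], r["host"]) for r in parse_records(blob)
            if r["type"] == USER_PROCESS]


def sessions(blob):
    """What `last` derives from /var/log/wtmp: (user, line, host, seconds) per
    session. A logout is a DEAD_PROCESS record on the same line (its user
    field is empty), so pairing is done by line; sessions with no logout yet
    get None as their duration."""
    open_by_line, out = {}, []
    for r in parse_records(blob):
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            start = open_by_line.pop(r["line"])
            out.append((start["user"], start["line"], start["host"],
                        r["time"] - start["time"]))
    for r in open_by_line.values():
        out.append((r["user"], r["line"], r["host"], None))
    return out


# Constructed sample images: a boot record, two logins, and suying's logout.
T0 = 1030055517                          # constructed epoch timestamp
BOOT = pack_record(BOOT_TIME, 0, "~", "~~", "reboot", "2.4.18", T0)
LOGIN_SUYING = pack_record(USER_PROCESS, 2017, "pts/1", "ts/1", "suying", "fcceec.net", T0 + 60)
LOGIN_LZY = pack_record(USER_PROCESS, 2101, "tty2", "2", "lzy", "", T0 + 120)
LOGOUT_SUYING = pack_record(DEAD_PROCESS, 2017, "pts/1", "ts/1", "", "", T0 + 660)
SAMPLE_UTMP = LOGIN_LZY                  # after suying logs out only lzy is live
SAMPLE_WTMP = BOOT + LOGIN_SUYING + LOGIN_LZY + LOGOUT_SUYING

if __name__ == "__main__":
    print("who:", logged_in(SAMPLE_UTMP))
    print("last:", sessions(SAMPLE_WTMP))
```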

/ var / log / xferlog

This log file records FTP sessions; it shows which files were copied from the FTP server and which were copied to it. It can therefore reveal which malicious programs a user uploaded to the server in order to break in, and which files were copied out for them.
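As an added example that is not from the article, the parser below handles the xferlog record format described next (the same fields, in the same order) and picks out the records a defender reviews first: transfers into the server, especially anonymous ones, and the volume copied out. The sample lines are constructed; the first mirrors the article's record.

```python
import re
from datetime import datetime

# Constructed xferlog lines (the first mirrors the article's record). Fields:
# date, transfer seconds, remote host, size, path, type (a/b), special-action
# flag (C/U/T/_), direction (i/o), access mode (a/g/r), user, service,
# authentication method (0/1), authenticated user or "*", completion (c/i).
SAMPLE_XFERLOG = """\
Wed Sep  4 08:14:03 2002 1 unix 275531 /var/ftp/lib/libnss_files-2.2.2.so b _ o a root@unix ftp 0 * c
Wed Sep  4 09:02:11 2002 3 10.152.8.2 40960 /var/ftp/incoming/upload.tgz b _ i a guest@example ftp 0 * c
Wed Sep  4 09:05:40 2002 0 10.152.8.2 512 /home/lzy/notes.txt a _ i r lzy ftp 1 lzy i
garbage that is not an xferlog record
"""

XFER_RE = re.compile(
    r"^(?P<date>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<secs>\d+) (?P<host>\S+) (?P<size>\d+) (?P<path>\S+) "
    r"(?P<type>[ab]) (?P<action>[CUT_]) (?P<direction>[iod]) (?P<mode>[agr]) "
    r"(?P<user>\S+) (?P<service>\S+) (?P<auth>[01]) (?P<auth_user>\S+)"
    r"(?: (?P<status>[ci]))?$"          # completion status is absent in old logs
)


def parse_xferlog(text):
    """Parse xferlog text into dicts; lines that do not fit the format are skipped."""
    records = []
    for line in text.splitlines():
        m = XFER_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["secs"], rec["size"] = int(rec["secs"]), int(rec["size"])
        rec["when"] = datetime.strptime(rec["date"], "%a %b %d %H:%M:%S %Y")
        records.append(rec)
    return records


def uploads(records, anonymous_only=False):
    """Transfers into the server (direction 'i'); with anonymous_only, just those
    made through anonymous access (mode 'a'), which any remote party could do."""
    return [r for r in records
            if r["direction"] == "i" and (not anonymous_only or r["mode"] == "a")]


def bytes_out(records):
    """Total bytes copied from the server (direction 'o'), to spot bulk downloads."""
    return sum(r["size"] for r in records if r["direction"] == "o")


if __name__ == "__main__":
    recs = parse_xferlog(SAMPLE_XFERLOG)
    for r in uploads(recs, anonymous_only=True):
        print("anonymous upload:", r["path"], "from", r["host"], "at", r["when"])
    print("bytes downloaded:", bytes_out(recs))
```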

The format of this file is: the first field is the date and time; then the transfer time in seconds; the remote host name; the file size; the local path name; the transfer type (a: ASCII, b: binary); a special-action flag (whether the file was compressed, uncompressed or tar-ed, or "_" for no action); the transfer direction relative to the server (i: incoming, o: outgoing); the access mode (a: anonymous, g: guest with password, r: real user); the user name; the service name (usually ftp); the authentication method (1: RFC 931, 0: none); and the authenticated user ID, or "*" if none. Below is a record from this file:

Wed Sep  4 08:14:03 2002 1 unix 275531 /var/ftp/lib/libnss_files-2.2.2.so b _ o a root@unix ftp 0 * c

/var/log/kernlog

Red Hat Linux does not produce this log file by default. To enable it, add the line "kern.* /var/log/kernlog" to /etc/syslog.conf. This logs all kernel messages to /var/log/kernlog. The file records devices being loaded or used when the system starts. Normally these are routine operations, but if such operations were not initiated by an authorized user you should pay attention, because they may be the work of a malicious user. Below is part of the file:

Sep  5 09:38:42 unix kernel: NET4: Linux TCP/IP 1.0 for NET4.0
Sep  5 09:38:42 unix kernel: IP Protocols: ICMP, UDP, TCP, IGMP
Sep  5 09:38:42 unix kernel: IP: routing cache hash table of 512 buckets, 4Kbytes
Sep  5 09:38:43 unix kernel: TCP: Hash tables configured (established 4096 bind 4096)
Sep  5 09:38:43 unix kernel: Linux IP multicast router 0.06 plus PIM-SM
Sep  5 09:38:43 unix kernel: NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
Sep  5 09:38:44 unix kernel: EXT2-fs warning: checktime reached, running e2fsck is recommended
Sep  5 09:38:44 unix kernel: VFS: Mounted root (ext2 filesystem).
Sep  5 09:38:44 unix kernel: SCSI subsystem driver Revision: 1.00

/var/log/XFree86.x.log

This log file records the startup of X Window. Apart from /var/log, malicious users may also leave traces in other places; pay attention to the following: the shell history files of root and other accounts; users' mailboxes, such as .sent, mbox and the mailboxes kept under /var/spool/mail/ and /var/spool/mqueue; the temporary directories /tmp, /usr/tmp and /var/tmp; hidden directories; and other files created by malicious users, usually with names beginning with "." so that they are hidden.

Specific commands

The wtmp and utmp files are binary and cannot be dumped or concatenated by commands such as tail or cat. Users need commands such as who, w, users, last and ac to make use of the information in these two files.

who command

The who command queries the utmp file and reports each user currently logged in. The default output of who includes the user name, terminal, login date and time, and remote host. For example, typing who and pressing Enter displays the following:

chyang   pts/0    Aug 18 15:06
ynguo    pts/2    Aug 18 15:32
ynguo    pts/3    Aug 18 13:55
lewis    pts/4    Aug 18 13:35
ynguo    pts/7    Aug 18 14:12
ylou     pts/8    Aug 18 14:15

If the wtmp file name is given, who reads all the earlier records: the command who /var/log/wtmp reports every login since the wtmp file was created or truncated.

w command

The w command queries the utmp file and displays each user on the system together with the process they are running. For example, typing w and pressing Enter displays the following:

 3:36pm  up 1 day, 22:34,  6 users,  load average: 0.23, 0.29, 0.27
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
chyang   pts/0    202.38.68.242     3:06pm   2:04   0.08s  0.04s -bash
ynguo    pts/2    202.38.79.47      3:32pm   0.00s  0.14s  0.05s w
lewis    pts/3    202.38.64.233     1:55pm  30:39   0.27s  0.22s -bash
lewis    pts/4    202.38.64.233     1:35pm   6.00s  4.03s  0.01s sh /home/users/
ynguo    pts/7    simba.nic.ustc.e  2:12pm   0.00s  0.47s  0.24s telnet mail
ylou     pts/8    202.38.64.235     2:15pm   1:09m  0.10s  0.04s -bash

users command

The users command prints the currently logged-in users on a single line, one user name per login session. If a user has more than one login session, their user name is shown that many times. For example, typing users and pressing Enter displays the following:

chyang lewis lewis ylou ynguo ynguo

last command

The last command reads the wtmp file and displays the users who have logged in since the file was created. For example:

chyang   pts/9   202.38.68.242   Tue Aug  1 08:34 - 11:23  (02:49)
cfan     pts/6   202.38.64.224   Tue Aug  1 08:33 - 08:48  (00:14)
chyang   pts/4   202.38.68.242   Tue Aug  1 08:32 - 12:13  (03:40)
lewis    pts/3   202.38.64.233   Tue Aug  1 08:06 - 11:09  (03:03)
lewis    pts/2   202.38.64.233   Tue Aug  1 07:56 - 11:09  (03:12)

If a user name is given, last reports only that user's recent activity; for example, typing last ynguo and pressing Enter displays the following:

ynguo    pts/4   simba.nic.ustc.e   Fri Aug  4 16:50 - 08:20  (15:30)
ynguo    pts/4   simba.nic.ustc.e   Thu Aug  3 23:55 - 04:40  (04:44)
ynguo    pts/11  simba.nic.ustc.e   Thu Aug  3 20:45 - 22:02  (01:16)
ynguo    pts/0   simba.nic.ustc.e   Thu Aug  3 03:17 - 05:42  (02:25)
ynguo    pts/0   simba.nic.ustc.e   Wed Aug  2 01:04 - 03:16  (02:12)
ynguo    pts/0   simba.nic.ustc.e   Wed Aug  2 00:43 - 00:54  (00:11)
ynguo    pts/9   simba.nic.ustc.e   Thu Aug  1 20:30 - 21:26  (00:55)

ac command

The ac command reports users' connection time (in hours) based on the login and logout entries in the current /var/log/wtmp file. If no flags are given, the total time is reported. For example, typing ac and pressing Enter displays the following:

total 5177.47

Typing ac -d and pressing Enter displays the total connection time for each day:

Aug 12  total   261.87
Aug 13  total   351.39
Aug 14  total   396.09
Aug 15  total   462.63
Aug 16  total   270.45
Aug 17  total   104.29
Today   total   179.02

Typing ac -p and pressing Enter displays the total connection time for each user:

ynguo      193.23
yucao        3.35
rong       133.40
hdai        10.52
zjzhu       52.87
zqzhou      13.14
liangliu    24.34
total     5178.24

lastlog command

The lastlog file is queried at every login. The lastlog command can be used to check when a particular user last logged in; it formats the contents of /var/log/lastlog, showing the login name, port (tty) and last login time, sorted by UID. If a user has never logged in, lastlog shows **Never logged in**. Note that this command must be run as root. For example:

rong       5    202.38.64.187    Fri Aug 18 15:57:01 +0800 2000
dbb                              **Never logged in**
xinchen                          **Never logged in**
pb9511                           **Never logged in**
xchen      0    202.38.64.190    Sun Aug 13 10:01:22 +0800 2000

Some options can also be given: for example, the command last -u 102 reports on the user with UID 102, and last -t 7 reports on the previous week.

Process statistics

Unix can track every command run by every user. If you want to know which important files were tampered with last night, the process accounting subsystem can tell you; it also helps in tracing an intruder. Unlike connection-time logging, process accounting is not enabled by default and must be started explicitly. On Linux, process accounting is started with the accton command, which must be run as root. The form of the command is accton file, and the file must already exist. First create the pacct file with the touch command: touch /var/log/pacct; then run accton: accton /var/log/pacct. Once accounting is active, the lastcomm command can be used to monitor the commands executed on the system. To turn accounting off, run accton without any arguments.

The lastcomm command reports on previously executed commands. With no arguments, lastcomm displays information about all commands recorded during the lifetime of the current accounting file, including the command name, the user, the tty, the CPU time the command consumed and a timestamp. If there are many users on the system, the output can be very long. Look at the example below:

crond            F    root     ??         0.00 secs Sun Aug 20 00:16
promisc_check.s  S    root     ??         0.04 secs Sun Aug 20 00:16
promisc_check         root     ??         0.01 secs Sun Aug 20 00:16
grep                  root     ??         0.02 secs Sun Aug 20 00:16
tail                  root     ??         0.01 secs Sun Aug 20 00:16
sh                    root     ??         0.01 secs Sun Aug 20 00:15
ping             S    root     ??         0.01 secs Sun Aug 20 00:15
ping6.pl         F    root     ??         0.01 secs Sun Aug 20 00:15
sh                    root     ??         0.01 secs Sun Aug 20 00:15
ping             S    root     ??         0.02 secs Sun Aug 20 00:15
ping6.pl         F    root     ??         0.02 secs Sun Aug 20 00:15
sh                    root     ??         0.02 secs Sun Aug 20 00:15
ping             S    root     ??         0.00 secs Sun Aug 20 00:15
ping6.pl         F    root     ??         0.01 secs Sun Aug 20 00:15
sh                    root     ??         0.01 secs Sun Aug 20 00:15
ping             S    root     ??         0.01 secs Sun Aug 20 00:15
sh                    root     ??         0.02 secs Sun Aug 20 00:15
ping             S    root     ??         1.34 secs Sun Aug 20 00:15
locate                root     ttyp0      1.34 secs Sun Aug 20 00:15
accton           S    root     ttyp0      0.00 secs Sun Aug 20 00:15

One problem with process accounting is that the pacct file can grow very quickly. You then need to run the sa command, either interactively or through the cron mechanism, to keep the log data under control. The sa command reports on, cleans up and maintains the process accounting data. It can condense the information in /var/log/pacct into the summary files /var/log/savacct and /var/log/usracct, which hold statistics classified by command name and by user name respectively. By default, sa reads these summary files first and then the pacct file, so that its report contains all the available information. The output of sa uses the following labels:

avio: average number of I/O operations per execution.

cp: the sum of user and system time, in minutes.

cpu: the same as cp.

k: average core memory used, in 1K units.

k*sec: CPU storage integral, in 1K-core seconds.

re: real (elapsed) time, in minutes.

s: system time, in minutes.

tio: total number of I/O operations.

u: user time, in minutes.

For example:

     842  173.26re    4.30cp    0avio   358k
       2   10.98re    4.06cp    0avio   299k   find
       9   24.80re    0.05cp    0avio   291k   ***other
     105   30.44re    0.03cp    0avio   302k   ping
     104   30.55re    0.03cp    0avio   394k   sh
     162    0.11re    0.03cp    0avio   413k   security.sh*
     154    0.03re    0.02cp    0avio   273k   ls
      56   31.61re    0.02cp    0avio   823k   ping6.pl*
       2    3.23re    0.02cp    0avio   822k   ping6.pl
      35    0.02re    0.01cp    0avio   257k   md5sum
      97    0.02re    0.01cp    0avio   263k   initlog
      12    0.19re    0.01cp    0avio   399k   promisc_check.s
      15    0.09re    0.00cp    0avio   288k   grep
      11    0.08re    0.00cp    0avio   332k   awk

sa can also produce a summary report per user rather than per command. For example, typing the command sa -m displays the following:

          885  173.28re    4.31cp    0avk
root      879  173.23re    4.31cp    0avk
alias       3    0.05re    0.00cp    0avk
qmailp      3    0.01re    0.00cp    0avk

The syslog facility

Syslog is used by many logging functions and figures in many protective measures. Any program can log through syslog. Syslog records system events; it can write them to a file or a device, or send a message to a user. It can record local events, or record events on another host over the network.

The syslog facility is based on two important files: /etc/syslogd (the daemon) and the /etc/syslog.conf configuration file. By convention, messages are written to files (messages.*) in the /var/adm or /var/log directory. A typical syslog record includes the name of the generating program and a text message. Each message also carries a facility and a priority, but these are not written to the log.

Each syslog message is assigned one of the following main facilities:

LOG_AUTH: the authentication system: login, su, getty, etc.

LOG_AUTHPRIV: the same as LOG_AUTH, but logged to a file readable only by selected users.

LOG_CRON: the cron daemon.

LOG_DAEMON: other system daemons, such as routed.

LOG_FTP: the file transfer protocol daemons ftpd and tftpd.

LOG_KERN: messages generated by the kernel.

LOG_LPR: the system printer spooler: lpr, lpd.

LOG_MAIL: the mail system.

LOG_NEWS: the network news system.

LOG_SYSLOG: internal messages generated by syslogd(8).

LOG_USER: messages generated by ordinary user processes.

LOG_UUCP: the UUCP subsystem.

LOG_LOCAL0 to LOG_LOCAL7: reserved for local use.

Syslog also assigns each event one of several priorities:

LOG_EMERG: emergency.

LOG_ALERT: a problem that should be corrected immediately, such as a corrupted system database.

LOG_CRIT: critical conditions, such as hard disk errors.

LOG_ERR: errors.

LOG_WARNING: warnings.

LOG_NOTICE: conditions that are not errors but may need special handling.

LOG_INFO: informational messages.

LOG_DEBUG: messages containing debugging information, normally used only when debugging a program.

The syslog.conf file controls the logging behaviour of the syslogd program, which reads the configuration file when it starts. The file consists of single-line entries, classified by program or by message type. Each entry provides a selector field and an action field, separated by tabs: the selector specifies the facility and priority of the messages; the action specifies what syslogd does with a message that matches the selector. Each selector consists of a facility and a priority. When a priority is specified, syslogd records messages of that priority or higher; so if "crit" is specified, messages marked crit, alert and emerg are all recorded. The action field of each line says where the messages chosen by the selector are sent. For example, to record all mail messages in one file:

# Log all the mail messages in one place
mail.*                          /var/log/maillog

Other facilities have their own logs too. The uucp and news facilities can generate many messages; these are saved to their own log (/var/log/spooler), limited to level "err" or higher. For example:

# Save mail and news errors of level err and higher in a special file.
uucp,news.crit                  /var/log/spooler

When an emergency occurs, you may want every user to be notified, and you may also want your log to be received and saved on another machine:

# Everybody gets emergency messages, plus log them on another machine
*.emerg                         *
*.emerg                         @linuxaid.com.cn

Alert messages should be sent to the root and tiger personal accounts:

# Root and tiger get alert and higher messages
*.alert                         root,tiger

Sometimes syslogd produces a great many messages; the kernel (the "kern" facility), for example, can be very verbose. Users may want to send kernel messages to /dev/console. The following example shows the kernel logging line commented out:

# Log all kernel messages to the console
# Logging much else clutters up the screen
#kern.*                         /dev/console

Users can specify all facilities on a single line. The following example sends messages of level info or higher to /var/log/messages, except for mail. The level "none" disables a facility:

# Log anything (except mail) of level info or higher
# Don't log private authentication messages!
*.info;mail.none;authpriv.none  /var/log/messages
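To make the selector rules concrete, here is an added example (my code, not the article's and not sysklogd's): a small evaluator that parses a syslog.conf built from the examples above and answers which actions a message with a given facility and priority would trigger. It assumes the semantics described in the text, including that a later selector on the same line overrides an earlier one for the same facility, which is how mail.none cancels *.info. The configuration is constructed and the remote host name is a placeholder.

```python
# Priorities from most to least severe; a selector "fac.pri" matches pri and
# everything more severe, exactly as the article explains for "crit".
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
FACILITIES = ["auth", "authpriv", "cron", "daemon", "ftp", "kern", "lpr", "mail",
              "news", "syslog", "user", "uucp"] + ["local%d" % i for i in range(8)]

# Constructed syslog.conf combining the article's examples (not the page's file).
SAMPLE_CONF = """\
# Log all the mail messages in one place
mail.*                  /var/log/maillog
# Save uucp and news errors of level crit and higher in a special file
uucp,news.crit          /var/log/spooler
# Everybody gets emergency messages, plus log them on another machine
*.emerg                 *
*.emerg                 @loghost.example
# Root and tiger get alert and higher messages
*.alert                 root,tiger
# Log all kernel messages to the console (disabled: too much clutter)
#kern.*                 /dev/console
# Log anything (except mail) of level info or higher
# Don't log private authentication messages!
*.info;mail.none;authpriv.none  /var/log/messages
*.warning               /var/log/syslog
"""


def _priority(name):
    """Normalise a priority keyword, accepting the usual aliases."""
    name = ALIASES.get(name, name)
    if name not in PRIORITIES + ["*", "none"]:
        raise ValueError("unknown priority: " + name)
    return name


def parse_conf(text):
    """Return [(selectors, action)], selectors being [(facility set, priority)]."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # '#' starts a comment
        if not line:
            continue
        selector, action = line.split(None, 1)     # selector, then action
        selectors = []
        for part in selector.split(";"):           # several selectors per line
            facs, pri = part.rsplit(".", 1)
            fac_set = set(FACILITIES) if facs == "*" else set(facs.split(","))
            selectors.append((fac_set, _priority(pri)))
        rules.append((selectors, action.strip()))
    return rules


def selector_matches(selectors, facility, priority):
    """Evaluate one line's selectors left to right; a later selector naming the
    same facility overrides an earlier one (so "*.info;mail.none" drops mail)."""
    decision = False
    for fac_set, pri in selectors:
        if facility not in fac_set:
            continue
        if pri == "none":
            decision = False
        elif pri == "*":
            decision = True
        else:                                      # pri or anything more severe
            decision = PRIORITIES.index(priority) <= PRIORITIES.index(pri)
    return decision


def route(config, facility, priority):
    """List the actions syslogd would take for one message, in config order."""
    priority = ALIASES.get(priority, priority)
    if priority not in PRIORITIES:
        raise ValueError("unknown message priority: " + priority)
    return [action for selectors, action in parse_conf(config)
            if selector_matches(selectors, facility, priority)]


if __name__ == "__main__":
    for fac, pri in [("mail", "info"), ("kern", "emerg"), ("authpriv", "notice")]:
        print(f"{fac}.{pri} -> {route(SAMPLE_CONF, fac, pri)}")
```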

In some cases you may send the log to a printer, so that a network intruder cannot alter it. Logging is usually extensive. The syslog facility is an obvious target for an attacker, and a system that keeps logs on behalf of other hosts is especially exposed to server attacks, so pay special attention to it.

There is also a small command, logger, which provides a shell command interface to the syslog(3) system log module and allows entries to be made in the log file.

Usage: logger

For example: logger this is a test!

It produces a syslog record like the following:

Aug 19 22:22:34 tiger: this is a test!

Note that you should never fully trust the logs, because an attacker can easily modify them.

Program logs and others

Many programs protect the system's security by maintaining their own logs. The su command allows a user to obtain another user's privileges, so it is very important; its log file is sulog. There is also sudolog. Apache, likewise, has two logs: access_log and error_log. There are other commonly used logging tools that we will not explain here; interested readers can refer to the URLs below.

chklastlog:

ftp://coast.cs.purdue.edu/pub/tools/unix/chklastlog/

chkwtmp:

ftp://coast.cs.purdue.edu/pub/tools/unix/chkwtmp/

dump_lastlog:

ftp://coast.cs.purdue.edu/pub/tools/unix/dump_lastlog.z

spar:

ftp://coast.cs.purdue.edu/pub/tools/unix/tamu/

swatch:

http://www.lomar.org/komar/alek/pres/swatch/cover.html

zap:

ftp://caost.cs.purdue.edu/pub/tools/unix/zap.tar.gz

Log classification method:

http://csrc.nist.gov/nissc/1998/proceedings/paperd1.pdf

Please credit the original address when reposting: https://www.9cbs.com/read-75603.html
