UNIX log system
From: http://kunming.cyberpolice.cn/aqjs/20002.html
Basic log files

The directories used for UNIX log files differ between versions. The most common are:

    /usr/adm    early versions of UNIX
    /var/adm    newer versions of UNIX
    /var/log    Solaris, Linux, BSD, etc.
    /etc        early UNIX System V

Under these directories, or in their subdirectories, you can find the following log files (not all of them exist on every system):

    lastlog     records the time of each user's last successful login
    loginlog    records unsuccessful login attempts
    messages    records output to the system console and messages generated by the syslog system server
    utmp        records each user currently logged in
    utmpx       extended utmp
    wtmp        records the history of every user login and logout
    wtmpx       extended wtmp
    vold.log    records errors that occur when using external media
    xferlog     records FTP access
    sulog       records use of the su command
    acct        records the commands run by each user
    aculog      records automatic dial-out calls

The lastlog file

UNIX records in the lastlog file the last time each user logged in to the system. When you log in, the system displays this time:

    login: blackeyes
    password: h3ll0
    last login: Tue Jul 27 09:55:50 on tty01

lastlog lets users check whether the time of their previous login is plausible. If the time the system displays does not match the last time you actually logged in, an unauthorized login has taken place; in that case, change the account password immediately and notify the administrator. At each login, the new lastlog entry overwrites the old one. Standard UNIX provides no utility for reading the lastlog file; some programs offer this, but they are not covered here and will be discussed later.

The loginlog file

In UNIX System V, unsuccessful login attempts can be recorded in /var/adm/loginlog.
To record unsuccessful logins, create the /var/adm/loginlog file with the following commands:

    # touch /var/adm/loginlog
    # chmod 600 /var/adm/loginlog
    # chown root /var/adm/loginlog

If someone knows a username on the system and tries to guess its password, /var/adm/loginlog records every failed login attempt. When the administrator looks at the contents of /var/adm/loginlog, the attempts are revealed:

    # cat /var/adm/loginlog
    hacker: from 202.88.88.xx: Tue Jul 27 02:40:50 1999
    hacker: from 202.88.88.xx: Tue Jul 27 02:41:50 1999
    hacker: from 202.88.88.xx: Tue Jul 27 02:42:50 1999
    hacker: from 202.88.88.xx: Tue Jul 27 02:43:50 1999
    hacker: from 202.88.88.xx: Tue Jul 27 02:44:50 1999

The messages file

The messages file records output to the system console and messages generated by the syslog system server. First, a look at syslog itself. syslog is a configurable, unified system logging facility: it accepts log requests from the system at any time and then, according to the settings in /etc/syslog.conf, writes the log information to the corresponding file, mails it to a specific user, or sends it directly to the console as a message.
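As an added example (not from the original page), the following POSIX shell script summarises a loginlog in the format shown above, so that repeated failures from one source stand out instead of having to be read line by line. The log lines, the user names and the hosts are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original page): summarise /var/adm/loginlog.
# Line format as shown on the page:  user: from host: date
# The sample lines below are constructed; "202.88.88.xx" is a placeholder host.
SAMPLE_LOGINLOG='hacker: from 202.88.88.xx: Tue Jul 27 02:40:50 1999
hacker: from 202.88.88.xx: Tue Jul 27 02:41:50 1999
hacker: from 202.88.88.xx: Tue Jul 27 02:42:50 1999
hacker: from 202.88.88.xx: Tue Jul 27 02:43:50 1999
hacker: from 202.88.88.xx: Tue Jul 27 02:44:50 1999
root: from 10.0.0.xx: Tue Jul 27 03:10:12 1999
alice: from console: Tue Jul 27 08:02:01 1999'

# count_failures LOGTEXT
# Prints "count user host" lines, most frequent first. Fields are split on
# ": " so the colons inside the time stamp are left alone.
count_failures() {
    printf '%s\n' "$1" |
    awk -F': ' 'NF >= 3 {
        user = $1; sub(/^from /, "", $2); host = $2
        n[user " " host]++
    }
    END { for (k in n) print n[k], k }' |
    sort -rn
}

# flag_guessing LOGTEXT THRESHOLD
# Prints "user host" for every pair with at least THRESHOLD failures;
# prints nothing when no pair reaches the threshold.
flag_guessing() {
    count_failures "$1" | awk -v t="$2" '$1 >= t { print $2, $3 }'
}

count_failures "$SAMPLE_LOGINLOG"
echo "--- sources with 5 or more failures ---"
flag_guessing "$SAMPLE_LOGINLOG" 5
```

Run it against the real file with `count_failures "$(cat /var/adm/loginlog)"` on a system that keeps one.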
It is worth noting that, to prevent an intruder from modifying or deleting the records in messages, you can log to a printer, or log across the network to another host, so that the intruder cannot tamper with the records.

syslog.conf in detail

Taking Sun Solaris 2.5.1 as the example, the general format of /etc/syslog.conf is:

    facility.level[;facility.level]    action

The facility describes the source of the message:

    auth      used by authorization systems (login): the authentication system that asks for a username and password
    cron      used by the cron and at systems
    daemon    system and network daemons
    kern      messages produced by the kernel
    lpr       the printing system
    mail      the mail system
    mark      used internally for time stamps
    news      reserved for the news system
    user      the default facility

The level describes the severity of the message:

    debug     normally used for debugging
    info      informational messages
    notice    conditions that may require attention
    warning   any warnings
    err       any errors
    crit      critical conditions, such as hardware problems
    alert     any condition that demands immediate attention
    emerg     any emergency condition
    none      do not send messages from the indicated facility to the selected file
The action says where the record goes:

    /dev/console        send messages to the console device
    /var/adm/messages   write messages to the file /var/adm/messages
    @loghost            forward messages to a loghost (another log server)
    fred,user1          send messages to the named users
    *                   send messages to all logged-in users

Below is a sample /etc/syslog.conf:

    *.notice;mail.info      /var/log/notice
    *.crit                  /var/log/critical
    kern,mark.debug         /dev/console
    kern.err                @server
    *.emerg                 *
    *.alert                 root,operator
    *.alert;auth.warning    /var/log/auth

If you use a printer to keep the log, connect the printer to the terminal port /dev/ttya and add a configuration line to /etc/syslog.conf, for example:

    auth.*    /dev/ttya

This records information such as incorrect password attempts on the printer.
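As an added example, not from the original page, the following POSIX shell script audits a syslog.conf for where auth messages end up, applying the point above that records an intruder can edit in a local file should also reach a loghost, the console or a printer. The two configurations are constructed; the names loghost and /dev/ttya follow the page's own examples, and the selector parsing covers the facility.level[;facility.level] format described above, including comma-separated facility lists such as kern,mark.debug.

```shell
#!/bin/sh
# Added example (not from the original page). Solaris separates selector and
# action with a tab, so the constructed sample configs are built with printf '\t'.
WEAK_CONF=$(printf '%s\t%s\n' \
    '*.notice;mail.info' /var/log/notice \
    '*.crit'             /var/log/critical \
    'auth.info'          /var/adm/messages)            # auth only reaches a local file
HARDENED_CONF=$(printf '%s\n' "$WEAK_CONF"; \
    printf '%s\t%s\n' 'auth.*' /dev/ttya 'auth.warning' @loghost)

# auth_sinks CONF
# Prints one "level action" line for every selector that covers the auth
# facility (explicit "auth" or the wildcard "*"); "none" selectors are skipped.
auth_sinks() {
    printf '%s\n' "$1" |
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            action = $NF
            n = split($1, sel, ";")
            for (i = 1; i <= n; i++) {
                if (split(sel[i], p, "[.]") != 2) continue
                m = split(p[1], fac, ",")
                for (j = 1; j <= m; j++)
                    if ((fac[j] == "auth" || fac[j] == "*") && p[2] != "none")
                        print p[2], action
            }
        }'
}

# tamper_resistant_auth_sinks CONF
# Keeps only sinks that an intruder on this host cannot quietly edit:
# a remote loghost (@host) or a device such as /dev/console or /dev/ttya.
tamper_resistant_auth_sinks() {
    auth_sinks "$1" | awk '$2 ~ /^@/ || $2 ~ /^\/dev\// { print }'
}

# audit_auth_logging CONF: exit status 0 if at least one such sink exists, else 1.
audit_auth_logging() {
    [ -n "$(tamper_resistant_auth_sinks "$1")" ]
}

for conf in "$WEAK_CONF" "$HARDENED_CONF"; do
    if audit_auth_logging "$conf"; then echo "OK: auth messages also reach a loghost or device"
    else echo "WEAK: auth messages only reach local files"; fi
done
```

To check a live system, pass the real file with `audit_auth_logging "$(cat /etc/syslog.conf)"`.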