Topic: Linux log analysis. Authors: Liu Zhiyong, Guo Conghui. Published: 2004.11.23
From:
http://tech.ccidnet.com/pub/Article/c322_a180627_p1.html
Logs are one of the places a user should pay attention to. Do not underestimate their role in network security: log files record the many events that happen on a system every day. Users can find the cause of an error in the log files, or trace an attacker's activity after an intrusion. The two most important uses of logs are auditing and monitoring. A well-configured Linux logging setup is very powerful. On a Linux system, all log files live under /var/log. By default the Linux log files are quite complete, but they do not record FTP events; users can record all FTP activity by editing /etc/ftpaccess.
Linux Log System Introduction
Linux log system
Logs are very important to the security of a system. They record the things that happen every day; from them a user can check the cause of an error, or find the traces an attacker left behind after an intrusion. The main functions of logging are auditing and monitoring. Logging also makes it possible to watch the state of the system and to monitor and track intruders in real time.
Linux systems typically have three main logging subsystems: connection-time logging, process accounting, and error logging.
Connection time log
Connection-time logging is performed by several programs that write records to /var/log/wtmp and /var/run/utmp. login and other programs update the wtmp and utmp files, which lets the system administrator keep track of who logged in to the system and when.
Process statistics log
Process accounting is performed by the system kernel. When a process terminates, the kernel writes a record for it to the process accounting file (pacct or acct). The purpose of process accounting is to provide usage statistics for the commands run by the basic services on the system.
Error log
The error log is kept by syslogd(8). The various system daemons, user programs and the kernel report events to the file /var/log/messages through syslog(3). Many UNIX programs also create their own logs, and servers that provide network services such as HTTP and FTP keep detailed logs as well.
Red Hat Linux common log files and common commands
One of the keys to successfully managing any system is knowing what happens on it. Linux provides exceptional logging, and the level of detail is configurable. Linux logs are stored as plain text, so you do not need special tools to search and read them; you can also write scripts that scan these logs and automatically take certain actions based on their content. Linux logs are stored in the /var/log directory. Several log files there are maintained by the system itself, but other services and programs may also put their logs here. Most logs are readable only by the root account, but the access permissions on a file can be changed to make it readable by others.

Common Red Hat Linux log files

The common Red Hat Linux log files are described in detail below.

/var/log/boot.log
This file records the events that happen while the system boots, i.e. the messages the Linux system displays during startup.

/var/log/cron
This log file records the actions of the child processes spawned by the crontab daemon: the user it runs as, the login time, the PID, and what the spawned process did. A CMD action is the usual case, where cron spawns a scheduled process. A REPLACE action records a user updating their cron file, which lists the scheduled tasks to run periodically. A RELOAD action occurs shortly after a REPLACE action; it means cron noticed that a user's cron file was updated and needed to reload it into memory. Abnormal activity can sometimes be found in this file.

/var/log/maillog
This log file records every mail delivery into or out of the system. It can be used to see which mail tools a user used, or which system the data was sent to. Here is a fragment of the log file:
Sep 4 17:23:52 unix sendmail[1950]: g849npp01950: from=root, size=25,
class=0, nrcpts=1,
msgid=<200209040923.g849npp01950@redhat.pfcc.com.cn>,
relay=root@localhost
Sep 4 17:23:55 unix sendmail[1950]: g849npp01950: to=lzy@fcceec.net,
ctladdr=root (0/0), delay=00:00:04, xdelay=00:00:03, mailer=esmtp, pri=30025,
relay=fcceec.net. [10.152.8.2], dsn=2.0.0, stat=Sent (Message queued)
/var/log/messages
This log file is a summary of the logs of many processes; intrusion attempts or successful intrusions can be spotted in it. For example:
Sep 3 08:30:17 unix login[1275]: FAILED LOGIN 2 FROM (null) FOR suying,
Authentication failure
Sep 4 17:40:28 unix -- suying[2017]: LOGIN ON pts/1 BY suying FROM
fcceec.www.ec8.pfcc.com.cn
Sep 4 17:40:39 unix su(pam_unix)[2048]: session opened for user root by suying(uid=999)
The format of the file is: date, host name, program name, followed by the PID or kernel identifier in brackets, a colon and a space, and finally the message. The file's shortcoming is that the recorded intrusion attempts and successful intrusions are buried in a large number of normal messages. But the file can be customized through /etc/syslog.conf: the /etc/syslog.conf configuration file decides what the system writes to /var/log/messages. How to configure /etc/syslog.conf to control the system's logging behaviour is described in detail later.

/var/log/syslog
By default Red Hat Linux does not generate this log file, but you can configure /etc/syslog.conf to make the system generate it. It differs from the /var/log/messages log file in that it records only warning-level messages, which are often the real problems on the system, so you should pay more attention to this file. To generate the log file, add the line *.warning /var/log/syslog to /etc/syslog.conf. It can then record wrong passwords entered at login, su and mail problems, failed su command executions and similar information. Here is one record:
Sep 6 16:47:52 unix login(pam_unix)[2384]: check pass; user unknown
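The "date host program[pid]: message" layout described above is shared by /var/log/messages and /var/log/syslog, so one small parser serves both. The shell script below is an added example, not code from the article: it splits a line into its columns, counts FAILED LOGIN messages per account, and lists who opened an su session to root. The sample log lines are constructed for the example (they follow the records shown above but are not real data).

```shell
#!/bin/sh
# Added example (not from the article): parse the "date host program[pid]: message"
# format of /var/log/messages and pull out the security-relevant events.
# The log lines below are constructed for this example, not real data.

SAMPLE_MESSAGES='Sep  3 08:30:17 unix login[1275]: FAILED LOGIN 2 FROM (null) FOR suying, Authentication failure
Sep  3 08:30:31 unix login[1275]: FAILED LOGIN 3 FROM (null) FOR suying, Authentication failure
Sep  4 17:40:28 unix -- suying[2017]: LOGIN ON pts/1 BY suying FROM fcceec.www.ec8.pfcc.com.cn
Sep  4 17:40:39 unix su(pam_unix)[2048]: session opened for user root by suying(uid=999)
Sep  6 16:47:52 unix login(pam_unix)[2384]: check pass; user unknown
Sep  6 16:48:10 unix login[2390]: FAILED LOGIN 1 FROM 10.152.8.2 FOR root, Authentication failure'

# parse_syslog_line LINE: print "timestamp|host|program|pid|message".
# The program tag is field 5 with its trailing colon removed; a "[pid]"
# suffix, if present, is split off into its own column.
parse_syslog_line() {
    printf '%s\n' "$1" | awk '{
        ts = $1 " " $2 " " $3; host = $4
        tag = $5; sub(/:$/, "", tag)
        prog = tag; pid = ""
        if (match(tag, /\[[0-9]+\]$/)) {
            pid = substr(tag, RSTART + 1, RLENGTH - 2)
            prog = substr(tag, 1, RSTART - 1)
        }
        msg = ""
        for (i = 6; i <= NF; i++) msg = msg (i > 6 ? " " : "") $i
        print ts "|" host "|" prog "|" pid "|" msg
    }'
}

# count_failed_logins: read syslog lines on stdin and print "user count"
# for every account named in a "FAILED LOGIN ... FOR <user>," message.
count_failed_logins() {
    awk '/FAILED LOGIN/ {
        for (i = 1; i <= NF; i++) if ($i == "FOR") { u = $(i + 1); sub(/,$/, "", u); n[u]++ }
    } END { for (u in n) print u, n[u] }' | sort
}

# list_root_su: read syslog lines on stdin and print the account behind
# each "session opened for user root by <user>(uid=N)" message.
list_root_su() {
    awk '/session opened for user root by/ {
        for (i = 1; i <= NF; i++) if ($i == "by") { u = $(i + 1); sub(/\(.*$/, "", u); print u }
    }'
}

printf 'failed logins per account:\n'
printf '%s\n' "$SAMPLE_MESSAGES" | count_failed_logins
printf 'accounts that became root via su:\n'
printf '%s\n' "$SAMPLE_MESSAGES" | list_root_su
```

Run it against a real file with, for example, count_failed_logins < /var/log/messages (as root, since the file is normally root-readable only); the awk programs are POSIX and need no GNU extensions.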
/var/log/secure
This log file records security-related information. Part of the file is shown below:
Sep 4 16:05:09 unix xinetd[711]: START: ftp pid=1815 from=127.0.0.1
Sep 4 16:05:09 unix xinetd[1815]: USERID: ftp OTHER : root
Sep 4 16:07:24 unix xinetd[711]: EXIT: ftp pid=1815 duration=135(sec)
Sep 4 16:10:05 unix xinetd[711]: START: ftp pid=1846 from=127.0.0.1
Sep 4 16:10:05 unix xinetd[1846]: USERID: ftp OTHER : root
Sep 4 16:16:26 unix xinetd[711]: EXIT: ftp pid=1846 duration=381(sec)
Sep 4 17:40:20 unix xinetd[711]: START: telnet pid=2016 from=10.152.8.2
/var/log/lastlog
This log file records each user's most recent successful login and last unsuccessful login; it is generated by login and updated when a user logs in. The file is binary, so you need the lastlog command to view it; it shows the login name, port number and last login time, sorted by UID. If a user has never logged in, it is displayed as "**Never logged in**". This command can only be run with root privileges. After simply typing lastlog you will see output like the following:
Username         Port     From             Latest
root             tty2                      Tue Sep  3 08:32:27 +0800 2002
bin                                        **Never logged in**
daemon                                     **Never logged in**
adm                                        **Never logged in**
lp                                         **Never logged in**
sync                                       **Never logged in**
shutdown                                   **Never logged in**
halt                                       **Never logged in**
mail                                       **Never logged in**
news                                       **Never logged in**
uucp                                       **Never logged in**
operator                                   **Never logged in**
games                                      **Never logged in**
gopher                                     **Never logged in**
ftp              ftp      unix             Tue Sep  3 14:49:04 +0800 2002
nobody                                     **Never logged in**
nscd                                       **Never logged in**
mailnull                                   **Never logged in**
ident                                      **Never logged in**
rpc                                        **Never logged in**
rpcuser                                    **Never logged in**
xfs                                        **Never logged in**
gdm                                        **Never logged in**
postgres                                   **Never logged in**
apache                                     **Never logged in**
lzy              tty2                      Mon Jul 15 08:50:37 +0800 2002
suying           tty2                      Tue Sep  3 08:31:17 +0800 2002
System accounts such as bin, daemon, adm, uucp and mail should never log in. If any of these accounts shows a login, the system may have been broken into. Likewise, if the time recorded for your own account is not the time you last logged in, the account may have been compromised.

/var/log/wtmp
This log file permanently records every user login and logout and every system startup and shutdown. As the system's uptime grows the file keeps growing, at a rate that depends on how many users log in. This log file can be used to look at a user's login history: the last command reads this file and displays the login records in reverse order; last can also list records for a particular user, terminal (tty) or time. last takes two useful options: last -u username shows that user's most recent logins, and last -t days shows the logins before the given number of days ago.

/var/run/utmp
This log file records information about every user currently logged in. It changes constantly as users log in and out: it keeps only the records of users who are online and does not preserve permanent records. Commands that need to know who is on the system, such as who, w, users and finger, read this file. The file is not completely accurate, because some abrupt errors terminate a user's session without the system updating the utmp record in time, so it is not 100% trustworthy.

The three files just described (/var/log/wtmp, /var/run/utmp and /var/log/lastlog) are the key files of the login log subsystem, and all their records carry timestamps. They are stored in binary form, so they cannot be read directly with commands such as less or cat; the who, w, users, last and lastlog commands are needed to view them. utmp and wtmp share the same record structure, while lastlog uses a different one; the exact layouts can be looked up with the man command. Each time a user logs in, the login program looks up the user's UID in lastlog. If found, it writes the user's last login time, logout time and host name to standard output, records the new login time in lastlog, then opens utmp and inserts a utmp record for the user, which is deleted when the user logs out. The utmp file is used by commands including who, w, users and finger. Next, the login program opens wtmp and appends the user's utmp record to it; when the user logs out, the same utmp record with an updated timestamp is appended to the file. The wtmp file is used by the last program.

/var/log/xferlog
This log file records FTP sessions; it shows which files a user copied to the FTP server or from it. It can reveal which malicious programs a user copied to the server to attack it, and which files were copied out for them.
The format of this file is: the first field is the date and time; then the transfer time in seconds, the remote host name, the file size, the local path name, the transfer type (a: ASCII, b: binary), the special action flag (C: compressed, U: uncompressed, T: tar archive, _: no action), the transfer direction relative to the server (i: incoming, o: outgoing), the access mode (a: anonymous, g: guest, r: real user), the user name, the service name (usually ftp), the authentication method (1: RFC931 authentication, 0: none), the authenticated user ID or "*", and the completion status (c: complete, i: incomplete). Below is one record from the file:
Wed Sep 4 08:14:03 2002 1 unix 275531 /var/ftp/lib/libnss_files-2.2.2.so b _ o a -root@unix ftp 0 * c
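Because every xferlog field is positional, the record above can be decoded mechanically. The script below is an added example and not code from the article or from wu-ftpd: it expands the single-letter flags in the order listed above, lists completed uploads (the records to review when looking for tools an intruder staged on the server), and totals the bytes served to anonymous users. The three records it works on are constructed for the example; the hosts, paths and user names are made up.

```shell
#!/bin/sh
# Added example (not from the article): decode wu-ftpd xferlog records in the
# field order described above. The three records below are constructed for
# this example; hosts, paths and users are made up.

SAMPLE_XFERLOG='Wed Sep  4 08:14:03 2002 1 unix 275531 /var/ftp/lib/libnss_files-2.2.2.so b _ o a -root@unix ftp 0 * c
Wed Sep  4 09:02:11 2002 3 10.152.8.2 18204 /home/lzy/newtool.tgz b _ i r lzy ftp 0 * c
Wed Sep  4 09:30:45 2002 0 10.152.8.2 512 /var/ftp/pub/README a _ o a guest@example ftp 0 * i'

# xferlog_decode LINE: print one record as key=value pairs with the
# single-letter flags expanded (transfer type, special action, direction,
# access mode, authentication method, completion status).
xferlog_decode() {
    printf '%s\n' "$1" | awk '
    BEGIN {
        type["a"] = "ascii";      type["b"] = "binary"
        act["C"] = "compressed";  act["U"] = "uncompressed"; act["T"] = "tar"; act["_"] = "none"
        dir["i"] = "incoming";    dir["o"] = "outgoing"
        mode["a"] = "anonymous";  mode["g"] = "guest";       mode["r"] = "real"
        auth["0"] = "none";       auth["1"] = "rfc931"
        st["c"] = "complete";     st["i"] = "incomplete"
    }
    {
        printf "date=%s %s %s %s %s;seconds=%s;host=%s;size=%s;file=%s;type=%s;action=%s;direction=%s;access=%s;user=%s;service=%s;auth=%s;authuser=%s;status=%s\n",
            $1, $2, $3, $4, $5, $6, $7, $8, $9, type[$10], act[$11], dir[$12],
            mode[$13], $14, $15, auth[$16], $17, st[$18]
    }'
}

# xferlog_incoming: read xferlog records on stdin and print the path of every
# file that was uploaded to the server (direction "i") and completed ("c").
xferlog_incoming() {
    awk '$12 == "i" && $18 == "c" { print $9 }'
}

# xferlog_anonymous_bytes: total bytes of completed downloads by anonymous users.
xferlog_anonymous_bytes() {
    awk '$12 == "o" && $13 == "a" && $18 == "c" { total += $8 } END { print total + 0 }'
}

printf '%s\n' "$SAMPLE_XFERLOG" | while IFS= read -r line; do xferlog_decode "$line"; done
printf 'completed uploads:\n'
printf '%s\n' "$SAMPLE_XFERLOG" | xferlog_incoming
```

On a real server the same functions read /var/log/xferlog on stdin; the field numbers assume the standard wu-ftpd layout with the five-field date shown above.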
/var/log/kernlog
Red Hat Linux does not keep this log file by default. To enable it, add the line kern.* /var/log/kernlog to /etc/syslog.conf. This logs all kernel messages to /var/log/kernlog. The file records which devices were loaded or used when the system started. These are normally routine operations, but if it records such operations by users who are not authorized, you should pay attention, because it may be the work of a malicious user. Part of the file is shown below:
Sep 5 09:38:42 unix kernel: NET4: Linux TCP/IP 1.0 for NET4.0
Sep 5 09:38:42 unix kernel: IP Protocols: ICMP, UDP, TCP, IGMP
Sep 5 09:38:42 unix kernel: IP: routing cache hash table of 512 buckets, 4Kbytes
Sep 5 09:38:43 unix kernel: TCP: Hash tables configured (established 4096 bind 4096)
Sep 5 09:38:43 unix kernel: Linux IP multicast router 0.06 plus PIM-SM
Sep 5 09:38:43 unix kernel: NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
Sep 5 09:38:44 unix kernel: EXT2-fs warning: checktime reached, running e2fsck is recommended
Sep 5 09:38:44 unix kernel: VFS: Mounted root (ext2 filesystem).
Sep 5 09:38:44 unix kernel: SCSI subsystem driver Revision: 1.00
/var/log/XFree86.x.log
This log file records the startup of X Window.

Besides the files under /var/log, malicious users may also leave traces elsewhere; pay attention to the following places: the shell history files of root and other accounts; users' mailboxes such as .sent and mbox, and the mailboxes stored in /var/spool/mail/ and /var/spool/mqueue; the temporary directories /tmp, /usr/tmp and /var/tmp; hidden directories; and other files created by malicious users, usually files whose names begin with "." so that they are hidden.

Common commands

The wtmp and utmp files are binary, so they cannot be dumped or tailed with commands such as tail (or cat). Users need commands such as who, w, users, last and ac to use the information in these two files.

The who command
The who command queries the utmp file and reports every user currently logged in. Its default output includes the user name, terminal type, login date and remote host. For example, typing who and pressing Enter displays something like:
chyang pts/0 Aug 18 15:06
ynguo pts/2 Aug 18 15:32
ynguo pts/3 Aug 18 13:55
lewis pts/4 Aug 18 13:35
ynguo pts/7 Aug 18 14:12
ylou pts/8 Aug 18 14:15
If the wtmp file name is given, who lists all previous records: the command who /var/log/wtmp reports every login since the wtmp file was created or truncated.

The w command
The w command queries the utmp file and displays every user on the current system and the processes they are running. For example, typing w and pressing Enter displays:
3:36pm up 1 day, 22:34, 6 users, load average: 0.23, 0.29, 0.27
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
chyang pts/0 202.38.68.242 3:06pm 2:04 0.08s 0.04s -bash
ynguo pts/2 202.38.79.47 3:32pm 0.00s 0.14s 0.05s w
lewis pts/3 202.38.64.233 1:55pm 30:39 0.27s 0.22s -bash
lewis pts/4 202.38.64.233 1:35pm 6.00s 4.03s 0.01s sh /home/users/
ynguo pts/7 simba.nic.ustc.e 2:12pm 0.00s 0.47s 0.24s telnet mail
ylou pts/8 202.38.64.235 2:15pm 1:09m 0.10s 0.04s -bash
The users command
The users command prints the users currently logged in; each name printed corresponds to one login session. If a user has more than one session, the user name is printed that many times. For example, typing users and pressing Enter displays:
chyang lewis lewis ylou ynguo ynguo

The last command
The last command reads back through wtmp and displays the users who have logged in since the file was created. For example:
chyang pts/9 202.38.68.242 Tue Aug 1 08:34 - 11:23 (02:49)
cfan pts/6 202.38.64.224 Tue Aug 1 08:33 - 08:48 (00:14)
chyang pts/4 202.38.68.242 Tue Aug 1 08:32 - 12:13 (03:40)
lewis pts/3 202.38.64.233 Tue Aug 1 08:06 - 11:09 (03:03)
lewis pts/2 202.38.64.233 Tue Aug 1 07:56 - 11:09 (03:12)
If a user is given, last reports only that user's recent activity; for example, typing last ynguo and pressing Enter displays:
ynguo pts/4 simba.nic.ustc.e Fri Aug 4 16:50 - 08:20 (15:30)
ynguo pts/4 simba.nic.ustc.e Thu Aug 3 23:55 - 04:40 (04:44)
ynguo pts/11 simba.nic.ustc.e Thu Aug 3 20:45 - 22:02 (01:16)
ynguo pts/0 simba.nic.ustc.e Thu Aug 3 03:17 - 05:42 (02:25)
ynguo pts/0 simba.nic.ustc.e Wed Aug 2 01:04 - 03:16 (02:12)
ynguo pts/0 simba.nic.ustc.e Wed Aug 2 00:43 - 00:54 (00:11)
ynguo pts/9 simba.nic.ustc.e Thu Aug 1 20:30 - 21:26 (00:55)
The ac command
The ac command reports users' connect time in hours, based on the login and logout entries in the current /var/log/wtmp file. If no flag is given, the total time is reported. For example, typing ac and pressing Enter displays:
total 5177.47
Typing ac -d and pressing Enter displays the total connect time for each day:
Aug 12 total 261.87
Aug 13 total 351.39
Aug 14 total 396.09
Aug 15 total 462.63
Aug 16 total 270.45
Aug 17 total 104.29
Today total 179.02
Typing ac -p and pressing Enter displays the total connect time per user:
ynguo 193.23
yucao 3.35
rong 133.40
hdai 10.52
zjzhu 52.87
zqzhou 13.14
liangliu 24.34
total 5178.24
The lastlog command
The lastlog file is queried every time a user logs in. The lastlog command lets you check the time of a particular user's last login and formats the last-login log /var/log/lastlog for output. It displays the login name, port number (tty) and last login time, sorted by UID. If a user has never logged in, lastlog displays **Never logged in**. Note that this command must be run as root. For example:
rong 5 202.38.64.187 Fri Aug 18 15:57:01 +0800 2000
dbb ** Never logged in **
xinchen ** Never logged in **
pb9511 ** Never logged in **
xchen 0 202.38.64.190 Sun Aug 13 10:01:22 +0800 2000
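The rule given earlier, that system accounts such as bin, daemon, adm, uucp and mail should never show a login, is easy to automate over lastlog output. The script below is an added example, not part of the article: it reads lastlog output in the "Username Port From Latest" layout shown above, flags any system account whose record is not "Never logged in", and extracts one account's last-login column. The sample output is constructed for the example and contains one deliberately suspicious "adm" entry; the account list extends the article's five examples with the other service accounts from its table, which is an assumption about what counts as a system account on a given host.

```shell
#!/bin/sh
# Added example (not from the article): check lastlog output for logins by
# accounts that should never log in. The output below is constructed for this
# example (the "adm" login is deliberately suspicious), and the account list is
# an assumption extending the article's examples.

SAMPLE_LASTLOG='Username         Port     From             Latest
root             tty2                      Tue Sep  3 08:32:27 +0800 2002
bin                                        **Never logged in**
daemon                                     **Never logged in**
adm              tty1                      Wed Sep  4 02:11:09 +0800 2002
lp                                         **Never logged in**
mail                                       **Never logged in**
ftp              ftp      unix             Tue Sep  3 14:49:04 +0800 2002
lzy              tty2                      Mon Jul 15 08:50:37 +0800 2002
suying           tty2                      Tue Sep  3 08:31:17 +0800 2002'

# Accounts that exist only to own files or run daemons (assumed list).
SYSTEM_ACCOUNTS='bin daemon adm lp sync shutdown halt mail news uucp operator games gopher nobody'

# flag_system_logins: read lastlog output on stdin and print each system
# account whose record is anything other than "Never logged in".
flag_system_logins() {
    awk -v list="$SYSTEM_ACCOUNTS" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) sys[a[i]] = 1 }
    NR > 1 && ($1 in sys) && $0 !~ /Never logged in/ { print $1 }'
}

# last_login USER: read lastlog output on stdin and print the Latest column
# for one account (it starts at the weekday name), or "never".
last_login() {
    awk -v u="$1" '
    NR > 1 && $1 == u {
        if ($0 ~ /Never logged in/) { print "never"; exit }
        if (match($0, /(Mon|Tue|Wed|Thu|Fri|Sat|Sun) .*$/)) print substr($0, RSTART)
        exit
    }'
}

printf 'system accounts with a recorded login:\n'
printf '%s\n' "$SAMPLE_LASTLOG" | flag_system_logins
```

On a live system the same check is lastlog | flag_system_logins, run as root; any account it prints deserves a look at /var/log/wtmp and /var/log/secure for the matching session.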
Some options can also be added; for example, lastlog -u 102 reports on the user with UID 102, and lastlog -t 7 reports logins within the previous week.

Process accounting

UNIX can track every command run by every user. If you want to know which important files were tampered with last night, process accounting can tell you; it also helps in tracking down an intruder. Unlike connection-time logging, process accounting is not enabled by default and must be started. On Linux, process accounting is started with the accton command, which must be run as root. The form of the command is accton file, and the file must already exist. First create the pacct file with touch: touch /var/log/pacct; then run accton: accton /var/log/pacct. Once accton is active, the lastcomm command can be used to monitor the commands run on the system. To turn accounting off, run accton with no arguments.

The lastcomm command reports previously executed commands. With no arguments it displays information about all commands recorded during the lifetime of the current accounting file, including the command name, the user, the tty, the CPU time the command used, and a timestamp. If there are many users on the system, the output can be very long. Here is an example:
crond F root ?? 0.00 secs Sun Aug 20 00:16
promisc_check.s S root ?? 0.04 secs Sun Aug 20 00:16
promisc_check root ?? 0.01 secs Sun Aug 20 00:16
grep root ?? 0.02 secs Sun Aug 20 00:16
tail root ?? 0.01 secs Sun Aug 20 00:16
sh root ?? 0.01 secs Sun Aug 20 00:15
ping S root ?? 0.01 secs Sun Aug 20 00:15
ping6.pl F root ?? 0.01 secs Sun Aug 20 00:15
sh root ?? 0.01 secs Sun Aug 20 00:15
ping S root ?? 0.02 secs Sun Aug 20 00:15
ping6.pl F root ?? 0.02 secs Sun Aug 20 00:15
sh root ?? 0.02 secs Sun Aug 20 00:15
ping S root ?? 0.00 secs Sun Aug 20 00:15
ping6.pl F root ?? 0.01 secs Sun Aug 20 00:15
sh root ?? 0.01 secs Sun Aug 20 00:15
ping S root ?? 0.01 secs Sun Aug 20 00:15
sh root ?? 0.02 secs Sun Aug 20 00:15
ping S root ?? 1.34 secs Sun Aug 20 00:15
locate root ttyp0 1.34 secs Sun Aug 20 00:15
accton S root ttyp0 0.00 secs Sun Aug 20 00:15
One problem with process accounting is that the pacct file can grow very quickly. You then need to run the sa command, interactively or from cron, to keep the log data under control. The sa command reports on, cleans up and maintains the process accounting file. It condenses the information in /var/log/pacct into the summary files /var/log/savacct and /var/log/usracct, which contain system statistics grouped by command name and by user name. By default sa reads these summaries first and then the pacct file, so its report covers all available information. The output of sa carries the following tags:
avio: average number of I/O operations per execution.
cp: total user and system CPU time, in minutes.
cpu: same as cp.
k: average core (memory) usage, in 1k units.
k*sec: CPU storage integral, in 1k-core seconds.
re: real (elapsed) time, in minutes.
s: system time, in minutes.
tio: total number of I/O operations.
u: user time, in minutes.
For example:
842 173.26re 4.30cp 0avio 358k
2 10.98re 4.06cp 0avio 299k find
9 24.80re 0.05cp 0avio 291k ***other*
105 30.44re 0.03cp 0avio 302k ping
104 30.55re 0.03cp 0avio 394k sh
162 0.11re 0.03cp 0avio 413k security.sh*
154 0.03re 0.02cp 0avio 273k ls
56 31.61re 0.02cp 0avio 823k ping6.pl*
2 3.23re 0.02cp 0avio 822k ping6.pl
35 0.02re 0.01cp 0avio 257k md5sum
97 0.02re 0.01cp 0avio 263k initlog
12 0.19re 0.01cp 0avio 399k promisc_check.s
15 0.09re 0.00cp 0avio 288k grep
11 0.08re 0.00cp 0avio 332k awk
A summary per user rather than per command is also available. For example, typing sa -m displays:
885 173.28re 4.31cp 0avk
root 879 173.23re 4.31cp 0avk
alias 3 0.05re 0.00cp 0avk
qmailp 3 0.01re 0.00cp 0avk
The syslog facility

Syslog has been adopted by many logging functions and is used in many protective measures. Any program can log through syslog. Syslog can record system events, write them to a file or a device, or send a message to a user. It records local events, or records events on another host over the network. The syslog facility rests on two important files: /etc/syslogd (the daemon) and the /etc/syslog.conf configuration file. By convention, its message files are written to the /var/adm or /var/log directory (messages.*). A typical syslog record includes the name of the generating program and a text message. It also carries a facility and a priority (which are not written into the log). Each syslog message is assigned one of the following main facilities:
LOG_AUTH: the authentication system: login, su, getty, etc.
LOG_AUTHPRIV: like LOG_AUTH, but logged to a file readable only by selected users.
LOG_CRON: the cron daemon.
LOG_DAEMON: other system daemons, such as routed.
LOG_FTP: the file transfer protocol daemons ftpd and tftpd.
LOG_KERN: messages generated by the kernel.
LOG_LPR: the printer spooling system: lpr, lpd.
LOG_MAIL: the mail system.
LOG_NEWS: the network news system.
LOG_SYSLOG: messages generated internally by syslogd(8).
LOG_USER: messages generated by arbitrary user processes.
LOG_UUCP: the UUCP subsystem.
LOG_LOCAL0 to LOG_LOCAL7: reserved for local use.
Syslog also gives each event one of several priorities:
LOG_EMERG: an emergency situation.
LOG_ALERT: a problem that should be corrected immediately, such as a corrupted system database.
LOG_CRIT: a critical condition, such as a hard disk error.
LOG_ERR: errors.
LOG_WARNING: warning messages.
LOG_NOTICE: not an error, but may need handling.
LOG_INFO: informational messages.
LOG_DEBUG: debugging information, normally used only when debugging a program.
The syslog.conf file controls how the syslogd program logs; syslogd reads this configuration file when it starts. The file consists of single-line entries, each for a different program or message class. Each entry provides a selector field and an action field for a class of messages, separated by a tab. The selector field specifies the type (facility) and priority of the messages; the action field tells syslogd what to do with a message that matches the selector. Each selector consists of a facility and a priority. When a priority is given, syslogd records messages of that priority or higher: if "crit" is specified, messages marked crit, alert and emerg are all recorded. The action field of each line says where the messages chosen by the selector go. For example, to record all mail messages in one file:
# Log all the mail messages in one place.
mail.* /var/log/maillog
Other facilities have their own logs too. The uucp and news facilities can generate a great many external messages; these are saved in their own log (/var/log/spooler), limited to level "err" or higher. For example:
# Save mail and news errors of level err and higher in a special file.
uucp,news.crit /var/log/spooler
When an emergency arises you may want every user to be told, or you may want another host to receive and save your log:
# Everybody gets emergency messages, plus log them on another machine.
*.emerg *
*.emerg @linuxaid.com.cn
Alert messages should be written to the personal accounts of root and tiger:
# Root and tiger get alert and higher messages.
*.alert root,tiger
Sometimes syslogd produces a great deal of output; the kernel (the "kern" facility), for example, can be very verbose. Users may want to log kernel messages to /dev/console. The following example shows that entry commented out:
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
Users can specify all facilities in one line. The following example sends messages of level info or higher to /var/log/messages, except for mail. The level "none" disables a facility:
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none /var/log/messages
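The two rules just stated, that a level matches itself and everything more severe and that "none" removes a facility, combine in a way that is worth checking by hand before trusting a syslog.conf line. The script below is an added example and not syslogd's own code: it models only the selector matching (the action field is ignored). Selectors are applied left to right and a later selector for the same facility overrides an earlier one, which is what lets mail.none carve mail out of *.info; a level written "=crit" matches that single priority. The priority ranking is the standard syslog ordering given above.

```shell
#!/bin/sh
# Added example (not from the article, not syslogd's code): a model of how a
# syslog.conf selector field is matched against a message's facility and
# priority. Only the selector is modelled; the action field is ignored.

# prio_rank NAME: numeric rank of a syslog priority, higher is more severe;
# prints -1 for an unknown name or for "*".
prio_rank() {
    case "$1" in
        debug) printf '%s\n' 0 ;;
        info) printf '%s\n' 1 ;;
        notice) printf '%s\n' 2 ;;
        warning|warn) printf '%s\n' 3 ;;
        err|error) printf '%s\n' 4 ;;
        crit) printf '%s\n' 5 ;;
        alert) printf '%s\n' 6 ;;
        emerg|panic) printf '%s\n' 7 ;;
        *) printf '%s\n' -1 ;;
    esac
}

# selector_matches SELECTOR FACILITY PRIORITY: print "log" if a selector field
# such as "*.info;mail.none;authpriv.none" routes a message of the given
# facility and priority, otherwise "drop". Later selectors override earlier
# ones for the same facility; "=level" matches one priority exactly; "none"
# switches the facility off; a plain level matches it and anything more severe.
selector_matches() {
    set -f                      # keep "*" from being expanded as a file glob
    sel=$1; fac=$2; pri=$3; decision=drop
    for part in $(printf '%s' "$sel" | tr ';' ' '); do
        facs=${part%.*}
        lvl=${part##*.}
        for f in $(printf '%s' "$facs" | tr ',' ' '); do
            if [ "$f" = "*" ] || [ "$f" = "$fac" ]; then
                case "$lvl" in
                    none) decision=drop ;;
                    =*)
                        if [ "$(prio_rank "${lvl#=}")" -eq "$(prio_rank "$pri")" ]; then
                            decision=log
                        else
                            decision=drop
                        fi ;;
                    *)
                        if [ "$(prio_rank "$pri")" -ge "$(prio_rank "$lvl")" ]; then
                            decision=log
                        else
                            decision=drop
                        fi ;;
                esac
            fi
        done
    done
    set +f
    printf '%s\n' "$decision"
}

# Walk through the selectors shown above with a few sample messages.
for c in "*.info;mail.none;authpriv.none mail info" \
         "*.info;mail.none;authpriv.none kern notice" \
         "uucp,news.crit news alert" \
         "uucp,news.crit news err" \
         "news.=crit news alert"; do
    set -f; set -- $c; set +f
    printf '%-32s %-8s %-7s -> %s\n' "$1" "$2" "$3" "$(selector_matches "$1" "$2" "$3")"
done
```

The model is deliberately small: real syslogd also accepts "!" negations and the "mark" facility, and the actual file uses a tab between the selector and the action, which this script never parses.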
In some cases you can send the log to a printer, so that a network intruder cannot modify it; this is a widely used practice. The syslog facility is a prime target for attackers. A system that keeps logs for other hosts is especially vulnerable to attacks on that server, so pay special attention to it.

There is a small command, logger, which provides a shell command interface to the syslog(3) system log facility and lets you write entries to the log from the shell. Usage: logger message. For example, logger this is a test! produces a syslog record like:
Aug 19 22:22:34 tiger: this is a test!
Note: do not fully trust the logs, because an attacker can easily modify them.

Program logs

Many other programs keep their own logs, which reflect the security state of the system. The su command lets a user obtain another user's privileges, so it is very important; its log file is sulog. There is also sudolog. In addition, Apache keeps two logs, access_log and error_log. There are other commonly used log tools which are not described here; interested readers can refer to the following URLs:
chklastlog: ftp://coast.cs.purdue.edu/pub/tools/unix/chklastlog/
chkwtmp: ftp://coast.cs.purdue.edu/pub/tools/unix/chkwtmp/
dump_lastlog: ftp://coast.cs.purdue.edu/pub/tools/unix/dump_lastlog.z
spar: ftp://coast.cs.purdue.edu/pub/tools/unix/tamu/
swatch: http://www.lomar.org/komar/alek/pres/swatch/cover.html
zap: ftp://caost.cs.purdue.edu/pub/tools/unix/zap.tar.gz
log classification method: http://csrc.nist.gov/NISSC/1998/Proceedings/paperd1.pdf

Configuring Linux log files

Logs are a place users should pay attention to. Do not underestimate their role in network security: log files record the many events that happen every day, and users can find the cause of an error in them or trace an attacker's activity after an intrusion. The two most important uses of logs are auditing and monitoring. A well-configured Linux logging setup is very powerful.
On a Linux system all log files are under /var/log. By default the Linux log files do not include FTP activity; users can record all FTP activity by editing /etc/ftpaccess.

The format of /etc/syslog.conf

Linux system log files are configurable; how to customize the Apache, wu-ftpd and sendmail log files was covered in the previous chapter. The Linux system log files are determined by /etc/syslog.conf, and users should take the time to configure it. Here is an example /etc/syslog.conf:
# Log all kernel messages to the kernlog.
# Logging much else clutters up the screen.
kern.* /var/log/kernlog
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;news.none;authpriv.none;cron.none /var/log/messages
*.warning /var/log/syslog
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages, plus log them on another
# machine.
*.emerg *
# Save mail and news errors of level err and higher in a
# special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# INN
news.=crit /var/log/news/news.crit
news.=err /var/log/news/news.err
news.notice /var/log/news/news.notice
As can be seen, the first field of each line in the configuration file lists the type of message to record and the second field the place to record it. The first field has the format facility.level[;facility.level...]. The facility is the system application or tool that produces the message; the level is the importance of the message. The levels, in increasing importance, are: debug (debugging messages), notice, warning (warnings), err (general errors), crit (critical conditions), alert, and emerg (emergencies). The facilities include: auth (the authentication system, such as login or su asking for a user name and password), cron (messages issued while running scheduled tasks), daemon (messages from system daemons, for example the logs generated by in.ftpd), kern (kernel messages), lpr (printer messages), mail (messages from the mail daemon), mark (the timestamping program), news (messages from the news daemon), user (messages from local user applications), uucp (messages from the UUCP subsystem) and "*" (all facilities).

Sending the log files to a remote host

If there is another Linux or UNIX system, you can configure the log files so that messages are sent to that system and recorded there. This is also why all the log records shown above include the host name. To do this, in place of the action in the configuration file give the host name of the remote system preceded by "@", as in the following example:
*.warn;authpriv.notice;auth.notice @bright.hacker.com.cn
At the same time, the destination system must be configured to allow this. In this case the syslogd daemon on the host bright.hacker.com.cn is started with the -r option. Without -r, the target host's syslogd drops these messages, to avoid a denial-of-service attack that fills its disk with bogus messages.
Also make sure that the target host's /etc/services file defines UDP port 514 for the syslog service (this is the default on Red Hat Linux). If syslogd is started with both -r and -h, the -h option allows messages to be forwarded: if system B's syslogd runs with -h, then when system A forwards to system B, B forwards both system A's messages and its own on to system C.

Sending warning messages to the console

syslogd can send any kernel message of level emerg or alert to the console. The console means the virtual console, or an xterm started with the -C option. To do this, add the following line to /etc/syslog.conf:
kern.emerg /dev/console
When such a message is issued, the user knows immediately and can act on it. If "*" is used instead, the message is sent to all logged-in users as soon as an error occurs, but only users who are logged in at that moment see it.
After modifying /etc/syslog.conf, the syslogd daemon must be restarted (or sent a SIGHUP) for the change to take effect:

# /etc/rc.d/init.d/syslog restart

The log file management tool logrotate

Introduction to logrotate

If the server has many users, these log files grow quickly, and when disk space is not plentiful something must be done to keep them from filling the disk. Modern Linux distributions ship a small program called logrotate for this purpose. It is run periodically from cron and rotates the log files: each log file is renamed to a backup name and the daemon that writes it is made to start on a fresh copy. That is why /var/log contains files such as maillog, maillog.1, maillog.2, boot.log and boot.log.1. A daemon keeps writing to the old, renamed file until it reopens its log, so the per-service entries under /etc/logrotate.d normally contain a postrotate script that signals it (for syslogd, kill -HUP with the pid stored in /var/run/syslogd.pid). logrotate is driven by a configuration file, /etc/logrotate.conf; an example follows:

# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# send errors to root
errors root

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own lastlog or wtmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 1
}

# system-specific logs may be configured here
logcheck under Linux

Introduction to logcheck

On a busy Linux system with many accounts the log files become very large, and the useful entries are buried in a mass of routine messages, which makes analysing the logs very inconvenient. There are tools written specifically for analysing logs, such as logcheck. logcheck scans large log files, filters out the entries that indicate a potential security problem or other abnormal condition, and sends the result by e-mail to a designated user. It was written by Psionic and can be downloaded from http://www.psionic.com/tools/logcheck-1.1.1.tar.gz; check http://www.psionic.com/abacus/logcheck/ for newer versions. Installation is straightforward: after unpacking, run make, choose the type of operating system as prompted, and it compiles. The configuration files and the run-time script are installed in /usr/local/etc/ by default:

logcheck.sh: the main script of logcheck; it reads the log files, applies the filters and reports the result.

logcheck.hacking: keywords which, when found in a log file, indicate a possible attack. Users can add or delete keywords in this file to suit their own logs.

logcheck.violations: keywords that indicate a security violation, such as a failed login or a refused connection.

logcheck.violations.ignore: an entry that matches logcheck.violations but also contains a keyword from this file is treated as normal and left out of the report.

logcheck.ignore: an entry that contains a keyword from this file is treated as normal and left out of the report altogether.

These files are fed to egrep -f, so a blank line in any of them is an empty pattern that matches every line; a blank line in logcheck.ignore silences the whole report. After installing logcheck, edit the parameters in logcheck.sh to suit your requirements.
Two settings deserve attention. The first:

# Person to send log activity to.
SYSADMIN=root

By default logcheck reports to root. To send the report to a specific address, change it here; to send it to several people, define a mail alias. The second is the list of log files to check:

# Linux
$LOGTAIL /var/log/syslog > $TMPDIR/check.$$

Log files can be added as needed, for example:

$LOGTAIL /var/log/auth.log >> $TMPDIR/check.$$
$LOGTAIL /var/log/mail.log >> $TMPDIR/check.$$

$LOGTAIL is the logtail program shipped with logcheck: it prints only the lines added to a log since the previous run and records its position in a .offset file next to the log, so each run examines only new entries. Note that the first file is written with ">" and the others are appended with ">>".
Finally, schedule logcheck.sh from cron so that it runs at regular intervals.
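The following script, added here as an illustration and taken neither from the article nor from the logcheck distribution, re-implements the core of what logcheck.sh does on every cron run, so the file roles listed in the introduction above and the $LOGTAIL lines in logcheck.sh can be tried on constructed data: logtail-style offset tracking (including the restart after a log is rotated), the egrep -f passes over logcheck.hacking, logcheck.violations, logcheck.violations.ignore and logcheck.ignore, and the three-section report. All log lines, pattern files, the host name bright and the addresses are constructed for the demo; the real rule files are far more extensive, and the real script mails the report instead of printing it.

```shell
#!/bin/sh
# Added example, not part of the original article or of logcheck itself:
# the essential steps of logcheck.sh on constructed data.

SYSADMIN=root                 # where logcheck.sh mails the report
LOGS="syslog auth.log"        # logs to examine (/var/log/... in a real deployment)

# logtail FILE: print what was appended since the previous call and remember
# the new end-of-file position in FILE.offset.  If the file is now shorter
# than the saved offset it has been rotated, so start from the beginning.
logtail() {
    file=$1; off=0
    [ -r "$file.offset" ] && off=$(cat "$file.offset")
    size=$(wc -c < "$file" | tr -d ' ')
    [ "$size" -lt "$off" ] && off=0
    tail -c +$((off + 1)) "$file"
    echo "$size" > "$file.offset"
}

# egrep_f [-v] PATTERNFILE: logcheck's matching primitive, case-insensitive
# extended regexps read from a file.  Blank lines are stripped first: an empty
# regexp matches every line, so one blank line in logcheck.ignore would
# silently discard the entire report.
egrep_f() {
    inv=; [ "$1" = -v ] && { inv=-v; shift; }
    grep -v '^[[:space:]]*$' "$1" > "$1.clean"
    grep -i -E $inv -f "$1.clean"
}

# run_logcheck DIR: DIR holds the rule files and the logs named in LOGS.
# Prints the report; logcheck.sh pipes the same text to
#   mail -s "$HOSTNAME $DATE system check" $SYSADMIN
run_logcheck() {
    d=$1; tmp="$d/check.$$"
    : > "$tmp"
    for log in $LOGS; do logtail "$d/$log" >> "$tmp"; done
    echo "Active System Attack Alerts"
    egrep_f "$d/logcheck.hacking" < "$tmp" || :
    printf '\nSecurity Violations\n'
    egrep_f "$d/logcheck.violations" < "$tmp" | egrep_f -v "$d/logcheck.violations.ignore" || :
    printf '\nUnusual System Events\n'
    egrep_f -v "$d/logcheck.ignore" < "$tmp" || :
    rm -f "$tmp"
}

# setup_demo: build a scratch directory with constructed logs and rule files
# and print its path.
setup_demo() {
    d=$(mktemp -d)
    cat > "$d/syslog" <<'EOF'
Nov 23 10:04:00 bright in.ftpd[1345]: refused connect from 192.0.2.77
Nov 23 10:05:00 bright CROND[1400]: (root) CMD (run-parts /etc/cron.hourly)
Nov 23 10:06:30 bright kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.77:31337 10.0.0.1:23
Nov 23 10:07:00 bright syslogd 1.4.1: restart.
EOF
    cat > "$d/auth.log" <<'EOF'
Nov 23 10:01:02 bright sshd[1201]: Accepted password for liu from 10.0.0.5 port 40122 ssh2
Nov 23 10:02:11 bright su: (to root) liu on /dev/pts/0
Nov 23 10:03:45 bright login[1330]: FAILED LOGIN 3 FROM 10.0.0.9 FOR root, Authentication failure
EOF
    printf 'refused connect\n31337\n'            > "$d/logcheck.hacking"
    printf 'FAILED LOGIN\nsu:\nDENY\nrefused\n'  > "$d/logcheck.violations"
    printf 'su: \\(to root\\) liu on /dev/pts\n' > "$d/logcheck.violations.ignore"  # trusted admin
    printf 'CROND\\[[0-9]+\\]: \\(root\\) CMD\nsshd\\[[0-9]+\\]: Accepted password\n' > "$d/logcheck.ignore"
    echo "$d"
}

demo_dir=$(setup_demo)
run_logcheck "$demo_dir"      # first run: every entry is new
echo "--- second run ---"
run_logcheck "$demo_dir"      # offsets were saved, so only the section headers appear
rm -rf "$demo_dir"
```

In the first report the refused FTP connection and the kernel packet-filter line appear under all three headings, the failed login appears under violations and unusual events, the su to root appears only under unusual events because logcheck.violations.ignore whitelists it, and the cron and accepted-login lines are suppressed entirely. Running the script from cron, for example hourly, is what turns this into continuous monitoring.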