How to view various log files under linux system? Linux system log analysis.
Log files record the daily events of the system in detail. Users can find the cause of an error in the log files, or trace an attacker's actions after a break-in. Two important functions of logs are auditing and monitoring.

Linux system logs fall into two main types:

1. Process log

Logs generated by user processes or by system service processes, such as the access_log and error_log files of a web server.

2. System log messages

Messages recorded through the system logging facility. Any system process or user process that wants to log something can call syslog to record a message.

The logging system can be divided into three subsystems:

1. Connection time log: maintained by several programs, with records written to /var/log/wtmp and /var/run/utmp. login and other programs update the wtmp and utmp files so that the system administrator can track who logged into the system and when.

2. Process accounting: performed by the kernel. When a process terminates, a record for that process is written to the process accounting file (pacct or acct). The purpose of process accounting is to provide command-usage statistics for basic services in the system.

3. Error log: handled by syslogd(8). System daemons, user programs and the kernel report noteworthy events to the file /var/log/messages through syslog(3).

2. Viewing the log files

All log files of the Linux system are under /var/log, and root permission is required to view them.

A log file is actually a plain text file in which each line is one message. There are several ways to view it.

1. The cat command. Log files are usually large, because messages have accumulated in them since the system was first started. If the file is longer than one screen, the output scrolls past too quickly to read.

2. A text editor. It is best not to open a log file with a text editor: it consumes a lot of memory, and log files must not be changed casually.

3. A pager such as more or less, which displays the file one screen at a time.

4. grep, to find a specific message.

Each line represents one message and consists of four fields in a fixed format:

- timestamp: the date and time at which the message was sent.

- hostname (escher in our example): the name of the computer that generated the message. With a single computer the host name may seem unnecessary, but when syslog is used in a network environment, messages from different hosts may be sent to one server for centralized processing.

- the name of the subsystem that generated the message. It can be "kernel", meaning the message comes from the kernel, or a process name, meaning the name of the program that sent the message. The PID of the process follows in square brackets.

- message: the rest of the line is the content of the message.

For example, entering tail /var/log/messages at the [root@localhost root]# prompt gives output such as:

Jan 05 21:55:51 localhost last message repeated 3 times
Jan 05 21:55:51 localhost kernel: [drm] AGP 0.99 on Intel i810 @ 0xf0000000 128MB
Jan 05 21:55:51 localhost kernel: [drm] Initialized i830 1.3.2 2002108 on minor
Jan 05 21:55:51 localhost kernel: mtrr: base(0xf0000000) is not aligned on size(0x12c000) boundary
gdm(pam_unix)[4079]: session opened for user root by (uid=0)
Jan 05 21:56:39 localhost gconfd (root-4162): starting (version 2.2.0), pid 4162 user "root"
Jan 05 21:56:39 localhost gconfd (root-4162): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0
Jan 05 21:56:39 localhost gconfd (root-4162): Resolved address "xml:readwrite:/root/.gconf" to a writable configuration source at position 1
Jan 05 21:56:39 localhost gconfd (root-4162): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
Jan 05 21:58:20 localhost kernel: MSDOS FS: IO charset cp936
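As an added example (not part of the original article), the following Python parser splits lines of the four-field format just described into their fields, run over constructed sample lines modelled on the output above. It also expands syslogd's "last message repeated N times" lines, so that counts over the result are not understated, and pulls out the PAM "session opened" events that show who logged in and when.

```python
import re

# Constructed sample lines in the classic syslog format described above:
# timestamp, host, program (optionally with [pid]), then the message text.
SAMPLE = """\
Jan 05 21:55:51 localhost kernel: [drm] Initialized i830 1.3.2 on minor 0
Jan 05 21:55:51 localhost last message repeated 3 times
Jan 05 21:55:51 localhost kernel: mtrr: base(0xf0000000) is not aligned on size(0x12c000) boundary
Jan 05 21:55:51 localhost gdm(pam_unix)[4079]: session opened for user root by (uid=0)
Jan 05 21:56:39 localhost gconfd (root-4162): starting (version 2.2.0), pid 4162 user "root"
"""

# Field layout: "Mon dd hh:mm:ss host [prog[pid]: ]message". The program part is
# optional because syslogd's own "last message repeated N times" lines omit it.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?:(?P<prog>[^:\[]+?)(?:\[(?P<pid>\d+)\])?: )?"
    r"(?P<msg>.*)$"
)
REPEAT_RE = re.compile(r"^last message repeated (\d+) times$")
SESSION_RE = re.compile(r"^session opened for user (\S+) by")


def parse_line(line):
    """Split one line into its four fields; return None for lines that do not fit."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


def parse_log(text):
    """Parse lines in order, expanding 'repeated N times' into copies of the previous record."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rep = REPEAT_RE.match(rec["msg"]) if rec["prog"] is None else None
        if rep and records:
            records.extend(dict(records[-1], ts=rec["ts"]) for _ in range(int(rep.group(1))))
        else:
            records.append(rec)
    return records


def sessions_opened(records):
    """List (program, pid, user) for every PAM 'session opened' message: the login audit trail."""
    found = []
    for rec in records:
        m = SESSION_RE.match(rec["msg"])
        if m:
            found.append((rec["prog"], rec["pid"], m.group(1)))
    return found
```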

It is worth noting that, unlike the connection time log, the process accounting subsystem is not active by default and must be started. On Linux it is started with the accton command, which must be run as root. The command takes the form accton file, and the file must already exist. First create the pacct file with touch /var/log/pacct, then run accton /var/log/pacct. Once accton is active, the lastcomm command shows the commands that have been executed on the system. To turn accounting off, run accton with no parameters.

3. Working principle and configuration of the log system

3.1 System log

Programs use the openlog, syslog and closelog functions to send messages to the system log daemon.

The Linux kernel consists of many subsystems, including networking, file access and memory management. These subsystems need to send messages to users, including the source and importance of each message, and all of them should deliver their messages to a common, maintainable message area. This is the job of the program called syslog.

This program receives messages (error messages, warnings and other information generated by the kernel and by many system programs, each carrying an importance level) and distributes them to the appropriate destinations. Usually all messages are recorded in a specific file, the log file (normally the messages file in the /var/adm or /var/log directory), and particularly important messages are also displayed on the user's terminal window.

The syslog facility has two important files: syslogd and syslog.conf. It accepts the log messages of the system and handles them according to the directives in the /etc/syslog.conf configuration file. Daemons and the kernel supply the log messages; any program that wants to generate log messages can call the syslog interface to do so.

3.2 The syslogd daemon

Like other complex operating systems, Linux is composed of many different subsystems. Some programs, called daemons, run continuously in the background (that is, they are "invisible" and do not need to interact with users), handling routine tasks such as printing, sending mail and establishing network connections. Each subsystem assigns a type to every log message it sends. The type has two parts, a "facility" and a "level". The facility identifies the subsystem that sent the message and lets messages of the same kind be grouped. The level indicates the importance of the message, from debug (least important) to emerg (most important). The combination of facility and level is called the priority. (See 5.3 for a detailed explanation.)

These values are defined in /usr/include/sys/syslog.h.

Users cannot see daemons because they have no windows or user interface. These programs nevertheless sometimes have to convey information to users, and a special mechanism is needed for that. A good example of a daemon is syslogd, which runs in the background and moves messages from the log area to the log files.

Function interface

#include <syslog.h>

void openlog(const char *ident, int option, int facility);

where option can be an OR combination of the following values:

LOG_CONS: if the message cannot be sent to syslogd, write it directly to the system console.

LOG_NDELAY: open the connection to syslogd immediately. By default the connection is opened only when the first message is written.

LOG_PERROR: also send the message to stderr.

LOG_PID: include the PID in each message.

void syslog(int priority, const char *format, ...);

where priority is the OR combination of a facility and a level.

void closelog(void);

Generally only the syslog() function is needed; the other two can be omitted.

3.3 syslog.conf

This is a very important file, located in the /etc/ directory. It tells syslogd how to handle messages according to their facility and severity.

The file uses the following format:

facility.level action

The first column, facility.level, specifies the logging facility and logging level; * can be used to match all facilities or all levels. The second column, action, is the destination of the message.

Blank lines and lines starting with # are comments and are ignored.

The facility.level field is also called a selector.

- facility specifies the syslog facility, mainly one of the following:

auth: authentication activity, reported by pam_pwdb.

authpriv: authentication activity involving privileged information, such as user names.

cron: messages from cron and at.

daemon: messages from daemons and the inetd daemon.

kern: kernel messages, which first pass through klogd.

lpr: messages related to the printing service.

mail: mail-related messages.

mark: a syslog-internal facility used to generate timestamps.

news: messages from the news server.

syslog: messages generated by syslog itself.

user: messages generated by user programs.

uucp: messages generated by uucp.

local0-local7: reserved for custom programs, for example using local5 as the facility for ssh.

*: wildcard for all facilities except mark.

- level determines the importance of the message.

The levels of each facility are ordered: emerg is the highest, followed by alert, and so on. By default, a level given in /etc/syslog.conf selects that level and all higher ones. To select a single level, or to exclude levels, two operators are available: ! (not) and = (exactly this level).

For example, user.=info tells syslogd to accept only user-facility messages at the info level.

The levels, in decreasing order of importance:

emerg: the system is unusable.

alert: a condition that must be corrected immediately.

crit: an error condition that prevents some tools or subsystems from performing their functions.

err: an error condition that prevents tools or some subsystems from performing certain functions.

warning: warning messages.

notice: normal but significant conditions.

info: informational messages.

debug: debugging messages that carry no information about functional conditions or problems.

none: no importance level; usually used for debugging.

*: all levels except none.

- action specifies what to do with the message, and it is quite flexible. In particular, named pipes can be used to have syslogd hand messages to a post-processing program.

syslogd mainly supports the following actions:

file: append the message to the end of the named file.

terminal or printer: the full path of a serial or parallel device.

@host: a remote log server.

username: write the message to the named user's terminal.

named pipe: the absolute path of a FIFO file created with the mkfifo command.

*: write the message to all logged-in users.

The selector field indicates the type and priority of the message; the action field indicates what syslogd does when it receives a message that matches the selector. Each selector consists of a facility and a priority. When a priority is given, syslogd records messages with that priority or higher: for example, if "crit" is specified, all messages marked crit, alert and emerg are logged. The action field of each line says where a message should be sent when that line's selector selects it.

The following is a syslog.conf file from an actual site:

# Store important things in key places
#
*.=crit;kern.none            /var/adm/critical

This saves all messages at crit priority in the file /var/adm/critical, except kernel messages.

# Kernel messages are first stored in the kernel file;
# critical and higher messages are also sent to
# another host and to the console
#
kern.*                       /var/adm/kernel
kern.crit                    @finlandia
kern.crit                    /dev/console
kern.info;kern.!err          /var/adm/kernel-info

The first line directs all kernel messages into the file /var/adm/kernel.

The second line sends all kernel messages with priority crit or higher to the remote host. Because they are also stored on a remote host, you can still try to find the cause of a crash even if the local machine is damaged.

The fourth line makes syslogd save all kernel messages with priority from info up to warning in the file /var/adm/kernel-info; err and higher priorities are excluded.

# The tcp wrapper logs with mail.info; we show
# all connections on tty12
#
mail.=info                   /dev/tty12

This directs all messages with mail.info (in source code, LOG_MAIL | LOG_INFO) to /dev/tty12, the twelfth console. tcpd(8), for example, uses this priority by default.

# Store all mail-related messages in one file
mail.*;mail.!=info           /var/adm/mail

This pattern matches all messages with the mail facility except those at info priority. They are saved in the file /var/adm/mail.

# Log all mail.info and news.info messages to info
#
mail,news.=info              /var/adm/info

This selects all messages with facility mail or news at info priority and stores them in the file /var/adm/info.

# Log info and notice messages to the messages file
#
*.=info;*.=notice;\
mail.none                    /var/log/messages

This stores all messages with info or notice priority received by syslogd in the file /var/log/messages, except messages with the mail facility.

# Log info messages to the messages file
#
*.=info;\
mail,news.none               /var/log/messages

This statement stores all messages with info priority received by syslogd in the file /var/log/messages, but messages with the mail or news facility are not stored.

# Emergency messages will be displayed on the wall
#
*.emerg                      *

This line tells syslogd to write all emerg messages to the terminals of all currently logged-in users.

# Messages of priority alert will be directed
# to the operator
#
*.alert                      root,joey
*.*                          @finlandia

The first line directs all messages with alert or higher priority to the terminals of the operators root and joey.

The second line sends every message to the remote host named finlandia. This is very useful, especially when all syslog messages from a cluster of computers are to be kept on one machine.
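To make the selector rules concrete, here is an added Python evaluator (written for this article, not part of syslogd) that applies the sysklogd matching semantics used in the examples above: a bare level selects that level and every more important one, = selects exactly one level, ! removes levels instead of adding them, none drops a facility, and the selectors of a line are applied left to right. The sample config is constructed from the rules discussed in this section.

```python
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "mark",
              "news", "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]

# Constructed sample config modelled on the rules walked through above.
CONFIG = """\
*.=crit;kern.none            /var/adm/critical
kern.*                       /var/adm/kernel
kern.crit                    @finlandia
kern.info;kern.!err          /var/adm/kernel-info
mail.*;mail.!=info           /var/adm/mail
mail,news.=info              /var/adm/info
*.=info;*.=notice;mail.none  /var/log/messages
*.emerg                      *
"""


def parse_rule(line):
    """Return ({facility: set of level indexes}, action) for one config line.
    Selectors are applied left to right, each adjusting the mask of the
    facilities it names, exactly as sysklogd builds its per-facility bitmask."""
    selectors, action = line.rsplit(None, 1)
    mask = {fac: set() for fac in FACILITIES}
    for sel in selectors.split(";"):
        fac_list, spec = sel.strip().rsplit(".", 1)
        negate, exact = "!" in spec[:2], "=" in spec[:2]
        spec = spec.lstrip("!=")
        if spec == "*":
            wanted = set(range(len(LEVELS)))                 # every level
        elif spec == "none":
            wanted, negate = set(range(len(LEVELS))), True   # clear the facility
        elif exact:
            wanted = {LEVELS.index(spec)}                    # only this level
        else:
            wanted = set(range(LEVELS.index(spec) + 1))      # this level and above
        # '*' on the facility side means every facility except mark
        facs = [f for f in FACILITIES if f != "mark"] if fac_list == "*" else fac_list.split(",")
        for fac in facs:
            if negate:
                mask[fac] -= wanted
            else:
                mask[fac] |= wanted
    return mask, action


def actions_for(config, facility, level):
    """Every action a message with this facility and level is routed to."""
    targets = []
    for line in config.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            mask, action = parse_rule(line)
            if LEVELS.index(level) in mask[facility]:
                targets.append(action)
    return targets
```

Note that a kernel message at crit reaches the kernel file and the remote host but not /var/adm/critical, because the trailing kern.none on that rule overrides the leading *.=crit.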

3.4 The klogd daemon

klogd is the daemon that receives messages from the kernel. It obtains and records Linux kernel messages. Usually syslogd records everything klogd receives; in other words, klogd reads the kernel messages and forwards them to the syslogd process. If klogd is started with the -f filename option, however, it records all messages in filename instead of passing them to syslogd; when another file is specified for logging in this way, all levels and priorities are written to that file. klogd has no configuration file like /etc/syslog.conf. The advantage of using klogd instead of syslogd is that many errors can be found.

Summary

Figure 1: Linux log system (the arrows indicate a message sent to the target process or written to the target file).

Log management and log protection

The logrotate program helps users manage log files; it runs as its own daemon. logrotate rotates the log files periodically: each log file is renamed to a backup name and the daemon then starts using a fresh copy of the log file. This produces files under /var/log such as maillog, maillog.1, maillog.2, boot.log.1, boot.log.2 and so on. It is driven by the configuration file /etc/logrotate.conf.

The following is an example logrotate.conf file:

# see "man logrotate" for details
# rotate log files weekly (a 7-day cycle)
weekly

# keep 4 weeks worth of backlogs
rotate 4

# send errors to the root user
errors root

# create a new (empty) log file after rotating the old one
create

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own lastlog or wtmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 1
}

# system-specific logs may be configured here

In networked environments there is a way to protect logs: set up a secret syslog host on the network whose network card is placed in promiscuous mode, so that it captures all syslog packets on the subnet.

For example, all hosts that need to send logs can be configured to send them to a host that does not exist. Then, even if an attacker compromises the target host, the machine holding the backup logs cannot be found from the syslog.conf file, which only names a nonexistent host. In practice the switch configuration may need adjusting so that the syslog process on the backup log host actually receives the syslog packets. For instance, the log host in syslog.conf is set to @192.168.0.13, but no such host exists on the network; in reality 192.168.0.250 or another host is accepting the syslog packets.