System log

Summary

The main function of the system log is auditing and monitoring: it continuously records events that happen in the system. Users can check system logs to find the cause of errors, or to trace intruders after the system has been compromised.

Basic concepts

Subsystem

There are three subsystems of system logging: the connection time log, the process statistics log and the error log.

  • Connection time log: Generated by several programs and stored in /var/log/wtmp and /var/run/utmp. Used by the administrator to track the login time of each user.

  • Process statistics log: Generated by the system kernel. When a process terminates, a record is written to the statistics file (acct or pacct). This provides statistics on command usage for the basic services in the system.

  • Error log: Generated by syslogd. Daemons, user processes and the kernel report notable events to the file "/var/log/messages" through syslog.

Some other services on Unix-like systems create their own logs, such as those written by HTTP or FTP servers.

Log message level

  • 0 EMERG (Emergency): Conditions that may render the host unusable
  • 1 ALERT (Alert): Conditions that require immediate action
  • 2 CRIT (Critical): Serious conditions
  • 3 ERR (Error): Run-time errors
  • 4 WARNING (Warning): Events that may affect system functions
  • 5 NOTICE (Notice): Normal but noteworthy conditions that do not affect the system
  • 6 INFO (Info): General information
  • 7 DEBUG (Debug): Information generated for debugging purposes
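In a raw syslog message the level above is not written out by name: the message starts with a PRI field `<N>` where N = facility * 8 + severity, so the severity is the low three bits of N (for example `<34>` is facility 4, auth, at severity 2, CRIT). The POSIX sh script below is an added example, not part of the original page; it decodes that prefix into the names listed above and keeps only messages at or above a chosen severity, which is a common first triage step. The four sample messages are constructed, not real captures.

```shell
#!/bin/sh
# Added example: decode the <PRI> prefix of raw syslog messages
# (PRI = facility * 8 + severity) into the severity names listed above,
# then keep only messages at or above a severity threshold.

# Severity number (0-7) -> name, in syslog order.
severity_name() {
    case "$1" in
        0) echo EMERG ;;
        1) echo ALERT ;;
        2) echo CRIT ;;
        3) echo ERR ;;
        4) echo WARNING ;;
        5) echo NOTICE ;;
        6) echo INFO ;;
        7) echo DEBUG ;;
        *) echo UNKNOWN ;;
    esac
}

# Severity (low 3 bits of PRI) of a line that starts with <PRI>.
# Lines without a valid PRI get 8, which maps to UNKNOWN.
line_severity() {
    pri=${1#"<"}          # drop the leading '<'
    pri=${pri%%">"*}      # keep the digits before the first '>'
    case "$pri" in
        ''|*[!0-9]*) echo 8; return ;;
    esac
    echo $(( pri % 8 ))
}

# Print "NAME line" for every stdin line whose severity number is <= $1
# (numerically lower means more severe).
filter_at_or_above() {
    threshold=$1
    while IFS= read -r line; do
        sev=$(line_severity "$line")
        if [ "$sev" -le "$threshold" ]; then
            printf '%s %s\n' "$(severity_name "$sev")" "$line"
        fi
    done
}

# Constructed sample messages (hostnames and addresses are placeholders).
SAMPLE='<34>Oct 11 22:14:15 host su: pam_unix(su:auth): authentication failure
<86>Oct 11 22:14:16 host sshd[123]: Accepted password for joe from 10.0.0.5
<0>Oct 11 22:14:17 host kernel: panic - not syncing
<188>Oct 11 22:14:18 host cron[456]: job finished with errors'

# Number of sample messages at or above severity $1.
count_at_or_above() {
    printf '%s\n' "$SAMPLE" | filter_at_or_above "$1" | wc -l | tr -d ' '
}

# Stand-alone run: everything at CRIT (2) or more severe.
printf '%s\n' "$SAMPLE" | filter_at_or_above 2
```

Running the script prints the `<34>` (CRIT) and `<0>` (EMERG) lines and drops the INFO and WARNING ones; raising the threshold to 4 would also keep the cron warning. The facility (the quotient N / 8) tells you which subsystem wrote the message and is what syslogd uses to route lines into the per-topic files described in the next section.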

Log file

In Linux, log files are stored in the directory /var/log. They can be categorized as follows:

  • /var/log/messages General system information, including logs generated during startup. The content of logs of mail, cron, daemon, kern and auth are included here as well.

  • /var/log/dmesg Messages from kernel ring buffer. Usually hardware related information is recorded here. Use command “dmesg” to show it.

  • /var/log/auth.log Authentication messages of system, including user logins and the permission used.

  • /var/log/boot.log Messages generated during startup.

  • /var/log/daemon.log Messages generated by background daemons.

  • /var/log/dpkg.log Logs from "dpkg" command, related to installation and uninstallation of dpkg packages.

  • /var/log/kern.log All messages generated by Linux kernel. It can be used to solve problems when using a customized kernel.

  • /var/log/lastlog Login information of all users.

  • /var/log/maillog and /var/log/mail.log Logs of mail servers. For example, all messages from sendmail program are recorded here.

  • /var/log/Xorg.x.log Messages for X server.

  • /var/log/alternatives.log Logs from "alternative" command.

  • /var/log/btmp All bad login attempts are recorded here. Use command "lastb" to display it.

  • /var/log/cups All messages concerning printing.

  • /var/log/anaconda.log System installation log for Red Hat Linux and its derivatives.

  • /var/log/yum.log Logs from the "yum" command, related to installation and uninstallation of packages.

  • /var/log/cron Messages written by cron when it starts and runs jobs.

  • /var/log/secure Verification and authentication information. For example, sshd records all logins (including failed logins) here.

  • /var/log/wtmp and /var/log/utmp Login records. Used to find out which users are active in the system.

  • /var/log/faillog Failed logins and the commands used are recorded here.
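Because /var/log/auth.log (Debian derivatives) and /var/log/secure (Red Hat derivatives) hold every sshd login attempt, they are the first place to look for password-guessing against the host. The POSIX sh script below is an added example, not part of the original page: it counts "Failed password" lines per source address and flags sources over a threshold, the same check you would later cross-reference with lastb. The five sample lines are constructed (documentation-range addresses), and awk and sort are assumed to be available.

```shell
#!/bin/sh
# Added example: summarise failed sshd logins per source address from
# auth.log / secure style lines and flag sources over a threshold.

# Constructed sample lines in the sshd/auth.log format (not a real capture).
SAMPLE_AUTH='Jun  8 08:30:01 host sshd[2001]: Failed password for invalid user admin from 198.51.100.7 port 50211 ssh2
Jun  8 08:30:03 host sshd[2002]: Failed password for root from 198.51.100.7 port 50212 ssh2
Jun  8 08:31:10 host sshd[2003]: Accepted publickey for joe from 203.0.113.4 port 40110 ssh2
Jun  8 08:32:44 host sshd[2004]: Failed password for joe from 192.0.2.9 port 40400 ssh2
Jun  8 08:33:00 host sshd[2005]: Failed password for invalid user test from 198.51.100.7 port 50213 ssh2'

# Read log lines on stdin; print "count address" per source that produced
# "Failed password" lines, most failures first. Successful logins and
# non-sshd lines are ignored.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            # the address is the field after the literal word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { counts[$(i+1)]++; break }
         }
         END { for (a in counts) print counts[a], a }' | sort -rn
}

# Read log lines on stdin; print only addresses with at least $1 failures.
sources_over_threshold() {
    failed_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

# Stand-alone run over the sample; on a live host use e.g.
#   sources_over_threshold 10 < /var/log/auth.log
printf '%s\n' "$SAMPLE_AUTH" | failed_by_source
printf '%s\n' "$SAMPLE_AUTH" | sources_over_threshold 3
```

On the sample input the summary is "3 198.51.100.7" and "1 192.0.2.9", and only 198.51.100.7 crosses a threshold of 3. Note that a single failure from a legitimate user (the 192.0.2.9 line) is normal; the signal is the repeated failures, especially for "invalid user" names that do not exist on the host.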

There are some subdirectories in /var/log, reserved for special uses:

  • /var/log/httpd/ and /var/log/apache2/ Contain the "access_log" and "error_log" files generated by the httpd (Apache) server.

  • /var/log/lighttpd/ Logs from the lighttpd server.

  • /var/log/mail/ Extra logs from mail server.

  • /var/log/prelink/ Records of all .so files that have been modified by prelink.

  • /var/log/audit/ Information stored by Linux audit daemon.

  • /var/log/samba/ Logs from samba service.

  • /var/log/sa/ SAR files generated by sysstat.

  • /var/log/sssd/ Used by System Security Services Daemon (SSSD).

Log management

who

Use the command "who" to show login information for all users on the local system. It displays the login name, the TTY used, and the login date and time. Use "who am i" or "whoami" to show the information of the current user. If a user logged in from a remote machine, that machine's hostname is shown as well.

"who" can also display the PID of the login shell and changes of logins, among other things.

Based on the options given, who can also list the user's name, terminal line, login time, elapsed time since activity occurred on the line, and the process ID of the command interpreter for each current system user.

Syntax:

who [ -a | -b -d -i -l -m -p -q -r -s -t -u -w -A -H -T ] [ File ]
who am { i | I }

Options:

-a    Process /etc/utmp (or the named file) as if the options -bdlprtTu were all given.
-b    Display the time and date of the last system reboot.
-d    Show a list of all processes that have expired and not been re-spawned by the init system process. This can be useful in determining why a process terminated.
-l    List only those lines on which the system is waiting for someone to log in.
-m    Output only information about the current terminal. This is equivalent to "who am i" and "who am I".
-p    List any other process that is currently active and has been previously spawned by init.
-q    List only the names and the number of users currently logged on.
-r    Write the current run-level of the init process.
-s    List only the <name>, <line>, and <time> fields. This is the default, so "who -s" is equivalent to "who".
-t    Indicate the last change to the system clock. If the clock has not been changed with the "date" command since the system was installed, "who -t" produces no output.
-u    Show an extra "idle time" field for each user displayed.
-H    Show a header above the regular output.
--help    Show help information.

Examples:

To show all active users in the local system:

$ who
joe lft/0 Jun 8 08:34

To show your username:

$ who am i
george lft/0 Jun 8 08:34

To show the run-level of the local system:

$ who -r
run-level 2 2013-10-13 15:37

w

Use "w" to show the users that are logged in and the programs they are running. Running "w" without any options displays all active users; you can also name a specific user to show.

Syntax:

w [-fhlsuV][Username]

Options:

-f    Toggle  printing  the "from" (remote hostname) field
-h    Don't print the header.
-s    Use the short format, excluding fields of login time, JCPU and PCPU.
-u    Ignores the username while figuring out the current process and CPU times.
-V    Show version information.

last

Use "last" to list information about current and previous logins.

Running "last" without any options parses the content of /var/log/wtmp and displays a list of users that recently logged in to the system.

Syntax:

last [-adRx][-f <LogFile>][-n <Lines>][Username...][Terminal...]

Options:

-a    Display the hostname in the last column.
-d    Translate IP addresses to hostnames.
-f <LogFile>    Specify the log file to read.
-n <Lines> or -<Lines>    Limit the number of lines to output.
-R    Do not display the hostname.
-x    Display the system shutdown entries and run level changes.

lastlog

Use "lastlog" to view the recent logins of all users, or of a specified user.

Syntax:

lastlog [Options]

Options

 -b, --before DAYS    Show only records older than DAYS days.
 -h, --help    Display help information.
 -R, --root CHROOT_DIR    Apply changes in the CHROOT_DIR directory and use the configuration files from the CHROOT_DIR directory.
 -t, --time DAYS    Show only records more recent than DAYS days.
 -u, --user LOGIN|RANGE    Show the recent logins of the specified user or UID range.
