Brief Analysis of Linux Log Files

Posted by trazan on Wed, 28 Aug 2019 15:14:10 +0200

Functions of logs

  • Record the events that occur while the system and its programs are running
  • Reading logs helps diagnose and resolve system faults, and is the first place to look after a suspected intrusion

Classification of log files

  • Kernel and system logs:
    Managed by the syslog system service; entries share a largely uniform format (timestamp, host, program name, message).

  • User logs:
    Record user login and logout events.

  • Program logs:
    Maintained independently by each application, each with its own record format.

Log save location

By default, logs are stored under the /var/log directory.

Introduction to Major Log Files

Log file type                    Log file
Kernel and public message log    /var/log/messages
Scheduled task (cron) log        /var/log/cron
System boot log                  /var/log/dmesg
Mail system log                  /var/log/maillog
User login logs                  /var/log/lastlog, /var/log/secure, /var/log/wtmp, /var/log/btmp

Level of log messages

Every syslog message carries a priority level; 0 is the most severe and 7 the least. Filtering on the level is the quickest way to separate "something broke" from routine noise:

Level  Name     Meaning
0      emerg    System is unusable
1      alert    Action must be taken immediately
2      crit     Critical condition
3      err      Error condition
4      warning  Warning condition
5      notice   Normal but significant condition
6      info     Informational message
7      debug    Debug-level message

Viewing Log Files

cat command: display the entire file

Common options:

 -n: number all output lines, starting from 1
 -b: like -n, but blank lines are not numbered
 -s: squeeze consecutive blank lines into a single blank line

more command: view the log page by page (Enter scrolls down one line, Space scrolls down one page, b scrolls back one page, q quits)

less command: similar to more, but less can scroll backwards freely and stays open at the end of the file, whereas more exits automatically once it reaches the last page

head command: display the beginning of a text file

 -n N: show the first N lines

tail command: display the end of a text file; the usual way to see the newest log entries

 -n N: show the last N lines
 -f: follow the file and print new lines as they are appended (tail -f /var/log/secure is the quickest way to watch logins live)

User Log Analysis

Record user logins, logouts and related session information.

/var/log/lastlog:                     //Most recent login of each user
/var/log/wtmp:                        //Login, logout, system boot and shutdown events
/var/run/utmp:                        //Details of every user currently logged in
/var/log/btmp:                        //Failed login attempts
/var/log/secure:                      //Security events related to user authentication (plain text)

lastlog, wtmp, utmp and btmp are binary files: cat shows garbage, so read them with the commands below (or dump them with utmpdump). Only /var/log/secure is plain text.

Analysis tools

  • users, who, w, last, lastb

users command: display the names of the users currently logged in; each name corresponds to one login session, so a user with two sessions appears twice

[root@localhost ~]# users
jiang root root
[root@localhost ~]#

who command: show who is currently logged in, with the terminal, login time and origin of each session

[root@localhost ~]# who
root     :1           2019-08-09 19:58 (:1)
root     pts/1        2019-08-28 19:18 (192.168.52.1)
jiang    :2           2019-08-28 19:32 (:2)
[root@localhost ~]#

w command: show uptime, load average and, for each logged-in user, the session's origin, login time, idle time and current command

[root@localhost ~]# w
 19:39:20 up  1:19,  4 users,  load average: 0.00, 0.09, 0.13
USER     TTY      FROM             LOGIN@   IDLE   JCPU     WHAT
root     :1       :1               09Aug19 ?xdm?   1:39   0.09s /usr/libexec/gnome-session-binary --sess
root     pts/1    192.168.52.1     19:18    0.00s  0.08s  0.02s w
jiang    :2       :2               19:32   ?xdm?   1:39   0.10s /usr/libexec/gnome-session-binary --sess
[root@localhost ~]#

last command: query successful logins and system reboots from /var/log/wtmp, most recent first

[root@localhost ~]# last
jiang    :2           :2               Wed Aug 28 19:32   still logged in   
root     pts/1        192.168.52.1     Wed Aug 28 19:18   still logged in   
root     pts/0        :1               Wed Aug 28 19:18 - 19:18  (00:00)    
root     pts/0        :1               Tue Aug 13 16:20 - 16:21  (00:00)    
root     pts/0        :1               Fri Aug  9 20:24 - 20:27  (00:03)    
root     pts/0        :1               Fri Aug  9 20:23 - 20:24  (00:00)    
root     pts/0        :1               Fri Aug  9 20:23 - 20:23  (00:00)    
root     pts/0        :1               Fri Aug  9 20:22 - 20:22  (00:00)    
root     pts/0        :1               Fri Aug  9 20:14 - 20:20  (00:05)    
root     pts/0        :1               Fri Aug  9 20:01 - 20:11  (00:09)    
root     :1           :1               Fri Aug  9 19:58   still logged in   
jiang    :0           :0               Fri Aug  9 19:48 - 19:58  (00:09)    
reboot   system boot  3.10.0-693.el7.x Fri Aug  9 19:32 - 19:41 (19+00:09)  

wtmp begins Fri Aug  9 19:32:34 2019
[root@localhost ~]#

lastb command: query failed login attempts from /var/log/btmp. A wrong user name or password is recorded here and counts as a security event; the same attempts are also written, with more detail, to the authentication log /var/log/secure

[root@localhost ~]# lastb
jiang    :0           :0               Wed Aug 28 19:59 - 19:59  (00:00)    
jiang    :0           :0               Wed Aug 28 19:59 - 19:59  (00:00)    
jiang    :0           :0               Wed Aug 28 19:59 - 19:59  (00:00)    

btmp begins Wed Aug 28 19:59:19 2019
[root@localhost ~]# 
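
The failed-login events that lastb reads from btmp also land as text in /var/log/secure, which is where grep and awk become useful. The following script is an added example written for this page, not part of the original post: it runs over a constructed sample of /var/log/secure (the log lines, user names and addresses are made up, with the public IPs taken from documentation ranges) and the function names are my own.

```shell
#!/bin/sh
# Added example: mining /var/log/secure for authentication events.
# SECURE_SAMPLE is a constructed stand-in for /var/log/secure (CentOS 7 style
# rsyslog lines from sshd and gdm); the addresses are documentation ranges.
SECURE_SAMPLE=$(mktemp)
trap 'rm -f "$SECURE_SAMPLE"' EXIT
cat > "$SECURE_SAMPLE" <<'EOF'
Aug 28 19:18:02 localhost sshd[2310]: Accepted password for root from 192.168.52.1 port 51234 ssh2
Aug 28 19:18:02 localhost sshd[2310]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 28 19:59:19 localhost gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=jiang
Aug 28 20:03:11 localhost sshd[2402]: Failed password for root from 203.0.113.7 port 40122 ssh2
Aug 28 20:03:14 localhost sshd[2402]: Failed password for root from 203.0.113.7 port 40122 ssh2
Aug 28 20:03:17 localhost sshd[2402]: Failed password for root from 203.0.113.7 port 40122 ssh2
Aug 28 20:03:40 localhost sshd[2411]: Invalid user admin from 203.0.113.7
Aug 28 20:03:42 localhost sshd[2411]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Aug 28 20:05:01 localhost sshd[2420]: Failed password for jiang from 192.168.52.1 port 51300 ssh2
Aug 28 20:05:06 localhost sshd[2420]: Accepted password for jiang from 192.168.52.1 port 51300 ssh2
Aug 28 20:10:30 localhost sshd[2450]: Failed password for root from 198.51.100.9 port 33010 ssh2
EOF

# Failed SSH password attempts per source address, busiest first: "<count> <ip>".
failed_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Sources whose failure count reached the threshold: brute-force candidates.
# Usage: brute_force_sources <logfile> <threshold>
brute_force_sources() {
    failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Successful SSH logins as "<user> <ip>" (password and publickey alike).
accepted_logins() {
    grep 'sshd\[[0-9]*\]: Accepted ' "$1" \
        | awk '{ for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i + 1); else if ($i == "from") print u, $(i + 1) } }'
}

# Successful logins from a source that also produced failures: the case an
# analyst wants to see first, because a guessed password may have worked.
accepted_from_failing_sources() {
    bad=$(mktemp)
    failed_by_ip "$1" | awk '{ print $2 }' | sort -u > "$bad"
    accepted_logins "$1" \
        | awk -v f="$bad" 'BEGIN { while ((getline ip < f) > 0) seen[ip] = 1 } seen[$2] { print }'
    rm -f "$bad"
}

# Local (PAM) authentication failures per user; these are the events lastb
# reports from /var/log/btmp, here read from the text log instead.
pam_failures_by_user() {
    grep 'authentication failure' "$1" | grep -o ' user=[^ ]*' \
        | sed 's/ user=//' | sort | uniq -c | awk '{ print $1, $2 }'
}

echo "== failed SSH logins by source =="; failed_by_ip "$SECURE_SAMPLE"
echo "== sources at or above 3 failures =="; brute_force_sources "$SECURE_SAMPLE" 3
echo "== successful logins from failing sources =="; accepted_from_failing_sources "$SECURE_SAMPLE"
echo "== local PAM failures by user =="; pam_failures_by_user "$SECURE_SAMPLE"
```

Point the functions at the real file (failed_by_ip /var/log/secure) on a CentOS 7 box and the same pipelines apply; on Debian-style systems the equivalent log is /var/log/auth.log. The last function is the one to read carefully: a single failure followed by a success from the same address is normal for a user who mistyped a password, but a success after dozens of failures from one source is the signature of a brute-force attempt that worked.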

Program Log Analysis

Managed independently by the application concerned

  • Web service (httpd): /var/log/httpd/
    access_log, error_log
  • Proxy service (Squid): /var/log/squid/
    access.log, cache.log
  • FTP service: /var/log/xferlog (file transfer log)

Analysis tools:

  • Text viewing, filtering with grep, or browsing through the Webmin management suite

  • Text filtering and formatting tools such as awk and sed

  • Dedicated log analysis tools such as Webalizer and AWStats
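
As an added example (not from the original post) of the grep/awk approach on a program log, the script below triages a constructed Apache access_log in the combined log format. The requests, addresses, status codes and function names are all invented for the demonstration.

```shell
#!/bin/sh
# Added example: triage of an Apache access_log (combined format).
# ACCESS_SAMPLE is a constructed stand-in for /var/log/httpd/access_log.
# Whitespace fields: $1 client, $4 timestamp, $6 method, $7 path, $9 status, $10 bytes.
ACCESS_SAMPLE=$(mktemp)
trap 'rm -f "$ACCESS_SAMPLE"' EXIT
cat > "$ACCESS_SAMPLE" <<'EOF'
192.168.52.1 - - [28/Aug/2019:19:40:01 +0800] "GET / HTTP/1.1" 200 4897 "-" "Mozilla/5.0"
192.168.52.1 - - [28/Aug/2019:19:40:02 +0800] "GET /index.html HTTP/1.1" 200 4897 "http://192.168.52.128/" "Mozilla/5.0"
203.0.113.7 - - [28/Aug/2019:20:11:05 +0800] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "python-requests/2.22.0"
203.0.113.7 - - [28/Aug/2019:20:11:05 +0800] "GET /wp-login.php HTTP/1.1" 404 209 "-" "python-requests/2.22.0"
203.0.113.7 - - [28/Aug/2019:20:11:06 +0800] "GET /../../etc/passwd HTTP/1.1" 400 226 "-" "python-requests/2.22.0"
203.0.113.7 - - [28/Aug/2019:20:11:06 +0800] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "-" "python-requests/2.22.0"
203.0.113.7 - - [28/Aug/2019:20:11:07 +0800] "GET /admin/ HTTP/1.1" 404 209 "-" "python-requests/2.22.0"
198.51.100.9 - - [28/Aug/2019:20:15:33 +0800] "POST /login.php HTTP/1.1" 500 512 "-" "curl/7.29.0"
198.51.100.9 - - [28/Aug/2019:20:15:40 +0800] "GET /static/..%2f..%2fetc/shadow HTTP/1.1" 404 209 "-" "curl/7.29.0"
192.168.52.1 - - [28/Aug/2019:20:20:10 +0800] "GET /docs/ HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
EOF

# Requests per client address, busiest first: "<count> <ip>".
requests_by_ip() {
    awk '{ print $1 }' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# How many responses of each status code were returned: "<status> <count>".
status_summary() {
    awk '{ c[$9]++ } END { for (s in c) print s, c[s] }' "$1" | sort
}

# Error responses (4xx/5xx) with the request that caused them: "<status> <ip> <path>".
error_requests() {
    awk '$9 ~ /^[45][0-9][0-9]$/ { print $9, $1, $7 }' "$1"
}

# Scanner detection: clients with at least <threshold> 404s, i.e. probing for
# paths that do not exist the way vulnerability scanners do.
# Usage: scanner_sources <logfile> <threshold>
scanner_sources() {
    awk '$9 == 404 { print $1 }' "$1" | sort | uniq -c | awk -v t="$2" '$1 >= t { print $2 }'
}

# Requests whose path carries a directory-traversal or null-byte marker,
# raw or URL-encoded, as "<ip> <path>".
suspicious_paths() {
    awk '$7 ~ /(\.\.\/|\.\.%2[fF]|%2[eE]%2[eE]|%00)/ { print $1, $7 }' "$1"
}

echo "== requests by client =="; requests_by_ip "$ACCESS_SAMPLE"
echo "== responses by status =="; status_summary "$ACCESS_SAMPLE"
echo "== error responses =="; error_requests "$ACCESS_SAMPLE"
echo "== clients with 3 or more 404s =="; scanner_sources "$ACCESS_SAMPLE" 3
echo "== traversal-style paths =="; suspicious_paths "$ACCESS_SAMPLE"
```

The field positions assume the default combined format; if the LogFormat directive in httpd.conf was changed, adjust the column numbers. The traversal pattern is deliberately narrow (only "..", its percent-encoded forms and %00); for anything beyond a first look, use a dedicated tool or a web application firewall's rule set rather than growing the regex.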

Log Management Strategy

  • Back up and archive logs promptly
  • Extend the log retention period
  • Control access rights to logs
    Logs can contain sensitive information such as account names and, when an application logs carelessly, passwords; /var/log/secure is therefore readable only by root by default, and other logs should be no more permissive than they need to be

  • Centralize log management
    Forward each server's logs to a dedicated log server (with rsyslog, a line such as *.* @@loghost:514 forwards everything over TCP)
    Allows log information to be collected, collated and analyzed in one place
    Protects against accidental loss and makes it much harder for an attacker who compromises one host to tamper with or delete the evidence, since a copy has already left the machine
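
Two of the controls above, restricting who can read the logs and detecting tampering, can be checked with ordinary shell tools. The script below is an added example written for this page, not from the original post; it works on a constructed temporary directory standing in for /var/log, and the file contents, the hash-manifest approach and the function names are my own choices.

```shell
#!/bin/sh
# Added example: (1) audit and restrict log file permissions, (2) keep a hash
# manifest that detects later modification or deletion of a log file.
# LOGDIR is a constructed temporary directory standing in for /var/log; the
# three files hold made-up lines.
LOGDIR=$(mktemp -d)
trap 'rm -rf "$LOGDIR"' EXIT
printf 'Aug 28 19:18:02 localhost sshd[2310]: Accepted password for root from 192.168.52.1 port 51234 ssh2\n' > "$LOGDIR/secure"
printf 'Aug 28 19:32:34 localhost kernel: Linux version 3.10.0-693.el7.x86_64\n' > "$LOGDIR/messages"
printf 'Aug 28 20:01:01 localhost CROND[2500]: (root) CMD (run-parts /etc/cron.hourly)\n' > "$LOGDIR/cron"
chmod 600 "$LOGDIR/secure"
chmod 644 "$LOGDIR/messages"   # world-readable: the weak setting
chmod 640 "$LOGDIR/cron"

# Use shasum where coreutils sha256sum is absent (e.g. macOS).
command -v sha256sum >/dev/null 2>&1 || sha256sum() { shasum -a 256 "$@"; }

# Log files under <dir> that any user on the system can read.
world_readable_logs() {
    find "$1" -type f -perm -004 | sed 's#.*/##' | sort
}

# Remove the world-read bit from every log file under <dir>.
restrict_log_perms() {
    find "$1" -type f -perm -004 -exec chmod o-r {} +
}

# Write "<sha256>  ./<file>" for every file under <dir> into <manifest>,
# sorted by path so two manifests of the same tree diff cleanly.
make_manifest() {
    (cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2) > "$2"
}

# Recompute the manifest and compare it with the stored one. Prints the names
# of files that were modified or removed and returns 1 if there are any;
# returns 0 when the tree is unchanged. Keep <manifest> off-host (on the
# central log server, for instance): an attacker with root on this machine
# can rewrite a local manifest just as easily as the logs.
verify_manifest() {
    current=$(mktemp)
    make_manifest "$1" "$current"
    if diff "$2" "$current" > /dev/null; then
        rm -f "$current"
        return 0
    fi
    diff "$2" "$current" | awk '/^[<>]/ { p = $NF; sub(/^\.\//, "", p); print p }' | sort -u
    rm -f "$current"
    return 1
}

echo "== world-readable log files =="; world_readable_logs "$LOGDIR"
MANIFEST=$(mktemp)
make_manifest "$LOGDIR" "$MANIFEST"
printf 'Aug 28 20:30:00 localhost CROND[2600]: (root) CMD (/tmp/.x)\n' >> "$LOGDIR/cron"   # simulated tampering
echo "== files changed since the manifest =="
verify_manifest "$LOGDIR" "$MANIFEST" || echo "integrity check FAILED"
rm -f "$MANIFEST"
```

A manifest like this only catches changes made after it was taken, and it says nothing about lines removed from a file that rotates normally, so regenerate it right after each logrotate run. Forwarding to a central server remains the stronger control; the manifest is a cheap second check for hosts that keep local copies.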
