How to perform log management and auditing on Linux systems-Linux Operation and Maintenance-php.cn

Home

Operation and Maintenance

Linux Operation and Maintenance

How to perform log management and auditing on Linux systems

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Nov 07, 2023 am 10:30 AM

System monitoringAudit loglinux log management

How to perform log management and auditing on Linux systems

How to carry out log management and auditing in Linux systems

Overview:
In Linux systems, log management and auditing are very important. Through correct log management and auditing strategies, the operation of the system can be monitored in real time, problems can be discovered in a timely manner and corresponding measures can be taken. This article will introduce how to perform log management and auditing on Linux systems, and provide some specific code examples for reference.

1. Log management

1.1 Location and naming rules of log files
In Linux systems, log files are usually located in the /var/log directory. Different systems and applications generate their own log files, so you can review the appropriate log files as needed. Common log files include:

/var/log/messages: Important information and error logs for systems and applications.
/var/log/auth.log: Authentication and authorization information and error logs.
/var/log/syslog: Detailed log of system running status.
/var/log/secure: Security-related information and error logs.

In order to better distinguish log files, you can use naming rules, such as adding date and host name information to the log file name.
Sample code:

filename=`date +%Y-%m-%d`_`hostname`.log

1.2 Set log rotation
In order to prevent the log file from becoming too large, you can set log rotation rules. In Linux systems, the commonly used log rotation tool is logrotate. By configuring logrotate, log files can be backed up or compressed regularly, and then new log files can be created.

Sample code:
Create the logrotate configuration file /etc/logrotate.d/mylog and configure the rotation rules:

/var/log/mylog {
    monthly
    rotate 4
    compress
    missingok
    notifempty
}

Description: The above configuration indicates that the log file will be rotated once a month and the most recent will be retained. 4 backups; perform compression operation during rotation; ignore if the log file does not exist; do not rotate if the log file is empty.

1.3 Using log monitoring tools
In order to more conveniently monitor log information in real time, you can use some log monitoring tools. Commonly used log monitoring tools include Logcheck and Logwatch. These tools can regularly check log files and then send key log information to administrators via email.

2. Audit

2.1 Configure audit rules
Linux system provides an audit system (audit system), which can record security-related events in the system. By configuring audit rules, key events in the system can be recorded in real time, such as file access, permission changes, logins, etc.

Sample code:
Create audit rules:

auditctl -w /etc/shadow -p w -k shadow_changes

Description: In the above example, the audit rules are configured to monitor the write permission changes of the /etc/shadow file, and audit events will be recorded if changes occur. , and set the keyword to shadow_changes.

2.2 View the audit log
The audit system will record all audit events and save them in the /var/log/audit/audit.log file. You can view the contents of the audit log through the command aureport.

Sample code:
View all audit events:

aureport

2.3 Using audit tools
In order to view and analyze audit logs more conveniently, you can use some audit tools. Commonly used audit tools include AIDE and OSSEC-HIDS. These tools monitor your system for security events in real time and provide reporting and alerting capabilities.

Conclusion:
Through correct log management and auditing strategies, system anomalies and security issues can be discovered in a timely manner. In actual applications, log management and audit rules can be configured according to specific needs, and corresponding tools can be used for monitoring and analysis. Through log management and auditing, the security and stability of the system can be improved.

The above is the detailed content of How to perform log management and auditing on Linux systems. For more information, please follow other related articles on the PHP Chinese website!

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Linux: A Look at Its Fundamental StructureApr 16, 2025 am 12:01 AM

The basic structure of Linux includes the kernel, file system, and shell. 1) Kernel management hardware resources and use uname-r to view the version. 2) The EXT4 file system supports large files and logs and is created using mkfs.ext4. 3) Shell provides command line interaction such as Bash, and lists files using ls-l.

Linux Operations: System Administration and MaintenanceApr 15, 2025 am 12:10 AM

The key steps in Linux system management and maintenance include: 1) Master the basic knowledge, such as file system structure and user management; 2) Carry out system monitoring and resource management, use top, htop and other tools; 3) Use system logs to troubleshoot, use journalctl and other tools; 4) Write automated scripts and task scheduling, use cron tools; 5) implement security management and protection, configure firewalls through iptables; 6) Carry out performance optimization and best practices, adjust kernel parameters and develop good habits.

Understanding Linux's Maintenance Mode: The EssentialsApr 14, 2025 am 12:04 AM

Linux maintenance mode is entered by adding init=/bin/bash or single parameters at startup. 1. Enter maintenance mode: Edit the GRUB menu and add startup parameters. 2. Remount the file system to read and write mode: mount-oremount,rw/. 3. Repair the file system: Use the fsck command, such as fsck/dev/sda1. 4. Back up the data and operate with caution to avoid data loss.

How Debian improves Hadoop data processing speedApr 13, 2025 am 11:54 AM

This article discusses how to improve Hadoop data processing efficiency on Debian systems. Optimization strategies cover hardware upgrades, operating system parameter adjustments, Hadoop configuration modifications, and the use of efficient algorithms and tools. 1. Hardware resource strengthening ensures that all nodes have consistent hardware configurations, especially paying attention to CPU, memory and network equipment performance. Choosing high-performance hardware components is essential to improve overall processing speed. 2. Operating system tunes file descriptors and network connections: Modify the /etc/security/limits.conf file to increase the upper limit of file descriptors and network connections allowed to be opened at the same time by the system. JVM parameter adjustment: Adjust in hadoop-env.sh file

How to learn Debian syslogApr 13, 2025 am 11:51 AM

This guide will guide you to learn how to use Syslog in Debian systems. Syslog is a key service in Linux systems for logging system and application log messages. It helps administrators monitor and analyze system activity to quickly identify and resolve problems. 1. Basic knowledge of Syslog The core functions of Syslog include: centrally collecting and managing log messages; supporting multiple log output formats and target locations (such as files or networks); providing real-time log viewing and filtering functions. 2. Install and configure Syslog (using Rsyslog) The Debian system uses Rsyslog by default. You can install it with the following command: sudoaptupdatesud

How to choose Hadoop version in DebianApr 13, 2025 am 11:48 AM

When choosing a Hadoop version suitable for Debian system, the following key factors need to be considered: 1. Stability and long-term support: For users who pursue stability and security, it is recommended to choose a Debian stable version, such as Debian11 (Bullseye). This version has been fully tested and has a support cycle of up to five years, which can ensure the stable operation of the system. 2. Package update speed: If you need to use the latest Hadoop features and features, you can consider Debian's unstable version (Sid). However, it should be noted that unstable versions may have compatibility issues and stability risks. 3. Community support and resources: Debian has huge community support, which can provide rich documentation and

TigerVNC share file method on DebianApr 13, 2025 am 11:45 AM

This article describes how to use TigerVNC to share files on Debian systems. You need to install the TigerVNC server first and then configure it. 1. Install the TigerVNC server and open the terminal. Update the software package list: sudoaptupdate to install TigerVNC server: sudoaptinstalltigervnc-standalone-servertigervnc-common 2. Configure TigerVNC server to set VNC server password: vncpasswd Start VNC server: vncserver:1-localhostno

Debian mail server firewall configuration tipsApr 13, 2025 am 11:42 AM

Configuring a Debian mail server's firewall is an important step in ensuring server security. The following are several commonly used firewall configuration methods, including the use of iptables and firewalld. Use iptables to configure firewall to install iptables (if not already installed): sudoapt-getupdatesudoapt-getinstalliptablesView current iptables rules: sudoiptables-L configuration

See all articles