
Master Linux log analysis skills: comprehensive learning from format to analysis

PHPz, 2024-02-13 22:40:19


The log files in a Linux system record the system's running status and the activity of the various applications on it; they are crucial for diagnosing system problems and debugging errors. Learning to read and analyze Linux log files is therefore a skill every Linux user should master. This article introduces the types and formats of Linux log files and the common ways of reading them, so that you can understand and resolve system problems more easily.

Three types of logs

  • Kernel and system logs: This kind of log data is managed uniformly by the rsyslog system service, which decides where kernel messages and the messages of the various system programs are recorded. A considerable number of programs in the system hand their log files over to rsyslog for management, so the log records used by these programs also share a similar format.

  • User logs: This kind of log data records user login and logout information for the Linux operating system, including the user name, login terminal, login time, source host, the processes in use, and so on.

  • Program logs: Some applications choose to manage a log file on their own (instead of leaving it to the rsyslog service) to record the various events that occur while the program runs. Since each of these programs is responsible only for its own log file, the logging formats used by different programs may vary greatly.

Common log files

Path               Description
/var/log/messages  Linux kernel messages and general log information from various applications
/var/log/cron      Events generated by crond scheduled tasks
/var/log/dmesg     Events of the Linux operating system during the boot process
/var/log/maillog   Email activity entering or leaving the system
/var/log/lastlog   The most recent login event for each user
/var/log/secure    Security events related to user authentication
/var/log/wtmp      Each user's login and logout, and system startup and shutdown events
/var/log/btmp      Failed and incorrect login attempts and authentication events

Priority level of log

The smaller the number level, the higher the priority and the more important the message.

Level  Keyword  Meaning      Description
0      EMERG    emergency    Will cause the host system to become unavailable
1      ALERT    alert        Problems that must be solved immediately
2      CRIT     critical     Serious situation
3      ERR      error        An error occurred during operation
4      WARNING  warning      Important events that may affect system functions and that users need to be reminded of
5      NOTICE   notice       Events that do not affect normal functions but need attention
6      INFO     information  General information
7      DEBUG    debug        Program or system debugging information, etc.

User log related commands

users

  • The users command simply outputs the names of the currently logged-in users, with each displayed user name corresponding to one login session. If a user has more than one login session, that user name is displayed the same number of times.
[root@localhost ~]# users
root

who

  • The who command reports information about each user currently logged in to the system. With this command, the system administrator can check whether unauthorized users are present on the system, so that they can be audited and dealt with. The default output of who includes the user name, terminal type, login date and remote host.
[root@localhost ~]# who
root     pts/0        2019-09-06 23:56 (192.168.28.1)

w

  • The w command displays information about each user currently on the system and the processes they are running. Its output is richer than that of the users and who commands.
 23:57:33 up 4 min,  1 user,  load average: 0.02, 0.18, 0.11
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    192.168.28.1     23:56    5.00s  0.11s  0.02s w

last

  • The last command queries the records of users who successfully logged in to the system, with the most recent login shown first. It can be used to keep track of the login status of the Linux host at any time; if an unauthorized user is found to have logged in, the host may have been compromised.
[root@localhost ~]# last
root     pts/0        192.168.28.1     Fri Sep  6 23:56   still logged in
reboot   system boot  3.10.0-693.el7.x Fri Sep  6 23:52 - 23:58  (00:05)
ll       :0           :0               Wed Sep  4 14:09 - crash  (00:07)
reboot   system boot  3.10.0-693.el7.x Wed Sep  4 14:06 - 14:24  (00:18)

wtmp begins Wed Sep  4 14:06:18 2019

lastb

  • The lastb command queries the records of users who failed to log in; for example, an incorrect user name or an incorrect password will be recorded. A failed login is a security event, because it may mean that someone is trying to guess your password.
[root@localhost ~]# lastb
ll       ssh:notty    192.168.28.1     Sat Sep  7 00:01 - 00:01  (00:00)
ll       :0           :0               Fri Sep  6 23:59 - 23:59  (00:00)

btmp begins Fri Sep  6 23:59:42 2019
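As an added example (not part of the original article), the following Python code parses the `last` and `lastb` output shown above, using the article's own sample lines as constructed input: it counts failed attempts per user and source host, and lists still-open remote sessions from hosts outside an assumed allow list of administrator addresses (the allow list is a made-up parameter; the fixed column widths are those util-linux `last` prints in the sample).

```python
from collections import Counter

# Constructed sample input: the `last` and `lastb` output shown in this article,
# copied line for line, including the trailing "wtmp/btmp begins" footer.
LAST_OUTPUT = """\
root     pts/0        192.168.28.1     Fri Sep  6 23:56   still logged in
reboot   system boot  3.10.0-693.el7.x Fri Sep  6 23:52 - 23:58  (00:05)
ll       :0           :0               Wed Sep  4 14:09 - crash  (00:07)
reboot   system boot  3.10.0-693.el7.x Wed Sep  4 14:06 - 14:24  (00:18)

wtmp begins Wed Sep  4 14:06:18 2019
"""
LASTB_OUTPUT = """\
ll       ssh:notty    192.168.28.1     Sat Sep  7 00:01 - 00:01  (00:00)
ll       :0           :0               Fri Sep  6 23:59 - 23:59  (00:00)

btmp begins Fri Sep  6 23:59:42 2019
"""

def parse_records(output):
    """Split last/lastb lines by fixed column widths (user 8, tty 12, host 16); skips blanks and the footer."""
    records = []
    for line in output.splitlines():
        if not line.strip() or line.startswith(("wtmp begins", "btmp begins")):
            continue
        host = line[22:38].strip()
        records.append({
            "user": line[:8].strip(),
            "tty": line[9:21].strip(),
            "host": host,
            "when": line[39:].strip(),
            # A host like ":0" is a local X display; anything else came over the network.
            "remote": not host.startswith(":"),
        })
    return records

def failed_logins_by_source(lastb_output):
    """Count lastb entries per (user, host); repeated remote failures from one host are the password-guessing pattern the article warns about."""
    return dict(Counter((r["user"], r["host"]) for r in parse_records(lastb_output)))

def open_sessions_from_unexpected_hosts(last_output, allowed_hosts):
    """Return (user, host, tty) for still-open remote sessions in `last` whose source host is not in allowed_hosts; console logins and reboot entries are skipped."""
    return [(r["user"], r["host"], r["tty"])
            for r in parse_records(last_output)
            if r["remote"] and r["user"] != "reboot"
            and "still logged in" in r["when"] and r["host"] not in allowed_hosts]
```

Run it against real output with `parse_records(subprocess.check_output(["lastb"], text=True))`; the same column widths apply as long as `lastb` is not given a width option.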

In this article we introduced three common types of Linux log file, including system logs, application logs and security logs, and described their formats and contents in detail. We also discussed how to use command-line tools and log viewers to read and analyze log files. You should now know how to work with log files on a Linux system. If you have any questions or suggestions, please leave a message in the comment area and we will be happy to answer you.


Statement: This article is reproduced from lxlinux.net. If there is any infringement, please contact admin@php.cn to have it deleted.