oO̮eQsҩANOԲӦӽTꪺΪ̬OƥtΪnCOnɩOH²檺ANOOtάʰOXɮסAҦpGɡBa]ӷ IP ^BH] login name ^BFʧ@At~NOtΦbɭF˪欰ɡAoͤF˪ƥAnDOAڭ̪ Linux DbIUA۷h daemons bu@ۡAoǤu@{`O|@ǰTܡAoܪTNOObnɷաA]NOAOoǨtΪnTANOnɩҶi檺u@eFCѩoǰOu@etΪTӸԲӤFAYQoNivTtΪwʡA]Aq`oǵnɥu root iHi\I
nOPѪRnɩOHoOѩOɦXӭn\G
- ѨMtΪ~GoӹtκzӻOܭnTAҦpG}L{쪺wTƷ|OOAѩoǰTiHѧڭAѵwTAҥHpGAtεoͰDɡAiHUF dmesg ݬݵw骺SoͿ~OIt~ApGtθ귽QӺɡB֤߬ʵoͿ~ƥoͪɭԡAhtεnɥ|N~TObnɤ]q`O /var/log/messages ^AodziHǥHo~oͮɪTAå[HJADII
- ѨMAȪDGbw˩γ]wsAȪMɡA̱`ϥΨoӥ\FIҦpbw˱Ұ sendmail ɡApG sendmail LkѪAȪɭԡALkѪAȪDh|QnɷhAhunRnɴNiHAѰDIAǥHѨMDաI( ҥHڭ̱`yѧUۧU̡zOuաI(1)ùW~TP(2)nɪ~TAXGiHѨMj Linux DI )
]A@Ӧg窥DzA|HHad\@UۤvnɡAHHɴxtΪ̷s߰ʡIXӵnɦǩOH@ӨAUXӡG
- OnTGoӪF۷nIҦpGѱz apache o WWW AȱFAADɱHӳ̫nJ̬O֡HIoiHǥѤR apache nɨӨoTF~AU@@ѱztγQJIAåBQQΨӧLHDAoӮɭԹ𫍧DdXOz Linux bi欰AoӮɭԧAnpizDOѩQJIҾɭPDAåBU~ӷldOHIIɵnɥiO۷nOI
nFAOFoǵnɤAڭnRrIHWA@ӦntκzjDy@DtdAȳ̦nֺɶqzAoONOH]NOAoDlDNMtdlu@Anٷd WWW AȡIo˦XӦnBAFtΪwʸΤ~]]} port ܤ֤FI^AOɪѪR]|²I]ڭ̪ /var/log/secure OnJ̸TN|@PʡIڭ̴NiHdߤ@UCnJϥΪ̱bջP~TյI]MoApGAWeBg״IܡA@DWw˩ҦAȤ]OiHաI^WAˬd/var/log/messagesB/var/log/secureoǭɮפ]N۷FI]tεoͪ~Ϊ̬OĵiTq`|gJoɮפC
- /var/log/secureGOnJtΦsƪɮסAҦp pop3, ssh, telnet, ftp |ObɮפF
- /var/log/wtmpGOnJ̪TơAѩɮפwgQsXLAҥHϥ last oӫOӨXɮתeF
- /var/log/messagesGoɮ۷nAXGtεoͪ~T]Ϊ̬OnT^|OboɮפF
- /var/log/boot.logGO}Ϊ̬O@ǪAȱҰʪɭԡAܪҰʩTF
- /var/log/maillog /var/log/mail/*GlsΩ( sendmail P pop3 )ϥΪ̰OF
- /var/log/cronGoӬOΨӰO crontab oӨҦʪAȪeI
- /var/log/httpd, /var/log/news, /var/log/mysqld.log, /var/log/samba, /var/log/procmail.logG OOXӤPAȪOɰաI
@
OApGڤ𨷿ƤQDHڭnn@@h log file OHI˹ݷ|Hz?]Aڭ̩U]ϥΤ@²nɨӤR Red Hat Mandrake o Linux distribution nɧaI
[root @test
root]# ps -aux|grep syslog
root 782 0.0 0.8 1340 508 ? S Oct30 0:00 syslogd -m 0 root 11044 0.0 1.1 2408 732 pts/1 S 00:03 0:00 grep syslog |
[root @test
root]# vi /var/log/secure
Nov 4 16:28:35 test xinetd[7831]: START: telnet pid=7841 from=192.168.1.11 Nov 4 16:28:35 test xinetd[7841]: FAIL: telnet address from=192.168.1.11 Nov 4 23:41:17 test sshd[10803]: Accepted password for test from 192.168.1.11 port 3117 ssh2 Nov 4 23:41:17 test sshd(pam_unix)[10805]: session opened for user test by (uid=500) Nov 4 23:41:29 test su(pam_unix)[10838]: authentication failure; logname=test uid=500 euid=0 tty= ruser=test rhost= user=root Nov 4 23:41:34 test su(pam_unix)[10839]: session opened for user root by test(uid=500) |
AȦW.Tš@@@sܦaI |
D@GpGڭnNڪmailƵLgJ/var/log/maillogAb/etc/syslog.confNngG
mail.info /var/log/maillog`NWAڭ̪ŨϥinfoɡAyjinfo(tinfooӵ)WTA|QgJ᭱ɮפIzo˥iHAѶܡH]NOAڭ̥iHNҦmailnTb/var/log/maillog̭NաI |
DGGڭnNsDsո(news)ΨҦʩROT(cron)gJ@Ӻ٬/var/log/cronnewsɮפAOoӵ{ǪĵiTOb/var/log/cronnews.warnӦp]wڪɮשOH²աIJMOӵ{ǡAunHӹj}FA~AѩĤGӫwɮפAڥunOĵiTA]]wWݭnwy=zoӲŸAҥHNFG
news.*;cron.* /var/log/cronnewsWӡy=zNObwŪNաIѩwFšA]AuoӵŪT~|Qboɮ̭OI |
DTGڪmessagesoɮݭnOҦTAONOQnOcron,mailnewsTAӫg~nHiHؼgkAOOG
*.*;news,cron,mail.none /var/log/messages *.*;news.none;cron.none;mail.none /var/log/messagesϥΡy,zjɡAťunb̫@ӧYiApGOHy;zӤܡANݭnNAȻPųgWhoIo˷|]wFaI |
Ĥ@ӨҤlGӦ Red Hat
7.x syslog.conf eG
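# /etc/syslog.conf as shipped on Red Hat 7.x (page example 1).  Every rule is
# "selector<TAB>action" on ONE line; the page had split selector and action
# onto separate lines and swallowed the first selector into a comment, so the
# layout is restored here without changing any rule.
#
# Kernel messages straight to the console: commented out in the stock file,
# uncomment if that is wanted.
#kern.*						/dev/console
# Everything at info and above, except mail, private auth and cron traffic,
# which each get a file of their own below.
*.info;mail.none;authpriv.none;cron.none	/var/log/messages
# Authentication records (login, su, sshd via PAM, ...).  First file to read
# when reviewing who accessed the host; keep its permissions tight.
authpriv.*					/var/log/secure
mail.*						/var/log/maillog
cron.*						/var/log/cron
# Emergency-level messages go to the terminal of every logged-in user.
*.emerg						*
uucp,news.crit					/var/log/spooler
# Boot-time messages (local7 facility).
local7.*					/var/log/boot.log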
ĤGӨҤlGӦ Mandrake
9.0 syslog.conf eI
# UبtΪT # UT椤AOOOG # 1. Ĥ@OOyT{zTAunOynJzDAY # yJbPKXz{ǮɡAO auth.log ̭hFAoODnG # xinet(telnet, ftp), ssh, su, postfix, pop3 # 2. ĤGhOFOT~ALݭnOb/var/log/syslogI # 3. ĤThOOF user 檺OIstΥ\ҲͪYǰTI auth,authpriv.* /var/log/auth.log *.*;auth,authpriv.none -/var/log/syslog user.* -/var/log/user.log # oӳhObOTIW
/var/log/syslog IƤFI
# {ҸTT|Qb
/var/log/secure oɮA
# lT|bUILA٬OTӵŨӰOA
# oӳhObO@ǨҦʩRO]wBI
# oOO֤ߦTIҦpڭ̦be@쪺ҲոJA
# oOLTաI
# oOsDsեDT
# oӴNOҦAȬɮoI
# NҦwge{yY~TzHYoeثebDWHI
# Mandrake
Linux ]wuAܪT|QboɮפI
[root @test
root]# chattr +a /var/log/messages
[root @test root]# lsattr /var/log/messages ----a--------- messages |
- logrotateG
nFIڭ̤wgNnƼgJFOɤFA]wgQchattr]wFaoݩʤFAӦpi log rotate u@OIHo̽ЯSOdNOA syslog DOQ demand 觋ӱҰʪAݨDɭԥߨN|Q檺AO log rotate oObWwɶF~Ӷi log files rotate 欰AҥHo logrotate {dzOb cron Ui檺Io@IЯSOdNInFA logrotate oӵ{ѼƳ]wɦb̩OHIIҼ{Ӧa
@@
- /etc/logrotate.conf
- /etc/logrotate.d
`NoI logrotate.conf ~ODnѼɮסAܩ logrotate.d O@ӥؿA̭Ҧɮ׳|QDʪŪJ /etc/logrotate.conf ӶiIt~Ab/etc/logrotate.ḓɮפApGSWw쪺@Dzӳ]wAhH/etc/logrotate.confoɮתWwӫww]ȡInFAڭ̴ log rotate Dn\NONªnɮײʦɡAåBsإߤ@ӷsŪɮרӰOAL浲GIUϥܡG
@@
ѤWϥܧڭ̥iHMDAĤ@槹rotateA쥻messages|ܦmessages.1ӥB|sy@ӪŪmessagestΨxsnɡCӲĤG椧Ahmessages.1|ܦmessages.2messages|ܦmessages.1ASy@ӪŪmessagesxsnɡIpGڭ̶ȳ]wOdTӵnɦӤwܡAĥ|ɡAhmessages.3oɮ״N|QRAåѫ᭱sOsnɩҨNIu@NOo˰աI
@
h[i@ logrotate u@OHIodzOb logrotate.conf ̭Aڭ̨Ӭݤ@Uw] logrotate eaI
@@
# /etc/logrotate.conf (page example): global defaults first, then per-file
# stanzas.  A value set here applies to every log unless a stanza (here or in
# a file under /etc/logrotate.d) overrides it.
#
# Rotate once a week.
weekly
# Keep four rotated copies; the oldest is deleted when a fifth would appear.
rotate 4
# After renaming the old log, create a new empty one so the daemon has a file
# to write to.  Mode/owner can be given per stanza (see wtmp below); the bare
# form takes them from the log that was just rotated.
create
# NOTE(review): logrotate keywords are lower-case ("compress"); "Compress" as
# written here is presumably a transcription artefact of the page and would be
# reported as an unknown option -- confirm against the real file.
Compress
# Per-service stanzas are read from this directory (the page shows
# /etc/logrotate.d/syslog and /etc/logrotate.d/procmail).
include /etc/logrotate.d

# Login records read by last(1).  Rotated monthly, recreated 0664 root:utmp so
# the login daemons (group utmp) can keep appending, and only one old copy is
# kept -- login history older than that is gone unless archived elsewhere.
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 1
}
# Same schedule for lastlog (last-login-per-user database).
/var/log/lastlog {
monthly
rotate 1
}
ѳoɮת]wڭ̥iHD /etc/logrotate.d NO /etc/logrotate.conf ҳWXӪؿAҥHAڭ̥iHNҦƳLgJ /etc/logrotate.conf YiAOoˤ@ӳoɮ״NbOӽFA]AWߥXӤ@ RPM M N@ rotate ɮסAIGOXz@ӤkIWTOtΪw]rotatepALAziHۦ檺קאּۤvw˦AҦpApGztΪŶjAåB߰HbȪDAiHG
@@
- N rotate 4 令 rotate 9 kAHOshƥɮסF
- jnɤݭn compress oIOŶӤpNݭn compress IרOܦwЪŶhttpdݭncompressI
nFAWڭ̤jPФF /var/log/wtmp oɮת]wAO٬OܸԲӰաAҥHUڭ̥H /etc/logrotate.d/syslog oӽ syslog oӪAȪɮסAӬݬݸӦp]wLrotateOG
@@
# /etc/logrotate.d/syslog as shipped (page): one stanza covering every file
# syslogd writes, so they all rotate together.
# NOTE(review): the "@@@@" prefixes on the lines below are mis-decoded
# full-width spaces from the page, not part of the file -- indent with
# ordinary whitespace.
/var/log/auth.log /var/log/syslog /var/log/user.log /var/log/secure /var/log/messages /var/log/boot.log /var/log/mail/errors /var/log/mail/info /var/log/mail/warnings /var/log/cron/errors /var/log/cron/info /var/log/cron/warnings /var/log/kernel/errors /var/log/kernel/info /var/log/kernel/warnings /var/log/lpr/errors /var/log/lpr/info /var/log/lpr/warnings /var/log/news/news.err /var/log/news/news.notice /var/log/news/news.crit /var/log/daemons/errors /var/log/daemons/info /var/log/daemons/warnings /var/log/explanations {
# run the postrotate script once for the whole set, not once per file
@@@@sharedscripts
@@@@rotate 5
@@@@weekly
# syslogd still holds the renamed files open; HUP makes it re-read
# syslog.conf and reopen its logs so new messages land in the new files
@@@@postrotate
@@@@/usr/bin/killall -HUP syslogd # reload syslogd; until this runs nothing is written to the new files
@@@@endscript
}
T logrotate gkG
@@
- N log file W١]]t|^gbeAiHϥΪťզrjh log files F
- { } ]AҦ]wF
- ]wػPe쪺ۦPAåBi[J rotate e (pre) P (post) @ǯS檺OI
- prerotateGbҰ logrotate ei檺OAҦpק log file ݩʡII
- postrotateGb logrotate ҰʪOAҦpsҰʡ] kill -1 kill -HUP ^YӪAȡI
- PrerotatePpostrotatewg[WFSݩʪɮ׳BzWAO۷n{ǡI
ѩڭ̤wgNnɪݩʳ]wFchattr +aAҥHݭnblogrotateeNoݩʮAæblogrotateAANoݩʥ[^hIҥHoAprerotatePpostrotateN㪺۷nաI]ڭ̶Ȱw/var/log̭Xɮ׳]wݩʡG
@@
- messages
- secure
- auth.log
ӦpקWܪeOHIAiHo˰G
@@
# /etc/logrotate.d/syslog with the append-only attribute handled around
# rotation (the page sets chattr +a on messages, secure and auth.log).  Only
# those three of the files listed get the attribute; the rest rotate as before.
# NOTE(review): the "@@@@" prefixes on the lines below are mis-decoded
# full-width spaces from the page, not part of the file -- indent with
# ordinary whitespace.
/var/log/auth.log /var/log/syslog /var/log/user.log /var/log/secure /var/log/messages /var/log/boot.log /var/log/mail/errors /var/log/mail/info /var/log/mail/warnings /var/log/cron/errors /var/log/cron/info /var/log/cron/warnings /var/log/kernel/errors /var/log/kernel/info /var/log/kernel/warnings /var/log/lpr/errors /var/log/lpr/info /var/log/lpr/warnings /var/log/news/news.err /var/log/news/news.notice /var/log/news/news.crit /var/log/daemons/errors /var/log/daemons/info /var/log/daemons/warnings /var/log/explanations {
# one prerotate/postrotate run for the whole set
@@@@sharedscripts
@@@@rotate 5
@@@@weekly
# clear the append-only attribute so logrotate can rename the live files
@@@@prerotate
@@@@@@@@/usr/bin/chattr -a /var/log/auth.log
@@@@@@@@/usr/bin/chattr -a /var/log/messages
@@@@@@@@/usr/bin/chattr -a /var/log/secure
@@@@endscript
# reopen syslogd's files, then protect the freshly created logs again
# (the global "create" in logrotate.conf makes the new files before
# postrotate runs).  Points to keep in mind:
#  - the attribute was cleared before the rename, so the rotated copies
#    (messages.1 and so on) are ordinary files: only the live log is
#    append-only, the history is not;
#  - between prerotate and postrotate the live logs are unprotected, and if
#    logrotate stops in between nothing puts the attribute back -- check
#    with lsattr after a failed run (the page tests with logrotate -f);
#  - chattr and killall need root, which is how cron.daily runs logrotate.
@@@@postrotate
@@@@@@@@/usr/bin/killall -HUP syslogd
@@@@@@@@/usr/bin/chattr +a /var/log/auth.log
@@@@@@@@/usr/bin/chattr +a /var/log/messages
@@@@@@@@/usr/bin/chattr +a /var/log/secure
@@@@endscript
}
ݨ_HNOLh a oݩʡAMFAAL[JoݩʡIЯSOdNOA /usr/bin/killall VHUP syslogd NqAo@檺تbNtΪ syslogd sHѼɡ] syslog.conf ^ŪJ@I]iHQO reload NաIѩڭ̫إߤF@ӷsŪɡApG榹@ӭsҰʪAȪܡAOɭԱN|oͿ~II(Ц^귽z`Ū@U kill ᭱ signal e)I
@
LogrotateաG
nFA]wAڭ̨Ӵլݬݳo˪]wO_iOHL橳UOG
@@
[root @test root]# logrotate Vf /etc/logrotate.conf
[root @test root]# lsattr /var/log/auth.log /var/log/messages /var/log/secure
----a--------- /var/log/auth.log
----a--------- /var/log/messages
----a--------- /var/log/secure
W -f 㦳yjzNApG@]wSDܡAzפWAz /var/log oӥؿN|_ܤoIӥBӤ|X{~T~IKKIo˴N OK FIܴΤOܡHInFAw]logrotateɭOHIξߡAtΤwgڭ̳]wnFIb̩OH
@/etc/cron.daily/logrotate
@
`Nݤ@ṶeG
@/usr/sbin/logrotate /etc/logrotate.conf
@
ѩ logrotate u@wg[J crontab YFIҥH{bCѨtγ|۰ʪLd logrotate oIξߪաIIuOn`N@U /var/log/messages YO_``GyJun 23 04:02:00 test syslogd 1.4.1: restart.zo˪rˡIHoO syslogd sҰʪɶա]NO] /etc/logrotate.d/syslog ]wtGI^
@@
DGڪ/var/log/messagesuƱO@Ǭ۷nTAcronewgb/var/log/croṋOFAҥHڷQNcronTAӫקڪsyslog.conf]wOH
GWAAiHo˳]wաI[root @test root]# vi /etc/syslog.conf
ק /var/log/messages @AϦUҼ˴NiHFI
*.info;mail.none;;news.none;authpriv.none;cron.none -/var/log/messages
[root @test root]# /etc/rc.d/init.d/syslog restart
o˴NiHաI²檺ܡI
DGN procmail logfile ]/var/log/procmail.log^[J logrotate I]ڭ̤wgN procmail [J sendmail {FAåBwgҰʥLAoӮɭԡApGڷQnCӤ@ logrotate AåBOdӤnƳƥAӫ@OH
Gϥ vi إߤ@ɮסAɦW /etc/logrotate.d/procmailAoɮתeG# This file is creating by VBird 2002/06/18WOG
# /etc/logrotate.d/procmail (page: created by hand with vi).
# NOTE(review): the "@@@@" prefixes on the lines below are mis-decoded
# full-width spaces from the page, not part of the file -- indent with
# ordinary whitespace.
/var/log/procmail.log {
@@@@monthly
# NOTE(review): in logrotate the size test and the time keywords are
# alternatives, not an OR -- the last one given wins -- so as written only
# the 10 MB test applies and "monthly" has no effect.  Confirm against
# man logrotate for the installed version before relying on the
# "monthly or 10 MB" reading given on the page.
@@@@size=10M
# keep five old copies, uncompressed
@@@@rotate 5
@@@@nocompress
}1. Yӵnɤu@WL@ӤF
2. θӵnɤjpWL 10 MBF
3. OsӳƥɮסF
4. ƥɮפnYIIMxs}Aoˤ@ӡACӤN|۰ʪNnƳƥUoIݭn檺աI쪺O size ѼơIpGznɦѬOܤjɭԡAiHҼ{[J size oӰѼƻILWسAOOy k P M zAШϥ man logrotate ӸԲӬdݤ@UΪkoI
- dmesg
bOCҦJdmesgYiIѩtΦb}L{|Nw mount WӡAҥHLkNƪLŪ log file hAOFWKAҥHb}L{T٬OnOUӡAoӮɭԨtδNN ram }F@Ӥp϶xsoӸoIoӶ}Oɮ״NOGy/proc/kmsgzաIPɡAw] RAM ϶eqbPäۦPAثew]O 16KB jp
[root @test /root]# dmesg
@
- last
pGnsXӤWӤ몺nJƩOHIiHϥΤWĤGӽdҡI
[root @test /root]# last
ѼƻG
-number Gnumber ƦrApGznJTӦhFAiHϥγoӫOI
dҡG
[test @test /root]# last -5
test pts/0 192.168.1.2 Tue Apr 9 20:34 - 20:35 (00:01)
test pts/0 192.168.1.2 Tue Apr 9 20:14 - 20:30 (00:15)
test ftpd21546 192.168.1.2 Tue Apr 9 02:55 - 03:06 (00:10)
test ftpd15813 192.168.1.2 Tue Apr 9 01:20 - 01:21 (00:00)
test pts/0 192.168.1.2 Mon Apr 8 20:14 - 00:27 (04:13)
wtmp begins Tue Apr 2 01:12:26 2002
[root @test /root]# last -f /var/log/wtmp.1 <==sXWӤ몺nJơI
ڪ]pz²ANO¤Rڭ̱``ϥΪXӪAȡG
# 2.3a FTP
{for proftpd}
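# 2.3a FTP (proftpd) login statistics: appends one report section to $logfile.
# Relies on two variables set earlier in the script (outside this excerpt):
#   basedir - work directory; $basedir/messageslog is the syslog extract being
#             analysed and the ftp* files below are scratch files
#   logfile - the report file, appended to
# The field numbers ($7, $9, $11, $12) and the cut delimiters follow the
# syslog line layout proftpd produced on the original host -- verify against
# a current log line before reusing.  The tallied keys (addresses, user
# names) come from remote-supplied log text; they are only ever passed as
# printf *arguments*, never as a format string, and nothing is eval'ed.
# Changes from the original: every expansion quoted, cat|grep|wc replaced by
# grep/wc on the file, "\%" in awk formats (undefined escape, mawk keeps the
# backslash) written as "%", the four awk|sort|awk pipelines folded into one
# helper, and the obsolete "sort +2" key replaced by an explicit -k.

#######################################
# Count identical lines of a scratch file and print "key count", most
# frequent first.
# Arguments: $1 - file whose lines are tallied (one key per line)
#            $2 - 1-based field holding the count in the tallied line
#                 (2 for one-word keys, 3 for two-word keys).  The original
#                 used "sort +2" (0-based: third field) for all four
#                 tallies, which sorts two-word keys by count but leaves
#                 one-word keys in reverse string order instead.
#            $3 - awk printf format for the output line (fields $1..$3;
#                 awk ignores arguments the format does not use)
# Outputs:   formatted lines on stdout
#######################################
ftp_tally() {
  local file=$1 countfield=$2 fmt=$3
  awk '{ n[$0]++ } END { for (k in n) print k, n[k] }' "$file" \
    | sort -k "${countfield},${countfield}" -g -r \
    | awk -v fmt="$fmt" '{ printf(fmt, $1, $2, $3) }'
}

{
  echo "========================== "
  echo "3. FTP nɪnJƲέp"
  # column headings
  echo "b ӷ} " | awk '{printf("%-15s %-25s %-4s\n", $1, $2, $3)}'
  # total number of opened FTP sessions
  echo "FTPnJ: $(grep -c "FTP session opened." "$basedir/messageslog")" \
    | awk '{printf("%-41s %3d\n", $1, $2)}'
  # sessions per client: field 7 presumably is "host[addr]", the bracketed
  # part is kept
  grep "FTP session opened." "$basedir/messageslog" | awk '{print $7}' \
    | cut -d"[" -f2 | cut -d"]" -f1 > "$basedir/ftploginip"
  ftp_tally "$basedir/ftploginip" 2 '%-41s %3d\n'
  echo " "
  echo "FTPnJ\b"
  # sessions per user name (field 11 of the PAM "session opened" line)
  grep "(ftp) session opened for user" "$basedir/messageslog" | awk '{print $11}' \
    > "$basedir/messagesftp"
  ftp_tally "$basedir/messagesftp" 2 '%-41s %3d\n'
  echo " "
  # failed logins: wrong password and unknown user, collected into one file
  grep "Authentication failure." "$basedir/messageslog" > "$basedir/ftperr"
  grep "no such user '" "$basedir/messageslog" >> "$basedir/ftperr"
  # the space before the count is required: without it awk saw a single
  # field and always printed 0 as the total
  echo "FTP~nJ: $(wc -l < "$basedir/ftperr")" \
    | awk '{printf("%-41s %3d\n", $1, $2)}'
  # password failures per two-word key built from fields 7 and 9
  grep "failure." "$basedir/ftperr" | awk '{print $7 " " $9}' \
    | cut -d'[' -f2 | cut -d':' -f1 | awk '{print $2 " " $1}' \
    | cut -d'M' -f2 | cut -d']' -f1 > "$basedir/ftpfail"
  ftp_tally "$basedir/ftpfail" 3 '%-15s %-25s %3d\n'
  # unknown-user attempts per two-word key built from fields 7 and 12
  grep "no such user '" "$basedir/ftperr" | awk '{print $7 " " $12}' \
    | cut -d'[' -f2 | awk '{print $2 " " $1}' | cut -d']' -f1 > "$basedir/ftpxusr"
  ftp_tally "$basedir/ftpxusr" 3 '%-15s %-25s %3d\n'
  echo " "
} >> "$logfile"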