
Rsyslog and journald – monitoring of activity in Linux

The rsyslog and journald daemons give you a way to keep track of what happens in the system. You can trace users and their interaction with other daemons. They improve security, because based on the logs you can make decisions about users whose unusual behaviour you have noticed. Also, if there is a problem with system stability or the system is not running properly, both services will show it.

Rsyslog is a daemon responsible for collecting data and events. We can define which logs should be generated, and how, in the /etc/rsyslog.conf file. When we talk about rsyslog we think of system logs, but very often other programs have their own log files. Logs are kept in the /var/log/ folder.

Let’s have a look at the most important system logs.

/var/log/audit/audit.log – messages from the kernel audit subsystem
/var/log/anaconda.log – logs from the installation process
/var/log/cron – information from scripts run by the cron daemon
/var/log/boot.log – associated with services that start and shut down processes
/var/log/secure – information regarding authentication
/var/log/lastlog.log – info about the last login of each user to the system; a binary file, read with the lastlog command
/var/log/sssd – messages associated with the System Security Services daemon
/var/log/tallylog – supports pam_tally, which locks out a user after excessive login failures
/var/log/xferlog – messages associated with file transfers from the FTP server
/var/log/Xorg.0.log – messages from the X Window System
/var/log/yum.log – logs packages installed, updated and removed with yum
/var/log/messages – contains system messages, including system startup messages
/var/log/setroubleshoot/ – SELinux messages
/var/log/dmesg – contains the kernel ring buffer. When the system boots up, it prints a number of messages on the screen with information about the hardware devices the kernel has detected

Some logs are in binary format and require the ‘utmpdump’ tool.

utmpdump /var/run/utmp – shows currently running sessions
utmpdump /var/log/wtmp.log – information about login, logout and reboot events
utmpdump /var/log/btmp.log – information about failed login attempts

Reading log files.
Sometimes logs are excessively long, so finding the required information may be cumbersome.

less log.log – views a file; we can read the log from the start, as many lines as fit on the screen. Pressing ‘Enter’ moves to the next line, ‘Space’ to the next screen

head -n 20 log.log – as the output we get the first 20 lines of the log
tail -n 20 log.log – as the output we get the last 20 lines of the log
grep “string” log.log – as usual with ‘grep’, searches for a string in the log
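The grep approach above finds individual lines, but for /var/log/secure what a defender usually wants is a count: how many failed logins came from each source, and which sources crossed a threshold worth acting on. The following is an added example, not code from the original post; the log lines in SAMPLE_SECURE_LOG are constructed in the format sshd writes to /var/log/secure, and the threshold value is an assumption to be tuned per environment.

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure-style lines (not a real capture).
SAMPLE_SECURE_LOG = """\
Mar  3 10:01:12 host sshd[1200]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Mar  3 10:01:15 host sshd[1200]: Failed password for invalid user admin from 203.0.113.5 port 50123 ssh2
Mar  3 10:01:19 host sshd[1201]: Failed password for root from 203.0.113.5 port 50124 ssh2
Mar  3 10:02:40 host sshd[1205]: Accepted publickey for alice from 198.51.100.7 port 41022 ssh2
Mar  3 10:03:02 host sshd[1210]: Failed password for bob from 198.51.100.9 port 41100 ssh2
Mar  3 10:03:30 host sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart httpd
"""

# Matches the sshd "Failed password" line; "invalid user" is present only
# when the account does not exist on the host.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failed_login(line):
    """Return a dict with ts/host/user/src for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    return m.groupdict() if m else None


def failed_logins_by_source(log_text):
    """Count failed password attempts per source address (the grep|sort|uniq -c idiom)."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_failed_login(line)
        if ev:
            counts[ev["src"]] += 1
    return counts


def targeted_users(log_text):
    """Which accounts were attempted, with counts; 'root' and non-existent users stand out."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_failed_login(line)
        if ev:
            counts[ev["user"]] += 1
    return counts


def sources_over_threshold(log_text, threshold):
    """Sources with at least `threshold` failures; the threshold is an assumed, site-specific value."""
    return sorted(src for src, n in failed_logins_by_source(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for src, n in failed_logins_by_source(SAMPLE_SECURE_LOG).most_common():
        print(f"{n:4d}  {src}")
    print("review:", sources_over_threshold(SAMPLE_SECURE_LOG, 3))
```

On a real host, read the file with `open("/var/log/secure").read()` instead of the constructed sample; rsyslog-managed files rotate, so a scheduled run should also look at `/var/log/secure-*` if older attempts matter.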


Systemd – journald


The main advantage of journald over rsyslog is that it stores not only kernel and syslog messages but also whatever services write to standard output and standard error. We don’t have to know where a given daemon sends its logs, because everything is captured by systemd and written to the journal. The messages are divided into priority groups: err, crit, emerg, alert.
By default the ‘journalctl’ command shows all messages and events stored in the journal. There are a couple of useful switches that make working with it easier.

journalctl -p err – shows only messages with ‘error’ priority or higher
journalctl --since / --until – shows messages from a range of time
journalctl -n 20 – last 20 lines of the journal
journalctl _UID=100 – messages for the user with UID 100
journalctl -u httpd.service – messages for a specific service (httpd)
journalctl --boot – messages since the last boot
journalctl /dev/sdb – messages for the device /dev/sdb
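Each of these switches is a filter on a field the journal stores with every entry, which is easy to see in the `journalctl -o json` export: PRIORITY carries the syslog severity (emerg=0 up to debug=7, so `-p err` means priority 3 or lower), `_SYSTEMD_UNIT` is what `-u` matches, `_UID` is the user field, and `__REALTIME_TIMESTAMP` is the microsecond time `--since` compares against. The following added example, not part of the original post, reimplements those filters over a constructed JSON export so the mapping is explicit; the entries in SAMPLE_JOURNAL_JSON are made up, and timestamps are treated as UTC here, whereas journalctl itself interprets `--since` in the local timezone.

```python
import json
from datetime import datetime, timezone

# syslog severity levels as stored in the journal's PRIORITY field
PRIORITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Constructed sample in the shape of `journalctl -o json` output: one JSON
# object per line, all values as strings, timestamps in microseconds (UTC).
SAMPLE_JOURNAL_JSON = "\n".join(json.dumps(e) for e in [
    {"__REALTIME_TIMESTAMP": "1709460000000000", "PRIORITY": "6", "_UID": "0",
     "_SYSTEMD_UNIT": "sshd.service", "_BOOT_ID": "b1",
     "MESSAGE": "Server listening on 0.0.0.0 port 22."},
    {"__REALTIME_TIMESTAMP": "1709460060000000", "PRIORITY": "3", "_UID": "0",
     "_SYSTEMD_UNIT": "httpd.service", "_BOOT_ID": "b1",
     "MESSAGE": "AH00015: Unable to open logs"},
    {"__REALTIME_TIMESTAMP": "1709460120000000", "PRIORITY": "4", "_UID": "100",
     "_SYSTEMD_UNIT": "user@100.service", "_BOOT_ID": "b1",
     "MESSAGE": "slow unit startup"},
    {"__REALTIME_TIMESTAMP": "1709460180000000", "PRIORITY": "2", "_UID": "0",
     "_SYSTEMD_UNIT": "httpd.service", "_BOOT_ID": "b2",
     "MESSAGE": "Segmentation fault in worker"},
])


def load_journal(text):
    """Parse `journalctl -o json` output (one object per line) into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def entry_time(entry):
    """__REALTIME_TIMESTAMP is microseconds since the epoch, stored as a string."""
    return datetime.fromtimestamp(int(entry["__REALTIME_TIMESTAMP"]) / 1e6, tz=timezone.utc)


def filter_journal(entries, priority=None, unit=None, uid=None, since=None, boot_id=None):
    """Apply the equivalents of -p, -u, _UID=, --since and a boot-id match.

    priority: name such as "err"; keeps entries at that severity or more severe,
              i.e. numeric PRIORITY <= PRIORITY[name], exactly as `journalctl -p` does.
    since:    "YYYY-MM-DD HH:MM:SS", treated as UTC in this example (assumption).
    """
    since_dt = None
    if since is not None:
        since_dt = datetime.strptime(since, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    out = []
    for e in entries:
        if priority is not None and int(e.get("PRIORITY", 7)) > PRIORITY[priority]:
            continue
        if unit is not None and e.get("_SYSTEMD_UNIT") != unit:
            continue
        if uid is not None and e.get("_UID") != str(uid):
            continue
        if boot_id is not None and e.get("_BOOT_ID") != boot_id:
            continue
        if since_dt is not None and entry_time(e) < since_dt:
            continue
        out.append(e)
    return out


def messages(entries):
    return [e["MESSAGE"] for e in entries]


if __name__ == "__main__":
    journal = load_journal(SAMPLE_JOURNAL_JSON)
    # the same selection `journalctl -p err -u httpd.service` would make
    for e in filter_journal(journal, priority="err", unit="httpd.service"):
        print(entry_time(e).isoformat(), e["_SYSTEMD_UNIT"], e["MESSAGE"])
```

To run it against a live system, feed it `journalctl -o json` output (for example `load_journal(subprocess.run(["journalctl", "-o", "json"], capture_output=True, text=True).stdout)`); the point of the exercise is that a detection rule written against these fields behaves the same whether it is expressed as journalctl switches or as code.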
