The log files in the Linux system carry the system running status and the running information of various applications. They are crucial for system diagnosis and error debugging. Therefore, learning how to read and analyze Linux log files is a skill that every Linux user must master. This article will introduce you to the types, formats and common reading methods of Linux log files, helping you to easily understand and solve system problems.
Three types of logs
This kind of log data is managed uniformly by the system service rsyslog
, and the kernel messages and various Where are system program messages logged? A considerable number of programs in the system will have their log files managed by rsyslog
, so the log records used by these programs also have a similar format.
operating system user login and exit related information, including user name, login terminal, login time, source host, and process operations in use wait.
service management) to record various event information during the running of the program. Since these programs are only responsible for managing their own log files, the logging formats used by different programs may vary greatly.
# Priority level of log #“ The smaller the number level, the higher the priority and the more important the message. ” User log related commands #users who w last lastb In this article, we introduce three common Linux log file types, including system logs, application logs, and security logs, and describe their formats and record contents in detail. We also discussed how to use command line tools and log viewers to analyze and read log files. I believe you already know how to handle log files in Linux systems. If you have any questions or suggestions, please leave a message in the comment area and we will be happy to answer you.
path
illustrate
/var/log/messages
Record Linux kernel messages and public log information of various applications
/var/log/cron
Record event information generated by crond scheduled tasks
/var/log/dmesg
Record various event information of the Linux operating system during the boot process
/var/log/maillog
Log email activity entering or leaving the system
/var/log/lastlog
Record the most recent login events for each user
/var/log/secure
Record security event information related to user authentication
/var/log/wtmp
Record each user's login, logout and system startup and shutdown events
/var/log/btmp
Record failed, incorrect login attempts and authentication events
level
English vocabulary
Chinese definition
illustrate
#0
EMERG
urgent
Will cause the host system to become unavailable
1
ALERT
warn
Problems that must be solved immediately
2
CRIT
serious
Serious situation
3
ERR
mistake
Error occurred during operation
4
WARNING
remind
Important events that may affect system functions and need to remind users
5
NOTICE
Notice
Will not affect normal functions, but events that need attention
6
INFO
information
General information
7
DEBUG
debug
Program or system debugging information, etc.
users
command simply outputs the names of the currently logged in users, with each displayed user name corresponding to a login session. If a user has more than one login session, his username will be displayed the same number of times. [root@localhost ~]# users
root
who
command is used to report information about each user currently logged in to the system. Using this command, the system administrator can check which illegal users exist in the current system to audit and handle them. The default output of who
includes username, terminal type, login date and remote host. [root@localhost ~]# who
root pts/0 2019-09-06 23:56 (192.168.28.1)
w
command is used to display information about each user in the current system and the processes they are running. It is richer than the output of the users
and who
commands. 23:57:33 up 4 min, 1 user, load average: 0.02, 0.18, 0.11
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 192.168.28.1 23:56 5.00s 0.11s 0.02s w
last
command is used to query user records that successfully logged into the system. The most recent login status will be displayed at the front. The last
command can be used to grasp the login status of the Linux
host in real time. If an unauthorized user is found to have logged in, it means that the current host may have been invaded. [root@localhost ~]# last
root pts/0 192.168.28.1 Fri Sep 6 23:56 still logged in
reboot system boot 3.10.0-693.el7.x Fri Sep 6 23:52 - 23:58 (00:05)
ll :0 :0 Wed Sep 4 14:09 - crash (00:07)
reboot system boot 3.10.0-693.el7.x Wed Sep 4 14:06 - 14:24 (00:18)
wtmp begins Wed Sep 4 14:06:18 2019
lastb
command is used to query user records that failed to log in. For example, incorrect login user name, incorrect password, etc. will be recorded. A failed login is a security incident because it means someone may be trying to guess your password. [root@localhost ~]# lastb
ll ssh:notty 192.168.28.1 Sat Sep 7 00:01 - 00:01 (00:00)
ll :0 :0 Fri Sep 6 23:59 - 23:59 (00:00)
btmp begins Fri Sep 6 23:59:42 2019
The above is the detailed content of Master Linux log analysis skills: comprehensive learning from format to analysis. For more information, please follow other related articles on the PHP Chinese website!