Linux log analysis and security


In a Linux system, there are three main logging subsystems:

Connection time log: maintained by several programs, with records written to /var/log/wtmp and /var/run/utmp. Programs such as login update the wtmp and utmp files so that the system administrator can track who logged in to the system and when.
Process statistics: maintained by the system kernel. When a process terminates, a record for that process is written to the process statistics file. The purpose of process statistics is to provide command usage statistics for basic services on the system.
Error log: handled by the rsyslog daemon. System daemons, user programs and the kernel report notable events through rsyslog to the file /var/log/messages. Many other Linux programs also create their own logs, and servers that provide network services such as HTTP and FTP keep detailed logs of their own.

Log storage location
Default location: the /var/log directory
Main log files
Kernel and public message log: /var/log/messages
Scheduled task log: /var/log/cron
System boot log: /var/log/dmesg
Mail system log: /var/log/maillog
User login logs:
/var/log/lastlog //Recent user login events
/var/log/secure //Security events related to user authentication
/var/log/wtmp //User login, logout and system startup and shutdown events
/var/run/utmp //Details of each currently logged-in user

User logs
Information about currently logged-in users is recorded in the utmp file; utmp is read by commands such as who, w, users and finger.
Logins and logouts are recorded in the wtmp file; data exchange, shutdown and restart events are also recorded there. wtmp is read by the commands last and ac.
Every record carries a timestamp. Timestamps are essential for log analysis, because reconstructing attack behaviour depends heavily on knowing when each event happened.
Both files are binary and cannot be read with text tools such as tail and cat.
View and count
Kernel and system logs
Managed centrally by the system service rsyslog
Software package: rsyslog-7.4.7-7.el7_0.x86_64
Main program: /usr/sbin/rsyslogd
Configuration file: /etc/rsyslog.conf
View the non-empty lines of the configuration file: grep -v "^$" /etc/rsyslog.conf
Log message levels
0 EMERG (emergency): a situation that makes the host system unusable
1 ALERT: a problem that must be resolved immediately
2 CRIT (critical): a fairly serious situation
3 ERR (error): an error occurred during operation
4 WARNING: an event that may affect system functionality
5 NOTICE: does not affect the system but is worth noting
6 INFO (information): general information
7 DEBUG (debugging): program or system debugging information

General format of log records
Configuring the log server
Step 1: Install the Apache service: yum -y install httpd*
Step 2: Install the MariaDB database: yum -y install mariadb*
Step 3: Install PHP and related packages:
yum -y install php php-gd php-xml php-mysqlnd rsyslog-mysql
yum -y install libcurl-devel net-snmp-devel
Step 4: Start the database and set the password of the database administrator root
Step 5: Start Apache
Step 6: Create a test page and test it:
firefox http://10.0.0.11/test.php
Configure the log server database
Configure the main configuration file of the server rsyslogd
vim /etc/rsyslog.conf
Configure the firewall to open TCP and UDP port 514, TCP port 3306 and TCP port 80. If SELinux is not disabled, set it to permissive (warning-only) mode.
Configuring the log client
Open the configuration file with vim /etc/rsyslog.conf and add the client configuration at the end of the file.
Edit /etc/bashrc so that every command executed on the client is written to the system log /var/log/messages. Add: export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo $y; }); logger "[euid=$(whoami)]":$(who am i):[`pwd`]"$msg"; }'
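As an added example (not code from the original post), a Python parser for the audit records that the PROMPT_COMMAND/logger hook above produces once they arrive in /var/log/messages on the central server, run over constructed sample lines. It assumes logger tags each message with the login name, and flags the records an analyst would review: a euid differing from the login user, commands touching sensitive paths, and history clearing.

```python
import re

# Regex for an audit line written by the PROMPT_COMMAND/logger hook as
# stored by rsyslog: "<timestamp> <host> <tag>: [euid=X]:<who am i output>:[<cwd>]<command>".
# Assumption (constructed): logger tags the message with the login name.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:\s]+): "
    r"\[euid=(?P<euid>[^\]]+)\]:(?P<login>\S+) (?P<tty>\S+) (?P<date>\S+) (?P<time>\S+) "
    r"\((?P<src>[^)]+)\):\[(?P<cwd>[^\]]*)\](?P<cmd>.*)$"
)

# Constructed sample log (not taken from any real system).
SAMPLE_LOG = """\
Dec  1 10:02:13 client1 alice: [euid=alice]:alice pts/0 2020-12-01 10:01 (10.0.0.12):[/home/alice]ls -la
Dec  1 10:02:40 client1 alice: [euid=root]:alice pts/0 2020-12-01 10:01 (10.0.0.12):[/root]cat /etc/shadow
Dec  1 10:03:01 client1 alice: [euid=root]:alice pts/0 2020-12-01 10:01 (10.0.0.12):[/root]history -c
Dec  1 10:03:05 client1 rsyslogd: action 'action 1' resumed
"""

SENSITIVE_PATHS = ("/etc/shadow", "/etc/sudoers", "/var/log")
ANTI_FORENSIC = ("history -c", "unset HISTFILE", "shred ")


def parse_line(line):
    """Return the record's fields as a dict, or None if the line is not an audit record."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_alerts(log_text):
    """Parse every line and return (reason, record) pairs worth an analyst's attention."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not produced by the hook (e.g. rsyslogd's own messages)
        reasons = []
        if rec["euid"] != rec["login"]:
            reasons.append("privileged command (euid != login user)")
        if any(p in rec["cmd"] for p in SENSITIVE_PATHS):
            reasons.append("touches sensitive path")
        if any(rec["cmd"].startswith(a) for a in ANTI_FORENSIC):
            reasons.append("history/log tampering")
        for reason in reasons:
            alerts.append((reason, rec))
    return alerts


if __name__ == "__main__":
    for reason, rec in find_alerts(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['host']} {rec['login']} euid={rec['euid']} cwd={rec['cwd']} "
              f"cmd={rec['cmd']!r}: {reason}")
```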
Verify that the configuration is successful on both the client and the server.

Origin blog.csdn.net/caodabener/article/details/111047051