[Learn a little new knowledge every day] Linux log analysis

Table of contents

1. History file command

2. User login log

3. System log 

4. Linux log viewing skills 

| grep search filter

uniq command: deletes repeated lines in a text file; it only detects duplicates that are adjacent, so combine it with the sort command

sort command: sorts content line by line, by ASCII code by default

cut command: cuts bytes, characters, and fields from each line of a file and writes them to standard output; if no file argument is given, cut reads standard input

awk command: a command for processing text files

5. supplement


1. History file command

  • Root user's command log location (in the bash environment)

/root/.bash_history

  • Every user has a hidden .bash_history

/home/<account>/.bash_history

  • Or use directly on the command line

# cat .bash_history

  • View historical commands

# history

  • Clear the history (this only takes effect in bash; otherwise an error is reported)

# history -c (clears the commands recorded for this login session, but does not clear the .bash_history file, so the old commands reappear after the next login)

  • Root user's command log location (in the zsh environment)

/root/.zsh_history

  • Clear history commands (in the zsh environment)

# rm -rf /root/.zsh_history (this deletes the file; rm -rf is generally not recoverable, use with caution)
# echo "" > .zsh_history

2. User login log

/var/log/lastlog (last login information of each user)
/var/log/wtmp (login/logout of each user, system startup/shutdown)
/var/log/utmp (currently logged-in user information)
/var/log/btmp (all failed login attempts)

Taking /var/log/wtmp as an example, opening it directly shows garbage because it is a binary file.

# last -f /var/log/wtmp (prints a formatted listing of this binary file)

3. System log 

The /var directory stores files that the system changes regularly, such as caches, login records, and files generated by running programs.

Log files are stored under /var/log.

  • View scheduled task (cron) runs, including run dates

# cat /var/log/cron

  • View the package installation log

# cat /var/log/yum.log

  • See what is loaded each time the host boots

# cat /var/log/boot.log

4. Linux log viewing skills 

  • | grep search filter

"-E" (capital E) makes grep interpret the pattern as an extended regular expression

# cat /var/log/secure | grep -E "192.168.222.1.*9952 ssh2"

Or use the egrep command, which takes an extended regular expression directly without -E

# cat /var/log/secure | egrep "192.168.222.1.*9952 ssh2"

"-e" (lowercase e) sets multiple search patterns; the relationship between them is OR

cat /var/log/secure | grep -e "Accepted" -e "Failed"

Chaining several | grep stages gives an AND relationship

cat /var/log/secure | grep -e "Accepted" -e "Failed" | grep "34406"

"-v" inverts the match, which is equivalent to NOT

cat /var/log/secure | grep -e "Accepted" -e "Failed" | grep -v "34406"

My Kali does not have the secure log, so boot.log is used here instead.

cat boot.log | grep -e "Started"

cat boot.log | grep "Started" | grep "Daily"

cat boot.log | grep -e "Started" -e "Daily"

  • uniq command: deletes repeated lines in a text file; it does not work when the two repeated lines are not adjacent, so combine it with the sort command

uniq -c counts how many times each line occurs

cat testfile | sort | uniq -c

Write the following content, in any order, into testfile.

This command counts the occurrences for us. What happens if sort is not used?

Without sort, we can see that identical lines that are not adjacent are not counted together.

  • sort command: sorts content line by line, by ASCII code by default

sort -n sorts by numeric value

sort -r sorts in reverse order

  • cut command: cuts bytes, characters, and fields from each line of a file and writes them to standard output. If no file argument is given, cut reads standard input.

-d : custom delimiter, tab by default

-f : which field to display

-c : split by characters

# cut -d " " -f 11 /var/log/secure | egrep "^[1-9].*[1-9]$"

# cat secure | grep "Failed " | cut -d " " -f 12 | sort | uniq -c

Taking boot.log as an example: first filter by OK, then split on " " and display the sixth field (why the sixth? because [ OK ] contains two spaces).

cat boot.log | grep "OK" | cut -d " " -f 6

  • awk command: a command for processing text files

-F fs specifies the field separator (space by default); fs is a string or a regular expression

# awk -F " " '$6=="Accepted"{print $11}' /var/log/secure
($6=="Accepted": if the sixth field after splitting equals Accepted)
({print $11}: then output the eleventh field)

Note that here it is $4 (the fourth field separated by spaces)

cat boot.log | grep "OK" | awk -F " " '{print $4}'

Combine uniq and sort to complete the count

cat boot.log | grep "OK" | awk -F " " '{print $4}' | sort | uniq -c
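The grep, awk, sort and uniq steps of this section combined into one script, as an added example that is not from the original post: the sample sshd lines, the function names, and taking the address as the word after "from" instead of a fixed field number are all assumptions made here.

```shell
#!/bin/sh
# Added example, not part of the original post: the grep/awk/sort/uniq pipeline from
# this section applied to constructed /var/log/secure-style sshd lines, so it runs
# offline. The sample log and the function names are assumptions for illustration.

SAMPLE_LOG='Mar 12 10:01:02 host sshd[9952]: Accepted password for root from 192.168.222.1 port 34406 ssh2
Mar 12 10:01:30 host sshd[9960]: Failed password for root from 192.168.222.5 port 50122 ssh2
Mar 12 10:01:33 host sshd[9960]: Failed password for root from 192.168.222.5 port 50122 ssh2
Mar 12 10:01:40 host sshd[9961]: Failed password for invalid user admin from 192.168.222.5 port 50130 ssh2
Mar 12 10:01:55 host sshd[9963]: Failed password for root from 10.0.0.9 port 52000 ssh2
Mar 12 10:02:10 host sshd[9970]: Accepted publickey for deploy from 10.0.0.7 port 41000 ssh2
Mar 12 10:02:15 host sshd[9970]: pam_unix(sshd:session): session opened for user deploy by (uid=0)'

# count_by_ip OUTCOME  (reads log lines on stdin)
# Prints "count ip" lines, most frequent first, for lines whose 6th field is OUTCOME
# (the page's $6=="Accepted" test). The address is taken as the word after "from"
# rather than a fixed $11, because "invalid user <name>" shifts the fields by two.
count_by_ip() {
    grep 'sshd\[' | awk -v want="$1" '
        $6 == want {
            for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
        }' | sort | uniq -c | sort -rn
}

# failed_count_for IP: number of Failed lines from IP in SAMPLE_LOG (0 if none)
failed_count_for() {
    printf '%s\n' "$SAMPLE_LOG" | count_by_ip Failed |
        awk -v ip="$1" '$2 == ip { print $1; found = 1 } END { if (!found) print 0 }'
}

# distinct_ips OUTCOME: how many different source addresses produced OUTCOME
distinct_ips() {
    printf '%s\n' "$SAMPLE_LOG" | count_by_ip "$1" | awk 'END { print NR }'
}

# Stand-alone run: the failed-login table, sorted by count
printf '%s\n' "$SAMPLE_LOG" | count_by_ip Failed
```

Without the sort before uniq -c, the two 192.168.222.5 entries separated by the 10.0.0.9 line would be counted as separate groups, which is exactly the non-adjacent case the uniq section warns about.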

5. Supplement

Adding some Linux commands that I am not familiar with

  • View the first 10 lines of /etc/profile

# head -n 10 /etc/profile

  • View the last 5 lines of /etc/profile

# tail -n 5 /etc/profile

  • Output the absolute path of the current directory

# pwd

  • Delete files with rm

# rm file.txt (delete a file normally)
# rm -r emptydir/ (delete an empty directory)
# rm -rf mydir/ (delete a directory and all files under it; use with caution)

  • mv: move a file to another path, or rename it

# mv file.txt /home/myfiles
# mv oldname.txt newname.txt

  • View the command manual (man+command name)

# man mkdir

  • Update the access and modification times of the specified files

# touch -m filename (set the file's modification time to the current time)

# touch newfile (create an empty file)

  • chmod to change permissions

r (read), w (write), x (execute)

r=4, w=2, x=1

# chmod 777 file (see the picture below; it should be easy to understand)

  • View the running processes of the current shell session

# ps

  • View system information

# uname -a

Origin blog.csdn.net/m0_51683653/article/details/129795927