System Log Analysis
Case 3: System Log Analysis
3.1 problem
This example requires familiarity with common Linux system log file, use the command necessary tools to complete the following tasks:
- Keyword list contains all system log messages of 8909
- View start when the mouse device identification information
- List the last user logon message two successful / unsuccessful
- List the last 10 and above the importance of the ERR log messages
- List all service -related messages httpd
- Former listed within four hours of the new record log
3.2 program
Common system logs and their uses:
- / Var / log / messages, record kernel messages, public services messages
- / Various messages var / log / dmesg, the recording system boot process
- / Var / log / cron, cron recorded message associated with the scheduled task
- / Var / log / maillog, recording related mail message
- / Var / log / secure, record and restrict access to security-related news
Priority (high log messages -> Low):
- Case level 0, the system is unavailable: EMERG (emergency)
- ALERT (alert): level 1, must immediately take the measures
- CRIT (critical): Level 2, serious situation
- ERR (error): Level 3 errors
- WARNING (Warning): Level 4, it is worth warning the situation
- NOTICE (Note): Level 5, an ordinary event but it is worth attention
- INFO (Information): Level 6, General Information
- DEBUG (debug): Level 7, program / service debug messages
Common usage journalctl logging facilities RHEL7 provided:
- journalctl | grep Keywords
- journalctl -u name -p priority service
- journalctl -n number of message
- journalctl --since="yyyy-mm-dd HH:MM:SS" --until="yyyy-mm-dd HH:MM:SS"
Step 3.3
This case needs to be achieved in the following steps.
Step a: Analysis System log and user log
1) list all log messages containing the keywords 8909
Simple simulate a fault ( SELinux prevents Web open port 8909):
- [ The root svr7 @ ~] # Vim / etc / the httpd / the conf . D / 8909 . The conf // Add opening 8909 Port Configuration
- Listen 8909
- [ Root @ svr7 ~] # setenforce 1 // turn enforcement mode
- [ Root @ svr7 ~] # systemctl // httpd restart from a service failure
- Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
From the log file to retrieve information / var / log / messages in:
- [ Root @ svr7 ~] # grep 8909 / was / log / messages
- Jan 6 17:53:48 svr7 setroubleshoot: SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 8909. For complete SELinux messages. run sealert -l 6d37b8f0-ab8a-4082-9295-c784f4f57190
- Jan 6 17:53:48 svr7 python: SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 8909.#012#012***** Plugin bind_ports (92.2 confidence) suggests ************************#012#012If you want to allow /usr/sbin/httpd to bind to network port 8909#012Then you need to modify the port type.#012Do#012# semanage port -a -t PORT_TYPE -p tcp 8909#012 where PORT_TYPE is one of the following: http_cache_port_t, http_port_t, jboss_management_port_t, jboss_messaging_port_t, ntop_port_t, puppet_port_t.#012#012***** Plugin catchall_boolean (7.83 confidence) suggests ******************#012#012If you want to allow nis to enabled#012Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.#012#012Do#012setsebool -P nis_enabled 1#012#012***** Plugin catchall (1.41 confidence) suggests **************************#012#012If you believe that httpd should be allowed name_bind access on the port 8909 tcp_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep httpd /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012
- .. ..
After use remember to delete the test configuration file:
- [root@svr7 ~]# rm -rf /etc/httpd/conf.d/8909.conf
- [root@svr7 ~]# systemctl restart httpd
2) mouse device identification information when viewing start
- [root@svr7 ~]# dmesg | grep -i mouse
- [ 1.020385] mousedev: PS/2 mouse device common for all mice
- [ 1.249422] input: ImPS/2 Generic Wheel Mouse as /devices/platform/i8042/serio1/input/input2
- [ 2.279665] usb 2-1: Product: VMware Virtual USB Mouse
- [ 2.603999] input: VMware VMware Virtual USB Mouse as /devices/pci0000:00/0000:00:11.0/0000:02:00.0/usb2/2-1/2-1:1.0/input/input3
- [ 2.604222] hid-generic 0003:0E0F:0003.0001: input,hidraw0: USB HID v1.10 Mouse [VMware VMware Virtual USB Mouse] on usb-0000:02:00.0-1/input0
3) lists the user login Message Last two successful / unsuccessful
View event messages successful login:
- [root@svr7 ~]# last -2
- zhsan pts/2 192.168.4.207 Fri Jan 6 18:00 - 18:00 (00:00)
- pts to set a root / a 2 1921684110 on Fri to Jan 6 And 17 And : 26 to - 17 And : of 59 ( '00' : 33 And )
- wtmp begins Thu Aug 4 00:10:16 2016
View failed login event messages:
- [root@svr7 ~]# lastb -2
- anonymou ssh:notty 192.168.4.207 Fri Jan 6 18:00 - 18:00 (00:00)
- anonymou ssh:notty 192.168.4.207 Fri Jan 6 18:00 - 18:00 (00:00)
- btmp begins Fri Jan 6 18:00:34 2017
Step 2: Using journalctl log extraction tool
1) lists the ERR and over the last 10 log messages of importance
- [root@svr7 ~]# journalctl -p err -n 10
- -- Logs begin at Thu 2017-01-05 15:50:08 CST, end at Fri 2017-01-06 18:01:01 CST. --
- Jan 06 14:56:57 svr7 setroubleshoot[23702]: SELinux is preventing /usr/sbin/vsftpd from getattr access on the file /rhel7/repodata/repomd.xml. For complete SELinux mes
- Jan 06 14:56:57 svr7 setroubleshoot[23702]: SELinux is preventing /usr/sbin/vsftpd from read access on the file repomd.xml. For complete SELinux messages. run sealert
- Jan 06 14:56:57 svr7 setroubleshoot[23702]: SELinux is preventing /usr/sbin/vsftpd from read access on the file repomd.xml. For complete SELinux messages. run sealert
- Jan 06 14:56:57 svr7 setroubleshoot[23702]: SELinux is preventing /usr/sbin/vsftpd from lock access on the file /rhel7/repodata/repomd.xml. For complete SELinux messag
- Jan 06 17:53:48 svr7 setroubleshoot[33743]: Plugin Exception restorecon_source
- Jan 06 17:53:48 svr7 setroubleshoot[33743]: SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 8909. For complete SELinux messages. run
- Jan 06 17:53:53 svr7 setroubleshoot[33743]: SELinux is preventing /usr/sbin/httpd from name_connect access on the tcp_socket port 8909. For complete SELinux messages.
- Jan 06 17:53:54 svr7 systemd[1]: Failed to start The Apache HTTP Server.
- .. ..
- lines 1-11/11 (END)
2) List all news related to the service httpd
- [root@svr7 ~]# journalctl -u httpd
- -- Logs begin at Thu 2017-01-05 15:50:08 CST, end at Fri 2017-01-06 18:01:01 CST. --
- Jan 06 14:57:16 svr7 systemd[1]: Starting The Apache HTTP Server...
- Jan 06 14:57:16 svr7 httpd[23812]: AH00557: httpd: apr_sockaddr_info_get() failed for svr7
- Jan 06 14:57:16 svr7 httpd[23812]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directi
- Jan 06 14:57:16 svr7 systemd[1]: Started The Apache HTTP Server.
- Jan 06 17:53:44 svr7 systemd[1]: Stopping The Apache HTTP Server...
- Jan 06 17:53:46 svr7 systemd[1]: Starting The Apache HTTP Server...
- Jan 06 17:53:46 svr7 httpd[33741]: AH00557: httpd: apr_sockaddr_info_get() failed for svr7
- .. ..
3) a new log record lists within the first 4 hours
Previous push the current date and time 4 hours, to determine the start and --until --since end time:
- [root@svr7 ~]# journalctl --since "2017-01-06 14:11" --until "2017-01-06 18:11"
- -- Logs begin at Thu 2017-01-05 15:50:08 CST, end at Fri 2017-01-06 18:10:01 CST. --
- Jan 06 14:20:01 svr7 systemd[1]: Started Session 160 of user root.
- Jan 06 14:20:01 svr7 CROND[22869]: (root) CMD (/usr/lib64/sa/sa1 1 1)
- Jan 06 14:20:01 svr7 systemd[1]: Starting Session 160 of user root.
- Jan 06 14:30:01 svr7 systemd[1]: Started Session 161 of user root.
- Jan 06 14:30:01 svr7 CROND[23028]: (root) CMD (/usr/lib64/sa/sa1 1 1)
- Jan 06 14:31:39 svr7 systemd[1]: Starting Session 162 of user root.
- Jan 06 14:32:17 svr7 sshd[23046]: pam_unix(sshd:session): session closed for user root
- Jan 06 14:31:39 svr7 systemd[1]: Started Session 162 of user root.
- Jan 06 14:31:39 svr7 sshd[23046]: pam_unix(sshd:session): session opened for user root by (uid=0)
- Jan 06 14:31:39 svr7 systemd-logind[985]: New session 162 of user root.
- .. .