System Log Analysis

Case 3: System Log Analysis

3.1 Problem

This example requires familiarity with the common Linux system log files; use the necessary command-line tools to complete the following tasks:

  1. List all system log messages containing the keyword 8909
  2. View the mouse device identification information recorded at boot
  3. List the last two successful / unsuccessful user login messages
  4. List the last 10 log messages of priority ERR or higher
  5. List all messages related to the httpd service
  6. List the log records added within the previous four hours

3.2 Approach

Common system logs and their uses:

  • /var/log/messages: kernel messages and messages from general services
  • /var/log/dmesg: the various messages recorded during the system boot process
  • /var/log/cron: messages related to cron scheduled tasks
  • /var/log/maillog: mail-related messages
  • /var/log/secure: security-related messages, including access control and login events

Priorities of log messages (high -> low):

  • EMERG (emergency): level 0, the system is unusable
  • ALERT (alert): level 1, action must be taken immediately
  • CRIT (critical): level 2, a critical condition
  • ERR (error): level 3, an error condition
  • WARNING (warning): level 4, a condition worth a warning
  • NOTICE (notice): level 5, a normal event that is nevertheless worth attention
  • INFO (information): level 6, general information
  • DEBUG (debug): level 7, program / service debug messages

Common usage of the journalctl logging tool provided by RHEL7:

  • journalctl | grep keyword
  • journalctl -u service-name -p priority
  • journalctl -n number-of-messages
  • journalctl --since="yyyy-mm-dd HH:MM:SS" --until="yyyy-mm-dd HH:MM:SS"

3.3 Steps

This case is implemented in the following steps.

Step 1: Analyze the system log and the user login log

1) List all log messages containing the keyword 8909

First simulate a fault (SELinux prevents the web server from opening port 8909):

  [root@svr7 ~]# vim /etc/httpd/conf.d/8909.conf    // add a configuration that opens port 8909
  Listen 8909
  [root@svr7 ~]# setenforce 1                       // switch SELinux to enforcing mode
  [root@svr7 ~]# systemctl restart httpd            // the service fails to restart
  Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.

Retrieve the related information from the log file /var/log/messages:

  [root@svr7 ~]# grep 8909 /var/log/messages
  Jan  6 17:53:48 svr7 setroubleshoot: SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 8909. For complete SELinux messages. run sealert -l 6d37b8f0-ab8a-4082-9295-c784f4f57190
  Jan  6 17:53:48 svr7 python: SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 8909.#012#012*****  Plugin bind_ports (92.2 confidence) suggests   ************************#012#012If you want to allow /usr/sbin/httpd to bind to network port 8909#012Then you need to modify the port type.#012Do#012# semanage port -a -t PORT_TYPE -p tcp 8909#012    where PORT_TYPE is one of the following: http_cache_port_t, http_port_t, jboss_management_port_t, jboss_messaging_port_t, ntop_port_t, puppet_port_t.#012#012*****  Plugin catchall_boolean (7.83 confidence) suggests   ******************#012#012If you want to allow nis to enabled#012Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.#012#012Do#012setsebool -P nis_enabled 1#012#012*****  Plugin catchall (1.41 confidence) suggests   **************************#012#012If you believe that httpd should be allowed name_bind access on the port 8909 tcp_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep httpd /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012
  .. ..

After testing, remember to delete the test configuration file and restart the service:

  [root@svr7 ~]# rm -rf /etc/httpd/conf.d/8909.conf
  [root@svr7 ~]# systemctl restart httpd
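A keyword grep such as the one above quickly turns into a wall of setroubleshoot text. The following shell helpers, an added example that is not part of the original tutorial, reduce setroubleshoot lines from /var/log/messages to a one-line-per-denial summary (timestamp, source program, denied access, target), collect the sealert ids to follow up with, and count denials per source program. SAMPLE_MESSAGES is constructed from the lines shown above; the second and third sealert ids are made-up placeholders.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Input: syslog lines on stdin,
# e.g. `grep setroubleshoot /var/log/messages | selinux_denials`.
# SAMPLE_MESSAGES is constructed; only the first sealert id comes from the page.

SAMPLE_MESSAGES='Jan  6 17:53:48 svr7 setroubleshoot: SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 8909. For complete SELinux messages. run sealert -l 6d37b8f0-ab8a-4082-9295-c784f4f57190
Jan  6 17:53:53 svr7 setroubleshoot: SELinux is preventing /usr/sbin/httpd from name_connect access on the tcp_socket port 8909. For complete SELinux messages. run sealert -l 11111111-2222-3333-4444-555555555555
Jan  6 14:56:57 svr7 setroubleshoot: SELinux is preventing /usr/sbin/vsftpd from read access on the file repomd.xml. For complete SELinux messages. run sealert -l 22222222-2222-3333-4444-555555555555
Jan  6 17:53:54 svr7 systemd: Failed to start The Apache HTTP Server.'

# One "TIMESTAMP|SOURCE|ACCESS|TARGET" line per setroubleshoot denial message.
# "setroubleshoot[^:]*:" also accepts the "setroubleshoot[PID]:" form that
# journalctl prints. Lines that are not denials are dropped.
selinux_denials() {
  sed -n 's/^\([A-Z][a-z][a-z] *[0-9][0-9]* [0-9:]*\) [^ ]* setroubleshoot[^:]*: SELinux is preventing \([^ ]*\) from \([^ ]*\) access on the \(.*\)\. For complete.*$/\1|\2|\3|\4/p'
}

# The alert ids to pass to `sealert -l ID`, deduplicated in order of appearance.
sealert_ids() {
  sed -n 's/.*run sealert -l \([0-9a-f-]*\).*/\1/p' | awk '!seen[$0]++'
}

# Denials per source program, most frequent first ("COUNT SOURCE").
denials_by_source() {
  selinux_denials | awk -F'|' '{ c[$2]++ } END { for (s in c) print c[s], s }' | sort -rn
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_MESSAGES" | selinux_denials
printf '%s\n' "$SAMPLE_MESSAGES" | sealert_ids
printf '%s\n' "$SAMPLE_MESSAGES" | denials_by_source
```

The summary is what you want to read before deciding between a legitimate policy change (the `semanage port` line suggested in the log, which keeps enforcing mode on) and the blunt `setenforce 0`; the per-source count also makes an unexpected program showing up in the denials stand out.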

2) View the mouse device identification information recorded at boot

  [root@svr7 ~]# dmesg | grep -i mouse
  [    1.020385] mousedev: PS/2 mouse device common for all mice
  [    1.249422] input: ImPS/2 Generic Wheel Mouse as /devices/platform/i8042/serio1/input/input2
  [    2.279665] usb 2-1: Product: VMware Virtual USB Mouse
  [    2.603999] input: VMware VMware Virtual USB Mouse as /devices/pci0000:00/0000:00:11.0/0000:02:00.0/usb2/2-1/2-1:1.0/input/input3
  [    2.604222] hid-generic 0003:0E0F:0003.0001: input,hidraw0: USB HID v1.10 Mouse [VMware VMware Virtual USB Mouse] on usb-0000:02:00.0-1/input0

3) List the last two successful / unsuccessful user login messages

View successful login event messages:

  [root@svr7 ~]# last -2
  zhsan    pts/2        192.168.4.207    Fri Jan  6 18:00 - 18:00  (00:00)
  root     pts/2        192.168.4.110    Fri Jan  6 17:26 - 17:59  (00:33)
  wtmp begins Thu Aug  4 00:10:16 2016

View failed login event messages:

  [root@svr7 ~]# lastb -2
  anonymou ssh:notty    192.168.4.207    Fri Jan  6 18:00 - 18:00  (00:00)
  anonymou ssh:notty    192.168.4.207    Fri Jan  6 18:00 - 18:00  (00:00)
  btmp begins Fri Jan  6 18:00:34 2017
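Two failed logins from the same address within the same minute, as shown above, is the pattern worth counting rather than reading. The helpers below, an added example that is not part of the original tutorial, take lastb output on stdin and report failed logins per source address, flag sources above a threshold, and list which user names were tried from one address. SAMPLE_LASTB is constructed in the lastb layout shown above (user, tty, host, date); the threshold value and the extra lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Input: `lastb` output on stdin.
# SAMPLE_LASTB is constructed; the trailing "btmp begins" footer and the blank
# line before it are skipped by the field checks below.

SAMPLE_LASTB='anonymou ssh:notty    192.168.4.207    Fri Jan  6 18:00 - 18:00  (00:00)
anonymou ssh:notty    192.168.4.207    Fri Jan  6 18:00 - 18:00  (00:00)
root     ssh:notty    192.168.4.207    Fri Jan  6 17:58 - 17:58  (00:00)
zhsan    ssh:notty    192.168.4.110    Fri Jan  6 17:40 - 17:40  (00:00)

btmp begins Fri Jan  6 18:00:34 2017'

# Failed logins per source address, most frequent first ("COUNT HOST").
# Only lines whose third field is a dotted IPv4 address are counted; this also
# skips console failures, where the host column is empty and the fields shift.
failed_by_source() {      # usage: lastb | failed_by_source
  awk '$3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { c[$3]++ }
       END { for (h in c) print c[h], h }' | sort -rn
}

# Sources with at least THRESHOLD failures: a simple brute-force indicator.
flag_sources() {          # usage: lastb | flag_sources 3
  failed_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

# Distinct user names attempted from one source, in order of first appearance.
users_tried_from() {      # usage: lastb | users_tried_from 192.168.4.207
  awk -v h="$1" '$3 == h { print $1 }' | awk '!seen[$0]++'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LASTB" | failed_by_source
printf '%s\n' "$SAMPLE_LASTB" | flag_sources 3
printf '%s\n' "$SAMPLE_LASTB" | users_tried_from 192.168.4.207
```

Two details of lastb matter here: user names are truncated to 8 characters by default (hence "anonymou"; `lastb -w` prints them in full), and hosts are shown as names when reverse DNS resolves them, so run `lastb -i` to get numeric addresses that the IPv4 match above recognises.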

Step 2: Use the journalctl log extraction tool

1) List the last 10 log messages of priority ERR or higher

  [root@svr7 ~]# journalctl -p err -n 10
  -- Logs begin at Thu 2017-01-05 15:50:08 CST, end at Fri 2017-01-06 18:01:01 CST. --
  Jan 06 14:56:57 svr7 setroubleshoot[23702]: SELinux is preventing /usr/sbin/vsftpd from getattr access on the file /rhel7/repodata/repomd.xml. For complete SELinux mes
  Jan 06 14:56:57 svr7 setroubleshoot[23702]: SELinux is preventing /usr/sbin/vsftpd from read access on the file repomd.xml. For complete SELinux messages. run sealert
  Jan 06 14:56:57 svr7 setroubleshoot[23702]: SELinux is preventing /usr/sbin/vsftpd from read access on the file repomd.xml. For complete SELinux messages. run sealert
  Jan 06 14:56:57 svr7 setroubleshoot[23702]: SELinux is preventing /usr/sbin/vsftpd from lock access on the file /rhel7/repodata/repomd.xml. For complete SELinux messag
  Jan 06 17:53:48 svr7 setroubleshoot[33743]: Plugin Exception restorecon_source
  Jan 06 17:53:48 svr7 setroubleshoot[33743]: SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 8909. For complete SELinux messages. run
  Jan 06 17:53:53 svr7 setroubleshoot[33743]: SELinux is preventing /usr/sbin/httpd from name_connect access on the tcp_socket port 8909. For complete SELinux messages.
  Jan 06 17:53:54 svr7 systemd[1]: Failed to start The Apache HTTP Server.
  .. ..
  lines 1-11/11 (END)

2) List all messages related to the httpd service

  [root@svr7 ~]# journalctl -u httpd
  -- Logs begin at Thu 2017-01-05 15:50:08 CST, end at Fri 2017-01-06 18:01:01 CST. --
  Jan 06 14:57:16 svr7 systemd[1]: Starting The Apache HTTP Server...
  Jan 06 14:57:16 svr7 httpd[23812]: AH00557: httpd: apr_sockaddr_info_get() failed for svr7
  Jan 06 14:57:16 svr7 httpd[23812]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directi
  Jan 06 14:57:16 svr7 systemd[1]: Started The Apache HTTP Server.
  Jan 06 17:53:44 svr7 systemd[1]: Stopping The Apache HTTP Server...
  Jan 06 17:53:46 svr7 systemd[1]: Starting The Apache HTTP Server...
  Jan 06 17:53:46 svr7 httpd[33741]: AH00557: httpd: apr_sockaddr_info_get() failed for svr7
  .. ..

3) List the log records added within the previous 4 hours

Subtract 4 hours from the current date and time to determine the --since start time and the --until end time:

  [root@svr7 ~]# journalctl --since "2017-01-06 14:11" --until "2017-01-06 18:11"
  -- Logs begin at Thu 2017-01-05 15:50:08 CST, end at Fri 2017-01-06 18:10:01 CST. --
  Jan 06 14:20:01 svr7 systemd[1]: Started Session 160 of user root.
  Jan 06 14:20:01 svr7 CROND[22869]: (root) CMD (/usr/lib64/sa/sa1 1 1)
  Jan 06 14:20:01 svr7 systemd[1]: Starting Session 160 of user root.
  Jan 06 14:30:01 svr7 systemd[1]: Started Session 161 of user root.
  Jan 06 14:30:01 svr7 CROND[23028]: (root) CMD (/usr/lib64/sa/sa1 1 1)
  Jan 06 14:31:39 svr7 systemd[1]: Starting Session 162 of user root.
  Jan 06 14:32:17 svr7 sshd[23046]: pam_unix(sshd:session): session closed for user root
  Jan 06 14:31:39 svr7 systemd[1]: Started Session 162 of user root.
  Jan 06 14:31:39 svr7 sshd[23046]: pam_unix(sshd:session): session opened for user root by (uid=0)
  Jan 06 14:31:39 svr7 systemd-logind[985]: New session 162 of user root.
  .. ..
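Two points in this section are easy to get backwards: `journalctl -p err` means "ERR or more severe", which on the numeric scale from section 3.2 means a priority of 3 or lower, and "the previous four hours" is not a journalctl option but a --since/--until pair you compute from the clock (the hand-computed window in task 3 above). The helpers below, an added example that is not part of the original tutorial, make both explicit: a priority filter with journalctl's semantics run over constructed records in the shape of `journalctl -o json` output (reduced to the PRIORITY, SYSLOG_IDENTIFIER and MESSAGE fields), and a window calculation that prints the journalctl command for the last N hours. The function names and the sample records are assumptions; date formatting uses GNU `date -d @EPOCH` with a BSD `date -r` fallback.

```shell
#!/bin/sh
# Added example, not from the original tutorial.
# SAMPLE_JOURNAL is constructed: three fields of `journalctl -o json` records.

SAMPLE_JOURNAL='{"PRIORITY":"6","SYSLOG_IDENTIFIER":"systemd","MESSAGE":"Starting The Apache HTTP Server..."}
{"PRIORITY":"3","SYSLOG_IDENTIFIER":"setroubleshoot","MESSAGE":"SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 8909."}
{"PRIORITY":"4","SYSLOG_IDENTIFIER":"httpd","MESSAGE":"AH00558: httpd: Could not reliably determine the server fully qualified domain name"}
{"PRIORITY":"3","SYSLOG_IDENTIFIER":"systemd","MESSAGE":"Failed to start The Apache HTTP Server."}'

# Map a priority name accepted by `journalctl -p` (or a digit 0-7) to its number.
# The scale is inverted: 0 = emerg is the most severe, 7 = debug the least.
prio_num() {
  case "$1" in
    emerg) echo 0 ;;   alert) echo 1 ;;   crit) echo 2 ;;   err) echo 3 ;;
    warning) echo 4 ;; notice) echo 5 ;;  info) echo 6 ;;   debug) echo 7 ;;
    [0-7]) echo "$1" ;;
    *) echo "prio_num: unknown priority '$1'" >&2; return 1 ;;
  esac
}

# Keep records whose PRIORITY is numerically <= LEVEL, exactly what `-p LEVEL` does.
filter_min_priority() {   # usage: filter_min_priority err < records
  max_prio=$(prio_num "$1") || return 1
  while IFS= read -r rec; do
    p=$(printf '%s\n' "$rec" | sed -n 's/.*"PRIORITY":"\([0-7]\)".*/\1/p')
    if [ -n "$p" ] && [ "$p" -le "$max_prio" ]; then
      printf '%s\n' "$rec"
    fi
  done
}

count_min_priority() {    # usage: count_min_priority err < records
  filter_min_priority "$1" | grep -c . || true   # grep -c exits 1 on a count of 0
}

# Format epoch seconds the way --since/--until accept them (local time).
fmt_epoch() {
  date -d "@$1" '+%Y-%m-%d %H:%M' 2>/dev/null || date -r "$1" '+%Y-%m-%d %H:%M'
}

# Start of the window "the previous HOURS hours" ending at NOW_EPOCH (default: now).
window_start() {          # usage: window_start HOURS [NOW_EPOCH]
  now_epoch=${2:-$(date +%s)}
  fmt_epoch $(( now_epoch - $1 * 3600 ))
}

# Print the journalctl command for the last HOURS hours (pipe it to sh to run it).
journal_last_hours_cmd() { # usage: journal_last_hours_cmd HOURS [NOW_EPOCH]
  now_epoch=${2:-$(date +%s)}
  printf 'journalctl --since "%s" --until "%s"\n' \
    "$(window_start "$1" "$now_epoch")" "$(fmt_epoch "$now_epoch")"
}

# Demo on the constructed records and the live clock.
printf '%s\n' "$SAMPLE_JOURNAL" | filter_min_priority err
printf 'records at err or more severe: %s\n' "$(printf '%s\n' "$SAMPLE_JOURNAL" | count_min_priority err)"
journal_last_hours_cmd 4
```

On a real host the same filter is simply `journalctl -p err -o json`; the point of the sed version is to show which records `-p err` keeps (priorities 0 to 3) and which it drops (the warning at 4 and the info at 6). `journalctl --since "-4h"` is also accepted by systemd's time parser, but computing the explicit pair keeps the window reproducible when you paste the command into an incident note.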


Source: www.cnblogs.com/qingbai/p/11940676.html