Linux Log Management

waji97

Waji

Posted on February 10, 2023

Introduction

There are two types of logs in Linux systems:

  • Normal text logs
  • Binary logs

There are several different commands to analyze these logs:

👉 vi, cat, tail, head, etc. are used for normal text logs

👉 last, w, who, etc. are used for binary logs

Analyzing important Linux logs

There are different log files found under the /var/log/ directory. The following are some of them:

  • UTMP 👉 contains information about the current state of the system
who
root     pts/0        2023-02-10 10:16 (192.168.1.1)

  • WTMP 👉 updated each time a user logs in or out, or even when a terminal line is opened or closed
last root
root     pts/0        192.168.1.1      Fri Feb 10 10:16   still logged in   
root     pts/0        192.168.1.1      Thu Feb  9 12:50 - crash  (21:24)    

  • BTMP 👉 similar to WTMP, but it only keeps a record of past logins and logouts
lastb
root     tty1                          Thu Feb  9 11:58 - 11:58  (00:00)    

btmp begins Thu Feb  9 11:58:13 2023

  • Secure 👉 stores information about security-related events (such as authentication attempts and SSH login attempts)
tail -5 /var/log/secure
Feb 10 12:02:29 Linux-1 polkitd[652]: Unregistered Authentication 

  • Last 👉 keeps track of all system reboots and shutdowns (stored in the /var/log/wtmp file)
-t 5
μ‚¬μš©μžμ΄λ¦„       포트     μ–΄λ””μ„œ           μ΅œκ·Όμ •λ³΄
root             pts/0    192.168.1.1      금  2μ›” 10 10:16:38 +0900 2023

  • Messages 👉 stores a wide variety of system-related messages
tail /var/log/messages
Feb 10 13:12:30 Linux-1 dhcpd: DHCPREQUEST for 192.168.1.52 from 00:0c:29:b1:be:84 (Linux-2) via ens32
Feb 10 13:12:30 Linux-1 dhcpd: DHCPACK on 192.168.1.52 to 00:0c:29:b1:be:84 (Linux-2) via ens32

psacct Tool

We can also use the psacct package, which provides a set of tools and services for logging information about the processes that run on the system.

Installing the package using yum:

yum -y install psacct

Starting the package daemon:

systemctl start psacct

Now if we use the ac command:

ac -d root
Jan 10  total        2.73
Jan 26  total        2.02
Jan 31  total        1.14
Feb  2  total        5.74

👉 The ac -d root command is used to display the accumulated accounting information for the root user.

We can also use the lastcomm command:

lastcomm ls
ls                     root     pts/0      0.00 secs Fri Feb 10 13:52

lastcomm root
kworker/0:1       F    root     __         0.17 secs Fri Feb 10 13:49
lastcomm               root     pts/0      0.00 secs Fri Feb 10 14:03
clear                  root     pts/0      0.00 secs Fri Feb 10 14:02

👉 This command displays information about previously executed commands on the system.


logrotate Tool

Another tool we have at hand is logrotate. The purpose of logrotate is to rotate, compress, and remove old log files so that they do not consume excessive disk space.

How it works

  1. The logrotate configuration file specifies the log files to be managed and the policies for how those files should be rotated, compressed, and removed.

  2. When logrotate runs, it checks each log file specified in the configuration file to determine if it needs to be rotated. The decision to rotate a log file is based on the size of the file and the time it was last rotated.

  3. If a log file needs to be rotated, logrotate will create a new log file and rename the existing log file by appending a date/time stamp to the file name. The renamed log file will be compressed (if configured to do so) and saved to disk.

  4. After rotating and compressing the log files, logrotate will remove any log files that are older than the specified number of days (if specified in the configuration file).
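As an added example (not part of the original post), here is a logrotate configuration for /var/log/secure that exercises each of the four steps above. The file path /etc/logrotate.d/secure, the retention values, and rsyslog as the daemon writing the file are assumptions:

```conf
# Added example: a logrotate stanza for /var/log/secure, assumed to live in
# /etc/logrotate.d/secure. The retention values are illustrative assumptions.
/var/log/secure {
    # Step 2: rotate once a week, or sooner if the file grows past 10 MB
    weekly
    maxsize 10M

    # Step 3: rename with a date stamp (e.g. secure-20230210) and compress;
    # delaycompress leaves the newest rotated copy uncompressed so it can
    # still be read with tail/grep without unpacking it
    dateext
    compress
    delaycompress

    # Step 4: keep eight rotated copies and remove anything older than 60 days
    rotate 8
    maxage 60

    # Recreate the live file with restrictive permissions: authentication
    # logs should not be readable by unprivileged users
    create 0600 root root

    # Do not error if the file is missing, and skip rotation of empty files
    missingok
    notifempty

    # Make rsyslog (assumed writer) reopen its file handle after the rename,
    # otherwise it keeps writing into the rotated copy
    postrotate
        /usr/bin/systemctl kill -s HUP rsyslog.service 2>/dev/null || true
    endscript
}
```

Validate with logrotate -d /etc/logrotate.d/secure (debug mode, nothing is changed on disk); it will also report a duplicate entry if /var/log/secure is still listed in another stanza, as it is by default in /etc/logrotate.d/rsyslog on RHEL-family systems, where it must be removed first.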
