Waji
Posted on February 10, 2023
Introduction
Linux systems keep two kinds of logs:
- Plain-text logs, which are read with ordinary text tools: vi, cat, tail, head, grep, etc.
- Binary logs (utmp, wtmp, btmp, lastlog), which cannot be read with cat and need their own tools: last, w, who, lastb, lastlog, etc.
Analyzing important Linux logs
Several log files live under the /var/log/ directory. The following are some of the important ones:
- UTMP (/var/run/utmp) records the current state of the system: who is logged in right now, on which terminal and from where. who reads it:
who
root pts/0 2023-02-10 10:16 (192.168.1.1)
- WTMP (/var/log/wtmp) is appended to every time a user logs in or out, a terminal line is opened or closed, and on every reboot and shutdown. last reads it; "crash" in the second line below means the session was never closed by a logout, because the system went down without a recorded shutdown:
last root
root pts/0 192.168.1.1 Fri Feb 10 10:16 still logged in
root pts/0 192.168.1.1 Thu Feb 9 12:50 - crash (21:24)
- BTMP (/var/log/btmp) has the same record format as wtmp but records failed login attempts, which makes it the first place to look for password guessing. It is readable only by root, through lastb:
lastb
root tty1 Thu Feb 9 11:58 - 11:58 (00:00)
btmp begins Thu Feb 9 11:58:13 2023
- Secure (/var/log/secure on RHEL, CentOS and Fedora; Debian and Ubuntu write the same events to /var/log/auth.log) stores security-related events: authentication attempts, SSH logins and failures, sudo use, and PAM and polkit messages:
tail -5 /var/log/secure
Feb 10 12:02:29 Linux-1 polkitd[652]: Unregistered Authentication
- Lastlog (/var/log/lastlog) records the most recent login of every account, one record per UID, and is read with lastlog. Reboots and shutdowns are not kept here but in /var/log/wtmp, where last reboot and last shutdown list them. lastlog -t 5 shows only the accounts that logged in within the last 5 days (the header below was printed by a Korean locale and is translated):
lastlog -t 5
Username Port From Latest
root pts/0 192.168.1.1 Fri Feb 10 10:16:38 +0900 2023
- Messages (/var/log/messages; Debian and Ubuntu use /var/log/syslog) stores general system messages from the kernel and from daemons, such as the dhcpd lease exchange below:
tail /var/log/messages
Feb 10 13:12:30 Linux-1 dhcpd: DHCPREQUEST for 192.168.1.52 from 00:0c:29:b1:be:84 (Linux-2) via ens32
Feb 10 13:12:30 Linux-1 dhcpd: DHCPACK on 192.168.1.52 to 00:0c:29:b1:be:84 (Linux-2) via ens32
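The text logs above are usually read with tail and grep, but the interesting questions (which address is guessing passwords, and did it eventually get in?) are easier to answer with a small script. The following is an added example, not code from the original post: two shell functions that run over /var/log/secure-style sshd lines. The lines in SAMPLE_SECURE are constructed for the example; the hostnames, addresses, usernames and the watch threshold are invented.

```shell
#!/bin/sh
# Added example (not from the original post): detection logic over
# /var/log/secure-style sshd lines. SAMPLE_SECURE is constructed;
# hostnames, addresses and usernames are invented.
# On a live host run the functions against the real file instead, e.g.
#   failed_by_source < /var/log/secure          (or /var/log/auth.log)
#   flag_success_after_failures 5 < /var/log/secure

SAMPLE_SECURE='Feb 10 12:02:29 Linux-1 sshd[2201]: Failed password for invalid user admin from 192.168.1.77 port 51233 ssh2
Feb 10 12:02:31 Linux-1 sshd[2201]: Failed password for root from 192.168.1.77 port 51234 ssh2
Feb 10 12:02:35 Linux-1 sshd[2205]: Failed password for root from 192.168.1.77 port 51236 ssh2
Feb 10 12:03:01 Linux-1 sshd[2210]: Accepted publickey for waji from 192.168.1.1 port 50022 ssh2: RSA SHA256:examplefingerprint
Feb 10 12:03:40 Linux-1 sshd[2215]: Failed password for root from 10.0.0.5 port 40001 ssh2
Feb 10 12:04:02 Linux-1 sshd[2220]: Accepted password for root from 192.168.1.77 port 51240 ssh2'

# Print "<failures> <source address>" for every address with at least one
# "Failed password" record, most failures first. Reads log lines on stdin.
# The address is the token after "from", which also copes with the
# "invalid user NAME" variant that shifts the field positions.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print the addresses that produced a successful login ("Accepted ...")
# after at least THRESHOLD failed passwords: the brute-force-then-success
# pattern that deserves an alert rather than a line in a daily report.
# Usage: flag_success_after_failures [THRESHOLD]   (default 3)
flag_success_after_failures() {
    awk -v t="${1:-3}" '
        /sshd\[[0-9]+\]: (Failed|Accepted) / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1); break }
            if ($6 == "Failed") fails[ip]++
            else if (fails[ip] >= t && !(ip in flagged)) {
                flagged[ip] = 1
                print ip, "succeeded after", fails[ip], "failures"
            }
        }'
}

printf '%s\n' "$SAMPLE_SECURE" | failed_by_source
printf '%s\n' "$SAMPLE_SECURE" | flag_success_after_failures 3
```

On the sample data failed_by_source reports 3 failures from 192.168.1.77 and 1 from 10.0.0.5, and flag_success_after_failures 3 reports only 192.168.1.77, which logged in as root right after its three failures. The same two functions work unchanged on /var/log/auth.log, since Debian's sshd writes the same message formats.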
psacct Tool
We can also use the psacct package (process accounting; the Debian equivalent is acct). It provides the accounting service plus the ac, lastcomm, sa and accton tools. Once the service is running, the kernel writes one record for every process that exits, which gives you a history of executed commands that survives an attacker clearing their shell history.
Installing the package using yum
yum -y install psacct
Starting the accounting service (enable it as well, so that it keeps recording after a reboot)
systemctl start psacct
Now if we use the ac command,
ac -d root
Jan 10 total 2.73
Jan 26 total 2.02
Jan 31 total 1.14
Feb 2 total 5.74
ac reads /var/log/wtmp (not the process accounting file) and prints total connect time in hours; ac -d root breaks root's connect time down per day, so an unusual day of activity for an account stands out at a glance.
We can also use the lastcomm
command,
lastcomm ls
ls root pts/0 0.00 secs Fri Feb 10 13:52
lastcomm root
kworker/0:1 F root __ 0.17 secs Fri Feb 10 13:49
lastcomm root pts/0 0.00 secs Fri Feb 10 14:03
clear root pts/0 0.00 secs Fri Feb 10 14:02
lastcomm reads the process accounting file (/var/account/pacct on RHEL) and lists previously executed commands, newest first: lastcomm ls shows every run of ls, and lastcomm root everything run by root. The second column, when present, holds flags: S = executed with superuser privileges, F = forked but did not exec, D = terminated with a core dump, X = killed by a signal. A tty of __ means the process had no controlling terminal, which is why the kworker kernel thread shows it.
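lastcomm output grows quickly, and the questions worth asking of it (what did this user run from a terminal, what ran with superuser privileges, did anyone run a download or tunnelling tool) need the optional flag column handled correctly. The following is an added example, not code from the original post or from the psacct package: SAMPLE_LASTCOMM is constructed to follow lastcomm's column layout, the users, ttys and times are invented, and NET_TOOLS is an assumed watch list.

```shell
#!/bin/sh
# Added example (not from the original post): reviewing process
# accounting records from the psacct package. SAMPLE_LASTCOMM is
# constructed to follow lastcomm's column layout (command, optional
# flag letters, user, tty, cpu time, start time); the users, ttys and
# times are invented, and NET_TOOLS is an assumed watch list, not
# anything psacct ships. On a live host pipe the real output instead:
#   lastcomm | commands_by_user root
#   lastcomm | network_tools

SAMPLE_LASTCOMM='ls               root     pts/0      0.00 secs Fri Feb 10 13:52
kworker/0:1     F    root     __         0.17 secs Fri Feb 10 13:49
clear            root     pts/0      0.00 secs Fri Feb 10 14:02
sudo            S    waji     pts/1      0.01 secs Fri Feb 10 14:05
bash            S    root     pts/1      0.02 secs Fri Feb 10 14:05
curl             waji     pts/1      0.30 secs Fri Feb 10 14:06
nc               waji     pts/1      0.00 secs Fri Feb 10 14:07'

# Normalise every record to "command flags user tty start" (flags is "-"
# when lastcomm printed none). The flag column is optional, so the tty
# column (pts/N, ttyN, or __ for no controlling terminal) is located by
# pattern and used as the anchor instead of a fixed field number.
normalise() {
    awk '{
        for (i = 2; i <= NF; i++) if ($i ~ /^(pts|tty|__)/) break
        if (i > NF) next                              # not a lastcomm record
        flags = (i == 4) ? $2 : "-"                   # flags sit in $2 if present
        print $1, flags, $(i-1), $i, $(i+3), $(i+4), $(i+5), $(i+6)
    }'
}

# Commands a given user ran from a real terminal (kernel threads and
# daemons show __ and are skipped). Output: command tty start.
commands_by_user() {
    normalise | awk -v u="$1" '$3 == u && $4 != "__" { print $1, $4, $5, $6, $7, $8 }'
}

# Records carrying the S flag, i.e. executed with superuser privileges:
# setuid tools like sudo, and everything run in the root shell they
# open. Output: command user tty start.
superuser_commands() {
    normalise | awk '$2 ~ /S/ { print $1, $3, $4, $5, $6, $7, $8 }'
}

# Assumed watch list of tools commonly used to pull down or ship out
# data; tune it to what is normal for the host.
NET_TOOLS='^(curl|wget|nc|ncat|netcat|socat|ssh|scp|sftp)$'

# Watch-listed commands run from a terminal. Output: command user tty start.
network_tools() {
    normalise | awk -v re="$NET_TOOLS" '$1 ~ re && $4 != "__" { print $1, $3, $4, $5, $6, $7, $8 }'
}

printf '%s\n' "$SAMPLE_LASTCOMM" | commands_by_user root
printf '%s\n' "$SAMPLE_LASTCOMM" | superuser_commands
printf '%s\n' "$SAMPLE_LASTCOMM" | network_tools
```

On the sample, commands_by_user root lists ls, clear and bash (the kworker thread is dropped because it has no tty), superuser_commands lists the sudo invocation and the root bash it spawned, and network_tools lists waji's curl and nc. Note that lastcomm records the program name as executed, so a renamed or copied binary will not match the watch list; the S flag and the tty are the more robust signals.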
logrotate Tool
Another tool we have in hand is logrotate. Its purpose is to rotate, compress, and remove old log files so that they do not fill the disk. That matters for security as much as for housekeeping: a full /var/log silently stops new evidence from being written, and a retention that is too short throws away the history an investigation needs.
How it works
The logrotate configuration (/etc/logrotate.conf plus the per-service snippets in /etc/logrotate.d/) specifies which log files are managed and the policy for each: how often to rotate (daily, weekly, monthly) or at what size, how many rotated copies to keep, and whether to compress them.
logrotate is normally run once a day from cron or a systemd timer. On each run it checks every configured log file against its state file to decide whether the file is due for rotation, based on the file's size and the time it was last rotated.
If a log file needs to be rotated, logrotate renames the existing file, by default with a numeric suffix (secure.1, secure.2, ...) or, with the dateext directive, with a date stamp (secure-20230210), and then creates a fresh empty file or signals the daemon to reopen its log through a postrotate script. The rotated copy is compressed if compress is set.
Finally, logrotate deletes the copies that exceed the configured rotate count or, if maxage is set, are older than that number of days.
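The difference between a policy that merely saves disk and one that preserves evidence is a handful of directives. As an added example, not a configuration from the original post or shipped by any distribution, the script below writes a minimal policy for /var/log/secure and /var/log/messages beside a hardened one and dry-runs the latter. The file paths, the 14-generation and 90-day retention, the 0600 root-only mode and the rsyslog reload in postrotate are assumptions to adjust to the host; the dry run only happens when logrotate is installed.

```shell
#!/bin/sh
# Added example (not from the original post): a weak logrotate policy
# beside a hardened one, written to a scratch directory and dry-run.
# Paths, retention numbers, file mode and the rsyslog reload are
# assumptions; adjust them to the distribution and retention policy.

# Scratch directory so the example never touches /etc while you read it.
DEMO_DIR="${DEMO_DIR:-$(mktemp -d)}"

# The kind of minimal policy many hosts start with: numbered suffixes,
# no compression, four generations, new file created with whatever mode
# the daemon chooses. Kept here only for contrast.
write_weak_config() {
    cat > "$1" <<'EOF'
/var/log/secure /var/log/messages {
    weekly
    rotate 4
}
EOF
}

# Hardened policy: rotate daily or as soon as a file passes 100M, keep 14
# generations but nothing older than 90 days, date-stamp rotated names so
# a copy is identifiable without a listing, compress all but the newest
# archive (delaycompress lets the daemon finish writing it), recreate the
# live file root-only, and HUP rsyslog once after both files are rotated.
write_hardened_config() {
    cat > "$1" <<'EOF'
/var/log/secure /var/log/messages {
    daily
    maxsize 100M
    rotate 14
    maxage 90
    dateext
    compress
    delaycompress
    missingok
    notifempty
    create 0600 root root
    sharedscripts
    postrotate
        /usr/bin/systemctl kill -s HUP rsyslog.service 2>/dev/null || true
    endscript
}
EOF
}

# Dry run: logrotate -d prints what it would do and changes nothing.
# Uses a private state file so the real /var/lib/logrotate state is untouched.
dry_run() {
    logrotate -d -s "$DEMO_DIR/status" "$1"
}

write_weak_config "$DEMO_DIR/weak.conf"
write_hardened_config "$DEMO_DIR/hardened.conf"
if command -v logrotate >/dev/null 2>&1; then
    dry_run "$DEMO_DIR/hardened.conf" || echo "dry run reported errors for $DEMO_DIR/hardened.conf"
else
    echo "logrotate not installed; configs written to $DEMO_DIR"
fi
```

To adopt the hardened policy, copy the generated file to /etc/logrotate.d/ and remove the distribution's own stanza for the same files, since logrotate refuses duplicate entries for one log. Run logrotate -d against /etc/logrotate.conf afterwards to confirm the whole configuration still parses.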