DarkMatter in Cyberspace

Linux System Log

ArchLinux

# journalctl -f

CentOS

sudo tail -f /var/log/messages or sudo tail -f /var/log/syslog;

System logs

The login/logout of every user (including root) is recorded in /var/log/secure. All system logs are under the folder /var/log:

  • cron -- Logs for all cronjobs that are run on the server

  • dmesg -- Logs from dmesg program which is used to examine or control the kernel ring buffer.

  • lastlog -- The binary log that contains all of the last login information. (Type "last" to view)

  • messages -- System logs from syslogd

  • mysqld.log -- Logs from the mysqld process

  • secure -- Access logs from the sshd process

  • yum.log -- Logs from system updates via yum

Who loged in as root? cd /var/log; grep 'session opened for user root by' *

Get the user gaia last 5 login records: 

$ last -5 gaia
gaia     pts/5        10.21.2.82       Wed Apr  2 10:30 - 15:04  (04:33)
...

So you can get the login source IP, login duration, etc.

Configure logs

File "/etc/logrotate.conf" define the log file rotation frequency, count, etc.

If you want to add a system log, add a definition file in /etc/logrotate.d/.

Command history

Add "export HISTTIMEFORMAT=' %F %T '" into /etc/profile, then when use command history, you will see the command with a timestamp. This only works for bash, it's invalid for zsh.

A use case

A couple of days ago, some users find they can't write in their $HOME folder. I found it's because the owner of their home folder is changed to another user. Obviously this is done by root, but who and when do this actually? The following is how I worked it out.

  1. Find out when this happened?

    $ su -

    history|grep chown

    ... 804 2014-03-12 11:24:33 chown -R gcp /home ...

  2. Who did this?

    cd /var/log; grep 'session opened for user root by' *

    ... secure-20140316:Mar 12 09:44:12 bocoty49 su: pam_unix(su:session): session opened for user root by gcp(uid=501) ...

  3. Who is the 'gcp'?

    last -10 gcp

    ... gcp pts/6 10.21.2.106 Wed Mar 12 08:33 - 13:35 (05:01) ...

This whole story: the man with IP "10.21.2.106" ssh to the server at 08:33, switch to root with "su" at 09:44:12, run "chown -R gcp /home" at 11:24:33.

Published

Last Updated

Category

Tech

Tags

Contact