1. The /var directory
/var holds the login records and error-message files (LOG FILES) of all services under /var/log. In addition, some databases such as MySQL live under /var/lib, and the default location for a user's unread mail is /var/spool/mail.
2. /var/log/
System boot log: /var/log/boot.log
Example: Feb 26 10:40:48 sendmial : sendmail startup succeeded
This line means the mail service started successfully.
System logs are normally kept under /var/log.
Commonly used system logs:
Kernel boot log: /var/log/dmesg
System error log: /var/log/messages
Mail system log: /var/log/maillog
FTP log: /var/log/xferlog
Security information, system logins and network connections: /var/log/secure
Login records: /var/log/wtmp records who logged in; it is a binary file, so read it with last, or with who -u /var/log/wtmp.
News log: /var/log/spooler
RPM packages: /var/log/rpmpkgs
XFree86 log: /var/log/XFree86.0.log
Boot log: /var/log/boot.log records the boot-time messages; see also dmesg | more
cron (scheduled task) log: /var/log/cron
The file /var/run/utmp records the users currently logged in.
The file /var/log/wtmp records every login and logout.
The file /var/log/lastlog records each user's most recent login.
The file /var/log/btmp records failed login attempts.
less /var/log/auth.log: operations that required authentication
3. Selected log files in detail
/var/log/messages
The messages log is the core system log file. It contains the boot messages emitted at system start-up and the status messages produced while the system runs. I/O errors, network errors and other system errors are all recorded here, as is other information such as a user switching identity to root. If a service such as a DHCP server is running, its activity can be observed in the messages file. Normally /var/log/messages is the first file to check when troubleshooting.
/var/log/XFree86.0.log
This log records the result of the most recent run of the XFree86 X Window server. If the system has trouble starting in graphical mode, the cause of the failure can usually be found in this file.
http://www.guanwei.org/post/LINUXnotes/01/linuxlogs.html
One key to managing any system successfully is knowing what is happening on it. Linux provides detailed logs, and the level of detail is configurable. Linux logs are stored in plain text, so no special tools are needed to search and read them; scripts can also be written to scan the logs and act automatically on their content. Linux logs live in the /var/log directory. Several log files there are maintained by the system itself, but other services and programs may place their logs there too. Most logs are readable only by the root account, although changing a file's permissions makes it readable by others.
Log file categories
/var/log/boot.log
This file records the events of the boot process, i.e. the messages shown during the Linux power-on self-test.
/var/log/cron
This log records the actions of the child processes spawned by the crontab daemon crond, each prefixed with the user, login time and PID, followed by the action of the spawned process. A CMD action is the common case of cron spawning a scheduled process. A REPLACE action records a user updating their cron file, which lists the tasks to run periodically. A RELOAD action follows shortly after a REPLACE: cron noticed that a user's cron file was updated and reloaded it into memory. Unusual activity may show up in this file.
/var/log/maillog
This log records every e-mail message sent to or from the system. It can be used to see which mail tool a user used and which system the data was sent to. A fragment of the log:
Sep 4 17:23:52 UNIX sendmail[1950]: g849Npp01950: from=root, size=25,
class=0, nrcpts=1,
msgid=<200209040923.g849Npp01950@redhat.pfcc.com.cn>,
relay=root@localhost
Sep 4 17:23:55 UNIX sendmail[1950]: g849Npp01950: to=lzy@fcceec.net,
ctladdr=root (0/0), delay=00:00:04, xdelay=00:00:03, mailer=esmtp, pri=30025,
relay=fcceec.net. [10.152.8.2], dsn=2.0.0, stat=Sent (Message queued)
/var/log/messages
This log aggregates the logs of many processes; intrusion attempts and successful intrusions can be seen in it. For example, the following lines:
Sep 3 08:30:17 UNIX login[1275]: FAILED LOGIN 2 FROM (null) FOR suying, Authentication failure
Sep 4 17:40:28 UNIX -- suying[2017]: LOGIN ON pts/1 BY suying FROM fcceec.www.ec8.pfcc.com.cn
Sep 4 17:40:39 UNIX su(pam_unix)[2048]: session opened for user root by suying(uid=999)
Each line of the file contains a date, the host name and the program name, followed by square brackets holding the PID or a kernel identifier, a colon and a space, and finally the message. The file's drawback is that the recorded intrusion attempts and successful intrusions are buried among a large volume of records from normal processes. The file can be customized through the syslog configuration: /etc/syslog.conf determines how the system writes to /var/log/messages. How to configure /etc/syslog.conf to control system logging is described in detail later.
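The line layout just described (date, host, program name with optional PID in brackets, colon, message) is easy to pick apart with awk. The script below is an added example written for this page, not code from the original article: it splits syslog-style lines into columns, counts failed logins and lists which accounts opened a root session through su. The sample lines are constructed for the example (adapted from the excerpt above, with two made-up extra entries); host and user names are invented.

```shell
#!/bin/sh
# Added example: pull authentication events out of /var/log/messages-style lines.
# Line layout (from the text): "Mon DD HH:MM:SS host program[pid]: message".
# SAMPLE_MESSAGES is constructed for this example (adapted from the article's excerpt).
SAMPLE_MESSAGES='Sep 3 08:30:17 UNIX login[1275]: FAILED LOGIN 2 FROM (null) FOR suying, Authentication failure
Sep 3 08:30:25 UNIX login[1275]: FAILED LOGIN 3 FROM (null) FOR suying, Authentication failure
Sep 4 17:40:28 UNIX -- suying[2017]: LOGIN ON pts/1 BY suying FROM fcceec.www.ec8.pfcc.com.cn
Sep 4 17:40:39 UNIX su(pam_unix)[2048]: session opened for user root by suying(uid=999)
Sep 5 09:38:42 UNIX kernel: NET4: Linux TCP/IP 1.0 for NET4.0
Sep 5 10:02:11 UNIX su(pam_unix)[2101]: session opened for user root by lzy(uid=500)'

# Split every line into host, program, PID and message (tab-separated).
# The kernel logs without a PID, so the PID column may be empty.
split_messages() {
  printf '%s\n' "$1" | awk '{
    host = $4
    tag  = $5                         # "login[1275]:" or "kernel:"
    sub(/:$/, "", tag)
    prog = tag; pid = ""
    if (match(tag, /\[[0-9]+\]$/)) {  # move "[pid]" into its own column
      prog = substr(tag, 1, RSTART - 1)
      pid  = substr(tag, RSTART + 1, RLENGTH - 2)
    }
    msg = ""; sep = ""
    for (i = 6; i <= NF; i++) { msg = msg sep $i; sep = " " }
    printf "%s\t%s\t%s\t%s\n", host, prog, pid, msg
  }'
}

# Number of "FAILED LOGIN" records. grep -c exits 1 on zero matches, so the
# status is forced to 0 and the printed count is the result.
count_failed_logins() {
  printf '%s\n' "$1" | grep -c 'FAILED LOGIN' || true
}

# Accounts that became root via su, one per line, deduplicated.
root_su_users() {
  printf '%s\n' "$1" | awk '/session opened for user root by/ {
    n = split($0, parts, " by ")
    who = parts[n]
    sub(/\(uid=.*$/, "", who)       # "suying(uid=999)" -> "suying"
    print who
  }' | sort -u
}

echo "failed logins: $(count_failed_logins "$SAMPLE_MESSAGES")"
echo "became root via su:"
root_su_users "$SAMPLE_MESSAGES"
```

On a real system the sample string would be replaced by `cat /var/log/messages`; the functions only need the text on standard input in the same shape.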
/var/log/syslog
By default Red Hat Linux does not produce this log, but /etc/syslog.conf can be configured so that the system generates it. Unlike /var/log/messages, it records only warnings, which are often the messages that indicate a system problem, so it deserves closer attention. To have the system generate it, add the following line to /etc/syslog.conf: *.warning /var/log/syslog . This log records wrong passwords noted by login during user logins, Sendmail problems, and failed su commands. One record:
Sep 6 16:47:52 UNIX login(pam_unix)[2384]: check pass; user unknown
/var/log/secure
This log records security-related information. Part of its content:
Sep 4 16:05:09 UNIX xinetd[711]: START: ftp pid=1815 from=127.0.0.1
Sep 4 16:05:09 UNIX xinetd[1815]: USERID: ftp OTHER :root
Sep 4 16:07:24 UNIX xinetd[711]: EXIT: ftp pid=1815 duration=135(sec)
Sep 4 16:10:05 UNIX xinetd[711]: START: ftp pid=1846 from=127.0.0.1
Sep 4 16:10:05 UNIX xinetd[1846]: USERID: ftp OTHER :root
Sep 4 16:16:26 UNIX xinetd[711]: EXIT: ftp pid=1846 duration=381(sec)
Sep 4 17:40:20 UNIX xinetd[711]: START: telnet pid=2016 from=10.152.8.2
/var/log/lastlog
This log records the most recent successful login and the last unsuccessful login event; it is written by login and consulted at every user login. The file is binary and is viewed with the lastlog command, which lists, sorted by UID, the login name, port and time of last login. A user who has never logged in is shown as "**Never logged in**". The command can only be run as root. Simply typing lastlog shows output like the following:
Username Port From Latest
root tty2 Tue Sep 3 08:32:27 +0800 2002
bin **Never logged in**
daemon **Never logged in**
adm **Never logged in**
lp **Never logged in**
sync **Never logged in**
shutdown **Never logged in**
halt **Never logged in**
mail **Never logged in**
news **Never logged in**
uucp **Never logged in**
operator **Never logged in**
games **Never logged in**
gopher **Never logged in**
ftp ftp UNIX Tue Sep 3 14:49:04 +0800 2002
nobody **Never logged in**
nscd **Never logged in**
mailnull **Never logged in**
ident **Never logged in**
rpc **Never logged in**
rpcuser **Never logged in**
xfs **Never logged in**
gdm **Never logged in**
postgres **Never logged in**
apache **Never logged in**
lzy tty2 Mon Jul 15 08:50:37 +0800 2002
suying tty2 Tue Sep 3 08:31:17 +0800 2002
System accounts such as bin, daemon, adm, uucp and mail must never log in; if one of them shows a login, the system may have been compromised. If the recorded time is not when the user actually last logged in, that user's account has been compromised.
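The rule stated above (system accounts must never appear with a login time in lastlog) can be checked mechanically. The script below is an added example written for this page, not part of the original article: it reads lastlog-style output and flags any account from a watch list that shows a real login instead of "**Never logged in**". The watch list holds the five accounts the text names; extend it for your own system. The sample output is constructed (the daemon entry was added deliberately to trigger the alert); hosts and dates are made up.

```shell
#!/bin/sh
# Added example: flag system accounts that appear with a login in lastlog output.
# Accounts the text says must never log in (assumption: extend this list per site).
SYSTEM_ACCOUNTS='bin daemon adm uucp mail'

# Constructed lastlog-style output. Columns: Username Port [From] Latest.
# "From" is absent for local terminals (see the root row) and present for remote ones.
SAMPLE_LASTLOG='Username Port From Latest
root tty2 Tue Sep 3 08:32:27 +0800 2002
bin **Never logged in**
daemon pts/1 10.152.8.2 Mon Sep 2 23:14:05 +0800 2002
adm **Never logged in**
mail **Never logged in**
uucp **Never logged in**
lzy tty2 Mon Jul 15 08:50:37 +0800 2002'

# Print "account<TAB>port<TAB>rest-of-line" for each watch-listed account that
# has a login time instead of "**Never logged in**".
system_account_logins() {
  printf '%s\n' "$1" | awk -v list="$SYSTEM_ACCOUNTS" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) watch[a[i]] = 1 }
    NR == 1 { next }                                   # skip the header row
    ($1 in watch) && $2 != "**Never" {
      rest = $0
      sub(/^[^ ]+ +[^ ]+ +/, "", rest)                 # drop username and port
      printf "%s\t%s\t%s\n", $1, $2, rest
    }'
}

# Human-readable report. Returns 1 when something was flagged, so the function
# can drive a cron job or a monitoring check.
report_system_logins() {
  hits=$(system_account_logins "$1")
  if [ -z "$hits" ]; then
    echo "OK: no watched system account has ever logged in"
    return 0
  fi
  printf '%s\n' "$hits" | while IFS="$(printf '\t')" read -r acct port rest; do
    echo "ALERT: system account '$acct' logged in on $port ($rest)"
  done
  return 1
}

report_system_logins "$SAMPLE_LASTLOG" || echo "(investigate the accounts listed above)"
```

Feed it `lastlog` output on a live system; because lastlog must run as root, the check itself has to run with the same privilege.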
/var/log/wtmp
This log permanently records every user login and logout and every system boot and shutdown, so it grows as the system's uptime increases, at a rate that depends on how often users log in. It can be used to look up user login records: the last command reads this file and shows the login records in reverse order, from newest to oldest; last can also select records by user, terminal (tty) or time.
The last command takes two optional arguments:
last -u username: show the user's last login.
last -t days: show user logins from the given number of days ago.
/var/run/utmp
This log records information about every user currently logged in. It therefore changes constantly as users log in and out: it keeps records only for users who are online at the moment and retains no permanent history. Programs that query current user status, such as who, w, users and finger, read this file. The log is not always exact, because an unexpected error can terminate a user session without utmp being updated in time, so its records cannot be trusted one hundred percent.
The three files just mentioned (/var/log/wtmp, /var/run/utmp and /var/log/lastlog) are the key files of the logging subsystem and all record user logins; every record carries a timestamp. They are stored in binary form, so they cannot be read directly with less, cat and similar commands; the appropriate commands have to be used to look at them. utmp and wtmp share the same record structure, while lastlog uses a different one; the exact structures can be looked up with the man command.
Each time a user logs in, the login program looks up the user's UID in lastlog. If an entry exists, it writes the time of the user's previous login and logout and the host name to standard output; login then records the new login time in lastlog, opens the utmp file and inserts the user's utmp record, which stays there until it is removed when the user logs out. The utmp file is used by several commands, including who, w, users and finger.
Next, the login program opens wtmp and appends the user's utmp record. When the user logs out, the same utmp record, with an updated timestamp, is appended to the file. The wtmp file is used by the last program.
/var/log/xferlog
This log records FTP sessions and shows which files users copied to or from the FTP server. It reveals malicious programs a user copied onto the server to attack it, as well as which files the user copied for their own use.
The format of the file: the first field is the date and time; the second is the number of seconds the transfer took; then the remote system name, file size, local path name, transfer type (a: ASCII, b: binary), a compression-related flag or tar (or "_" if no compression), transfer direction relative to the server (i: in, o: out), access mode (a: anonymous, g: password entered, r: real user), user name, service name (usually ftp), authentication method (l: RFC931, or 0), and the authenticated user ID or "*". One record from the file:
Wed Sep 4 08:14:03 2002 1 UNIX 275531 /var/ftp/lib/libnss_files-2.2.2.so b _ o a -root@UNIX ftp 0 * c
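The field layout just described can be turned into a small parser. This is an added example written for this page, not code from the original: it labels each column of an xferlog record, lists the transfers that went into the server (direction i), since uploads are what the text says to look for, and sums bytes per remote host. The trailing column (c), present in the record above but not explained in the text, is the completion status of the wu-ftpd xferlog format (c complete, i incomplete). The sample records are constructed: the first is the article's own, the other two are made up (host, user and file names are invented). Whitespace splitting assumes file names without spaces; a name containing spaces would shift the columns.

```shell
#!/bin/sh
# Added example: parse wu-ftpd style xferlog records as described in the text.
# Field order (whitespace separated):
#  1-5 date/time  6 transfer secs  7 remote host  8 bytes  9 file name
#  10 type (a/b)  11 special action (C/U/T/_)  12 direction (i/o)
#  13 access mode (a/g/r)  14 user  15 service  16 auth method
#  17 authenticated user id or "*"  18 completion status (c/i)
# SAMPLE_XFERLOG is constructed: record 1 is from the article, 2 and 3 are made up.
SAMPLE_XFERLOG='Wed Sep 4 08:14:03 2002 1 UNIX 275531 /var/ftp/lib/libnss_files-2.2.2.so b _ o a -root@UNIX ftp 0 * c
Wed Sep 4 09:02:17 2002 3 10.152.8.2 20480 /var/ftp/incoming/update.tgz b _ i a anon@example.org ftp 0 * c
Wed Sep 4 09:10:44 2002 12 10.152.8.2 1048576 /home/lzy/backup.tar b _ o r lzy ftp 0 * c'

# One labelled line per record, so each column can be read without counting.
parse_xferlog() {
  printf '%s\n' "$1" | awk '{
    dir  = ($12 == "i") ? "upload" : "download"
    mode = ($13 == "a") ? "anonymous" : ($13 == "g") ? "guest" : "real"
    printf "%s %s %s %s %s secs=%s host=%s bytes=%s file=%s type=%s action=%s %s %s user=%s status=%s\n",
      $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, dir, mode, $14, $18
  }'
}

# Files copied onto the server: "mode user host file", one per upload.
inbound_transfers() {
  printf '%s\n' "$1" | awk '$12 == "i" { print $13, $14, $7, $9 }'
}

# Bytes moved per remote host, summed over all records (sorted by host).
bytes_per_host() {
  printf '%s\n' "$1" | awk '{ b[$7] += $8 } END { for (h in b) printf "%s %d\n", h, b[h] }' | sort
}

parse_xferlog "$SAMPLE_XFERLOG"
echo "--- uploads ---"
inbound_transfers "$SAMPLE_XFERLOG"
echo "--- bytes per host ---"
bytes_per_host "$SAMPLE_XFERLOG"
```

Anonymous uploads into a writable directory are the case the text warns about; `inbound_transfers` makes them a one-line list that can be reviewed or fed to a daily report.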
/var/log/kernlog
By default Red Hat Linux does not record this log. To enable it, add the following line to /etc/syslog.conf: kern.* /var/log/kernlog . This turns on recording of all kernel messages into /var/log/kernlog. The file records devices being loaded or used at system start-up. This is normally legitimate activity, but if it records such operations by users who have no authority to perform them, take note, because this may be a malicious user's activity. Part of the file:
Sep 5 09:38:42 UNIX kernel: NET4: Linux TCP/IP 1.0 for NET4.0
Sep 5 09:38:42 UNIX kernel: IP Protocols: ICMP, UDP, TCP, IGMP
Sep 5 09:38:42 UNIX kernel: IP: routing cache hash table of 512 buckets, 4Kbytes
Sep 5 09:38:43 UNIX kernel: TCP: Hash tables configured (established 4096 bind 4096)
Sep 5 09:38:43 UNIX kernel: Linux IP multicast router 0.06 plus PIM-SM
Sep 5 09:38:43 UNIX kernel: NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
Sep 5 09:38:44 UNIX kernel: EXT2-fs warning: checktime reached, running e2fsck is recommended
Sep 5 09:38:44 UNIX kernel: VFS: Mounted root (ext2 filesystem).
Sep 5 09:38:44 UNIX kernel: SCSI subsystem driver Revision: 1.00
/var/log/Xfree86.x.log
This log records how X Window started. Apart from /var/log/, a malicious user may leave traces elsewhere, so the following places also deserve attention: the shell history files of root and other accounts; users' mailboxes such as .sent and mbox, plus the mailboxes under /var/spool/mail/ and /var/spool/mqueue; temporary files in /tmp, /usr/tmp and /var/tmp; hidden directories; and other files created by a malicious user, typically hidden files whose names begin with ".".
4. Specific commands
wtmp and utmp are binary files; they cannot be cut with commands such as tail or merged with cat. The information they contain is accessed through the commands who, w, users, last and ac.
The who command
who queries the utmp file and reports every user currently logged in. Its default output includes the user name, terminal, login time and remote host. For example, typing who and pressing Enter shows:
chyang pts/0 Aug 18 15:06
ynguo pts/2 Aug 18 15:32
ynguo pts/3 Aug 18 13:55
lewis pts/4 Aug 18 13:35
ynguo pts/7 Aug 18 14:12
ylou pts/8 Aug 18 14:15
If a wtmp file name is given, who queries all past records: who /var/log/wtmp reports every login since the wtmp file was created or last truncated.
The w command
w queries the utmp file and shows every user on the system together with the processes they are running. For example, typing w and pressing Enter shows:
3:36pm up 1 day, 22:34, 6 users, load average: 0.23, 0.29, 0.27
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
chyang pts/0 202.38.68.242 3:06pm 2:04 0.08s 0.04s -bash
ynguo pts/2 202.38.79.47 3:32pm 0.00s 0.14s 0.05 w
lewis pts/3 202.38.64.233 1:55pm 30:39 0.27s 0.22s -bash
lewis pts/4 202.38.64.233 1:35pm 6.00s 4.03s 0.01s sh /home/users/
ynguo pts/7 simba.nic.ustc.e 2:12pm 0.00s 0.47s 0.24s telnet mail
ylou pts/8 202.38.64.235 2:15pm 1:09m 0.10s 0.04s -bash
The users command
users prints the currently logged-in users on a single line, one name per login session, so a user with more than one session appears that many times. For example, typing users and pressing Enter shows:
chyang lewis lewis ylou ynguo ynguo
The last command
last searches backwards through wtmp and shows the users who have logged in since the file was created. For example:
chyang pts/9 202.38.68.242 Tue Aug 1 08:34 - 11:23 (02:49)
cfan pts/6 202.38.64.224 Tue Aug 1 08:33 - 08:48 (00:14)
chyang pts/4 202.38.68.242 Tue Aug 1 08:32 - 12:13 (03:40)
lewis pts/3 202.38.64.233 Tue Aug 1 08:06 - 11:09 (03:03)
lewis pts/2 202.38.64.233 Tue Aug 1 07:56 - 11:09 (03:12)
If a user is named, last reports only that user's recent activity. For example, typing last ynguo and pressing Enter shows:
ynguo pts/4 simba.nic.ustc.e Fri Aug 4 16:50 - 08:20 (15:30)
ynguo pts/4 simba.nic.ustc.e Thu Aug 3 23:55 - 04:40 (04:44)
ynguo pts/11 simba.nic.ustc.e Thu Aug 3 20:45 - 22:02 (01:16)
ynguo pts/0 simba.nic.ustc.e Thu Aug 3 03:17 - 05:42 (02:25)
ynguo pts/0 simba.nic.ustc.e Wed Aug 2 01:04 - 03:16 1+02:12)
ynguo pts/0 simba.nic.ustc.e Wed Aug 2 00:43 - 00:54 (00:11)
ynguo pts/9 simba.nic.ustc.e Thu Aug 1 20:30 - 21:26 (00:55)
The ac command
ac reports users' connect time in hours, based on the logins and logouts in the current /var/log/wtmp; without flags it reports the total. For example, typing ac and pressing Enter shows:
total 5177.47
Typing ac -d and pressing Enter shows the total connect time per day:
Aug 12 total 261.87
Aug 13 total 351.39
Aug 14 total 396.09
Aug 15 total 462.63
Aug 16 total 270.45
Aug 17 total 104.29
Today total 179.02
Typing ac -p and pressing Enter shows the total connect time per user:
ynguo 193.23
yucao 3.35
rong 133.40
hdai 10.52
zjzhu 52.87
zqzhou 13.14
liangliu 24.34
total 5178.24
The lastlog command
The lastlog file is consulted each time a user logs in. The lastlog command checks when a particular user last logged in and prints the contents of the last-login log /var/log/lastlog in formatted form, sorted by UID: login name, port (tty) and time of last login. For a user who has never logged in it shows **Never logged in**. The command must be run as root. For example:
rong 5 202.38.64.187 Fri Aug 18 15:57:01 +0800 2000
dbb **Never logged in**
xinchen **Never logged in**
pb9511 **Never logged in**
xchen 0 202.38.64.190 Sun Aug 13 10:01:22 +0800 2000
Options can be added: "last -u 102" reports the user with UID 102, and "last -t 7" restricts the report to the past week.
5. Process accounting
UNIX can track every command run by every user. If you want to know which important files were tampered with last night, the process accounting subsystem can tell you; it also helps in tracking an intruder. Unlike the connect-time logs, process accounting is not active by default and must be started. On Linux it is started with the accton command, which must be run as root.
The form of the command is accton file, and file must already exist.
First create the pacct file with touch: touch /var/log/pacct, then run accton: accton /var/log/pacct. Once accton is active, the lastcomm command can be used to monitor the commands executed on the system at any time. To turn accounting off, run accton without any argument.
lastcomm reports previously executed commands. Without arguments it shows information about every command recorded during the lifetime of the current accounting file: command name, user, tty, CPU time consumed and a timestamp. On a system with many users the output can be very long. For example:
crond F root ?? 0.00 secs Sun Aug 20 00:16
promisc_check.s S root ?? 0.04 secs Sun Aug 20 00:16
promisc_check root ?? 0.01 secs Sun Aug 20 00:16
grep root ?? 0.02 secs Sun Aug 20 00:16
tail root ?? 0.01 secs Sun Aug 20 00:16
sh root ?? 0.01 secs Sun Aug 20 00:15
ping S root ?? 0.01 secs Sun Aug 20 00:15
ping6.pl F root ?? 0.01 secs Sun Aug 20 00:15
sh root ?? 0.01 secs Sun Aug 20 00:15
ping S root ?? 0.02 secs Sun Aug 20 00:15
ping6.pl F root ?? 0.02 secs Sun Aug 20 00:15
sh root ?? 0.02 secs Sun Aug 20 00:15
ping S root ?? 0.00 secs Sun Aug 20 00:15
ping6.pl F root ?? 0.01 secs Sun Aug 20 00:15
sh root ?? 0.01 secs Sun Aug 20 00:15
ping S root ?? 0.01 secs Sun Aug 20 00:15
sh root ?? 0.02 secs Sun Aug 20 00:15
ping S root ?? 1.34 secs Sun Aug 20 00:15
locate root ttyp0 1.34 secs Sun Aug 20 00:15
accton S root ttyp0 0.00 secs Sun Aug 20 00:15
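Once accounting is on (the touch and accton steps above), lastcomm output like the listing just shown is plain text that can be summarized. The script below is an added example written for this page, not code from the original: it parses lastcomm lines from the right, because the flags column is optional, then counts commands per user, totals CPU seconds for one user, and lists the commands that ran without a controlling terminal (shown as ??), which is where cron- or daemon-spawned activity appears. The sample consists of lines taken from the listing above plus one constructed entry for a made-up user lzy.

```shell
#!/bin/sh
# Added example: summarize lastcomm output.
# Line layout: command [flags] user tty cpu "secs" weekday month day time.
# The flags column (S, F, ...) may be absent, so fields are read from the right.
# SAMPLE_LASTCOMM: lines from the article's listing plus a constructed "lzy" entry.
SAMPLE_LASTCOMM='crond F root ?? 0.00 secs Sun Aug 20 00:16
promisc_check.s S root ?? 0.04 secs Sun Aug 20 00:16
promisc_check root ?? 0.01 secs Sun Aug 20 00:16
grep root ?? 0.02 secs Sun Aug 20 00:16
ping S root ?? 0.01 secs Sun Aug 20 00:15
ping6.pl F root ?? 0.01 secs Sun Aug 20 00:15
locate root ttyp0 1.34 secs Sun Aug 20 00:15
accton S root ttyp0 0.00 secs Sun Aug 20 00:15
vi lzy pts/2 0.12 secs Sun Aug 20 00:10'

# Normalize to "command<TAB>flags<TAB>user<TAB>tty<TAB>cpu".
lastcomm_fields() {
  printf '%s\n' "$1" | awk '{
    cpu = $(NF - 5); tty = $(NF - 6); user = $(NF - 7)
    flags = (NF - 8 >= 2) ? $2 : ""      # whatever sits between command and user
    printf "%s\t%s\t%s\t%s\t%s\n", $1, flags, user, tty, cpu
  }'
}

# "user count" per user, sorted by user name.
commands_per_user() {
  lastcomm_fields "$1" | awk -F'\t' '{ c[$3]++ } END { for (u in c) print u, c[u] }' | sort
}

# Total CPU seconds charged to one user, two decimals.
cpu_seconds_for_user() {
  lastcomm_fields "$1" | awk -F'\t' -v u="$2" '$3 == u { s += $5 } END { printf "%.2f\n", s }'
}

# Commands that had no controlling terminal: cron jobs, daemons, detached sessions.
no_tty_commands() {
  lastcomm_fields "$1" | awk -F'\t' '$4 == "??" { print $1, $3 }'
}

echo "commands per user:";  commands_per_user "$SAMPLE_LASTCOMM"
echo "root CPU seconds: $(cpu_seconds_for_user "$SAMPLE_LASTCOMM" root)"
echo "ran without a tty:"; no_tty_commands "$SAMPLE_LASTCOMM"
```

On a live system replace the sample with `lastcomm` output; comparing the per-user counts and the no-tty list against a known-good baseline is a simple way to notice accounting entries that should not be there.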
One problem with process accounting is that the pacct file can grow very quickly. The sa command then has to be run, interactively or via cron, to keep the log data under control. sa reports on, cleans up and maintains the accounting files: it condenses the information in /var/log/pacct into the summary files /var/log/savacct and /var/log/usracct, which hold the statistics grouped by command name and by user name. By default sa reads these first and then reads pacct, so the report covers all available information. The output of sa contains the following fields.
The 20 Linux log files under /var/log explained:
Anyone who intends to spend time in a Linux environment should first know where the log files are and what they contain. Getting to know these different log files while the system is running normally helps you locate and fix problems calmly when an emergency arises.
The following describes 20 log files under /var/log/. Some exist only on particular distributions; dpkg.log, for example, is found only on Debian-based systems.
/var/log/messages: general system information, including the log of the boot period. Messages from mail, cron, daemon, kern and auth are also recorded in /var/log/messages.
/var/log/dmesg: the kernel ring buffer. At boot the kernel prints a great deal of hardware-related information to the screen; it can be viewed with dmesg.
/var/log/auth.log: system authorization information, including user logins and the privilege mechanisms used.
/var/log/boot.log: the system start-up log.
/var/log/daemon.log: log messages from the various system background daemons.
/var/log/dpkg.log: the log of packages installed or removed with the dpkg command.
/var/log/kern.log: kernel-generated log messages, useful for troubleshooting a custom kernel.
/var/log/lastlog: the most recent login of every user. It is not an ASCII file, so it has to be viewed with the lastlog command.
/var/log/maillog or /var/log/mail.log: log messages from the mail server running on the system; sendmail, for example, sends all of its log messages to this file.
/var/log/user.log: all user-level log messages.
/var/log/Xorg.x.log: log messages from X.
/var/log/alternatives.log: information about alternatives updates is recorded here.
/var/log/btmp: all failed login attempts. It is viewed with the last command, for example "last -f /var/log/btmp | more".
/var/log/cups: all printing-related log messages.
/var/log/anaconda.log: all installation messages recorded while Linux was installed.
/var/log/yum.log: information about packages installed with yum.
/var/log/cron: whenever the cron daemon starts a job, the related information is recorded here.
/var/log/secure: authentication and authorization information; sshd, for example, logs everything here, including failed logins.
/var/log/wtmp or /var/log/utmp: login information. wtmp can be used to find out who is logging in to the system and who displayed this file's information with a command.
/var/log/faillog: failed user logins; mistyped login commands are also recorded here.
Besides the log files above, /var/log also contains the following subdirectories, depending on the applications installed on the system:
/var/log/httpd/ or /var/log/apache2: the web server's access_log and error_log.
/var/log/lighttpd/: the access_log and error_log of lighttpd.
/var/log/mail/: additional mail server logs.
/var/log/prelink/: information about .so files modified by prelink.
/var/log/audit/: information stored by the Linux audit daemon.
/var/log/samba/: information stored by Samba.
/var/log/sa/: the daily sar files collected by the sysstat package.
/var/log/sssd/: logs of the System Security Services Daemon.
Besides archiving and clearing these log files by hand, logrotate can be used to remove them automatically once they reach a given size. Commands such as vi, tail, grep and less can be used to view them.