| Lesson 2 | Examining system logs |
| Objective | Examine contents of System Logs for Significant Events |
Examine contents of System Logs for Significant Events
Before you begin looking through logfiles for significant events, you must know the format of logfiles. Most Linux logfiles have a common, fixed format that has four elements
- The date and time of the message
- The hostname from where the message came, which is important when you have enabled centralized system logging
- The name of the application or subsystem from where the message came, for example,
kernel,ftpd, and so on - The actual message,>which is the remainder of the line following the colon
The following diagram below shows typical entries from a
/var/log/messages logfile.
Logfiles used for Troubleshooting
/var/log/dmesg /var/log/messages /var/log/maillog /var/log/xferlog
Kernel boot Messages
Kernel boot messages. Stores messages from the kernel that were raised during the boot process. Standard system error messages. Contains message from system software, nonkernel boot issues, and messages that go to dmesg. Service-specific errors. Contains messages and errors from your sendmail SMTP subsystem. Look here if you are experiencing mail set-up problems.
Service-specific errors. Contains messages and errors from your ftpd FTP subsystem.Look here if you are experiencing FTP set-up problems.
/var/log/dmesg : This file contains the messages that are sent to the console terminal as the system boots up, including messages relating to the kernel being started and hardware being recognized. If a piece of hardware is not working, you can check here to make sure that the kernel found the hardware and configured it properly.
Moving around the file
Besides the few movement commands described earlier, there are other ways of moving around a vi file.
To try these out, you may want to open a large file that you can’t do much damage to. (How about copying
/var/log/messages to /tmp?) Here are some possibilities:
- Ctrl+f : Page ahead, one page at a time.
- Ctrl+b : Page back, one page at a time.
- Ctrl+d : Page ahead 1/2 page at a time.
- Ctrl+u : Page back 1/2 page at a time.
- G : Go to the last line of the file.
- 1G : Go to the first line of the file. (Instead of 1, you could use any number to go to that line number in the file.)
The xferlog logfile has its own format. Check the xferlog man page for a description of each field.
Looking for significant events
Examining Root Logins
Examining the system logs is an important part of system administration. To ensure that problems are caught and resolved in a timely fashion, you should check your system's logs for significant events. View the table below to see how to identify commonly logged, significant events
If you have built a monolithic kernel for your firewall (strongly suggested), check for module insertion activity with grep insmod /var/log/messages.
A monolithic kernel should not have any modules inserted into it; if someone tried, it might be a sign of security compromise.
If you have built a monolithic kernel for your firewall (strongly suggested), check for module insertion activity with grep insmod /var/log/messages.
A monolithic kernel should not have any modules inserted into it; if someone tried, it might be a sign of security compromise.
| Event | How to identify |
|---|---|
| root logins | grep "login.*for user root" /var/log/messages |
| root login failures | grep "FAILED LOGIN.*FOR root" /var/log/messages |
| su failures | grep "failure.*root for su" /var/log/messages |
| anonymous ftp | grep "ANONYMOUS" /var/log/messages |
| password updates | grep "password" /var/log/messages |
| general error strings | egrep -i "(fatal|unauthorized|illegal|denied|hack|sniff|spoof|spy)" /var/log/messages |
The next lesson explains how to configure the system log