User Accounting

Lesson 6 Logfiles
Objective Use logfiles for accounting and auditing.

Use logfiles for Accounting and Auditing

Logfiles may be generated either by the default Linux installation or by installing utilities that create additional logging. These logfiles assist process accounting by retaining details that aid in troubleshooting and in detecting attacks. Normally you will find them in the /var/log directory, broken up into groups relating to networks, users, and processes. The default Red Hat installation provides mechanisms for gathering information on network connections. Two network logs are created automatically: one tracking FTP connections, /var/log/xferlog, and the other listing all failed remote connection attempts, /var/log/secure. Both files can be viewed with the less or head command; to see the latest additions, use tail, which shows the end of the file.
Logfiles are also created automatically to keep track of what users are doing. The file /var/run/utmp lists all currently connected users; view it with the who command. A history of all users who have logged in is kept in /var/log/utmp, which can also be viewed with the who command. Reviewing these files may help you find people who are abusing your system.
The logfiles that track process execution are not created automatically; process accounting must be configured on your system. Once installed and enabled, the file /var/log/pacct will contain process-execution records, which may be viewed with the lastcomm command. This information can be valuable in troubleshooting and in investigating security problems.
The following series of images describes what these log files look like.
Logfile Contents in Redhat Linux
1) This shows the end of the messages log, /var/log/messages. It shows the date, time, machine, user, and message generated.

2) This shows the end of the security log, /var/log/secure. It lists all failed attempts to access the machine: date, time, host machine, network service requested, and where the service was requested from.

3) The file /var/log/xferlog shows incoming and outgoing file transfers. It lists the date, time, machine name the information is being transferred to, file being transferred, user requesting the transfer, service used for the transfer, and whether it completed.

4) This shows all the users who are currently connected, by listing the end of /var/run/utmp.

5) This shows a history of all the users who have logged in, by examining /var/log/utmp. It lists the user name, where they logged in from, and the date and time of the login.

6) This shows the last few entries from the process accounting log. Currently there are no entries, indicating either that the logfiles were recently rotated or that process accounting was just started.
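As an added example that is not part of the original lesson, the POSIX shell functions below summarise failed SSH password attempts by source address from lines in the /var/log/secure format shown in image 2. The sample lines, the host name rhbox and the addresses are constructed, and the functions assume sshd's "Failed password ... from ADDRESS port N" message form.

```shell
#!/bin/sh
# Constructed sample lines in the /var/log/secure format: month day time host
# service[pid]: message. Host "rhbox" and the addresses are made up for the demo.
SAMPLE_SECURE='Mar  3 10:01:12 rhbox sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 52214 ssh2
Mar  3 10:01:15 rhbox sshd[2203]: Failed password for root from 192.0.2.10 port 52216 ssh2
Mar  3 10:01:19 rhbox sshd[2205]: Failed password for root from 192.0.2.10 port 52220 ssh2
Mar  3 10:02:40 rhbox sshd[2230]: Accepted password for alice from 198.51.100.7 port 40122 ssh2
Mar  3 10:05:02 rhbox sshd[2301]: Failed password for bob from 198.51.100.7 port 40130 ssh2'

SECURE_FILE=$(mktemp)
trap 'rm -f "$SECURE_FILE"' EXIT
printf '%s\n' "$SAMPLE_SECURE" > "$SECURE_FILE"

# failed_by_source FILE
# Prints "COUNT ADDRESS" for every source that produced a "Failed password"
# line, most frequent first. Only sshd's "... from ADDRESS port N" form is
# handled; "Accepted" lines are ignored, so a successful login from a noisy
# source does not hide the failures that preceded it.
failed_by_source() {
    grep 'Failed password' "$1" \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# flag_sources FILE THRESHOLD
# Prints the addresses whose failure count reaches THRESHOLD; a low threshold
# over a short window is the usual starting point for a brute-force alert.
flag_sources() {
    failed_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

failed_by_source "$SECURE_FILE"
flag_sources "$SECURE_FILE" 3
```

On a live system, point the functions at /var/log/secure (and its rotated copies) instead of the constructed file.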

Command in Red Hat Linux to view log files

In Red Hat Linux, the usual command for viewing the end of a log file is "tail". The "tail" command shows the last few lines of a log file, which is useful for monitoring system activity and troubleshooting issues. To view the last 10 lines of a log file, use the following command:
tail -n 10 /var/log/<logfile>

Replace "<logfile>" with the name of the log file you want to view. For example, to view the last 10 lines of the system log file, you can use:
tail -n 10 /var/log/messages

If you want to continuously monitor the log file and view new entries as they are added, you can use the "tail -f" command. For example:
tail -f /var/log/messages

This command will display the last few lines of the log file and then continuously monitor the file for new entries. Any new entries will be displayed in real-time as they are added to the log file. To exit the "tail -f" command, press "Ctrl + C".

View Logfiles Command in Red Hat Linux

The following screen illustrates the results when viewing logfiles.
Viewing Log files in Redhat

How Do I View Logs Files on Linux?
I am a new Linux user and would like to know where the log files are located on a Debian/Ubuntu or CentOS/RHEL/Fedora Linux server.
Question: How do I open or view log files on Linux operating systems?
Almost all logfiles are located under the /var/log directory and its sub-directories on Linux.
You can change to this directory using the cd command. You need to be the root user to view or access log files on Linux or Unix-like operating systems. You can use the following commands to see the log files:
All of the following commands can be used in Red Hat Linux to view and interact with log files.
Here's a brief overview of how each command can be used:
  1. `less` command: Opens a file for viewing one page at a time. You can scroll up and down through the log file. Useful for large log files.
    • Example: less /var/log/syslog
  2. `more` command: Similar to `less`, but you can only scroll forward. It’s an older command and not as flexible as `less`.
    • Example: more /var/log/syslog
  3. `cat` command: Displays the entire content of a file at once. If the log file is large, it may be difficult to read.
    • Example: cat /var/log/syslog
  4. `grep` command: Searches for specific patterns or strings in a file. Useful for filtering log entries.
    • Example: grep "error" /var/log/syslog
  5. `tail` command: Displays the last few lines of a file. It’s useful for monitoring log files in real time using the `-f` option.
    • Example: tail -f /var/log/syslog
  6. `zcat` command: Used to view the contents of compressed log files (`.gz` format) without decompressing them.
    • Example: zcat /var/log/syslog.gz
  7. `zgrep` command: Similar to `grep`, but works on compressed files (`.gz` format).
    • Example: zgrep "error" /var/log/syslog.gz
  8. `zmore` command: Similar to `more`, but for compressed files. It allows viewing a compressed file page by page.
    • Example: zmore /var/log/syslog.gz
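As an added example that is not from the original page, the shell function below applies the grep and zcat items from the list above to a log together with its rotated copies: logrotate leaves older entries in files such as messages.1.gz, so a search that looks only at the live file misses them. The directory, file names and log lines are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample: a live "messages" log plus one rotated, compressed copy,
# laid out the way logrotate leaves them. Not taken from any real system.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
printf '%s\n' \
  'Mar  4 08:00:01 rhbox crond[811]: (root) CMD (run-parts /etc/cron.hourly)' \
  'Mar  4 08:03:44 rhbox kernel: EXT4-fs error (device sda1): bad entry in directory' \
  > "$WORKDIR/messages"
printf '%s\n' \
  'Mar  3 23:10:02 rhbox kernel: usb 1-1: device descriptor read error' \
  'Mar  3 23:40:00 rhbox sshd[1900]: Accepted publickey for alice from 198.51.100.7' \
  > "$WORKDIR/messages.1"
gzip "$WORKDIR/messages.1"        # becomes messages.1.gz

# search_logs PATTERN BASENAME DIR
# Case-insensitive search of DIR/BASENAME and every rotated copy DIR/BASENAME.*.
# Plain files are read with grep; .gz files are streamed through zcat, so nothing
# is decompressed onto disk. Each hit is printed as FILE:LINE, live file first,
# then the rotated copies in glob order.
search_logs() {
    pattern=$1; base=$2; dir=$3
    for f in "$dir/$base" "$dir/$base".*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.gz) zcat "$f" | grep -i -- "$pattern" | sed "s|^|$f:|" ;;
            *)    grep -i -- "$pattern" "$f"        | sed "s|^|$f:|" ;;
        esac
    done
}

# count_matches PATTERN BASENAME DIR: number of matching lines across all copies
count_matches() {
    search_logs "$1" "$2" "$3" | wc -l | tr -d ' '
}

search_logs error messages "$WORKDIR"
```

For a real review, call it as search_logs 'Failed password' secure /var/log to cover every rotation of /var/log/secure in one pass.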

These commands are all commonly used in Red Hat Linux for inspecting log files, and each has its own advantages depending on your needs, such as viewing large logs, searching for specific entries, or working with compressed log files. Note that the examples above use /var/log/syslog, the Debian/Ubuntu name for the general system log; on Red Hat the equivalent file is /var/log/messages.
The next lesson concludes this module.

