Log Management in Linux System


Logging is very important for security. It records the various things that happen in the system every day. You can use it to find the cause of an error, or to find the traces an attacker left behind. The main functions of the log are auditing and monitoring: monitoring the system status in real time, monitoring and tracking intruders, and so on. So where are the logs stored? /var/log is the directory where the logs are kept.

The commonly used log files are:
btmp      records failed login attempts
lastlog   records the last few successful logins and the last unsuccessful login of each user
messages  general information recorded by syslog (on some systems a syslog file is linked here)
utmp      records each user currently logged in
wtmp      system login records: logins and logouts

Viewing login information: we can also view the login log with the last command, which shows which user logged in to the system and at what time.

/var/log/lastlog    # last login information
lastlog             # shows when every user last logged in to the system
/var/log/btmp       # failed login attempts
lastb               # view them
If you find that your btmp file has become very large, there is a good chance that someone is brute-forcing your host.

The difference between lastlog and last: last shows the source IP of each login; lastlog shows the last login of every account, which makes it useful for spotting backdoor accounts.
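As an added example (not from the original post): a small shell helper that summarises failed logins per source address from lastb output, the check the text suggests when btmp grows large. The sample output and the 10 MiB size limit are constructed assumptions; on a real host pipe `lastb` into the function.

```shell
#!/bin/bash
# Constructed sample resembling `lastb` output (user, tty, source IP, time).
# In real use, feed the output of `lastb` (which reads /var/log/btmp) instead.
SAMPLE_LASTB='root     ssh:notty    203.0.113.5      Mon Mar  4 10:01 - 10:01  (00:00)
admin    ssh:notty    203.0.113.5      Mon Mar  4 10:01 - 10:01  (00:00)
root     ssh:notty    203.0.113.5      Mon Mar  4 10:02 - 10:02  (00:00)
test     ssh:notty    203.0.113.5      Mon Mar  4 10:02 - 10:02  (00:00)
root     ssh:notty    198.51.100.7     Mon Mar  4 11:15 - 11:15  (00:00)
alice    tty1                          Mon Mar  4 12:00 - 12:00  (00:00)

btmp begins Mon Mar  4 09:00:00 2024'

# Count failed logins per source IP and print "count ip" for every source at or
# above the threshold (default 3), most active first. Local console failures
# have no IP in the third column and are skipped, as is the trailing summary.
failed_logins_by_ip() {   # usage: failed_logins_by_ip [threshold] < lastb_output
    threshold="${1:-3}"
    awk -v t="$threshold" '
        /^btmp begins/ || NF == 0 { next }
        $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { n[$3]++ }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' | sort -rn
}

# The size check from the text: a large btmp usually means a brute-force attempt.
btmp_is_large() {   # usage: btmp_is_large /path/to/btmp [limit_bytes]
    f="$1"; limit="${2:-10485760}"   # assumed default limit: 10 MiB
    [ -f "$f" ] && [ "$(wc -c < "$f" | tr -d ' ')" -gt "$limit" ]
}

printf '%s\n' "$SAMPLE_LASTB" | failed_logins_by_ip 3
```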

Log facilities and levels
Facility (log type):
daemon           background processes
kern             kernel messages
lpr              printing system
authpriv         security and authentication
cron             scheduled tasks
mail             mail system
syslog           the log service itself
news             news system
local0 - local7  eight facilities reserved for other programs or user-defined use
Level (from least to most severe):
debug     troubleshooting information
info      normal information
notice    worth attention
warn      warning
err       error
crit      critical error
alert     alert
emerg     emergency

Log service
Old version (RHEL 5): service name syslog, configuration file /etc/syslog.conf.
RHEL 6-7: service name rsyslog, configuration file /etc/rsyslog.conf.
Edit the configuration file:
vim /etc/rsyslog.conf
#kern.*                                   /dev/console        # kernel logs of all levels go to the console
*.info;mail.none;authpriv.none;cron.none  /var/log/messages   # info and above of every facility except mail, authpriv and cron (they generate too many logs, which makes the file hard to read); the form is facility.level
authpriv.*                                /var/log/secure     # authentication information
mail.*                                    -/var/log/maillog   # mail related information
cron.*                                    /var/log/cron       # scheduled task information
local7.*                                  /var/log/boot.log   # information displayed at boot
Note on the "-" sign: mail produces a lot of messages, so they are buffered in memory and written to disk only once a certain size is reached, which reduces the I/O overhead. Because the data sits in memory, it is lost if the system is not shut down properly.

Rules for writing the selector:
facility.info     records everything at info level and above
facility.=info    records only the info level
facility.!err     records every level except err
facility.none     excludes that facility entirely

Customizing the ssh service log

# Edit the rsyslog configuration file
vim /etc/rsyslog.conf
local0.*    /var/log/sshd.log    # path where the log is saved
# Define the facility the ssh service logs to: edit the sshd main configuration file
vim /etc/ssh/sshd_config

# Restart the rsyslog service so the configuration takes effect
systemctl restart rsyslog
# Restart the sshd service to generate a log entry
systemctl restart sshd
# Check whether the corresponding log has been generated
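The whole procedure above as an added script (not from the original post). It assumes the facility local0 as the text does, and uses sshd's SyslogFacility keyword, which the page does not show, to select that facility; the file paths can be overridden so it can be rehearsed on copies before touching /etc.

```shell
#!/bin/bash
# Paths default to the real system files; point the variables at copies to dry-run.
RSYSLOG_CONF="${RSYSLOG_CONF:-/etc/rsyslog.conf}"
SSHD_CONF="${SSHD_CONF:-/etc/ssh/sshd_config}"
SSHD_LOG="${SSHD_LOG:-/var/log/sshd.log}"
FACILITY="${FACILITY:-local0}"          # the facility the text assigns to sshd

facility_upper() { printf '%s' "$FACILITY" | tr '[:lower:]' '[:upper:]'; }

# rsyslog side: route everything on the facility to its own file. The rule is
# appended only once, so re-running the script does not duplicate it.
add_rsyslog_rule() {
    grep -Eq "^[[:space:]]*${FACILITY}\.\*[[:space:]]" "$RSYSLOG_CONF" \
        || printf '%s.*\t%s\n' "$FACILITY" "$SSHD_LOG" >> "$RSYSLOG_CONF"
}

# sshd side: the facility is selected with the SyslogFacility keyword. The first
# existing line (active or commented out) is replaced and any duplicate dropped;
# if there is none, the keyword is appended. Rewriting through a temp file keeps
# the original file's owner and mode.
set_sshd_facility() {
    tmp="$(mktemp)"
    awk -v v="SyslogFacility $(facility_upper)" '
        /^[[:space:]]*#?[[:space:]]*SyslogFacility[[:space:]]/ { if (!done) print v; done = 1; next }
        { print }
        END { if (!done) print v }
    ' "$SSHD_CONF" > "$tmp" && cat "$tmp" > "$SSHD_CONF"
    rm -f "$tmp"
}

# Check both files carry exactly the lines the procedure requires.
verify_sshd_logging() {
    grep -Fxq "$(printf '%s.*\t%s' "$FACILITY" "$SSHD_LOG")" "$RSYSLOG_CONF" \
        && grep -Fxq "SyslogFacility $(facility_upper)" "$SSHD_CONF"
}

apply_sshd_logging() { add_rsyslog_rule && set_sshd_facility && verify_sshd_logging; }

# Run as root with the "apply" argument, then restart the services as the text does
# and look at the new file after the next ssh login:
#   systemctl restart rsyslog && systemctl restart sshd && tail /var/log/sshd.log
if [ "${1:-}" = "apply" ]; then apply_sshd_logging; fi
```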

Log rotation. Logs under Linux are rotated periodically. The configuration files that control log rotation are /etc/logrotate.conf and the detailed configuration files under /etc/logrotate.d/. Logs grow very large: letting them be written without limit is a terrible thing, as they accumulate into hundreds of megabytes of disk space over time, and finding a particular piece of information in them becomes like looking for a needle in a haystack. The principle of rotation is: when the log reaches a certain size, we archive it, keep a backup of the previous log, and then create a file with the same name to hold the new entries.

vim /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly                      # rotate once a week
# keep 4 weeks worth of backlogs
rotate 4                    # keep 4 copies
# create new (empty) log files after rotating old ones
create                      # create a new file to hold new data
# use date as a suffix of the rotated file
dateext                     # use the date as the suffix of the rotated file (look in /var/log to see the result)
# uncomment this if you want your log files compressed
#compress
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {             # the log file to rotate
    monthly                 # rotate once a month
    create 0664 root utmp
    minsize 1M              # only rotate once the file is larger than 1M
    rotate 1                # keep one rotated log
}
/var/log/btmp {
    missingok               # if the log file does not exist, continue with the next file without an error
    monthly
    create 0600 root utmp   # permissions, owner and group of the new log file
    rotate 1
}

Similarly, we can also customize the rotation of the ssh log:

vim /etc/logrotate.conf
/var/log/sshd.log {
    missingok               # if the log file does not exist, continue with the next file without an error
    monthly
    create 0600 root utmp   # created with user root and group utmp
    minsize 1M
    rotate 1
}

Configuring a remote log server (centralized log management). Prepare two servers. Server-side configuration:

# Edit /etc/rsyslog.conf
# Provides TCP syslog reception
$ModLoad imtcp              # load the module that supports TCP
$InputTCPServerRun 514      # accept logs arriving on TCP port 514
# UDP is fast but does not guarantee the integrity of the data; TCP is reliable and complete, so we use TCP: remove the leading # from these two lines
# Restart rsyslog
systemctl restart rsyslog

View the status of the service listener

netstat -anlput | grep 514
tcp   0  0 0.0.0.0:514           0.0.0.0:*             LISTEN       4471/rsyslogd
tcp   0  0 192.168.75.129:514    192.168.75.128:33801  ESTABLISHED  4471/rsyslogd
tcp6  0  0 :::514                :::*                  LISTEN       4471/rsyslogd

Client-side configuration:

vim /etc/rsyslog.conf
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
*.* @@192.168.75.129:514    # add this line: forward to the server

Here *.* means all categories and levels of logs, and @@192.168.1.63:514 is the server IP and port (substitute your own server's address; @@ selects TCP, a single @ would select UDP).
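An added check (not from the original post) for both ends of this setup: it lists the forwarding rules of a client rsyslog.conf with their protocol (@@ is TCP, a single @ is UDP, which the text notes does not guarantee integrity) and confirms the server has the two imtcp lines active. Both configs are constructed samples.

```shell
#!/bin/bash
# Constructed sample configs (addresses as in the text, not real hosts).
CLIENT_CONF_SAMPLE='*.info;mail.none;authpriv.none;cron.none  /var/log/messages
*.* @@192.168.75.129:514
auth.* @192.168.75.130
'
SERVER_CONF_SAMPLE='$ModLoad imtcp
$InputTCPServerRun 514
'

# Print every forwarding rule as "selector proto host port". "@@" is TCP and a
# single "@" is UDP; a missing port defaults to 514. Commented rules are ignored.
forwarding_rules() {   # usage: forwarding_rules < rsyslog.conf
    awk '
        /^[[:space:]]*#/ || NF < 2 || $2 !~ /^@/ { next }
        {
            if ($2 ~ /^@@/) { proto = "tcp"; target = substr($2, 3) }
            else            { proto = "udp"; target = substr($2, 2) }
            port = 514
            n = split(target, part, ":")     # bracketed IPv6 targets are not handled
            host = part[1]
            if (n > 1) port = part[n]
            print $1, proto, host, port
        }
    '
}

# Rules still using UDP, which the text warns does not guarantee data integrity.
udp_forwarding_rules() { forwarding_rules | awk '$2 == "udp"'; }

# Server side: both lines the text uncomments must be active.
server_accepts_tcp() {   # usage: server_accepts_tcp < rsyslog.conf
    conf="$(cat)"
    printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*\$ModLoad[[:space:]]+imtcp' \
        && printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*\$InputTCPServerRun[[:space:]]+514'
}

printf '%s' "$CLIENT_CONF_SAMPLE" | forwarding_rules
printf '%s' "$SERVER_CONF_SAMPLE" | server_accepts_tcp && echo "server: TCP reception active"
```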

Copyright © Windows knowledge All Rights Reserved