System logs record what happens while the system runs. When a service or the system itself fails, querying the logs helps with diagnosis, and they can also give early warning of security problems. System logs are generally stored under /var/log.
[root@edu-web2 /]# cd /var/log
[root@edu-web2 log]# pwd;ls -l wtmp secure dmesg messages lastlog maillog
/var/log
-rw-r--r-- 1 root root 31888 01-21 13:51 dmesg
-rw-r--r-- 1 root root 146584 01-21 14:39 lastlog
-rw------- 1 root root 706 01-21 04:02 maillog
-rw------- 1 root root 596714 01-21 15:27 messages
-rw------- 1 root root 17715 01-21 14:40 secure
-rw-rw-r-- 1 root utmp 1079424 01-21 14:40 wtmp
......
/var/log/dmesg // kernel boot log; rewritten on every boot and containing everything the kernel printed while loading. View with: dmesg or less /var/log/dmesg
Example: tail -f /var/log/messages // follow the end of the file and show new entries as they are appended
/var/log/maillog // mail system log; contains all messages and error reports produced by sendmail or postfix
/var/log/secure // contains all security-related system information, such as logins, tcp_wrapper and xinetd services, and system login and network connection events
[root@edu-web2 log]# cat /var/log/secure
Jan 20 11:37:30 edu-web2 passwd: pam_unix(passwd:chauthtok): password changed for root
Jan 20 12:21:31 edu-web2 sshd[3937]: Server listening on :: port 22.
Jan 20 12:21:31 edu-web2 sshd[3937]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
Jan 20 12:22:35 edu-web2 login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Jan 20 12:22:35 edu-web2 login: ROOT LOGIN ON tty1
Jan 20 13:08:34 edu-web2 sshd[4958]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=119.254.230.194 user=root
Jan 20 13:08:36 edu-web2 sshd[4958]: Failed password for root from 192.168.1.194 port 18226 ssh2
Jan 20 13:08:51 edu-web2 last message repeated 2 times
Jan 20 13:09:39 edu-web2 sshd[4958]: Accepted password for root from 192.168.1.194 port 18226 ssh2
........
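The excerpt above shows the three sshd lines a defender cares about: "Failed password", the syslog "last message repeated N times" marker that collapses further failures, and the later "Accepted password" from the same source. As an added example (not part of the original post), the Python below parses constructed lines in that format, expands the repeat marker so the hidden attempts are counted, and flags a successful login that follows repeated failures from one source. The sample lines, the threshold and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the /var/log/secure excerpt above (not real data).
SAMPLE_SECURE = """\
Jan 20 13:08:36 edu-web2 sshd[4958]: Failed password for root from 192.168.1.194 port 18226 ssh2
Jan 20 13:08:51 edu-web2 last message repeated 2 times
Jan 20 13:09:39 edu-web2 sshd[4958]: Accepted password for root from 192.168.1.194 port 18226 ssh2
Jan 20 13:20:01 edu-web2 sshd[5011]: Failed password for invalid user admin from 10.0.0.7 port 41000 ssh2
Jan 20 13:21:10 edu-web2 sshd[5020]: Accepted publickey for deploy from 192.168.1.195 port 50022 ssh2
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
AUTH_RE = re.compile(
    TS + r" \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
# syslog collapses identical consecutive lines into this marker
REPEAT_RE = re.compile(TS + r" \S+ last message repeated (?P<n>\d+) times$")

def parse_secure(text):
    """Return (ts, result, method, user, src) tuples for sshd auth lines; a repeat
    marker becomes N copies of the preceding event. pam_unix lines are skipped
    so that one attempt is not counted twice."""
    events, last = [], None
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            last = (m["ts"], m["result"], m["method"], m["user"], m["src"])
            events.append(last)
            continue
        r = REPEAT_RE.match(line)
        if r:
            if last is not None:
                events.extend((r["ts"],) + last[1:] for _ in range(int(r["n"])))
            continue
        last = None  # the repeat marker only refers to the line right before it
    return events

def success_after_failures(events, threshold=3):
    """Flag an Accepted login preceded by >= threshold failures from the same source."""
    failures, hits = defaultdict(int), []
    for ts, result, method, user, src in events:
        if result == "Failed":
            failures[src] += 1
        elif failures[src] >= threshold:
            hits.append((ts, user, src, failures[src], method))
    return hits
```

On a real host, feed it the output of `cat /var/log/secure`; the hit tuple carries the timestamp, user, source, failure count and auth method to take to the wtmp/last check described next.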
/var/log/wtmp // every login to the system adds a record to this log; to make tampering harder it is a binary file. View with: the last command, which prints its contents
[root@edu-web2 log]# last
root pts/1 192.168.1.194 Tue Jan 21 14:39 - 14:40 (00:01)
root pts/0 192.168.1.195 Tue Jan 21 14:35 still logged in
root pts/0 192.168.1.195 Tue Jan 21 13:52 - 14:28 (00:36)
reboot system boot 2.6.11-308.1.1.e Tue Jan 21 13:51 (01:44)
root pts/2 192.168.1.195 Tue Jan 21 13:11 - down (00:31)
root pts/1 192.168.1.194 Tue Jan 21 12:57 - down (00:45)
root pts/0 192.168.1.195 Tue Jan 21 12:15 - down (01:27)
reboot system boot 2.6.11-308.1.1.e Tue Jan 21 12:00 (01:41)
root pts/0 192.168.1.195 Tue Jan 21 11:49 - down (00:04)
root pts/0 192.168.1.195 Tue Jan 21 11:39 - 11:48 (00:08)
reboot system boot 2.6.11-308.1.1.e Tue Jan 21 11:38 (00:14)
root pts/0 192.168.1.195 Tue Jan 21 10:17 - down (01:13)
reboot system boot 2.6.11-308.1.1.e Tue Jan 21 10:16 (01:14)
......
Or view it with last -f /var/log/wtmp