Red Hat 7 (RHEL 7) RHCSA Study Notes: Logging Service

Viewing the format of log file contents

In general, every message that the syslog service (rsyslog on RHEL 7) writes to a text log carries the following important fields:

  1. Date and time at which the event occurred (note that the traditional format has no year and no time zone, so the host's clock and zone setting must be known when correlating logs)
  2. Hostname of the machine on which the event occurred (as that host knows itself)
  3. Service or program that produced the message, usually followed by its PID in square brackets
  4. The actual content of the message
[root@localhost tmp]# cat /var/log/secure
Apr 16 17:49:55 localhost polkitd[931]: Loading rules from directory /etc/polkit-1/rules.d
Apr 16 17:49:55 localhost polkitd[931]: Loading rules from directory /usr/share/polkit-1/rules.d
Apr 16 17:49:55 localhost polkitd[931]: Finished loading, compiling and executing 2 rules
Apr 16 17:49:55 localhost polkitd[931]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Apr 16 17:50:01 localhost sshd[1471]: Server listening on 0.0.0.0 port 22.
Apr 16 17:50:01 localhost sshd[1471]: Server listening on :: port 22.
Apr 16 17:50:13 localhost unix_chkpwd[9425]: password check failed for user (root)
Apr 16 17:50:13 localhost login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=root
Apr 16 17:50:13 localhost login: pam_succeed_if(login:auth): requirement "uid >= 1000" not met by user "root"
Apr 16 17:50:16 localhost login: FAILED LOGIN 1 FROM tty1 FOR root, Authentication failure
Apr 16 17:50:21 localhost login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Apr 16 17:50:21 localhost login: ROOT LOGIN ON tty1
Apr 16 17:59:26 localhost polkitd[931]: Registered Authentication Agent for unix-process:10961:57355 (system bus name :1.17 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Apr 16 17:59:27 localhost polkitd[931]: Unregistered Authentication Agent for unix-process:10961:57355 (system bus name :1.17, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Apr 16 18:02:22 localhost sshd[11364]: Accepted password for root from 192.168.137.1 port 51303 ssh2
Apr 16 18:02:22 localhost sshd[11364]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 16 20:01:20 localhost su: pam_unix(su:session): session opened for user lalin by root(uid=0)
Apr 16 20:01:49 localhost su: pam_unix(su:session): session opened for user root by root(uid=1000)
Apr 16 20:01:49 localhost su: pam_unix(su:session): session closed for user root
Apr 16 20:03:23 localhost su: pam_unix(su:session): session opened for user root by root(uid=1000)
Apr 16 20:12:16 localhost su: pam_unix(su:session): session opened for user lalin by root(uid=0)
Apr 16 20:12:32 localhost sudo:   lalin : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/bin/passwd root
Apr 16 20:13:03 localhost su: pam_unix(su:session): session closed for user lalin
Apr 16 20:13:06 localhost su: pam_unix(su:session): session closed for user root
Apr 16 20:13:06 localhost su: pam_unix(su:session): session closed for user lalin
Apr 16 20:13:06 localhost sshd[11364]: pam_unix(sshd:session): session closed for user root
Apr 16 20:13:26 localhost sshd[25935]: Accepted password for root from 192.168.137.1 port 55195 ssh2
Apr 16 20:13:26 localhost sshd[25935]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 16 20:13:33 localhost su: pam_unix(su:session): session opened for user lalin by root(uid=0)
Apr 16 20:13:48 localhost unix_chkpwd[25974]: password check failed for user (lalin)
Apr 16 20:13:48 localhost sudo: pam_unix(sudo:auth): authentication failure; logname=root uid=1000 euid=0 tty=/dev/pts/0 ruser=lalin rhost=  user=lalin
Apr 16 20:13:57 localhost sudo:   lalin : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/vim /etc/sudoers
Apr 16 20:14:47 localhost sudo:   lalin : command not allowed ; TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/passwd root
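As an added example (not part of the original notes), the following Python script parses lines in the format shown above into the four fields and then runs a few simple detection rules over the /var/log/secure excerpt: PAM authentication failures, failed console logins, root logins over SSH, and sudo invocations that were either denied or touched sensitive files. The list of sensitive paths is an assumed review policy, not something the notes specify; the sample lines are copied from the excerpt above.

```python
import re

# One line of /var/log/secure as rsyslog writes it on RHEL 7, e.g.
#   Apr 16 17:50:13 localhost unix_chkpwd[9425]: password check failed for user (root)
#   timestamp | host | program[pid] | message
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "  # month, space-padded day, time (no year, no zone)
    r"(?P<host>\S+) "                                   # hostname as the logging host knows itself
    r"(?P<prog>[^\[\]:\s]+)(?:\[(?P<pid>\d+)\])?:\s*"   # program, optional [pid], then the colon
    r"(?P<msg>.*)$"                                     # free-form message body
)

# Message-body patterns for the events worth flagging in this excerpt.
PAM_AUTH_FAIL_RE = re.compile(
    r"pam_unix\((?P<service>[^:()]+):auth\): authentication failure;.*\buser=(?P<user>\S*)")
FAILED_LOGIN_RE = re.compile(r"^FAILED LOGIN \d+ FROM (?P<tty>\S+) FOR (?P<user>[^,\s]+)")
SSHD_ACCEPT_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
SUDO_RE = re.compile(
    r"^(?P<user>\S+) : (?:(?P<denied>command not allowed) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

# Assumed review policy (not from the notes): any sudo command touching these is reported.
SENSITIVE_MARKERS = ("/etc/sudoers", "/etc/shadow", "/etc/passwd", "/bin/passwd", "/usr/bin/passwd")


def parse_line(line):
    """Split one syslog line into ts/host/prog/pid/msg; return None if it is not in that format."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


def classify(rec):
    """Return a short alert string for a security-relevant record, or None for routine noise."""
    prog, msg = rec["prog"], rec["msg"]
    m = PAM_AUTH_FAIL_RE.search(msg)          # any PAM-using service: login, sshd, su, sudo ...
    if m:
        return f"{m['service']} auth failure for user {m['user']}"
    if prog == "login":
        m = FAILED_LOGIN_RE.match(msg)
        if m:
            return f"failed console login for {m['user']} on {m['tty']}"
    if prog == "sshd":
        m = SSHD_ACCEPT_RE.match(msg)
        if m and m["user"] == "root":         # direct root SSH logins deserve a look
            return f"root logged in over SSH with {m['method']} from {m['ip']}"
    if prog == "sudo":
        m = SUDO_RE.match(msg)
        if m:
            if m["denied"]:
                return f"sudo denied {m['user']} -> {m['target']}: {m['cmd']}"
            if any(marker in m["cmd"] for marker in SENSITIVE_MARKERS):
                return f"sudo sensitive command by {m['user']} -> {m['target']}: {m['cmd']}"
    return None


def scan(lines):
    """Parse every line and return (timestamp, alert) pairs for the flagged events, in log order."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            alert = classify(rec)
            if alert:
                alerts.append((rec["ts"], alert))
    return alerts


# Sample input: ten lines copied from the /var/log/secure excerpt above.
SAMPLE = """\
Apr 16 17:49:55 localhost polkitd[931]: Loading rules from directory /etc/polkit-1/rules.d
Apr 16 17:50:13 localhost unix_chkpwd[9425]: password check failed for user (root)
Apr 16 17:50:13 localhost login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=root
Apr 16 17:50:16 localhost login: FAILED LOGIN 1 FROM tty1 FOR root, Authentication failure
Apr 16 18:02:22 localhost sshd[11364]: Accepted password for root from 192.168.137.1 port 51303 ssh2
Apr 16 20:01:20 localhost su: pam_unix(su:session): session opened for user lalin by root(uid=0)
Apr 16 20:12:32 localhost sudo:   lalin : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/bin/passwd root
Apr 16 20:13:48 localhost sudo: pam_unix(sudo:auth): authentication failure; logname=root uid=1000 euid=0 tty=/dev/pts/0 ruser=lalin rhost=  user=lalin
Apr 16 20:13:57 localhost sudo:   lalin : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/vim /etc/sudoers
Apr 16 20:14:47 localhost sudo:   lalin : command not allowed ; TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/passwd root
"""

if __name__ == "__main__":
    for ts, alert in scan(SAMPLE.splitlines()):
        print(ts, alert)
```

Run it against the real file with `python3 secure_scan.py < /var/log/secure` after swapping SAMPLE for `sys.stdin`; the point of splitting the parser from the rules is that the same parse_line() works for /var/log/messages and /var/log/cron too, since rsyslog writes all of them in this format. Note the "command not allowed" line: sudo logs the denial, so a user probing their sudo rights leaves a trace even when nothing ran.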

Common Linux log file locations

/var/log/cron: records task scheduling (crond and at jobs: what ran, when, and as which user)

/var/log/dmesg: messages produced by the kernel during hardware detection at boot (the same ring buffer the dmesg command prints)

/var/log/lastlog: the most recent login of every account on the system; this is a binary file, so read it with the lastlog command rather than cat

/var/log/maillog or /var/log/mail*: mail traffic handled by the local MTA

/var/log/messages: almost all general system messages and errors are recorded in this file

/var/log/secure: everything related to authentication and authorization (login, sshd, su, sudo and PAM) is recorded in this file

/var/log/wtmp, /var/log/faillog (on RHEL 7 the failed-login record is /var/log/btmp): account records for successful logins and for failed login attempts; these are binary files, read with last for wtmp and lastb for btmp rather than cat

/var/log/httpd/*, /var/log/news/*, /var/log/samba/*: logs produced by the individual network services

The above are the common log file locations; file names differ slightly between Linux distributions (Debian-based systems, for example, use /var/log/auth.log and /var/log/syslog where RHEL uses secure and messages).
