Linux has three main logging subsystems:
(1) connection time logs
(2) process accounting logs
(3) system and service logs
The connection time logs and process accounting logs are driven by the rsyslog log service (syslog in older releases); the system and service logs are driven and managed by the corresponding network services.
Connection time logs
Connection time logs are kept in two files, /var/run/utmp and /var/log/wtmp, which the system updates automatically. These two files cannot be read with cat (they are binary), but they can be queried with commands such as w, who, ac, finger, last and lastlog. (The field layout of /var/run/utmp is defined in /usr/include/utmp.h; it is worth studying if you are interested.)
The w, who, ac and finger commands mainly read /var/run/utmp; see the examples below.
(1) The w command
# w -help
w: invalid option -- 'e'
usage: w -hlsufV [user]
-h skip header
-l long listing (default)
-s short listing
-u ignore uid of processes
-f toggle FROM field (default on)
-V display version
# w
21:48:53 up 36 days, 18:04, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
yucz pts/1 116.6.101.193 21:16 0.00s 0.01s 0.00s sshd: yucz [priv]
(2) The who command shows the currently logged-in users
# who --help
Usage: who [OPTION]... [ FILE | ARG1 ARG2 ]
Print information about users who are currently logged in.
-a, --all same as -b -d --login -p -r -t -T -u
-b, --boot time of last system boot
-d, --dead print dead processes
-H, --heading print line of column headings
-l, --login print system login processes
--lookup attempt to canonicalize hostnames via DNS
-m only hostname and user associated with stdin
-p, --process print active processes spawned by init
-q, --count all login names and number of users logged on
-r, --runlevel print current runlevel
-s, --short print only name, line, and time (default)
-t, --time print last system clock change
-T, -w, --mesg add user's message status as +, - or ?
-u, --users list users logged in
--message same as -T
--writable same as -T
--help display this help and exit
--version output version information and exit
# who
yucz pts/1 2015-02-25 21:16 (116.6.101.193)
(3) The ac command shows users' connection time
# ac --help
Usage: ac [-dhpVy] [-f ] [people] ...
# ac -d root
Aug 8 total 0.00
Aug 11 total 5.62
Aug 12 total 2.21
Aug 13 total 7.74
(4) The finger command shows a user's login status and other information
# finger root
Login: root Name: root
Directory: /root Shell: /bin/bash
Last login Wed Aug 13 03:26 2014 (CDT) on pts/4 from 116.6.101.193
No mail.
No Plan.
The lastb, lastlog and last commands mainly read /var/log/btmp; see the examples below.
(1) The last command shows the login history of users on the local machine, together with system boots and reboots.
# last | tail -10
root pts/0 116.6.101.193 Tue Aug 12 04:42 - down (00:49)
root pts/1 116.6.101.193 Mon Aug 11 21:05 - 23:19 (02:14)
root pts/1 116.6.101.193 Mon Aug 11 21:02 - 21:04 (00:02)
root pts/0 116.6.101.193 Mon Aug 11 20:39 - 00:58 (04:19)
reboot system boot 2.6.32-431.23.3. Fri Aug 8 04:11 - 05:31 (4+01:20)
root pts/0 10.0.80.185 Fri Aug 8 04:08 - 04:09 (00:00)
reboot system boot 2.6.32-431.23.3. Fri Aug 8 04:08 - 04:09 (00:01)
reboot system boot 2.6.32-431.el6.x Thu Aug 7 23:01 - 04:06 (05:05)
(2) lastlog shows the last login of each user
# lastlog -h
Usage: lastlog [options]
Options:
-b, --before DAYS print only lastlog records older than DAYS
-h, --help display this help message and exit
-t, --time DAYS print only lastlog records more recent than DAYS
-u, --user LOGIN print lastlog record of the specified LOGIN
# lastlog -u root
Username Port From Latest
root pts/4 116.6.101.193 Wed Aug 13 03:26:29 -0500 2014
(3) lastb mainly shows failed login attempts
# lastb
yucz ssh:notty 116.6.101.193 Wed Feb 25 21:16 - 21:16 (00:00)
yucz ssh:notty 116.6.101.193 Thu Feb 12 00:49 - 00:49 (00:00)
yucz ssh:notty 116.6.101.193 Mon Feb 9 02:29 - 02:29 (00:00)
yucz ssh:notty 184.173.65.76 Fri Feb 6 03:52 - 03:52 (00:00)
yucz ssh:notty 184.173.65.76 Fri Feb 6 03:51 - 03:51 (00:00)
yucz ssh:notty 116.6.101.193 Wed Feb 4 03:33 - 03:33 (00:00)
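Since utmp, wtmp and btmp are just arrays of the struct from /usr/include/utmp.h, the same records can be read without who or lastb. The following is an added example, not code from the original post: it unpacks records in the 64-bit glibc Linux layout (an assumption; other architectures pad differently), lists live sessions the way who does, and aggregates the failed attempts that btmp holds per source host, as a defender would when reviewing the lastb listing above. The sample records are constructed to mirror the who and lastb output shown earlier.

```python
import struct
# Layout of struct utmp from /usr/include/utmp.h on 64-bit glibc Linux (assumed here):
# ut_type, 2 pad bytes, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit (two shorts), ut_session, ut_tv (sec, usec), ut_addr_v6[4], 20 unused bytes
UTMP_FMT = "<hxxi32s4s32s256shhiii16s20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384 bytes per record
BOOT_TIME, LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS = 2, 6, 7, 8

def _cstr(raw: bytes) -> str:
    """Decode a fixed-width, NUL-padded C char array."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_utmp(data: bytes) -> list:
    """Split a utmp/wtmp/btmp blob into dicts; this is the data who/last/lastb read."""
    records = []
    for off in range(0, len(data) // UTMP_SIZE * UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                        "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]})
    return records

def current_users(records: list) -> list:
    """Like `who`: USER_PROCESS entries still present in utmp are live sessions."""
    return [(r["user"], r["line"], r["host"]) for r in records
            if r["type"] == USER_PROCESS and r["user"]]

def failed_logins_by_host(records: list) -> dict:
    """Like `lastb`, aggregated: btmp holds only failed attempts, so count them per host."""
    counts = {}
    for r in records:
        if r["user"] and r["host"]:
            counts[r["host"]] = counts.get(r["host"], 0) + 1
    return counts

def make_record(ut_type: int, pid: int, line: str, user: str, host: str, when: int) -> bytes:
    """Pack one constructed record (sample data for this example, not from a real host)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, when, 0, b"", b"")

# Constructed sample files. The btmp one mirrors the `lastb` listing above:
# four failed ssh attempts from 116.6.101.193 and two from 184.173.65.76.
SAMPLE_UTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "", 1424800000),
    make_record(USER_PROCESS, 4321, "pts/1", "yucz", "116.6.101.193", 1424895360),
    make_record(DEAD_PROCESS, 4300, "pts/0", "", "", 1424890000),
])
SAMPLE_BTMP = b"".join(
    make_record(LOGIN_PROCESS, 5000 + i, "ssh:notty", "yucz", host, 1423000000 + i * 3600)
    for i, host in enumerate(["116.6.101.193", "184.173.65.76", "184.173.65.76",
                              "116.6.101.193", "116.6.101.193", "116.6.101.193"]))
```

Feeding parse_utmp the bytes of a real /var/log/btmp (readable only by root) gives the same per-host summary that scanning lastb by eye would, which makes repeated attempts from one address easy to spot.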