How to perform log management and auditing on Linux systems

How to carry out log management and auditing in Linux systems

Overview:
In Linux systems, log management and auditing are very important. Through correct log management and auditing strategies, the operation of the system can be monitored in real time, problems can be discovered in a timely manner and corresponding measures can be taken. This article will introduce how to perform log management and auditing on Linux systems, and provide some specific code examples for reference.

1. Log management

1.1 Location and naming rules of log files
In Linux systems, log files are usually located in the /var/log directory. Different systems and applications generate their own log files, so you can review the appropriate log files as needed. Common log files include:

• /var/log/messages: Important information and error logs for systems and applications.
• /var/log/auth.log: Authentication and authorization information and error logs.
• /var/log/syslog: Detailed log of system running status.
• /var/log/secure: Security-related information and error logs.

In order to better distinguish log files, you can use naming rules, such as adding date and host name information to the log file name.
Sample code:

filename=`date +%Y-%m-%d`_`hostname`.log

1.2 Set log rotation
In order to prevent the log file from becoming too large, you can set log rotation rules. In Linux systems, the commonly used log rotation tool is logrotate. By configuring logrotate, log files can be backed up or compressed regularly, and then new log files can be created.

Sample code:
Create the logrotate configuration file /etc/logrotate.d/mylog and configure the rotation rules:

/var/log/mylog {
    monthly
    rotate 4
    compress
    missingok
    notifempty
}

Description: The above configuration indicates that the log file will be rotated once a month and the most recent will be retained. 4 backups; perform compression operation during rotation; ignore if the log file does not exist; do not rotate if the log file is empty.

1.3 Using log monitoring tools
In order to more conveniently monitor log information in real time, you can use some log monitoring tools. Commonly used log monitoring tools include Logcheck and Logwatch. These tools can regularly check log files and then send key log information to administrators via email.

2. Audit

2.1 Configure audit rules
Linux system provides an audit system (audit system), which can record security-related events in the system. By configuring audit rules, key events in the system can be recorded in real time, such as file access, permission changes, logins, etc.

Sample code:
Create audit rules:

auditctl -w /etc/shadow -p w -k shadow_changes

Description: In the above example, the audit rules are configured to monitor the write permission changes of the /etc/shadow file, and audit events will be recorded if changes occur. , and set the keyword to shadow_changes.

2.2 View the audit log
The audit system will record all audit events and save them in the /var/log/audit/audit.log file. You can view the contents of the audit log through the command aureport.

Sample code:
View all audit events:

aureport

2.3 Using audit tools
In order to view and analyze audit logs more conveniently, you can use some audit tools. Commonly used audit tools include AIDE and OSSEC-HIDS. These tools monitor your system for security events in real time and provide reporting and alerting capabilities.

Conclusion:
Through correct log management and auditing strategies, system anomalies and security issues can be discovered in a timely manner. In actual applications, log management and audit rules can be configured according to specific needs, and corresponding tools can be used for monitoring and analysis. Through log management and auditing, the security and stability of the system can be improved.

The above is the detailed content of How to perform log management and auditing on Linux systems. For more information, please follow other related articles on the PHP Chinese website!