The log files in the Linux system carry the system running status and the running information of various applications. They are crucial for system diagnosis and error debugging. Therefore, learning how to read and analyze Linux log files is a skill that every Linux user must master. This article will introduce you to the types, formats and common reading methods of Linux log files, helping you to easily understand and solve system problems.
Three types of logs
- #
Kernel and system logs:
This kind of log data is managed uniformly by the system service rsyslog, and the kernel messages and various Where are system program messages logged? A considerable number of programs in the system will have their log files managed by rsyslog, so the log records used by these programs also have a similar format.
User log:
-
This kind of log data is used to record
Linux
operating system user login and exit related information, including user name, login terminal, login time, source host, and process operations in use wait.
Program log:
-
Some applications will choose to manage a log file independently (instead of leaving it to the
rsyslog
service management) to record various event information during the running of the program. Since these programs are only responsible for managing their own log files, the logging formats used by different programs may vary greatly.
Common log files
#
| path |
illustrate |
| /var/log/messages |
Record Linux kernel messages and public log information of various applications |
| /var/log/cron |
Record event information generated by crond scheduled tasks |
| /var/log/dmesg |
Record various event information of the Linux operating system during the boot process |
| /var/log/maillog |
Log email activity entering or leaving the system |
| /var/log/lastlog |
Record the most recent login events for each user |
| /var/log/secure |
Record security event information related to user authentication |
| /var/log/wtmp |
Record each user's login, logout and system startup and shutdown events |
| /var/log/btmp |
Record failed, incorrect login attempts and authentication events |
Priority level of log
#“
The smaller the number level, the higher the priority and the more important the message.
”
| level |
English vocabulary |
Chinese definition |
illustrate |
| #0 |
EMERG |
urgent |
Will cause the host system to become unavailable |
| 1 |
ALERT |
warn |
Problems that must be solved immediately |
| 2 |
CRIT |
serious |
Serious situation |
| 3 |
ERR |
mistake |
Error occurred during operation |
| 4 |
WARNING |
remind |
Important events that may affect system functions and need to remind users |
| 5 |
NOTICE |
Notice |
Will not affect normal functions, but events that need attention |
| 6 |
INFO |
information |
General information |
| 7 |
DEBUG |
debug |
Program or system debugging information, etc. |
User log related commands
#users
- #
The
users command simply outputs the names of the currently logged in users, with each displayed user name corresponding to a login session. If a user has more than one login session, his username will be displayed the same number of times.
[root@localhost ~]# users
root
Copy after login
who
- #
The
who command is used to report information about each user currently logged in to the system. Using this command, the system administrator can check which illegal users exist in the current system to audit and handle them. The default output of who includes username, terminal type, login date and remote host.
[root@localhost ~]# who
root pts/0 2019-09-06 23:56 (192.168.28.1)
Copy after login
w
- #
The
w command is used to display information about each user in the current system and the processes they are running. It is richer than the output of the users and who commands.
23:57:33 up 4 min, 1 user, load average: 0.02, 0.18, 0.11
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 192.168.28.1 23:56 5.00s 0.11s 0.02s w
Copy after login
last
- #
The
last command is used to query user records that successfully logged into the system. The most recent login status will be displayed at the front. The last command can be used to grasp the login status of the Linux host in real time. If an unauthorized user is found to have logged in, it means that the current host may have been invaded.
[root@localhost ~]# last
root pts/0 192.168.28.1 Fri Sep 6 23:56 still logged in
reboot system boot 3.10.0-693.el7.x Fri Sep 6 23:52 - 23:58 (00:05)
ll :0 :0 Wed Sep 4 14:09 - crash (00:07)
reboot system boot 3.10.0-693.el7.x Wed Sep 4 14:06 - 14:24 (00:18)
wtmp begins Wed Sep 4 14:06:18 2019
Copy after login
lastb
- #
The
lastb command is used to query user records that failed to log in. For example, incorrect login user name, incorrect password, etc. will be recorded. A failed login is a security incident because it means someone may be trying to guess your password.
[root@localhost ~]# lastb
ll ssh:notty 192.168.28.1 Sat Sep 7 00:01 - 00:01 (00:00)
ll :0 :0 Fri Sep 6 23:59 - 23:59 (00:00)
btmp begins Fri Sep 6 23:59:42 2019
Copy after login
In this article, we introduce three common Linux log file types, including system logs, application logs, and security logs, and describe their formats and record contents in detail. We also discussed how to use command line tools and log viewers to analyze and read log files. I believe you already know how to handle log files in Linux systems. If you have any questions or suggestions, please leave a message in the comment area and we will be happy to answer you.
The above is the detailed content of Master Linux log analysis skills: comprehensive learning from format to analysis. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
