
Audit files and the commands for viewing them

utmp, wtmp, lastlog, messages, secure… Everything in this article was verified on CentOS 7.7.

  1. Binary files must be read with their dedicated commands; third-party tools also exist.
  2. Plain-text files can be read with their default command or with any text viewer, such as vi, nano, cat, less or more.

SSH log: secure

The SSH log is /var/log/secure; it records logins that access the system (pop3, ssh, telnet, ftp and so on are all logged here). logrotate rotates it by default, so also look at the rotated files with the same base name. The system login log may instead be at /var/log/auth.log; if the former does not exist, look for the latter.

# less -N /var/log/secure
      1 Mar 29 10:58:20 centos76 sshd[54779]: Accepted password for root from 192.168.138.41 port 40494 ssh2
      2 Mar 29 10:58:20 centos76 sshd[54779]: pam_unix(sshd:session): session opened for user root by (uid=0)

utmp

This file may not have been created and may instead point to wtmp. logrotate rotates it monthly by default, so also look at the rotated files with the same base name.
The utmp file records who is currently logged in to the system. The real number of users may be larger than this count, because not every user logs in through utmp.

Warning: utmp must be kept non-writable, because many (rather naive) system programs depend on it. If you make it writable, other users can modify it (and make those programs misbehave).

wtmp

/var/log/wtmp is a binary file that records, among other things, the number and duration of each user's logins. It holds the records of users who logged in successfully.

This log file permanently records every user login and logout as well as every system boot and shutdown. As the system's uptime grows the file keeps growing, at a rate that depends on how often users log in. The file can be used to review users' login history: the last command reads it to obtain that information and prints the login records in reverse order, newest first; last can also show only the records for a given user, terminal (tty) or time.

w, who

[root@centos76 ~]# w
 10:43:46 up 6 days,  5:23,  2 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1                      07Mar20 57:54   0.99s  0.99s -bash
root     pts/0    100.64.88.1      09:46    2.00s  0.02s  0.00s w
[root@centos76 ~]# who
root     tty1         2020-03-07 09:54
root     pts/0        2020-03-29 09:46 (100.64.88.1)

btmp

/var/log/btmp is a binary file that records failed login attempts. lastb reads it by default when run with no arguments, and last -f /var/log/btmp works as well. logrotate rotates it monthly by default, so also look at the rotated files with the same base name.

lastb

The command for viewing /var/log/btmp.

DESCRIPTION  # excerpted from man lastb
       Last searches back through the file /var/log/wtmp (or the file designated by the -f flag) and displays a list of
       all users logged in (and out) since that file was created.  Names of users and tty's can be given, in which case
       last  will show only those entries matching the arguments.  Names of ttys can be abbreviated, thus last 0 is the
       same as last tty0.
 
       When last catches a SIGINT signal (generated by the interrupt key, usually control-C) or a SIGQUIT signal  (gen‐
       erated by the quit key, usually control-\), last will show how far it has searched through the file; in the case
       of the SIGINT signal last will then terminate.
 
       The pseudo user reboot logs in each time the system is rebooted.  Thus last  reboot  will  show  a  log  of  all
       reboots since the log file was created.
 
       Lastb  is  the same as last, except that by default it shows a log of the file /var/log/btmp, which contains all
       the bad login attempts.   # lastb is like last but reads btmp by default, which records failed logins
 

[root@localhost ~]# last
# or give an explicit file path; with no argument the file is /var/log/wtmp
# last -f /var/log/wtmp 
# who -u /var/log/wtmp
root     pts/0        192.168.1.106    Fri Jul  5 04:31   still logged in 
root     pts/1        192.168.1.106    Fri Jul  5 02:41 - 02:41  (00:00)  
...
root     pts/0        192.168.18.138   Fri Jul  5 01:59 - 01:59  (00:00)  
reboot   system boot  2.6.28l7         Fri Jul  5 01:54          (02:37)  
...
root     pts/1        192.168.18.138   Fri Jul  5 00:38 - crash  (00:06)  
root     pts/0        192.168.18.138   Fri Jul  5 00:35 - crash  (00:09)  
...

[root@centos76 ~]# lastb
amos     ssh:notty    100.64.88.1      Sat Mar 21 22:01 - 22:01  (00:00)
amos     ssh:notty    100.64.88.1      Sat Mar 21 22:01 - 22:01  (00:00)
amos     ssh:notty    100.64.88.1      Sat Mar 21 22:01 - 22:01  (00:00)
amos     ssh:notty    100.64.88.1      Sat Mar 21 22:01 - 22:01  (00:00)
root     tty1                          Wed Mar  4 16:02 - 16:02  (00:00)
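utmp, wtmp and btmp share one fixed-size binary record format, which is why they need last, lastb and who rather than a text viewer. As an added example (not code from the article), the reader below decodes those records and reproduces the two views shown above: the failed-attempt counts that lastb gives for btmp, and the login/logout pairing that last derives from wtmp. The struct layout is the glibc x86_64 one (384 bytes, 32-bit tv_sec), the sample records are constructed to mirror the output above, and using LOGIN_PROCESS as the type of a failed attempt is an assumption.

```python
import struct
from collections import Counter

# glibc x86_64 layout of 'struct utmp' (384 bytes, little-endian, 32-bit tv_sec);
# the record format shared by utmp, wtmp and btmp. Taken from <utmp.h>, assumed here.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)            # 384
EMPTY, LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS = 0, 6, 7, 8

def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one record; only used here to construct sample input."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

def parse_records(blob):
    """Decode every complete record (what last/lastb/who read); a trailing partial one is ignored."""
    recs = []
    for off in range(0, len(blob) - len(blob) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, blob, off)
        recs.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                     "user": _cstr(f[4]), "host": _cstr(f[5]), "tv_sec": f[9]})
    return recs

def failed_logins(blob, threshold=3):
    """btmp view (lastb): failed attempts per (user, source host), keeping only bursts."""
    counts = Counter((r["user"], r["host"]) for r in parse_records(blob) if r["type"] != EMPTY)
    return {k: v for k, v in counts.items() if v >= threshold}

def sessions(blob):
    """wtmp view (last): pair each login with the next logout on the same tty; None = still logged in."""
    open_by_line, done = {}, []
    for r in parse_records(blob):
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            s = open_by_line.pop(r["line"])
            done.append((s["user"], s["line"], s["host"], r["tv_sec"] - s["tv_sec"]))
    return done + [(s["user"], s["line"], s["host"], None) for s in open_by_line.values()]

# Constructed sample data modelled on the lastb/last output in the article (T0 = 2020-03-21 22:01 UTC).
T0 = 1584828060
SAMPLE_BTMP = b"".join(pack_record(LOGIN_PROCESS, 100 + i, "ssh:notty", "amos", "100.64.88.1", T0 + i)
                       for i in range(4)) + pack_record(LOGIN_PROCESS, 200, "tty1", "root", "", T0 - 86400)
SAMPLE_WTMP = (pack_record(USER_PROCESS, 54779, "pts/0", "root", "192.168.138.41", T0)
               + pack_record(DEAD_PROCESS, 54779, "pts/0", "", "", T0 + 600)
               + pack_record(USER_PROCESS, 55000, "pts/1", "root", "192.168.138.41", T0 + 700))
```

To run it against a real file, pass `open("/var/log/btmp", "rb").read()` to failed_logins or the wtmp contents to sessions; both files are root-readable only.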

lastlog

/var/log/lastlog # The lastlog command shows per-user login statistics.
The lastlog file is consulted every time a user logs in. The lastlog command can be used to check when a particular user last logged in; it formats the contents of /var/log/lastlog and lists, sorted by UID, the login name, port (tty) and time of last login. For a user who has never logged in it shows "Never logged in". Note that the command must be run as root.

# lastlog
Username         Port     From             Latest
root             pts/0    221.6.45.34      Tue Dec 17 09:40:48 +0800 2013
bin                                        **Never logged in**
daemon                                     **Never logged in**
adm                                        **Never logged in**
lp                                         **Never logged in**
sync                                       **Never logged in**
shutdown                                   **Never logged in**

messages

/var/log/messages: almost every error the system reports, from boot onward, is recorded here.

# less -N /var/log/messages
... partial output
   1919 Mar 29 10:58:29 centos76 dhclient[9325]: DHCPREQUEST on ens34 to 100.64.10.24 port 67 (xid=0x6c17c7b0)
   1920 Mar 29 10:58:29 centos76 dhclient[9325]: DHCPACK from 100.64.10.24 (xid=0x6c17c7b0)
   1921 Mar 29 10:58:29 centos76 dhclient[9325]: bound to 100.64.10.57 -- renewal in 46 seconds.
   1922 Mar 29 10:59:15 centos76 dhclient[9325]: DHCPREQUEST on ens34 to 100.64.10.24 port 67 (xid=0x6c17c7b0)
   1923 Mar 29 10:59:15 centos76 dhclient[9325]: DHCPACK from 100.64.10.24 (xid=0x6c17c7b0)
   1924 Mar 29 10:59:16 centos76 dhclient[9325]: bound to 100.64.10.57 -- renewal in 44 seconds.
   1925 Mar 29 11:00:00 centos76 dhclient[9325]: DHCPREQUEST on ens34 to 100.64.10.24 port 67 (xid=0x6c17c7b0)
   1926 Mar 29 11:00:00 centos76 dhclient[9325]: DHCPACK from 100.64.10.24 (xid=0x6c17c7b0)
   1927 Mar 29 11:00:00 centos76 dhclient[9325]: bound to 100.64.10.57 -- renewal in 50 seconds.
   1928 Mar 29 11:00:01 centos76 systemd: Started Session 1727 of user root.
   1929 Mar 29 11:00:01 centos76 systemd: Started Session 1724 of user root.
   1930 Mar 29 11:00:01 centos76 systemd: Started Session 1726 of user root.
   1931 Mar 29 11:00:01 centos76 systemd: Started Session 1725 of user root.
   1932 Mar 29 11:00:01 centos76 systemd: Started Session 1728 of user root.
   1933 Mar 29 11:00:01 centos76 systemd: Started Session 1729 of user root.
   1934 Mar 29 11:00:50 centos76 dhclient[9325]: DHCPREQUEST on ens34 to 100.64.10.24 port 67 (xid=0x6c17c7b0)
   1935 Mar 29 11:00:50 centos76 dhclient[9325]: DHCPACK from 100.64.10.24 (xid=0x6c17c7b0)
   1936 Mar 29 11:00:50 centos76 dhclient[9325]: bound to 100.64.10.57 -- renewal in 49 seconds.
   1937 Mar 29 11:01:01 centos76 systemd: Started Session 1730 of user root.
   1938 Mar 29 11:01:39 centos76 dhclient[9325]: DHCPREQUEST on ens34 to 100.64.10.24 port 67 (xid=0x6c17c7b0)
   1939 Mar 29 11:01:39 centos76 dhclient[9325]: DHCPACK from 100.64.10.24 (xid=0x6c17c7b0)
   1940 Mar 29 11:01:39 centos76 dhclient[9325]: bound to 100.64.10.57 -- renewal in 53 seconds.
   1941 Mar 29 11:02:32 centos76 dhclient[9325]: DHCPREQUEST on ens34 to 100.64.10.24 port 67 (xid=0x6c17c7b0)
   1942 Mar 29 11:02:32 centos76 dhclient[9325]: DHCPACK from 100.64.10.24 (xid=0x6c17c7b0)
   1943 Mar 29 11:02:32 centos76 dhclient[9325]: bound to 100.64.10.57 -- renewal in 51 seconds.
   1944 Mar 29 11:03:23 centos76 dhclient[9325]: DHCPREQUEST on ens34 to 100.64.10.24 port 67 (xid=0x6c17c7b0)

boot.log of some services

/var/log/boot.log records the start and stop messages printed by some services during boot or shutdown. The file was empty on the test system, so no sample is given here.

Scheduled tasks: cron

/var/log/cron records the activity of the crontab (scheduled task) service.

less -N /var/log/cron 
... partial output
    206 Mar 29 10:01:01 centos76 run-parts(/etc/cron.hourly)[42209]: finished 0anacron
    207 Mar 29 10:07:01 centos76 CROND[43545]: (root) CMD (sh /usr/local/bin/my_ttl_index.sh)
    208 Mar 29 10:10:01 centos76 CROND[44139]: (root) CMD (/usr/lib64/sa/sa1 1 1)
    209 Mar 29 10:14:01 centos76 CROND[45034]: (root) CMD (sh /usr/local/bin/my_ttl_index.sh)
    210 Mar 29 10:17:01 centos76 CROND[45660]: (root) CMD (sh /usr/local/bin/my_log_default.sh)
    211 Mar 29 10:20:01 centos76 CROND[46382]: (root) CMD (/usr/lib64/sa/sa1 1 1)
    212 Mar 29 10:21:01 centos76 CROND[46574]: (root) CMD (sh /usr/local/bin/my_ttl_index.sh)
    213 Mar 29 10:27:01 centos76 CROND[47984]: (root) CMD (sh /usr/local/bin/my_log_wrapper.sh)
    214 Mar 29 10:28:01 centos76 CROND[48178]: (root) CMD (sh /usr/local/bin/my_ttl_index.sh)
    215 Mar 29 10:30:01 centos76 CROND[48601]: (root) CMD (/usr/lib64/sa/sa1 1 1)
    216 Mar 29 10:34:01 centos76 CROND[49499]: (root) CMD (sh /usr/local/bin/my_log_default.sh)
    217 Mar 29 10:35:01 centos76 CROND[49699]: (root) CMD (sh /usr/local/bin/my_ttl_index.sh)
    218 Mar 29 10:37:01 centos76 CROND[50125]: (root) CMD (sh /usr/local/bin/my_metric_index.sh)
    219 Mar 29 10:40:01 centos76 CROND[50810]: (root) CMD (/usr/lib64/sa/sa1 1 1)
    220 Mar 29 10:42:01 centos76 CROND[51233]: (root) CMD (sh /usr/local/bin/my_ttl_index.sh)

Kernel log: dmesg

/var/log/dmesg is the kernel log, a plain-text file; view it with the dmesg command or with any text viewer.

#  dmesg 
# [ seconds since boot ] : event during the boot process
[   10.077216] floppy0: no floppy controllers found
[   11.138882] NET: Registered protocol family 40
[   12.220906] e1000: ens33 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
...
[   20.391724] IPv6: ADDRCONF(NETDEV_CHANGE): ens34: link becomes ready
[   26.881268] mongod (1589): drop_caches: 3
[   38.340459] TECH PREVIEW: Overlay filesystem may not be fully supported.
Please review provided documentation for limitations.
[   40.993450] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
[   40.997588] Bridge firewalling registered
[   41.033639] nf_conntrack version 0.5.0 (65536 buckets, 262144 max)
[   41.373027] Netfilter messages via NETLINK v0.30.
[   41.376863] ctnetlink v0.93: registering with nfnetlink.
...
[43225.472529] sched: RT throttling activated

#  less -N /var/log/dmesg 
   1812 [    3.639106] ip_tables: (C) 2000-2006 Netfilter Core Team
   1813 [    3.639884] systemd[1]: Inserted module 'ip_tables'
   1814 [    5.599223] systemd-journald[679]: Received request to flush runtime journal from PID 1
   1815 [    6.226824] vmw_vmci 0000:00:07.7: Found VMCI PCI device at 0x11080, irq 16
   1816 [    6.226886] vmw_vmci 0000:00:07.7: Using capabilities 0xc
   1817 [    6.227062] vmw_vmci 0000:00:07.7: irq 56 for MSI/MSI-X
   1818 [    6.227125] vmw_vmci 0000:00:07.7: irq 57 for MSI/MSI-X
   1819 [    6.227419] Guest personality initialized and is active
   1820 [    6.227483] VMCI host device registered (name=vmci, major=10, minor=58)
   1821 [    6.227484] Initialized host personality
   1822 [    6.264429] piix4_smbus 0000:00:07.3: SMBus Host Controller not enabled!
   1823 [    7.237601] input: PC Speaker as /devices/platform/pcspkr/input/input5
   1824 [    7.292983] cryptd: max_cpu_qlen set to 1000
   1825 [    7.335910] AVX version of gcm_enc/dec engaged.
   1826 [    7.335912] AES CTR mode by8 optimization enabled
   1827 [    7.338917] alg: No test for __gcm-aes-aesni (__driver-gcm-aes-aesni)
   1828 [    7.339010] alg: No test for __generic-gcm-aes-aesni (__driver-generic-gcm-aes-aesni)
   1829 [    7.374545] sd 0:0:0:0: Attached scsi generic sg0 type 0
   1830 [    7.374615] sr 1:0:0:0: Attached scsi generic sg1 type 5
   1831 [    7.374657] sr 2:0:0:0: Attached scsi generic sg2 type 5
   1832 [    7.398970] ppdev: user-space parallel port driver
   1833 [    7.419770] EDAC sbridge: Seeking for: PCI ID 8086:0ea0

maillog

Several times I have run into servers spawning large numbers of sendmail processes, eating CPU and memory until the host went down. The root cause can be found here.
/var/log/maillog records mail access and mail traffic.

# less -N /var/log/maillog
... partial output
      1 Mar 29 03:21:01 centos76 postfix/pickup[77010]: C1AC741AEC4E: uid=0 from=<root>
      2 Mar 29 03:21:01 centos76 postfix/cleanup[84503]: C1AC741AEC4E: message-id=<20200328192101.C1AC741AEC4E@centos76.localdomain>
      3 Mar 29 03:21:01 centos76 postfix/qmgr[1707]: C1AC741AEC4E: from=<root@centos76.localdomain>, size=1022, nrcpt=1 (queue active)
      4 Mar 29 03:21:01 centos76 postfix/local[84506]: C1AC741AEC4E: to=<root@centos76.localdomain>, orig_to=<root>, relay=local, delay=0.06, delays=0.05/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
      5 Mar 29 03:21:01 centos76 postfix/qmgr[1707]: C1AC741AEC4E: removed
      6 Mar 29 03:27:01 centos76 postfix/pickup[77010]: DA85341AEC4E: uid=0 from=<root>
      7 Mar 29 03:27:01 centos76 postfix/cleanup[85784]: DA85341AEC4E: message-id=<20200328192701.DA85341AEC4E@centos76.localdomain>
      8 Mar 29 03:27:01 centos76 postfix/qmgr[1707]: DA85341AEC4E: from=<root@centos76.localdomain>, size=1024, nrcpt=1 (queue active)
      9 Mar 29 03:27:01 centos76 postfix/local[85787]: DA85341AEC4E: to=<root@centos76.localdomain>, orig_to=<root>, relay=local, delay=0.06, delays=0.05/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
     10 Mar 29 03:27:01 centos76 postfix/qmgr[1707]: DA85341AEC4E: removed
     11 Mar 29 03:28:01 centos76 postfix/pickup[77010]: F1CF741AEC4E: uid=0 from=<root>

yum.log

/var/log/yum.log: packages installed with yum.

# less -N /var/log/yum.log
... partial output
     14 Jan 21 22:07:15 Installed: httpd-tools-2.4.6-90.el7.centos.x86_64
     15 Jan 21 22:07:15 Installed: php-common-7.4.2-1.el7.remi.x86_64
     16 Jan 21 22:07:15 Installed: php-json-7.4.2-1.el7.remi.x86_64
     17 Jan 21 22:07:15 Installed: php-pdo-7.4.2-1.el7.remi.x86_64
     18 Jan 21 22:07:16 Installed: php-cli-7.4.2-1.el7.remi.x86_64
     19 Jan 21 22:07:16 Installed: libxslt-1.1.28-5.el7.x86_64
     20 Jan 21 22:07:16 Installed: mailcap-2.1.41-2.el7.noarch
     21 Jan 21 22:07:16 Installed: httpd-2.4.6-90.el7.centos.x86_64
     22 Jan 21 22:07:17 Installed: php-7.4.2-1.el7.remi.x86_64
     23 Jan 21 22:07:17 Installed: php-xml-7.4.2-1.el7.remi.x86_64
     24 Jan 21 22:07:17 Installed: php-mysqlnd-7.4.2-1.el7.remi.x86_64
...

sa performance logs

A handy tool.
/var/log/sa/ : see sysstat

Clearing logs

Only the approach is outlined.

Example 1

# Do not delete logs outright; back them up or empty the file through a redirect.

rm -f logfile   # logfile stands for the log file

# Reason:
# The application already holds an open handle on the file, so deleting it directly causes:
#       1. the application can no longer release the log file or write to it properly
#       2. the disk space shows as not being released

# Correct way:

cat /dev/null > logfile   # logfile stands for the log file

# Save the following as a script with a .sh suffix and run it from crontab to clear logs on a schedule;

#!/bin/sh
cat /dev/null > /var/log/secure
cat /dev/null > /var/log/btmp
cat /dev/null > /var/log/messages
cat /dev/null > /var/log/boot.log
cat /dev/null > /var/log/maillog
cat /dev/null > /var/log/cron
cat /dev/null > /var/log/lastlog
cat /dev/null > /var/log/dmesg
cat /dev/null > /var/log/yum.log
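The difference between rm and a redirect comes down to what the daemon's open file descriptor still points at. As an added example (not from the article), the model below keeps a writer open the way a daemon does, clears the file both ways, and reports what is left; it also covers the case the article does not mention, a writer opened without O_APPEND, where a truncate leaves a sparse file. Paths and log lines are constructed, and the semantics are POSIX.

```python
import os
import tempfile

def clear_log(path, delete, append=True):
    """Clear a log that a running daemon still holds open, either by unlinking it
    ('rm -f logfile') or by truncating it in place ('cat /dev/null > logfile'),
    then report what the daemon and the filesystem see afterwards."""
    # The daemon's handle. "a" = O_APPEND, which syslog-style writers use; with
    # append=False the writer keeps its own offset, which matters after a truncate.
    writer = open(path, "a" if append else "w")
    writer.write("old entry\n" * 1000)
    writer.flush()
    ino_before = os.stat(path).st_ino
    if delete:
        os.remove(path)             # unlink: inode and its blocks stay allocated while writer holds it
    else:
        with open(path, "w"):       # O_TRUNC on the same inode: blocks are freed right away
            pass
    writer.write("Mar 29 11:00:00 centos76 sshd[1]: new entry\n")   # constructed log line
    writer.flush()
    held = os.fstat(writer.fileno()).st_size    # bytes still charged to the daemon's inode
    exists = os.path.exists(path)
    visible = open(path).read() if exists else ""
    writer.close()
    return {"path_exists": exists,
            "same_inode": exists and os.stat(path).st_ino == ino_before,
            "held_bytes": held,
            "new_entry_visible": "new entry" in visible}

def demo():
    """Run the three cases side by side in a scratch directory."""
    d = tempfile.mkdtemp()
    return {"rm": clear_log(os.path.join(d, "secure.rm"), delete=True),
            "truncate": clear_log(os.path.join(d, "secure.trunc"), delete=False),
            # Without O_APPEND the old offset is kept: the file regrows as a sparse file,
            # its apparent size jumps back up and the leading hole reads as NUL bytes.
            "truncate_no_append": clear_log(os.path.join(d, "secure.hole"), delete=False, append=False)}
```

With rm the path is gone but the daemon still holds 10044 bytes on an unlinked inode (invisible to ls, still counted by df); with the redirect the inode is unchanged, the space is freed and new entries appear in the file.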

Appendix

Ubuntu and related Linux distributions

The log paths differ slightly.

Viewing login logs on Ubuntu

SSH log: /var/log/secure

If the file above does not exist,

the system login log is in /var/log/auth.log instead.

Viewing users logged in to the host through utmp

Information on currently logged-in users is recorded in /var/run/utmp, which is owned by the utmp group.

It can be viewed with the who command:
-b, --boot        time of last system boot
-d, --dead        print dead processes
-l, --login       print system login processes
-q, --count       list all login names and the number of users logged on
-u, --users       list users logged in
-a, --all         same as -b -d --login -p -r -t -T -u

If no file is specified, /var/run/utmp is used. /var/log/wtmp is the commonly used related file.

Logins and logouts are recorded in /var/log/wtmp, also owned by the utmp group.
It can be viewed with the w command.

The last login of each user is recorded in /var/log/lastlog, also owned by the utmp group.
It can be viewed with the lastlog command:

-t, --time DAYS    records within the last DAYS days
-b, --before DAYS
-u, --user LOGIN   records for the user LOGIN

last -R
Usage: last [-num | -n num] [-f file] [-t YYYYMMDDHHMMSS] [-R] [-adioxF] [username..] [tty..]
The last command searches back through wtmp and shows the users who have logged in since the file was first created.

users prints the currently logged-in users on a single line; each user name shown corresponds to one login session.

The utmp file records who is currently logged in to the system. The real number of users may be larger than this count, because not every user logs in through utmp.

Small tools:

wted  edits the wtmp and utmp logs

z2    log-cleaning tool; deletes every entry for a given user name from the utmp, wtmp and lastlog files

/usr/sbin/dump-utmp  part of the GNU Accounting utilities (process and login accounting) package; converts connect-time accounting data into readable ASCII