4. /var/log/secure:
This is a plain text file and can be viewed with tail/head/vi/cat/more and similar commands.
It holds the messages written by the authentication and authorization services on the server (PAM, sshd, sudo, su, login and the like).
So user logins over ssh and telnet are tracked here, including unsuccessful login attempts, together with every sudo and su use.
Sample entries from this file for sudo and su activity are as below (note that the first sudo line is itself a failure: sudo needed a password but had no terminal to ask for it, which is typical of a script or cron job calling sudo):
Feb 26 04:10:01 server2 sudo: appuser : no tty present and no askpass program specified ; TTY=unknown ; PWD=/home/appsur ; USER=root ; COMMAND=/admin/cron
Feb 26 04:10:22 server2 sudo: appuser : TTY=unknown ; PWD=/home/otheruser ; USER=root ; COMMAND=/usr/bin/view
Mar 1 04:59:14 server1 su: pam_unix(su-l:session): session opened for user abc by root(uid=0)
Mar 1 04:59:16 server1 su: pam_unix(su-l:session): session closed for user abc
Unsuccessful login entries in the /var/log/secure file:
Mar 1 05:01:50 server1 sshd[15222]: Failed password for abc from 192.168.1.1 port 41043 ssh2
Mar 1 05:01:54 server1 sshd[15172]: Failed password for abc from 192.168.1.1 port 41047 ssh2
Mar 1 05:01:58 server1 sshd[16172]: Failed password for abc from 192.168.1.1 port 41047 ssh2
Mar 1 05:01:58 server1 sshd[15279]: Connection closed by 192.168.1.1
Mar 1 05:01:58 server1 sshd[15175]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=server1.domainname.com user=abc
I got the above logs after trying three times with an incorrect password for user "abc".
PURPOSE OF THIS FILE:
- To detect unauthorised users trying to log on to your server (failed passwords, logins for invalid user names, unfamiliar source addresses).
- To see whether a user is trying to use privileges that have not been granted to him (sudo and su entries, including commands sudo refused).
- To protect your server by spotting suspicious login attempts early, before a password guess succeeds.
Relevant command for login failures:
The faillog command reports login failure counts for all users or for one user, and can also set the lockout limit after a number of unsuccessful attempts. Note that faillog does not read /var/log/secure: it reads its own database, /var/log/faillog, which is only populated when something (pam_tally, or login with FAILLOG_ENAB set in /etc/login.defs) records failures there. On many current distributions that database stays at zero and the faillock command (pam_faillock) is the replacement.
#faillog -a ⇒ displays the login failure records of all users on the Linux server
#faillog -u <user> ⇒ displays the login failure record of the mentioned user
#faillog -u <user> -m <n> ⇒ sets the maximum number of failures before that account is locked (0 removes the limit)
Example:
[root@server1 ~]# faillog -u abc
Login       Failures Maximum Latest                   On
abc            0        0   12/31/16 19:00:00 -0500
A zero count here, even though /var/log/secure shows failed passwords for the same user, means nothing on this system is feeding the faillog database, so /var/log/secure remains the authoritative record.
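To turn the "purpose" list above into something repeatable, the script below (an added example, not code from the original post) summarises the failed-password and sudo entries the way you would during a review of /var/log/secure. The log lines in SAMPLE_SECURE are constructed for this example (they extend the page's own samples with an "invalid user" attempt and a second source address), and the threshold of three failures is an assumption, not a distribution default.

```shell
#!/bin/sh
# Added example (not from the original post): summarise what /var/log/secure tells you
# about failed logins and sudo use. The log lines in SAMPLE_SECURE are constructed for
# this example; the threshold of 3 failures is an assumption, not a distribution default.

SAMPLE_SECURE='Mar 1 05:01:50 server1 sshd[15222]: Failed password for abc from 192.168.1.1 port 41043 ssh2
Mar 1 05:01:54 server1 sshd[15172]: Failed password for abc from 192.168.1.1 port 41047 ssh2
Mar 1 05:01:58 server1 sshd[16172]: Failed password for abc from 192.168.1.1 port 41047 ssh2
Mar 1 05:02:10 server1 sshd[16201]: Failed password for invalid user admin from 10.0.0.7 port 50022 ssh2
Mar 1 05:02:15 server1 sshd[16210]: Accepted password for abc from 192.168.1.1 port 41050 ssh2
Feb 26 04:10:01 server2 sudo: appuser : no tty present and no askpass program specified ; TTY=unknown ; PWD=/home/appuser ; USER=root ; COMMAND=/admin/cron
Feb 26 04:10:22 server2 sudo: appuser : TTY=unknown ; PWD=/home/otheruser ; USER=root ; COMMAND=/usr/bin/view /etc/shadow'

# failed_logins FILE
# Prints "count user source-ip", most failures first. sshd logs a guessed name that
# does not exist on the host as "invalid user NAME", which shifts the fields by two.
failed_logins() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            if ($9 == "invalid") { user = $11; ip = $13 } else { user = $9; ip = $11 }
            n[user " " ip]++
        }
        END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# brute_force_sources FILE THRESHOLD
# Prints "source-ip count" for every address with at least THRESHOLD failed passwords,
# whatever user names it tried (password spraying spreads attempts across many users).
brute_force_sources() {
    awk -v t="$2" '/sshd\[[0-9]+\]: Failed password for/ {
            ip = ($9 == "invalid") ? $13 : $11
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }' "$1" | sort
}

# sudo_no_tty FILE
# Prints "user command" for sudo invocations with TTY=unknown, i.e. run from scripts or
# cron rather than an interactive shell; worth a look because nobody typed them.
sudo_no_tty() {
    awk '/ sudo: / && /TTY=unknown/ {
            user = $6                                  # field after "sudo:" is the invoking user
            cmd = substr($0, index($0, "COMMAND=") + 8) # everything after COMMAND=
            print user, cmd
        }' "$1"
}

# Stand-alone demo on the constructed sample.
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_SECURE" > "$SAMPLE_FILE"
echo "== failed passwords per user and source =="; failed_logins "$SAMPLE_FILE"
echo "== sources with 3 or more failures =="; brute_force_sources "$SAMPLE_FILE" 3
echo "== sudo without a terminal =="; sudo_no_tty "$SAMPLE_FILE"
```

On a real host, replace SAMPLE_FILE with /var/log/secure (root only) and remember that rotated copies (/var/log/secure-YYYYMMDD) hold the earlier attempts; counting per source address rather than per user is what catches the slow, spread-out guessing that a per-user tool such as faillog never sees.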
5. /var/log/dmesg:
- I feel this is the second most important file in Linux after /var/log/messages, as it has information about all the hardware attached to your server.
- This file is a copy of the kernel ring buffer taken at boot. When the Linux server boots, a number of messages scroll by on the screen about the hardware devices the kernel detected during the boot process; those are the messages saved here.
- The ring buffer itself has a fixed size, so the oldest messages are overwritten as new ones arrive; /var/log/dmesg keeps the boot-time snapshot even after those messages have scrolled out of the buffer.
The current content of the ring buffer can be read with the command #dmesg. On systemd-based distributions /var/log/dmesg may not be created at all; there, journalctl -k shows the same kernel messages (and earlier boots too, if the journal is persistent). Note that when the sysctl kernel.dmesg_restrict is set to 1, only root (CAP_SYSLOG) can read the buffer.
PURPOSE OF THIS FILE:
We usually refer to this file, or run #dmesg, to get information about the memory available on the system, the network cards installed, the USB devices in use, the serial port details (ttyS), the number of CPUs and how many of them are hot-pluggable, and so on. From a security standpoint it is also where segfault messages from crashed programs, kernel oopses and newly plugged-in USB storage show up, all of which are worth checking during an incident.
Example:
[root@server4 ~]# dmesg | grep -i memory
Memory for crash kernel (0x0 to 0x0) notwithin permissible range
Memory: 16407184k/18874368k available (2616k kernel code, 358416k reserved, 1672k data, 224k init)
Freeing initrd memory: 2685k freed
Total HugeTLB memory allocated, 0
Non-volatile memory driver v1.2
Freeing unused kernel memory: 224k freed
6. /var/log/cron:
This file logs an entry whenever the cron daemon (crond, or anacron) starts a cron job, recording the user the job ran as and the command. It also records crontab edits (BEGIN EDIT / REPLACE lines from the crontab command), which makes it the place to look when you suspect a cron entry was planted for persistence.
This is a plain text file.
Sample output from /var/log/cron:
Feb 2 01:30:01 server1 CROND[200]: (abcuser) CMD (/home/usr/fssize > /dev/null 2>&1)
Feb 2 02:30:01 server1 CROND[201]: (abcuser) CMD (/home/usr/maintenance.sh > //home/abcuser/log/maintenance.out)
What if your cron job did not run and you do not know where to look?
Check the following:
- See whether there is an entry in /var/log/cron for your job; if there is, crond did launch it, so look at the log file that receives the output of your script.
- A cron job's output should generally be redirected to a log file, which makes the job easier to debug; see whether anything was written there. If the output is not redirected, cron mails it to the owning user (or MAILTO), so also check that user's local mail.
- See whether your job is commented out in the crontab (#crontab -l, or #crontab -l -u <user> as root).
- Compare the timestamps in /var/log/cron with the time the job was due, to see whether it was kicked off at all. If no CROND entry appears at the expected time, confirm that crond itself is running and that the user is not blocked by /etc/cron.deny (or left out of /etc/cron.allow, when that file exists).
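The checklist above, carried out on a log excerpt and a crontab listing, as an added example that is not part of the original post. SAMPLE_CRON_LOG and SAMPLE_CRONTAB are constructed for this example (the log reuses the page's two entries plus a third launch; the crontab and the job names are hypothetical); on a real host you would point the functions at /var/log/cron and the output of crontab -l -u USER.

```shell
#!/bin/sh
# Added example (not from the original post): the "did my cron job run?" checks applied
# to a log excerpt and a crontab listing. SAMPLE_CRON_LOG and SAMPLE_CRONTAB are
# constructed for this example; on a real host use /var/log/cron and `crontab -l -u USER`.

SAMPLE_CRON_LOG='Feb 2 01:30:01 server1 CROND[200]: (abcuser) CMD (/home/usr/fssize > /dev/null 2>&1)
Feb 2 02:30:01 server1 CROND[201]: (abcuser) CMD (/home/usr/maintenance.sh > /home/abcuser/log/maintenance.out)
Feb 3 01:30:01 server1 CROND[310]: (abcuser) CMD (/home/usr/fssize > /dev/null 2>&1)'

SAMPLE_CRONTAB='30 1 * * * /home/usr/fssize > /dev/null 2>&1
#30 2 * * * /home/usr/maintenance.sh > /home/abcuser/log/maintenance.out
0 4 * * 0 /home/usr/weekly_backup.sh >> /home/abcuser/log/backup.out 2>&1'

# cron_launch_count LOGFILE PATTERN
# Counts the CROND "CMD (...)" lines whose command contains PATTERN, i.e. how many
# times crond actually started the job (what the job did afterwards is not logged here).
cron_launch_count() {
    awk -v p="$2" '/CROND\[[0-9]+\]: \(.*\) CMD \(/ && index($0, p) { n++ }
                   END { print n + 0 }' "$1"
}

# cron_last_launch LOGFILE PATTERN
# Prints the timestamp of the most recent launch, to tally against the scheduled time.
cron_last_launch() {
    awk -v p="$2" '/CROND\[[0-9]+\]: \(.*\) CMD \(/ && index($0, p) { ts = $1 " " $2 " " $3 }
                   END { print ts }' "$1"
}

# crontab_status CRONTAB_FILE PATTERN
# Prints "active", "commented" (present but behind a #) or "missing".
crontab_status() {
    awk -v p="$2" 'index($0, p) { if ($0 ~ /^[ \t]*#/) s = "commented"; else { s = "active"; exit } }
                   END { print (s == "" ? "missing" : s) }' "$1"
}

# cron_check LOGFILE CRONTAB_FILE PATTERN
# Combines the checks into one verdict for the job identified by PATTERN.
cron_check() {
    case "$(crontab_status "$2" "$3")" in
        missing)   echo "not-scheduled" ;;
        commented) echo "disabled" ;;
        active)
            if [ "$(cron_launch_count "$1" "$3")" -gt 0 ]; then
                echo "launched $(cron_last_launch "$1" "$3")"
            else
                echo "scheduled-but-never-launched"   # crond not running, cron.deny, or bad schedule
            fi ;;
    esac
}

# Stand-alone demo on the constructed samples.
CRON_LOG_FILE=$(mktemp); printf '%s\n' "$SAMPLE_CRON_LOG" > "$CRON_LOG_FILE"
CRONTAB_FILE=$(mktemp);  printf '%s\n' "$SAMPLE_CRONTAB"  > "$CRONTAB_FILE"
for job in fssize maintenance.sh weekly_backup.sh nightly_report.sh; do
    echo "$job: $(cron_check "$CRON_LOG_FILE" "$CRONTAB_FILE" "$job")"
done
```

The "launched" verdict only proves crond started the job; a non-zero exit or an empty output file is the script's own problem, which is why the redirection to a log file matters. "scheduled-but-never-launched" is the case where the remaining checks (crond running, cron.allow/cron.deny, a schedule that never matches) apply.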
Apart from the logs mentioned above, you may find the logs below on your Linux server if the corresponding applications are installed.
7. /var/log/yum.log ⇒ This file has details of yum command activity (packages installed, updated and erased)
8. /var/log/mysqld.log ⇒ This file has details about the MySQL server, if you are using it
9. /var/log/httpd ⇒ Apache access and error log directory
HAPPY LINUX LEARNING :)