Flipkart

Friday 3 March 2017

Logs in Linux (Centos&RedHat) - PART2


This week's article on my blog covers the must-know Linux (RHEL/CentOS/Fedora) logs other than /var/log/messages, which was covered in Logs in Linux (Centos&RedHat) - PART1.

As you might already have noticed, my blog gives preference to practical implementation of the knowledge rather than just putting it down on paper.

Below is the list of logs that an enterprise Linux system administrator, or anyone fond of Linux, can use on a daily basis to fix various issues on a Linux server :).

1. /var/log/maillog:


This log records the activity of the mail server application deployed on your Linux server.


Different mail servers that can be deployed on a Linux server are:

1. Mutt – Command Line Email Client (default in Linux)
2. Sendmail
3. Qmail
4. Postfix
5. Alpine
6. Exim
7. Zimbra
 
Entries in the /var/log/maillog file usually look like the following:

Feb 21 04:05:01 Server1 sendmail[1120]: v1Q9916l008142: from=username, size=374, class=0, nrcpts=1, msgid=<2017022119263.v1Q9916l008142@server1.domainname.com>, relay=username@localhost

Feb 21 04:10:01 server1 sendmail[1953]: v1a0d1rc019730: from=, size=647, class=0, nrcpts=1, msgid=<201702210905.v1a0d1rc019730@server1.domainname.com>, proto=ESMTP, daemon=MTA, relay=username [127.0.0.1]

Feb 21 04:10:01 server1 sendmail[1246]: v1Q9x2vg319764: to=username, ctladdr=username (27341/674), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30374, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (v1Q9x2vg319764 Message accepted for delivery)
 
The above lines show the time the message was sent or received, the server name, the mail server deployed on Linux, the message ID, the message size, the protocol (usually SMTP) and the relay (mail server) used to send or receive the message.
server1 ⇒ Linux server name
sendmail ⇒ the mail server deployed on my Linux server
v1Q9916l008142 ⇒ message ID (sendmail queue ID)

When do you look into maillog?

1. If mails are not being sent or received as expected, or mail is not working at all
2. If mail sending and receiving is delayed
3. If you see a "mail server is not accepting connections" message when you try to send an email
4. To see whether any spamming is happening or whether messages are still in the queue
5. Just to make sure no other errors and warnings are present in the logs, as a regular practice to keep your mail server running without any disruption.

Symptoms to watch for in maillog:

  • Rejecting connections
Fix: make sure the SMTP server configured in /etc/mail/sendmail.cf is reachable and functioning.
  • unable to qualify my own domain name (localhost)
Fix: add the line below to /etc/hosts to make this work
(replace server1 with your server name):
127.0.0.1  server1 localhost.localdomain localhost
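As an added example (not from the original post), here is a small Python parser that pairs the from=/to= records by sendmail queue ID, flags messages whose delivery is not confirmed (a non-Sent stat or no to= record, i.e. still queued) and picks out the two daemon-level symptoms discussed above. The sample lines are constructed to resemble the entries quoted above; the addresses and hostnames are made up.

```python
import re
from collections import OrderedDict

# Constructed sample, modelled on the /var/log/maillog entries quoted above (addresses are made up).
SAMPLE_MAILLOG = """\
Feb 21 04:05:01 server1 sendmail[1120]: v1Q9916l008142: from=username, size=374, class=0, nrcpts=1, msgid=<201702211926.v1Q9916l008142@server1.domainname.com>, relay=username@localhost
Feb 21 04:05:01 server1 sendmail[1246]: v1Q9916l008142: to=username, ctladdr=username (27341/674), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30374, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (v1Q9916l008142 Message accepted for delivery)
Feb 21 04:10:01 server1 sendmail[1953]: v1a0d1rc019730: from=<bob@example.com>, size=647, class=0, nrcpts=1, msgid=<201702210905.v1a0d1rc019730@server1.domainname.com>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Feb 21 04:10:02 server1 sendmail[1960]: v1a0d1rc019730: to=<alice@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=120647, relay=mx.example.org., dsn=4.0.0, stat=Deferred: Connection refused by mx.example.org.
Feb 21 04:12:00 server1 sendmail[2001]: v1Q9916l009999: from=<carol@example.com>, size=100, class=0, nrcpts=1, msgid=<201702210912.v1Q9916l009999@server1.domainname.com>, relay=localhost
Feb 21 04:15:00 server1 sendmail[2002]: unable to qualify my own domain name (server1) -- using short name
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w.-]+)\[\d+\]: (?P<rest>.*)$")
QUEUE_RE = re.compile(r"^(?P<qid>[A-Za-z0-9]{10,14}): (?P<kv>.*)$")   # sendmail queue id prefix
SYMPTOMS = ("rejecting connections", "unable to qualify my own domain name")   # the two called out above

def parse_maillog(text):
    """Group sendmail from=/to= records by queue id. Returns (messages, symptom_lines)."""
    messages, symptoms = OrderedDict(), []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        q = QUEUE_RE.match(m["rest"])
        if not q:                                   # daemon-level message with no queue id
            if any(s in m["rest"].lower() for s in SYMPTOMS):
                symptoms.append(m["rest"])
            continue
        rec = messages.setdefault(q["qid"], {"first_seen": m["ts"], "from": None, "to": [], "stat": []})
        stat = re.search(r"\bstat=(.*)$", q["kv"])  # stat= is always the last field and may contain commas
        for key, val in re.findall(r"(\w+)=([^,]*)", q["kv"]):
            if key == "from":
                rec["from"] = val.strip()
            elif key == "to":
                rec["to"].append(val.strip())
        if stat:
            rec["stat"].append(stat.group(1).strip())
    return messages, symptoms

def find_problems(messages):
    """Queue ids whose delivery is not confirmed: a non-Sent stat, or no to= record at all."""
    problems = {}
    for qid, rec in messages.items():
        bad = [s for s in rec["stat"] if not s.startswith("Sent")]
        if bad:
            problems[qid] = bad[0]
        elif not rec["to"]:
            problems[qid] = "no to= record yet (still queued or never delivered)"
    return problems
```

On a real system, replace SAMPLE_MAILLOG with the contents of /var/log/maillog; the deferred entry and the queue ID with no to= line are the ones worth checking against the mail queue.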

2. /var/log/lastlog:

 

This log file is a binary data file, unlike the other log files, which are text files. So we cannot read it directly with commands like vi/more/vim/tail/head/cat.
[root@server1 ~]# file /var/log/lastlog
/var/log/lastlog: data
[root@server1 ~]# file /var/log/secure
/var/log/secure: ASCII text
  • Linux provides the #lastlog command to get readable details from the /var/log/lastlog file.
  • The #lastlog command gives details about the most recent login of all users, or of a given user.
Sample output of the #lastlog command is shown below:
 
allen                               **Never logged in**
ntp                                 **Never logged in**
appuser           pts/1     Fri Sep 16 15:35:56 -0400 2016
albert            pts/0    192.168.1.1      Wed Mar 16 22:35:05 -0400 2016
general           pts/0    192.168.2.1     Fri Mar 30 22:02:26 -0400 2012
ftp_user          pts/2    x.x.x.x      Wed Jun 25 14:16:06 -0400 2014 
 
In the above output, the first column is the username, the third column is the source system from which the user reached the target server, and the last column is the user's most recent login time (when no source host is recorded, as for appuser, the time follows the tty directly).

We can get the login details of a particular user as well, like below:
 
[root@server1 ~]# lastlog -u abc
Username         Port     From                         Latest
abc              pts/2    anotherserver.domain.com  Wed Feb  5 10:55:13 -0500 2017
 
 
PURPOSE OF THIS FILE:

  1. The output from this file/command can be used to track a user's recent login details, or which users visited the server in the recent past.
  2. This file will NOT contain any errors, so it can be treated as an informative file and is rarely used in troubleshooting.

Last but not least, a Linux man page is available for the #lastlog command.
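To show why `file` reports /var/log/lastlog as "data", here is an added example (not part of the original post) that decodes the file the way the lastlog command does. It assumes glibc's struct lastlog layout on x86_64 Linux (a 32-bit timestamp, a 32-byte tty and a 256-byte host, 292 bytes per record, indexed by UID); the user map and the file image are constructed, not captured.

```python
import struct
from datetime import datetime, timezone

# Assumption: glibc's struct lastlog on x86_64 Linux: int32 ll_time, char ll_line[32], char ll_host[256].
LASTLOG_FMT = "<i32s256s"
LASTLOG_SIZE = struct.calcsize(LASTLOG_FMT)            # 292 bytes; record for uid N is at offset N*292

def cstr(raw):
    return raw.split(b"\0", 1)[0].decode(errors="replace")

def parse_lastlog(blob, users):
    """users: {uid: name}, e.g. built from pwd.getpwall(). Returns {name: None or (line, host, login_utc)};
    None is what the lastlog command prints as **Never logged in**."""
    out = {}
    for uid, name in users.items():
        off = uid * LASTLOG_SIZE
        rec = blob[off:off + LASTLOG_SIZE]
        if len(rec) < LASTLOG_SIZE:          # file never grew this far: no user with this uid or higher logged in
            out[name] = None
            continue
        ts, line, host = struct.unpack(LASTLOG_FMT, rec)
        out[name] = None if ts == 0 else (cstr(line), cstr(host), datetime.fromtimestamp(ts, timezone.utc))
    return out

def recent_logins(parsed, newest_first=True):
    """Names that have actually logged in, ordered by their last login time."""
    seen = [(name, info) for name, info in parsed.items() if info]
    return [name for name, info in sorted(seen, key=lambda x: x[1][2], reverse=newest_first)]

SAMPLE_USERS = {0: "root", 1000: "appuser", 1001: "albert", 1002: "allen"}   # constructed uid map

def build_sample_lastlog():
    """Constructed /var/log/lastlog image (not a real capture) echoing the sample output above."""
    blob = bytearray((max(SAMPLE_USERS) + 1) * LASTLOG_SIZE)     # all zeros: nobody has logged in yet
    logins = {  # uid: (login time in UTC, tty, source host)
        1000: (datetime(2016, 9, 16, 19, 35, 56, tzinfo=timezone.utc), "pts/1", ""),
        1001: (datetime(2016, 3, 17, 2, 35, 5, tzinfo=timezone.utc), "pts/0", "192.168.1.1"),
    }
    for uid, (when, line, host) in logins.items():
        rec = struct.pack(LASTLOG_FMT, int(when.timestamp()), line.encode(), host.encode())
        blob[uid * LASTLOG_SIZE:(uid + 1) * LASTLOG_SIZE] = rec
    return bytes(blob)
```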

3. /var/log/wtmp:


This file is also a data file, like /var/log/lastlog.

Linux provides the #last and #lastb commands to read this kind of record and get the required information.
However, in some cases the file /var/log/wtmp may not be present, depending on the admin's local configuration.
PURPOSE OF THE COMMAND #LAST:

  1. The #last command displays a list of all users logged in (and out) on the Linux server.
  2. Use the #last command to find out easily who was logged in at a particular time (specify that time with -t).
  3. No need to bother about the data file (wtmp) at any time, as last is readily available.
  4. To find out the server's last reboot time details.
Sample output of the command #last:
root        pts/2        192.168.1.1         Wed Jan 14 10:05 - 11:28  (00:23)
root        pts/0        192.168.1.2         Wed Jan 14 09:29 - 9:11   (00:42)
root        pts/0        server2.domain.com  Tue Jan 13 01:02 - 09:13  (02:11)
appuser   pts/3        192.168.1.4         Mon Jan 12 14:54 - 11:05  (03:11)
admin pts/0        server1.domain.com   Thu Jan  8 00:04 - 00:07  (00:00)
 
Column1 ⇒ Username
Column2 ⇒ tty
Column3 ⇒ jump server from which the user logged onto our Linux server
Column4 ⇒ user logon time
 
IMPORTANT POINT:

The pseudo user "reboot" logs in each time the system is rebooted for any reason. So the command "#last reboot" shows a log of all reboots, or at least the last 5 reboots of the server, which is very useful for troubleshooting server availability issues.
 
[root@server3 ~]# last reboot
reboot   system boot  2.6.18-308.el5   Tue Jun 2  09:33         (247+19:50)
reboot   system boot  2.6.18-308.el5   Thu Jan 1  23:47         (529+08:41)
reboot   system boot  2.6.18-274.3.1.e Thu Jan 09 23:29          (00:12)
reboot   system boot  2.6.18-194.26.1. Thu Jan 17 23:13          (00:12)
reboot   system boot  2.6.18-194.26.1. Thu Jan 12 22:29          (00:38)
**There is a #lastb command as well, which exclusively shows failed (so-called bad) logins; it reads them from /var/log/btmp.
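The following added example (not from the original post) reads a wtmp image the way `last` does: it lists the BOOT_TIME records that `last reboot` prints (the "reboot" pseudo user, with the kernel release stored in the host field) and pairs each USER_PROCESS login with the DEAD_PROCESS record on the same tty to get session start and end. It assumes glibc's 384-byte struct utmp layout on x86_64 Linux; the sample file is constructed, not a real capture.

```python
import struct
from datetime import datetime, timezone

# Assumption: glibc's struct utmp on x86_64 Linux, 384 bytes, little-endian.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)                 # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8       # ut_type values that `last` cares about

def cstr(raw):
    return raw.split(b"\0", 1)[0].decode(errors="replace")

def make_utmp(ut_type, pid, line, user, host, when):
    """Pack one record; used here only to construct a sample file."""
    sec = int(when.timestamp())
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, sec, 0, 0, 0, 0, 0)

def read_wtmp(blob):
    """Decode every whole record, oldest first (wtmp is append-only)."""
    recs = []
    for off in range(0, len(blob) - len(blob) % UTMP_SIZE, UTMP_SIZE):
        t, pid, line, _, user, host, _, _, _, sec, *_ = struct.unpack(UTMP_FMT, blob[off:off + UTMP_SIZE])
        recs.append({"type": t, "line": cstr(line), "user": cstr(user), "host": cstr(host),
                     "time": datetime.fromtimestamp(sec, timezone.utc)})
    return recs

def reboots(recs):
    """What `last reboot` lists: BOOT_TIME entries, newest first; ut_host holds the kernel release."""
    return [(r["host"], r["time"]) for r in reversed(recs) if r["type"] == BOOT_TIME]

def sessions(recs):
    """Pair each USER_PROCESS with the next DEAD_PROCESS on the same tty, as `last` does.
    Returns (user, line, host, login, logout) newest first; logout is None if still logged in."""
    open_by_line, out = {}, []
    for r in recs:
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = len(out)
            out.append([r["user"], r["line"], r["host"], r["time"], None])
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            out[open_by_line.pop(r["line"])][4] = r["time"]
    return [tuple(s) for s in reversed(out)]

def build_sample_wtmp():
    """Constructed wtmp image (not a real capture) echoing the sample `last` output above."""
    utc = lambda *a: datetime(*a, tzinfo=timezone.utc)
    return b"".join([
        make_utmp(BOOT_TIME, 0, "~", "reboot", "2.6.18-308.el5", utc(2015, 6, 2, 13, 33)),
        make_utmp(USER_PROCESS, 4011, "pts/2", "root", "192.168.1.1", utc(2015, 6, 2, 14, 5)),
        make_utmp(DEAD_PROCESS, 4011, "pts/2", "", "", utc(2015, 6, 2, 14, 28)),
        make_utmp(USER_PROCESS, 4120, "pts/3", "appuser", "192.168.1.4", utc(2015, 6, 2, 14, 54)),
    ])
```

Feeding the real /var/log/wtmp to read_wtmp gives the same login, logout and reboot events that `last` and `last reboot` print.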
------------------------------------THE END OF PART2-----------------------------------

HAPPY LINUX LEARNING :)
Click here: Logs in Linux (Centos&RedHat) - PART1
Click here: Logs in Linux (Centos&RedHat) - PART2
Click here: Logs in Linux (Centos&RedHat) - PART3
 
