This week's article from my blog is about must-know Linux (RHEL/CentOS/Fedora) logs apart from /var/log/messages, which was covered in Logs in Linux (Centos&RedHat) - PART1.
As you might already have noticed, my blog gives preference to practical application of the knowledge rather than just putting it down on paper.
The Logs in Linux topic was covered in 3 parts in total; the links are below:
Click here: Logs in Linux (Centos&RedHat) - PART1
Click here: Logs in Linux (Centos&RedHat) - PART2
Click here: Logs in Linux (Centos&RedHat) - PART3
Below is the list of logs that an enterprise Linux system administrator, or anyone fond of Linux, can use on a daily basis to fix various issues on a Linux server :).
1. /var/log/maillog:
This log gives information about the mail server application deployed on your Linux server.
Different mail servers that can be deployed on a Linux server are:
1. Mutt – Command Line Email Client (default in Linux)
2. Sendmail
3. Qmail
4. Postfix
5. Alpine
6. Exim
7. Zimbra
Entries in the /var/log/maillog file usually look like the following:
Feb 21 04:05:01 Server1 sendmail[1120]: v1Q9916l008142: from=username, size=374, class=0, nrcpts=1, msgid=<2017022119263.v1Q9916l008142@server1.domainname.com>, relay=username@localhost
Feb 21 04:10:01 server1 sendmail[1953]: v1a0d1rc019730: from=, size=647, class=0, nrcpts=1, msgid=<201702210905.v1a0d1rc019730@server1.domainname.com>, proto=ESMTP, daemon=MTA, relay=username [127.0.0.1]
Feb 21 04:10:01 server1 sendmail[1246]: v1Q9x2vg319764: to=username, ctladdr=username (27341/674), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30374, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (v1Q9x2vg319764 Message accepted for delivery)
The above lines show the time at which the message was sent or received, the server name, the mail server deployed on Linux, the message ID, the message size, the protocol (usually SMTP) and the relay (mail server) used to send or receive the message.
server1 ⇒ Linux server name
sendmail ⇒ the mail server deployed on my Linux server
v1Q9916l008142 ⇒ message ID
When do you look into maillog?
1. If mails are not being sent or received as expected, or mail is not working at all
2. If mail sending and receiving is delayed
3. If you see a "mail server is not accepting connections" message when you try to send an email
4. To see if any spamming is happening, or if messages are still in the queue
5. Just to make sure no other errors and warnings are present in the logs, as a regular practice to keep your mail server running without any disruption.
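As an added example (not from the original post), here is a small Python parser for sendmail entries in the format shown above. It groups the from= and to= records by queue ID and flags deliveries whose stat= is not Sent or whose delay= is long, which covers the "delayed" and "still in the queue" checks in the list above. The log lines, addresses and hosts in it are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample lines in the sendmail maillog format shown above; the
# queue ids are reused from the post, addresses and hosts are made up.
SAMPLE_MAILLOG = """\
Feb 21 04:05:01 server1 sendmail[1120]: v1Q9916l008142: from=<alice@server1.example>, size=374, class=0, nrcpts=1, msgid=<2017022119263.v1Q9916l008142@server1.example>, relay=alice@localhost
Feb 21 04:05:01 server1 sendmail[1246]: v1Q9916l008142: to=<bob@example.org>, ctladdr=<alice@server1.example> (500/500), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30374, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (v1Q9916l008142 Message accepted for delivery)
Feb 21 04:10:01 server1 sendmail[1953]: v1a0d1rc019730: from=<cron@server1.example>, size=647, class=0, nrcpts=1, msgid=<201702210905.v1a0d1rc019730@server1.example>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Feb 21 04:35:02 server1 sendmail[1953]: v1a0d1rc019730: to=<ops@example.org>, delay=00:25:01, xdelay=00:00:30, mailer=esmtp, pri=120647, relay=mx.example.org. [192.0.2.25], dsn=4.0.0, stat=Deferred: Connection refused by mx.example.org.
"""

# "Mon DD HH:MM:SS host sendmail[pid]: QUEUEID: key=value, key=value, ..."
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"sendmail\[\d+\]: (?P<qid>\w+): (?P<fields>.*)$")

def delay_seconds(delay):
    """sendmail delay= is HH:MM:SS, or D+HH:MM:SS once it exceeds a day."""
    days, _, hms = delay.rpartition("+")
    h, m, s = (int(x) for x in hms.split(":"))
    return (int(days) if days else 0) * 86400 + h * 3600 + m * 60 + s

def parse_maillog(text):
    """Group the from= (envelope) and to= (delivery) records by queue id."""
    msgs = defaultdict(lambda: {"from": None, "size": 0, "recipients": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # not a sendmail queue-id line
        kv = dict(part.partition("=")[::2] for part in m.group("fields").split(", "))
        rec = msgs[m.group("qid")]
        if "from" in kv:
            rec["from"], rec["size"] = kv["from"], int(kv.get("size", 0))
        elif "to" in kv:
            rec["recipients"].append({"to": kv["to"], "time": m.group("ts"),
                                      "relay": kv.get("relay", ""), "stat": kv.get("stat", ""),
                                      "delay": delay_seconds(kv.get("delay", "00:00:00"))})
    return dict(msgs)

def find_problems(msgs, max_delay=300):
    """Deliveries that were not 'Sent', or that sat in the queue longer than max_delay seconds."""
    return [(qid, r["to"], r["stat"], r["delay"])
            for qid, rec in msgs.items() for r in rec["recipients"]
            if not r["stat"].startswith("Sent") or r["delay"] > max_delay]
```

Feed it the real file with `parse_maillog(open("/var/log/maillog").read())`; a queue ID that has a from= record but no to= record at all is a message still waiting in the queue.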
Symptoms to watch for in maillog:
- Rejecting connections
Fix: Make sure the SMTP server configured in /etc/mail/sendmail.cf is reachable and functioning.
- unable to qualify my own domain name (localhost)
Fix: Add the line below to /etc/hosts to make this work
(replace server1 with your server name):
127.0.0.1 server1 localhost.localdomain localhost
2. /var/log/lastlog:
Unlike most other log files, which are text files, this log file is a binary data file, so we cannot read it directly with commands like vi/vim/more/tail/head/cat.
[root@server1 ~]# file /var/log/lastlog
/var/log/lastlog: data
[root@server1 ~]# file /var/log/secure
/var/log/secure: ASCII text
- Linux provides the #lastlog command to get readable details from the /var/log/lastlog file.
- The #lastlog command gives details about the most recent login of all users, or of a given user.
Sample output of the #lastlog command is as below:
allen **Never logged in**
ntp **Never logged in**
appuser pts/1 Fri Sep 16 15:35:56 -0400 2016
albert pts/0 192.168.1.1 Wed Mar 16 22:35:05 -0400 2016
general pts/0 192.168.2.1 Fri Mar 30 22:02:26 -0400 2012
ftp_user pts/2 x.x.x.x Wed Jun 25 14:16:06 -0400 2014
In the above output, the first column is the username, the second the terminal (port), the third the source system from which the user connected to the target server, and the last column the user's most recent login time.
We can also get the login details of a particular user, as below:
[root@server1 ~]# lastlog -u abc
Username Port From Latest
abc pts/2 anotherserver.domain.com Wed Feb 5 10:55:13 -0500 2017
PURPOSE OF THIS FILE:
- The output from this file/command can be used to track users' recent login details, or which users visited the server in the recent past.
- This file will NOT contain any errors, so it can be treated as an informational file; it is rarely used in troubleshooting.
Last but not least, a Linux man page is available for the #lastlog command.
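To show why lastlog is reported as a "data" file and what the #lastlog command actually reads, here is an added Python example (not from the original post) that parses the record layout of /var/log/lastlog: one fixed 292-byte record per UID, so UIDs that have never logged in read as all zeros. The record layout is the assumed glibc one on Linux, and the file image in the block is constructed.

```python
import struct
from datetime import datetime, timezone

# Assumed glibc layout of one /var/log/lastlog record on Linux:
#   int32 ll_time; char ll_line[32]; char ll_host[256]  -> 292 bytes.
# The file is indexed by UID: the record for UID n starts at offset n * 292,
# which is why it is a "data" file and why users with no login read as zeros.
LASTLOG_FMT = "<i32s256s"
LASTLOG_SIZE = struct.calcsize(LASTLOG_FMT)   # 292

def make_record(ts=0, line="", host=""):
    """Build one record (constructed test data); all zeros means never logged in."""
    return struct.pack(LASTLOG_FMT, ts, line.encode(), host.encode())

# Constructed lastlog image for UIDs 0..2: root and UID 1 never logged in,
# UID 2 logged in on pts/1 from 192.168.1.1 at 2016-09-16 19:35:56 UTC.
SAMPLE_LASTLOG = make_record() + make_record() + make_record(1474054556, "pts/1", "192.168.1.1")

def read_lastlog(data, uid):
    """Return (epoch, line, host) for a UID, or None if that UID never logged in."""
    off = uid * LASTLOG_SIZE
    if off + LASTLOG_SIZE > len(data):
        return None                 # sparse file: no record written for this UID yet
    ts, line, host = struct.unpack_from(LASTLOG_FMT, data, off)
    if ts == 0:
        return None
    # fields are NUL-padded and are not NUL-terminated when they fill the field
    return ts, line.split(b"\0", 1)[0].decode(), host.split(b"\0", 1)[0].decode()

def format_lastlog(data, names):
    """Render lines like lastlog(8); names maps uid -> username."""
    out = []
    for uid, name in sorted(names.items()):
        rec = read_lastlog(data, uid)
        if rec is None:
            out.append(f"{name:<16}**Never logged in**")
        else:
            ts, line, host = rec
            when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y")
            out.append(f"{name:<16}{line:<8}{host:<16}{when}")
    return out
```

On a real server pass `open("/var/log/lastlog", "rb").read()` and a uid-to-name map built from /etc/passwd (for example via the pwd module).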
3. /var/log/wtmp:
This file is also a data file, like /var/log/lastlog.
Linux provides the #last and #lastb commands to read this file and get the required information.
However, in some cases the file /var/log/wtmp may not be present, depending on the admin's local configuration.
PURPOSE OF THE COMMAND #LAST:
- The #last command displays a list of all users who logged in (and out) on the Linux server.
- Use the #last command to easily find out who was logged in at a particular time (specify that time with -t).
- There is no need to deal with the data file (wtmp) directly, as #last is readily available.
- To find out the details of the server's last reboot.
Sample output of the command #last:
root pts/2 192.168.1.1 Wed Jan 14 10:05 - 11:28 (00:23)
root pts/0 192.168.1.2 Wed Jan 14 09:29 - 9:11 (00:42)
root pts/0 server2.domain.com Tue Jan 13 01:02 - 09:13 (02:11)
appuser pts/3 192.168.1.4 Mon Jan 12 14:54 - 11:05 (03:11)
admin pts/0 server1.domain.com Thu Jan 8 00:04 - 00:07 (00:00)
Column 1 => username
Column 2 => tty
Column 3 => jump server from which the user logged onto our Linux server
Column 4 => user login time, logout time and session duration
IMPORTANT POINT:
The pseudo user "reboot" logs in each time the system is rebooted for any reason. So the command "#last reboot" will show a log of all reboots, or at least the last 5 reboots of the server, which is very useful for troubleshooting any server-availability issues.
[root@server3 ~]# last reboot
reboot system boot 2.6.18-308.el5 Tue Jun 2 09:33 (247+19:50)
reboot system boot 2.6.18-308.el5 Thu Jan 1 23:47 (529+08:41)
reboot system boot 2.6.18-274.3.1.e Thu Jan 09 23:29 (00:12)
reboot system boot 2.6.18-194.26.1. Thu Jan 17 23:13 (00:12)
reboot system boot 2.6.18-194.26.1. Thu Jan 12 22:29 (00:38)
** There is a #lastb command as well, which shows only the failed, or so-called bad, logins.
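As an added example (not from the original post), the following Python code reads the record format behind /var/log/wtmp (the same utmp layout is used by /var/log/btmp, which #lastb reads), pairs each login with the logout on the same tty the way #last does, and lists boot records the way #last reboot does. The record layout is the assumed glibc x86_64 one and the file image is constructed.

```python
import struct

# Assumed glibc utmp record layout on x86_64 Linux (384 bytes per record):
#   short ut_type; pad; int ut_pid; char ut_line[32]; char ut_id[4]; char ut_user[32];
#   char ut_host[256]; short e_termination, e_exit; int ut_session;
#   int tv_sec, tv_usec; int ut_addr_v6[4]; char unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)          # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8

def _s(b):                                     # NUL-padded bytes field -> str
    return b.split(b"\0", 1)[0].decode(errors="replace")

def make_rec(ut_type, pid, line, user, host, tv_sec):
    """Constructed record builder for the sample data below."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

# Constructed wtmp image: a boot (the kernel release sits in ut_host, which is what
# 'last reboot' prints), a root session that logged out after 23 minutes, and an open one.
SAMPLE_WTMP = b"".join([
    make_rec(BOOT_TIME, 0, "~", "reboot", "2.6.18-308.el5", 1421231580),
    make_rec(USER_PROCESS, 4321, "pts/2", "root", "192.168.1.1", 1421233500),
    make_rec(DEAD_PROCESS, 4321, "pts/2", "", "", 1421234880),
    make_rec(USER_PROCESS, 4400, "pts/0", "appuser", "server2.domain.com", 1421235000),
])

def parse_wtmp(data):
    """Yield one dict per complete record, in file order (a trailing partial record is ignored)."""
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield {"type": f[0], "pid": f[1], "line": _s(f[2]), "user": _s(f[4]),
               "host": _s(f[5]), "time": f[9]}

def sessions(data):
    """Pair each login with the logout on the same tty: (user, line, host, login_epoch, seconds)."""
    open_by_line, out = {}, []
    for r in parse_wtmp(data):
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            login = open_by_line.pop(r["line"])
            out.append((login["user"], login["line"], login["host"], login["time"], r["time"] - login["time"]))
    for login in open_by_line.values():        # no logout record yet: still logged in
        out.append((login["user"], login["line"], login["host"], login["time"], None))
    return out

def reboots(data):
    """Equivalent of 'last reboot': (kernel release, boot epoch) for each BOOT_TIME record."""
    return [(r["host"], r["time"]) for r in parse_wtmp(data) if r["type"] == BOOT_TIME]
```

The real #last walks the file newest-first, so reverse the returned lists to match its ordering.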
------------------------------------THE END OF PART2-----------------------------------
HAPPY LINUX LEARNING :)