Understanding the Linux system log files

You'll find the Linux log files in the /var/log directory. The structure of Linux log files is pretty much the same across all Linux distros. But, in the Linux tradition of trying to keep us all confused, the main log files have different names on different distros. On Red Hat-type systems, the main log file is the messages file, and the log for authentication-related events is the secure file. On Debian-type systems, the main log file is the syslog file, and the authentication log is the auth.log file. Other log files you'll see include the following:

  • /var/log/kern.log: On Debian-type systems, this log contains messages about what's going on with the Linux kernel. As we saw in Chapter 3, Securing Your Server with a Firewall - Part 1, and Chapter 4, Securing Your Server with a Firewall - Part 2, this includes messages about what's going on with the Linux firewall. So, if you want to see whether any suspicious network packets have been blocked, this is the place to look. Red Hat-type systems don't have this file. Instead, Red Hat systems send their kernel messages to the messages file.
  • /var/log/wtmp and /var/run/utmp: The two files do essentially the same thing. They both record information about users who are logged in to the system. The main difference is that wtmp holds historical data from utmp. Unlike most Linux log files, these are in binary format, rather than normal text-mode format. The utmp file is the only file we'll look at that isn't in the /var/log directory.
  • /var/log/btmp: This binary file holds information about failed login attempts. The pam_tally2 module that we looked at in Chapter 2, Securing User Accounts, uses the information that's in this file.
  • /var/log/lastlog: This binary file holds information about the last time that users logged in to the system.
  • /var/log/audit/audit.log: This text-mode file records information from the auditd daemon. We already discussed it in Chapter 11, Scanning, Hardening, and Auditing, so I won't discuss it here.

There are quite a few other log files that contain information about applications and system boot-ups. But the log files that I've listed here are the main ones we're concerned about when looking at system security.
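Because wtmp, utmp, btmp and lastlog are binary rather than text, you can't just grep them; tools such as last, lastb and who decode them for you. The following Python script is an added example (not code from the book) that shows what those tools are actually doing: it decodes the fixed-width utmp record layout, pairs logins with logouts the way last does, and counts failed attempts per user from btmp-style records. The record layout is assumed to be glibc's struct utmp on x86_64 (384 bytes per entry); other C libraries or architectures may use a different layout. The sample records and addresses are constructed inline so the script runs offline.

```python
"""Decode Linux binary utmp/wtmp/btmp records and summarise logins and failed attempts.

Assumed layout: glibc struct utmp on x86_64 (384 bytes per record). Sample
records are constructed in this file; point load() at /var/log/wtmp or
/var/log/btmp (root needed for btmp) to analyse a real system.
"""
import struct
from collections import Counter
from datetime import datetime, timezone

# ut_type(int16) pad(2) ut_pid(int32) ut_line[32] ut_id[4] ut_user[32] ut_host[256]
# ut_exit(2 x int16) ut_session(int32) ut_tv.sec ut_tv.usec (2 x int32)
# ut_addr_v6[4] (4 x int32) __unused[20]  -> 384 bytes per record
UTMP_FORMAT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)

USER_PROCESS = 7  # a login on a line (in btmp: one failed attempt)
DEAD_PROCESS = 8  # the session on that line ended


def _cstr(raw):
    """NUL-terminated fixed-width byte field -> str."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def build_record(ut_type, pid, line, user, host, sec):
    """Pack one record; used here only to construct sample data."""
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, sec, 0, 0, 0, 0, 0)


def parse_utmp(data):
    """Decode every complete record in data; a trailing partial record is ignored."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FORMAT, data, off)
        records.append({
            "type": f[0], "pid": f[1], "line": _cstr(f[2]),
            "user": _cstr(f[4]), "host": _cstr(f[5]),
            "time": datetime.fromtimestamp(f[9], tz=timezone.utc),
        })
    return records


def load(path):
    """Read and decode a real wtmp/btmp/utmp file."""
    with open(path, "rb") as fh:
        return parse_utmp(fh.read())


def sessions(records):
    """Pair each login with the logout on the same line, as `last` does.
    Returns (user, line, host, login_time, duration_seconds or None if still open)."""
    open_by_line, out = {}, []
    for r in records:
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            login = open_by_line.pop(r["line"])
            dur = int((r["time"] - login["time"]).total_seconds())
            out.append((login["user"], login["line"], login["host"], login["time"], dur))
    for login in open_by_line.values():  # no DEAD_PROCESS yet: still logged in
        out.append((login["user"], login["line"], login["host"], login["time"], None))
    return out


def failed_logins(records):
    """btmp semantics: every USER_PROCESS record is one failed attempt (like lastb)."""
    return dict(Counter(r["user"] for r in records if r["type"] == USER_PROCESS))


# Constructed sample data (RFC 5737 documentation addresses, fixed timestamp).
T0 = 1_700_000_000
SAMPLE_WTMP = b"".join([
    build_record(USER_PROCESS, 4321, "pts/0", "alice", "192.0.2.5", T0),
    build_record(USER_PROCESS, 4400, "pts/1", "bob", "192.0.2.10", T0 + 1000),
    build_record(DEAD_PROCESS, 4321, "pts/0", "", "", T0 + 3600),
])
SAMPLE_BTMP = b"".join(
    [build_record(USER_PROCESS, 0, "ssh:notty", "root", "198.51.100.7", T0 + i * 3) for i in range(3)]
    + [build_record(USER_PROCESS, 0, "ssh:notty", "admin", "198.51.100.7", T0 + 60)]
)

if __name__ == "__main__":
    for user, line, host, when, dur in sessions(parse_utmp(SAMPLE_WTMP)):
        state = "still logged in" if dur is None else f"{dur // 60} min"
        print(f"{user:<8} {line:<10} {host:<14} {when:%Y-%m-%d %H:%M} {state}")
    for user, n in failed_logins(parse_utmp(SAMPLE_BTMP)).items():
        print(f"failed logins for {user}: {n}")
```

Running the script as-is prints a last-style table for the constructed wtmp data and a per-user count of failed attempts for the btmp data; swap in `load("/var/log/btmp")` to see which accounts are being hammered on a real host. Note that sshd records failed attempts with the line set to ssh:notty, and that logout records carry an empty user, which is why sessions() keys on the line rather than the user.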

Now that we've looked at what log files we have, let's look at them in more detail.
