0x00 Preface

Linux has a flexible and powerful logging facility that records almost every operation on the system, and the information an analyst needs can usually be retrieved from it. This article introduces the Linux system logs and some log analysis techniques.

0x01 Log Overview

The default directory for storing logs is /var/log/

Run more /etc/rsyslog.conf to see how logging is configured (which facilities go to which files).

Important logs:

Login failure records: /var/log/btmp (read with lastb)
Most recent login of each user: /var/log/lastlog (read with lastlog)
Login success records: /var/log/wtmp (read with last)
Authentication and login log: /var/log/secure (RHEL/CentOS; Debian-based systems use /var/log/auth.log instead)

Currently logged-in users: /var/run/utmp (read with w, who, or users)

Shell command history: history (history -c clears only the in-memory history of the current user's current shell; bash writes that list to ~/.bash_history when the shell exits)

0x02 Log Analysis Techniques

A. Common shell commands

Common Shell commands in Linux include find, grep, egrep, awk, sed

Tips:

1. grep: showing context around a match

grep -C 5 foo file    # show 5 lines before and after each match of foo
grep -B 5 foo file    # show the 5 lines before each match
grep -A 5 foo file    # show the 5 lines after each match
grep -V               # print the grep version

The option letters are case-sensitive: lowercase -c counts matching lines and -a treats binary files as text, so they do not give context.

2. grep: finding all files that contain a string

grep -rn "hello,world!" .    # -r search recursively through subdirectories, -n print line numbers; add -i to ignore case

3. Displaying a range of lines of a file

cat input_file | tail -n +1000 | head -n 2000    # start at line 1000 and print 2000 lines, i.e. lines 1000 to 2999

4. find /etc -name init

# find a file named init under the /etc directory

5. Displaying only the account names in /etc/passwd

cat /etc/passwd | awk -F ':' '{print $1}'

# -F sets the field separator to ':'; each record is split on it, $0 is the whole record, $1 the first field and $n the nth field

6. sed -i '153,$d' .bash_history

# deletes line 153 through the end of the file, keeping only the first 152 history entries. Bash rewrites or appends to the file when it exits, so edit it from a shell other than the one whose history is being trimmed. From the defender's side, a .bash_history that stops abruptly or is much shorter than the user's login history is itself a sign of tampering.

B. Log analysis skills

1. /var/log/secure

1) How many IP addresses are brute-forcing the root account:

grep "Failed password for root" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more

(Field 11 is the source IP in a line of the form "... sshd[PID]: Failed password for root from IP port N ssh2". For a non-existent account sshd logs "Failed password for invalid user NAME from IP ...", which shifts the IP to field 13, so a fixed column undercounts those attempts.)

Which IP addresses are brute-forcing at all (extract the IPv4 address from every failed attempt):

grep "Failed password" /var/log/secure | grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" | sort | uniq -c | sort -nr

(uniq only collapses adjacent duplicates, so the sort in front of it is required.)

Which usernames are in the attacker's dictionary:

grep "Failed password" /var/log/secure | perl -ne 'print "$1\n" if /for (.*?) from/' | sort | uniq -c | sort -nr

2) Which IP addresses logged in successfully:

grep "Accepted" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more

Date, username and IP of each successful login:

grep "Accepted" /var/log/secure | awk '{print $1,$2,$3,$9,$11}'

3) Adding a user (here kali) leaves these lines:

Jul 10 00:12:15 localhost useradd[2382]: new group: name=kali, GID=1001
Jul 10 00:12:15 localhost useradd[2382]: new user: name=kali, UID=1001, GID=1001, home=/home/kali, shell=/bin/bash
Jul 10 00:12:58 localhost passwd: pam_unix(passwd:chauthtok): password changed for kali

# grep "useradd" /var/log/secure

4) Deleting the user kali:

Jul 10 00:14:17 localhost userdel[2393]: removed group 'kali' owned by 'kali'
Jul 10 00:14:17 localhost userdel[2393]: removed shadow group 'kali' owned by 'kali'

# grep "userdel" /var/log/secure

5) Switching users with su (a session for user good opened by root):

Jul 10 00:38:13 localhost su: pam_unix(su-l:session): session opened for user good by root(uid=0)

Running a command through sudo (the invoking user, TTY, working directory, target user and command are all recorded):

sudo: good : TTY=pts/4 ; PWD=/home/good ; USER=root ; COMMAND=/sbin/shutdown -r now
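The checks in items 1 to 5 above, run end to end as an added example (this is not code from the original article). It works on a constructed sample instead of a real /var/log/secure so it runs offline; the sample lines, the hostnames, IPs and PIDs in them, and the assumed message shapes ("Failed password for [invalid user ]NAME from IP ...", "Accepted METHOD for NAME from IP ...", the useradd/userdel/su/sudo lines quoted above) are all assumptions of the example. Instead of a fixed awk column it takes the IP as the field after "from", so the "invalid user" case is counted correctly, and it adds the one question the one-liners above do not answer directly: which source IP failed repeatedly and then logged in successfully.

```shell
#!/bin/sh
# Added example, not code from the original article. It runs the
# /var/log/secure checks from items 1-5 above over a constructed sample log, so
# it works offline. Assumptions: the classic rsyslog timestamp, sshd lines of
# the form "Failed password for [invalid user ]NAME from IP port N ssh2" and
# "Accepted METHOD for NAME from IP port N ssh2", and useradd/userdel/su/sudo
# lines shaped like the ones quoted in the article.

# Constructed sample (not real data). Removed again when the script exits.
SAMPLE_SECURE=$(mktemp)
trap 'rm -f "$SAMPLE_SECURE"' EXIT
cat > "$SAMPLE_SECURE" <<'EOF'
Jul 10 00:01:01 localhost sshd[1001]: Failed password for root from 192.0.2.10 port 40000 ssh2
Jul 10 00:01:02 localhost sshd[1002]: Failed password for root from 192.0.2.10 port 40001 ssh2
Jul 10 00:01:03 localhost sshd[1003]: Failed password for invalid user admin from 198.51.100.7 port 50000 ssh2
Jul 10 00:01:04 localhost sshd[1004]: Failed password for root from 198.51.100.7 port 50001 ssh2
Jul 10 00:01:05 localhost sshd[1005]: Failed password for root from 192.0.2.10 port 40002 ssh2
Jul 10 00:01:06 localhost sshd[1006]: Accepted password for good from 203.0.113.5 port 51000 ssh2
Jul 10 00:01:07 localhost sshd[1007]: Accepted publickey for root from 192.0.2.10 port 40003 ssh2
Jul 10 00:12:15 localhost useradd[2382]: new group: name=kali, GID=1001
Jul 10 00:12:15 localhost useradd[2382]: new user: name=kali, UID=1001, GID=1001, home=/home/kali, shell=/bin/bash
Jul 10 00:14:17 localhost userdel[2393]: delete user 'kali'
Jul 10 00:38:13 localhost su: pam_unix(su-l:session): session opened for user good by root(uid=0)
Jul 10 00:40:02 localhost sudo: good : TTY=pts/4 ; PWD=/home/good ; USER=root ; COMMAND=/sbin/shutdown -r now
EOF

# Failed logins per source IP. The IP is taken as the field after "from"
# rather than fixed column $11: "invalid user NAME" shifts it to $13 and a
# fixed column silently drops those attempts.
failed_by_ip() {
  awk '/sshd\[[0-9]+\]: Failed password for/ {
         for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
       }' "$1" | sort | uniq -c | sort -nr | awk '{print $1, $2}'
}

# Usernames the attacker tried, with "invalid user NAME" unwrapped to NAME.
failed_users() {
  awk '/sshd\[[0-9]+\]: Failed password for/ {
         for (i = 1; i <= NF; i++) if ($i == "for") {
           if ($(i + 1) == "invalid" && $(i + 2) == "user") print $(i + 3); else print $(i + 1)
           break
         }
       }' "$1" | sort | uniq -c | sort -nr | awk '{print $1, $2}'
}

# Successful logins: timestamp, auth method, user, source IP.
accepted_logins() {
  awk '/sshd\[[0-9]+\]: Accepted / {
         for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
         print $1, $2, $3, $7, $9, ip
       }' "$1"
}

# Source IPs with at least MIN (default 2) failed attempts that also have a
# successful login: the first hosts to look at during an incident.
brute_then_success() {
  awk -v min="${2:-2}" '
    /sshd\[[0-9]+\]: Failed password for/ { for (i = 1; i <= NF; i++) if ($i == "from") failed[$(i + 1)]++ }
    /sshd\[[0-9]+\]: Accepted /           { for (i = 1; i <= NF; i++) if ($i == "from") ok[$(i + 1)] = 1 }
    END { for (ip in ok) if (failed[ip] >= min) print ip }
  ' "$1" | sort
}

# Timeline of account and privilege changes (items 3-5): new users, deleted
# users, su sessions and sudo commands, normalised to "timestamp event details".
account_events() {
  awk '
    /useradd\[[0-9]+\]: new user:/ {
      match($0, /name=[^,]+/); print $1, $2, $3, "useradd", substr($0, RSTART + 5, RLENGTH - 5); next }
    /userdel\[[0-9]+\]:/ {
      t = $1 " " $2 " " $3; sub(/^.*userdel\[[0-9]+\]: /, ""); print t, "userdel", $0; next }
    / su: .*session opened for user / {
      match($0, /for user [^ ]+/); tgt = substr($0, RSTART + 9, RLENGTH - 9)
      match($0, /by [^(]+/);       act = substr($0, RSTART + 3, RLENGTH - 3)
      print $1, $2, $3, "su", act, "->", tgt; next }
    / sudo: / && /COMMAND=/ {
      t = $1 " " $2 " " $3; who = $6; sub(/^.*USER=/, ""); split($0, p, / ; COMMAND=/)
      print t, "sudo", who, "as", p[1], "ran", p[2] }
  ' "$1"
}

echo "== failed logins per source IP ==";   failed_by_ip "$SAMPLE_SECURE"
echo "== usernames tried ==";               failed_users "$SAMPLE_SECURE"
echo "== successful logins ==";             accepted_logins "$SAMPLE_SECURE"
echo "== brute-forced, then succeeded ==";  brute_then_success "$SAMPLE_SECURE"
echo "== account / privilege timeline ==";  account_events "$SAMPLE_SECURE"
```

To use it on a real host, pass /var/log/secure (or /var/log/auth.log on Debian-based systems) as the first argument of each function instead of the sample file; the functions only read the file, so they are safe to run on a live system or on a copy collected from a compromised one.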

2. /var/log/yum.log

Software installation, upgrade, and uninstallation logs:

[root@bogon ~]# yum install gcc
[root@bogon ~]# more /var/log/yum.log
Jul 10 00:18:23 Updated: x86_64
Jul 10 00:18:24 Updated: libgcc-4.8.5-28.el7_5.1.x86_64
Jul 10 00:18:24 Updated: libgomp-4.8.5-28.el7_5.1.x86_64
Jul 10 00:18:28 Updated: gcc-4.8.5-28.el7_5.1.x86_64
Jul 10 00:18:28 Updated: libgcc-4.8.5-28.el7_5.1.i686

Each line records only the action (Installed, Updated, Erased) and the package NEVRA, with no year in the timestamp, so correlate it with rpm -qa --last when an exact install time matters. On dnf-based systems (RHEL/CentOS 8 and later, Fedora) the same record lives in /var/log/dnf.rpm.log instead.