Linux log types
1. secure log
- Log file location: /var/log/secure
- Records user login authentication for telnet and ssh connections
[root@cafe24 ~]# cat /var/log/secure
Jan 27 07:08:38 localhost sshd[23584]: input_userauth_request: invalid user nagios
Jan 27 07:08:38 localhost sshd[23581]: pam_unix(sshd:auth): check pass; user unknown
Jan 27 07:08:38 localhost sshd[23581]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=69.162.121.226
Jan 27 07:08:38 localhost sshd[23581]: pam_succeed_if(sshd:auth): error retrieving information about user nagios
Jan 27 07:08:41 localhost sshd[23581]: Failed password for invalid user nagios from 69.162.121.226 port 60840 ssh2
Jan 27 07:08:41 localhost sshd[23584]: Received disconnect from 69.162.121.226: 11: Bye Bye
Jan 27 07:08:42 localhost sshd[23585]: Invalid user nagios from 69.162.121.226
Jan 27 07:08:42 localhost sshd[23585]: reverse mapping checking getaddrinfo for 226-121-162-69.reverse.lstn.net failed - POSSIBLE BREAK-IN ATTEMPT!
[root@cafe24 ~]#
2. dmesg log
- Log file location: /var/log/dmesg
- Log written by the system at boot time.
[root@cafe24 ~]# dmesg
Bootdata ok (command line is ro root=LABEL=/ console=xvc0 graphical utf8)
Linux version 2.6.18-238.19.1.el5xen (mockbuild@builder10.centos.org) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-50)) #1 SMP Fri Jul 15 08:16:59 EDT 2011
BIOS-provided physical RAM map:
 Xen: 0000000000000000 - 0000000080000000 (usable)
On node 0 totalpages: 524288
  DMA zone: 524288 pages, LIFO batch:31
No mptable found.
Built 1 zonelists.  Total pages: 524288
Kernel command line: ro root=LABEL=/ console=xvc0 graphical utf8
Initializing CPU#0
PID hash table entries: 4096 (order: 12, 32768 bytes)
Xen reported: 2400.084 MHz processor.
Console: colour dummy device 80x25
Dentry cache hash table entries: 262144 (order: 9, 2097152 bytes)
Inode-cache hash table entries: 131072 (order: 8, 1048576 bytes)
Software IO TLB disabled
Memory: 2044028k/2097152k available (2530k kernel code, 52440k reserved, 1736k data, 196k init)
Calibrating delay using timer specific routine.. 6001.99 BogoMIPS (lpj=12003997)
Security Framework v1.0.0 initialized
SELinux:  Initializing.
SELinux:  Starting in permissive mode
selinux_register_security:  Registering secondary module capability
Capability LSM initialized as secondary
Mount-cache hash table entries: 256
CPU: L1 I cache: 32K, L1 D cache: 32K
3. message log
- Log file location: /var/log/message
- Records the overall syslog-driven log of logins, configuration changes and device information.
[root@cafe24 ~]# cat /var/log/message
Jan 27 04:02:02 localhost syslogd 1.4.1: restart.
Jan 27 04:02:04 localhost fail2ban.filter : INFO Log rotation detected for /var/log/secure
Jan 27 04:06:13 localhost fail2ban.actions: WARNING [ssh-iptables] Unban 69.162.121.226
Jan 27 05:06:54 localhost fail2ban.filter : INFO Log rotation detected for /var/log/secure
Jan 27 05:13:15 localhost dhclient: DHCPREQUEST on eth1 to 10.100.0.3 port 67
Jan 27 05:13:15 localhost dhclient: DHCPACK from 10.100.0.3
Jan 27 05:13:15 localhost dhclient: bound to 10.100.0.101 -- renewal in 41178 seconds.
Jan 27 05:30:01 localhost fail2ban.actions: WARNING [ssh-iptables] Ban 69.162.121.226
Jan 27 05:40:01 localhost fail2ban.actions: WARNING [ssh-iptables] Unban 69.162.121.226
Jan 27 07:08:47 localhost fail2ban.actions: WARNING [ssh-iptables] Ban 69.162.121.226
Jan 27 07:18:48 localhost fail2ban.actions: WARNING [ssh-iptables] Unban 69.162.121.226
Jan 27 08:37:13 localhost fail2ban.actions: WARNING [ssh-iptables] Ban 69.162.121.226
Jan 27 08:47:13 localhost fail2ban.actions: WARNING [ssh-iptables] Unban 69.162.121.226
Jan 27 10:15:59 localhost fail2ban.actions: WARNING [ssh-iptables] Ban 69.162.121.226
Jan 27 10:26:00 localhost fail2ban.actions: WARNING [ssh-iptables] Unban 69.162.121.226
Jan 27 11:53:35 localhost fail2ban.actions: WARNING [ssh-iptables] Ban 69.162.121.226
Jan 27 12:00:41 localhost dhclient: DHCPREQUEST on eth0 to x.x.x.x port 67
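The secure log (section 1) and the message log (section 3) tell two halves of the same story: sshd records each failed password, and fail2ban records when it banned the source. The following script is an added example, not code from the original post: it counts "Failed password" lines per source address, reads the fail2ban Ban/Unban lines, and reports sources that crossed a failure threshold together with whether they were ever banned. Sample lines are constructed from the entries shown above; the year is passed in explicitly because syslog timestamps do not carry one, and the regular expressions assume the classic OpenSSH and fail2ban message wording visible on this page.

```python
"""Added example (not from the original post): correlate sshd password failures
in /var/log/secure with fail2ban Ban/Unban events in the messages log."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of /var/log/secure.
SECURE_SAMPLE = """\
Jan 27 07:08:38 localhost sshd[23584]: input_userauth_request: invalid user nagios
Jan 27 07:08:41 localhost sshd[23581]: Failed password for invalid user nagios from 69.162.121.226 port 60840 ssh2
Jan 27 07:08:42 localhost sshd[23585]: Invalid user nagios from 69.162.121.226
Jan 27 07:09:03 localhost sshd[23590]: Failed password for root from 69.162.121.226 port 60855 ssh2
Jan 27 07:09:10 localhost sshd[23592]: Failed password for root from 10.0.0.7 port 51001 ssh2
Jan 27 07:09:20 localhost sshd[23595]: Accepted password for root from 10.0.0.7 port 51002 ssh2
"""

# Constructed sample of fail2ban lines in the format of the messages log.
MESSAGES_SAMPLE = """\
Jan 27 05:30:01 localhost fail2ban.actions: WARNING [ssh-iptables] Ban 69.162.121.226
Jan 27 05:40:01 localhost fail2ban.actions: WARNING [ssh-iptables] Unban 69.162.121.226
Jan 27 07:08:47 localhost fail2ban.actions: WARNING [ssh-iptables] Ban 69.162.121.226
Jan 27 07:18:48 localhost fail2ban.actions: WARNING [ssh-iptables] Unban 69.162.121.226
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
BAN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ fail2ban\.actions: WARNING "
    r"\[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban) (?P<ip>[\d.]+)"
)


def parse_syslog_ts(ts, year):
    """Syslog timestamps have no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def failed_logins(secure_text, year=2013):
    """{ip: [(time, user, is_invalid_user), ...]} for every failed password."""
    out = defaultdict(list)
    for line in secure_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            out[m["ip"]].append(
                (parse_syslog_ts(m["ts"], year), m["user"], m["invalid"] is not None))
    return dict(out)


def ban_events(messages_text, year=2013):
    """[(time, jail, action, ip), ...] from fail2ban action lines."""
    events = []
    for line in messages_text.splitlines():
        m = BAN_RE.match(line)
        if m:
            events.append((parse_syslog_ts(m["ts"], year), m["jail"], m["action"], m["ip"]))
    return events


def suspicious_sources(secure_text, messages_text, threshold=2, year=2013):
    """Sources with at least `threshold` failures and whether fail2ban banned them.
    A source with many failures and no Ban line is the gap a defender wants to see."""
    fails = failed_logins(secure_text, year)
    banned = {ip for _, _, action, ip in ban_events(messages_text, year) if action == "Ban"}
    report = {}
    for ip, attempts in fails.items():
        if len(attempts) >= threshold:
            report[ip] = {"failures": len(attempts),
                          "users": sorted({u for _, u, _ in attempts}),
                          "banned": ip in banned}
    return report


if __name__ == "__main__":
    for ip, info in suspicious_sources(SECURE_SAMPLE, MESSAGES_SAMPLE).items():
        print(ip, info)
```

On a real host, replace the two sample strings with the contents of /var/log/secure and the messages log; the year should be taken from the file's rotation date, since a log spanning New Year would otherwise sort wrongly.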
4. utmp log
- Log file location: /var/run/utmp
- Stores the state of each user currently logged in to the system; it is a binary file.
- Its contents can be viewed with commands such as w, who, users and finger.
[root@cafe24 log]# w
 10:10:01 up 5 days, 13:45,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    1.x.x.x           09:58    0.00s  0.01s  0.00s w
[root@cafe24 log]# users
root
[root@cafe24 log]# who
root     pts/0        2013-01-29 09:58 (1.x.x.x)
[root@cafe24 log]# finger
Login     Name       Tty      Idle  Login Time   Office     Office Phone
root      root       pts/0          Jan 29 09:58 (1.x.x.x)
[root@cafe24 log]#
5. wtmp log
- Log file location: /var/log/wtmp
- Holds information about logins, logouts and system reboots.
- It is a binary file; its contents can be checked with the last command.
[root@cafe24 log]# last
root     pts/0        1.x.x.x          Tue Jan 29 09:58   still logged in
root     pts/0        1.x.x.x          Thu Jan 24 09:10 - 15:55  (06:45)
reboot   system boot  2.6.18-238.19.1. Wed Jan 23 20:25          (5+13:47)
root     pts/0        1.x.x.x          Wed Jan 23 20:23 - down   (00:00)
reboot   system boot  2.6.18-238.19.1. Wed Jan 23 20:22          (00:01)
root     pts/0        1.x.x.x          Wed Jan 23 19:23 - down   (00:57)
root     pts/1        1.x.x.x          Tue Jan 22 13:34 - 13:34  (00:00)
root     pts/0        1.x.x.x          Tue Jan 22 09:20 - 19:05  (1+09:45)
root     pts/1        1.x.x.x          Mon Jan 21 13:39 - 16:00  (02:20)
root     pts/1        1.x.x.x          Fri Jan 18 17:01 - 11:33  (2+18:31)
root     pts/0        1.x.x.x          Fri Jan 18 10:23 - 19:41  (3+09:17)
login_te pts/1        1.x.x.x          Thu Jan 17 13:27 - 13:28  (00:00)
kky      pts/1        1.x.x.x          Thu Jan 17 13:27 - 13:27  (00:00)
root     pts/0        1.x.x.x          Thu Jan 17 12:51 - 17:41  (04:50)
root     pts/0        1.x.x.x          Wed Jan 16 15:26 - 12:51  (21:24)
root     pts/1        1.x.x.x          Wed Jan 16 10:14 - 10:18  (00:04)
root     pts/0        1.x.x.x          Tue Jan 15 18:11 - 10:18  (16:07)
root     pts/0        1.x.x.x          Tue Jan 15 18:07 - 18:08  (00:00)
root     pts/0        1.x.x.x          Mon Jan 14 15:42 - 18:00  (1+02:18)
root     pts/0        1.x.x.x          Mon Jan 14 10:58 - 14:04  (03:06)
root     pts/0        1.x.x.x          Fri Jan 11 17:56 - 09:43  (2+15:46)
reboot   system boot  2.6.18-238.19.1. Fri Jan 11 17:50          (12+02:31)
root     xvc0                          Tue Sep  6 12:04 - down   (00:56)
reboot   system boot  2.6.18-238.19.1. Tue Sep  6 11:27          (01:33)
root     xvc0                          Tue Sep  6 09:05 - crash  (02:21)
root     xvc0                          Fri Sep  2 19:05 - 09:05  (3+14:00)
reboot   system boot  2.6.18-238.19.1. Fri Sep  2 19:03          (3+17:56)
root     xvc0                          Fri Sep  2 18:07 - down   (00:51)
reboot   system boot  2.6.18-238.el5xe Fri Sep  2 18:03          (00:54)

wtmp begins Fri Sep  2 18:03:58 2011
[root@cafe24 log]# last reboot
reboot   system boot  2.6.18-238.19.1. Wed Jan 23 20:25          (5+13:47)
reboot   system boot  2.6.18-238.19.1. Wed Jan 23 20:22          (00:01)
reboot   system boot  2.6.18-238.19.1. Fri Jan 11 17:50          (12+02:31)
reboot   system boot  2.6.18-238.19.1. Tue Sep  6 11:27          (01:33)
reboot   system boot  2.6.18-238.19.1. Fri Sep  2 19:03          (3+17:56)
reboot   system boot  2.6.18-238.el5xe Fri Sep  2 18:03          (00:54)

wtmp begins Fri Sep  2 18:03:58 2011
[root@cafe24 log]#
6. lastlog
- Log file location: /var/log/lastlog
- The most recent login of each account. It is a binary file and can be checked with the lastlog command.
[root@cafe24 log]# lastlog
Username         Port     From             Latest
root             pts/0    1.x.x.x          Tue Jan 29 09:58:43 +0900 2013
bin                                        **Never logged in**
daemon                                     **Never logged in**
adm                                        **Never logged in**
lp                                         **Never logged in**
sync                                       **Never logged in**
shutdown                                   **Never logged in**
halt                                       **Never logged in**
mail                                       **Never logged in**
news                                       **Never logged in**
uucp                                       **Never logged in**
operator                                   **Never logged in**
games                                      **Never logged in**
gopher                                     **Never logged in**
ftp                                        **Never logged in**
nobody                                     **Never logged in**
nscd                                       **Never logged in**
vcsa                                       **Never logged in**
rpc                                        **Never logged in**
apache                                     **Never logged in**
mailnull                                   **Never logged in**
smmsp                                      **Never logged in**
ntp                                        **Never logged in**
oprofile                                   **Never logged in**
pcap                                       **Never logged in**
dbus                                       **Never logged in**
avahi                                      **Never logged in**
rpcuser                                    **Never logged in**
sshd                                       **Never logged in**
haldaemon                                  **Never logged in**
avahi-autoipd                              **Never logged in**
xfs                                        **Never logged in**
sabayon                                    **Never logged in**
kky              pts/1    1.x.x.x          Thu Jan 17 13:27:23 +0900 2013
login_test       pts/1    1.x.x.x          Thu Jan 17 13:27:58 +0900 2013
gdm                                        **Never logged in**
mysql                                      **Never logged in**
[root@cafe24 log]#
7. boot.log
- Log file location: /var/log/boot.log
- Records the startup status of service daemons at boot time.
[root@cafe24 log]# cat /var/log/boot.log.4
Sep  4 19:03:48 host-78-78-78-50 NET[6932]: /sbin/dhclient-script : updated /etc/resolv.conf
Sep  4 19:03:51 host-78-78-78-50 NET[7001]: /sbin/dhclient-script : updated /etc/resolv.conf
Sep  5 19:03:52 host-78-78-78-50 NET[7608]: /sbin/dhclient-script : updated /etc/resolv.conf
Sep  5 19:03:55 host-78-78-78-50 NET[7677]: /sbin/dhclient-script : updated /etc/resolv.conf
[root@cafe24 log]#
8. cron log
- Log file location: /var/log/cron
- Records whether the jobs scheduled with cron ran normally.
[root@cafe24 log]# cat /var/log/cron
Jan 28 13:35:01 localhost crond[31103]: (root) CMD (LANG=C LC_ALL=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg --lock-file /var/lock/mrtg/mrtg_l --confcache-file /var/lib/mrtg/mrtg.ok)
Jan 28 13:40:01 localhost crond[31305]: (root) CMD (LANG=C LC_ALL=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg --lock-file /var/lock/mrtg/mrtg_l --confcache-file /var/lib/mrtg/mrtg.ok)
Jan 28 13:40:01 localhost crond[31306]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Jan 28 13:45:01 localhost crond[31494]: (root) CMD (LANG=C LC_ALL=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg --lock-file /var/lock/mrtg/mrtg_l --confcache-file /var/lib/mrtg/mrtg.ok)
Jan 28 13:50:01 localhost crond[31696]: (root) CMD (LANG=C LC_ALL=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg --lock-file /var/lock/mrtg/mrtg_l --confcache-file /var/lib/mrtg/mrtg.ok)
Jan 28 13:50:01 localhost crond[31697]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Jan 28 13:55:01 localhost crond[31885]: (root) CMD (LANG=C LC_ALL=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg --lock-file /var/lock/mrtg/mrtg_l --confcache-file /var/lib/mrtg/mrtg.ok)
9. xferlog
- Log file location: /var/log/xferlog
- Log of data transfers on the FTP server.
- Contains information such as the file transfer mode (a: ASCII file, b: binary file), the special-action flag (C: compressed, U: uncompressed, T: tar archive), the transfer direction (o: outgoing, i: incoming) and the type of user logged in (a: anonymous, g: guest, r: password-authenticated user).
[root@cafe24 ~]# cat /var/log/xferlog
Thu Sep  6 15:17:56 2012 1 112.x.x.x 0 /alsdream(2).alz b _ i r neoasone ftp 0 * i
Thu Sep  6 15:17:56 2012 1 112.x.x.x 0 /alsdream(2).alz b _ i r neoasone ftp 0 * i
Thu Sep  6 15:17:56 2012 1 112.x.x.x 0 /alsdream(2).alz b _ i r neoasone ftp 0 * i
Thu Sep  6 15:17:56 2012 1 112.x.x.x 0 /alsdream(2).alz b _ i r neoasone ftp 0 * i
Thu Sep  6 15:18:02 2012 1 112.x.x.x 0 /alsdream(2).alz b _ i r neoasone ftp 0 * i
Thu Sep  6 15:18:03 2012 1 112.x.x.x 0 /alsdream(2).alz b _ i r neoasone ftp 0 * i
Thu Sep  6 15:18:03 2012 1 112.x.x.x 0 /alsdream(2).alz b _ i r neoasone ftp 0 * i
Thu Sep  6 15:18:03 2012 1 112.x.x.x 0 /alsdream(2).alz b _ i r neoasone ftp 0 * i
Thu Sep  6 15:18:14 2012 1 112.x.x.x 0 /alsdream(2).alz b _ i r neoasone ftp 0 * i
Thu Sep  6 15:18:14 2012 1 112.x.x.x 0 /alsdream(2).alz b _ i r neoasone ftp 0 * i
Thu Sep  6 15:18:14 2012 1 112.x.x.x 0 /alsdream(2).alz b _ i r neoasone ftp 0 * i
Thu Sep  6 15:18:14 2012 1 112.x.x.x 0 /alsdream(2).alz b _ i r neoasone ftp 0 * i
Thu Sep  6 15:18:52 2012 1 112.x.x.x 0 /alsdream.alz b _ i r neoasone ftp 0 * i
Thu Sep  6 15:18:53 2012 1 112.x.x.x 0 /alsdream.alz b _ i r neoasone ftp 0 * i
Thu Sep  6 15:18:53 2012 1 112.x.x.x 0 /alsdream.alz b _ i r neoasone ftp 0 * i
Thu Sep  6 15:18:53 2012 1 112.x.x.x 0 /alsdream.alz b _ i r neoasone ftp 0 * i
Thu Sep  6 15:50:06 2012 1819 112.x.x.x 5622638634 /alsdream.alz b _ i r test ftp 0 * c
Thu Sep  6 16:39:50 2012 925 112.x.x.x 5622638634 /alsdream.alz b _ o r test ftp 0 * c
Tue Dec  4 10:12:30 2012 1 123.x.x.x 204 /IntelGFXCoin.log b _ i r jiji ftp 0 * c
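The field letters listed above are easy to misread by eye in a long xferlog, so the following parser is added here as an example (it is not code from the original post). It decodes every field of the xferlog(5) line format (date, transfer seconds, remote host, size, file name, transfer type, special-action flag, direction, access mode, user, service, authentication method, authenticated user id, completion status) and then summarises bytes moved per user and direction and lists uploads that never completed. The sample lines are constructed from the entries shown above plus one extra line with a space in the file name; the field mappings follow the standard xferlog format, which also defines d (deleted) as a direction beyond the o/i pair the text mentions.

```python
"""Added example (not from the original post): parse xferlog lines into named
fields and summarise transfers. Sample data is constructed."""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in xferlog(5) format; last line added to show a file name
# containing a space.
XFERLOG_SAMPLE = """\
Thu Sep  6 15:17:56 2012 1 112.x.x.x 0 /alsdream(2).alz b _ i r neoasone ftp 0 * i
Thu Sep  6 15:18:52 2012 1 112.x.x.x 0 /alsdream.alz b _ i r neoasone ftp 0 * i
Thu Sep  6 15:50:06 2012 1819 112.x.x.x 5622638634 /alsdream.alz b _ i r test ftp 0 * c
Thu Sep  6 16:39:50 2012 925 112.x.x.x 5622638634 /alsdream.alz b _ o r test ftp 0 * c
Tue Dec  4 10:12:30 2012 1 123.x.x.x 204 /IntelGFXCoin.log b _ i r jiji ftp 0 * c
Tue Dec  4 10:13:05 2012 2 123.x.x.x 1024 /My Report.log a _ i r jiji ftp 0 * c
"""

TRANSFER_TYPE = {"a": "ascii", "b": "binary"}
SPECIAL_ACTION = {"C": "compressed", "U": "uncompressed", "T": "tar archive", "_": "none"}
DIRECTION = {"o": "outgoing", "i": "incoming", "d": "deleted"}
ACCESS_MODE = {"a": "anonymous", "g": "guest", "r": "real"}
COMPLETION = {"c": "complete", "i": "incomplete"}


@dataclass
class Transfer:
    time: datetime
    seconds: int
    host: str
    size: int
    path: str
    transfer_type: str
    special_action: str
    direction: str
    access_mode: str
    user: str
    service: str
    auth_method: str
    auth_user: str
    status: str


def parse_xferlog_line(line):
    """The first eight whitespace-separated tokens are fixed fields; the file
    name may contain spaces, so the last nine fields are split from the right."""
    head = line.split(None, 8)
    if len(head) < 9:
        raise ValueError(f"short xferlog line: {line!r}")
    tail = head[8].rsplit(None, 9)
    if len(tail) != 10:
        raise ValueError(f"malformed xferlog line: {line!r}")
    when = datetime.strptime(" ".join(head[0:5]), "%a %b %d %H:%M:%S %Y")
    return Transfer(
        time=when, seconds=int(head[5]), host=head[6], size=int(head[7]),
        path=tail[0],
        transfer_type=TRANSFER_TYPE.get(tail[1], tail[1]),
        special_action=SPECIAL_ACTION.get(tail[2], tail[2]),
        direction=DIRECTION.get(tail[3], tail[3]),
        access_mode=ACCESS_MODE.get(tail[4], tail[4]),
        user=tail[5], service=tail[6], auth_method=tail[7], auth_user=tail[8],
        status=COMPLETION.get(tail[9], tail[9]),
    )


def parse_xferlog(text):
    return [parse_xferlog_line(l) for l in text.splitlines() if l.strip()]


def bytes_by_user_direction(transfers):
    """{(user, direction): bytes}, counting completed transfers only."""
    totals = {}
    for t in transfers:
        if t.status == "complete":
            key = (t.user, t.direction)
            totals[key] = totals.get(key, 0) + t.size
    return totals


def incomplete_uploads(transfers):
    """Incoming transfers that never completed (aborted clients or retries)."""
    return [t for t in transfers if t.direction == "incoming" and t.status == "incomplete"]


if __name__ == "__main__":
    records = parse_xferlog(XFERLOG_SAMPLE)
    print(bytes_by_user_direction(records))
    for t in incomplete_uploads(records):
        print("incomplete:", t.time, t.user, t.host, t.path)
```

The right-to-left split is the part that matters in practice: a naive `split()` silently shifts every field by one for any file name containing a space, so the user and completion columns end up wrong without any error.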
10. anaconda log
- Log file location: /var/log/anaconda.log
- Records the packages installed and the steps taken during Linux installation.
[root@cafe24 log]# cat /var/log/anaconda.log
08:14:43 INFO    : 1048576 kB are available
08:14:43 INFO    : modules to insert cramfs fat vfat sunrpc lockd fscache nfs_acl nfs loop isofs floppy edd pcspkr squashfs
08:14:43 DEBUG   : getModuleLocation: 2.6.18-238.el5xen/x86_64
08:14:43 INFO    : loaded cramfs from /modules/modules.cgz
08:14:43 INFO    : loaded fat from /modules/modules.cgz
08:14:43 INFO    : loaded vfat from /modules/modules.cgz
08:14:43 INFO    : loaded sunrpc from /modules/modules.cgz
08:14:43 INFO    : loaded lockd from /modules/modules.cgz
08:14:43 INFO    : loaded fscache from /modules/modules.cgz
08:14:43 INFO    : loaded nfs_acl from /modules/modules.cgz
08:14:43 INFO    : loaded nfs from /modules/modules.cgz
08:14:43 INFO    : loaded loop from /modules/modules.cgz
08:14:43 INFO    : loaded floppy from /modules/modules.cgz
08:14:43 INFO    : loaded pcspkr from /modules/modules.cgz
08:14:43 INFO    : loaded squashfs from /modules/modules.cgz
11. su log
- Log file location: /var/log/sulog
- Records use of administrator privileges through the su command.
- Contains the date and time, success or failure (+/-), the From user and To user, and the name of the terminal used.
- If /var/log/sulog does not exist, edit /etc/syslog.conf (vi /etc/syslog.conf) and add the line authpriv.info /var/log/sulog, then run /etc/init.d/syslog reload so that syslog re-reads its configuration file.
12. history log
- Log file location: /root/.bash_history (for the root user)
- Log holding the list of commands that were entered and executed.
- Its contents can be checked with the history command.
- Tip: print time information together with each entry when running the history command
[root@cafe24 log]# history
 1028  2013-01-29 [10:17:20] cat /var/log/boot.log
 1029  2013-01-29 [10:17:42] cat /var/log/boot.log.1
 1030  2013-01-29 [10:17:44] cat /var/log/boot.log.2
 1031  2013-01-29 [10:17:45] cat /var/log/boot.log.3
 1032  2013-01-29 [10:17:46] cat /var/log/boot.log.4
 1033  2013-01-29 [10:18:24] ll
 1034  2013-01-29 [10:18:29] ll cron
 1035  2013-01-29 [10:18:32] ll cron.1
 1036  2013-01-29 [10:18:34] ll cron.2.
 1037  2013-01-29 [10:18:40] cat cron
 1038  2013-01-29 [10:19:33] crontab -l
 1039  2013-01-29 [10:23:28] ll
 1040  2013-01-29 [10:24:57] ll
 1041  2013-01-29 [10:27:21] ll
 1042  2013-01-29 [10:27:25] ll anaconda.log
 1043  2013-01-29 [10:27:28] cat anaconda.log
 1044  2013-01-29 [10:27:30] clear
 1045  2013-01-29 [10:28:18] cat /var/log/anaconda.log | more
 1046  2013-01-29 [10:31:57] cat /var/account/pacct
 1047  2013-01-29 [10:32:02] lastcomm
 1048  2013-01-29 [10:33:46] cat /root/.bash_history
 1049  2013-01-29 [10:35:01] histort
 1050  2013-01-29 [10:35:02] history
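When bash has HISTTIMEFORMAT set, it stores each command's time in the history file as a `#<epoch>` comment line immediately before the command, which is what lets the history command print the timestamps shown above. During a review you usually have only the file, not the interactive shell, so the following reader is added here as an example (not code from the original post): it pairs those timestamp lines with their commands, renders them in the same layout as the output above, and can pull out the commands run inside a time window such as one login session from wtmp. The sample history is constructed; commands that were recorded before timestamping was enabled have no `#` line and are kept with an empty time rather than dropped. The +0900 zone is assumed from the lastlog output on this page.

```python
"""Added example (not from the original post): read a bash history file with
'#<epoch>' timestamp lines and render or window it. Sample is constructed."""
from datetime import datetime, timedelta, timezone

KST = timezone(timedelta(hours=9))   # +0900, as seen in the lastlog output above

# Constructed: the first command predates timestamping; the rest carry epochs.
HISTORY_SAMPLE = """\
cat /var/log/boot.log
#1359422240
cat /var/log/boot.log.1
#1359422262
ll cron
#1359422300
histort
#1359422301
history
"""


def read_history(text, tz=KST):
    """Return [(datetime or None, command), ...]. A '#' line holding only digits
    is the timestamp of the command that follows it; any other '#' line is an
    ordinary (commented-out) command and is kept as such."""
    entries, pending = [], None
    for line in text.splitlines():
        if line.startswith("#") and line[1:].isdigit():
            pending = datetime.fromtimestamp(int(line[1:]), tz)
            continue
        entries.append((pending, line))
        pending = None
    return entries


def format_history(entries, start=1):
    """Number entries like history(1); untimed entries keep the column width."""
    out = []
    for n, (when, cmd) in enumerate(entries, start):
        stamp = when.strftime("%Y-%m-%d [%H:%M:%S]") if when else " " * 21
        out.append(f"{n:5d}  {stamp} {cmd}")
    return out


def commands_between(entries, start, end):
    """Commands run inside [start, end], e.g. one session taken from wtmp.
    Untimed entries cannot be placed in time and are excluded."""
    return [cmd for when, cmd in entries if when and start <= when <= end]


if __name__ == "__main__":
    print("\n".join(format_history(read_history(HISTORY_SAMPLE), 1028)))
```

Note that the epoch lines are plain text: anything that can write the file can edit them, so the times are a lead for correlation with wtmp and the secure log, not an independent record.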
13. loginlog, btmp
- Log file location: /var/log/btmp
- Records failed login attempts. It is a binary file and can be checked with the lastb command.
[root@cafe24 log]# lastb
hoyoung  ssh:notty    113.0.51.68      Thu Jan 17 01:08 - 01:08  (00:00)
hoyoung  ssh:notty    113.0.51.68      Thu Jan 17 01:08 - 01:08  (00:00)
howardki ssh:notty    113.0.51.68      Thu Jan 17 01:08 - 01:08  (00:00)
howardki ssh:notty    113.0.51.68      Thu Jan 17 01:08 - 01:08  (00:00)
hoshino  ssh:notty    113.0.51.68      Thu Jan 17 01:08 - 01:08  (00:00)
hoshino  ssh:notty    113.0.51.68      Thu Jan 17 01:08 - 01:08  (00:00)
hosg     ssh:notty    113.0.51.68      Thu Jan 17 01:08 - 01:08  (00:00)
hosg     ssh:notty    113.0.51.68      Thu Jan 17 01:08 - 01:08  (00:00)
horus    ssh:notty    113.0.51.68      Thu Jan 17 01:08 - 01:08  (00:00)
horus    ssh:notty    113.0.51.68      Thu Jan 17 01:08 - 01:08  (00:00)
hornbutt ssh:notty    113.0.51.68      Thu Jan 17 01:08 - 01:08  (00:00)
hornbutt ssh:notty    113.0.51.68      Thu Jan 17 01:08 - 01:08  (00:00)
horn     ssh:notty    113.0.51.68      Thu Jan 17 01:08 - 01:08  (00:00)
horn     ssh:notty    113.0.51.68      Thu Jan 17 01:08 - 01:08  (00:00)

Interrupted Thu Jan 17 01:08
[root@cafe24 log]#
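utmp (section 4), wtmp (section 5) and btmp (this section) all use the same binary record format, and the commands w, who, last and lastb are just different views of it. The decoder below is an added example, not code from the original post, for when those tools are unavailable or a copy of the file has been taken off the host for analysis: it unpacks the records, counts btmp failures per source host and lists the user names tried from one host (the pattern visible in the lastb output above), and pairs wtmp login and logout records into sessions the way last does. It assumes glibc's struct utmp layout on x86_64 (384 bytes per record, little-endian, 32-bit time fields); 32-bit and non-glibc systems lay the record out differently. It also assumes the btmp writer records each failed attempt as USER_PROCESS or LOGIN_PROCESS with the user name filled in. All sample records are constructed inside the block.

```python
"""Added example (not part of the original post): decode the binary record
format shared by /var/run/utmp, /var/log/wtmp and /var/log/btmp.
Assumed layout: glibc struct utmp on x86_64. Sample records are constructed."""
import struct
from collections import Counter
from datetime import datetime, timezone

# struct utmp (glibc, x86_64): short ut_type; 2 pad; int ut_pid; char ut_line[32];
# char ut_id[4]; char ut_user[32]; char ut_host[256]; short e_termination, e_exit;
# int ut_session; int tv_sec, tv_usec; int ut_addr_v6[4]; char __unused[20]
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
UT_TYPE = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
           5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
           8: "DEAD_PROCESS", 9: "ACCOUNTING"}


def _cstr(raw):
    """NUL-terminated fixed-width field to str."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data):
    """Return one dict per record. A size that is not a whole number of records
    means a truncated file or a different ABI, so fail loudly instead of guessing."""
    if len(data) % UTMP_SIZE:
        raise ValueError(f"{len(data)} bytes is not a multiple of {UTMP_SIZE}")
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({
            "type": UT_TYPE.get(f[0], str(f[0])), "pid": f[1], "line": _cstr(f[2]),
            "id": _cstr(f[3]), "user": _cstr(f[4]), "host": _cstr(f[5]),
            "time": datetime.fromtimestamp(f[9], timezone.utc),
        })
    return records


def make_record(ut_type, pid, line, user, host, epoch):
    """Pack one record; used here only to build the constructed sample data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, epoch, 0, 0, 0, 0, 0)


# Constructed btmp: one host cycling through user names (as in the lastb output
# above) plus a single failure from another host.
BTMP_SAMPLE = b"".join([
    make_record(7, 4101, "ssh:notty", "hoyoung", "113.0.51.68", 1358352480),
    make_record(7, 4102, "ssh:notty", "howardki", "113.0.51.68", 1358352480),
    make_record(7, 4103, "ssh:notty", "hoshino", "113.0.51.68", 1358352481),
    make_record(7, 4104, "ssh:notty", "root", "10.0.0.7", 1358352500),
])
# Constructed wtmp: a reboot, a login on pts/0 and its logout one hour later.
WTMP_SAMPLE = b"".join([
    make_record(2, 0, "~", "reboot", "2.6.18-238.19.1.", 1358400000),
    make_record(7, 5120, "pts/0", "root", "1.x.x.x", 1358400100),
    make_record(8, 5120, "pts/0", "", "", 1358403700),
])


def failed_logins_by_host(btmp_data):
    """Count btmp records per source host (assumption: failures are written as
    USER_PROCESS/LOGIN_PROCESS records carrying the attempted user name)."""
    return dict(Counter(r["host"] for r in parse_utmp(btmp_data)
                        if r["type"] in ("USER_PROCESS", "LOGIN_PROCESS") and r["user"]))


def usernames_tried(btmp_data, host):
    return sorted({r["user"] for r in parse_utmp(btmp_data) if r["host"] == host})


def sessions(wtmp_data):
    """Pair each USER_PROCESS with the next DEAD_PROCESS on the same line, as
    last(1) does; unmatched logins are returned with end=None (still logged in)."""
    open_by_line, out = {}, []
    for r in parse_utmp(wtmp_data):
        if r["type"] == "USER_PROCESS":
            open_by_line[r["line"]] = r
        elif r["type"] == "DEAD_PROCESS" and r["line"] in open_by_line:
            s = open_by_line.pop(r["line"])
            out.append((s["user"], s["line"], s["host"], s["time"], r["time"]))
    out.extend((s["user"], s["line"], s["host"], s["time"], None)
               for s in open_by_line.values())
    return out


if __name__ == "__main__":
    print(failed_logins_by_host(BTMP_SAMPLE))
    for user, line, host, start, end in sessions(WTMP_SAMPLE):
        print(user, line, host, start, "-", end or "still logged in")
```

To run it against a real file, read /var/log/btmp or /var/log/wtmp in binary mode and pass the bytes to `parse_utmp`; the size check at the top is the first thing to look at if a file from another architecture does not decode.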
Source - http://yosigi.tistory.com/category/Linux/OS%20%EA%B4%80%EB%A0%A8