System Logs in Linux

14 02 2010

System logs play a crucial part in seeing what has changed on a machine, and especially in finding an intruder's tracks. syslogd uses /etc/syslog.conf to control how all system logs are recorded. Some machines disable syslogd and run syslog-ng or rsyslog instead.

Inside /var/log there are several system logs worth mentioning:
1. /var/log/secure contains successful and failed authentication records for both users and applications. It can be read with less:
less /var/log/secure
Feb 14 15:16:46 centos sshd[6097]: Accepted password for ambient from 192.168.200.15 port 2236 ssh2
Feb 14 15:16:47 centos sshd[6097]: pam_unix(sshd:session): session opened for user ambient by (uid=0)
Feb 14 15:16:57 centos su: pam_unix(su:session): session opened for user root by ambient(uid=500)
Feb 14 15:56:39 centos sshd[6218]: Accepted password for ambient from 192.168.200.15 port 2770 ssh2
Feb 14 15:56:40 centos sshd[6218]: pam_unix(sshd:session): session opened for user ambient by (uid=0)
Feb 14 15:57:50 centos su: pam_unix(su:session): session opened for user root by ambient(uid=500)

2. /var/log/messages: general system messages are logged here.
3. Application logs: consult each application's README for the location of its specific log files.
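The /var/log/secure listing above is where a remote login followed by an su to root shows up, and correlating the two events is the kind of check an analyst runs over this file. The following is an added example and not part of the original post; it embeds the six sample lines from the listing (the year is assumed to be 2010, since syslog timestamps carry none) and flags each su-to-root that follows an accepted SSH login by the same user within a time window.

```python
import re
from datetime import datetime

# Sample lines copied from the /var/log/secure listing above (constructed input
# for this example; a real run would read the file instead).
SAMPLE_SECURE = """\
Feb 14 15:16:46 centos sshd[6097]: Accepted password for ambient from 192.168.200.15 port 2236 ssh2
Feb 14 15:16:47 centos sshd[6097]: pam_unix(sshd:session): session opened for user ambient by (uid=0)
Feb 14 15:16:57 centos su: pam_unix(su:session): session opened for user root by ambient(uid=500)
Feb 14 15:56:39 centos sshd[6218]: Accepted password for ambient from 192.168.200.15 port 2770 ssh2
Feb 14 15:56:40 centos sshd[6218]: pam_unix(sshd:session): session opened for user ambient by (uid=0)
Feb 14 15:57:50 centos su: pam_unix(su:session): session opened for user root by ambient(uid=500)
"""

# Classic syslog timestamp: "Mon DD HH:MM:SS" (day may be space-padded, e.g. "Feb  6").
SYSLOG_TS = r"(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)"
ACCEPTED = re.compile(SYSLOG_TS + r" \S+ sshd\[\d+\]: Accepted (?P<method>\w+) "
                      r"for (?P<user>\S+) from (?P<ip>\S+) port \d+")
SU_ROOT = re.compile(SYSLOG_TS + r" \S+ su: pam_unix\(su:session\): session opened "
                     r"for user root by (?P<user>\w+)\(uid=\d+\)")


def parse_ts(ts, year):
    """Attach the assumed year, since the syslog format omits it."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_remote_root_escalations(log_text, year=2010, window_s=600):
    """Return (time, user, source_ip) for every su-to-root that follows an
    accepted SSH login by the same user within window_s seconds."""
    last_login = {}  # user -> (login time, source IP) of the latest accepted SSH login
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED.match(line)
        if m:
            last_login[m["user"]] = (parse_ts(m["ts"], year), m["ip"])
            continue
        m = SU_ROOT.match(line)
        if m and m["user"] in last_login:
            t = parse_ts(m["ts"], year)
            login_t, ip = last_login[m["user"]]
            if 0 <= (t - login_t).total_seconds() <= window_s:
                hits.append((t, m["user"], ip))
    return hits


if __name__ == "__main__":
    for t, user, ip in find_remote_root_escalations(SAMPLE_SECURE):
        print(f"{t:%b %d %H:%M:%S}: {user} became root shortly after logging in from {ip}")
```

Neither line is suspicious on its own; it is the sequence, tied to the remote address, that is worth reviewing, and on a real host the same logic runs over the whole file rather than the embedded sample.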

Important user access log files

Investigators and computer forensic analysts detect anomalous activity by analysing these files, which is why intruders try to cover their tracks in them.
1. utmp: a binary file in /var/run or /var/adm that holds information about current user sessions. The who command reads it and displays its contents:
[root@centos ambient]# who
ambient pts/1 2010-02-14 15:16 (192.168.200.15)
ambient pts/2 2010-02-14 15:56 (192.168.200.15)

2. wtmp: a binary file in /var/log or /var/adm that records logins and logouts. The last command reads it:
[root@centos ambient]# last
ambient pts/2 192.168.200.15 Sun Feb 14 15:56 still logged in
ambient pts/1 192.168.200.15 Sun Feb 14 15:16 still logged in
ambient pts/1 192.168.200.15 Sat Feb 6 21:58 - 22:13 (00:14)
ambient pts/1 192.168.200.15 Sat Feb 6 16:07 - 17:52 (01:45)
reboot system boot 2.6.18-164.el5PA Sat Feb 6 16:02 (7+23:57)

3. lastlog: /var/log/lastlog records the time and origin of each user's latest login. The lastlog command displays it:
[root@centos ambient]# lastlog
Username Port From Latest
root **Never logged in**
bin **Never logged in**
ambient pts/2 192.168.200.15 Sun Feb 14 15:56:40 +0700 2010
user1 **Never logged in**

