System Logs in Linux

14 02 2010

In order to view any changes, especially any system intruder’s track, system logs can play a crucial part. syslogd uses /etc/syslog.conf to keep tracks of all system logs. Some machines might disable syslogd, but run syslog-ng or rsyslog instead.

Inside /var/log, there are some system logs that worth mentioning:
1. /var/log/secure contains successful and failed records for both users and applications
less /var/log/secure
Feb 14 15:16:46 centos sshd[6097]: Accepted password for ambient from port 2236 ssh2
Feb 14 15:16:47 centos sshd[6097]: pam_unix(sshd:session): session opened for user ambient by (uid=0)
Feb 14 15:16:57 centos su: pam_unix(su:session): session opened for user root by ambient(uid=500)
Feb 14 15:56:39 centos sshd[6218]: Accepted password for ambient from port 2770 ssh2
Feb 14 15:56:40 centos sshd[6218]: pam_unix(sshd:session): session opened for user ambient by (uid=0)
Feb 14 15:57:50 centos su: pam_unix(su:session): session opened for user root by ambient(uid=500)

2./var/log/messages : general system logs can be seen here
3.application logs: You need discuss README for specific log files for each application.

Important user access log files

Investigators and computer forensic analyst always detect anomalous activities by analysing these files. However, hackers need to cover their tracks in these files.
1. utmp : It is a binary file in /var/run or /var/adm containing current user session information. who command reveals its details.
[root@centos ambient]# who
ambient pts/1 2010-02-14 15:16 (
ambient pts/2 2010-02-14 15:56 (

2. wtmp : a binary file contains login and logout information, its path is /var/log or /var/adm.
[root@centos ambient]# last
ambient pts/2 Sun Feb 14 15:56 still logged in
ambient pts/1 Sun Feb 14 15:16 still logged in
ambient pts/1 Sat Feb 6 21:58 - 22:13 (00:14)
ambient pts/1 Sat Feb 6 16:07 - 17:52 (01:45)
reboot system boot 2.6.18-164.el5PA Sat Feb 6 16:02 (7+23:57)

3.lastlog : /var/log/lastlog contains time and location of each user logging in to the system.
[root@centos ambient]# lastlog
Username Port From Latest
root **Never logged in**
bin **Never logged in**
ambient pts/2 Sun Feb 14 15:56:40 +0700 2010
user1 **Never logged in**

Centralised Syslog Daemon

6 02 2010

Network traffic logs mostly prevail throughout the whole network, some of which are recorded as eventlogs individually. Important traffic logs can be viewed on network devices. To centralise computer traffic logs makes administrators’tasks a lot easier.

I implemented this system on CentOS5 with rsyslog and phplogcon. You can choose Syslog-ng for an alternative.


1. Make sure you install all of these
yum install rsyslog rsyslog-mysql
yum install mysql-server
yum install httpd php php-mysql php-gd

2. Start mysql service
/etc/init.d/mysqld start
3. Create rsyslog database
mysql < /usr/share/doc/rsyslog-mysql-2.0.6/createDB.sql
4. Add a user for rsyslog. Execute these commands to mysql.
CREATE USER 'syslog'@'localhost' IDENTIFIED BY 'p$ss4w*rd';
GRANT ALL on Syslog.* TO 'syslog'@'localhost'

*** You should change root password after installing mySQL. See this for more details.
5. Edit /etc/rsyslog.conf by adding these below on the top of this file.
$ModLoad ommysql
*.*     : ommysql:,Syslog,syslog,p$ss4w*rd

***Please consider loopback IP carefully because I have this error message “Can’t connect to [local] MySQL server” while using localhost rather that loopback IP. The reason is rsyslog uses TCP/IP to connect to mySQL, but my localhost utilises Unix socket file. To see a different, run this command
mysqladmin version
mysqladmin -h version

More details…
6. Create a static link file.
ln -s /usr/lib/rsyslog/ /usr/lib/rsyslog/ommysql
7. Edit /etc/sysconfig/rsyslog by adding “-r” option.
8. Stop syslog and start rsyslog.
/etc/init.d/syslog stop
/etc/init.d/rsyslog start

9. If you are successful, /var/log/messages will not complain any error message.

Deploy phplogcon

1. Get phplogcon or
2. Unpack it and copy those in src directory to /var/www/html/rsyslog
mkdir /var/www/html/rsyslog
gunzip phplogcon-2.6.4.tar.gz
tar -xvf phplogcon-2.6.4.tar
cp -r phplogcon-2.6.4/src/* /var/www/html/rsyslog

3. Generate configuration file
cd /var/www/html/rsyslog
touch config.php
chown apache config.php

4. Open a web browser, go to http://localhost/rsyslog. It will escort you to the configuration process. Make sure you select source type to mySQL Native. A comprehensive guide is provided here.