logs

Review Logs Regularly
Move logs to a dedicated log server; this makes it harder for an intruder to tamper with the local copies. Below are the common Linux default log files and their usage:

/var/log/messages – Whole-system logs and current activity.
/var/log/auth.log – Authentication logs.
/var/log/kern.log – Kernel logs.
/var/log/cron.log – Crond (cron job) logs.
/var/log/maillog – Mail server logs.
/var/log/boot.log – System boot log.
/var/log/mysqld.log – MySQL database server log.
/var/log/secure – Authentication log.
/var/log/utmp or /var/log/wtmp – Login records.
/var/log/yum.log – Yum log.

[root@localhost ~]# tail /var/log/messages 
Apr 27 23:42:48 localhost NetworkManager[1969]: <info>   domain name 'localdomain'
Apr 27 23:57:07 localhost dhclient[1996]: DHCPREQUEST on eth0 to 172.16.28.254 port 67 (xid=0x4ba04357)
Apr 27 23:57:07 localhost dhclient[1996]: DHCPACK from 172.16.28.254 (xid=0x4ba04357)
Apr 27 23:57:07 localhost dhclient[1996]: bound to 172.16.28.175 -- renewal in 760 seconds.
Apr 27 23:57:07 localhost NetworkManager[1969]: <info> (eth0): DHCPv4 state changed renew -> renew
Apr 27 23:57:07 localhost NetworkManager[1969]: <info>   address 172.16.28.175
Apr 27 23:57:07 localhost NetworkManager[1969]: <info>   prefix 24 (255.255.255.0)
Apr 27 23:57:07 localhost NetworkManager[1969]: <info>   gateway 172.16.28.2
Apr 27 23:57:07 localhost NetworkManager[1969]: <info>   nameserver '172.16.28.2'
Apr 27 23:57:07 localhost NetworkManager[1969]: <info>   domain name 'localdomain'

[root@localhost ~]# tail /var/log/audit/audit.log 
type=LOGIN msg=audit(1461826801.700:174): pid=26266 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old auid=4294967295 new auid=0 old ses=4294967295 new ses=24
type=USER_START msg=audit(1461826801.701:175): user pid=26266 uid=0 auid=0 ses=24 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1461826801.725:176): user pid=26266 uid=0 auid=0 ses=24 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1461826801.725:177): user pid=26266 uid=0 auid=0 ses=24 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_ACCT msg=audit(1461826861.738:178): user pid=26275 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1461826861.738:179): user pid=26275 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1461826861.740:180): pid=26275 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old auid=4294967295 new auid=0 old ses=4294967295 new ses=25
type=USER_START msg=audit(1461826861.742:181): user pid=26275 uid=0 auid=0 ses=25 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1461826861.907:182): user pid=26275 uid=0 auid=0 ses=25 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1461826861.907:183): user pid=26275 uid=0 auid=0 ses=25 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

[root@localhost ~]# tail /var/log/cron 
Apr 27 23:40:01 localhost CROND[26140]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Apr 27 23:50:01 localhost CROND[26199]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Apr 27 23:53:01 localhost CROND[26216]: (root) CMD (/usr/lib64/sa/sa2 -A)
Apr 28 00:00:01 localhost CROND[26268]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Apr 28 00:01:01 localhost CROND[26277]: (root) CMD (run-parts /etc/cron.hourly)
Apr 28 00:01:01 localhost run-parts(/etc/cron.hourly)[26277]: starting 0anacron
Apr 28 00:01:01 localhost anacron[26289]: Anacron started on 2016-04-28
Apr 28 00:01:01 localhost run-parts(/etc/cron.hourly)[26291]: finished 0anacron
Apr 28 00:01:01 localhost anacron[26289]: Jobs will be executed sequentially
Apr 28 00:01:01 localhost anacron[26289]: Normal exit (0 jobs run)

[root@localhost ~]# tail /var/log/maillog 
Apr 27 20:50:16 localhost postfix/qmgr[2354]: AFAC24377B: removed
Apr 27 20:51:55 localhost postfix/postfix-script[3416]: stopping the Postfix mail system
Apr 27 20:51:55 localhost postfix/master[2344]: terminating on signal 15
Apr 27 20:55:05 localhost postfix/postfix-script[2330]: starting the Postfix mail system
Apr 27 20:55:05 localhost postfix/master[2331]: daemon started -- version 2.6.6, configuration /etc/postfix
Apr 27 21:09:10 localhost postfix/pickup[2343]: 9E23C43782: uid=0 from=<root>
Apr 27 21:09:10 localhost postfix/cleanup[25146]: 9E23C43782: message-id=<20160428040910.9E23C43782@localhost.localdomain>
Apr 27 21:09:10 localhost postfix/qmgr[2344]: 9E23C43782: from=<root@localhost.localdomain>, size=520, nrcpt=1 (queue active)
Apr 27 21:09:10 localhost postfix/local[25148]: 9E23C43782: to=<root@localhost.localdomain>, orig_to=<root>, relay=local, delay=0.15, delays=0.08/0.03/0/0.03, dsn=2.0.0, status=sent (delivered to mailbox)
Apr 27 21:09:10 localhost postfix/qmgr[2344]: 9E23C43782: removed

[root@localhost ~]# tail /var/log/boot.log 
Starting HAL daemon:                                       [  OK  ]
Retrigger failed udev events                               [  OK  ]
Enabling Bluetooth devices:
Starting kdump:                                            [FAILED]
Starting sshd:                                             [  OK  ]
Starting Virtual Printing daemon:                                   done
Starting postfix:                                          [  OK  ]
Starting abrt daemon:                                      [  OK  ]
Starting crond:                                            [  OK  ]
Starting atd:                                              [  OK  ]

[root@localhost ~]# tail /var/log/yum.log 
Apr 28 00:10:52 Installed: nss_compat_ossl-0.9.6-2.el6_7.x86_64
Apr 28 00:10:57 Installed: elinks-0.12-0.21.pre5.el6_3.x86_64

[root@localhost ~]# tail /var/log/anaconda.log 
07:05:05,918 DEBUG   : writeksconfig is a direct step
07:05:05,918 INFO    : Writing autokickstart file
07:05:06,065 INFO    : leaving (1) step writeksconfig
07:05:06,065 INFO    : moving (1) to step setfilecon
07:05:06,065 DEBUG   : setfilecon is a direct step
07:05:06,065 INFO    : setting SELinux contexts for anaconda created files
07:05:17,873 INFO    : leaving (1) step setfilecon
07:05:17,873 INFO    : moving (1) to step copylogs
07:05:17,873 DEBUG   : copylogs is a direct step
07:05:17,874 INFO    : Copying anaconda logs

[root@localhost ~]# tail /var/log/anaconda.ifcfg.log 
DEVICE="eth0"
BOOTPROTO="dhcp"
HWADDR="00:0C:29:FD:20:1A"
IPV6INIT="yes"
NM_CONTROLLED="yes"
ONBOOT="yes"
TYPE="Ethernet"
UUID="aa960a0f-57d8-4c37-a22e-0b5ed7ccf19d"

07:05:00,673 DEBUG   : writeIfcfgFile eth0 to /etc/sysconfig/network-scripts/ifcfg-eth0 not needed

[root@localhost ~]# tail /var/log/anaconda.syslog 
13:56:02,861 INFO NetworkManager: <info> Activation (eth0) Stage 5 of 5 (IP Configure Commit) started...
13:56:03,863 INFO NetworkManager: <info> (eth0): device state change: ip-config -> activated (reason 'none') [7 8 0]
13:56:03,863 INFO NetworkManager: <info> Policy set 'System eth0' (eth0) as default for IPv4 routing and DNS.
13:56:03,863 INFO NetworkManager: <info> Activation (eth0) successful, device activated.
13:56:03,863 INFO NetworkManager: <info> Activation (eth0) Stage 5 of 5 (IP Configure Commit) complete.
13:57:00,286 WARNING kernel:hrtimer: interrupt took 20580213 ns
14:00:59,501 DEBUG kernel:SELinux: 2048 avtab hash slots, 304891 rules.
14:00:59,646 DEBUG kernel:SELinux: 2048 avtab hash slots, 304891 rules.
14:01:00,386 DEBUG kernel:SELinux:  9 users, 12 roles, 4199 types, 234 bools, 1 sens, 1024 cats
14:01:00,386 DEBUG kernel:SELinux:  81 classes, 304891 rules

[root@localhost ~]# tail /var/log/secure 
Apr 27 20:55:03 localhost sshd[2197]: Server listening on :: port 22.
Apr 27 20:55:13 localhost polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session1 (system bus name :1.23 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Apr 27 21:58:15 localhost sshd[25422]: Accepted password for root from 172.16.28.1 port 32891 ssh2
Apr 27 21:58:15 localhost sshd[25422]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 27 22:01:42 localhost passwd: pam_unix(passwd:chauthtok): password changed for root
Apr 27 22:01:42 localhost passwd: gkr-pam: couldn't update the 'login' keyring password: no old password was entered
Apr 27 22:01:59 localhost passwd: pam_unix(passwd:chauthtok): password changed for root
Apr 27 22:01:59 localhost passwd: gkr-pam: couldn't update the 'login' keyring password: no old password was entered
Apr 27 23:27:42 localhost su: pam_unix(su-l:session): session opened for user mohammedrafi by root(uid=0)
Apr 27 23:27:47 localhost su: pam_unix(su-l:session): session closed for user mohammedrafi
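As an added example (not code from the original post), a small Python reviewer for /var/log/secure-style lines: it parses the syslog prefix and flags the kinds of events shown above (a root SSH password login from a remote address, root password changes, su sessions) plus repeated SSH failures from one source. The sample lines are the secure log entries above plus three constructed failures from the documentation address 192.0.2.10; the rule names and the failure threshold are assumptions.

```python
import re
from collections import Counter
# Syslog-style prefix shared by /var/log/secure and /var/log/messages ("Apr 27 21:58:15 localhost sshd[25422]: ...").
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
SSH_ACCEPT_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
PASSWD_RE = re.compile(r"pam_unix\(passwd:chauthtok\): password changed for (?P<user>\S+)")
SU_RE = re.compile(r"pam_unix\(su-l:session\): session opened for user (?P<user>\S+) by (?P<by>[^\s(]+)")

def parse_line(line):
    """Split one syslog-style line into ts/host/prog/pid/msg; None if the prefix does not match."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def review_secure(lines, fail_threshold=3):
    """Return (timestamp, rule, detail) findings for the events a log reviewer should look at."""
    findings, failures = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        msg, ts = rec["msg"], rec["ts"]
        if rec["prog"] == "sshd":
            if m := SSH_ACCEPT_RE.search(msg):
                if m["user"] == "root":          # direct root logins deserve review
                    findings.append((ts, "root-ssh-login", f"{m['method']} from {m['ip']}"))
                elif m["method"] == "password":  # key-based auth is the expected norm
                    findings.append((ts, "password-ssh-login", f"{m['user']} from {m['ip']}"))
            elif m := SSH_FAIL_RE.search(msg):
                failures[m["ip"]] += 1           # alert once when a source reaches the threshold
                if failures[m["ip"]] == fail_threshold:
                    findings.append((ts, "ssh-bruteforce", f"{fail_threshold} failures from {m['ip']}"))
        elif m := PASSWD_RE.search(msg):
            findings.append((ts, "password-change", m["user"]))
        elif m := SU_RE.search(msg):
            findings.append((ts, "su-session", f"{m['by']} -> {m['user']}"))
    return findings
# Constructed sample: /var/log/secure lines from the post plus three made-up failures from 192.0.2.10.
SAMPLE = """\
Apr 27 21:58:15 localhost sshd[25422]: Accepted password for root from 172.16.28.1 port 32891 ssh2
Apr 27 22:01:42 localhost passwd: pam_unix(passwd:chauthtok): password changed for root
Apr 27 23:27:42 localhost su: pam_unix(su-l:session): session opened for user mohammedrafi by root(uid=0)
Apr 27 23:30:01 localhost sshd[25500]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Apr 27 23:30:02 localhost sshd[25501]: Failed password for root from 192.0.2.10 port 40002 ssh2
Apr 27 23:30:03 localhost sshd[25502]: Failed password for root from 192.0.2.10 port 40003 ssh2
""".splitlines()
```

Run `review_secure(open("/var/log/secure"))` on a real host to get the same findings for the live file; the parser ignores lines whose prefix it does not recognise.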