Kernel Logging   «Prev  Next»

Lesson 2Examining system logs
Objective Examine contents of System Logs for Significant Events

Examine contents of System Logs for Significant Events

Before you begin looking through logfiles for significant events, you must know the format of logfiles. Most Linux logfiles have a common, fixed format that has four elements
  1. The date and time of the message
  2. The hostname from where the message came, which is important when you have enabled centralized system logging
  3. The name of the application or subsystem from where the message came--for example, kernel, ftpd, and so on
  4. The actual message,>which is the remainder of the line following the colon

The following diagram below shows typical entries from a /var/log/messages logfile.
Log Message Main

Log files Used For Trouble Shooting
The xferlog logfile has its own format. Check the xferlog man page for a description of each field.

Looking for significant events

Examining Root Logins

Examining the system logs is an important part of system administration. To ensure that problems are caught and resolved in a timely fashion, you should check your system's logs for significant events. View the table below to see how to identify commonly logged, significant events
If you have built a monolithic kernel for your firewall (strongly suggested), check for module insertion activity with grep insmod /var/log/messages.
A monolithic kernel should not have any modules inserted into it; if someone tried, it might be a sign of security compromise.

Event How to identify
root logins grep "login.*for user root" /var/log/messages
root login failures grep "FAILED LOGIN.*FOR root" /var/log/messages
su failures grep "failure.*root for su" /var/log/messages
anonymous ftp grep "ANONYMOUS" /var/log/messages
password updates grep "password" /var/log/messages
general error strings egrep -i "(fatal|unauthorized|illegal|denied|hack|sniff|spoof|spy)" /var/log/messages

The next lesson explains how to configure the system log