Monday, February 7, 2011

Apache logs: access log (2)

3. Process accounting

UNIX can record every command run by every user. If you want to know who tampered with an important document last night, the process accounting subsystem can tell you, and it also tracks an intruder's activity. Like connection-time logging, process accounting is not enabled by default; it must be started. On Linux systems process accounting is started with the accton command, which must be run as root. The syntax is accton file, and the file must already exist, so first create the pacct file with the touch command:

    touch /var/log/pacct

and then start accounting:

    accton /var/log/pacct

Once accton is active, the lastcomm command can be used at any time to review the commands executed on the system. To turn accounting off, run accton with no arguments. lastcomm reports on commands that were executed and recorded in the accounting file. Without arguments it prints every record in the current accounting file, including the command name, the user, the tty, the CPU time the command consumed and a timestamp. On a system with many users this output can be quite long. An example:

    crond           F    root   ??      0.00 secs Sun Aug 20 00:16
    promisc_check.s S    root   ??      0.04 secs Sun Aug 20 00:16
    promisc_check        root   ??      0.01 secs Sun Aug 20 00:16
    grep                 root   ??      0.02 secs Sun Aug 20 00:16
    tail                 root   ??      0.01 secs Sun Aug 20 00:16
    sh                   root   ??      0.01 secs Sun Aug 20 00:15
    ping            S    root   ??      0.01 secs Sun Aug 20 00:15
    ping6.pl        F    root   ??      0.01 secs Sun Aug 20 00:15
    sh                   root   ??      0.01 secs Sun Aug 20 00:15
    ping            S    root   ??      0.02 secs Sun Aug 20 00:15
    ping6.pl        F    root   ??      0.02 secs Sun Aug 20 00:15
    sh                   root   ??      0.02 secs Sun Aug 20 00:15
    ping            S    root   ??      0.00 secs Sun Aug 20 00:15
    ping6.pl        F    root   ??      0.01 secs Sun Aug 20 00:15
    sh                   root   ??      0.01 secs Sun Aug 20 00:15
    ping            S    root   ??      0.01 secs Sun Aug 20 00:15
    sh                   root   ??      0.02 secs Sun Aug 20 00:15
    ping            S    root   ??      1.34 secs Sun Aug 20 00:15
    accton          S    root   ttyp0   0.00 secs Sun Aug 20 00:15
    locate               root   ttyp0   1.34 secs Sun Aug 20 00:15

The accounting file pacct can grow very quickly. To keep the accounting data under control, the sa command must be run regularly, either interactively or from cron. sa reports on, condenses and maintains the accounting file: it can compress the information in /var/log/pacct into the summary files /var/log/savacct and /var/log/usracct.
These summary files hold system statistics classified by command name and by user name. By default sa reads them first and then the pacct file, so its report contains all the available information. sa's output uses the following column labels:

    avio   -- average number of I/O operations per execution
    cp     -- total user and system time, in minutes
    cpu    -- the same as cp
    k      -- average core usage weighted by CPU time, in 1k units
    k*sec  -- CPU storage integral, in 1k-core seconds
    re     -- real time, in minutes
    s      -- system time, in minutes
    tio    -- total number of I/O operations
    u      -- user time, in minutes

For example:

    842   173.26re   4.30cp   0avio   358k
      2    10.98re   4.06cp   0avio   299k   ind
      9    24.80re   0.05cp   0avio   291k   ***other*
    105    30.44re   0.03cp   0avio   302k   ping
    104    30.55re   0.03cp   0avio   394k   s
    162     0.11re   0.03cp   0avio   413k   security.s*
    154     0.03re   0.02cp   0avio   273k   ls
     56    31.61re   0.02cp   0avio   823k   ping6.pl*
      2     3.23re   0.02cp   0avio   822k   ping6.pl
     35     0.02re   0.01cp   0avio   257k   md5sum
     97     0.02re   0.01cp   0avio   263k   initlog
     12     0.19re   0.01cp   0avio   399k   promisc_check.s
     15     0.09re   0.00cp   0avio   288k   grep
     11     0.08re   0.00cp   0avio   332k   awk

Users can ask for the summary per user instead of per command. For example, sa -m produces:

    885          173.28re   4.31cp   0avk
    root    879  173.23re   4.31cp   0avk
    alias     3    0.05re   0.00cp   0avk
    qmailp    3    0.01re   0.00cp   0avk

4. Syslog

The syslog facility has been adopted by many logging functions and is used in many protection measures: any program can record events through syslog. Syslog records system events either by writing them to a file or device, or by sending a message to a user. It can record local events, or record the events of another host over the network. The syslog facility is based on two important files: /etc/syslogd (the daemon) and the /etc/syslog.conf configuration file. Conventionally most syslog information is written to message files (messages.*) in the /var/adm or /var/log directory. A typical syslog record includes the name of the generating program and a text message. It also carries a facility and a priority, but these do not appear in the log.
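The review step that section 3 describes, reading lastcomm output and producing the per-user totals that sa -m prints, as an added shell example (this is not code from the original post). It assumes the lastcomm column layout shown above; the acct_enable/acct_disable wrappers around touch and accton need root, so the demonstration only runs the review functions over a constructed lastcomm sample embedded in the script. The superuser check keys on the S flag that lastcomm prints for commands run with superuser privileges.

```shell
#!/bin/sh
# Added example: review process-accounting records.  Produces the per-user
# totals sa -m prints, and lists every record lastcomm flagged with S
# (executed with superuser privileges).

PACCT=/var/log/pacct

# The enabling steps from the text; both need root and are not run below.
acct_enable()  { touch "$PACCT" && accton "$PACCT"; }
acct_disable() { accton; }            # accton with no arguments stops accounting

# Constructed lastcomm output in the column layout shown above:
# command, optional flags (S = superuser, F = fork without exec), user, tty,
# CPU seconds, timestamp.
SAMPLE_LASTCOMM='crond           F    root   ??      0.00 secs Sun Aug 20 00:16
promisc_check.s S    root   ??      0.04 secs Sun Aug 20 00:16
grep                 root   ??      0.02 secs Sun Aug 20 00:16
sh                   root   ??      0.01 secs Sun Aug 20 00:15
ping            S    root   ??      0.01 secs Sun Aug 20 00:15
locate               tiger  ttyp0   1.34 secs Sun Aug 20 00:15
accton          S    root   ttyp0   0.00 secs Sun Aug 20 00:15'

# Per-user summary on stdout: "user records cpu_seconds" (what sa -m reports).
# The "secs" field is located first so the optional flags column cannot
# shift the user/tty/CPU fields.
acct_user_summary() {
    awk '
    {
        for (i = 1; i <= NF; i++) if ($i == "secs") break
        if (i > NF) next                   # not a lastcomm record
        user = $(i - 3)
        n[user]++
        cpu[user] += $(i - 1)
    }
    END { for (u in n) printf "%s %d %.2f\n", u, n[u], cpu[u] }' | sort
}

# Records that ran with superuser privileges: "command user tty".
acct_superuser_cmds() {
    awk '
    {
        for (i = 1; i <= NF; i++) if ($i == "secs") break
        if (i > NF || i - 3 != 3) next     # no flags column on this line
        if (index($2, "S")) print $1, $(i - 3), $(i - 2)
    }'
}

printf '%s\n' "$SAMPLE_LASTCOMM" | acct_user_summary
printf '%s\n' "$SAMPLE_LASTCOMM" | acct_superuser_cmds
```

On a live system replace the embedded sample with `lastcomm | acct_user_summary`; an unfamiliar user name in the summary, or an unexpected command in the superuser list, is the kind of record worth following up.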
Each syslog message is assigned one of the following major facilities:

    LOG_AUTH      -- the authentication system: login, su, getty, etc.
    LOG_AUTHPRIV  -- the same, but logged to a file readable only by selected users
    LOG_CRON      -- the cron daemon
    LOG_DAEMON    -- other system daemons, such as routed
    LOG_FTP       -- file transfer protocols: ftpd, tftpd
    LOG_KERN      -- messages generated by the kernel
    LOG_LPR       -- the system printer spooler: lpr and lpd
    LOG_MAIL      -- the e-mail system
    LOG_NEWS      -- the network news system
    LOG_SYSLOG    -- internal messages from syslogd(8)
    LOG_USER      -- messages from random user processes
    LOG_UUCP      -- the UUCP subsystem
    LOG_LOCAL0 to LOG_LOCAL7 -- reserved for local use

Syslog also gives each event one of several priorities:

    LOG_EMERG    -- emergencies
    LOG_ALERT    -- problems that should be corrected immediately, such as a corrupted system database
    LOG_CRIT     -- critical conditions, such as a hard disk error
    LOG_ERR      -- errors
    LOG_WARNING  -- warning messages
    LOG_NOTICE   -- not an error, but may need handling
    LOG_INFO     -- informational messages
    LOG_DEBUG    -- messages containing information normally used only when debugging a program

The syslog.conf file specifies what syslogd records; the program reads this configuration file at startup. The file consists of individual entries for different programs or message classes, each on a separate line. Each entry provides a selector field and an action field, separated by tabs: the selector field specifies the message type and priority, and the action field indicates what syslogd does when it receives a message matching the selector. Each selector consists of a facility and a priority. When a priority is specified, syslogd records messages of that priority or higher, so specifying "crit" records every message marked crit, alert or emerg. The action field of each line says where a message selected by the selector field should be sent.
For example, to record all mail messages in one file:

    # Log all the mail messages in one place
    mail.*                          /var/log/maillog

Other facilities also have their own logs. The UUCP and news facilities can produce many external messages; these go into their own log (/var/log/spooler), with the level limited to "err" or higher. For example:

    # Save mail and news errors of level err and higher in a special file.
    uucp,news.crit                  /var/log/spooler

When an emergency message arrives, you may want to notify all users. You may also want the message received and saved on another machine:

    # Everybody gets emergency messages, plus log them on another machine
    *.emerg                         *
    *.emerg                         @linuxaid.com.cn

Alert messages should be written to the personal accounts of root and tiger:

    # Root and Tiger get alert and higher messages
    *.alert                         root,tiger

Sometimes syslogd produces a great many messages; the kernel (the "kern" facility), for instance, can be very verbose. A user may want to send kernel messages to /dev/console. In the following example the kernel logging rule is commented out:

    # Log all kernel messages to the console
    # Logging much else clutters up the screen
    # kern.*                        /dev/console

Users can specify everything on one line. The following example sends messages of level info or higher to /var/log/messages, except for mail; the level "none" excludes a facility entirely:

    # Log anything (except mail) of level info or higher
    # Don't log private authentication messages!
    *.info;mail.none;authpriv.none  /var/log/messages

In some cases you can send the log to a printer, so that a network intruder has no way to modify it. Logging is often extensive, and the syslog facility is a prominent target for attackers: a host that keeps the logs of other systems is particularly exposed to attack, so it deserves special attention. There is a small command, logger, that provides a shell command interface to the syslog(3) system log facility and lets users create entries in the log file. Usage: logger message. For example:

    logger This is a test!
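The selector rules explained above (facility lists, "priority or higher", the "none" level, several selectors per line) as an added shell example that evaluates a syslog.conf fragment; this is not code from the original post. It assumes the classic selector grammar only (no "=" or "!" modifiers), accepts any whitespace between selector and action where real syslogd wants tabs, and uses a constructed configuration with the placeholder remote host loghost.example in place of a real log server.

```shell
#!/bin/sh
# Added example: which syslog.conf actions receive a message of a given
# facility and priority?  Implements the selector rules from the text.

# Constructed syslog.conf fragment (same rules as in the text; the remote
# host is a placeholder).  Note the commented-out kern rule.
SAMPLE_SYSLOG_CONF='# Log all the mail messages in one place
mail.*                          /var/log/maillog
# Save mail and news errors of level err and higher in a special file.
uucp,news.crit                  /var/log/spooler
# Everybody gets emergency messages, plus log them on another machine
*.emerg                         *
*.emerg                         @loghost.example
# Root and Tiger get alert and higher messages
*.alert                         root,tiger
# kern.*                        /dev/console
# Log anything (except mail) of level info or higher
*.info;mail.none;authpriv.none  /var/log/messages'

# syslog_actions FACILITY PRIORITY  (config on stdin)
# Prints the action field of every rule whose selector matches.  A message
# matches a selector when its priority is at least as severe as the
# selector level; "none" excludes the facility; within one line the last
# selector that names the facility wins, which is how "*.info;mail.none"
# keeps mail out of /var/log/messages.
syslog_actions() {
    awk -v fac="$1" -v prio="$2" '
    function rank(p) {                    # lower = more severe
        if (p == "emerg" || p == "panic")  return 0
        if (p == "alert")                  return 1
        if (p == "crit")                   return 2
        if (p == "err"   || p == "error")  return 3
        if (p == "warning" || p == "warn") return 4
        if (p == "notice")                 return 5
        if (p == "info")                   return 6
        if (p == "debug" || p == "*")      return 7
        return -1                          # "none" or an unknown level
    }
    BEGIN { pr = rank(prio) }
    NF == 0 || $1 ~ /^#/ { next }         # blank lines and comments
    {
        hit = 0
        n = split($1, sels, ";")           # selector1;selector2;...
        for (i = 1; i <= n; i++) {
            split(sels[i], fp, ".")        # fp[1] = facility list, fp[2] = level
            m = split(fp[1], facs, ",")
            for (j = 1; j <= m; j++) {
                if (facs[j] != "*" && facs[j] != fac) continue
                lr = rank(fp[2])
                hit = (pr >= 0 && lr >= 0 && pr <= lr) ? 1 : 0
            }
        }
        if (hit) print $2
    }'
}

# Demonstration: a kernel emergency reaches every user, the remote host,
# root and tiger, and /var/log/messages; a mail error reaches only maillog.
printf '%s\n' "$SAMPLE_SYSLOG_CONF" | syslog_actions kern emerg
printf '%s\n' "$SAMPLE_SYSLOG_CONF" | syslog_actions mail err
```

Running the evaluator against a proposed syslog.conf before deploying it is a cheap way to confirm that private authentication messages really are excluded from the world-readable messages file and that emergencies still reach the remote log host.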
It produces the following syslog record:

    Aug 19 22:22:34 tiger: This is a test!

Note: do not trust the logs completely, because an attacker can modify them easily.

5. Program logs

A number of programs maintain their own logs to reflect the system's security state. The su command lets a user obtain another user's privileges, so its security is important; its log file is sulog. The same applies to sudolog. In addition, Apache has two logs: access_log and error_log.
