# Analyzing log files
Analyzing log files is important. You can read them with vim or journalctl, or with the tools mentioned earlier such as last, lastlog and dmesg.
The data is very scattered, though, so the logwatch package is provided to help us.
# The logwatch that CentOS ships by default
This tool analyzes the log files once a day and mails the result to root. More details are on the logwatch website: http://www.logwatch.org
As usual, the tool is not installed by default; mount your installation disc and install it:
```bash
[root@study ~]# yum install /mnt/Packages/perl-5.*.rpm /mnt/Packages/perl-Date-Manip-*.rpm /mnt/Packages/perl-Sys-CPU-*.rpm /mnt/Packages/perl-Sys-MemInfo-*.rpm /mnt/Packages/logwatch-*.rpm
# the perl dependencies have to be installed together with the package
[root@study ~]# ll /etc/cron.daily/0logwatch
-rwxr-xr-x. 1 root root 434 Aug 16 2018 /etc/cron.daily/0logwatch
[root@study ~]# /etc/cron.daily/0logwatch
```
Once installed, the package has already placed a script under cron, so it runs automatically once a day and sends the result to root by mail; you can also run /etc/cron.daily/0logwatch directly. I had a look at its contents: it simply runs the /usr/sbin/logwatch command. After running it by hand, just read the mail as root. Note: if you run it by hand and there is a lot of data, the current terminal will block until the analysis finishes.
```bash
[root@study ~]# mail
Heirloom Mail version 12.5 7/5/10. Type ? for help.
"/var/spool/mail/root": 1 message 1 new
>N 1 logwatch@study.cento Mon Mar 16 04:07 128/4920 "Logwatch for study.centos.mrcode (Linux)"
& 1
Message 1:
From root@study.centos.mrcode Mon Mar 16 04:07:23 2020
Return-Path: <root@study.centos.mrcode>
X-Original-To: root
Delivered-To: root@study.centos.mrcode
To: root@study.centos.mrcode
From: logwatch@study.centos.mrcode
Subject: Logwatch for study.centos.mrcode (Linux)
Auto-Submitted: auto-generated
Precedence: bulk
Content-Type: text/plain; charset="iso-8859-1"
Date: Mon, 16 Mar 2020 04:07:22 +0800 (CST)
Status: R
# reports the logwatch version, the time of this run, and so on
################### Logwatch 7.4.0 (03/01/11) ####################
Processing Initiated: Mon Mar 16 04:07:22 2020
Date Range Processed: yesterday
( 2020-Mar-15 )
Period is day.
Detail Level of Output: 0
Type of Output/Format: mail / text
Logfiles for Host: study.centos.mrcode
##################################################################
# the per-service analysis follows, one item at a time
--------------------- Cron Begin ------------------------
**Unmatched Entries**
INFO (RANDOM_DELAY will be scaled with factor 25% if used.)
---------------------- Cron End -------------------------
--------------------- Kernel Begin ------------------------
WARNING: Kernel Errors Present
[drm:vmw_host_log [vmwgfx]] *ERROR* Failed to send ...: 2 Time(s)
---------------------- Kernel End -------------------------
--------------------- pam_unix Begin ------------------------
gdm-launch-environment:
Unknown Entries:
session opened for user gdm by (uid=0): 1 Time(s)
su-l:
Sessions Opened:
mrcode -> root: 3 Time(s)
....
--------------------- SSHD Begin ------------------------
SSHD Started: 2 Time(s)
Users logging in through sshd:
mrcode:
192.168.0.105: 4 times
**Unmatched Entries**
error: no more sessions : 8 time(s)
---------------------- SSHD End -------------------------
# disk usage is reported as well
--------------------- Disk Space Begin ------------------------
Filesystem Size Used Avail Use% Mounted on
devtmpfs 565M 0 565M 0% /dev
/dev/mapper/centos-root 10G 5.1G 5.0G 51% /
/dev/sda2 1014M 181M 834M 18% /boot
/dev/mapper/centos-home 5.0G 927M 4.1G 19% /home
---------------------- Disk Space End -------------------------
```
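The report above is plain text with one `NAME Begin ... NAME End` block per service, which makes it easy to post-process instead of reading it by eye every morning. As an added example (not code from the page or from logwatch itself), the following Python splits such a report into sections and flags SSH logins from sources outside an allowlist together with kernel warnings; the sample report and the allowlist are constructed for the demonstration.

```python
import re
# Constructed sample in the layout of the logwatch mail shown above (not real host data).
SAMPLE_REPORT = """\
--------------------- Kernel Begin ------------------------
WARNING: Kernel Errors Present
[drm:vmw_host_log [vmwgfx]] *ERROR* Failed to send ...: 2 Time(s)
---------------------- Kernel End -------------------------
--------------------- SSHD Begin ------------------------
Users logging in through sshd:
mrcode:
192.168.0.105: 4 times
10.9.8.7: 1 time
**Unmatched Entries**
error: no more sessions : 8 time(s)
---------------------- SSHD End -------------------------
"""
SECTION_RE = re.compile(r"^-+ (?P<name>.+?) (?P<edge>Begin|End) -+$")

def split_sections(report):
    """Map each 'NAME Begin ... NAME End' block to its stripped body lines."""
    sections, current = {}, None
    for line in report.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:  # section marker: open a section on Begin, close it on End
            current = m.group("name") if m.group("edge") == "Begin" else None
            if current:
                sections[current] = []
        elif current:
            sections[current].append(line.strip())
    return sections

def sshd_logins(sshd_lines):
    """Return {user: {source: count}} from the 'Users logging in through sshd' list."""
    logins, user = {}, None
    for line in sshd_lines:
        if line.startswith("**"):  # '**Unmatched Entries**' ends the login list
            break
        if re.fullmatch(r"\S+:", line):  # a user header such as 'mrcode:'
            user = line[:-1]
        elif user and (m := re.match(r"(\S+): (\d+) times?$", line)):
            logins.setdefault(user, {})[m.group(1)] = int(m.group(2))
    return logins

def review(report, allowed_sources):
    """Flag kernel warnings and SSH logins whose source is not on the allowlist."""
    sections = split_sections(report)
    findings = [f"kernel: {ln}" for ln in sections.get("Kernel", []) if ln.startswith("WARNING")]
    for user, srcs in sshd_logins(sections.get("SSHD", [])).items():
        for src, n in srcs.items():
            if src not in allowed_sources:
                findings.append(f"sshd: {n} login(s) as {user} from unlisted source {src}")
    return findings
```

Feeding the body of the daily mail into `review()` with the addresses your administrators normally log in from gives a short list worth looking at, rather than the full report.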
# The log-analysis tool written by the author
Download: http://linux.vbird.org//linux_basic/0570syslog//logfile_centos7.tar.gz
After downloading, extract it under the root directory; the files land in their respective locations, including a cron job file that analyzes the system log files once a day at 00:10. The tool only works on systems that use journalctl (CentOS 7.x).
```bash
[root@study ~]# tar -zxvf logfile_centos7.tar.gz -C /
etc/cron.d/vbirdlogfile
root/bin/logfile/
root/bin/logfile/function/
root/bin/logfile/function/samba
root/bin/logfile/function/dovecot
root/bin/logfile/function/sendmail
root/bin/logfile/function/proftp
root/bin/logfile/function/pop3
root/bin/logfile/function/procmail
root/bin/logfile/function/zzz.sh
root/bin/logfile/function/ssh
root/bin/logfile/function/ports
root/bin/logfile/function/postfix
root/bin/logfile/function/openwebmail
root/bin/logfile/function/wuftp
root/bin/logfile/logfile.sh
# quite a few function files, as you can see
# this is the cron job file
[root@study ~]# cat /etc/cron.d/vbirdlogfile
10 0 * * * root /bin/bash /root/bin/logfile/logfile.sh &> /dev/null
# run it manually
[root@study ~]# sh /root/bin/logfile/logfile.sh
[root@study ~]# sh /root/bin/logfile/logfile.sh
/sbin/restorecon: Warning no default label for /dev/shm/logfile/logfile_mail.txt
grep: /etc/postfix/body_checks: No such file or directory
cat: /dev/shm/logfile//postlog.1: No such file or directory
```
```bash
# open the mailbox and the message is there
[root@study ~]# mail
Heirloom Mail version 12.5 7/5/10. Type ? for help.
"/var/spool/mail/root": 2 messages 1 new
1 logwatch@study.cento Mon Mar 16 04:07 129/4931 "Logwatch for study.centos.mrcode (Linux)"
>N 2 root Mon Mar 16 04:24 67/3085 "study.centos.mrcode logfile analysis results"
# looking at the content, it is quite usable
=============== system summary =================================
Linux kernel : Linux version 3.10.0-1062.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org)
CPU informatin: 1 Intel(R) Core(TM) i7-7820HQ CPU @ 2.90GHz
CPU speed : 2904.000 MHz
hostname is : study.centos.mrcode
Network IP : 192.168.0.128 192.168.122.1
Check time : 2020/March/16 04:23:52 ( Monday )
Summary date : Mar 15
Up times : 8:10,
Filesystem summary:
Filesystem Type Size Used Avail Use% Mounted on
devtmpfs devtmpfs 565M 0 565M 0% /dev
tmpfs tmpfs 582M 144K 582M 1% /dev/shm
tmpfs tmpfs 582M 1.3M 581M 1% /run
tmpfs tmpfs 582M 0 582M 0% /sys/fs/cgroup
/dev/mapper/centos-root xfs 10G 5.1G 5.0G 51% /
/dev/sda2 xfs 1014M 181M 834M 18% /boot
/dev/mapper/centos-home xfs 5.0G 927M 4.1G 19% /home
tmpfs tmpfs 117M 12K 117M 1% /run/user/42
tmpfs tmpfs 117M 0 117M 0% /run/user/1000
/dev/sr0 iso9660 4.4G 4.4G 0 100% /mnt
================= Ports 的相關分析資訊 =======================
主機啟用的 port 與相關的 process owner:
對外部介面開放的
ports (PID|owner|command)
tcp 22|(root)|/usr/sbin/sshd -D
tcp 25|(root)|/usr/libexec/postfix/master -w
tcp 53|(nobody)|/usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/de
tcp 111|(root)|/usr/lib/systemd/systemd --switched-root --system --deseri
tcp 514|(root)|/usr/sbin/rsyslogd -n
tcp 631|(root)|/usr/sbin/cupsd -f
udp 53|(nobody)|/usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/de
udp 67|(nobody)|/usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/de
udp 111|(root)|/usr/lib/systemd/systemd --switched-root --system --deseri
udp 1008|(rpc)|/sbin/rpcbind -w
udp 5353|(avahi)|avahi-daemon: running [study.local]
udp 45105|(avahi)|avahi-daemon: running [study.local]
================= SSH 的登錄檔資訊彙整 =======================
一共成功登入的次數: 4
帳號 來源位址 次數
mrcode 192.168.0.105 4
================= Postfix 的登錄檔資訊彙整 ===================
使用者信箱受信次數:
```