Announcement

Collapse
No announcement yet.

Keeping an Eye on Logfiles

Collapse
X
Collapse
  •  

  • Keeping an Eye on Logfiles

    If you want to watch a log file and have it update when ever new content is added the "tail" command is an easy on-the-fly tool to use.
    Ofcourse for long term use other implementations of log file analyzers or syslog services would be better.
    Here is a short example and some sample output showing a failed root login attempt.

    # tail -n 20 -f -s 5 /var/log/auth.log
    Feb 17 04:11:09 testbox login[4822]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost= user=root
    Feb 17 04:11:12 testbox login[4822]: FAILED LOGIN (1) on 'tty2' FOR `root', Authentication failure
    Feb 17 04:11:18 testbox login[4822]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
    Feb 17 04:11:18 testbox login[5020]: ROOT LOGIN on 'tty2'
    Feb 17 04:11:20 testbox login[4822]: pam_unix(login:session): session closed for user root

    This will output to stdout and autoupdate when ever entries is being added to the auth.log file.
    The "-n" option sets how many lines from the file to display so in this example the latest 20 lines will be displayed.
    The "-f" option is what makes this autoupdate whenever new entries are added.
    The default read rate from the log file is 1 second but this is here set to 5 seconds using the "-s" option.

    Ofcourse this can be done on any text file you have permission to read and is not limited to log files.
    Check out the man or info page for additional options.

    In addition you can try out the "last" command that will display the last logged in users.
    This also has some additional options but here is some basic output.

    # last
    root tty1 Thu Feb 18 00:13 still logged in
    root tty1 Thu Feb 18 00:13 - 00:13 (00:00)
    reboot system boot 2.6.26-2-686 Thu Feb 18 00:09 - 22:13 (22:04)
    root tty1 Wed Feb 17 21:50 - down (00:29)
    root tty1 Wed Feb 17 21:50 - 21:50 (00:00)
    reboot system boot 2.6.26-2-686 Wed Feb 17 21:49 - 22:20 (00:30)
    root tty1 Wed Feb 17 18:00 - down (00:59)
    root tty1 Wed Feb 17 18:00 - 18:00 (00:00)
    reboot system boot 2.6.26-2-686 Wed Feb 17 17:55 - 19:00 (01:04)
    root tty2 Wed Feb 17 04:11 - 04:11 (00:00)

    Remark the newest entries are the first ones to be listed. Log files usually have the most recent data at the bottom.

    The "watch" command is a bit odd but can also be useful now and then.
    It executes one command of your choice repeatedly. That is that it defaults to repeat the command 2 seconds after the previous one ends. In this example I use the "watch" command combined with grep.

    # watch --differences=cumulative 'grep FAILED /var/log/auth.log'

    I do not show any output from this one but output form above will be every line from auth.log containing the word FAILED and whenever a new match is found the new match will be highlighted. When this is possible with grep it gets very powerfull. I recommend checking out the man page for additional features on both watch and grep.
      Posting comments is disabled.

    Categories

    Collapse

    Article Tags

    Collapse

    Latest Articles

    Collapse

    • Testing your Mail Server
      by Resheph
      Telnet to your smtp server using the following:
      "telnet example.com 25". The number "25" is the default portnumber for outging mail, defined by IANA.
      Substitute the address with your own address or ip number.
      Even though this might very well be possible to do on your ISP mail server, dont!!
      This will give you the SMTP server banner. I hope this has been changed or spoofed to protect from banner grabbing.
      In my example, it gives me "220 example.com...
      08-06-2016, 10:38 PM
    • Knowing your System Performance and State
      by Resheph
      Here are a few command line tools that will help you estimate your system usage and performance.
      There is a lot more information on this in the man pages so take a look there also. If you dont know your average system load you will not be able to determine if the load is in a peaking state or if the host is able to handle more load.
      Note that some commands might require installation of a few packages.

      Below gives a nice simple performance view of a HDU. Ofcourse running...
      08-06-2016, 10:35 PM
    • Browsing your Hardware in Linux
      by Resheph
      Sometimes it can be quite a challenge to find out what hardware you have but it is actually quite easy.
      Here are a few commands and some sample output for you.

      USB devices are usually easy to identify because you can just pick them up and look at them.
      Below will help you out with the few that just say NoName on it. Often those noname ones are the same as the named ones just with another wrapping. Below display a list of detected USB devices.

      # lsusb
      Bus...
      08-06-2016, 10:34 PM
    • Keeping an Eye on Logfiles
      by Resheph
      If you want to watch a log file and have it update when ever new content is added the "tail" command is an easy on-the-fly tool to use.
      Ofcourse for long term use other implementations of log file analyzers or syslog services would be better.
      Here is a short example and some sample output showing a failed root login attempt.

      # tail -n 20 -f -s 5 /var/log/auth.log
      Feb 17 04:11:09 testbox login[4822]: pam_unix(login:auth): authentication failure; logname=LOGIN...
      08-06-2016, 10:31 PM
    • Learn which Libraries Programs Call
      by Resheph
      Sometimes it comes in handy to know what libraries and what versions of those libraries some software is depending on.
      This is quite easy and is done with the "ldd" command.

      Here are the dependencies that the "ls" command has. Remark that you have to use the absolute path as ldd does not support the use of the search path stated in the environment variable PATH.

      # ldd /bin/ls
      linux-gate.so.1 => (0xb7fd4000)
      librt.so.1 => /lib/i686/cmov/librt.so.1...
      08-06-2016, 10:29 PM
    Working...
    X