📄 0570syslog.htm
字号:
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
>
<html lang="zh-TW">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" >
<meta name="Author" content="VBird, 鸟哥" >
<meta name="Description" content="登录档的分析啦!" >
<title>鸟哥的 Linux 私房菜 -- 登录档的分析啦!</title>
<style type="text/css">
body {
background-color: #D3D3D3;
color: #000000;
background-attachment:fixed ;
}
body,th,td,input,select,textarea,select,checkbox {
font-family: '新细明体', 'Times New Roman', serif;
font-size: 11pt ;
}
a:link {text-decoration: none; color: blue}
a:visited {text-decoration: none; color: blue}
a:active {text-decoration: none; color: blue}
a:hover {text-decoration: underline; color: #ff0000}
table.head1 {width:100%; background-color: #FFCCCC;
border-style:groove;border-width:5px;border-color: #FFCCCC; margin:0;
padding: 5px 5px}
td.head1 {font: 10pt "新细明体", serif; color: #000099; }
td.info1 {font: 11pt "新细明体", serif; color: #000066; text-align:center; width:14%}
td.info2 {font: 11pt "新细明体", serif; color: #000066; text-align:center; width:12%}
*.info21 {font: 11pt "新细明体", serif; color: #000066; }
*.info22 {font: 11pt "新细明体", serif; color: blue ; }
*.info23 {font: 11pt "新细明体", serif; color: green ; }
td.info3 {font: 11pt "新细明体", serif; color: #000066; text-align:justify}
*.text_head0 {font-size:18pt; font-family:'标楷体','Times New Roman','Times', serif; }
*.text_head_en {font-size:18pt; font-family:'Times New Roman','Times', serif; }
*.text_h1 {font: 15pt "新细明体", serif; color: #0000BB; font-weight: bold }
*.text_h2 {font: 13pt "新细明体", serif; color: #0000BB; font-weight: bold }
*.text_import1 {font: 11pt "新细明体", serif; color: #000088; font-weight: bold }
*.text_import2 {font: 11pt "新细明体", serif; color: #000088; font-weight: normal}
*.text_vbird {font: 11pt "新细明体", serif; color: #000088; font-weight: normal;
font-style: italic;}
*.text_history {font: 10pt "新细明体", serif; color: #000066; }
*.text_date {font: 10pt "新细明体", serif; color: #3333FF; }
*.block1 {padding: 10px 20px 10px 25px; text-align:left }
*.block2 {padding: 10px 0px 10px 25px; text-align:left }
table.term2 {width: 350px; background-color: #000000;
border-style:groove;border-width:3px;border-color: #FFCCCC; margin:10px 0px;}
table.term {width: 580px; background-color: #000000;
border-style:groove;border-width:3px;border-color: #FFCCCC; margin:10px 0px;}
td.term {font: 10pt "细明体", Fixedsys, serif; color: #FFFFFF; }
*.term_hd {font: 10pt "细明体", Fixedsys, serif; color: #BBBBBB; }
*.term_note {font: 10pt "细明体", Fixedsys, serif; color: #777777; font-weight: normal }
*.term_note_b {font: 10pt "细明体", Fixedsys, serif; color: #FF77FF; font-weight: bolder }
*.term_command {font: 10pt "细明体", Fixedsys, serif; color: yellow ; font-weight: bolder }
*.term_write {font: 10pt "细明体", Fixedsys, serif; color: yellow ; font-weight: normal }
*.term_say {font: 10pt "细明体", Fixedsys, serif; color: #FF6666; font-weight: normal }
</style>
</head>
<body style="margin:0; padding:0">
<center>
<!-- 这里是关于页首按钮处的按钮程式 -->
<div style="text-align:center">
<span style="font-weight:bolder; color:#3333FF"><span class="text_head0">鸟哥的<span class="text_head_en">
Linux </span>私房菜</span></span><br />
<span style="color:#000080">为取得较佳浏览结果,请爱用 <a href="http://moztw.org" target="_blank">firefox</a>
浏览本网页</span><br />
<a href="http://linux.vbird.org/" target="_blank"
onmouseover="document.head_icon1.src='../images/icon_VBird_on.jpg'"
onfocus="document.head_icon1.src='../images/icon_VBird_on.jpg'"
onmouseout="document.head_icon1.src='../images/icon_VBird_off.jpg'">
<img alt="前往鸟哥的 Linux 私房菜馆首页" title="前往鸟哥的 Linux 私房菜馆首页" name="head_icon1"
src="../images/icon_VBird_off.jpg" border="0" /></a>
<a target="_blank" href="http://linux.vbird.org/linux_basic"
onmouseover="document.head_icon2.src='../images/icon_basic_on.jpg'"
onfocus="document.head_icon2.src='../images/icon_basic_on.jpg'"
onmouseout="document.head_icon2.src='../images/icon_basic_off.jpg'">
<img src="../images/icon_basic_off.jpg" border="0"
alt="前往 Linux 基础文件,新手请从头学起"
title="前往 Linux 基础文件,新手请从头学起" name="head_icon2" /></a>
<a target="_blank" href="http://linux.vbird.org/linux_server"
onmouseover="document.head_icon3.src='../images/icon_server_on.jpg'"
onfocus="document.head_icon3.src='../images/icon_server_on.jpg'"
onmouseout="document.head_icon3.src='../images/icon_server_off.jpg'">
<img src="../images/icon_server_off.jpg" border="0"
alt="前往 Linux 架站文件,网路基础那章节请务必参考!"
title="前往 Linux 架站文件,网路基础那章节请务必参考!" name="head_icon3" /></a>
<a target="_blank" href="http://linux.vbird.org/linux_security"
onmouseover="document.head_icon4.src='../images/icon_security_on.jpg'"
onfocus="document.head_icon4.src='../images/icon_security_on.jpg'"
onmouseout="document.head_icon4.src='../images/icon_security_off.jpg'">
<img src="../images/icon_security_off.jpg" border="0"
alt="前往『网路安全』相关文件网页" title="前往『网路安全』相关文件网页" name="head_icon4" /></a>
<a href="http://phorum.vbird.org" target="_blank"
onmouseover="document.head_icon5.src='../images/icon_forum_on.jpg'"
onfocus="document.head_icon5.src='../images/icon_forum_on.jpg'"
onmouseout="document.head_icon5.src='../images/icon_forum_off.jpg'">
<img src="../images/icon_forum_off.jpg" border="0"
alt="前往 Linux 新手讨论区,发问前务必查阅发文规则"
title="前往 Linux 新手讨论区,发问前务必查阅发文规则" name="head_icon5" /></a>
<a target="_blank" href="http://linux.vbird.org/adsl"
onmouseover="document.head_icon6.src='../images/icon_adsl_on.jpg'"
onfocus="document.head_icon6.src='../images/icon_adsl_on.jpg'"
onmouseout="document.head_icon6.src='../images/icon_adsl_off.jpg'">
<img src="../images/icon_adsl_off.jpg" border="0"
alt="前往『ADSL连线分享』相关文件网页" title="前往『ADSL连线分享』相关文件网页" name="head_icon6" /></a>
<a href="http://www.study-area.org" target="_blank"
onmouseover="document.head_icon7.src='../images/icon_study-area.jpg'"
onfocus="document.head_icon7.src='../images/icon_study-area.jpg'"
onmouseout="document.head_icon7.src='../images/icon_study-area.jpg'">
<img src="../images/icon_study-area.jpg" border="0"
alt="前往 Study Area 网站" title="前往 Study Area 网站" name="head_icon7" /></a>
<br />
</div>
<table summary="本文内容的排版" style="width:750px;
background-image:url('../images/VBirdLinux.jpg');
background-attachment:fixed;" border="0" cellspacing="0" cellpadding="0">
<tr><td style="width:16px; height:16px; background-image:url('../images/border-top-left.jpg');
font-size:6px"> </td>
<td style="width:718px; height:16px; font-size:6px;
background-image:url('../images/border-top-center.jpg')"> </td>
<td style="width:16px; height:16px; background-image:url('../images/border-top-right.jpg');
font-size:6px"> </td></tr>
<tr><td style="width:16px; font-size:6px;
background-image:url('../images/border-middle-left.jpg')"> </td>
<td width="718">
<!-- 本文的档头部分 -->
<div style="text-align:center">
<a href="0570syslog.php">
<span class="text_head0">认识与分析登录档</span></a><br />
</div>
<div style="text-align:left">
<a href="0570syslog.php?thisscreen=800x600"><!--切换解析度为 800x600--></a>
</div>
<div style="text-align:right">
<span class="text_history">最近更新日期∶2006/07/23</span>
</div>
<!-- 本文的档头部分 -->
<table class="head1" summary="排版∶文章档头的说明"><tr><td class="head1">
『登录档』似乎是常常听到的名词,网路上的老手们也常常告知新手们要多察看登录档,
那么这些登录档是干嘛用的?嗯!似乎是当你启发一个事件的时候,或者是有人登入你的 Linux
主机的时候,主机会有一些认证的程序或者是一些重要的讯息,由于这些讯息有被追踪的重要性,
所以自然就有需要将他保留下来,以备未来的不时之需棉,这些讯息会被纪录在某些档案上,
这些档案就被称为登录档了!那么您晓得该登入者的资讯被纪录在哪里吗?这些资讯的量有多大呢?
您可以每天自行观看吗?哇!如果能用 Shell Scripts 来分析的话,不是就更快速了吗?呵呵!
这里鸟哥写了一个小小的分析档案 ( logfile.sh ),让大家可以更快乐的管理你的 Linux 主机呦! ^_^
</td></tr></table><br>
<!-- 本文的连结区部分 -->
<div class=block1>
<span class="text_h1">
1. <a href="#whatis_syslog">什么是登录档?</a><br>
2. <a href="#syslogd">登录档的纪录∶ syslogd</a><br>
<span class=text_h2>
2.1 <a href="#syslogd_format">登录档内容的一般格式</a><br>
2.2 <a href="#syslogd_conf">登录档的设定档∶ /etc/syslog.conf</a><br>
2.3 <a href="#syslogd_secure">登录档的安全性设置</a><br>
2.4 <a href="#syslogd_server">登录档主机的简单设定</a><br>
</span>
3. <a href="#rotate">登录档的轮替 (logrotate)∶</a><br>
<span class=text_h2>
3.1 <a href="#rotate_config">logrotate 的设定档</a><br>
3.2 <a href="#rotate_command">实际测试 logrotate 的动作</a><br>
</span>
4. <a href="#analyze">分析登录档</a><br>
<span class=text_h2>
4.1 <a href="#analyze_command">一些常见指令∶ last, lastlog, dmesg</a><br>
4.2 <a href="#analyze_vbird">鸟哥自己写的登录档分析工具∶</a><br>
</span>
5. <a href="#FAQ">本章习题练习</a><br>
<span class=text_h2>
6. <a href="http://phorum.vbird.org/viewtopic.php?t=23895"
target="_blank">针对本文的建议∶http://phorum.vbird.org/viewtopic.php?t=23895</a>
</span>
</span>
</div>
<!-- 本文的正式部分 -->
<hr><a NAME="whatis_syslog"></a><img src="images/penguin-m.gif" alt="大标题的图示" height="34" width="25" align="middle" /><span class="text_h1">什么是登录档?</span><br>
<div class=block1>
这部分是最容易被新手所忽略的,那就是『
<span class=text_import2>详细而确实的纪录或者是备份系统的登录档</span>
』。那么什么是登录档呢?简单的说,就是<span class=text_import2>记录系统活动记录的几个档案,
例如∶何时、何地 (来源 IP)、何人( login name )、做了什么动作,
另外就是系统在什么时候做了什么样的行为时,发生了什么样的事件等等</span>,要知道的是,我们的
Linux 主机在背景之下,有相当多的 daemons 在工作著,那么这些工作中的程序总是会有一些讯息显示,
这些显示的讯息就是给记录在登录档当中啦,也就是说,记录这些系统的重要讯息,
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -