this article might be largely incomplete…
kernel ringbuffer boot messages
messages from the kernel during first stages of boot.
[cc lang="bash" escaped="true" width="600"]
# all distros
dmesg; # show kernel ring buffer boot messages log
# Centos7 only (debian8 has the file but it is empty)
less /var/log/dmesg
# debian8 is using this file instead:
less /var/log/kern.log
# suse12 / Centos7 is NOT the ringbuffer
less /var/log/boot.log
[ OK ] Started udev Kernel Device Manager.
[ OK ] Found device Virtual_Disk 3.
Starting File System Check on /dev/disk/by-uuid/986b9f95-b3a1-441e-92a4-98b7a500166b…
[ OK ] Found device Virtual_Disk 2.
Mounting /srv…
Mounting /tmp…
Mounting /var/crash…
Mounting /.snapshots…
Mounting /boot/grub2/x86_64-efi…
Mounting /var/cache…
Mounting /var/tmp…
Mounting /var/log…
…
[/cc]
manpages: mostly the same – but still a little different 😀 (if you have strange artifacts in Firefox go View -> Text-Encoding -> Unicode)
example files:
general
list log files so that the most recently changed files are at the bottom
[cc lang="bash" escaped="true" width="600"]
ls -rtlh --color=auto /var/log/
[/cc]
the general output log for all 3 distros is:
[cc lang="bash" escaped="true" width="600"]
less /var/log/messages; # Shift+G goes to END of file
[/cc]
example files:
logging logins
there is a binary file on all 3 distros /var/log/lastlog
that can be viewed with
[cc lang="bash" escaped="true" width="600"]
last; # reads the login records in /var/log/wtmp (the lastlog command reads /var/log/lastlog)
user pts/0 172.20.0.7 Tue May 16 12:20 still logged in
user console :0 Tue May 16 12:16 still logged in
user :0 :0 Tue May 16 12:16 still logged in
reboot system boot 4.4.21-69-defaul Tue May 16 14:15 - 15:25 (01:09)
root tty1 Tue May 16 11:10 - 11:10 (00:00)
user pts/0 172.20.0.7 Tue May 16 10:09 - 11:10 (01:00)
…
[/cc]
there are additional log files:
[cc lang="bash" escaped="true" width="600"]
# CentOS7
[root@centos ~]# tail -f /var/log/secure
May 16 12:31:46 centos groupadd[2407]: new group: name=vnstat, GID=994
May 16 12:31:46 centos useradd[2412]: new user: name=vnstat, UID=996, GID=994, home=/var/lib/vnstat, shell=/sbin/nologin
May 16 15:20:29 centos sshd[2613]: reverse mapping checking getaddrinfo for pc0032.domainname.local [172.20.0.7] failed - POSSIBLE BREAK-IN ATTEMPT!
May 16 15:20:29 centos sshd[2613]: Accepted password for user from 172.20.0.7 port 51737 ssh2
May 16 15:20:29 centos sshd[2613]: pam_unix(sshd:session): session opened for user user by (uid=0)
May 16 15:20:33 centos sshd[2613]: pam_unix(sshd:session): session closed for user user
May 16 15:21:17 centos sshd[2634]: reverse mapping checking getaddrinfo for pc0032.domainname.local [172.20.0.7] failed - POSSIBLE BREAK-IN ATTEMPT!
May 16 15:21:17 centos sshd[2634]: Accepted password for user from 172.20.0.7 port 51744 ssh2
May 16 15:21:17 centos sshd[2634]: pam_unix(sshd:session): session opened for user user by (uid=0)
May 16 15:21:18 centos sshd[2634]: pam_unix(sshd:session): session closed for user user
# Debian8
root@debian:~# tail -f /var/log/auth.log
May 16 15:08:51 debian su[3292]: + /dev/pts/0 user:root
May 16 15:08:51 debian su[3292]: pam_unix(su:session): session opened for user root by user(uid=1000)
May 16 15:17:01 debian CRON[3311]: pam_unix(cron:session): session opened for user root by (uid=0)
May 16 15:17:01 debian CRON[3311]: pam_unix(cron:session): session closed for user root
May 16 15:22:38 debian sshd[3346]: reverse mapping checking getaddrinfo for pc0032.domainname.local [172.20.0.7] failed - POSSIBLE BREAK-IN ATTEMPT!
May 16 15:22:38 debian sshd[3346]: Accepted password for user from 172.20.0.7 port 51763 ssh2
May 16 15:22:38 debian sshd[3346]: pam_unix(sshd:session): session opened for user user by (uid=0)
May 16 15:22:38 debian systemd-logind[620]: New session 17 of user user.
May 16 15:22:40 debian sshd[3346]: pam_unix(sshd:session): session closed for user user
May 16 15:22:40 debian systemd-logind[620]: Removed session 17.
[/cc]
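The sshd lines above can be tallied per source address. This is an added example, not part of the original article: the function names `sample_log` and `ssh_summary` and the 192.0.2.44 / "Failed password" lines are constructed for illustration, and the input is assumed to be the plain syslog text format shown in /var/log/secure and /var/log/auth.log.

```bash
# Added example: per-source-IP tally of sshd events from /var/log/secure
# (CentOS7) or /var/log/auth.log (Debian8). Function names are hypothetical.

# Constructed sample input, modelled on the log lines shown above.
sample_log() {
cat <<'EOF'
May 16 15:20:29 centos sshd[2613]: reverse mapping checking getaddrinfo for pc0032.domainname.local [172.20.0.7] failed - POSSIBLE BREAK-IN ATTEMPT!
May 16 15:20:29 centos sshd[2613]: Accepted password for user from 172.20.0.7 port 51737 ssh2
May 16 15:21:17 centos sshd[2634]: Accepted password for user from 172.20.0.7 port 51744 ssh2
May 16 15:25:02 centos sshd[2701]: Failed password for root from 192.0.2.44 port 40022 ssh2
May 16 15:25:05 centos sshd[2701]: Failed password for invalid user admin from 192.0.2.44 port 40022 ssh2
May 16 15:25:09 centos sshd[2703]: Failed password for root from 192.0.2.44 port 40031 ssh2
May 16 15:17:01 debian CRON[3311]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
}

# ssh_summary [FILE...]: reads auth log lines (stdin when no file is given)
# and prints one line per source IP: "IP accepted=N failed=N revmap=N".
ssh_summary() {
  awk '
    # Source address = token after the LAST "from"; the user name logged
    # before it is supplied by the client and may contain the word "from".
    function src(   i) {
      for (i = NF; i > 1; i--) if ($(i - 1) == "from") return $i
      return "?"
    }
    / sshd\[[0-9]+\]: Accepted [^ ]+ for / { ip = src(); acc[ip]++;  seen[ip] = 1; next }
    / sshd\[[0-9]+\]: Failed [^ ]+ for /   { ip = src(); fail[ip]++; seen[ip] = 1; next }
    / sshd\[[0-9]+\]: reverse mapping / && match($0, /\[[0-9a-fA-F.:]+\] failed/) {
      ip = substr($0, RSTART + 1, RLENGTH - 9)   # strip "[" and "] failed"
      rev[ip]++; seen[ip] = 1
    }
    END {
      for (ip in seen)
        printf "%s accepted=%d failed=%d revmap=%d\n", ip, acc[ip], fail[ip], rev[ip]
    }
  ' "$@" | LC_ALL=C sort
}

# Demo on the constructed sample; on a real host pass the log file instead,
# e.g. ssh_summary /var/log/secure
sample_log | ssh_summary
```

An address with many `failed` and no `accepted` entries is the one to look at first; a `revmap` count next to successful logins from an internal address, as in the logs above, is worth checking against the DNS records for that host.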
logrotate:
the process of checking on log files and moving them into separate files – if they become bigger than the set file-size limit.
config files:
[cc lang="bash" escaped="true" width="600"]
# Debian8
less /etc/logrotate.conf
# Suse12 / Centos7
less /etc/logrotate.d/syslog
[/cc]
you can view the old compressed log files with vim (automatically decompresses it)
[cc lang="bash" escaped="true" width="600"]
suse:~ # ll /var/log/*.xz
-rw-r----- 1 root root 358920 5. Mai 10:00 /var/log/messages-20170505.xz
-rw-r----- 1 root root 255304 11. Mai 10:15 /var/log/messages-20170511.xz
vim /var/log/messages-20170511.xz; # view compressed old log
[/cc]
example files:
manpages:
off topic:
it seems the time-service of suse12 is adjusting its time every 5 seconds… i wonder if that is really necessary 😀
2017-05-11T12:32:33.431742+02:00 suse systemd[1745]: Time has been changed
2017-05-11T12:32:38.432311+02:00 suse systemd[1745]: Time has been changed
2017-05-11T12:32:38.432541+02:00 suse systemd[1]: Time has been changed
2017-05-11T12:32:43.438919+02:00 suse systemd[1]: Time has been changed
2017-05-11T12:32:43.439282+02:00 suse systemd[1745]: Time has been changed
2017-05-11T12:32:48.438992+02:00 suse systemd[1745]: Time has been changed