Wise people learn when they can; fools learn when they must - Arthur Wellesley

Saturday, 4 August 2018

LINUX- 32 LINUX LOGS (RHEL-7) P2




LINUX LOGS AND THEIR SIGNIFICANCE


We are still under /var/log. Almost all the individual log files have been covered, so now it is time for the subdirectories under /var/log.

SUBDIRECTORIES UNDER /VAR/LOG


[root@rhel7-server log]# ls -ltr | grep "^d"
drwx------. 2 root   root                  6 Jan 27  2014 ppp
drwx------. 2 root   root                  6 Jan 27  2014 speech-dispatcher
drwxr-xr-x. 2 chrony chrony                6 Feb  5  2014 chrony
drwxr-xr-x. 2 root   root                  6 Apr  2  2014 qemu-ga
drwxr-xr-x. 3 root   root                 17 Nov 12  2017 pluto
drwx------. 3 root   root                 16 Nov 12  2017 samba
drwx------. 5 root   root                 37 Nov 12  2017 libvirt
drwxr-xr-x. 2 root   root               4096 Nov 12  2017 anaconda
drwxr-xr-x. 2 root   root                 22 Nov 18  2017 tuned
drwxr-sr-x. 3 root   systemd-journal      45 May 13 16:54 journal
drwxr-xr-x. 2 root   root               4096 Jul 15 13:30 sa
drwxr-x---. 2 root   root                 40 Jul 22 15:51 audit
drwx--x--x. 2 root   gdm                4096 Jul 28 19:07 gdm
drwx------. 2 root   root               4096 Jul 29 14:33 httpd
drwxr-xr-x. 2 root   root               4096 Jul 29 14:33 rhsm
drwxr-xr-x. 2 lp     sys                4096 Jul 29 16:53 cups

/var/log/cups

The Common Unix Printing System (CUPS) uses the default log file /var/log/cups/error_log to store informational and error messages.
We already covered this in the previous post.

/var/log/httpd

Contains the Apache web server access_log and error_log, plus the logs of any virtual hosts that are set up to log here. The error_log contains all errors encountered by httpd, including memory issues and other system-related errors. The access_log contains a record of all requests received over HTTP.

[root@rhel7-server log]# cd /var/log/httpd/
[root@rhel7-server httpd]# ls -ltr
total 12
-rw-r--r--. 1 root root  605 Jul 22 17:52 access_log-20180729
-rw-r--r--. 1 root root    0 Jul 22 17:52 www.test.com-error_log
-rw-r--r--. 1 root root 2098 Jul 22 17:52 error_log-20180729
-rw-r--r--. 1 root root  154 Jul 22 17:53 www.test.com-access_log-20180729
-rw-r--r--. 1 root root    0 Jul 29 14:33 www.test.com-access_log
-rw-r--r--. 1 root root    0 Jul 29 14:33 error_log
-rw-r--r--. 1 root root    0 Jul 29 14:33 access_log

[root@rhel7-server httpd]# cat error_log
[root@rhel7-server httpd]# cat access_log
[root@rhel7-server httpd]# cat access_log-20180729
::1 - - [22/Jul/2018:17:52:10 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (Red Hat) (internal dummy connection)"
::1 - - [22/Jul/2018:17:52:10 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (Red Hat) (internal dummy connection)"
::1 - - [22/Jul/2018:17:52:10 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (Red Hat) (internal dummy connection)"
::1 - - [22/Jul/2018:17:52:10 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (Red Hat) (internal dummy connection)"
::1 - - [22/Jul/2018:17:52:10 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (Red Hat) (internal dummy connection)"

[root@rhel7-server httpd]# cat error_log-20180729 |tail -5
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
[Sun Jul 22 17:52:12.001226 2018] [auth_digest:notice] [pid 12965] AH01757: generating secret for digest authentication ...
[Sun Jul 22 17:52:12.002109 2018] [lbmethod_heartbeat:notice] [pid 12965] AH02282: No slotmem from mod_heartmonitor
[Sun Jul 22 17:52:12.003941 2018] [mpm_prefork:notice] [pid 12965] AH00163: Apache/2.4.6 (Red Hat) configured -- resuming normal operations
[Sun Jul 22 17:52:12.003970 2018] [core:notice] [pid 12965] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
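As an added example (not part of the original post), here is a small parser for the combined-format access_log lines shown above. It separates httpd's own "internal dummy connection" probes (which is all the listing above contains) from real client traffic and counts requests and 4xx/5xx responses per client; the client request lines in the sample are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" LogFormat, the layout of the access_log lines shown above:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')


def parse_access_line(line):
    """Return one access_log line as a dict, or None if it is not combined format."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])   # "-" means no body
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    parts = rec["request"].split(" ")
    rec["method"], rec["path"] = (parts[0], parts[1]) if len(parts) >= 2 else (rec["request"], "")
    # httpd's own keep-alive probes (the ::1 "OPTIONS *" lines above) are not client traffic
    rec["dummy"] = "internal dummy connection" in rec["agent"]
    return rec


def summarise(lines):
    """Per-client request and 4xx/5xx counts; dummy connections and lines that do
    not parse are counted separately rather than silently dropped."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0})
    dummy = unparsed = 0
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["dummy"]:
            dummy += 1
            continue
        stats[rec["host"]]["requests"] += 1
        if rec["status"] >= 400:
            stats[rec["host"]]["errors"] += 1
    return dict(stats), dummy, unparsed


# Constructed sample: the first line is the dummy-connection entry from the listing
# above; the requests from 192.168.135.1 and the last line are made up for this example.
SAMPLE = [
    '::1 - - [22/Jul/2018:17:52:10 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (Red Hat) (internal dummy connection)"',
    '192.168.135.1 - - [22/Jul/2018:17:53:02 +0530] "GET / HTTP/1.1" 200 4897 "-" "Mozilla/5.0 (constructed)"',
    '192.168.135.1 - - [22/Jul/2018:17:53:05 +0530] "GET /missing.html HTTP/1.1" 404 209 "-" "Mozilla/5.0 (constructed)"',
    '192.168.135.1 - - [22/Jul/2018:17:53:09 +0530] "GET /private/ HTTP/1.1" 403 213 "-" "Mozilla/5.0 (constructed)"',
    'this line is not in combined format',
]

if __name__ == "__main__":
    for rec in filter(None, map(parse_access_line, SAMPLE)):
        print(rec["time"].isoformat(), rec["host"], rec["method"], rec["path"], rec["status"])
    print(summarise(SAMPLE))
```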

/var/log/samba

Contains the logs written by Samba, which is used to connect Windows and Linux systems.
Samba, the Server Message Block (SMB) server, is widely used for sharing files between Linux computers and other computers that support the SMB protocol. Samba keeps three distinct types of logs in the subdirectory /var/log/samba:

log.nmbd - messages related to Samba's NETBIOS over IP functionality (the network stuff)

log.smbd - messages related to Samba's SMB/CIFS functionality (the file and print sharing stuff)

log.[IP_ADDRESS] - messages related to requests for services from the IP address contained in the log file name

I do not have Samba configured right now, hence no logs to show.

/var/log/anaconda

All installation-related messages are stored here while Linux is being installed.

[root@rhel7-server anaconda]# ls -ltr
total 980
-rw-------. 1 root root  47779 Nov 12  2017 anaconda.log
-rw-------. 1 root root 196852 Nov 12  2017 syslog
-rw-------. 1 root root  23027 Nov 12  2017 anaconda.xlog
-rw-------. 1 root root  30861 Nov 12  2017 anaconda.program.log
-rw-------. 1 root root 533412 Nov 12  2017 anaconda.packaging.log
-rw-------. 1 root root 150835 Nov 12  2017 anaconda.storage.log
-rw-------. 1 root root   4200 Nov 12  2017 anaconda.ifcfg.log
-rw-------. 1 root root      0 Nov 12  2017 ks-script-yZrbLH.log
-rw-------. 1 root root      0 Nov 12  2017 ks-script-Li3vEs.log
-rw-------. 1 root root      0 Nov 12  2017 ks-script-cwp0j8.log



anaconda.ifcfg.log = Records messages related to network interfaces.
anaconda.log = Records informational, debug and other general messages.
syslog = Records messages related to the kernel.
anaconda.xlog = Records messages related to the X window system.
anaconda.packaging.log = Records messages related to yum & rpm commands during package installation.
anaconda.program.log = Records messages generated by external programs.
anaconda.storage.log = Records messages related to storage modules.
ks-script-yZrbLH.log = Contains logs from kickstart installation scripts.

/var/log/sa

Contains the daily System Activity Report “sar” files that are collected by the sysstat package.

[root@rhel7-server ~]# cd /var/log/sa
[root@rhel7-server sa]# ls -ltr |tail -5
-rw-r--r--. 1 root root 88736 Jul 15 19:10 sa15
-rw-r--r--. 1 root root 75824 Jul 21 19:40 sa21
-rw-r--r--. 1 root root 82976 Jul 22 18:20 sa22
-rw-r--r--. 1 root root 64016 Jul 28 19:10 sa28
-rw-r--r--. 1 root root 79808 Jul 29 18:00 sa29

[root@rhel7-server sa]# sar -f sa29
Linux 3.10.0-121.el7.x86_64 (rhel7-server)      07/29/2018      _x86_64_        (1 CPU)

02:00:01 PM     CPU     %user     %nice   %system   %iowait    %steal     %idle
02:10:01 PM     all      0.26      0.00      0.18      0.00      0.00     99.55
02:20:01 PM     all      0.21      0.00      0.16      0.01      0.00     99.62
02:30:01 PM     all      0.24      0.00      0.18      0.01      0.00     99.56
02:40:01 PM     all      0.22      0.07      0.26      0.17      0.00     99.29
02:50:01 PM     all      0.22      0.00      0.16      0.00      0.00     99.62
03:00:01 PM     all      0.22      0.00      0.18      0.02      0.00     99.59
03:10:01 PM     all      0.29      0.00      0.20      0.00      0.00     99.51

In future I will write a post regarding importance and benefits of SAR.

/var/log/audit

Contains the records written by the Linux audit daemon (auditd), including which users performed reads and writes on the audited objects.

[root@rhel7-server ~]# cd /var/log/audit/
[root@rhel7-server audit]# ls -ltr
total 7844
-r--------. 1 root root 6291746 Jul 22 15:51 audit.log.1
-rw-------. 1 root root 1727620 Jul 29 18:01 audit.log

[root@rhel7-server audit]# tail -5 audit.log
type=LOGIN msg=audit(1532867461.226:2150): pid=9447 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 old-ses=4294967295 ses=78 res=1
type=USER_START msg=audit(1532867461.240:2151): pid=9447 uid=0 auid=0 ses=78 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1532867461.240:2152): pid=9447 uid=0 auid=0 ses=78 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1532867461.267:2153): pid=9447 uid=0 auid=0 ses=78 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1532867461.270:2154): pid=9447 uid=0 auid=0 ses=78 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
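The five lines above are one complete cron session (ses=78) for root: LOGIN, the PAM session open, two credential records, and the session close. As an added example (not from the post), this parser turns the type=… msg=audit(seconds:serial): key=value format into dicts, unpacks the nested msg='…' PAM block, and reconstructs sessions by their ses id so that who logged in, through what, for how long and whether anything failed can be read off directly; the sample is those five lines copied from the tail above.

```python
import re
from datetime import datetime, timezone

# type=... msg=audit(SECONDS.MILLIS:SERIAL): key=value ...
HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\): (.*)$")
# key=value pairs; a value is "quoted", 'quoted' or bare (no whitespace)
KV_RE = re.compile(r"""(\S+?)=("[^"]*"|'[^']*'|\S*)""")


def parse_fields(text):
    fields = {}
    for key, val in KV_RE.findall(text):
        if val[:1] in ("'", '"') and val[-1:] == val[:1]:
            val = val[1:-1]
        if key == "msg":
            # PAM records nest a second key=value list inside msg='...'
            fields.update(parse_fields(val))
        else:
            fields[key] = val
    return fields


def parse_audit_line(line):
    """One audit.log line -> dict with type, serial, epoch time and all fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, sec, msec, serial, rest = m.groups()
    rec = {"type": rtype, "serial": int(serial), "time": float(f"{sec}.{msec}")}
    rec.update(parse_fields(rest))
    return rec


def when(rec):
    """Audit timestamps are epoch seconds; render them as UTC ISO-8601."""
    return datetime.fromtimestamp(int(rec["time"]), timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def reconstruct_sessions(lines):
    """Group records by audit session id (ses): who (acct/auid), through what
    (exe/terminal), when it opened and closed, and whether any record failed."""
    sessions = {}
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None or "ses" not in rec:
            continue
        s = sessions.setdefault(rec["ses"], {"events": [], "failures": 0})
        s["events"].append(rec["type"])
        if rec["type"] == "USER_START":
            s.update(start=rec["time"], acct=rec.get("acct"), auid=rec.get("auid"),
                     exe=rec.get("exe"), terminal=rec.get("terminal"))
        elif rec["type"] == "USER_END":
            s["end"] = rec["time"]
        if rec.get("res") in ("failed", "0"):   # PAM records say success/failed, LOGIN says 1/0
            s["failures"] += 1
    for s in sessions.values():
        if "start" in s and "end" in s:
            s["duration"] = round(s["end"] - s["start"], 3)
    return sessions


# Sample input: the five audit.log lines shown above (one cron session for root, ses=78).
SAMPLE = """\
type=LOGIN msg=audit(1532867461.226:2150): pid=9447 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 old-ses=4294967295 ses=78 res=1
type=USER_START msg=audit(1532867461.240:2151): pid=9447 uid=0 auid=0 ses=78 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1532867461.240:2152): pid=9447 uid=0 auid=0 ses=78 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1532867461.267:2153): pid=9447 uid=0 auid=0 ses=78 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1532867461.270:2154): pid=9447 uid=0 auid=0 ses=78 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
""".splitlines()

if __name__ == "__main__":
    for ses, s in reconstruct_sessions(SAMPLE).items():
        print(ses, when(parse_audit_line(SAMPLE[0])), s)
```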

/var/log/rhsm

There are two log files maintained for Red Hat Subscription Manager in the /var/log/rhsm directory:

rhsm.log = shows every invocation and result of running Subscription Manager in either the user interface or the command line
rhsmcertd.log = shows every time a new certificate is generated, which happens on a schedule defined by the cert

[root@rhel7-server ~]# cd /var/log/rhsm/
[root@rhel7-server rhsm]# ls -l
total 36
-rw-r--r--. 1 root root    0 Jul 29 14:33 rhsmcertd.log
-rw-r--r--. 1 root root   96 Jun 23 16:47 rhsmcertd.log-20180714
-rw-r--r--. 1 root root   96 Jul 15 13:49 rhsmcertd.log-20180715
-rw-r--r--. 1 root root  675 Jul 21 17:16 rhsmcertd.log-20180722
-rw-r--r--. 1 root root  709 Jul 29 14:28 rhsmcertd.log-20180729
-rw-r--r--. 1 root root  406 Jul 29 14:33 rhsm.log
-rw-r--r--. 1 root root  591 Jun 23 16:47 rhsm.log-20180714
-rw-r--r--. 1 root root  997 Jul 15 13:49 rhsm.log-20180715
-rw-r--r--. 1 root root 2265 Jul 21 17:16 rhsm.log-20180722
-rw-r--r--. 1 root root 2656 Jul 29 14:28 rhsm.log-20180729

[root@rhel7-server rhsm]# tail -5 rhsm.log
2018-07-29 14:33:03,827 [INFO] rhsmd @rhsmd:193 - rhsmd started
2018-07-29 14:33:03,828 [INFO] rhsmd @rhsmd:224 - logging subscription status to syslog
2018-07-29 14:33:03,904 [INFO] rhsmd @rhsmd:186 - rhsmd: In order for Subscription Manager to provide your system with updates, your system must be registered with the Customer Portal. Please enter your Red Hat login to ensure your system is up-to-date.

[root@rhel7-server rhsm]# tail -5 rhsmcertd.log
[root@rhel7-server rhsm]# tail -5 rhsmcertd.log-20180714
Sat Jun 23 16:47:00 2018 [WARN] (Cert Check) Update failed (255), retry will occur on next run.

/var/log/gdm

GNOME Display Manager (gdm) logs live here; which directory you see depends on the display manager the system uses. I am using GNOME here, which is why it records all messages related to the GNOME display.


[root@rhel7-server ~]# cd /var/log/gdm
[root@rhel7-server gdm]# ls -ltrh
total 192K
-rw-r--r--. 1 root root 13K Jul 28 19:05 :4.log
-rw-r--r--. 1 root root 13K Jul 28 19:05 :5.log
-rw-r--r--. 1 root root 24K Jul 28 19:05 :0.log.2
-rw-r--r--. 1 root root 24K Jul 28 19:07 :0.log

[root@rhel7-server gdm]# tail -5 :0.log
(II) vmware(0): Modeline "1856x1392"x60.0  218.25  1856 1952 2176 2528  1392 1393 1396 1439 -hsync +vsync (86.3 kHz e)
(II) vmware(0): Modeline "1920x1200"x59.9  193.25  1920 2056 2256 2592  1200 1203 1209 1245 -hsync +vsync (74.6 kHz e)
(II) vmware(0): Modeline "1920x1440"x60.0  234.00  1920 2048 2256 2600  1440 1441 1444 1500 -hsync +vsync (90.0 kHz e)
(II) vmware(0): Modeline "2560x1600"x60.0  348.50  2560 2752 3032 3504  1600 1603 1609 1658 -hsync +vsync (99.5 kHz e)
(II) vmware(0): Modeline "1280x768"x60.0   78.76  1280 1330 1380 1430  768 818 868 918 -hsync +vsync (55.1 kHz eP)

/var/log/journal

You can check my previous posts about “Journal”. It is covered there in great detail.


systemd-journald is a system service that collects and stores logging data. It creates and maintains structured, indexed journals based on logging information received from a variety of sources.

What is “systemd-journald” doing for us?

·       Kernel and daemon process log management
·       Collecting alerts generated during boot
·       Syslog and initial RAM disk message management
·       Log messages are stored in a “binary” format in files called “journals”
·       To view journal logs we use the “journalctl” command
·       journalctl reads its log information from journald
·       Located under /run/log/journal
·       Persistent storage under /var/log/journal is not enabled by default
·       It collects information from different sources and loads the messages into the journal
·       The journal starts before the file systems are mounted

[root@rhel7-server ~]# cd /var/log/journal/
[root@rhel7-server journal]# ls -l
total 4
drwxr-sr-x. 2 root systemd-journal 4096 Jul 29 15:59 d576823ceabd4711959e4f1dca3f9d3f

[root@rhel7-server journal]# cd d576823ceabd4711959e4f1dca3f9d3f/

[root@rhel7-server d576823ceabd4711959e4f1dca3f9d3f]# ls -l
total 57364
-rw-r-----. 1 root root            25165824 Jul 28 21:22 system@0005721135902be8-1cd9b8cb6f276e51.journal~
-rw-r-----. 1 root systemd-journal  8388608 Jul 29 18:25 system.journal
-rw-r-----+ 1 root systemd-journal  8388608 Jul 29 13:52 user-42.journal
-rw-r-----+ 1 root systemd-journal  8388608 Jul 29 15:57 user-5000.journal
-rw-r-----+ 1 root systemd-journal  8388608 Jul 29 16:37 user-5002.journal

[root@rhel7-server ~]# journalctl |tail -5
Jul 29 18:20:01 rhel7-server systemd[1]: Started Session 80 of user root.
Jul 29 18:20:01 rhel7-server CROND[9650]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Jul 29 18:30:01 rhel7-server systemd[1]: Starting Session 81 of user root.
Jul 29 18:30:01 rhel7-server systemd[1]: Started Session 81 of user root.
Jul 29 18:30:01 rhel7-server CROND[9741]: (root) CMD (/usr/lib64/sa/sa1 1 1)

/var/log/tuned

Tuned is a dynamic adaptive system tuning daemon that tunes system settings dynamically depending on usage. It is a profile-based system tuning tool that uses the udev device manager to monitor connected devices and enables both static and dynamic tuning of system settings.
/var/log/tuned records newly tuned configuration messages.

[root@rhel7-server ~]# cd /var/log/tuned/
[root@rhel7-server tuned]# ls -l
total 20
-rw-r--r--. 1 root root 16596 Jul 28 15:53 tuned.log

[root@rhel7-server tuned]# tail -5 tuned.log
2018-07-28 15:53:09,295 WARNING  tuned.plugins.plugin_cpu: your CPU doesn't support MSR_IA32_ENERGY_PERF_BIAS, ignoring CPU energy performance bias
2018-07-28 15:53:09,399 ERROR    tuned.utils.commands: Executing cpupower error: analyzing CPU 0:
2018-07-28 15:53:09,400 ERROR    tuned.plugins.plugin_cpu: could not get current governor on cpu 'cpu0'
2018-07-28 15:53:09,400 ERROR    tuned.utils.commands: Reading /sys/devices/system/cpu/cpu0/cpufreq/scaling_available_governors error: [Errno 2] No such file or directory: u'/sys/devices/system/cpu/cpu0/cpufreq/scaling_available_governors'
2018-07-28 15:53:09,400 INFO     tuned.plugins.plugin_cpu: ignoring governor 'performance' on cpu 'cpu0', it is not supported

/var/log/libvirt

Libvirt is a collection of software that provides a convenient way to manage virtual machines and other virtualization functionality, such as storage and network interface management. These pieces include a long-term stable C API, a daemon (libvirtd), and a command line utility (virsh). A primary goal of libvirt is to provide a single way to manage multiple different virtualization providers/hypervisors, such as KVM/QEMU, Xen, LXC, OpenVZ or VirtualBox (among others).

Libvirt has included logging facilities since version 0.6.0; these complement the error handling mechanism and APIs and allow tracing through the execution of the library as well as of the libvirtd daemon.
Debugging libvirt-related problems can be tricky, since the issue might be caused by a GUI application, the library, libvirtd or the hypervisor itself.

[root@rhel7-server ~]# cd /var/log/libvirt/
[root@rhel7-server libvirt]# ls -l
total 0
drwx------. 2 root root 6 Mar 24  2014 lxc
drwx------. 2 root root 6 Mar 24  2014 qemu
drwx------. 2 root root 6 Mar 24  2014 uml

This machine is itself a VM, so there are no logs here.

/var/log/qemu-ga

The qemu-guest-agent is a helper daemon installed in the guest. It is used to exchange information between the host and the guest, and to execute commands in the guest.

[root@rhel7-server log]# cd qemu-ga
[root@rhel7-server qemu-ga]# ls -l
total 0

This machine is itself a VM, so there are no logs here.


/var/log/chrony

chrony is an implementation of NTP, and its logs are stored here.

[root@rhel7-server ~]# cd /var/log/chrony/
[root@rhel7-server chrony]# ls -l
total 0

I do not have NTP configured, so there are no logs here.

/var/log/speech-dispatcher

speech-dispatcher is a server process that is responsible for transforming requests for text-to-speech output into actual speech audible through the speakers. It arbitrates concurrent speech requests based on message priorities, and abstracts different speech synthesizers. Client programs, like screen readers or navigation software, send speech requests to speech-dispatcher over TCP (with the help of client libraries). speech-dispatcher is usually started automatically by the client libraries (autospawn), so you only need to run it manually when testing or debugging, or when a special setup is explicitly needed.

I am not using this, so there are no logs to display.

/var/log/ppp

Ref:
https://www.tldp.org/HOWTO/PPP-HOWTO/c44.html

PPP (the Point-to-Point Protocol) is a data link protocol commonly used to establish a direct connection between two nodes over a serial cable, phone line, trunk line, cellular telephone, specialized radio link, or fiber optic link. If you access the Internet through a modem connected to a dial-up phone line (including mobile modems), then the connection is negotiated using PPP. Some VPNs also use PPP.

A PPP interface is managed by the PPP daemon (pppd) provided by the ppp package.

Using PPP, you can connect your Linux PC to a PPP server and access the resources of the network to which the server is connected (almost) as if you were directly connected to that network.

You can also set up your Linux PC as a PPP server, so that other computers can dial into your computer and access the resources on your local PC and/or network.
PPP is strictly a peer to peer protocol; there is (technically) no difference between the machine that dials in and the machine that is dialed into. However, for clarity's sake, it is useful to think in terms of servers and clients.

When you dial into a site to establish a PPP connection, you are a client. The machine to which you connect is the server.

When you are setting up a Linux box to receive and handle dial-in PPP connections, you are setting up a PPP server.

[root@rhel7-server ~]# cd /var/log/ppp
There are no files inside, so where are the logs stored?

[root@rhel7-server ppp]# grep ppd /var/log/messages
Aug  4 13:20:55 rhel7-server pppd[10687]: pppd 2.4.5 started by root, uid 0
Aug  4 13:21:00 rhel7-server pppd[10687]: Couldn't set tty to PPP discipline: Device or resource busy
Aug  4 13:21:00 rhel7-server pppd[10687]: Exit.

I want my debug logs under /var/log/ppp

[root@rhel7-server ppp]# touch pppdebug

[root@rhel7-server ppp]# vi /etc/rsyslog.conf

daemon.debug;local2.debug     /var/log/ppp/pppdebug
# above line inserted at the end of the RULES section.

[root@rhel7-server ~]# systemctl restart rsyslog

[root@rhel7-server ppp]# pppd debug call wvdial

“wvdial” is a peer name, and the peer name must be the name of a file in the /etc/ppp/peers directory.

[root@rhel7-server ppp]# tail -f pppdebug
Aug  4 13:44:59 rhel7-server pppd[11149]: pppd 2.4.5 started by root, uid 0
Aug  4 13:45:04 rhel7-server pppd[11149]: Couldn't set tty to PPP discipline: Device or resource busy
Aug  4 13:45:04 rhel7-server pppd[11149]: Exit.



NON-HUMAN READABLE LOGS:

Well, this is interesting. Just try to cat these files and see the output.

/var/log/lastlog: last logins for all users. = lastlog
/var/log/wtmp: login/logout/reboot history. = last -f /var/log/wtmp
/var/log/btmp: failed login attempts. = lastb
/var/run/utmp: currently logged in users = who

Some Linux logs are binary files which need to be parsed by another application specifically designed for viewing them.

/var/log/lastlog

The last-logins log is not meant to be parsed and examined by humans directly; it should be read with the “lastlog” command.

[root@rhel7-server log]# lastlog |tail -5
test1            pts/61   192.168.135.1    Sat May 12 19:07:30 +0530 2018
test2            pts/1                     Sun Apr 22 16:32:55 +0530 2018
user1                                      **Never logged in**
user2                                      **Never logged in**
apache                                     **Never logged in**


/var/log/wtmp

Contains login records. Using wtmp we can find out who logged in to and out of the system. We can also find out the reboot times from it.

[root@rhel7-server log]# last -f wtmp |head -10
root     pts/3                         Sun Jul 29 15:06   still logged in
root     pts/2        192.168.135.1    Sun Jul 29 15:06   still logged in
root     pts/1                         Sun Jul 29 13:54   still logged in
root     pts/0        192.168.135.1    Sun Jul 29 13:54   still logged in
(unknown              192.168.135.1:1  Sat Jul 28 19:07   still logged in
(unknown :0           :0               Sat Jul 28 19:07   still logged in
root     pts/3                         Sat Jul 28 17:15 - 15:06  (21:50)
root     pts/2        192.168.135.1    Sat Jul 28 17:15 - 14:01  (20:46)
root     pts/1                         Sat Jul 28 17:13 - 13:54  (20:40)
root     pts/0        192.168.135.1    Sat Jul 28 17:13 - 19:15  (02:01)

We can see that a few sessions are still logged in and a few have logged out. Their login and logout times are recorded.

[root@rhel7-server log]# last -f /var/log/wtmp |grep reboot
reboot   system boot  3.10.0-121.el7.x Sat Jul 28 21:21 - 15:33  (18:11)
reboot   system boot  3.10.0-121.el7.x Sat Jul 21 22:42 - 15:33 (7+16:51)
reboot   system boot  3.10.0-121.el7.x Sat Jun 23 18:15 - 17:13 (27+22:57)
reboot   system boot  3.10.0-121.el7.x Sun May 20 21:26 - 17:13 (61+19:46)
reboot   system boot  3.10.0-121.el7.x Sun May 20 00:18 - 15:56  (15:38)
reboot   system boot  3.10.0-121.el7.x Sun May 20 00:12 - 00:14  (00:02)
reboot   system boot  3.10.0-121.el7.x Sun May 20 00:10 - 18:43  (-5:-27)
reboot   system boot  3.10.0-121.el7.x Sun May 20 00:09 - 18:41  (-5:-28)
reboot   system boot  3.10.0-121.el7.x Sat May 19 23:37 - 18:09  (-5:-27)
reboot   system boot  3.10.0-121.el7.x Sat Nov 25 21:45 - 15:41 (174+17:56)
reboot   system boot  3.10.0-121.el7.x Sat Nov 18 22:56 - 15:41 (181+16:45)
reboot   system boot  3.10.0-121.el7.x Sat Nov 18 22:53 - 17:26  (-5:-26)

/var/log/btmp

All bad/failed login attempts are recorded here. To read it, we can use either “last -f /var/log/btmp” or “lastb”.

[root@rhel7-server log]# last -f /var/log/btmp |head -5
user1    ssh:notty    192.168.135.1    Sun Jul 29 15:24    gone - no logout
test1    ssh:notty    192.168.135.1    Sun Jul 29 15:24 - 15:24  (00:00)
anurag   ssh:notty    192.168.135.1    Sun Jul 29 15:24 - 15:24  (00:00)
anurag   ssh:notty    192.168.135.1    Sun Jul 29 15:24 - 15:24  (00:00)
root     ssh:notty    192.168.135.1    Sun Jul 29 15:15 - 15:24  (00:08)

OR

[root@rhel7-server log]# lastb
[root@rhel7-server log]# lastb |head -5
user1    ssh:notty    192.168.135.1    Sun Jul 29 15:24 - 15:24  (00:00)
test1    ssh:notty    192.168.135.1    Sun Jul 29 15:24 - 15:24  (00:00)
anurag   ssh:notty    192.168.135.1    Sun Jul 29 15:24 - 15:24  (00:00)
anurag   ssh:notty    192.168.135.1    Sun Jul 29 15:24 - 15:24  (00:00)
root     ssh:notty    192.168.135.1    Sun Jul 29 15:15 - 15:15  (00:00)

/var/run/utmp

Records the currently logged-in users. The “who” command uses this file to display this information.

[root@rhel7-server log]# who
(unknown) :0           2018-07-28 19:07 (:0)
root     pts/0        2018-07-29 13:54 (192.168.135.1)
root     pts/1        2018-07-29 13:54
root     pts/2        2018-07-29 15:06 (192.168.135.1)
root     pts/3        2018-07-29 15:06
(unknown)              2018-07-28 19:07 (192.168.135.1:1)
user1    pts/4        2018-07-29 15:47 (192.168.135.1)
user1    pts/5        2018-07-29 15:47

[root@rhel7-server log]# last -f /var/run/utmp
user1    pts/5                         Sun Jul 29 15:47   still logged in
user1    pts/4        192.168.135.1    Sun Jul 29 15:47   still logged in
(unknown              192.168.135.1:1  Sat Jul 28 19:07   still logged in
root     pts/3                         Sun Jul 29 15:06   still logged in
root     pts/2        192.168.135.1    Sun Jul 29 15:06   still logged in
root     pts/1                         Sun Jul 29 13:54   still logged in
root     pts/0        192.168.135.1    Sun Jul 29 13:54   still logged in
(unknown :0           :0               Sat Jul 28 19:07   still logged in
reboot   system boot  3.10.0-121.el7.x Sat Jul 28 21:21 - 15:47  (18:25)

utmp begins Sat Jul 28 21:21:55 2018
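To show what last, lastb and who are actually reading, here is an added example (not from the post) that parses the fixed-size records in wtmp, btmp and utmp and then runs a simple burst check over a constructed btmp-style sample, the kind of thing a defender would do with the failed-login output above. It assumes the glibc x86_64 record layout (384 bytes per record) and that failed attempts are written with ut_type LOGIN_PROCESS, as OpenSSH does; the sample records are built in the script and are not real data.

```python
import socket
import struct
from datetime import datetime, timezone

# struct utmp as glibc lays it out on x86_64 Linux (384 bytes per record):
# ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit (2 shorts), ut_session, ut_tv (sec, usec), ut_addr_v6[4], 20 reserved.
# This layout is an assumption of this example; other architectures differ.
UTMP_FMT = "<h2xi32s4s32s256shhiii4I20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)       # 384

BOOT_TIME, LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS = 2, 6, 7, 8
TYPE_NAMES = {BOOT_TIME: "reboot", LOGIN_PROCESS: "login",
              USER_PROCESS: "login", DEAD_PROCESS: "logout"}


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data):
    """Yield one dict per record, as last/lastb/who do when reading these files."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        fields = struct.unpack_from(UTMP_FMT, data, off)
        ut_type, pid, line, _id, user, host, _et, _ee, _ses, sec, _usec, *addr = fields
        rec = {"type": TYPE_NAMES.get(ut_type, str(ut_type)), "pid": pid,
               "line": _cstr(line), "user": _cstr(user), "host": _cstr(host),
               "time": datetime.fromtimestamp(sec, timezone.utc)}
        # an IPv4 peer sits in ut_addr_v6[0] in network byte order, the rest zero
        if addr[0] and not any(addr[1:]):
            rec["addr"] = socket.inet_ntoa(struct.pack("<I", addr[0]))
        yield rec


def make_record(ut_type, pid, line, user, host, ts, ipv4=None):
    """Pack one record (used only to build the constructed sample below)."""
    a0 = struct.unpack("<I", socket.inet_aton(ipv4))[0] if ipv4 else 0
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), line[-4:].encode(),
                       user.encode(), host.encode(), 0, 0, 0, ts, 0, a0, 0, 0, 0)


def failed_logins_by_host(data, window_s=60, threshold=3):
    """btmp analysis: attempts per source, plus sources with `threshold` or more
    attempts inside any `window_s`-second window."""
    by_host = {}
    for rec in parse_utmp(data):
        if rec["type"] != "login":          # btmp holds only failed attempts
            continue
        by_host.setdefault(rec.get("addr") or rec["host"], []).append(rec["time"])
    bursts = {}
    for host, times in by_host.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if (t - start).total_seconds() <= window_s)
            if n >= threshold:
                bursts[host] = n
                break
    return {h: len(t) for h, t in by_host.items()}, bursts


# Constructed btmp-style sample: five failures from one host inside 20 seconds
# (the shape of the lastb output above) and one stray failure from elsewhere.
T0 = 1532858040                             # 2018-07-29 09:54:00 UTC (15:24 IST)
SAMPLE_BTMP = b"".join([
    make_record(LOGIN_PROCESS, 9001, "ssh:notty", "root",   "192.168.135.1", T0,       "192.168.135.1"),
    make_record(LOGIN_PROCESS, 9002, "ssh:notty", "anurag", "192.168.135.1", T0 + 5,   "192.168.135.1"),
    make_record(LOGIN_PROCESS, 9003, "ssh:notty", "anurag", "192.168.135.1", T0 + 9,   "192.168.135.1"),
    make_record(LOGIN_PROCESS, 9004, "ssh:notty", "test1",  "192.168.135.1", T0 + 14,  "192.168.135.1"),
    make_record(LOGIN_PROCESS, 9005, "ssh:notty", "user1",  "192.168.135.1", T0 + 20,  "192.168.135.1"),
    make_record(LOGIN_PROCESS, 9100, "ssh:notty", "root",   "10.0.0.7",      T0 + 600, "10.0.0.7"),
])

if __name__ == "__main__":
    for r in parse_utmp(SAMPLE_BTMP):
        print(f"{r['user']:<8} {r['line']:<12} {r['host']:<16} {r['time']:%a %b %d %H:%M}")
    print(failed_logins_by_host(SAMPLE_BTMP))
```

Pointing parse_utmp at the bytes of a real /var/run/utmp or /var/log/btmp gives the same fields that who and lastb print, so the burst check can run over the real file as-is.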

CONT ………………..




