Linux has three main logging subsystems:
(1) connection time logs
(2) process accounting logs
(3) system and service logs
Connection time logs and process accounting logs are driven by the rsyslog logging service (syslog in older releases); system and service logs are driven and managed by the corresponding network services.
Connection time logs
Connection time logs are kept in two files, /var/run/utmp and /var/log/wtmp, which the system updates automatically. These two files cannot be read with cat, but they can be queried with commands such as w, who, ac, finger, last and lastlog. (The field layout of /var/run/utmp is defined in /usr/include/utmp.h; it is worth studying if you are interested.)
The w, who, ac and finger commands mainly read /var/run/utmp; see the examples below.
(1) The w command
# w -help
w: invalid option -- 'e'
usage: w -hlsufV [user]
    -h    skip header
    -l    long listing (default)
    -s    short listing
    -u    ignore uid of processes
    -f    toggle FROM field (default on)
    -V    display version
# w
 21:48:53 up 36 days, 18:04,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
yucz     pts/1    116.6.101.193     21:16    0.00s  0.01s  0.00s sshd: yucz [priv]
(2) The who command shows the currently logged-in users
# who --help
Usage: who [OPTION]... [ FILE | ARG1 ARG2 ]
Print information about users who are currently logged in.

  -a, --all         same as -b -d --login -p -r -t -T -u
  -b, --boot        time of last system boot
  -d, --dead        print dead processes
  -H, --heading     print line of column headings
  -l, --login       print system login processes
      --lookup      attempt to canonicalize hostnames via DNS
  -m                only hostname and user associated with stdin
  -p, --process     print active processes spawned by init
  -q, --count       all login names and number of users logged on
  -r, --runlevel    print current runlevel
  -s, --short       print only name, line, and time (default)
  -t, --time        print last system clock change
  -T, -w, --mesg    add user's message status as +, - or ?
  -u, --users       list users logged in
      --message     same as -T
      --writable    same as -T
      --help        display this help and exit
      --version     output version information and exit
# who
yucz     pts/1        2015-02-25 21:16 (116.6.101.193)
(3) The ac command shows users' connect time
# ac --help
Usage: ac [-dhpVy] [-f <file>] [people] ...
# ac -d root
    Aug  8  total        0.00
    Aug 11  total        5.62
    Aug 12  total        2.21
    Aug 13  total        7.74
(4) The finger command shows a user's connection status and other information
# finger root
Login: root                             Name: root
Directory: /root                        Shell: /bin/bash
Last login Wed Aug 13 03:26 2014 (CDT) on pts/4 from 116.6.101.193
No mail.
No Plan.
The lastb, lastlog and last commands mainly read /var/log/btmp; see the examples below.
(1) The last command shows the login history of users on the local machine, together with system boots and reboots.
# last | tail -10
root     pts/0        116.6.101.193    Tue Aug 12 04:42 - down   (00:49)
root     pts/1        116.6.101.193    Mon Aug 11 21:05 - 23:19  (02:14)
root     pts/1        116.6.101.193    Mon Aug 11 21:02 - 21:04  (00:02)
root     pts/0        116.6.101.193    Mon Aug 11 20:39 - 00:58  (04:19)
reboot   system boot  2.6.32-431.23.3. Fri Aug  8 04:11 - 05:31 (4+01:20)
root     pts/0        10.0.80.185      Fri Aug  8 04:08 - 04:09  (00:00)
reboot   system boot  2.6.32-431.23.3. Fri Aug  8 04:08 - 04:09  (00:01)
reboot   system boot  2.6.32-431.el6.x Thu Aug  7 23:01 - 04:06  (05:05)
(2) lastlog shows each user's most recent login
# lastlog -h
Usage: lastlog [options]

Options:
  -b, --before DAYS             print only lastlog records older than DAYS
  -h, --help                    display this help message and exit
  -t, --time DAYS               print only lastlog records more recent than DAYS
  -u, --user LOGIN              print lastlog record of the specified LOGIN
# lastlog -u root
Username         Port     From             Latest
root             pts/4    116.6.101.193    Wed Aug 13 03:26:29 -0500 2014
(3) lastb mainly shows failed login attempts
# lastb
yucz     ssh:notty    116.6.101.193    Wed Feb 25 21:16 - 21:16  (00:00)
yucz     ssh:notty    116.6.101.193    Thu Feb 12 00:49 - 00:49  (00:00)
yucz     ssh:notty    116.6.101.193    Mon Feb  9 02:29 - 02:29  (00:00)
yucz     ssh:notty    184.173.65.76    Fri Feb  6 03:52 - 03:52  (00:00)
yucz     ssh:notty    184.173.65.76    Fri Feb  6 03:51 - 03:51  (00:00)
yucz     ssh:notty    116.6.101.193    Wed Feb  4 03:33 - 03:33  (00:00)
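As an added example that is not part of the original post, the following Python reads raw utmp-format records (the binary layout shared by /var/run/utmp, /var/log/wtmp and /var/log/btmp, defined in /usr/include/utmp.h as mentioned above) and summarises the failed logins that lastb displays per source host. The sample btmp bytes are constructed here to mirror the lastb output; the example assumes glibc's 384-byte little-endian struct utmp and that failed-login records carry ut_type USER_PROCESS with ut_line "ssh:notty", as OpenSSH writes them.

```python
# Added example (not from the original post): parse raw utmp-format records
# (the format of /var/run/utmp, /var/log/wtmp and /var/log/btmp, defined in
# /usr/include/utmp.h) and summarise failed logins per source host.
import struct
from collections import Counter
from datetime import datetime, timezone

# glibc struct utmp on x86_64 / i386 (little-endian), 384 bytes per record:
#   ut_type, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
#   ut_exit{e_termination, e_exit}, ut_session, ut_tv{tv_sec, tv_usec},
#   ut_addr_v6[4], __unused[20]
UTMP = struct.Struct("<h2xi32s4s32s256shhi2i4i20x")
USER_PROCESS = 7  # ut_type of a normal user login (assumed for btmp records too)

def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_utmp(data: bytes):
    """Yield one dict per 384-byte record; a trailing partial record is ignored."""
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(data, off)
        yield {"type": f[0], "pid": f[1], "line": _cstr(f[2]), "id": _cstr(f[3]),
               "user": _cstr(f[4]), "host": _cstr(f[5]),
               "time": datetime.fromtimestamp(f[9], tz=timezone.utc)}

def failed_logins_per_host(btmp: bytes) -> Counter:
    """Count btmp records (one per failed login) by originating host."""
    return Counter(r["host"] for r in parse_utmp(btmp)
                   if r["type"] == USER_PROCESS and r["user"])

def make_record(user, host, ts, line="ssh:notty", utype=USER_PROCESS, pid=0):
    """Build one record laid out like login/sshd would (constructed test data)."""
    return UTMP.pack(utype, pid, line.encode(), b"", user.encode(), host.encode(),
                     0, 0, 0, ts, 0, 0, 0, 0, 0)

# Constructed sample btmp mirroring the lastb output above: three failures from
# one host, two from another (timestamps are made up).
SAMPLE_BTMP = b"".join([
    make_record("yucz", "116.6.101.193", 1424902560),
    make_record("yucz", "116.6.101.193", 1423702140),
    make_record("yucz", "184.173.65.76", 1423194720),
    make_record("yucz", "184.173.65.76", 1423194660),
    make_record("yucz", "116.6.101.193", 1423034000),
])

if __name__ == "__main__":
    for host, n in failed_logins_per_host(SAMPLE_BTMP).most_common():
        print(f"{host:<16} {n} failed login(s)")
```

Pointing parse_utmp at the bytes of a real /var/log/btmp gives the same per-host view that lastb prints, without depending on the lastb text format.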
This article is reposted from bannerpei's 51CTO blog; original: http://blog.51cto.com/281816327/1615459. Contact the original author for permission to reproduce it.