システムログの読み方とメール配信

以下のテキストは、執筆時当時の情報を元に書いたものであり、 現在の情勢にそぐわないことを含む場合があるので注意されたい。 また、テキストは最終提出原稿で校正を経る前のものなので、実際にUNIXUSER 本誌に記載されたものとは異なる。誤字脱字等そのままである。

致命的な誤り以外は加筆修正等は行なわないので情報の鮮度に気をつけつつ 利用して欲しい。

目次


Part 3 




Part3





/var/log

OS
 /var/log 
/etc/syslog.conf 
syslog.conf Part4


 Red Hat Linux  FreeBSD 
/var/log 





 Red Hat Linux
  

() Red Hat Linux 7.3 
(FreeBSD)
 /var/log 

[root@ape log]# ls -F
XFree86.0.log     httpd/            secure
boot.log          ksyms.0           spooler
canna/            lastlog           squid/
cron              maillog           up2date
cups/             messages          vbox/
dmesg             rpmpkgs           wtmp
fax/              sa/               xferlog
gdm/              samba/


 


 	/var/log ------------------------------
  - XFree86.0.log

	XFree86

  - boot.log

	/
	 initlog(8) 
	

  - canna/

	 Canna 

  - cron

	cron

  - cups/

	(Common Unix Printing System)
	

  - dmesg

	tail
	

  - fax/

	efax
	%%%%!

  - gdm

	gdm  gnome display manager

  - httpd/

	Apache(httpd)

  - ksyms.0

	

  - lastlog

	last(1)lastlog(8)
	

  - maillog

	MTApopper
	

  - messages

	

  - rpmpkgs

	(/etc/cron.daily/rpm
	)

  - sa/

	


  - samba/

	samba (: http://www.samba.org/) 

  - secure

	

  - squid

	squid()

  - up2date

	up2date(Update Agent)

  - wtmp

	login(1), init(1)wtmp(5)
	

  - xferlog

	ftp()xferlog(5)ftpd(8)
	

------ ---------------------------------------------------


 * XFree86.0.log

	 X Windows System 
	XX 
	XFree86.0.log 
	

	Markers: (--) probed, (**) from config file, (==) default setting,
	         (++) from command line, (!!) notice, (II) informational,
	         (WW) warning, (EE) error, (??) unknown.

	X
	

	o 
	o 
	o 

	
	

 * cron

	cron(8)
	

Sep 05 06:01:00 ape CROND[7230]: (root) CMD (run-parts /etc/cron.hourly) 

	PID
	
	

 * messages

	 syslog.conf 
	 messages 
	
	 messages 
	

* secure

	sshd
	sudo
	


FreeBSD

FreeBSD 4.6.2  /var/log 


balius# ls -F
XFree86.0.log     lastlog           sendmail.st
cron              lpd-errs          setuid.today
dmesg.today       maillog           setuid.yesterday
dmesg.yesterday   messages          slip.log
ip6fw.today       mount.today       userlog
ip6fw.yesterday   mount.yesterday   vinum_history
ipfw.today        ppp.log           wtmp
ipfw.yesterday    security



  - XFree86.0.log
  - cron
  - lastlog
  - maillog
  - messages
  - security
  - wtmp

	Linux

  - dmesg.today
  - dmesg.yesterday

	dmesg(8)/etc/security 
	/etc/security cron
	/
	

  - ip6fw.today
  - ip6fw.yesterday
  - ipfw.today
  - ipfw.yesterday

	ipfw(IP firewall)ip6fw(IPv6 firewall)
	deny, reset, unreach 

  - lpd-errs

	lpd

  - mount.today
  - mount.yesterday

	mountmount -p 
	

  - ppp.log

	ppp(8)/etc/ppp/ppp.conf 
	

  - sendmail.st

	sendmail

  - setuid.today
  - setuid.yesterday

	(ufs)setuid
	 ls -liTd 1
	

  - slip.log

	slip(8)(Serial Line IP)PC
	()
	PCMCIAPC
	IP

  - userlog

	pw(8)
	
	
2002-07-25 22:20:04 [root:useradd] kay(3234) home /home/gentei/kay made
	
	UID

  - vinum_history

	vinum(8)(Logical Volume Manager)












Unix







   less

  less

	% less [-] 

  SPC(b)1()j(k)1()
  less
  less

  less

	/	
	?	

  /?
  

	n	
	N	

  
  Linux:/var/log/boot.log 
Sep 14 02:52:21 ape syslog: syslogd startup succeeded
Sep 14 02:52:21 ape syslog: klogd startup succeeded
Sep 14 02:52:21 ape portmap: portmap startup succeeded
Sep 14 02:52:22 ape nfslock: rpc.statd startup succeeded
Sep 14 02:52:22 ape keytable: Loading keymap:  succeeded
Sep 14 02:52:22 ape keytable: Loading system font:  succeeded
Sep 14 02:52:22 ape random: Initializing random number generator:  succeeded
  :
   "succeeded" 
   "succeeded" 
   /  ? !
  
  
  /?
  

	!	
	*	
		
	@	
		(?
		)
	C-k	
		
	C-r	

  
  

	F	

   "tail -f" 
  

   tail

  (10)-f 
  
  

	# tail -f /var/log/messages

   messages 
  

   grep/egrep/fgrep

  grepUnix
  
  less
   / grep
  

	% grep   | less

  egrep OR
  

	% tail -f /var/log/messages | \
	    egrep -vi 'success|starting|fsck.*clean'

  messages 
  success  starting  fsck.*clean
  egrep -v -i
  

  fgrepFixed grep 
  IP1
   "grep 10.1.2.3 foo.log" 
  "1001.233" 
  ( . * [ ] )fgrep
  


   awk

  
  
  awkperl
  awk Aho,
  Weinberger, Kernighan 
  
  

  awk

    * awk
      1
      1
      

    * awk(
      )awk -f 
      

	% awk ''  []

      

	% awk -f   []

      
      $ 
      $ '' 
      

    * awk
      $1, $2, $3, ..., $NF NFawk
       $NF 
      awk

	USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
	root         1  0.0  0.4  1368  476 ?        S    Sep14   0:04 init

      1(1)

	1	$1="USER", $2="PID", $3="%CPU"...,
			$10="TIME",$11 = "COMMAND"
	2	$1="root", $2="1", $3="0.0"...,
			$10="0:04",$11 = "init"

      $

    * awk

	1 {  }
	2 {  }
	  :

      
      ({ }
      )
      

	//	
	BEGIN		
			
	END		
			

      
      

	# ps aux | \
	  awk 'BEGIN {sum=0} \
	       {sum += $5} \
	       END {print sum}'

      ps aux  awk 
      BEGIN sum=0 
      Perlawk$(: awk
      BEGIN)

       {sum += $5} 
      ps aux 5VSZ
       sum 
      END{print sum} 
      VSZ

  awk-F 
  

	# awk -F: '{print $1,$6}' /etc/passwd

   :() /etc/passwd 
  passwd
  

   sort

  sort11
  

	-n	()()
	-r	
	-k 1[,2]
		(1
		)21
		2
	-t	

  
  uniq
  

   uniq

  
  

	-c	
		
	-u	

  -c 
  ApacheWeb
  
  ()

	foo-bar.co.jp - - [16/Sep/2002:00:13:13 +0900] 
	"GET /~yuuji/software/mpg123el/ HTTP/1.1" 200 6623

  awkGETURL
  7
  sort GETURL
   uniq -c 
  

	% awk '{print $7}' /var/log/httpd/access_log | sort | uniq -c
	  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	  67 /
	   2 /%7Eakitsugu/gb/
	   3 /%7Eet/gb/
	   5 /%7Efuji/gb/
	   6 /%7Ehiyokko/gb/
	   3 /%7Einagaki/gb/
	     :
	     :

  
  

	% awk '{print $7}' /var/log/httpd/access_log | sort | \
	  uniq -c | sort -nr | cat -n
	     1  2106 /~yuuji/software/imapext/
	     2  1328 /~yuuji/yatex/info2/prev.gif
	     3  1322 /~yuuji/diary/2002/
	     4  1313 /~yuuji/yatex/info2/up.gif
	      :
	      :

  cat -n 

  awk, sort, uniq 
  









swatch, logsurfer 

  * swatch (The System WATCHER by Todd Atkins)

    swatch 
    ()
    
    

	watchfor /file system full/
	mail=root,subject=FileSystemFull

    /file system full/ 
    root
    
    http://www.oit.ucsb.edu/~eta/swatch/ 

  * logsurfer (by Wolfgang Ley and Uwe Ellerman)

    logsurfer swatch
    swatchPerl
    Perl
    logsurferC
    swatch1
    
    logsurfer()
    
    
    
    
    
    http://www.cert.dfn.de/eng/logsurf/ 





/var/log 
cron
111
 root 
root




 Red
Hat FreeBSD 4 

  * Red Hat cron

  Red Hat 7.3 cron/etc/crontab 
  

	SHELL=/bin/bash
	PATH=/sbin:/bin:/usr/sbin:/usr/bin
	MAILTO=root
	HOME=/
	
	# run-parts
	01 * * * * root run-parts /etc/cron.hourly
	02 4 * * * root run-parts /etc/cron.daily
	22 4 * * 0 root run-parts /etc/cron.weekly
	42 4 1 * * root run-parts /etc/cron.monthly

  crontab(5)man
  
  

	01	run-parts /etc/cron.hourly
	04:02	run-parts /etc/cron.daily
	04:22	run-parts /etc/cron.weekly
	104:42	run-parts /etc/cron.monthly

  run-parts  /usr/bin bash
  
    
  cron
  

-----[ ]--- cron.daily --------------------------------
00-logwatch	/var/log ()
		root
0anacron	anacron
		
logrotate	logrotate(8)/etc/logrotate.conf 
		
makewhatis.cron	whatis(
		)
----------------------------------------------------------------------
-----[ ]--- cron.weekly ------------------------------
0anacron	anacron
makewhatis.cron	whatis
----------------------------------------------------------------------
-----[ ]--- cron.monthly -----------------------------
0anacron	anacron
----------------------------------------------------------------------

-----[ ]----------------------------------------------------------
cron
----------------------------------------------------------------------


  * FreeBSD cron

  FreeBSD Red Hat 
  /etc/crontab 
  

# /etc/crontab - root's crontab for FreeBSD
#
# $FreeBSD: src/etc/crontab,v 1.21.2.3 2000/12/08 10:56:07 obrien Exp $
#
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
HOME=/var/log
#
#minute hour    mday    month   wday    who     command
#
*/5     *       *       *       *       root    /usr/libexec/atrun
#
# rotate log files every hour, if necessary
0       *       *       *       *       root    newsyslog
#
# do daily/weekly/monthly maintenance
1       3       *       *       *       root    periodic daily
15      4       *       *       6       root    periodic weekly
30      5       1       *       *       root    periodic monthly
#
# time zone change adjustment for wall cmos clock,
# does nothing, if you have UTC cmos clock.
# See adjkerntz(8) for details.
1,31    0-5     *       *       *       root    adjkerntz -a


  periodic 
  /etc/periodic  daily, weekly, monthly 
  
  
  
  /tmp 
  
   /etc/defaults/periodic.conf 
  /etc/periodic.conf 
  
  /etc/defaults/periodic.conf 
  
----------------------------------------------------------------------
# Daily options

# These options are used by periodic(8) itself to determine what to do
# with the output of the sub-programs that are run, and where to send
# that output.  $daily_output might be set to /var/log/daily.log if you
# wish to log the daily output and have the files rotated by newsyslog(8)
#
daily_output="root"                                     # user or /file
daily_show_success="YES"                                # scripts returning 0
daily_show_info="YES"                                   # scripts returning 1
daily_show_badconfig="NO"                               # scripts returning 2
  
  

# 120.clean-kvmdb
weekly_clean_kvmdb_enable="YES"                         # Clean kvmdb weekly
weekly_clean_kvmdb_days=7                               # If not accessed for
weekly_clean_kvmdb_verbose="YES"                        # Mention files deleted
  :
  :
----------------------------------------------------------------------

  periodic.conf  rc.conf 
  periodic.conf _
   /etc/periodic/ 
  cron "YES" 
   "NO"  periodic.conf 
  
  /etc/periodic/daily/110.clean-tmps 
  /tmp 
  

	case "$daily_clean_tmps_enable" in
	    [Yy][Ee][Ss])

   daily_clean_tmps_enable 
  
  /etc/periodic.conf 

	daily_clean_tmps_enable="YES"

  




cronroot Red Hat,
FreeBSD cron MAILTO 
 crontab 
 admin  

	MAILTO=admin

MTAroot
aliassendmail  /etc/mail/aliases 


	root:	addr1, addr2

root( addr1  addr2 
 newaliases qmail
root ~alias/.qmail-root 

	&addr1
	&addr2

11







Unix
Unix




yuuji@gentei.org
Fingerprint16 = FF F9 FF CC E0 FE 5C F7 19 97 28 24 EC 5D 39 BA