Chapter 18 - 03 - Discuss Log Monitoring and Analysis on Linux - 02
Certified Cybersecurity Technician Exam 212-82 Network Logs Monitoring and Analysis
Linux Log Format

Figure 18.12: Linux log format. Each rule in the logger's configuration pairs a selector with an action: the selector names the type of log (facility) and the severity, and the action gives the log file location. The rule shown in the figure, mail.* /var/log/maillog, writes mail messages of every severity to /var/log/maillog.

Module 18 Page 2097 Certified Cybersecurity Technician Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

The system logger's configuration file (/etc/syslog.conf for the classic syslogd; /etc/rsyslog.conf and the files under /etc/rsyslog.d/ for rsyslog) states where messages are logged. Each rule has the following format:

facility.severity    action

Consider the examples below to understand the file format.

Example 1: Log all kernel messages to the console
kern.*    /dev/console

Example 2: Log anything of level info or higher, except mail, news and cron messages. Do not log private authentication messages
*.info;mail.none;news.none;authpriv.none;cron.none    /var/log/messages

Example 3: The authpriv file has restricted access
authpriv.*    /var/log/secure

Example 4: Log all the mail messages in one place
mail.*    /var/log/maillog

Each rule is divided into two portions: the message selector and the action field. The message selector represents the type of message to log. It is a combination of log type (the facility, such as kern, mail or authpriv) and severity level.
In the examples above, kern.*, *.info;mail.none;news.none;authpriv.none;cron.none, authpriv.* and mail.* are the selectors. The * wildcard means "all": kern.* selects every message generated by the kernel, whatever its severity, and *.info selects messages of severity info or higher from every facility. A selector may list several facility.severity pairs separated by semicolons; the keyword none removes a facility from the rule, which is how Example 2 keeps mail, news, private authentication and cron messages out of /var/log/messages.

The action field describes what is done with a selected message, normally the log file it is written to. In the examples, /dev/console, /var/log/messages, /var/log/secure and /var/log/maillog are the actions. Every message is checked against every rule, so one message can be written to more than one destination: a kernel error matches both kern.* and *.info and therefore goes to /dev/console and to /var/log/messages.

Severity Level and Value of Linux Logs

Severity    Value  Keyword   Meaning
Emergency   0      emerg     System is unusable
Alert       1      alert     Action must be taken immediately
Critical    2      crit      Critical conditions
Error       3      err       Error conditions
Warning     4      warning   Warning conditions
Notice      5      notice    Normal but significant condition
Info        6      info      Informational messages
Debug       7      debug     Debug-level messages

The combination of facility and severity level in a selector determines what is logged and where it is stored. When the system logger receives messages from many programs, it decides what to keep and what to discard on the basis of the severity levels named in the selectors. There are eight severity levels, numbered 0 to 7: level 0 is the most severe and level 7 the least severe. A severity in a selector is a threshold, not an exact level: *.info matches messages at level info and at every more severe level (notice, warning, err and so on), so *.debug captures everything and *.emerg captures only emergencies.

Level 0 (Emergency): Conditions under which the system becomes unusable; for example, an imminent system crash.

Level 1 (Alert): Conditions that require immediate action; for example, a corrupted system database.
Level 2 (Critical): Critical conditions, such as a hardware error.

Level 3 (Error): Error conditions.

Level 4 (Warning): Warning conditions.

Level 5 (Notice): Messages that are not errors but require special attention.

Level 6 (Informational): Informational messages.

Level 7 (Debug): Messages that are only needed while debugging a program.

Module 18 Page 2099

Monitoring and Analysis of Linux Logs

Commands used to monitor and analyze Linux log files:

o cat command: displays the contents of a file. cat [filename]
o less command: displays the contents of a text file one page (one screen) at a time. less [filename]
o tail command: displays the last 10 lines of a text file by default. tail -n [number] [filename]
o more command: displays as many lines of a text file as fit on the screen. more [filename]
o head command: displays the first 10 lines of a text file by default. head -n [number] [filename]
o grep command: searches for a specific string in a file. grep "search string" [filename]

Monitoring and analysis of Linux logs helps identify security issues before they can significantly harm the system. Linux provides various commands to monitor and analyze log files. Some of them are described below.

cat command: cat stands for concatenate. It is one of the most frequently used commands on Linux. It reads data from one or more files and displays their contents.
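Before going through the commands one by one, here is the selector logic from the Linux Log Format section, together with the severity table, as a small runnable model. This is an added example written for this page; it is not code from the module or from any syslog implementation. The rule set embedded in route is Examples 1 to 4 as a constructed configuration (nothing is read from a real /etc/rsyslog.conf), and the facility and severity names passed in are assumed inputs.

```sh
#!/bin/sh
# Added example: minimal model of syslog selector matching. Not code from the
# module; the rules below are the module's Examples 1-4 as constructed config.
set -f   # disable pathname expansion so '*' in selectors stays literal

# Severity keyword -> numeric value from the severity table (0 = most severe).
sev_value() {
  case "$1" in
    emerg|panic)  echo 0 ;;
    alert)        echo 1 ;;
    crit)         echo 2 ;;
    err|error)    echo 3 ;;
    warning|warn) echo 4 ;;
    notice)       echo 5 ;;
    info)         echo 6 ;;
    debug)        echo 7 ;;
    *)            echo 8 ;;   # unknown keyword: never matches
  esac
}

# selector_matches SELECTOR FACILITY SEVERITY
# Returns 0 (true) when a message with FACILITY.SEVERITY is accepted by a
# selector such as '*.info;mail.none;authpriv.none'. A severity in a selector
# is a threshold (that level and anything more severe); 'none' drops the
# facility; a later part naming the same facility overrides an earlier one,
# which is why mail.none after *.info keeps mail out of the rule.
selector_matches() {
  sel=$1; fac=$2; msev=$(sev_value "$3")
  matched=1                                 # shell false until a part admits it
  old_ifs=$IFS
  IFS=';'; set -- $sel; IFS=$old_ifs        # split the selector into parts
  for part in "$@"; do
    pfac=${part%%.*}                        # facility list: '*', 'kern', 'mail,news'
    psev=${part#*.}                         # severity keyword, '*' or 'none'
    fac_hit=1
    IFS=','; set -- $pfac; IFS=$old_ifs
    for f in "$@"; do
      if [ "$f" = '*' ] || [ "$f" = "$fac" ]; then fac_hit=0; fi
    done
    [ "$fac_hit" -eq 0 ] || continue
    case "$psev" in
      none) matched=1 ;;
      '*')  matched=0 ;;
      *)    if [ "$msev" -le "$(sev_value "$psev")" ]; then matched=0; else matched=1; fi ;;
    esac
  done
  return "$matched"
}

# route FACILITY SEVERITY: print every destination the constructed rules send
# the message to, one per line. A message may match several rules, or none.
route() {
  printf '%s\n' \
    'kern.* /dev/console' \
    '*.info;mail.none;news.none;authpriv.none;cron.none /var/log/messages' \
    'authpriv.* /var/log/secure' \
    'mail.* /var/log/maillog' |
  while read -r sel action; do
    if selector_matches "$sel" "$1" "$2"; then printf '%s\n' "$action"; fi
  done
}

# Same result joined with spaces, convenient for scripts and checks.
route_line() { route "$1" "$2" | tr '\n' ' ' | sed 's/ $//'; }

route_line kern err          # /dev/console /var/log/messages
route_line kern debug        # /dev/console (debug is below the info threshold)
route_line mail info         # /var/log/maillog (mail.none removed it from messages)
route_line authpriv notice   # /var/log/secure
route_line cron err          # nothing: cron.none, and no rule for cron at all
```

The last case is the one worth remembering when hunting for evidence: with this rule set a cron error is not written anywhere, and the same silent gap appears whenever a facility is excluded with none without a dedicated rule of its own. Real loggers accept more than this model handles (rsyslog and sysklogd also allow = for "exactly this level" and ! for "below this level", and rsyslog adds property-based filters), so check the live /etc/rsyslog.conf and /etc/rsyslog.d/ rather than assuming the defaults.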
cat can also combine the contents of two files by appending the second to the end of the first, and copy the content of one file into another. Its syntax is as follows:

cat [option] [filename]

Described below are the different forms of the cat command.

o cat [filename]: displays the content of the given file.
o cat [filename1] [filename2]: displays the content of filename1 followed by the content of filename2.
o cat > newfilename: creates a new file named "newfilename" from whatever is typed on standard input (finish with Ctrl-D); an existing file of that name is overwritten.
o cat -n [filename]: displays the content of the file with line numbers.
o cat [filename1] > [filename2]: copies the content of filename1 into filename2, overwriting it.
o cat -s [filename]: squeezes repeated empty lines into a single empty line.
o cat [filename1] >> [filename2]: appends the content of filename1 to the end of filename2.
o tac [filename]: displays the file with its lines in reverse order (last line first).
o cat -E [filename]: marks the end of each line with a $ character, which makes trailing whitespace visible.

tail command: This command displays the last 10 lines of a text file by default. The -n option selects a number of lines and -c a number of bytes. Its syntax is as follows:

tail [options] [filename(s)]

Described below are the different forms of the tail command.

o tail [filename]: displays the last 10 lines of the file.
o tail [filename1] [filename2]: displays the last 10 lines of each file, each block preceded by a header naming the file.
o tail -n [number] [filename]: displays the last number lines of the file. For example, tail -n 5 [filename] displays only the last five lines.
o tail -c [number] [filename]: displays the last number bytes of the file.
o tail -f [filename]: keeps the file open and prints new lines as they are appended, which is the usual way to watch a log while an event is in progress.

head command: This command displays the first 10 lines of a text file by default. The -n option selects a number of lines and -c a number of bytes. Its syntax is as follows:

head [options] [filename(s)]

Described below are the different forms of the head command.

o head [filename]: displays the first 10 lines of the file.
o head [filename1] [filename2]: displays the first 10 lines of each file, each block preceded by a header naming the file.
o head -n [number] [filename]: displays the first number lines of the file. For example, head -n 5 [filename] displays only the first five lines.
o head -c [number] [filename]: displays the first number bytes of the file.

less command: This command displays the contents of a text file one page (one screen) at a time. For a large file it does not read the whole file before showing anything; it reads only as much as the current page needs, so it starts immediately where a text editor would first load the entire file into memory. Inside less, /pattern searches forward, G jumps to the end of the file and F keeps reading new lines as they are appended (the same effect as tail -f). Its syntax is as follows:

less [filename]

more command: This command displays as many lines of a text file as fit on the screen and lets you page forward through the rest. It also supports searching for text, strings and regular expressions. Its syntax is as follows:

more [filename]

grep command: This command searches for a specific string (or regular expression) in a file and prints the matching lines.

grep "search string" [filename]

The following options can be used when searching:

o -c: displays a count of the lines that match the pattern (lines, not occurrences; a line with two matches counts once).
o -h: displays the matched lines without the filename prefix when several files are searched.
o -i: ignores case when matching.
o -l: displays only the names of the files that contain a match.
o -n: displays the line number together with each matched line.
o -v: displays the lines that do not match the pattern.
o -w: matches the pattern only where it appears as a whole word.
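The commands described in this section applied to a small authentication log, as an added example written for this page (not from the module). The two log files are constructed: hostname, PIDs, user names and IP addresses are made up, and they are written to temporary files so the script runs offline. Besides cat, head, tail and grep from the page, it uses mktemp to create the files and cut to isolate a line number.

```sh
#!/bin/sh
# Added example: the page's commands over a constructed /var/log/secure-style
# log. All entries below are fictitious.
SECURE=$(mktemp)
MESSAGES=$(mktemp)
trap 'rm -f "$SECURE" "$MESSAGES"' EXIT

cat > "$SECURE" <<'EOF'
Mar  3 10:01:02 host1 sshd[2101]: Accepted publickey for alice from 10.0.0.5 port 51122 ssh2
Mar  3 10:01:40 host1 sshd[2110]: Failed password for root from 203.0.113.7 port 40110 ssh2
Mar  3 10:01:43 host1 sshd[2110]: Failed password for root from 203.0.113.7 port 40110 ssh2
Mar  3 10:01:47 host1 sshd[2112]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Mar  3 10:02:10 host1 sshd[2115]: Failed password for bob from 198.51.100.23 port 50001 ssh2
Mar  3 10:02:30 host1 sudo:    bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 10:03:00 host1 sshd[2120]: Accepted password for administrator from 198.51.100.23 port 50002 ssh2
Mar  3 10:03:05 host1 CRON[2130]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF

cat > "$MESSAGES" <<'EOF'
Mar  3 10:00:00 host1 kernel: Linux version 5.10.0 (constructed sample)
Mar  3 10:03:05 host1 systemd[1]: Started Session 12 of user bob.
EOF

# grep -c: how many failed password attempts (first number to check on a bastion)
failed_logins() { grep -c 'Failed password' "$SECURE"; }

# grep -n | head -n 1: line number of the first failure, to jump to it in less
first_failure_line() { grep -n 'Failed password' "$SECURE" | head -n 1 | cut -d: -f1; }

# grep -w: 'admin' only as a whole word. Without -w the 'administrator' login
# is also counted, which is how a substring match inflates an attacker count.
admin_attempts()       { grep -wc 'admin' "$SECURE"; }
admin_substring_hits() { grep -c 'admin' "$SECURE"; }

# grep -v -c: everything that did not come from sshd (sudo, cron, ...)
non_sshd_events() { grep -vc 'sshd' "$SECURE"; }

# grep -i: sudo command lines, matched without caring about case
sudo_commands() { grep -ic 'command=' "$SECURE"; }

# tail -n | grep -c: failures among only the five most recent entries
recent_failures() { tail -n 5 "$SECURE" | grep -c 'Failed'; }

# grep -l across several logs: which files contain a failed login at all
files_with_failures() { grep -l 'Failed password' "$SECURE" "$MESSAGES"; }

echo "failed logins:          $(failed_logins)"           # 4
echo "first failure at line:  $(first_failure_line)"      # 2
echo "admin (whole word):     $(admin_attempts)"          # 1
echo "admin (substring):      $(admin_substring_hits)"    # 2
echo "non-sshd events:        $(non_sshd_events)"         # 2
echo "sudo commands:          $(sudo_commands)"           # 1
echo "failures in last 5:     $(recent_failures)"         # 2
echo "files with failures:    $(files_with_failures)"     # the secure file only
```

Two habits this illustrates: count with -c and then read the matching lines with -n before drawing conclusions, because a count of 4 from one address over seven seconds and 4 spread over a day mean different things; and prefer -w (or an anchored pattern) when the search term is a user name, since 'root' also matches 'rootkit' and 'admin' matches 'administrator'.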