Chapter 18 - 03 - Discuss Log Monitoring and Analysis on Linux - 02_ocred_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82
Network Logs Monitoring and Analysis

Linux Log Format

o-1
Format of Linux log files:
files

g :
i crity var/ log/icritical
NN. W, SOS— =
’ "\ S
7’ \ e
4 \ ~
e \ s
Type of Log Severity of Log Log File Location

Any type of severity log
-’f-
- -
»” -
- -
mail.___*"__Mvar/log/maillog
mail.___*"__/var/log/maillog
All severity logs pertaining to mail are written to
/var/log/maillog

Copyright © by EC ncll. I. All Rights Reserved.
Reserved. ReproductionIss Strictly Prohibited.

Linux Log Format
The system log file provides information about where messages
mess ages are logged. It is in the following
format:

f.ll..l:
r.l.l.': :.l..Q.'rlI-lIIIIIIII:
:.l..'.'rfllfllllllllll:

"]." =. "] "

P ie criti/var/
criti/ var/ log/:critical
7 i [.
”’
7 i
Nusssns' : 8Yesnssfasnsnnnnnnnn
4.f-v
e LY 'V\\ S
’ \ s
/,
/’ \\ ~S
7’’ \ 2
s
Type of Log Severity of Log Log File Location

Any type of severity log

’/
- /”
I”

mail. _ «"
«~ /var/log/maillog
All severity logs pertaining to mail are written to
/var/log/maillog

Figure 18.12: Linux log format

Module 18 Page 2097 Certified Cybersecurity Technician Copyright © by EG-Gouncil
EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Logs Monitoring and Analysis

Consider some examples below to understand the log file format.

Example 1: Log all kernel messages to the console
kern.* /dev/console

Example 2: Log anything (except mail) of level info or higher. Do not log private
authentication messages
*.info;mail.none;news.none;authpriv.none;cron.none
/var/log/messages

Example 3: The authpriv file has restricted access
authpriv.* /var/log/secure

Example 4: Log all the mail messages in one place
mail.* /var/log/maillog
Each line of the log file is divided into two portions: message selector and action field.

Message selector represents the type of message to log. It is a combination of log type
and severity level. In the above example, kern.*,
*.info;mail.none;news.none;authpriv.none;cron.none, authpriv.*,
and mail.* are the various selectors. Here, * indicates "all" such as kern.* all
messages generated by the kernel.

An action field describes the type of action to be applied to the message. It indicates a
log file location. In the above examples, ;/dev/console, /var/log/messages,
/var/log/secure, /var/log/maillog represent the actions.

Module 18 Page 2098 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Logs Monitoring and Analysis

Severity Level and Value
of Linux Logs

Emergency
Emergency 0.emer System is unusable

Action must be taken
Alert
Alert d1 Blert
alert immediately

Critical 2.crit Critical conditions

Error 3.err Error conditions

Warning 4.warning Warning conditions
ienifi
Notice 5 ot
P Norn?a.l but significant
Norn?a.|
condition

Info 6.info Informational messages

Debug 7.debug Debug-level messages

Copyright © by £ LL ANl
All Rights Reserved. Reproduction
Rights Reserved. Reproduction isis Strictly
Strictly Prohibited
Prohibited

Severity Level and Value of Linux Logs
The combination of Linux log file(s) and severity levels facilitates determination of what is
logged and where that information is stored. When a system logger receives messages from
multiple programs, it will make decisions as to what to keep and what to discard on the basis of
severity levels defined by the selector. There are eight severity levels for sending a message in
Linux, starting from level 0 to level 7. The highest severe message is at level 0, and the lowest
severe message is at level 7.
Level 0—Emergency: This level represents emergency conditions where the system
comes unusable; for example, imminent system crash.
Level 1—Alert: This level represents those conditions that require immediate actions;
for example, a corrupted system database.
Level 2—Critical: This level represents critical conditions such as a hardware error.

Level 3—Error: This level represents error messages.

Level 4—Warning: This level represents warning messages.

Level 5—Notice: This level represents those messages that are not an error but require
special attention.
Level 6—Information: This level represents informational messages.

Level 7—Debug: This level represents those messages that are required during
debugging programs.

Module 18 Page 2099 EC-Council
Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Logs Monitoring and Analysis

Monitoring and Analysis of Linux Logs
( Commands Used to Monitor and Analyze Linux Log Files : )

cat command less command

o
O cat command displays file contents less command displays the contents of a
cat[filename] text file one page (one screen) per time
less [filename]

tail command more command

@
e tail command displays last 10 lines more command displays the number of lines
from a given text file by default from a text file as much as the screen can fit
tail [n] [filename] more [filename]

head command ' grep command

head command displays first 10 lines from - grep command is used for searching a
a given text file by default specific string in a file
head [-n] [filename] grep “search string”
“search string” [filename]

Copyright © by
by EC EC cil. All Rights
cll. Rights Reserved. Reproduction
Reproduction IsIs Strictly Prohibited

Monitoring and Analysis of Linux Logs
Monitoring and analysis of Linux logs helps determine security issues before they can
significantly harm the system. Various types of commands are provided by Linux to monitor and
analyze log files. Some of them
them are described below.
=* cat command: cat stands for concatenate. It is one of the most important commands
used in Linux OS. It reads data from the file and displays its content. It can combine the
contents of two files by appending the content of the second file to the end of the first
file. It can also copy the content of one file to another file. Its syntax is as follows:
cat [option] [filename]

Described below are the different types of cat commands.
o cat[filename] : This command will display the content of a given filename.
o0 cat[filenamel] [filename2]: This command will display the content of
filenamel and filename2.

o0 cat>newfilename: This command
command will
will create
create a new
new file with
with the name
name
"newfilename."
0o cat -n [filename]: This command displays the content of a given file with line
number.

o0 cat [filenamel]>[filename2]: This command copies the content of filenamel
to filename2.
o cat -s [filename]: This command suppresses repeated empty lines.

Module 18 Page 2100 Certified Cybersecurity Technician Copyright © by EG-Gouncil
EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Logs Monitoring and Analysis

0 cat [filenamel]>>[filename2]: This command appends the content of
filenamel to the end of filename2.
o tac [filename]: This command displays the file in reverse order.
0 cat -E [filename]: This command highlights the end of the line.

tail command: This command displays last 10 lines from a given text file by default. It
also allows options n number of lines and ¢ number of characters. Its syntax is as
follows:
tail [options] [filename (s)]

Described below are the different types of tail commands.

o tail [filename]: This command displays the last 10 lines from a given file.

0 tail [filenamel] [filename2]: This command displays the last 10 lines of
both the files.
0 tail [-n] [filename]: This command displays last n number of lines from a
given file. For example, if 5 is used in place n, then only the last five lines will be
displayed from a given file.
0 tail [-c] [n][filename]: This command displays last n number of characters
from a given file.

head command: This command displays the first 10 lines from a given text file by
default. It also allows options n number of lines and ¢ number of characters. Its syntax is
as follows:
head [options] [filename (s)]

Described below are the different types of head commands.
o head [filename]: This command displays the first 10 lines from a given file.
0 head [filenamel] [filename2]: This command displays the first 10 lines of
both the files.

0o head [-n] [filename]: This command displays the first n number of lines from
a given file. For example, if 5 is used in place n, then only the first five lines will be
displayed from a given file.

0 head [-c] [n][filename]: This command displays the first n number of
characters from a given file.
less command: This command displays the contents of a text file, one page (one
screen) per time. In case of a large size file, it will not access the complete file; instead, it
will access page by page. For example, when using any text editor for reading a large
size file, it will get loaded completely to main memory. However, by using less
command, it will not load complete file; instead, it loads part by part, thus making it
faster. Its syntax is as follows:
less filename

Module 18 Page 2101 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Logs Monitoring and Analysis

* more command: This command displays a number of lines from a text file—as much as
the screen can fit. It helps view files in a scrollable manner and search the text, strings,
and regular expressions. Its syntax is as follows:
more filename

= grep command: This command is used for searching a specific string in a file.
grep “search string” [filename]

The following available options can be used to search the string:

(@] -C. It displays a count of number of lines that match a pattern.

@] -h: It displays the matched lines but not the filenames.
: It ignores the case for matching.
: It displays file names' list.

: It displays the line numbers as well as the matched line.
-v. It displays all the lines without a matching pattern.
-W. It matches the whole word.

Module 18 Page 2102 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.