Red Hat system log files explained, part 3
The last command
The last command searches back through wtmp and shows every user who has logged in since the file was first created. For example:
QUOTE:
chyang   pts/9    202.38.68.242    Tue Aug  1 08:34 - 11:23  (02:49)
cfan     pts/6    202.38.64.224    Tue Aug  1 08:33 - 08:48  (00:14)
chyang   pts/4    202.38.68.242    Tue Aug  1 08:32 - 12:13  (03:40)
lewis    pts/3    202.38.64.233    Tue Aug  1 08:06 - 11:09  (03:03)
lewis    pts/2    202.38.64.233    Tue Aug  1 07:56 - 11:09  (03:12)
If a user is named, last reports only that user's recent activity. For example, typing last ynguo and pressing Enter displays the following:
QUOTE:
ynguo    pts/4    simba.nic.ustc.e Fri Aug  4 16:50 - 08:20  (15:30)
ynguo    pts/4    simba.nic.ustc.e Thu Aug  3 23:55 - 04:40  (04:44)
ynguo    pts/11   simba.nic.ustc.e Thu Aug  3 20:45 - 22:02  (01:16)
ynguo    pts/0    simba.nic.ustc.e Thu Aug  3 03:17 - 05:42  (02:25)
ynguo    pts/0    simba.nic.ustc.e Wed Aug  2 01:04 - 03:16  (1+02:12)
ynguo    pts/0    simba.nic.ustc.e Wed Aug  2 00:43 - 00:54  (00:11)
ynguo    pts/9    simba.nic.ustc.e Thu Aug  1 20:30 - 21:26  (00:55)
The ac command
The ac command reports user connect time in hours, computed from the login and logout records in the current /var/log/wtmp file. Without any flags it reports the grand total. For example, typing ac and pressing Enter displays the following:
QUOTE:
total     5177.47
Typing ac -d and pressing Enter displays the total connect time for each day:
QUOTE:
Aug 12  total      261.87
Aug 13  total      351.39
Aug 14  total      396.09
Aug 15  total      462.63
Aug 16  total      270.45
Aug 17  total      104.29
Today   total      179.02
Typing ac -p and pressing Enter displays the total connect time for each user:
QUOTE:
        ynguo     193.23
        yucao       3.35
        rong      133.40
        hdai       10.52
        zjzhu      52.87
        zqzhou     13.14
        liangliu   24.34
        total    5178.24
The lastlog command
The lastlog file is consulted every time a user logs in. The lastlog command checks when a particular user last logged in and prints a formatted view of the last-login log /var/log/lastlog. Sorted by UID, it shows the login name, port (tty) and time of the last login. If a user has never logged in, lastlog prints **Never logged in**. Note that the command has to be run as root, for example:
QUOTE:
rong      5      202.38.64.187    Fri Aug 18 15:57:01 +0800 2000
dbb                               **Never logged in**
xinchen                           **Never logged in**
pb9511                            **Never logged in**
xchen     0      202.38.64.190    Sun Aug 13 10:01:22 +0800 2000
Further options can be added: for example, "lastlog -u 102" reports only the user with UID 102, and "lastlog -t 7" restricts the report to logins within the past week.
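The connect-time records above are easy to post-process. As an added example, not part of the original article, the following Python script parses lines in the layout that last prints, sums per-user connect time the way ac -p does (in minutes here rather than hours), and lists completed sessions whose source host lies outside an expected address range; the sample lines and the allowed prefix "202.38." are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the layout `last` prints; hosts, kernel version and times are made up.
SAMPLE_LAST = """\
chyang   pts/9    202.38.68.242    Tue Aug  1 08:34 - 11:23  (02:49)
cfan     pts/6    202.38.64.224    Tue Aug  1 08:33 - 08:48  (00:14)
lewis    pts/3    202.38.64.233    Tue Aug  1 08:06 - 11:09  (03:03)
ynguo    pts/0    simba.nic.ustc.e Wed Aug  2 01:04 - 03:16  (1+02:12)
root     pts/1    10.9.8.7         Wed Aug  2 09:00   still logged in
reboot   system boot  2.2.16           Tue Aug  1 07:50          (01:10)
wtmp begins Tue Aug  1 07:50:00 2000
"""

# user  tty  host  start  -  end  (duration); the duration is HH:MM or D+HH:MM.
SESSION_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+"
    r"\w{3} \w{3}\s+\d+ \d\d:\d\d\s+-\s+\S+\s+"
    r"\((?:(?P<days>\d+)\+)?(?P<hh>\d\d):(?P<mm>\d\d)\)\s*$"
)

def parse_sessions(text):
    """Yield (user, host, minutes) for every completed session.
    Reboot records, sessions that are still open and the 'wtmp begins'
    footer have no closed duration and are skipped."""
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if not m:
            continue
        days = int(m.group("days") or 0)
        minutes = days * 24 * 60 + int(m.group("hh")) * 60 + int(m.group("mm"))
        yield m.group("user"), m.group("host"), minutes

def connect_minutes_per_user(text):
    """Per-user connect time, the figure `ac -p` derives from wtmp (minutes, not hours)."""
    totals = defaultdict(int)
    for user, _host, minutes in parse_sessions(text):
        totals[user] += minutes
    return dict(totals)

def sessions_from_unexpected_hosts(text, allowed_prefixes):
    """Completed sessions whose source host does not start with an expected prefix."""
    allowed = tuple(allowed_prefixes)
    return [(user, host) for user, host, _m in parse_sessions(text)
            if not host.startswith(allowed)]

if __name__ == "__main__":
    print(connect_minutes_per_user(SAMPLE_LAST))
    print(sessions_from_unexpected_hosts(SAMPLE_LAST, ["202.38."]))
```

Sessions still open have no closed duration and are skipped by the parser, so review "still logged in" lines separately.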
Process accounting
UNIX can track every command run by every user. If you want to know which important files were tampered with last night, the process accounting subsystem can tell you, and it also helps when tracing an intruder. Unlike connect-time logging, process accounting is not active by default and has to be started. On Linux it is started with the accton command, which must be run as root. The command takes the form accton file, and file must already exist, so first create the pacct file with touch: touch /var/log/pacct, then run accton: accton /var/log/pacct. Once accounting is active, the lastcomm command can be used to inspect the commands executed on the system at any point in time. To turn accounting off, run accton with no arguments.
The lastcomm command reports on previously executed files. Without arguments, lastcomm shows information about every command recorded during the lifetime of the current accounting file: the command name, the user, the tty, the CPU time the command consumed and a timestamp. On a system with many users the output can be very long. Consider the following example:
QUOTE:
crond            F    root     ??         0.00 secs Sun Aug 20 00:16
promisc_check.s  S    root     ??         0.04 secs Sun Aug 20 00:16
promisc_check         root     ??         0.01 secs Sun Aug 20 00:16
grep                  root     ??         0.02 secs Sun Aug 20 00:16
tail                  root     ??         0.01 secs Sun Aug 20 00:16
sh                    root     ??         0.01 secs Sun Aug 20 00:15
ping             S    root     ??         0.01 secs Sun Aug 20 00:15
ping6.pl         F    root     ??         0.01 secs Sun Aug 20 00:15
sh                    root     ??         0.01 secs Sun Aug 20 00:15
ping             S    root     ??         0.02 secs Sun Aug 20 00:15
ping6.pl         F    root     ??         0.02 secs Sun Aug 20 00:15
sh                    root     ??         0.02 secs Sun Aug 20 00:15
ping             S    root     ??         0.00 secs Sun Aug 20 00:15
ping6.pl         F    root     ??         0.01 secs Sun Aug 20 00:15
sh                    root     ??         0.01 secs Sun Aug 20 00:15
ping             S    root     ??         0.01 secs Sun Aug 20 00:15
sh                    root     ??         0.02 secs Sun Aug 20 00:15
ping             S    root     ??         1.34 secs Sun Aug 20 00:15
locate                root     ttyp0      1.34 secs Sun Aug 20 00:15
accton           S    root     ttyp0      0.00 secs Sun Aug 20 00:15
One problem with process accounting is that the pacct file can grow very quickly. The sa command then has to be run, either interactively or from cron, to keep the accounting data under control. sa reports on, cleans up and maintains the process accounting files. It can condense the information in /var/log/pacct into the summary files /var/log/savacct and /var/log/usracct, which hold system statistics grouped by command name and by user name. By default sa reads these summaries first and then the pacct file, so that its report covers all available information. The output of sa contains the following marked fields.
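As an added example, not code from the original article, the following Python script parses records in the column layout lastcomm prints above, picks out the commands that ran with superuser privileges (flag S), and totals CPU time per user, which is the kind of per-user summary sa keeps; the sample records are constructed, and the flag-letter set assumed for the second column is S, F, C, D and X.

```python
from collections import defaultdict

# Constructed sample in the layout lastcomm prints: command, flags, user, tty ("??" when
# none), CPU time and timestamp. S = ran as superuser, F = forked but did not exec.
SAMPLE_LASTCOMM = """\
crond            F    root     ??         0.00 secs Sun Aug 20 00:16
promisc_check.s  S    root     ??         0.04 secs Sun Aug 20 00:16
promisc_check         root     ??         0.01 secs Sun Aug 20 00:16
grep                  root     ??         0.02 secs Sun Aug 20 00:16
ping             S    root     ??         1.34 secs Sun Aug 20 00:15
locate                root     ttyp0      1.34 secs Sun Aug 20 00:15
accton           S    root     ttyp0      0.00 secs Sun Aug 20 00:15
"""

FLAG_CHARS = set("SFCDX")  # assumed set of flag letters for the optional second column

def parse_lastcomm(text):
    """Yield one record per line: command, flags, user, tty, cpu (seconds) and timestamp.
    The flags column is optional, so fields are located relative to the 'secs' token;
    a user name made only of flag letters would be misread, a limit of this heuristic."""
    for line in text.splitlines():
        tokens = line.split()
        if "secs" not in tokens:
            continue
        i = tokens.index("secs")
        cpu = float(tokens[i - 1])
        head = tokens[: i - 1]                 # command [flags] user tty
        command, rest = head[0], head[1:]
        flags = ""
        if len(rest) >= 2 and set(rest[0]) <= FLAG_CHARS:
            flags, rest = rest[0], rest[1:]
        user = rest[0]
        tty = rest[1] if len(rest) > 1 and rest[1] != "??" else ""
        yield {"command": command, "flags": flags, "user": user, "tty": tty,
               "cpu": cpu, "when": " ".join(tokens[i + 1:])}

def superuser_commands(text):
    """Commands that ran with superuser privileges (flag S), with the user and tty."""
    return [(r["command"], r["user"], r["tty"])
            for r in parse_lastcomm(text) if "S" in r["flags"]]

def cpu_seconds_by_user(text):
    """Per-user CPU total, comparable to the per-user summary sa writes to /var/log/usracct."""
    totals = defaultdict(float)
    for r in parse_lastcomm(text):
        totals[r["user"]] += r["cpu"]
    return {user: round(secs, 2) for user, secs in totals.items()}
```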