�o�����O�̮e���Q�s��ҩ������A���N�O�ԲӦӽT�ꪺ�����Ϊ̬O�ƥ��t�Ϊ��n�����C����O�n���ɩO�H²�檺���A�N�O�O���t�ά��ʰO�����X���ɮסA�Ҧp�G��ɡB��a�]�ӷ� IP �^�B��H�] login name �^�B���F����ʧ@�A�t�~�N�O�t�Φb����ɭ԰��F����˪��欰�ɡA�o�ͤF����˪��ƥ󵥵��A�n���D���O�A�ڭ̪� Linux �D���b�I�����U�A���۷��h�� daemons �b�u�@�ۡA����o�Ǥu�@�����{���`�O�|���@�ǰT����ܡA�o����ܪ��T���N�O���O���b�n���ɷ����աA�]�N�O���A�O���o�Ǩt�Ϊ����n�T���A�N�O�n���ɩҶi�檺�����u�@�����e�F�C���ѩ�o�ǰO�����u�@���e���t�Ϊ���T�ӸԲӤF�A�Y�Q���o�N�i��v�T��t�Ϊ��w���ʡA�]���A�q�`�o�ǵn���ɥu�� root �i�H�i�����\���I

���򬰦�n�O���P�ѪR�n���ɩO�H�o�O�ѩ�O���ɦ��X�ӭ��n���\��G

• �ѨM�t�Ϊ����~�G�o�ӹ��t�κ޲z���ӻ��O�ܭ��n����T�A�Ҧp�G�}�����L�{���������쪺�w��T����Ʒ|�O����O��������A�ѩ�o�ǰ�������T�i�H���ѧڭ��A�ѵw���T�A�ҥH�p�G�A���t�εo�Ͱ��D�ɡA�i�H�U�F dmesg �ݬݵw�骺�������S���o�Ϳ��~�O�I�t�~�A�p�G�t�θ귽�Q�ӺɡB�֤߬��ʵo�Ϳ��~�����ƥ�o�ͪ��ɭԡA�h�t�εn���ɥ�|�N���~���T���O���b�n���ɤ��]�q�`�O /var/log/messages �^�A�o�dz��i�H�ǥH���o���~�o�ͮɪ���T�A�å[�H�J�A���D�I�I

• �ѨM�����A�Ȫ����D�G�b�w�˩γ]�w�s�A�Ȫ��M��ɡA�̱`�ϥΨ�o�ӥ\��F�I�Ҧp�b�w�˱Ұ� sendmail �ɡA�p�G sendmail �L�k���ѪA�Ȫ��ɭԡA����L�k���ѪA�Ȫ����D�h�|�Q������n���ɷ����h�A�h�u�n���R�n���ɴN�i�H�A�Ѱ��D�I�A���ǥH�ѨM���D�աI( �ҥH�ڭ̱`���y�ѧU�ۧU�̡z�O�u���աI���(1)�ù��W�������~�T���P(2)�n���ɪ����~��T�A�X�G�i�H�ѨM�j������ Linux ���D�I )

• �O���n����T�G�o�ӪF��۷������n�I�Ҧp�G���ѱz�� apache �o�� WWW �A�ȱ��F�A�A��򪾹D��ɱ������H�ӳ̫�n�J�̬O�֡H�I�o���i�H�ǥѤ��R apache ���n���ɨӨ��o��T�F���~�A�U�@���@�ѱz���t�γQ�J�I�A�åB�Q�Q�Ψӧ����L�H���D���A�o�ӮɭԹ�誺�D���d�X�O�z�� Linux �b�i��������欰�A�o�ӮɭԧA�n�p��i�����z���D���O�ѩ�Q�J�I�ҾɭP�����D�A�åB��U����~�򩹨ӷ��l�d�O�H�I�����I���ɵn���ɥi�O�۷����n���O�I

�]���A�@�Ӧ��g�窺�D���޲z���A�|�H���H�a�d�\�@�U�ۤv���n���ɡA�H�H�ɴx���t�Ϊ��̷s�߰ʡI���򨣪��X�ӵn���ɦ����ǩO�H�@��Ө��A���U���X�ӡG

• /var/log/secure�G�O���n�J�t�Φs����ƪ��ɮסA�Ҧp pop3, ssh, telnet, ftp �����|�O���b���ɮפ��F
• /var/log/wtmp�G�O���n�J�̪��T����ơA�ѩ��ɮפw�g�Q�s�X�L�A�ҥH�����ϥ� last �o�ӫ��O�Ө��X�ɮת����e�F
• /var/log/messages�G�o���ɮ׬۷������n�A�X�G�t�εo�ͪ����~�T���]�Ϊ̬O���n����T�^���|�O���b�o���ɮפ��F
• /var/log/boot.log�G�O���}���Ϊ̬O�@�ǪA�ȱҰʪ��ɭԡA����ܪ��Ұʩ������T���F
• /var/log/maillog �� /var/log/mail/*�G�����l��s���Ω���( sendmail �P pop3 )���ϥΪ̰O���F
• /var/log/cron�G�o�ӬO�ΨӰO�� crontab �o�ӨҦ�ʪA�Ȫ����e���I
• /var/log/httpd, /var/log/news, /var/log/mysqld.log, /var/log/samba, /var/log/procmail.log�G ���O�O�X�Ӥ��P�������A�Ȫ��O���ɰաI

�n�F�A����O���F�o�ǵn���ɤ���A�ڭn��������R�r�I�H�򥻤W�A�@�Ӧn���t�κ޲z���j�������D�y�@���D���t�d���A�ȳ̦n��ֺɶq���z�A�o�O����N��O�H�]�N�O���A�o���D�����l��D������N�M���t�d�l��u�@�A���n�ٷd WWW �A�ȡI�o�˦��X�Ӧn�B�A���F�t�Ϊ��w���ʸ��Τ��~�]�]���}�� port �ܤ֤F�I�^�A�O���ɪ��ѪR�]�|���²��I�]���ڭ̪� /var/log/secure �O�����n�J�̸�T�N�|������@�P�ʡI����ڭ̴N�i�H�d�ߤ@�U�C��n�J���ϥΪ̱b���ջP���~�T���յ������I�]���M�o�A�p�G�A���W�e���B�g���״I���ܡA����@���D���W���w�˩Ҧ��������A�Ȥ]�O�i�H���աI�^�򥻤W�A�ˬd/var/log/messages�B/var/log/secure�o�ǭ��ɮפ]�N�۷����F�I�]���t�εo�ͪ����~�Ϊ̬Oĵ�i�T���q�`���|�g�J�o���ɮפ��C
�@
���O�A�p�G�ڤ��䦳�ƤQ���D������H�ڭn���n�@���@���h��� log file �O�H�����I���˹�ݷ|���H�z��?�]���A�ڭ̩��U�]�ϥΤ@��²�����n���ɨӤ��R Red Hat �� Mandrake �o��� Linux distribution ���n���ɧa�I

�b�t�Ϊ��n���ɨt�η����A�j�h�H�@��`�n�{���Ӷi��g�J�o�ǰT�����o�Ӥu�@�A���N�O syslogd �o��{���աI�t�~�A�ѩ�n���ɦp�G�@�����j���ܡA����o�ǵn���ɪ��g�J�ʧ@�N�|�ܨS���IJv�A�o�O�]���ɮפӤj�ɡAASCII �榡�X������ɮ׼g�J����·Ъ��t�G�I������i��n���ɸ�ƪ��ƥ��u�@�O�H�����I���N�ϥ� logrotate �a�I�N��ƶi�����( rotate )�H����O����H�I�]�ڣ{���x�y��������I�H�^���]�i�H�٬������աI�򥻤W�A�N�O�N�ª� log �ɮק��W�١A�M��إߤ@�ӪŪ� log �ɮסA�p���@�ӡA�s�� log �ɮױN�q�s�}�l�O���A�M��u�n�N�ª� log �ɮׯd�U�@�}�l�A��I���N�i�H�F��N�n���ɡy����z���ت��աI���~�A�p�G�ª������]�j���n�O�s�X�Ӥ�a�I�^�O�s�F�@�q�ɶ��S�����D�A����N�i�H���t�Φ۰ʪ��N�L�屼�A�K�o�����ܦh�_�Q���w�ЪŶ����I�]�|�ӨҤl�ӻ��A�ڪ� WWW �����@�Ӥ몺�n���ɡA�Ҧ������w�ЪŶ��j�p�A�j���N�� 1GB �o��h....�ӥB���O�¤�r��....�ܥi�ȧa�I�^
�@
�ҥH���A�򥻤W�A�w�� log �ɮרӳ]�p���A�Ȧ��o���G
• syslogd�G�i��t�ΩΪ̬O�����A�Ȫ��n���ɰO���u�@�F
• logrotate�G�N�ª���Ƨ�W�A�åB�إ߷s���n���ɡA�H�O���n���ɪ��y�s�A�z�A�õ��]�w�N���ª��n���ɧR���C
�ҥH�A���ۤU�ӧڭ̨ӽͤ@�ͫ��˳W���o���{���O�H�I�N�� syslogd �o��{�����Ͱ_�a�I�����o�����n���ɡA�~�i�H�i�� logrotate �r�I�z���O�a�I�H

---

• syslogd�G

�ڭ̦bLinux�̭��w�]�N�w�g�ϥΤFsyslogd�o��{���ӰO���t�Ϊ��n�J��ơA���۫H���ܡA�A�i�H�ϥ�ps�Ӭd�ߤ@�U�G
�@

[root @test root]# ps -aux|grep syslog root       782  0.0  0.8  1340  508 ?        S    Oct30   0:00 syslogd -m 0 root     11044  0.0  1.1  2408  732 pts/1    S    00:03   0:00 grep syslog

�@
�ݨ�syslog�o�ӪA�ȦW�٤F�a�H�I�����I�ҥH���D�L�w�g�b�I�����U�u�@�o�Isyslog �o��{���i�H���ѡy�t�εn�J��T�O���z�ΡyKernel���~��ĵ�ܸ�T�O���z���\��A���~�A�L�ٴ��ѤF�y���a�ݻP���ݹq�����n����T�O���z�\��A�ҥH�A�i�H�N���ݪ��D���n�J��T�P�ɰO���b���a�ݩO�I�ܤ������\��a�I�I���~�A�ثe���W�ϥΪ��t�ΪA�Ȥ��A�j���w�]�䴩�H syslog �o�@�ӪA�ȨӰO���L���n���ɮ׸�ơA�Ҧpapache, samba, sendmail �����C�ӳq�`syslog���Ѫ��O���ѼƥD�n���G
�@
• �ƥ�o�ͮɶ��F
• �D���W�١F
• �Ұʦ��ƥ󪺪A�ȦW�١]�Ҧp httpd, samba...�^
• �T����Ƥ��e
�@
�����o�Ǹ�T�A���M�A�o�Ǹ�T���Բӫ׬O�i�H�ק諸�A���~�A�o�Ǹ�T�i�H�@���t�ΰ������ΩO�I�ڭ̥��Ӭݤ@�U/var/log/secure�����e��ܨǤ���O�H
�@

[root @test root]# vi /var/log/secure Nov  4 16:28:35 test xinetd[7831]: START: telnet pid=7841 from=192.168.1.11 Nov  4 16:28:35 test xinetd[7841]: FAIL: telnet address from=192.168.1.11 Nov  4 23:41:17 test sshd[10803]: Accepted password for test from 192.168.1.11 port 3117 ssh2 Nov  4 23:41:17 test sshd(pam_unix)[10805]: session opened for user test by (uid=500) Nov  4 23:41:29 test su(pam_unix)[10838]: authentication failure; logname=test uid=500 euid=0 tty= ruser=test rhost=  user=root Nov  4 23:41:34 test su(pam_unix)[10839]: session opened for user root by test(uid=500)

�@
�b�W�������椤�A�i�H�ݨ�C���O�����D�n���e�O�G
�@
<����P�ɶ�><�D���W��><�A�ȦW��><��ܰT��>
�@
�H�Ĥ@����ƨӬݡA<����O Nov 4 �� 16:28:35 �ɭ�>�A�b<�D�� test ����>�A<���� xinetd �A�Ȫ����e����ư�>�A<�ӵ{�Ǫ� PID �� 7831�A��ܪ��T���A�����Otelnet�o�ӥ�xinetd�Ұʪ��A�Ȧ��H�n�J�A�n�J�̪�IP�O192.168.1.11>�A�o�˰��ԲӤF�a�I�٦��ܦh����T�ȱo�ݪ��O�I�ר�O/var/log/messages�����e�C�M��A���n�ѰO�F�A�b�̫�@����Ƥ��A�ٰO���F�i�H�ϥ�su���ϥΪ̪�uid��500�A�b���W�٬�test�A����p�G�o�Ӹ�ƳQ�H�a�ܨ��F�A�����I���ӥ~����cracker�N�i��չϥHtest�o�ӱb���Ӳq���A���K�X�A�å[�H�}�ѡA��I�u���ܭ��n�a�I�ҥH�o�Ǹ�ƫܦh������~�y�O�I
�@
�n�F�A�A�Ӭݨ�ڭ̭n�p��ӳ]�w syslogd �O�H�I��軡�� syslog �i�H�O���ڭ̨t�Τ����X�G�Ҧ����w�]���t�Τu�@�A����U�@�ڪ������A�ȬO�ۦ�]�w���O�H�I�Ҧp�H Tarball �w�˦n���A�ȮM��COK�I�ڭ̥i�H�ǥѭק� syslog ���Ѽ��ɨӹF��o�ӥت��C����w�]�� syslog �Ѽ��ɩ�b���̩O�H�I
�@
• /etc/syslog.conf
�@
���w�]�� syslogd �{�����Ѽ��ɮ״N�O /etc/syslog.conf �o���ɮפ��e�աI�o���ɮת����e�i�H�W�w�y����A�Ȼݭn�Q�O���B�ӪA�ȳQ�������T�����Ŧp���H�z�C�򥻤W�A�i�H�ϥΩ��U���y�l�y�k�ӻ����G
 

�A�ȦW��.�T�����š@�@�@�s�����ܦa�I

• �A�ȦW���G�Ҧp mail, http, news, cron, at �������A�ȦW�١F
�@
• �T�������G�`�@�����U�C�X�ص��šG
• info �G ���ܤ@�ǰT����ơF
• notice �G �`�N�I�ݭn����d�N���T���F
• waring �� warn �G ĵ�ܪ��T���A�H�W�T�ӰT�����٬O�S�����~�����p�A���M�O�ݭn�d�N�A���O�٨S������~�����p�F
• err �� error �G �r�I���~�T���X�{�F�I�ӭn������~�����D�o�ͭ�]�F�F
• crit �G �{���I�F�I�A���B�z�i�N�˸����F�I
• alert �G ���~�T���@�A�aĵ�iĵ�i�I�A�N�n���J�F�I
• emerg �� panic �G ���I�t�Τw�g�i�J�V�ê����q�I�u���O���J�F���
• �S�������G�Ҧp debug �]��ܸ��h����T�I�^�� none �]���n�O���ӪA�Ȫ����e�I�^���I
�@
• �s�����ܦa�I�G�q�`�ڭ̨ϥΪ����O�O�����ɮװաI���O�]�i�H��X��˸m��I�Ҧp�L�����������I
• �ɮת�������|�G�q�`�N�O��b /var/log ���Y���ɮװաI
• �L�����Ψ�L�G�Ҧp /dev/lp0 �o�ӦL�����˸m
• �ϥΪ̦W���G��ܵ��ϥΪ��o�I
• ���ݥD���G�Ҧp @test.adsldns.org
�@

���D�@�G�p�G�ڭn�N�ڪ�mail��������Ƶ��L�g�J/var/log/maillog�����A����b/etc/syslog.conf�N�n�g���G mail.info        /var/log/maillog �`�N��W����A���ڭ̪����Ũϥ�info�ɡA����y����j��info����(�tinfo�o�ӵ���)���W���T���A���|�Q�g�J��᭱�����ɮפ����I�z�o�˥i�H�A�ѶܡH�]�N�O���A�ڭ̥i�H�N�Ҧ�mail���n����T�������b/var/log/maillog�̭����N��աI

�@

���D�G�G�ڭn�N�s�D�s�ո��(news)�ΨҦ�ʩR�O����T(cron)���g�J��@�Ӻ٬�/var/log/cronnews���ɮפ��A���O�o��ӵ{�Ǫ�ĵ�i�T���O���b/var/log/cronnews.warn�Ӧp��]�w�ڪ��ɮשO�H��²��աI�J�M�O��ӵ{�ǡA����u�n�H�����ӹj�}�F�A���~�A�ѩ�ĤG�ӫ��w�ɮפ��A�ڥu�n�O��ĵ�i�T���A�]���]�w�W�ݭn���w�y=�z�o�ӲŸ��A�ҥH�N�����F�G news.*;cron.*             /var/log/cronnews news.=warn;cron.=warn     /var/log/cronnews.warn �W�����ӡy=�z�N�O�b���w���Ū��N��աI�ѩ���w�F���šA�]���A�u���o�ӵ��Ū��T���~�|�Q�����b�o���ɮ׸̭��O�I

�@

���D�T�G�ڪ�messages�o���ɮ׻ݭn�O���Ҧ�����T�A���O�N�O���Q�n�O��cron,mail��news����T�A�������ӫ��g�~�n�H�i�H����ؼg�k�A���O�O�G *.*;news,cron,mail.none            /var/log/messages �� *.*;news.none;cron.none;mail.none  /var/log/messages �ϥΡy,�z���j�ɡA���򵥯ťu�n���b�̫�@�ӧY�i�A�p�G�O�H�y;�z�Ӥ����ܡA����N�ݭn�N�A�ȻP���ų��g�W�h�o�I�o�˷|�]�w�F�a�I

�@
�A�ѻy�k����A�ڭ̨Ӭݤ@�ݦb�|���}�Һ����A�Ȫ����p�U�A�ڭ̪� syslog �����Ǩt�ΪA�Ȥw�g�b�����F�O�H�I���N�O�@�@�@ /etc/syslog.conf �o���ɮת��w�]���e�o�I�]�`�N�I�p�G�ݭn�N�Ӧ氵�����ѮɡA����N�[�W # �Ÿ��N�i�H�աI�^
�@

�Ĥ@�ӨҤl�G�Ӧ� Red Hat 7.x ������ syslog.conf ���e�G #kern.*                                                 /dev/console # �u�n�O kernel ���ͪ��T���A�������e�� console �h�I # �o�Ӷ��عw�]�O�������I���L�A�u�n�z�@�N�A�i�H�}�ҴN�O�F�I *.info;mail.none;authpriv.none;cron.none                /var/log/messages # �b�w���U�A�Ȫ��T�����A���n�O����o���ɮ׷����աI # �Ҧp mail �ڭ̤w�g�w�]�n�O���b /var/log/maillog �]���U�^�A # �ҥH�۵M���n�b�O����o�� /var/log/messages �ɮפ��աI # �M���L���T���������O���� /var/log/messages �����I # �ҥH�o���ɮ׬۷������n�I�S���Q�W�w�쪺�T�����i�H�b�o�̧��I authpriv.*                                              /var/log/secure # �o�ӴN�O�g�L�@�Ǩ����T�{���欰����A�ݭn�O���������ɮװաI # ����O�����T�{�O�H�Ҧp pop3 ���H�n��J�b���P�K�X�B ssh �P telnet, ftp  # �������A�Ȼݭn��J�b���P�K�X�A�o�dz��|�b /var/log/secure �̭��O���I # �L�i�]�O�۷����n���@���ɮשO�I mail.*                                                  /var/log/maillog # �u�n�� mail �������]���׬O pop3 �٬O sendmail �^���|�Q������o���ɮפ��I cron.*                                                  /var/log/cron # �ٰO�o�Ҧ�ʩR�O���@���`�ܡH�I��աI�N�O���� crontab ���F��A # ���F�誺�A�ȵ{���W�ٴN�O cron �աI���� cron �����G���O���󦹡I *.emerg                                                 * ����ɭԵo�ͪ�ĵ�i�T�����|��ܵ��u�W���Ҧ��H�I���� �� �N�O�ثe�u�W���Ҧ��H�աI uucp,news.crit                                          /var/log/spooler # �O���s�D���~���� crit �����Ū���T�A�g�J spooler �����I local7.*                                                /var/log/boot.log # �N�}�����������T�����L�g�J /var/log/boot.log �o���ɮ׷�����I

�ĤG�ӨҤl�G�Ӧ� Mandrake 9.0 �� syslog.conf ���e�I # �U�بt�Ϊ��T�� # �U���T�椤�A���O�O�����O�G # 1. �Ĥ@��O�����O�����y�����T�{�z����T�A�u�n�O���y�n�J�z�D���A�Y�� #   �y��J�b���P�K�X�z���{�ǮɡA���O���� auth.log �̭��h�F�A�o�������O���D�n���G #    xinet(telnet, ftp), ssh, su, postfix, pop3 ���� # 2. �ĤG��h�O���F�����O������T���~�A��L�����ݭn�O���b/var/log/syslog�����I # 3. �ĤT��h�O�O���F���� user ���檺���O���I�s�t�Υ\��Ҳ��ͪ��Y�ǰT���I auth,authpriv.*                                /var/log/auth.log *.*;auth,authpriv.none                        -/var/log/syslog user.*                                        -/var/log/user.log # �o�ӳ����h�O�b�O�������T�I����W���� /var/log/syslog ���I���ƤF�I # ���L�A���U�o�@�椤�A�� mail, news, authpriv ��������T�����|�Q�����C *.info;mail.none;;news.none;authpriv.none     -/var/log/messages # �����{�Ҹ�T�������T�����|�Q�����b /var/log/secure �o���ɮ׷����A # ���� /var/log/auth.log �]���I���ƤF�I�L�צp��A�h�O���X���`�O�n���I Authpriv.*                                     /var/log/secure # �����l��������T���|�����b���U�I���L�A�٬O�����T�ӵ��ŨӰO���A # ���O�O�Ҧ��Bĵ�i�P���~�T���I�]���p�G�O�l��D�����ܡA�A���T���|�D�`�����áA # �ҥH�A�ɪ��N�O���ɪ����Ť��}�A�N���U���A�ѧA���D���D�n��T�O�I mail.=debug;mail.=info;mail.=notice           -/var/log/mail/info mail.=warn                                    -/var/log/mail/warnings mail.err                                      -/var/log/mail/errors # �o�ӳ����h�O�b�O������@�ǨҦ�ʩR�O���]�w���B�I # �n��o���O�A�ѩ�ܦh���차�{�����O�ϥ� cron �b�i��}�a���欰�A # �ҥH�A�ɪ��A�� cron �]�O�ܭ��n���I cron.=debug;cron.=info;cron.=notice           -/var/log/cron/info cron.=warn                                    -/var/log/cron/warnings cron.err                                      -/var/log/cron/errors # �o�����O�O�������֤ߦ�������T�I�Ҧp�ڭ̦b�e�@�����쪺�Ҳո��J�A # �ѩ󨺭ӬO�֤ߪ��\��A�ҥH������Ҳո��J�ɡA�֤ߴN�|���T����ܰաI kern.=debug;kern.=info;kern.=notice           -/var/log/kernel/info kern.=warn                                    -/var/log/kernel/warnings kern.err                                       /var/log/kernel/errors # �o�O����L��������T�աI lpr.=debug;lpr.=info;lpr.=notice              -/var/log/lpr/info lpr.=warn                                     -/var/log/lpr/warnings lpr.err                                       -/var/log/lpr/errors # �o�O�s�D�s�եD������T news.=debug;news.=info;news.=notice           -/var/log/news/news.notice news.=crit                                    -/var/log/news/news.crit news.=err                                     -/var/log/news/news.err # ����o�ӴN�O����Ҧ��A�Ȭ������ɮ��o�I Daemon.=debug;daemon.=info;daemon.=notice     -/var/log/daemons/info Daemon.=debug;daemon.=info;daemon.=notice     -/var/log/daemons/info Daemon.=warn                                  -/var/log/daemons/warnings Daemon.err                                    -/var/log/daemons/errors # �N�Ҧ��w�g�e�{�y�Y�����~���T���z�H�Y���o�e���ثe�b�D���W��������H�I # �o���Ӧn�B�F�A�p�G�D���U�@�������o�ͺ��ƥ�ɡA����u�W�ϥΪ̥i�H�ߨ誾�D�A # �p�G����ߧY�p�� root ���ܡA����D�����ˮ`�N�i���̧C�I *.emerg                                       * # ����� Mandrake Linux �������]�w�u��A����ܪ���T���|�Q�����b�o���ɮפ��I Local1.*                                      -/var/log/explanations

�@
�j�P�W�N�O���o�ǥ\��աI�o�ˤ@�ӡA�ڭ̪��@�Ǥ��P����T�N�i�H�s�b���P���ɮ׷����A�i�H��K�ڭ̨Ӷi��n�J��ƪ��ѪR�O�I�t�~�A�o���ɮ׳��۷������n�]�Ҧp����ɭԳQ�ֵn�J�i�ӥD���աI�H�^�A�ҥH�L�̪��v���j�h�O�ݩ� root ���iŪ�g�Ӥw�I�o�I�D�`�ݭn�p�ߦӯd�N�I�]�Ъ`�N�A�b�t�Ϊ��w�]���p���A�Ҧ����������A���T���X�G���O�g�J /var/log/messages �o���ɮפ��A�ҥH�A�p�G�t�Φ����D�A�иԲӪ��ˬd�@�U�o�� /var/log/messages �ɮקa�I�I�^
�@
�p�G�z����L���ݨD�A�ҥH�ݭn�S�����ɮר����A�O���ɡA�����I�O�Ȯ�A�d�U���L�O���b/etc/syslog.conf�����A�p���@�ӡA�z�N�i�H���ƪ��N�\�h����T�O���b���P���ɮ׷����A�H��K�z���޲z�O�I
�@


---

• �n���ɪ��w���ݩʳ]�w

�n�F�A�ѤW�@�ӳ��`�̭��ڭ̪��D�F syslog.conf ���]�w�A�]���D�F�n���ɤ��e�����n�ʤF�A�ҥH�A�p�G�۷Q�A�O�@�ӫܼF�`���b�ȡA�Q�Q�ΥL�H���q���F�a�ơA�M��S���Q�d�U�ҾڡA�A�|���@�H��աI�N�O���}���ɭԱN���������b�A�N�Ҧ��i�઺�T�������L�ٷٱ��A�ҥH�Ĥ@�Ӱʸ������a��N�O�n���ɪ��M���u�@�ա�z�I�����ФH�a�F�a�ơK..�ޡI���n�����ܡ�ͪ��N��O�A�p�G��ѧA�o�{�A���n���ɤ��l�ӫD�F�A�Ϊ̬O�o�{�A���n���ɦ��G���ӹ�l���ɭԡA�̱`�o�{���N�O���ͱ`�`�|�^�����A�L��/var/log�o�ӥؿ��y�����F�I�z���n���I�o�O�u���Ʊ�?�аO�o�A�y���ֲM�d�A���t�ΡI�z
�@
�˸����O�I���򦳨S����k����o�˪��Ʊ��O�H���r�I�ޱ������u�K..�����I�O��ߡA�򥻤W�A�ڭ̥i�H�z�L�@�����ê��ݩʨӳ]�w�A���n���ɡA�����y�u�i�H�W�[��ơA���O����Q�R���z�����A�A����γ\�i�H�F��dz\���O�@�I���L�A�p�G�A�� root �b���Q�}�ѤF�A���򩳤U���]�w�٬O�L�k�O�@���A�]���A�n�O�o�y root �O�i�H�b�t�ΤW���i�����Ʊ����z�A�]���A�бN�A�� root �o�ӱb�����K�X�]�w���w���@�ǡI�d�U���n�����o�Ӱ��D�O�I�n�F�A�}�l�ӳ]�w�@�U�򥻪������ݩʧa�I���N�O�b �ɮ��ݩ� ���L�� lsattr �P chattr �o�ӪF��աI�p�G�N�@���ɮץH chattr �]�wi�o���ݩʮɡA������ɮ׳s root ����������I�ӥB�]����s�W��ơA��I�u�w���I���O�A�p���@�ӵn���ɪ��\��Z���O�]�N�����F�H�]���S����k�g�J�r�I�ҥH�o�A�ڭ̭n�ϥΪ��O a �o���ݩʡI�A���n���ɦp�G�]�w�F�o���ݩʪ��ܡA����L�N�u��Q�W�[�A�Ӥ���Q�R���I��I�o�Ӷ��شN�D�`���ŦX�ڭ̵n���ɪ��ݨD�աI�]���A��ij�z�i�H�o�˪��W�[�A���n���ɪ������ݩʡC
�@

[root @test root]# chattr +a /var/log/messages [root @test root]# lsattr /var/log/messages ----a--------- messages

�@
�[�J�F�o���ݩʤ���A�A��/var/log/messages�n���ɱq���N�ȯ�Q�W�[�A�Ӥ���Q�R���A����root�Hchattr �Va /var/log/messages�����o��a���ѼƤ���A�~��Q�R���β��ʳ�I
�@
���F�z���n���ɸ�T�w���A�j�P����ij�z�ϥγo���ݩʡI���L�A�b���U��logrotate�����A�ڭ̥��ݭn�N�o���ݩʥh������A�~��i�������I�����I���U�ӧڭ̨Ӭݬݦp��i��n���ɸ�ƪ������a�I

---

• logrotate�G

�n�F�I����ڭ̤w�g�N�n����Ƽg�J�F�O���ɤ��F�A�]�w�g�Q��chattr�]�w�Fa�o���ݩʤF�A����Ӧp��i�� log rotate ���u�@�O�I�H�o�̽ЯS�O�d�N���O�A syslog �D�O�Q�� demand ���覡�ӱҰʪ��A�����ݨD���ɭԥߨ�N�|�Q���檺�A���O log rotate �o�O�b�W�w���ɶ���F����~�Ӷi�� log files �� rotate �欰�A�ҥH�o�� logrotate �{�dz��O���b cron ���U�i�檺��I�o�@�I�ЯS�O�d�N��I�n�F�A���� logrotate �o�ӵ{�����ѼƳ]�w�ɦb���̩O�H�I�����I�Ҽ{��Ӧa����
�@
• /etc/logrotate.conf
• /etc/logrotate.d
�@
�`�N�o�I���� logrotate.conf �~�O�D�n���Ѽ��ɮסA�ܩ� logrotate.d �O�@�ӥؿ��A�̭����Ҧ��ɮ׳��|�Q�D�ʪ�Ū�J /etc/logrotate.conf �����Ӷi��I�t�~�A�b/etc/logrotate.d�̭����ɮפ��A�p�G�S���W�w�쪺�@�Dzӳ��]�w�A�h�H/etc/logrotate.conf�o���ɮת��W�w�ӫ��w���w�]�ȡI�n�F�A���ڭ̴��� log rotate ���D�n�\��N�O�N�ª��n���ɮײ��ʦ����ɡA�åB���s�إߤ@�ӷs���Ū��ɮרӰO���A�L�����浲�G���I�������U���ϥܡG
�@ �@
�ѤW�����ϥܧڭ̥i�H�M�������D�A���Ĥ@�����槹rotate����A�쥻��messages�|�ܦ�messages.1�ӥB�|�s�y�@�ӪŪ�messages���t�Ψ��x�s�n���ɡC�ӲĤG�����椧��A�hmessages.1�|�ܦ�messages.2��messages�|�ܦ�messages.1�A�S�y���@�ӪŪ�messages���x�s�n���ɡI����p�G�ڭ̶ȳ]�w�O�d�T�ӵn���ɦӤw���ܡA�������ĥ|���ɡA�hmessages.3�o���ɮ״N�|�Q�R���A�åѫ᭱�����s���O�s�n���ɩҨ��N�I�򥻪��u�@�N�O�o�˰աI
�@
����h�[�i��@�� logrotate ���u�@�O�H��I�o�dz��O���b logrotate.conf �̭��A�ڭ̨Ӭݤ@�U�w�]�� logrotate �����e�a�I
�@

# ���U���]�w�O logrotate ���w�]�]�w�ȡA�p�G�ӧO���ɮ׳]�w�F��L���ѼơA # ����N�H�ӧO���ɮ׳]�w���D�A�Y���ɮרS���]�w�쪺�ѼơA # �h�H�o���ɮת����e���w�]�ȡI # �C��§���i��@�� rotate ���u�@ weekly # �O�d�X�ӵn���ɩO�H�w�]�O�O�d�|�ӡI rotate 4 # �O�_�إ߷s���n���ɨӰO���O�H�]���ڭ̭n�~��O���A�ҥH���M�O�إ��o�I create # rotate���᪺�n���ɡA�n���n���Y�A�q�`�O���n���Y�աA # ���O�p�G�A���t�Ϋܦ��L�A���ܧA���n���ɫ��e�j���ɭԡA # ����̦n�N�O���L���Y�@�U������|���Ŷ��I Compress # �N���U�o�ӥؿ������Ҧ��ɮ׳�Ū�i�Ӱ��� rotate ���u�@�I include /etc/logrotate.d # �ܩ�n������T�����A���ϥ� last �Ӭ������n���̸�T�N�O�O���b�o���ɮפ��I # ���U�N�O /var/log/wtmp �o���ɮת� rotate ���p�A�L���N��O�G # 1. �C�Ӥ�i��@�� log rotate ���u�@�F  # 2. �N�ɮת��v���]�w�� 664 �o�I  # 3. �ȫO�s�e�@�Ӥ몺 rotate �ƥ��I�o�ӥi�H��j�@�I�A�Ҧp 5 �I�O�s���Ӥ�A�H�Q�l�� /var/log/wtmp {     monthly     create 0664 root utmp     rotate 1 } # ���U�o���ɮ׸� /var/log/wtmp �����I /var/log/lastlog {     monthly     rotate 1 }

�@
�ѳo���ɮת��]�w�ڭ̥i�H���D /etc/logrotate.d ���N�O�� /etc/logrotate.conf �ҳW���X�Ӫ��ؿ��A�ҥH�A���ڭ̥i�H�N�Ҧ�����Ƴ����L�g�J /etc/logrotate.conf �Y�i�A���O�o�ˤ@�ӳo���ɮ״N��b�O�ӽ����F�A�]���A�W�ߥX�Ӥ@�� RPM �M�� �N�@�� rotate �������ɮסA�����I���G�O����X�z���@�Ӥ�k�I�W������T�O�t�Ϊ��w�]rotate���p�A���L�A�z�i�H�ۦ檺�קאּ�ۤv���w���˦��A�Ҧp�A�p�G�z���t�Ϊ��Ŷ����j�A�åB��߰����H���b�Ȫ����D�A����i�H�G
�@
• �N rotate 4 �令 rotate 9 ���k�A�H�O�s���h���ƥ��ɮסF
• �j�������n���ɤ��ݭn compress �o�I���O�Ŷ��Ӥp�N�ݭn compress �I�ר�O�ܦ��w�ЪŶ���httpd��ݭncompress���I
�@
�n�F�A�W���ڭ̤j�P���ФF /var/log/wtmp �o���ɮת��]�w�A���O�٬O���ܸԲӰաA�ҥH���U�ڭ̥H /etc/logrotate.d/syslog �o�ӽ��� syslog �o�ӪA�Ȫ��ɮסA�ӬݬݸӦp��]�w�L��rotate�O�G
�@

/var/log/auth.log /var/log/syslog /var/log/user.log /var/log/secure /var/log/messages /var/log/boot.log /var/log/mail/errors /var/log/mail/info /var/log/mail/warnings /var/log/cron/errors /var/log/cron/info /var/log/cron/warnings /var/log/kernel/errors /var/log/kernel/info /var/log/kernel/warnings /var/log/lpr/errors /var/log/lpr/info /var/log/lpr/warnings /var/log/news/news.err /var/log/news/news.notice /var/log/news/news.crit /var/log/daemons/errors /var/log/daemons/info /var/log/daemons/warnings /var/log/explanations { �@�@�@�@sharedscripts �@�@�@�@rotate 5 �@�@�@�@weekly �@�@�@�@postrotate �@�@�@�@/usr/bin/killall -HUP syslogd # �@�@�@�@endscript }

�@
���T�� logrotate ���g�k���G
�@
• �N log file �W�١]�]�t������|�^�g�b�e���A�i�H�ϥΪťզr�����j�h�� log files �F
• �� { } �]�A�Ҧ����]�w�F
• �]�w�����ػP�e�����쪺�ۦP�A�åB�i�[�J rotate �e (pre) �P�� (post) ���@�ǯS�����檺���O�I
• prerotate�G�b�Ұ� logrotate ���e�i�檺���O�A�Ҧp�ק� log file ���ݩʡI�I
• postrotate�G�b���� logrotate ����Ұʪ����O�A�Ҧp���s�Ұʡ] kill -1 �� kill -HUP �^�Y�ӪA�ȡI
• Prerotate�Ppostrotate���w�g�[�W�F�S���ݩʪ��ɮ׳B�z�W���A�O�۷����n������{�ǡI
�@
�ѩ�ڭ̤w�g�N�n���ɪ��ݩʳ]�w�Fchattr +a�A�ҥH���ݭn�blogrotate���e�N�o���ݩʮ����A�æblogrotate����A�A�N�o���ݩʥ[�^�h�I�ҥH�o�A����prerotate�Ppostrotate�N�㪺�۷������n�աI���]�ڭ̶Ȱw��/var/log�̭����X���ɮ׳]�w�ݩʡG
�@
• messages
• secure
• auth.log
�@
�������Ӧp��ק�W����ܪ����e�O�H��I�A�i�H�o�˰��G
�@

/var/log/auth.log /var/log/syslog /var/log/user.log /var/log/secure /var/log/messages /var/log/boot.log /var/log/mail/errors /var/log/mail/info /var/log/mail/warnings /var/log/cron/errors /var/log/cron/info /var/log/cron/warnings /var/log/kernel/errors /var/log/kernel/info /var/log/kernel/warnings /var/log/lpr/errors /var/log/lpr/info /var/log/lpr/warnings /var/log/news/news.err /var/log/news/news.notice /var/log/news/news.crit /var/log/daemons/errors /var/log/daemons/info /var/log/daemons/warnings /var/log/explanations { �@�@�@�@sharedscripts �@�@�@�@rotate 5 �@�@�@�@weekly �@�@�@�@prerotate �@�@�@�@�@�@�@�@/usr/bin/chattr -a /var/log/auth.log �@�@�@�@�@�@�@�@/usr/bin/chattr -a /var/log/messages �@�@�@�@�@�@�@�@/usr/bin/chattr -a /var/log/secure �@�@�@�@endscript �@�@�@�@postrotate �@�@�@�@�@�@�@�@/usr/bin/killall -HUP syslogd �@�@�@�@�@�@�@�@/usr/bin/chattr +a /var/log/auth.log �@�@�@�@�@�@�@�@/usr/bin/chattr +a /var/log/messages �@�@�@�@�@�@�@�@/usr/bin/chattr +a /var/log/secure �@�@�@�@endscript }

�@
�ݨ�_�H�N�O�����L�h�� a �o���ݩʡA�M�����F����A�A���L�[�J�o���ݩʡI�ЯS�O�d�N���O�A���� /usr/bin/killall �VHUP syslogd ���N�q�A�o�@�檺�ت��b��N�t�Ϊ� syslogd ���s�H��Ѽ��ɡ] syslog.conf �^�����Ū�J�@���I�]�i�H�Q���O reload ���N��աI�ѩ�ڭ̫إߤF�@�ӷs���Ū������ɡA�p�G�����榹�@��ӭ��s�ҰʪA�Ȫ��ܡA����O�����ɭԱN�|�o�Ϳ��~��I�I(�Ц^��귽�޲z�����`Ū�@�U kill �᭱�� signal �����e����)�I
�@
Logrotate�����աG
�n�F�A�]�w��������A�ڭ̨Ӵ��լݬݳo�˪��]�w�O�_�i��O�H���L���橳�U�����O�G
�@

[root @test root]# logrotate �Vf /etc/logrotate.conf [root @test root]# lsattr /var/log/auth.log /var/log/messages /var/log/secure ----a--------- /var/log/auth.log ----a--------- /var/log/messages ----a--------- /var/log/secure

�@
�W������ -f �㦳�y�j�����z���N��A�p�G�@�����]�w���S�����D���ܡA����z�פW�A�z�� /var/log �o�ӥؿ��N�|�_�ܤ��o�I�ӥB���Ӥ��|�X�{���~�T���~��I�K�K�I�o�˴N OK �F�I�ܴΤ��O�ܡH�I

�n�F�A����w�]��logrotate����ɭ԰���O�H�����I���ξ�ߡA�t�Τw�g���ڭ̳]�w�n�F�I��b���̩O�H
�@

/etc/cron.daily/logrotate
�@
�`�N�ݤ@�U�̭������e�G
�@
/usr/sbin/logrotate /etc/logrotate.conf
�@
�ѩ� logrotate ���u�@�w�g�[�J crontab ���Y�F�I�ҥH�{�b�C�Ѩt�γ��|�۰ʪ����L�d�� logrotate �o�I���ξ�ߪ��աI�I�u�O�n�`�N�@�U���� /var/log/messages ���Y�O�_�`�`���G�yJun 23 04:02:00 test syslogd 1.4.1: restart.�z�o�˪��r�ˡI�H�o�������O syslogd ���s�Ұʪ��ɶ��ա]�N�O�]�� /etc/logrotate.d/syslog ���]�w���t�G�I�^
�@

���D�G�ڪ�/var/log/messages�u�Ʊ�O���@�Ǭ۷����n����T�A����cron�����e�w�g�b/var/log/cron�̭��O���F�A�ҥH�ڷQ�Ncron����T�����A����ӫ��ק�ڪ�syslog.conf���]�w�O�H ���G �򥻤W�A�A�i�H�o�˳]�w�աI [root @test root]# vi /etc/syslog.conf �ק� /var/log/messages ���@��A�Ϧ������U���Ҽ˴N�i�H�F�I *.info;mail.none;;news.none;authpriv.none;cron.none      -/var/log/messages [root @test root]# /etc/rc.d/init.d/syslog restart �o�˴N�i�H�աI²�檺�ܡI

�@

���D�G�N procmail �� logfile �]/var/log/procmail.log�^�[�J logrotate �����I���]�ڭ̤w�g�N procmail �[�J�� sendmail ���{�������F�A�åB�w�g�ҰʥL�A�o�ӮɭԡA�p�G�ڷQ�n�C�Ӥ������@�� logrotate �A�åB�O�d���Ӥ�����n����Ƴƥ��A���ӫ��@�O�H ���G �ϥ� vi �إߤ@���ɮסA�ɦW�� /etc/logrotate.d/procmail�A�o���ɮת����e���G # This file is creating by VBird 2002/06/18  /var/log/procmail.log {  �@�@�@�@monthly  �@�@�@�@size=10M  �@�@�@�@rotate 5  �@�@�@�@nocompress  } �W�������O�G  1. �Y�ӵn���ɤu�@�W�L�@�Ӥ�F  2. �θӵn���ɤj�p�W�L 10 MB�F  3. �O�s���ӳƥ��ɮסF  4. �ƥ��ɮפ��n���Y�I�I �M���x�s�����}�A�o�ˤ@�ӡA�C�Ӥ�N�|�۰ʪ��N�n����Ƴƥ��U���o�I���ݭn���檺�աI������쪺�O���� size ���ѼơI�p�G�z���n���ɦѬO�ܤj���ɭԡA�i�H�Ҽ{�[�J size �o�ӰѼƻ��I�L�򥻤W����س��A���O�O�y k �P M �z�A�Шϥ� man logrotate �ӸԲӬd�ݤ@�U�Ϊk�o�I

�n���ɪ����R�O�ܭ��n���I�Ҧp���� last �i�H���A���D�쩳�ֵn���i�D���աI���O�èS�� pop3 �o�Ӧ��H��w���n���T���I�o�ӮɭԴN�ݭn�Ҽ{�� /var/log/secure �������աI�L�צp��A�t�γ̱`�ϥΪ��d�\�n���ɪ����O���O�����U�X�ӡG

---

• dmesg

[root @test /root]# dmesg

�b���O�C�Ҧ�������Jdmesg�Y�i����I�ѩ�t�Φb�}�����L�{�����|���N�w�� mount �W�ӡA�ҥH�L�k�����N��ƪ������LŪ�� log file �����h�A���O���F�����W������K�A�ҥH�b�}�����L�{�������T���٬O�n�O���U�ӡA�o�ӮɭԨt�δN�N ram �}�F�@�Ӥp�϶����x�s�o�Ӹ���o�I�o�Ӷ}���O�����ɮ״N�O�G�y/proc/kmsg�z�աI�P�ɡA�w�]�� RAM ���϶��e�q�b���P���������ä��ۦP�A�ثe���w�]�����O 16KB ���j�p��
�@


---

• last

[root @test /root]# last �Ѽƻ����G -number �Gnumber ���Ʀr�A�p�G�z���n�J�T���Ӧh�F�A�i�H�ϥγo�ӫ��O�I �d�ҡG [test @test /root]# last -5 test    pts/0        192.168.1.2      Tue Apr  9 20:34 - 20:35  (00:01) test    pts/0        192.168.1.2      Tue Apr  9 20:14 - 20:30  (00:15) test    ftpd21546    192.168.1.2      Tue Apr  9 02:55 - 03:06  (00:10) test    ftpd15813    192.168.1.2      Tue Apr  9 01:20 - 01:21  (00:00) test    pts/0        192.168.1.2      Mon Apr  8 20:14 - 00:27  (04:13) wtmp begins Tue Apr  2 01:12:26 2002 [root @test /root]# last -f /var/log/wtmp.1  <==�s�X�W�Ӥ몺�n�J��ơI

����p�G�n�s�X�ӤW�Ӥ몺�n�J��ƩO�H�I�i�H�ϥΤW�����ĤG�ӽd�ҡI

• Mandrake 9.0

���M�ܦh���M�󳣦��L�̪��ߦn���n�����R����ɮסA���O�`ı�o���O�ܹ�ۤv���f���A�ҥH�O�AVBird�N�ۤv�g�F�@��{���Ӥ��R�ۤv���n���ɡI�ثe�o��{���w�g�Q�令�i�H�䴩Mandrake 9.0�F�A�ӥB�w�g���]����RPM�ɮסA���ӬO�ܮe���w�˰աI

�ڪ��]�p�z����²��A�N�O��¤��R�ڭ̱`�`�ϥΪ��X�ӪA�ȡG

• SSH�n�J���ƻP�n�J�̱b���PIP���R�F
• �ϥ�su��Ʀ�root������
• �ϥ�FTP�n�J�D�������ƻP�n�J�̱b���PIP���R�F
• �ϥ�POP3�n�J�D�������ƻP�n�J�̱b���PIP���R�F
• �ϥ�Postfix�����A
�j���N�O���R�o���Ӹ�ơA�Ӥ��R���ɮ׬��G
• /var/log/auth.log
• /var/log/mail/info, /var/log/mail/warnings, /var/log/mail/errors
• /var/log/messages
�U���������G
• http://linux.vbird.org/download.html
�w�˪��B�J��²�檺�A�N�O�����HRPM���覡�Ӧw�˧Y�i�I�e������?���~�A�o�ӵ{���w�]�|�N���R����ƱH��root@localhost�A�ҥH�A�p�G�z�Q�n���o�ӵ{�������R���G�H���L���H�c�h���ܡA����N�ݭn��ʪ��ק�@�U�ɮסA��Y�O/usr/local/virus/logfile/logfile.sh�o���ɮסA�ק墨��email���ܼơA�N�L�ѭ����root�令�A��e-mail address�Y�i�I
���j�a����ܻ��P���޲z�ۤv���D����I
�@


---

• Red Hat 7.X

���M Red Hat �w�g�g�F�@��ܴΪ��{���Ӥ��R log files �A���O���`ı�o���O�ܦX�ڪ��f���I�I�ҥH�N�����H awk �t�X cut �P�@�Ǭ����� command �A�N�ڪ��X�ӭ��n�� secure �� log files �s�X�ӡA���s���R�@�f�I�g�X�F�@�ӥs�� logfile.sh �����R�ɮסI�o���ɮץD�n���R�����ج��G
• /var/log/secure  �G�t ssh �n�J�Bftp �n�J�Bpop3 �n�J�� sendmail �n�J���|�j���ءF
• /var/log/messages�G���R�]���~�n�J�ӵo�ͪ����~�T����ܡF
• /var/log/maillog �G���R�O�_�i��Q���@��H���F�H�I�ˬd�չϨϥΧڭ̥D���� IP �I
�w�˪��B�J��²��I���L�Ъ`�N�A�ڪ��o���ɮץD�n�����ҬO�b Red Hat 7.2 ���U�A�Ӧb Red Hat 7.1 ���U�ϥιL�]�S��������D�I�����w�˪���k�a�I
• ���U�����ɮסG

logfile.sh
• �إߤ@�ӥؿ��A�W�٬� /usr/local/virus/logfile

mkdir /usr/local/virus
mkdir /usr/local/viurs/logfile
• �N�ɮ� copy ��ӥؿ��U�A�åB�ܧ��v���G

cp /root/logfile.sh /usr/local/virus/logfile
chmod 700 /usr/local/virus/logfile/logfile.sh
• �]�w�o���ɮצb�C�Ѫ� 11:57pm ����@���I�s�� /etc/crontab �ɮסI

vi /etc/crontab
57 23 * * * root /usr/local/virus/logfile/logfile.sh
�o�ˤl�@�ӡA�C�Ѫ��ߤW 11:57 �N�|�۰ʪ�����o�@�Ӥ��R�ɮסA�åB�N��ƱH���z�]root�^�A�ҥH�p�G�A���Q�N��ƱH�� root ���ܡA�жi�J logfile.sh �̭��A�ק�yemail="root@localhost"�z�o�@�Ӷ��ءA�令�z�n�� e-mail �N�i�H�աI���ϥδr�֡I
�@


---

• ���ͦ^���ʧ@�G

�P�º��ͤ��S�Ҵ��Ѫ���T�A�ѩ�ڭ̪��{���ϥΪ��O Wu-ftp �o�� ftp ���A�ȡA�ҥH�w�� proftp �èS����k���\���N���d�w�I�٦n���S�w�g���j�a�d�w�F�I��I�P�¥L�a�I�I ^_^�p�G�z�٦��s���o�{�A�w�ﴣ�X�ӻP�ڭ̤�����I�����o�I�H�U�N���S�g������ proftp �������K�W�ӡA�p�G�z�ϥΪ��O proftp ���ܡA����бN���U����ưŤU����A�K�� logfile.sh �����A���N����� 2.3 ���@�������� ftp ���B�z�X�I
 

# 2.3a FTP {for proftpd} echo "========================== "                                                           >> $logfile echo "3. ���� FTP  �n���ɪ��n�J���Ʋέp"                                                     >> $logfile echo "�b��   �ӷ���} ���� "|awk '{printf("\%-15s \%-25s \%-4s\n", $1, $2, $3)}'             >> $logfile echo "FTP�n�J����: `cat $basedir/messageslog|grep "FTP session opened." | wc -l`"|awk '{printf( "\%-41s \%3d\n", $1, $2)}' >> $logfile # add login ip script cat $basedir/messageslog | grep "FTP session opened."|awk '{print $7}'|cut -d"[" -f2 | cut -d"]" -f1 >"$basedir/ftploginip" /bin/awk '{ for( i=0; i<1; i++ ) Number[$i]++ };      END{ for( course in Number )      printf( "\%-41s \%3d\n", course, Number[course])}' $basedir/ftploginip|sort +2 -gr |awk '{printf("\%-41s \%3d\n", $1, $2)}'>>$logfile echo " "      >> $logfile echo "FTP�n�J���\�b��"      >> $logfile cat $basedir/messageslog | grep "(ftp) session opened for user" | awk '{print $11}' > "$basedir/messagesftp" /bin/awk '{ for( i=0; i<1; i++ ) Number[$i]++ };      END{ for( course in Number )      printf( "\%-41s \%3d\n", course, Number[course])}' $basedir/messagesftp|sort +2 -gr|awk '{printf("\%-41s \%3d\n", $1, $2)}'>>$logfile echo " "      >> $logfile cat $basedir/messageslog|grep "Authentication failure." >$basedir/ftperr cat $basedir/messageslog|grep "no such user '" >>$basedir/ftperr echo "FTP���~�n�J����:`cat $basedir/ftperr| wc -l`"|awk '{printf( "\%-41s \%3d\n", $1, $2)}' >> $logfile cat $basedir/ftperr|grep "failure."|awk '{print $7 " " $9}'|cut -d'[' -f2|cut -d':' -f1|awk '{print $2 " " $1}'|cut -d'M' -f2|cut -d']' -f1>"$basedir/ftpfail" /bin/awk '{ for( i=0; i<1; i++ ) Number[$i]++ };      END{ for( course in Number )      printf( "\%-15s \%3d\n", course, Number[course])}' $basedir/ftpfail|sort +2 -gr|awk '{printf("\%-15s \%-25s \%3d\n", $1, $2, $3)}'>>$logfile cat $basedir/ftperr|grep "no such user '"|awk '{print $7 " " $12}'|cut -d'[' -f2|awk '{print $2 " " $1}'|cut -d']' -f1>"$basedir/ftpxusr" /bin/awk '{ for( i=0; i<1; i++ ) Number[$i]++ };      END{ for( course in Number )      printf( "\%-15s \%3d\n", course, Number[course])}' $basedir/ftpxusr|sort +2 -gr|awk '{printf("\%-15s \%-25s \%3d\n", $1, $2, $3)}'>>$logfile echo " "      >> $logfile