Banty Kumar Ashutosh Bhadoria

Posted on 10-Jun-2020


Page 1: Ashutosh Bhadoria Banty Kumar - Mr.Rajiv Ramesh …...Ashutosh Bhadoria Detailed list of an application information, system performance, or user activities. A log can be useful for

Banty Kumar

Ashutosh Bhadoria

Page 2:

A log is a detailed record of application information, system performance, or user activity. A log can be useful for keeping track of computer use, emergency recovery, and application improvement.

Each software program that is capable of creating a log has its own method of starting or stopping log creation.

A log is a record of computer activity used for statistical purposes as well as backup and recovery. Log files are written by the operating system or other control program for such purposes as recording incoming dialogs, error and status messages and certain transaction details. Start and stop times of routine jobs may also be recorded.

Page 3:

The logs generated by a system are stored in files called log files.

Retrieving this information with various system commands is called ‘log capturing’.

Linux systems have a very flexible and powerful logging system, which enables you to record almost anything you can imagine and then manipulate the logs to retrieve the information you require.

Linux uses a set of configuration files, directories, programs, commands and daemons to create, store and recycle these log messages.

Page 4:

Linux system administrators often need to look at log files for troubleshooting purposes.

Knowing where the system keeps its log files and how to make use of related commands can therefore help save valuable time during troubleshooting.

Logs also help to monitor system performance.

From a security point of view, the events logged in the log files are mainly:

1. Authentication attempts, both successful and failed.

2. All bad requests, which include attempted SQL injections and other hacking efforts.

Logs also help to monitor and check resource allocation and usage.

Page 5:

At the heart of the logging mechanism is the rsyslog daemon. This service is responsible for listening to log messages from different parts of a Linux system and routing the message to an appropriate log file in the /var/log directory.

The rsyslog daemon gets its configuration information from the rsyslog.conf file.

The rsyslog.conf file is found in the /etc directory.

The routing instructions come from a series of two-part lines within the file. Each two-part instruction is made up of a selector and an action, and the two parts are separated by white space.

Page 6:

1) auth or authpriv: Messages coming from authorization and security related events.

2) kern: Any message coming from the Linux kernel.

3) mail: Messages generated by the mail subsystem.

4) cron: Cron daemon related messages.

5) daemon: Messages coming from daemons.

6) news: Messages coming from the network news subsystem.

7) lpr: Printing related log messages.

8) user: Log messages coming from user programs.

9) local0 to local7: Reserved for local use.
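As an added example (not from the slides), the selector/action matching described on pages 5 and 6, worked in shell: the rsyslog.conf fragment below is constructed in the classic selector syntax, and the awk matcher implements only the basic facility.priority form (no `=` or `!` priority modifiers).

```shell
# Constructed minimal rsyslog.conf in the classic "selector  action" format
# (made up for this example, not copied from any real host). In a selector,
# "facility.priority" matches that priority and anything more severe,
# "facility.none" excludes the facility, and "*" stands for every facility.
RSYSLOG_CONF='*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                        /var/log/secure
mail.*                                            -/var/log/maillog
cron.*                                            /var/log/cron
kern.*                                            /var/log/kern.log
*.emerg                                           :omusrmsg:*'

# rsyslog_route FACILITY PRIORITY
# Prints the action of every line whose selector matches the message, so you
# can see which file(s) under /var/log a given facility.priority ends up in.
# Supports only the basic selector form (no "=" / "!" priority modifiers).
rsyslog_route() {
  printf '%s\n' "$RSYSLOG_CONF" | awk -v fac="$1" -v pri="$2" '
    BEGIN {
      split("emerg alert crit err warning notice info debug", lv, " ")
      for (i = 1; i <= 8; i++) sev[lv[i]] = i        # 1 = most severe
    }
    /^[ \t]*#/ || NF == 0 { next }                   # comments and blank lines
    {
      hit = 0
      n = split($1, terms, ";")                      # selector terms, in order
      for (t = 1; t <= n; t++) {
        split(terms[t], fp, ".")                     # fp[1]=facilities fp[2]=priority
        m = split(fp[1], facs, ",")
        for (f = 1; f <= m; f++) {
          if (facs[f] != "*" && facs[f] != fac) continue
          if (fp[2] == "none")              hit = 0  # later terms override earlier ones
          else if (fp[2] == "*")            hit = 1
          else if (sev[pri] <= sev[fp[2]])  hit = 1  # at least this severe
          else                              hit = 0
        }
      }
      if (hit) print $2                              # the action ("-" prefix = async write)
    }'
}
```

For instance, `rsyslog_route authpriv info` prints only /var/log/secure, because the authpriv.none term on the first line cancels the *.info match.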

Page 7:

top - top provides an ongoing look at processor activity in real time. It displays a listing of the most CPU-intensive tasks on the system, and can provide an interactive interface for manipulating processes.

who – shows who is logged in.

last – shows a listing of the last logged-in users; last searches back through the file /var/log/wtmp and displays a list of all users logged in since that file was created.

lastlog - reports the most recent login of all users or of a given user; lastlog formats and prints the contents of the last-login log file /var/log/lastlog.

Page 8:

last reboot - finds out when the system was last rebooted.

strace - In the simplest case strace runs the specified command until it exits. It intercepts and records the system calls which are called by a process and the signals which are received by a process. The name of each system call, its arguments and its return value are printed on standard error or to the file specified with the -o option.

cat - concatenate files and print on the standard output.

system() - The C library function int system(const char *command) passes the command name or program name specified by command to the host environment to be executed by the command processor and returns after the command has been completed.

Page 9:

Event correlation is a technique for making sense of a large number of events and pinpointing the few events that are really important in that mass of information.

Event correlation is performed by a special utility called an event correlator.

Event correlation can be decomposed into four steps: event filtering, event aggregation, event masking and root cause analysis.

Page 10:

Event filtering: discarding events that are deemed irrelevant by the event correlator.

Event aggregation (also known as event de-duplication): merging duplicates of the same event.

Event masking: ignoring events pertaining to systems that are downstream of a failed system.

Root cause analysis: analyzing dependencies between events, based for instance on a model of the environment and dependency graphs, to detect whether some events can be explained by others.
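The four correlation steps above, as an added shell/awk example that is not part of the slides: the event lines and the host dependency model are constructed for the example, the model is assumed acyclic, and a host with a crit event is taken as "failed".

```shell
# Constructed sample events, one per line as "HOST PRIORITY MESSAGE"
# (made up for this example; not real log output).
EVENTS='web1 err connection to db1 timed out
web1 err connection to db1 timed out
web2 err connection to db1 timed out
web1 debug keepalive ok
db1 crit host unreachable
core-sw1 crit link down on uplink0
mail1 info message queued'

# Constructed dependency model as "client:upstream" pairs: a client is
# downstream of its upstream and so inherits its failures (assumed acyclic).
DEPENDS='web1:db1 web2:db1 db1:core-sw1'

# correlate_events < events
# Prints one line per surviving event: COUNT HOST PRIORITY MESSAGE, tagged
# "MASKED by <host>" or "ROOT_CAUSE" where the correlation steps decide so.
correlate_events() {
  awk -v deps="$DEPENDS" '
    BEGIN { n = split(deps, d, " ")
            for (i = 1; i <= n; i++) { split(d[i], p, ":"); up[p[1]] = p[2] } }
    # 1. filtering: discard events the correlator deems irrelevant
    $2 == "debug" || $2 == "info" { next }
    # 2. aggregation (de-duplication): merge identical events, keep a count
    { if (!($0 in cnt)) order[++m] = $0
      cnt[$0]++
      if ($2 == "crit") failed[$1] = 1 }            # a crit event marks the host failed
    END {
      for (i = 1; i <= m; i++) {
        key = order[i]; split(key, f, " "); host = f[1]; tag = ""; hops = 0
        # 3. masking: a failed system upstream of this host explains its event
        for (h = up[host]; h != "" && hops++ < 32; h = up[h])
          if (failed[h]) { tag = " MASKED by " h; break }
        # 4. root cause: a failed host with no failed upstream is the explanation
        if (tag == "" && failed[host]) tag = " ROOT_CAUSE"
        print cnt[key], key tag
      }
    }'
}
```

Run as `printf '%s\n' "$EVENTS" | correlate_events`: the seven input lines collapse to four, the duplicate web1 error shows a count of 2, and only the core-sw1 link failure is left unexplained as the root cause.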

Page 11:

In the Log folder on the Desktop there is a file, ProcessLog, which holds the process-related logs.

To make sense of the captured log, we sort out the top 10 CPU-intensive processes from the rest of the large number of log entries.

These processes may be running in the background or the foreground.

This has been achieved by using the ‘sed’ command from the coreutils package. ‘sed’ is a stream editor for filtering and transforming text.

We have also made a provision to search for how many times a particular process, supplied by the user, has been invoked.
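The page-11 steps as an added example, not the authors' own script: the ProcessLog is constructed here in the layout of `top -b -n 1` output (sample values made up), sed strips the header as the slide describes, and the invocation count takes the process name as an argument.

```shell
# Constructed ProcessLog in the layout of "top -b -n 1" output: three summary
# lines, the column header, then one line per process (values made up).
PROCESS_LOG='top - 10:00:01 up 3 days,  2:11,  2 users,  load average: 0.42, 0.35, 0.30
Tasks: 120 total,   2 running, 118 sleeping,   0 stopped,   0 zombie
%Cpu(s):  8.0 us,  2.0 sy,  0.0 ni, 89.0 id,  1.0 wa,  0.0 hi,  0.0 si,  0.0 st
  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
 1201 www-data  20   0  250000  40000  12000 R  45.0  1.0   1:02.33 apache2
 1202 www-data  20   0  250000  41000  12000 S  30.5  1.0   0:58.10 apache2
  915 mysql     20   0 1200000 300000  20000 S  22.0  7.5  12:40.07 mysqld
 2210 alice     20   0   80000  20000   8000 S   9.0  0.5   0:03.21 sshd
 2211 alice     20   0   30000   5000   4000 R   5.5  0.1   0:00.09 top
 1203 www-data  20   0  250000  39000  12000 S   4.0  1.0   0:12.75 apache2
    1 root      20   0  170000  12000   8000 S   0.0  0.3   0:04.12 systemd
  612 root      20   0  100000   9000   7000 S   0.0  0.2   0:00.80 cron
  700 syslog    20   0  220000   6000   5000 S   0.0  0.1   0:01.40 rsyslogd
 2300 bob       20   0   60000  15000   9000 S   0.0  0.4   0:00.05 bash
 2301 bob       20   0   20000   3000   2500 S   0.0  0.1   0:00.01 sleep
 2302 bob       20   0   20000   3000   2500 S   0.0  0.1   0:00.01 sleep'

# process_table: sed deletes everything from line 1 through the column header,
# leaving only the per-process rows (the header must not itself be line 1).
process_table() { printf '%s\n' "$PROCESS_LOG" | sed '1,/^ *PID /d'; }

# top_cpu [N]: the N (default 10) most CPU-intensive entries, foreground or
# background alike, sorted on the %CPU column (field 9) in descending order.
top_cpu() { process_table | sort -b -k9,9nr | head -n "${1:-10}"; }

# count_invocations NAME: how many log entries have NAME as their COMMAND
# (field 12). Exact match, so "sleep" does not also count e.g. "sleeper".
count_invocations() {
  process_table | awk -v p="$1" '$12 == p { n++ } END { print n + 0 }'
}
```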
