document/TranslateProject
2
0
Fork 0
mirror of https://github.com/LCTT/TranslateProject.git synced 2025-01-22 23:00:57 +08:00
Code Issues Packages Projects Releases Wiki Activity

[Translated]Built in Audit Trail Tool – Last Command in Linux.md

Browse Source
This commit is contained in:
geekpi 2014-01-29 21:56:51 +08:00
parent 672a9117c9
commit 07f8fa3206
2 changed files with 181 additions and 180 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

180
sources/Built in Audit Trail Tool – Last Command in Linux.md
View File

@ -1,180 +0,0 @@
内置审计跟踪工具- Linux last命令
================================================================================
![](http://linoxide.com/wp-content/uploads/2013/12/linux-last-command.jpg)
如果你是一个服务器管理员你或许理解你要保护你的服务器。不仅是从外部还要从内部保护。linux有一个内置工具来看到最后登陆服务器的用户
这个命令是**last**。命令**对于追踪非常有用**。让我们来看一下last可以为你做些什么。
### last命令的功能是什么 ###
**Last** display a list of all user logged in (and out) from **/var/log/wtmp** since the file was created. This file is binary file which cannot view by text editor such as Vi, Joe or another else. This trick is pretty smart because user (or root) can not modify the file as they want.
Last gives you information the name of all users logged in, its tty, IP Address (if the user doing a remote connection) date time, and how long the user logged in.
### How to run Last ###
You just need to type **last** on your console. Heres the sample :
$ last
leni pts/0 10.0.76.162 Mon Dec 2 12:32 - 13:25 (00:53)
pungki tty1 Mon Dec 2 09:31 still logged in
reboot system boot 2.6.32-358.23.2 Mon Dec 2 09:20 - 13:25 (04:05)
Heres how to read last information :
- The first column tell who are the user
- The second column give us information about how the user is connected
> pts/0 (pseudo terminal) means that the user connect via remote connections such as SSH or telnet
>
> tty (teletypewriter) means that the user connect via direct connection to the computer or local terminal
>
> Exception for reboot activity the status will be shown is system boot
- The third column **show where the user come from**. If the user connect from remote computer, you will see a hostname or an IP Address. If you see :0.0 or nothing it means that the user is connect via local terminal. Exception for reboot activity, the kernel version will be shown as the status
- The remaining columns display **when the log activity has happened**. Numbers in the bracket tell us how many hours and minutes the connection was happened
### Some examples of Last command on day-to-day operation ###
#### Limit the number of line shown ####
When you have a lot of lines to show, you can limit how many lines do you want to see. Use **-n parameter** to do it.
$ last -n 3
leni pts/0 10.0.76.162 Mon Dec 2 12:32 - 13:25 (00:53)
pungki tty1 Mon Dec 2 09:31 still logged in
reboot system boot 2.6.32-358.23.2 Mon Dec 2 09:20 - 13:25 (04:05)
**-n parameter** will make last command to display 3 lines starting from the current time and backwards
#### Dont display the hostname ####
Use **-R parameter** to do is. Heres the sample :
$ last -R
leni pts/0 Mon Dec 2 12:32 - 13:25 (00:53)
pungki tty1 Mon Dec 2 09:31 still logged in
reboot system boot Mon Dec 2 09:20 - 13:25 (04:05)
As you see, now there is no information about hostname or IP Address
#### Display the hostname in the last column ####
To do this, we can use **-a parameter**
$ last -a
leni pts/0 Mon Dec 2 12:32 - 13:25 (00:53) 10.0.76.162
pungki tty1 Mon Dec 2 09:31 still logged in :0.0
reboot system boot Mon Dec 2 09:20 - 13:25 (04:05) 2.6.32-358.23.2.el6.i686
Now the hostname information such as 10.0.76.162 will be placed in the last column.
#### Print full login and logout time and dates ####
You can use **-F parameter** for this. Heres a sample.
$ last -F
leni pts/0 10.0.76.162 Mon Dec 2 12:32:24 2013 Mon Dec 2013 13:25:24 2013 (00:53)
#### Print specific user name ####
If you want to trace specific user, you can print it specifically. Put the name of user behind last command.
$ last leni
leni tty1 Mon Dec 2 18-42 still logged in
leni pts/0 Mon Dec 2 12:32 - 13:25 (00:53) 10.0.76.162
Or if you want to know when **reboot** is done, you can also display it
$ last reboot
reboot system boot Mon Dec 2 09:20 - 16:55 (07:34)
reboot system boot Sun Dec 1 04:26 - 04:27 (00:01)
reboot system boot Wed Nov 27 20:27 - 01:24 (04:57)
reboot system boot Tue Nov 26 21:06 - 06:13 (09:06)
#### Print spesific tty / pts ####
Last can also print information about specific tty / pts. Just put the tty name or pty name behind the last command. Here are some sample outputs :
$ last tty1
pungki tty1 Mon Dec 2 09:31 still logged in
pungki tty1 Mon Dec 2 04:26 down (00:00)
pungki tty1 Mon Dec 2 04:07 down (00:00)
pungki tty1 Sun Dec 1 18:55 04:07 (09:12)
$ last pts/0
leni pts/0 10.0.76.162 Mon Dec 2 12:32 - 13:25 (00:53)
pungki pts/0 :0.0 Wed Nov 27 20:28 down (04:56)
When you see **down value** such as the second line above , it means that the user was logged in from specific time until the system is reboot or shutdown.
#### Use another file than /var/log/wtmp ####
By default, last command will parse information from **/var/log/wtmp**. If you want t**he last command** parse from another file, you can use **-f parameter**. For example, you may rotate the log after a certain condition. Lets say the previous file is named **/var/log/wtmp.1** . Then the last command will be like this.
$ last -f /var/log/wtmp.1
#### Display the run level changes ####
There is **-x parameter** if you want to display run level changes. Heres a sample output :
pungki tty1 Mon Dec 2 19:21 still logged in
runlevel (to lvl 3) 2.6.32-358.23.2 Mon Dec 2 19:20 19:29 (00:08)
reboot system boot 2.6.32-358.23.2 Mon Dec 2 19:20 19:29 (00:08)
shutdown system down 2.6.32-358.23.2 Mon Dec 2 18:56 19:20 (00:23)
runlevel (to lvl 0) 2.6.32-358.23.2 Mon Dec 2 18:56 18:56 (00:00)
leni tty1 Mon Dec 2 18:42 down (00:00)
You can see that there are two entries of run level. Runlevel which has **to lvl 3** entry means the system is running on full console mode. No active X Window or GUI. Meanwhile, when the system is **shutdown**, Linux us **run level 0**. Thats why last show you **to lvl 0** entry
#### View bad logins ####
While **last** command logs successful logins, then **lastb** command **record failed login attempts**. You **must have root** access to run lastb command. Heres a sample output from lastb command. Lastb will parse information from /var/log/btmp.
# lastb
leni tty1 Mon Dec 2 22:12 22:12 (00:00)
rahma tty1 Mon Dec 2 22:11 22:11 (00:00)
#### Rotate the logs ####
Since **/var/log/wtmp** record every single log in activities, the size of the file may grow quickly. By default, Linux will **rotate /var/log/wtmp** every month. The detail of rotation activity is put in /etc/logrotate.conf file. Heres the content of my **/etc/logrotate.conf** file.
/var/log/wtmp {
  monthly
  create 0664 root umtp
  minsize 1M
  rotate 1
}
And for **/var/log/btmp**, heres default configuration of rotate activity
/var/log/btmp {
  missingok
  monthly
  create 0600 root umtp
  minsize 1M
  rotate 1
}
### Conclusion ###
You can combine those parameters to custom the output of last and lastb. All parameter **which run on last** command, **also run on** lastb command. For more detail, please visit last manual page by typing **man last** on your console.
--------------------------------------------------------------------------------
via: http://linoxide.com/linux-command/linux-last-command/
译者:[译者ID](https://github.com/译者ID) 校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出

181
translated/Built in Audit Trail Tool – Last Command in Linux.md Normal file
View File

@ -0,0 +1,181 @@
内置审计跟踪工具- Linux last命令
================================================================================
![](http://linoxide.com/wp-content/uploads/2013/12/linux-last-command.jpg)
如果你是一个服务器管理员你或许理解你要保护你的服务器。不仅是从外部还要从内部保护。linux有一个内置工具来看到最后登陆服务器的用户
这个命令是**last**。命令**对于追踪非常有用**。让我们来看一下last可以为你做些什么。
### last命令的功能是什么 ###
**last**显示**/var/log/wtmp**文件创建起所有登录(和登出)的用户。这个文件是二进制文件,它不能被文本编辑器浏览比如vi,Joe或者其他软件。这个技巧非常聪明因为用户(或者root)不能向他们希望的那样修改文件文件。
last会给出所有已登录用户的用户名,tty,IP地址(如果用户是远程连接的话),日期-时间,用户已经登录的时间。
### 如何运行last ###
你只要在控制台中输入**last**.这是个例子:
$ last
leni pts/0 10.0.76.162 Mon Dec 2 12:32 - 13:25 (00:53)
pungki tty1 Mon Dec 2 09:31 still logged in
reboot system boot 2.6.32-358.23.2 Mon Dec 2 09:20 - 13:25 (04:05)
这里是如何阅读last信息:
- 第一列告诉谁是用户
- 第二列给出了用户如何连接的信息
> pts/0 (伪终端) 意味着从诸如SSH或telnet的远程连接的用户
>
> tty (teletypewriter) 意味着直接连接到计算机或者本地连接的用户
>
> 除了重启活动,所有状态会在启动时显示
- 第三列**显示用户来自哪里**。如果用户来自于远程计算机,你会看到一个主机名或者IP地址。如果你看见:0.0 或者什么都没有,这意味着用户通过本地终端连接.除了重启活动,内核版本会显示在状态中。
- 剩下的列显示**日志活动发生在何时**。括号中的数字告诉我们连接持续了多少小时和分钟。
### 日常操作中last的一些示例 ###
#### 限制显示行的数目 ####
当你有很多行要显示时,你可以限制你想看到的行的数目.使用 **-n 参数**来这么做。
$ last -n 3
leni pts/0 10.0.76.162 Mon Dec 2 12:32 - 13:25 (00:53)
pungki tty1 Mon Dec 2 09:31 still logged in
reboot system boot 2.6.32-358.23.2 Mon Dec 2 09:20 - 13:25 (04:05)
**-n parameter** 会使last显示从当前时间到以后的3条记录。
#### 不显示主机名 ####
使用 **-R parameter** 来这么做。这里是例子 :
$ last -R
leni pts/0 Mon Dec 2 12:32 - 13:25 (00:53)
pungki tty1 Mon Dec 2 09:31 still logged in
reboot system boot Mon Dec 2 09:20 - 13:25 (04:05)
如你所见,现在在也没有关于主机或者IP地址的信息了。
#### 最后一列显示主机名 ####
要这么做,我们使用 **-a parameter**
$ last -a
leni pts/0 Mon Dec 2 12:32 - 13:25 (00:53) 10.0.76.162
pungki tty1 Mon Dec 2 09:31 still logged in :0.0
reboot system boot Mon Dec 2 09:20 - 13:25 (04:05) 2.6.32-358.23.2.el6.i686
现在主机信息诸如10.0.76.162 会放在最后一列。
#### 显示完整登入登出时间日期 ####
对于此,你可以使用 **-F parameter**。这个是个示例:
$ last -F
leni pts/0 10.0.76.162 Mon Dec 2 12:32:24 2013 Mon Dec 2013 13:25:24 2013 (00:53)
#### 打印特定的用户名 ####
如果你想要追踪特定的用户,你可以特别打印它。在last命令后面输入用户名。
$ last leni
leni tty1 Mon Dec 2 18-42 still logged in
leni pts/0 Mon Dec 2 12:32 - 13:25 (00:53) 10.0.76.162
或者你想要知道**reboot**何时完成,你也可以这样显示它
$ last reboot
reboot system boot Mon Dec 2 09:20 - 16:55 (07:34)
reboot system boot Sun Dec 1 04:26 - 04:27 (00:01)
reboot system boot Wed Nov 27 20:27 - 01:24 (04:57)
reboot system boot Tue Nov 26 21:06 - 06:13 (09:06)
#### 打印特定 / pts ####
last同样可以打印特定tty/pts的信息. 只要在last命令后面输入tty名字或者pty名字。
这里有一些例子:
$ last tty1
pungki tty1 Mon Dec 2 09:31 still logged in
pungki tty1 Mon Dec 2 04:26 down (00:00)
pungki tty1 Mon Dec 2 04:07 down (00:00)
pungki tty1 Sun Dec 1 18:55 04:07 (09:12)
$ last pts/0
leni pts/0 10.0.76.162 Mon Dec 2 12:32 - 13:25 (00:53)
pungki pts/0 :0.0 Wed Nov 27 20:28 down (04:56)
当你看到 **down 的值** - 比如上面的第二行,它意味着用户从某个时间登录直到系统重启或关机。
#### 使用另一个文件而不是 /var/log/wtmp ####
默认上,last命令会从**/var/log/wtmp**中解析信息。如果你想要**last命令**从另外一个文件解析,你可以使用**-f参数**。比如,你可以在某些条件后倒换日志。让我们假设前面的文件名为**/var/log/wtmp.1**。那么last命令会像这样。
$ last -f /var/log/wtmp.1
#### 显示运行级别改变 ####
这里有个**-x 参数**如果你想要改变运行级别。这里示例输出:
pungki tty1 Mon Dec 2 19:21 still logged in
runlevel (to lvl 3) 2.6.32-358.23.2 Mon Dec 2 19:20 19:29 (00:08)
reboot system boot 2.6.32-358.23.2 Mon Dec 2 19:20 19:29 (00:08)
shutdown system down 2.6.32-358.23.2 Mon Dec 2 18:56 19:20 (00:23)
runlevel (to lvl 0) 2.6.32-358.23.2 Mon Dec 2 18:56 18:56 (00:00)
leni tty1 Mon Dec 2 18:42 down (00:00)
你可以看到这里有两个运行级别。运行级别**to lvl 3**的条目意味着系统运行在完整的控制台模式.没有活跃的X window或者GUI.同时,当系统**关机**时,Linux在**运行级别0**。这就是为什么last会显示**to lvl 0**。
#### 查看失败登录 ####
当**last**命令记录成功登录,那么 **lastb** 命令**记录失败的登录尝试**。你**必须拥有root**权限来运行lastb命令。这里有一个lastb命令的示例输出。lastb会解析/var/log/btmp的信息。
# lastb
leni tty1 Mon Dec 2 22:12 22:12 (00:00)
rahma tty1 Mon Dec 2 22:11 22:11 (00:00)
#### 倒换日志 ####
既然*/var/log/wtmp**记录每次的登录活动,文件的大小可能会快速地增长。默认上,Linux会每月**倒换 /var/log/wtmp/**。倒换活动的细节放在/etc/logrotate.conf 文件中。这里是我**/etc/logrotate.conf**文件的内容。
/var/log/wtmp {
  monthly
  create 0664 root umtp
  minsize 1M
  rotate 1
}
对于 **/var/log/btmp**, 这里是默认的倒换活动配置
/var/log/btmp {
  missingok
  monthly
  create 0600 root umtp
  minsize 1M
  rotate 1
}
### 总结 ###
你可以结合这些参数来自定义last和lastb的输出。所有可以**运行于last命令**的参数都**可运行在**lastb命令上。更多细节,请通过在控制台输入**man last**来访问。
--------------------------------------------------------------------------------
via: http://linoxide.com/linux-command/linux-last-command/
译者:[geekpi](https://github.com/geekpi) 校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出