While using ArchLinux I found something odd. On Linux you frequently need to look up system log files, and the place to search is the /var/log directory, but on ArchLinux /var/log is rather sparse.
# ls -l /var/log
total 104
-rw------- 1 root utmp 1920 Sep 30 22:26 btmp
-rw------- 1 root root 1068 Sep 30 22:30 fail2ban.log
-rw------- 1 root root 984 Sep 30 22:30 faillog
drwxr-sr-x+ 4 root systemd-journal 4096 Sep 29 23:22 journal
-rw-r--r-- 1 root root 11972 Sep 30 22:30 lastlog
-rw-r--r-- 1 named named 0 Sep 29 23:41 named.log
drwxr-xr-x 2 root root 4096 Jun 4 2013 old
-rw-r--r-- 1 root root 10229 Sep 30 22:38 pacman.log
-rw-rw-r-- 1 root utmp 53760 Sep 30 22:30 wtmp
For example, I wanted to look up the records of failed ssh login attempts, but they were nowhere to be found. On most distributions they would be in
/var/log/secure
或是
/var/log/auth.log
After a Google search I found this:
arch linux – Where are my sshd logs? – Unix & Linux Stack Exchange
It turns out that, because ArchLinux logs to the systemd journal, the ssh-related log entries can be pulled out with the following command
# journalctl -u sshd |tail -10
Sep 30 22:26:40 alarmpi sshd[308]: Failed password for root from 192.168.1.6 port 3192 ssh2
Sep 30 22:27:55 alarmpi sshd[308]: Connection closed by 192.168.1.6 [preauth]
Sep 30 22:27:55 alarmpi sshd[308]: PAM 3 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.6 user=root
Sep 30 22:27:55 alarmpi sshd[308]: PAM service(sshd) ignoring max retries; 4 > 3
Sep 30 22:28:25 alarmpi systemd[1]: Stopping OpenSSH Daemon...
Sep 30 22:28:26 alarmpi systemd[1]: Stopped OpenSSH Daemon.
-- Reboot --
Jan 01 08:00:16 alarmpi sshd[115]: Server listening on 0.0.0.0 port 22.
Sep 30 22:30:12 alarmpi sshd[265]: Accepted password for root from 192.168.1.6 port 3269 ssh2
Sep 30 22:30:12 alarmpi sshd[265]: pam_unix(sshd:session): session opened for user root by (uid=0)
The same article also mentions that the logs can be written out to separate files by configuring /etc/syslog.conf or /etc/rsyslog.conf.
Install a syslog daemon package (syslog-ng is used here) and enable forwarding of journald messages to syslog
# pacman -S syslog-ng
# sed -i 's/#ForwardToSyslog=no/ForwardToSyslog=yes/' /etc/systemd/journald.conf
Enable the syslog-ng service so it starts at boot
# systemctl enable syslog-ng
Created symlink from /etc/systemd/system/syslog.service to /usr/lib/systemd/system/syslog-ng.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/syslog-ng.service to /usr/lib/systemd/system/syslog-ng.service.
Start the syslog-ng service
# systemctl start syslog-ng
Check the log files under /var/log again
# ls -l /var/log
total 824
-rw-r----- 1 root log 1245 Oct 1 20:17 auth.log
-rw------- 1 root utmp 2688 Oct 1 20:17 btmp
-rw------- 1 root utmp 6912 Sep 30 23:29 btmp.1
-rw-r----- 1 root log 10952 Oct 1 20:16 daemon.log
-rw-r----- 1 root root 8000 Jan 1 1970 debug
-rw-r----- 1 root log 11910 Oct 1 20:16 everything.log
-rw------- 1 root root 4342 Oct 1 20:16 fail2ban.log
-rw------- 1 root root 984 Oct 1 20:17 faillog
drwxr-sr-x+ 4 root systemd-journal 4096 Sep 29 23:22 journal
-rw-r----- 1 root root 206836 Jan 1 1970 kern.log
-rw-r--r-- 1 root root 11972 Oct 1 20:15 lastlog
-rw-r----- 1 root root 202786 Oct 1 19:49 messages
-rw-r----- 1 root log 10952 Oct 1 20:16 messages.log
-rw-r--r-- 1 named named 0 Sep 29 23:41 named.log
drwxr-xr-x 2 root root 4096 Jun 4 2013 old
-rw-r--r-- 1 root root 12889 Oct 1 19:51 pacman.log
-rw-r----- 1 root log 1005 Oct 1 20:17 ssh.log
-rw-r----- 1 root root 215446 Oct 1 19:49 syslog
-rw-r----- 1 root log 958 Jan 1 1970 syslog.log
-rw-rw-r-- 1 root utmp 83712 Oct 1 20:15 wtmp
The ssh log entries are now stored in /var/log/auth.log
# cat /var/log/auth.log
Jan 1 08:00:15 alarmpi systemd-logind[126]: New seat seat0.
Oct 1 20:15:55 alarmpi sshd[258]: Accepted password for root from 192.168.1.6 port 2278 ssh2
Oct 1 20:15:55 alarmpi sshd[258]: pam_unix(sshd:session): session opened for user root by (uid=0)
Oct 1 20:15:55 alarmpi systemd-logind[126]: New session c1 of user root.
Oct 1 20:15:55 alarmpi systemd: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Oct 1 20:16:55 alarmpi sshd[275]: Address 192.168.1.10 maps to tces-doc-airport-express.home, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Oct 1 20:16:57 alarmpi sshd[275]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.10 user=root
Oct 1 20:16:58 alarmpi sshd[275]: Failed password for root from 192.168.1.10 port 59403 ssh2
Oct 1 20:17:01 alarmpi sshd[275]: Failed password for root from 192.168.1.10 port 59403 ssh2
Oct 1 20:17:04 alarmpi sshd[275]: Failed password for root from 192.168.1.10 port 59403 ssh2
Oct 1 20:17:04 alarmpi sshd[275]: Connection closed by 192.168.1.10 [preauth]
Oct 1 20:17:04 alarmpi sshd[275]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.10 user=root
The ssh log can also be split out into a file of its own.
Edit /etc/syslog-ng/syslog-ng.conf
# vim /etc/syslog-ng/syslog-ng.conf
#sshd configuration
Add the following three lines (a destination file, a filter matching the sshd program name, and a log statement tying them together)
destination ssh { file("/var/log/ssh.log"); };
filter f_ssh { program("sshd"); };
log { source(src); filter(f_ssh); destination(ssh); };
Restart the syslog-ng service
# systemctl restart syslog-ng
Only the ssh-related log entries remain
# cat /var/log/ssh.log
Oct 1 20:15:55 alarmpi sshd[258]: Accepted password for root from 192.168.1.6 port 2278 ssh2
Oct 1 20:15:55 alarmpi sshd[258]: pam_unix(sshd:session): session opened for user root by (uid=0)
Oct 1 20:16:55 alarmpi sshd[275]: Address 192.168.1.10 maps to tces-doc-airport-express.home, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Oct 1 20:16:57 alarmpi sshd[275]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.10 user=root
Oct 1 20:16:58 alarmpi sshd[275]: Failed password for root from 192.168.1.10 port 59403 ssh2
Oct 1 20:17:01 alarmpi sshd[275]: Failed password for root from 192.168.1.10 port 59403 ssh2
Oct 1 20:17:04 alarmpi sshd[275]: Failed password for root from 192.168.1.10 port 59403 ssh2
Oct 1 20:17:04 alarmpi sshd[275]: Connection closed by 192.168.1.10 [preauth]
Oct 1 20:17:04 alarmpi sshd[275]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.10 user=root
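Once the sshd messages are in one place, whether the `journalctl -u sshd` output shown earlier or the /var/log/ssh.log file above, the next thing a defender wants is a quick summary of who is failing to authenticate and how often. The script below is an added example, not part of the original post or of syslog-ng; the log lines inside it are constructed to match the format shown on this page, and the function names and the threshold value are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): summarise sshd authentication
# events from syslog-ng / journalctl style lines read on stdin.
# SAMPLE_LOG is constructed to match the format of /var/log/ssh.log above.

SAMPLE_LOG='Oct 1 20:15:55 alarmpi sshd[258]: Accepted password for root from 192.168.1.6 port 2278 ssh2
Oct 1 20:16:58 alarmpi sshd[275]: Failed password for root from 192.168.1.10 port 59403 ssh2
Oct 1 20:17:01 alarmpi sshd[275]: Failed password for root from 192.168.1.10 port 59403 ssh2
Oct 1 20:17:04 alarmpi sshd[275]: Failed password for root from 192.168.1.10 port 59403 ssh2
Oct 1 20:17:04 alarmpi sshd[275]: Connection closed by 192.168.1.10 [preauth]
Oct 1 20:18:10 alarmpi sshd[290]: Failed password for invalid user admin from 192.168.1.7 port 41000 ssh2
Oct 1 20:18:12 alarmpi sshd[290]: Failed password for invalid user admin from 192.168.1.7 port 41000 ssh2'

# failed_by_host: print "<count> <source host>" for every host that produced
# "Failed password" lines, highest count first.  The host is the token that
# follows "from", which also works for "invalid user" lines.
failed_by_host() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (h in n) print n[h], h }' | sort -rn
}

# hosts_over_threshold THRESHOLD: print only the hosts whose failed-attempt
# count reaches THRESHOLD (the value is a local policy choice, not a standard).
hosts_over_threshold() {
    failed_by_host | awk -v t="$1" '$1 >= t { print $2 }'
}

# accepted_count: number of successful password logins on stdin.
# grep -c exits 1 when there are no matches, so keep the exit status at 0.
accepted_count() {
    grep -c 'sshd\[[0-9]*\]: Accepted password for' || true
}

# Stand-alone run: show the summary for the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | failed_by_host
printf 'hosts with 3 or more failures: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | hosts_over_threshold 3)"
printf 'accepted logins: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | accepted_count)"
```

In daily use, feed it the real file (`failed_by_host < /var/log/ssh.log`) or the journal (`journalctl -u sshd --no-pager | failed_by_host`). A host that keeps appearing at the top of this list is the one to look at with fail2ban, which is already installed on the box shown above, or with a firewall rule.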