7

In CentOS 7, how can I locate and view all the system logs that tell me who tried to enter the system, who got in, what processes they contacted, what they accomplished, etc. I want to be able to link every activity to either a userid or a remote IP address.

My /var/log/ directory contains numerous resources including /var/log/messages and /var/log/secure, but most of the files are of type Binary (application/octet-stream) and the OS does not know how to open them unless I associate some unknown viewing program with them. Also, /var/log/firewalld does not seem to contain useful information.

I can find all the logs produced by my app, my database, and NginX/Apache.

CodeMed
  • Ok, you found `/var/log` and all of them are Binaries? You sure? How are you checking? – Braiam Nov 27 '14 at 23:46
  • @Braiam I did not say they were all binaries. I said most of them are binaries. For example, `/var/log/firewalld` is a text file that seems to contain useless information. I am checking by clicking on the files in the GUI. First left clicking to try to open, then right clicking to view properties to check file type. – CodeMed Nov 27 '14 at 23:55
  • The system doesn't do this by default. You have to enable audit logging to get this. I show many of the methods in this A: http://unix.stackexchange.com/questions/75051/commands-for-determining-level-of-usage-of-server. There's a good overview of auditd here: http://security.blogoverflow.com/2013/01/a-brief-introduction-to-auditd/. Search for others, there are many. – slm Nov 28 '14 at 01:07
  • @slm I read your links. Thank you. This will be a web server. I will need to track the identity of every individual who touches in any way any record in a database or any file in specific parts of the file system. I will also need to use this logging data to set up alerts that fire any time an unauthorized user accesses any data. I know how to do the application-and-database-level logging. I want to set up logging so that CentOS logs can be linked to the web container logs, app logs, and database logs, perhaps by ip. How should I frame questions about the CentOS level of this requirement? – CodeMed Nov 28 '14 at 01:48
  • @CodeMed - I'd state that it's CentOS 7, just as you have. I think you can do what you want using auditd, wrt the manipulation of the filesystem and what commands/processes are invoked by users on the local filesystem. This won't show anything beyond user nginx,apache,etc. doing X though from the application level. You might need to blend the 2 together. I would also frame it as a systemd Q, with CentOS 7 being the specific instance. – slm Nov 28 '14 at 01:53
  • @CodeMed - auditd logs to a file, I'm not sure if it can log to a database, I'd suspect that there's a way to do this that's off the shelf, IMO. – slm Nov 28 '14 at 01:54
  • @slm I asked a much narrower question yesterday, but I do not seem to be getting an answer to it. Are you willing to help me with it? here is the link: http://unix.stackexchange.com/questions/171335/viewing-firewalld-logs-via-remote-login-to-centos-7-server – CodeMed Dec 05 '14 at 00:10
  • For completeness, in CentOS 6 they're in `/var/log/nginx` FWIW :) – rogerdpack Nov 18 '19 at 16:54

1 Answer

12

The (commandline) utility you should be using is journalctl. E.g. to look at the dmesg output:

journalctl --dmesg

or parseable entries relating to the firewall:

journalctl --output=json-pretty UNIT=firewalld.service

For a list of selectable UNIT use the usual tools:

journalctl --output=json-pretty | grep -F UNIT | sort -u

See man journalctl on your system for more options to restrict and specify the output.

Anthon
  • Thank you. This is a start. But my question is more global. How do I get a list of all available logs? And how do I get the output into a format I can use? For example, a resource that can be imported into a java program that is tracked to a user or ip. `journalctl --dmesg` does not seem to identify anyone more specific than `localhost.localdoman`, and `journalctl --firewalld` produces `unrecognized option`. So your suggestion does not really answer my question yet. – CodeMed Nov 27 '14 at 19:53
  • You should really look at the man page. It is pretty informative. `journalctl --output=json-pretty UNIT=firewalld.service` gives you json output. – Anthon Nov 27 '14 at 20:04
  • Thank you for the update. I did read the manual, but your answer can make it easier to apply. Right now, `journalctl --output=json-pretty | grep -f UNIT | sort -u` gives `grep: UNIT: No such file or directory` – CodeMed Nov 27 '14 at 20:21
  • Also, `journalctl --output=json-pretty UNIT=firewalld.service` only works when I am logged in as root, but not when I try to use the terminal as a normal user. So I cannot use this code programmatically yet. If I could somehow auto-generate a fresh set of log files for every selectable unit without having to leave my root password in a hackable file, then this question would be answered. – CodeMed Nov 27 '14 at 21:02
  • @CodeMed There was a typo in the `grep` arguments ( I didn't cut and paste and lowercased the `-F` option). – Anthon Nov 28 '14 at 06:33
  • I have a follow up question about firewalld logs. Are you willing to help me with it? Here is the link: http://unix.stackexchange.com/questions/171335/viewing-firewalld-logs-via-remote-login-to-centos-7-server – CodeMed Dec 04 '14 at 18:51
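As an added example, not code from the answer or from systemd, here is a Python parser for `journalctl --output=json` lines that reduces each entry to unit, uid and, for sshd login messages, the peer address and account name, which is the per-user/per-IP linkage the question asks for. It assumes the standard journal field names (`_SYSTEMD_UNIT`, `_UID`, `MESSAGE`, `__REALTIME_TIMESTAMP`) and uses constructed sample lines; note that `UNIT=` on the command line selects systemd's own messages about a unit, whereas messages a unit's processes write carry `_SYSTEMD_UNIT`, which is what the parser keys on.

```python
import json
import re

# Constructed sample of `journalctl --output=json` output (one JSON object per line).
# Field names are real journal fields; every value below is made up for this example.
SAMPLE_JOURNAL = """\
{"__REALTIME_TIMESTAMP":"1417128000000000","_HOSTNAME":"localhost.localdomain","_SYSTEMD_UNIT":"sshd.service","_UID":"0","_PID":"1204","MESSAGE":"Accepted publickey for alice from 203.0.113.7 port 51234 ssh2"}
{"__REALTIME_TIMESTAMP":"1417128001000000","_HOSTNAME":"localhost.localdomain","_SYSTEMD_UNIT":"sshd.service","_UID":"0","_PID":"1204","MESSAGE":"Failed password for invalid user admin from 198.51.100.9 port 40022 ssh2"}
{"__REALTIME_TIMESTAMP":"1417128002000000","_HOSTNAME":"localhost.localdomain","_SYSTEMD_UNIT":"firewalld.service","_UID":"0","_PID":"611","MESSAGE":"ERROR: COMMAND_FAILED"}
{"__REALTIME_TIMESTAMP":"1417128003000000","_HOSTNAME":"localhost.localdomain","_SYSTEMD_UNIT":"session-3.scope","_UID":"1000","_PID":"1340","MESSAGE":"deploy script started"}
not json at all
"""

# sshd login lines name the account and the peer address; most other units do not.
IP_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")
USER_RE = re.compile(r"(?:Accepted \w+ for|Failed password for(?: invalid user)?) (\S+) from")

def parse_journal(text):
    """Parse JSON-lines journal output, skipping malformed lines rather than aborting."""
    entries = []
    for line in text.splitlines():
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return entries

def list_units(entries):
    """Sorted set of units that wrote to the journal (the grep / sort -u step, in code)."""
    return sorted({e["_SYSTEMD_UNIT"] for e in entries if "_SYSTEMD_UNIT" in e})

def attribute(entries):
    """Reduce each entry to the fields needed to tie it to a uid or a remote IP."""
    rows = []
    for e in entries:
        msg = e.get("MESSAGE", "")
        ip, user = IP_RE.search(msg), USER_RE.search(msg)
        rows.append({
            "ts_us": int(e.get("__REALTIME_TIMESTAMP", "0")),  # microseconds since epoch
            "unit": e.get("_SYSTEMD_UNIT", "?"),
            "uid": int(e["_UID"]) if "_UID" in e else None,     # uid of the logging process
            "remote_ip": ip.group(1) if ip else None,            # peer address, sshd lines only
            "login_user": user.group(1) if user else None,       # account named in the login line
            "message": msg,
        })
    return rows

if __name__ == "__main__":
    print(attribute(parse_journal(SAMPLE_JOURNAL)))
```

To run it on a real system, feed the output of `journalctl --output=json` to `parse_journal` instead of the constructed sample.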