| SHARE: |
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
██ ██
█▌ - VARIOUS OTHER LOGS & HISTORY FILES - █▌
█▌ █▌
█ ▐▌
█ LOGS AND HISTORY ON THIS TUTORIAL: ▐▌
█ LFTP - LOGS: ▐▌
█ MYSQL - HISTORY: ▐▌
█ NANO - HISTORY: ▐▌
█ SAMBA - LOGS: ▐▌
█ WGET - LOGS: ▐▌
█ DEBIAN - OTHER LOGS: ▐▌
█ ▐▌
█ LOGS AND HISTORY FOR OTHER PROGRAMS NOT ON THIS TUTORIAL: ▐▌
█ apache2 logs view the tutorial HERE. ▐▌
█ delegate logs & removal of cache view the tutorial HERE. ▐▌
█ eggdrop logs view the tutorial HERE, toward the end. ▐▌
█ exim4 logs view the tutorial HERE. ▐▌
█ glftpd logs view the tutorial HERE. ▐▌
█ psybnc log view the tutorial HERE, toward the end. ▐▌
█ pzs-ng view the tutorial HERE, this section 'PZSNG SITE MIRROR'. ▐▌
█ weechat logs view the tutorial HERE, toward the end. ▐▌
█ ▐▌
█ MISC LOGROTATE NOTES: ▐▌
█ ````````````````````` ▐▌
█ To change logrotate's defaults so that if it isn't stated in a ▐▌
█ configuration file, it will use the settings here: ▐▌
█ pico /etc/logrotate.conf ▐▌
█ ▐▌
█ Easy to understand article HERE on the settings used in logrotate. ▐▌
█ ▐▌
█ To test, but NOT actually rotate all of your logs handled by logrotate: ▐▌
█ logrotate --debug --force /etc/logrotate.conf ▐▌
█ ▐▌
█ To rotate the logs manually: ▐▌
█ logrotate --force -v /etc/logrotate.conf ▐▌
█ ▐▌
█ LFTP - LOGS: ▐▌
█ ```````````` ▐▌
█ lftp site is here, tutorial here, and man page here, or: ▐▌
█ man lftp ▐▌
█ lftp --help ▐▌
█ On startup, lftp executes /etc/lftp.conf and then ~/.lftprc and ▐▌
█ ~/.lftp/rc. ▐▌
█ ls -alR ~/.lftp ▐▌
█ bookmarks {user made to store bookmarks ▐▌
█ .bookmarks.swp {bookmark file in MAC format ▐▌
█ cwd_history {last working dir for each site ▐▌
█ log {lftp log in nohup mode (exit lftp while it is working) ▐▌
█ rl_history {contains all cmds executed ▐▌
█ transfer_log {contains all transfers including paths and IPs. ▐▌
█ ▐▌
█ To view all of your variables: ▐▌
█ lftp ▐▌
█ set -a ▐▌
█ For example by default it will have 3 of log files set to yes: ▐▌
█ set cmd:save-cwd-history yes ▐▌
█ set cmd:save-rl-history yes ▐▌
█ set xfer:log yes ▐▌
█ ▐▌
█ To change your settings (while still in lftp mode): ▐▌
█ set cmd:save-cwd-history no ▐▌
█ set cmd:save-rl-history no ▐▌
█ set xfer:log no ▐▌
█ ▐▌
█ View your settings again: ▐▌
█ set -a ▐▌
█ To leave lftp: ▐▌
█ quit ▐▌
█ ▐▌
█ System-wide settings: ▐▌
█ su ▐▌
█ pico /etc/lftp.conf ▐▌
█ Paste in these lines: ▐▌
█ set cmd:save-cwd-history no ▐▌
█ set cmd:save-rl-history no ▐▌
█ set xfer:log no ▐▌
█ ▐▌
█ Then you'll need to manually delete those logs, to find them: ▐▌
█ find /home -type f \( -name transfer_log -o -name rl_history -o -name cwd_history \)
█ ▐▌
█ If your output above is correct, then to remove all of those files: ▐▌
█ find /home -type f \( -name transfer_log -o -name rl_history -o -name cwd_history \) \
█ -exec rm -f {} \; ▐▌
█ ▐▌
█ Note: Users can override those setting if they were to create the files ▐▌
█ ~/.lftprc & ~/.lftp/rc with the settings to 'yes' as those are read after ▐▌
█ the main config file /etc/lftp.conf. ▐▌
█ To send those files to a black hole in '/etc/profile' would mean that they ▐▌
█ couldn't have their own custom settings for lftp at all. ▐▌
█ ▐▌
█ That leaves us with one log file that I didn't find a setting to disable: ▐▌
█ ~/.lftp/log ▐▌
█ tail -20 ~/.lftp/log ▐▌
█ Not a great log to leave laying around :) ▐▌
█ To disable this log, find all instances of it first: ▐▌
█ find /home -type f -name log ▐▌
█ ▐▌
█ Then rm those that are the .lftp/log ▐▌
█ For example: rm /home/user/.lftp/log ▐▌
█ ▐▌
█ Then send all future instances of this log to a black hole: ▐▌
█ pico /etc/profile ▐▌
█ Add this line at the end: ▐▌
█ ln -sf /dev/null ~/.lftp/log ▐▌
█ exit ▐▌
█ ▐▌
█ Test it: ▐▌
█ lftp ▐▌
█ Perform some actions in lftp, exit it then: ▐▌
█ ls -alR ~/.lftp ▐▌
█ Which should now state: ▐▌
█ lrwxrwxrwx 1 user user 9 2010-06-03 09:05 log -> /dev/null ▐▌
█ ▐▌
█ MYSQL - HISTORY: ▐▌
█ ```````````````` ▐▌
█ The file ~/.mysql_history contains all the executed commands in typed in ▐▌
█ the mysql> prompt including the passwords which are stored as plain text. ▐▌
█ tail -20 ~/.mysql_history ▐▌
█ ▐▌
█ To disable mysql_history per session: ▐▌
█ mysql -B ▐▌
█ ▐▌
█ To clear the ~/.mysql_history file: ▐▌
█ cat /dev/null > ~/.mysql_history ▐▌
█ ▐▌
█ To stop mysql from logging your commands, few easy methods: ▐▌
█ Method 1: Disable MYSQL_HISTFILE environment variable: ▐▌
█ rm ~/.mysql_history ▐▌
█ export MYSQL_HISTFILE=/dev/null ▐▌
█ set | grep MYSQ ▐▌
█ ▐▌
█ Output will be similar to: ▐▌
█ MYSQL_HISTFILE=/dev/null ▐▌
█ _=MYSQL_HISTFILE ▐▌
█ ▐▌
█ Method 2: Disable MYSQL_HISTFILE by pointing it to /dev/null: ▐▌
█ rm ~/.mysql_history ▐▌
█ ln -s /dev/null ~/.mysql_history ▐▌
█ ▐▌
█ View its settings: ▐▌
█ ls -l ~/.mysql_history ▐▌
█ ▐▌
█ Test it by performing some mysql cmds, then view its file: ▐▌
█ cat ~/.mysql_history ▐▌
█ ▐▌
█ To have this for all users: ▐▌
█ su ▐▌
█ pico /etc/profile ▐▌
█ Add this line at the end: ▐▌
█ [ -f ~/.mysql_history2 ] && > ~/.mysql_history ▐▌
█ ▐▌
█ The problem with this is it isn't cleared until the user logins again. I ▐▌
█ would rather have this cmd executed after the user logs out but I haven't ▐▌
█ found an easy way to do this system wide yet - without users being able to ▐▌
█ alter that such as in .bash_logout. ▐▌
█ ▐▌
█ So instead of the line above, you could add this line to profile to send ▐▌
█ it to a black hole: ▐▌
█ ln /dev/null ~/.mysql_history -sf ▐▌
█ ▐▌
█ Then you'll need to delete all user's .mysql_history. To find it: ▐▌
█ find /home -type f -name .mysql_history ▐▌
█ ▐▌
█ If your output above is correct, then to remove all of those files: ▐▌
█ find /home -type f -name .mysql_history \ ▐▌
█ -exec rm -f {} \; ▐▌
█ exit ▐▌
█ ▐▌
█ NANO - HISTORY: ▐▌
█ ``````````````` ▐▌
█ Site is HERE & man page is HERE, or: ▐▌
█ man nanorc ▐▌
█ ls -l ~/.nano_history ▐▌
█ cat .nano_history ▐▌
█ ▐▌
█ To disable .nano_history for yourself, create the .nanorc file if it ▐▌
█ doesn't exist: ▐▌
█ pico ~/.nanorc ▐▌
█ Paste this in: ▐▌
█ unset historylog ▐▌
█ ▐▌
█ To disable .nano_history system wide: ▐▌
█ su ▐▌
█ pico /etc/nanorc ▐▌
█ search for (Ctrl+w): history ▐▌
█ Change this line: ▐▌
█ set historylog ▐▌
█ To: ▐▌
█ unset historylog ▐▌
█ ▐▌
█ Note that at the top of the file it states: ▐▌
█ ## Please note that you must have configured nano with --enable-nanorc ▐▌
█ ## for this file to be read! ▐▌
█ To know how it was compiled and the version: ▐▌
█ nano -V ▐▌
█ My output is: ▐▌
█ GNU nano version 2.0.7 (compiled 15:48:01, Aug 26 2008) ▐▌
█ [snip] ▐▌
█ Compiled options: --disable-wrapping-as-root --enable-color ▐▌
█ --enable-extra --enable-multibuffer --enable-nanorc --enable-utf8 ▐▌
█ ▐▌
█ The setting above 'unset historylog' can easily be bypassed by a user- ▐▌
█ since /etc/nanorc is read first, then the user-specific settings from ▐▌
█ ~/.nanorc (if it doesn't exist, users just need to create it), that can ▐▌
█ contain a series of set and unset commands, and then last command line ▐▌
█ options. ▐▌
█ So what I have done is added a line to profile so that each time a user ▐▌
█ logins it will be executed: ▐▌
█ pico /etc/profile ▐▌
█ Add this line: ▐▌
█ [ -f ~/.nano_history ] && > ~/.nano_history ▐▌
█ ▐▌
█ Then you'll need to delete all user's .nano_history. To find it: ▐▌
█ find /home -type f -name .nano_history ▐▌
█ ▐▌
█ If your output above is correct, then to remove all of those files: ▐▌
█ find /home -type f -name .nano_history \ ▐▌
█ -exec rm -f {} \; ▐▌
█ exit ▐▌
█ ▐▌
█ Side note for Debian nano v2.0.7 only: ▐▌
█ Now if you are like me, using a Debian and nano v2.0.7 and you read in the ▐▌
█ help files to view the '.nanorc.sample' file, don't waste your time ▐▌
█ searching for it-doesn't exist. ▐▌
█ You don't 'need' it for this, as we'll create our own, but if curious to ▐▌
█ view it I have put the 'nanorc.sample.in' from v2.2.4 HERE for you. ▐▌
█ There is tho this file: ▐▌
█ cat /usr/share/nano/nanorc.nanorc ▐▌
█ ▐▌
█ SAMBA - LOGS: ▐▌
█ ````````````` ▐▌
█ I don't use samba but it can make a mess of log files, into the 1000's ▐▌
█ easily especially if there script kiddies trying to gain access. ▐▌
█ ls /var/log/samba/ ▐▌
█ The default settings will make a log for - ▐▌
█ every IP that attempts to connect, for example log.__ffff_192.168.1.1 ▐▌
█ every machine name that attempts to connect, for example log.jerk ▐▌
█ And then various other logs. This is all good to know, so that you can ▐▌
█ look into moving your samba to different ports than the default. ▐▌
█ ▐▌
█ To use logrotate on this would make matters worse as it would recreate ▐▌
█ these files. ▐▌
█ The samba logrotate settings are here: ▐▌
█ pico /etc/logrotate.d/samba ▐▌
█ ▐▌
█ Since I don't use samba to test this out fully you should read more and ▐▌
█ not just follow this. HERE and HERE is a good article. If I were to use ▐▌
█ samba I would first though change how it logs: ▐▌
█ pico /etc/samba/smb.conf ▐▌
█ First read this line: ▐▌
█ # NOTE: Whenever you modify this file you should run the command ▐▌
█ [snip] ▐▌
█ Then after you have done what it states, start here to adjust your ▐▌
█ settings and I would try giving syslog a go: ▐▌
█ # This tells Samba to use a separate log file for each machine ▐▌
█ # that connects ▐▌
█ log file = /var/log/samba/log.%m ▐▌
█ ▐▌
█ After you are done changing the configs you need to restart samba: ▐▌
█ /etc/init.d/samba restart ▐▌
█ ▐▌
█ Remove old logs, for example: ▐▌
█ rm /var/log/samba/log.__ffff_* ▐▌
█ or, which will remove all including backed up compressed files: ▐▌
█ rm /var/log/samba/log.* ▐▌
█ ▐▌
█ SAMBA NOTES: ▐▌
█ If your log files are filled with this error: ▐▌
█ lib/util_sock.c:get_peer_addr_internal(1676) ▐▌
█ getpeername failed. Error was Transport endpoint is not connected ▐▌
█ read_socket_with_timeout: client 0.0.0.0 read error = Connection reset by ▐▌
█ peer. ▐▌
█ ▐▌
█ According to what I have read HERE, this is caused by Window XP users ▐▌
█ connections. To fix this add to samba config as long as it's not a PDC: ▐▌
█ smb ports=139 ▐▌
█ HERE is another post about this error. ▐▌
█ ▐▌
█ BTW to turn off samba: ▐▌
█ sysv-rc-conf openbsd-inetd off ▐▌
█ /etc/init.d/samba stop ▐▌
█ ▐▌
█ WGET - LOGS: ▐▌
█ ```````````` ▐▌
█ wget does not log by default, but if you have entered wget with -o option ▐▌
█ it will have made a logfile in your home dir. ▐▌
█ ls ~/wget-log ▐▌
█ If you have it: ▐▌
█ rm ~/wget-log ▐▌
█ ▐▌
█ All users, find if they have it: ▐▌
█ su ▐▌
█ find /home -type f -name wget-log ▐▌
█ If they do and you want to remove it: ▐▌
█ find /home -type f -name wget-log \ ▐▌
█ -exec rm -f {} \; ▐▌
█ ▐▌
█ DEBIAN, OTHER LOGS: ▐▌
█ ``````````````````` ▐▌
█ All default logs are created with syslogd with the settings in this file ▐▌
█ (if they don't have their own config file): ▐▌
█ pico /etc/syslog.conf ▐▌
█ Or if you are using syslog-ng (tutorial HERE) then here: ▐▌
█ pico /etc/syslog-ng/syslog-ng.conf ▐▌
█ Most of these logs are rotated by logrotate or if you are using syslog-ng ▐▌
█ it will rotate them as well. An easy way to know which aren't is you ▐▌
█ won't see backups or compressed .gz files for that log: ▐▌
█ ls -al /var/log ▐▌
█ Linux log files, view HERE for more details of each log. ▐▌
█ Some brief descriptions of each: ▐▌
█ acpid - acpid log ▐▌
█ aptitude - aptitude log (handled by cat /etc/logrotate.d/aptitude) ▐▌
█ auth.log - authorization systems log (included failed attempts) ▐▌
█ boot - boot log ▐▌
█ btmp - failed login attempts (lastb = last -f /var/log/btmp) ▐▌
█ daemon.log - messages/log from daemons ▐▌
█ debug - log for system and application that log in debug mode ▐▌
█ dmesg - bootup & kernel bootup messages (dmesg | less) ▐▌
█ dpkg.log - Debian package managers log (dpkg, apt-get, synaptic, aptitude) ▐▌
█ faillog - binary 'login' failures (faillog or faillog -u user) ▐▌
█ fontconfig.log - font log ▐▌
█ kern.log - kernel messages/log ▐▌
█ lastlog - record of users last login (lastlog) ▐▌
█ lpr.log - printing log ▐▌
█ mail.err - mail errors ▐▌
█ mail.info - mail information such as greylist ▐▌
█ mail.log - " " : identical file ▐▌
█ mail.warn - mail warnings ▐▌
█ messages - system messages from syslogd ▐▌
█ mysql.err - mysql errors from database ▐▌
█ mysql.log - mysql log ▐▌
█ pycentral.log - python log ▐▌
█ syslog - system log ▐▌
█ user.log - userlevel log ▐▌
█ uucp.log - uucp log ▐▌
█ wtmp - login logout records (last / who reads from this) ▐▌
█ wtmp.report - pacct monthly report ▐▌
█ And then various directories containing those applications logs. For ▐▌
█ example: ▐▌
█ /var/log/apt/ - apt-get log ▐▌
█ /var/log/news - log for INN news system ▐▌
█ http://www.isc.org/software/inn ▐▌
█ BTW /var/run/utmp - log of 'who' is currently logged in ▐▌
█ ▐▌
█ Notice that the perms on two on these files are world readable ▐▌
█ (-rw-rw-r--, 664), when they needn't be. For security I'll change that to: ▐▌
█ chmod 640 /var/log/faillog ▐▌
█ chmod 660 /var/log/lastlog ▐▌
█ ▐▌
█ Also these two logs shouldn't need rotation as the programs that use them ▐▌
█ will update accordingly. ▐▌
█ ▐▌
█ Note on faillog: ▐▌
█ Faillog only contains failed logins using the binary 'login'. ▐▌
█ It doesn't contains failed logins using sshd or su. For example to view ▐▌
█ faillog: ▐▌
█ su ▐▌
█ faillog -a ▐▌
█ Replace 'user' with a user's name: ▐▌
█ faillog -u user ▐▌
█ For the past ten days, ▐▌
█ faillog -t 10 -u user ▐▌
█ Mine is empty. Test it by typing in: ▐▌
█ login ▐▌
█ password, type anything. ▐▌
█ Then view faillog again: ▐▌
█ faillog ▐▌
█ man faillog ▐▌
█ ▐▌
█ View this article HERE with faillog methods. ▐▌
█ pico /etc/login.defs ▐▌
█ FAILLOG_ENAB yes ▐▌
█ ▐▌
█ If you know of other sensitive logs that should be looked into - please ▐▌
█ post at mewbies forum, thx :D. ▐▌
█ ▐▌
█ HAVE LOGS E-MAILED AND CHANGE ROTATION SETTINGS: ▐▌
█ ```````````````````````````````````````````````` ▐▌
█ If you would like to have a log e-mailed out before it is compressed and ▐▌
█ or change any of its rotation settings its very simple to do. For example ▐▌
█ this is how you would do it for auth.log: ▐▌
█ SYSLOG: ▐▌
█ If you use syslog (default logging program) then you would edit ▐▌
█ (syslog-ng users instructions after): ▐▌
█ pico /etc/logrotate.conf ▐▌
█ If there is already a setting for 'auth.log' then paste in (changing to ▐▌
█ your e-mail): ▐▌
█ mailfirst ▐▌
█ mail your_email@gmail.com ▐▌
█ ▐▌
█ If there isn't a setting already then paste in, adjusting to your needs, ▐▌
█ after this first line: ▐▌
█ # system-specific logs may be configured here ▐▌
█ /var/log/auth.log { ▐▌
█ daily ▐▌
█ rotate 7 ▐▌
█ compress ▐▌
█ delaycompress ▐▌
█ notifempty ▐▌
█ create 640 root adm ▐▌
█ mailfirst ▐▌
█ mail my_email@gmail.com ▐▌
█ } ▐▌
█ ▐▌
█ If you want to test logrotation without actually rotating: ▐▌
█ logrotate --debug --force /etc/logrotate.conf ▐▌
█ ▐▌
█ Then to rotate manually: ▐▌
█ logrotate --force -v /etc/logrotate.conf ▐▌
█ ▐▌
█ SYSLOG-NG: ▐▌
█ If you use syslog-ng you would edit: ▐▌
█ pico /etc/logrotate.d/syslog-ng ▐▌
█ Has this: ▐▌
█ /var/log/auth.log { ▐▌
█ rotate 4 ▐▌
█ missingok ▐▌
█ notifempty ▐▌
█ weekly ▐▌
█ compress ▐▌
█ } ▐▌
█ ▐▌
█ Change it to for example: ▐▌
█ /var/log/auth.log { ▐▌
█ rotate 3 ▐▌
█ notifempty ▐▌
█ daily ▐▌
█ delaycompress ▐▌
█ compress ▐▌
█ create 640 root adm ▐▌
█ mailfirst ▐▌
█ mail my_email@gmail.com ▐▌
█ } ▐▌
█ ▐▌
█ Then you'll need to restart syslog-ng: ▐▌
█ /etc/init.d/syslog-ng restart ▐▌
█ ▐▌
█ If you want to test logrotation without actually rotating: ▐▌
█ logrotate --debug --force /etc/logrotate.d/syslog-ng ▐▌
█ ▐▌
█ Then to rotate manually: ▐▌
█ logrotate --force -v /etc/logrotate.d/syslog-ng ▐▌
█ ▐▌
█ //---------------------------------------------------------------------- ▐▌
█ ▐▌
█ If you find mistakes, have suggestions, and or questions please post at ▐▌
█ mewbies forum HERE - thank you. ▐▌
█ ▐▌
█ Last update on 24 Aug '10 ▐▌
█ ▐▌
█▌ █▌
█▌ - mewbies.com - █▌
█▌ █▌
██▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄██