LinuxQuestions.org
Old 08-25-2012, 11:58 AM   #1
vk.khurava
LQ Newbie
 
Registered: Aug 2012
Posts: 7

Rep: Reputation: Disabled
USB mass storage logs


Hello everyone,

I really appreciate if someone quickly respond my question.

Well I am using RHEL v6.3 on my laptop & I want to clear all USB device(Mass storage/Modem/Flash Drive etc.) History from OS which I used in past or in current.

I tried to delete all logs from "/var/log" specially messages* but if I run below 2 command I am getting usb results which I connected to my laptop even after deleting /var/log.

sudo awk '/usb/ && (/Manufacturer/ || /Product/ ||/Serial/) && !/usb usb/ && !/New USB/' /var/log/messages*

sudo awk '/usb/ && /Product/ && !/usb usb/ && !/New USB/' /var/log/messages* |cut -f 8-12 -d ' ' |sort |uniq

Please help.
 
Old 08-25-2012, 03:16 PM   #2
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 17,932

Rep: Reputation: 3691
Quote:
Originally Posted by vk.khurava
Hello everyone,
I really appreciate if someone quickly respond my question.

Well I am using RHEL v6.3 on my laptop & I want to clear all USB device(Mass storage/Modem/Flash Drive etc.) History from OS which I used in past or in current. I tried to delete all logs from "/var/log" specially messages* but if I run below 2 command I am getting usb results which I connected to my laptop even after deleting /var/log.

sudo awk '/usb/ && (/Manufacturer/ || /Product/ ||/Serial/) && !/usb usb/ && !/New USB/' /var/log/messages*
sudo awk '/usb/ && /Product/ && !/usb usb/ && !/New USB/' /var/log/messages* |cut -f 8-12 -d ' ' |sort |uniq

Please help.
Help with WHAT? Unless you turn off ALL system logging, the log files will continue to be filled with system events. And if you want a quick answer, call Red Hat support...you're paying for it, since you're using Red Hat Enterprise, right??
 
Old 08-25-2012, 03:34 PM   #3
vk.khurava
LQ Newbie
 
Registered: Aug 2012
Posts: 7

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by TB0ne
Help with WHAT? Unless you turn off ALL system logging, the log files will continue to be filled with system events. And if you want a quick answer, call Red Hat support...you're paying for it, since you're using Red Hat Enterprise, right??
Thanks for your kind reply.
I am using office Red hat version which is not paid by me and I cant ask them for the same coz its not authorized. How can I turn off a particular system logging if you then pls reply. I agreed logs will be filled but just cleaned the logs and did not plugin any usb device then how come its still showing some old logs, I think there is any other location where logs are also being captured.
 
Old 08-25-2012, 04:51 PM   #4
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 17,932

Rep: Reputation: 3691
Quote:
Originally Posted by vk.khurava
Thanks for your kind reply.
I am using office Red hat version which is not paid by me and I cant ask them for the same coz its not authorized.
Then you should NOT be using it. RHEL is a commercial, PAY FOR distribution. If you're not going to pay, then you should load CentOS, which is nearly identical, but free.
Quote:
How can I turn off a particular system logging if you then pls reply. I agreed logs will be filled but just cleaned the logs and did not plugin any usb device then how come its still showing some old logs, I think there is any other location where logs are also being captured.
Spell out your words. If you want to turn off system logging, run "/etc/init.d/syslogd stop". Bear in mind, though, that unless you disable a LOT of system services (like automatic hardware discovery, etc.), then some things are going to run and tell you about what they do.
 
Old 08-25-2012, 05:02 PM   #5
vk.khurava
LQ Newbie
 
Registered: Aug 2012
Posts: 7

Original Poster
Rep: Reputation: Disabled
......

Last edited by vk.khurava; 08-25-2012 at 05:11 PM.
 
Old 08-25-2012, 05:04 PM   #6
vk.khurava
LQ Newbie
 
Registered: Aug 2012
Posts: 7

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by TB0ne
Then you should NOT be using it. RHEL is a commercial, PAY FOR distribution. If you're not going to pay, then you should load CentOS, which is nearly identical, but free.

Spell out your words. If you want to turn off system logging, run "/etc/init.d/syslogd stop". Bear in mind, though, that unless you disable a LOT of system services (like automatic hardware discovery, etc.), then some things are going to run and tell you about what they do.
OK !
pls tell me about above mentioned 2 commands, how these commands are getting logs even after cleaning logs from messages log file, is there any other location for logs? how can i completely clean my usb logs from RHEL so that no one can track me about what usb devices I have used in my RHEL.
 
Old 08-25-2012, 05:53 PM   #7
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 17,932

Rep: Reputation: 3691
Quote:
Originally Posted by vk.khurava
OK !
pls tell me about above mentioned 2 commands, how these commands are getting logs even after cleaning logs from messages log file, is there any other location for logs? how can i completely clean my usb logs from RHEL so that no one can track me about what usb devices I have used in my RHEL.
Again, you need to spell out your words. And again, unless you TOTALLY DISABLE LOGGING, things will be written to the log files. So deleting log files makes no difference at all. You need to be root to delete system logs, or disable system logging, and again, will have to disable hardware discovery, and other automatic services too. It is not a trivial thing.

And your question is a bit suspicious...if you are an administrator, you have root access, and can delete files and disable services...there's no need for you to hide what you've plugged in. If you're not, why are you asking about this?

Last edited by TB0ne; 08-25-2012 at 05:59 PM.
 
Old 08-26-2012, 12:26 AM   #8
vk.khurava
LQ Newbie
 
Registered: Aug 2012
Posts: 7

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by TB0ne
Again, you need to spell out your words. And again, unless you TOTALLY DISABLE LOGGING, things will be written to the log files. So deleting log files makes no difference at all. You need to be root to delete system logs, or disable system logging, and again, will have to disable hardware discovery, and other automatic services too. It is not a trivial thing.

And your question is a bit suspicious...if you are an administrator, you have root access, and can delete files and disable services...there's no need for you to hide what you've plugged in. If you're not, why are you asking about this?
You are not getting my point dear.
I am admin of my RHEL but there is a audit, which is coming soon @ my office, thats why I want to clear all logs. disabling all logging is not a good thought.

Try above 2 commands in your linux just after cleaning all logs, it will show you some logs which indicating that you have used usb devices in your linux.

My only & only question is from where these commands are getting these logs & how? can I delete these logs which is generated by above commands ?
 
Old 08-26-2012, 09:41 AM   #9
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 17,932

Rep: Reputation: 3691
Quote:
Originally Posted by vk.khurava
You are not getting my point dear.
Yes, I am...you are not understanding the answers.
Quote:
I am admin of my RHEL but there is a audit, which is coming soon @ my office, thats why I want to clear all logs. disabling all logging is not a good thought.
Right...and saying this makes what you're asking even MORE suspicious. Why would you want/need to delete your logs if you're getting audited??? And you say in your first post that this is on your laptop...why would your personal laptop be audited?

I gave you the command above to stop your system logging. I told you that you'd have to disable hardware discovery too. Logs are typically in /var/log, but since you're an admin, you know that some services (like apache), can keep their logs in a separate sub-directory.
Quote:
Try above 2 commands in your linux just after cleaning all logs, it will show you some logs which indicating that you have used usb devices in your linux.
My only & only question is from where these commands are getting these logs & how? can I delete these logs which is generated by above commands ?
Right...and I will AGAIN tell you that they're coming from the system log daemon, which (unless you stop), will CONTINUE TO WRITE TO THE SYSTEM LOGS. You also could have logrotate running, which will create BACKUP log files. Unless you delete all of them, the simple search you ran will look at all the OLD message files too. As the admin, do you have logrotate running???

Last edited by TB0ne; 08-26-2012 at 09:48 AM.
 
Old 08-26-2012, 09:55 AM   #10
vk.khurava
LQ Newbie
 
Registered: Aug 2012
Posts: 7

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by TB0ne
Yes, I am...you are not understanding the answers.

Right...and saying this makes what you're asking even MORE suspicious. Why would you want/need to delete your logs if you're getting audited???

I gave you the command above to stop your system logging. I told you that you'd have to disable hardware discovery too. Logs are typically in /var/log, but since you're an admin, you know that some services (like apache), can keep their logs in a separate sub-directory.

Right...and I will AGAIN tell you that they're coming from the system log daemon, which (unless you stop), will CONTINUE TO WRITE TO THE SYSTEM LOGS. You also could have logrotate running, which will create BACKUP log files. Unless you delete all of them, the simple search you ran will look at all the OLD message files too. As the admin, do you have logrotate running???
1. What are these separate sub-directories and where ?
2. System log daemon: ok with it but what if I delete all logs from /var/logs then it should show clear report, right?
3. what is logrotate and where it keeps backup files ?
4. Is there any tool which can clear all logs (hidden or backed up)?
 
Old 08-26-2012, 10:52 AM   #11
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 17,932

Rep: Reputation: 3691
Quote:
Originally Posted by vk.khurava
1. What are these separate sub-directories and where ?
I gave you one above. Again, they COULD be in separate sub-directories...as an admin, you should know that you can configure services to log pretty much wherever you want. I suggest you look in the /var/log directory, and see the sub-directories in there.
Quote:
2. System log daemon: ok with it but what if I delete all logs from /var/logs then it should show clear report, right?
AGAIN, no. It MAY, but may not, since you would also have to disable hardware discovery daemons, etc.
Quote:
3. what is logrotate and where it keeps backup files ?
Logrotate is a program that will keep backups of log files. Where it keeps these files depends on how you set it up. As an admin, you should know if this is running or not, and how you configured it.
Quote:
4. Is there any tool which can clear all logs (hidden or backed up)?
No. Real admins rarely do this, since you WANT log files. I will again point out that this is VERY suspicious behavior....deleting log files before an audit?? And again, why would an auditor be looking at your personal laptop?
 
Old 08-26-2012, 11:37 AM   #12
vk.khurava
LQ Newbie
 
Registered: Aug 2012
Posts: 7

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by TB0ne
I gave you one above. Again, they COULD be in separate sub-directories...as an admin, you should know that you can configure services to log pretty much wherever you want. I suggest you look in the /var/log directory, and see the sub-directories in there.

AGAIN, no. It MAY, but may not, since you would also have to disable hardware discovery daemons, etc.

Logrotate is a program that will keep backups of log files. Where it keeps these files depends on how you set it up. As an admin, you should know if this is running or not, and how you configured it.

No. Real admins rarely do this, since you WANT log files. I will again point out that this is VERY suspicious behavior....deleting log files before an audit?? And again, why would an auditor be looking at your personal laptop?
Actually USB mass storage is not permitted in my company and this is not my personal laptop hence I want to clear all the logs so if can pls help me then i will really appreciate it.

Still i have not received any relevant ans from you. our conversation is like round n round from the cor.
 
Old 08-26-2012, 01:36 PM   #13
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 17,932

Rep: Reputation: 3691
Quote:
Originally Posted by vk.khurava
Actually USB mass storage is not permitted in my company and this is not my personal laptop hence I want to clear all the logs so if can pls help me then i will really appreciate it.

Still i have not received any relevant ans from you. our conversation is like round n round from the cor.
Right, because you ARE NOT UNDERSTANDING THE ANSWER. Pay attention, I will AGAIN tell you the answers:
  • Your logs are typically in /var/log.
  • Since you're a systems administrator, you should already know that the config file for syslog is typically in /etc/syslog-ng.conf.
  • Different services can be in subdirectories underneath that, but can conceivably be ANYWHERE on the system. AGAIN, look in /var/log, and you will SEE the many sub-directories in there.
  • If you're using logrotate, you can have MANY old log files. AGAIN, depending on where YOU set up logrotate to put them, they can be ANYWHERE.
  • You need to be admin/root to delete log files and any backup log files.
  • Unless you STOP system logging and hardware auto-discovery, you WILL GET MORE MESSAGES IN YOUR LOGS. Again, I told you before how to stop system logging.
Go look in /var/log, and delete whatever files you like. Run a "grep -H" on that directory to identify anything with USB in it, and delete it.

And again, you need to spell out your words. If this is your company's laptop and you're violating your company policies, it isn't a bad thing if you get caught. If you're a system administrator, you should already know how to stop system logging, where to look for log files, and (most importantly), how to adhere to company data security policies.

Last edited by TB0ne; 08-26-2012 at 01:37 PM.
 
1 members found this post helpful.
Old 08-26-2012, 04:41 PM   #14
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,066
Blog Entries: 11

Rep: Reputation: 910
This is definitely against best practices, and almost certainly against
your employment agreement. Closed.
 
1 members found this post helpful.
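
For the audit side of this thread: the two awk filters quoted in post #1 read the kernel's USB enumeration messages out of /var/log/messages*, and the same lines can be grouped into one record per device. This is an added example, not code from any poster; the function names `usb_inventory` and `usb_sample_log` and the sample log lines are constructed.

```shell
# Added example: USB device inventory from syslog kernel lines.
# Output: vid:pid|serial|manufacturer|product|times_seen|first_seen
# first_seen follows input order, so pass rotated files oldest first.
usb_inventory() {
    awk '
    # Match "usb <bus>-<port>: <message>"; root hubs ("usb usb1:") do not match.
    match($0, / usb [0-9]+-[0-9.]+: /) {
        port = substr($0, RSTART + 5, RLENGTH - 7)
        msg  = substr($0, RSTART + RLENGTH)
        if (msg ~ /^New USB device found, /) {
            s = cur[port] = ++n             # one session per enumeration
            vid = pid = msg
            sub(/.*idVendor=/, "", vid);  sub(/[^0-9a-fA-F].*/, "", vid)
            sub(/.*idProduct=/, "", pid); sub(/[^0-9a-fA-F].*/, "", pid)
            id[s] = vid ":" pid; seen[s] = $1 " " $2 " " $3
            mfr[s] = prod[s] = ser[s] = "-" # "-" marks a string never logged
        } else if (port in cur) {
            s = cur[port]
            if      (sub(/^Manufacturer: /, "", msg)) mfr[s]  = msg
            else if (sub(/^Product: /, "", msg))      prod[s] = msg
            else if (sub(/^SerialNumber: /, "", msg)) ser[s]  = msg
        }
    }
    END {
        # Collapse sessions into unique devices, keeping first-seen order.
        for (s = 1; s <= n; s++) {
            key = id[s] "|" ser[s] "|" mfr[s] "|" prod[s]
            if (!(key in count)) { first[key] = seen[s]; order[++k] = key }
            count[key]++
        }
        for (i = 1; i <= k; i++)
            print order[i] "|" count[order[i]] "|" first[order[i]]
    }' "$@"
}

# Constructed sample in /var/log/messages format (not real devices).
usb_sample_log() {
    cat <<'EOF'
Aug 24 09:15:40 lab1 kernel: usb usb1: Product: EHCI Host Controller
Aug 24 18:02:11 lab1 kernel: usb 1-1.2: New USB device found, idVendor=aaaa, idProduct=0001
Aug 24 18:02:11 lab1 kernel: usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Aug 24 18:02:11 lab1 kernel: usb 1-1.2: Product: Example Flash
Aug 24 18:02:11 lab1 kernel: usb 1-1.2: Manufacturer: ExampleCorp
Aug 24 18:02:11 lab1 kernel: usb 1-1.2: SerialNumber: CONSTRUCTED0001
Aug 25 08:30:57 lab1 kernel: usb 2-1: New USB device found, idVendor=bbbb, idProduct=0002
Aug 25 08:30:57 lab1 kernel: usb 2-1: Product: Example Modem
Aug 25 08:30:57 lab1 kernel: usb 2-1: Manufacturer: ExampleTel
Aug 25 11:12:09 lab1 kernel: usb 1-1.3: New USB device found, idVendor=aaaa, idProduct=0001
Aug 25 11:12:09 lab1 kernel: usb 1-1.3: Product: Example Flash
Aug 25 11:12:09 lab1 kernel: usb 1-1.3: Manufacturer: ExampleCorp
Aug 25 11:12:09 lab1 kernel: usb 1-1.3: SerialNumber: CONSTRUCTED0001
EOF
}
usb_sample_log | usb_inventory
```

On a live system the function takes the log files as arguments, for example `usb_inventory /var/log/messages*`, and the same flash drive plugged into two different ports collapses into a single line with `times_seen` set to 2.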
All times are GMT -5. The time now is 01:09 PM.