为了达到一个目的,而进行的命令组合与分析
新装centos6.5-minimal所必须要做的初始动作,修改一些默认的东西
vi /boot/grub/grub.conf在内核行后加入vga=ask或788就启用了framebuffer cp /etc/DIR_COLORS ~/.dir_colors 控制台设置白底黑字 setterm -foreground black -background white -store
一。先列出系统中进程的pid,用ps或pstree都可以,哪个方便用哪个 [root@250-shiyan ~]# pstree -p init(1)─┬─auditd(934)───{auditd}(935) ├─crond(1130) ├─master(1120)─┬─pickup(9284) │ └─qmgr(1129) ├─mfsmount(5061)─┬─{mfsmount}(5062) │ ├─{mfsmount}(5063) │ ├─{mfsmount}(5064) │ ├─{mfsmount}(5065) │ ├─{mfsmount}(5066) │ ├─{mfsmount}(5067) │ ├─{mfsmount}(5068) │ ├─{mfsmount}(5069) │ ├─{mfsmount}(5071) │ ├─{mfsmount}(5072) │ └─{mfsmount}(5089) ├─mingetty(1143) ├─mingetty(1145) ├─mingetty(1147) ├─mingetty(1149) ├─mingetty(1151) ├─mingetty(1153) ├─rpc.idmapd(14858) ├─rpc.mountd(14820) ├─rpc.statd(991) ├─rpcbind(973) ├─rsyslogd(2453)─┬─{rsyslogd}(2454) │ ├─{rsyslogd}(2456) │ └─{rsyslogd}(2457) ├─sshd(12432)─┬─sshd(3634)───bash(3636) │ └─sshd(7655)───bash(7657)───pstree(9361) └─udevd(379)─┬─udevd(1159) └─udevd(1160) [root@250-shiyan ~]# ps -C rsyslogd PID TTY TIME CMD 2453 ? 00:00:00 rsyslogd 二。再查看相关线程信息 [root@250-shiyan ~]# pstack 2453 Thread 4 (Thread 0x7f59c23ac700 (LWP 2454)): #0 0x00007f59c3a005bc in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007f59c4078184 in wtiWorker () #2 0x00007f59c4077c1a in ?? () #3 0x00007f59c39fc9d1 in start_thread () from /lib64/libpthread.so.0 #4 0x00007f59c3127b6d in clone () from /lib64/libc.so.6 Thread 3 (Thread 0x7f59c19ab700 (LWP 2456)): #0 0x00007f59c31205e3 in select () from /lib64/libc.so.6 #1 0x00007f59c25c4d51 in ?? () from /lib64/rsyslog/imuxsock.so #2 0x00007f59c4086b6a in ?? () #3 0x00007f59c39fc9d1 in start_thread () from /lib64/libpthread.so.0 #4 0x00007f59c3127b6d in clone () from /lib64/libc.so.6 Thread 2 (Thread 0x7f59c0faa700 (LWP 2457)): #0 0x00007f59c3a0375d in read () from /lib64/libpthread.so.0 #1 0x00007f59c23afd04 in klogLogKMsg () from /lib64/rsyslog/imklog.so #2 0x00007f59c23af16c in ?? () from /lib64/rsyslog/imklog.so #3 0x00007f59c4086b6a in ?? () #4 0x00007f59c39fc9d1 in start_thread () from /lib64/libpthread.so.0 #5 0x00007f59c3127b6d in clone () from /lib64/libc.so.6 Thread 1 (Thread 0x7f59c403c700 (LWP 2453)): #0 0x00007f59c31205e3 in select () from /lib64/libc.so.6 #1 0x00007f59c40592f5 in ?? () #2 0x00007f59c405a9fa in realMain () #3 0x00007f59c305dd1d in __libc_start_main () from /lib64/libc.so.6 #4 0x00007f59c4056629 in _start ()
对待每一个守护进程都是这个过程。 一。先查看系统中都有哪些进程在运行 [root@84-monitor logs]# pstree init─┬─auditd───{auditd} ├─crond───4*[crond─┬─sendmail───postdrop] │ └─sh───sh───sh───sh───mail───mail] ├─httpd───8*[httpd] ├─java───23*[{java}] ├─master─┬─cleanup │ ├─local │ ├─pickup │ └─qmgr ├─6*[mingetty] ├─mysqld_safe───mysqld───9*[{mysqld}] ├─rpc.statd ├─rpcbind ├─rsyslogd───3*[{rsyslogd}] ├─sshd─┬─sshd───bash───pstree │ └─3*[sshd───bash───bash───ssh] └─udevd───2*[udevd] 二。其次列出以rsys开头的进程打开的所有文件 [root@84-monitor 972]# lsof -c rsys COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME rsyslogd 972 root cwd DIR 253,0 4096 2 / rsyslogd 972 root rtd DIR 253,0 4096 2 / rsyslogd 972 root txt REG 253,0 396064 521732 /sbin/rsyslogd rsyslogd 972 root mem REG 253,0 27232 521711 /lib64/rsyslog/imklog.so rsyslogd 972 root mem REG 253,0 340568 521717 /lib64/rsyslog/imuxsock.so rsyslogd 972 root mem REG 253,0 110960 521867 /lib64/libresolv-2.12.so rsyslogd 972 root mem REG 253,0 27424 521245 /lib64/libnss_dns-2.12.so rsyslogd 972 root mem REG 253,0 65928 521865 /lib64/libnss_files-2.12.so rsyslogd 972 root mem REG 253,0 26984 521718 /lib64/rsyslog/lmnet.so rsyslogd 972 root mem REG 253,0 1921176 521231 /lib64/libc-2.12.so rsyslogd 972 root mem REG 253,0 90880 521844 /lib64/libgcc_s-4.4.7-20120601.so.1 rsyslogd 972 root mem REG 253,0 43880 521868 /lib64/librt-2.12.so rsyslogd 972 root mem REG 253,0 19536 521861 /lib64/libdl-2.12.so rsyslogd 972 root mem REG 253,0 142640 521255 /lib64/libpthread-2.12.so rsyslogd 972 root mem REG 253,0 88600 521285 /lib64/libz.so.1.2.3 rsyslogd 972 root mem REG 253,0 154624 521489 /lib64/ld-2.12.so rsyslogd 972 root 0u unix 0xffff88001fbd06c0 0t0 10252 /dev/log rsyslogd 972 root 1w REG 253,0 292 786284 /var/log/messages rsyslogd 972 root 2w REG 253,0 1191255 785232 /var/log/cron rsyslogd 972 root 3r REG 0,3 0 4026532040 /proc/kmsg rsyslogd 972 root 4w REG 253,0 564219 785245 /var/log/maillog rsyslogd 972 root 5w REG 253,0 1004 786285 /var/log/secure 三。随后进入到972的fd目录,列出文件列表,打开了5个文件 [root@84-monitor 972]# cd /proc/972/fd [root@84-monitor fd]# ll total 0 lrwx------. 1 root root 64 Mar 18 09:39 0 -> socket:[10252] l-wx------. 1 root root 64 Mar 18 09:39 1 -> /var/log/messages l-wx------. 1 root root 64 Mar 18 09:39 2 -> /var/log/cron lr-x------. 1 root root 64 Mar 18 09:39 3 -> /proc/kmsg l-wx------. 1 root root 64 Mar 18 09:39 4 -> /var/log/maillog l-wx------. 1 root root 64 Mar 18 09:39 5 -> /var/log/secure 四。查漏补缺 FD列 txt program text (code and data); rtd root directory; cwd current working directory; cwd,rtd这两个经常是一样的,因为如果没有具体的目录的话,默认全放到根下。 mem memory-mapped file; u for read and write access; TYPE列 unix for a UNIX domain socket; REG for a regular file; DIR for a directory; 一。 [root@84-monitor fd]# lsof -c rpcbind COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME rpcbind 32580 rpc cwd DIR 253,0 4096 2 / rpcbind 32580 rpc rtd DIR 253,0 4096 2 / rpcbind 32580 rpc txt REG 253,0 54408 521226 /sbin/rpcbind rpcbind 32580 rpc mem REG 253,0 65928 521865 /lib64/libnss_files-2.12.so rpcbind 32580 rpc mem REG 253,0 1921176 521231 /lib64/libc-2.12.so rpcbind 32580 rpc mem REG 253,0 142640 521255 /lib64/libpthread-2.12.so rpcbind 32580 rpc mem REG 253,0 19536 521861 /lib64/libdl-2.12.so rpcbind 32580 rpc mem REG 253,0 36584 521220 /lib64/libgssglue.so.1.0.0 rpcbind 32580 rpc mem REG 253,0 113432 521863 /lib64/libnsl-2.12.so rpcbind 32580 rpc mem REG 253,0 162016 521225 /lib64/libtirpc.so.1.0.10 rpcbind 32580 rpc mem REG 253,0 40792 521329 /lib64/libwrap.so.0.7.6 rpcbind 32580 rpc mem REG 253,0 154624 521489 /lib64/ld-2.12.so rpcbind 32580 rpc 0u CHR 1,3 0t0 3782 /dev/null rpcbind 32580 rpc 1u CHR 1,3 0t0 3782 /dev/null rpcbind 32580 rpc 2u CHR 1,3 0t0 3782 /dev/null rpcbind 32580 rpc 3r REG 253,0 0 786245 /var/run/rpcbind.lock rpcbind 32580 rpc 4u sock 0,6 0t0 3617563 can't identify protocol rpcbind 32580 rpc 5u unix 0xffff88001dfc3080 0t0 3617538 /var/run/rpcbind.sock rpcbind 32580 rpc 6u IPv4 3617540 0t0 UDP *:sunrpc rpcbind 32580 rpc 7u IPv4 3617542 0t0 UDP *:955 rpcbind 32580 rpc 8u IPv4 3617543 0t0 TCP *:sunrpc (LISTEN) rpcbind 32580 rpc 9u IPv6 3617545 0t0 UDP *:sunrpc rpcbind 32580 rpc 10u IPv6 3617547 0t0 UDP *:955 rpcbind 32580 rpc 11u IPv6 3617548 0t0 TCP *:sunrpc (LISTEN) 二。查漏补缺 TYPE列 sock for a socket of unknown domain; IPv4 for an IPv4 socket; IPv6 for an open IPv6 network file - even if its address is IPv4, mapped in an IPv6 address;
程序占用内存分析 一。
[root@250-shiyan ~]# top PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 5061 root 1 -19 649m 17m 908 S 0.0 3.6 1:17.03 mfsmount 二。 [root@250-shiyan ~]# lsof -c mfsmount COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME mfsmount 5061 root cwd DIR 253,0 4096 781826 /root mfsmount 5061 root rtd DIR 253,0 4096 2 / mfsmount 5061 root txt REG 253,0 236648 403887 /usr/bin/mfsmount mfsmount 5061 root mem REG 253,0 65928 260640 /lib64/libnss_files-2.12.so mfsmount 5061 root mem REG 253,0 1921216 260624 /lib64/libc-2.12.so mfsmount 5061 root mem REG 253,0 142640 260648 /lib64/libpthread-2.12.so mfsmount 5061 root mem REG 253,0 596264 260632 /lib64/libm-2.12.so mfsmount 5061 root mem REG 253,0 43832 260652 /lib64/librt-2.12.so mfsmount 5061 root mem REG 253,0 258504 402028 /usr/lib64/libpcap.so.1.4.0 mfsmount 5061 root mem REG 253,0 19536 260630 /lib64/libdl-2.12.so mfsmount 5061 root mem REG 253,0 221728 261115 /lib64/libfuse.so.2.8.3 mfsmount 5061 root mem REG 253,0 154520 260617 /lib64/ld-2.12.so mfsmount 5061 root 0u CHR 1,3 0t0 3782 /dev/null mfsmount 5061 root 1u CHR 1,3 0t0 3782 /dev/null mfsmount 5061 root 2u CHR 1,3 0t0 3782 /dev/null mfsmount 5061 root 3r FIFO 0,8 0t0 1586590 pipe mfsmount 5061 root 4u IPv4 1892119 0t0 TCP 192.168.2.250:44567->mfsmaster:9421 (ESTABLISHED) mfsmount 5061 root 5u unix 0xffff88001fb876c0 0t0 1616111 socket mfsmount 5061 root 6u IPv4 1616113 0t0 TCP localhost:44911 (LISTEN) mfsmount 5061 root 8u CHR 10,229 0t0 6954 /dev/fuse [root@250-shiyan ~]# bc bc 1.06.95 Copyright 1991-1994, 1997, 1998, 2000, 2004, 2006 Free Software Foundation, Inc. This is free software with ABSOLUTELY NO WARRANTY. For details type `warranty'. 65928+1921216+142640+596264+43832+258504+19536+221728+154520 3424168 [root@250-shiyan ~]# ll /usr/bin/mfsmount -rwxr-xr-x 1 root root 236648 Feb 10 19:27 /usr/bin/mfsmount [root@250-shiyan ~]# size /usr/bin/mfsmount text data bss dec hex filename 229679 4352 16923472 17157503 105cd7f /usr/bin/mfsmount 229679+4352+16923472=17157503 [root@250-shiyan ~]# pmap -x 5061 5061: mfsmount /mnt/mfs1 Address Kbytes RSS Dirty Mode Mapping ---------------- ------ ------ ------ total kB 664836 17980 17072 三。分析 top中显示的某一个进程的RES列大小,与size某个文件显示的dec列是一样的,lsof中的SIZE列只是size命令中所显示的text列 即: top-RES=size-dec lsof-SIZE=size-text
一。先查看哪个用户从哪来,时长等信息。w与who都可以 [root@109-com1 ~]# w 09:55:16 up 106 days, 21:48, 2 users, load average: 1.11, 1.14, 1.02 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT root pts/2 192.168.2.84 09:43 0.00s 0.08s 0.00s w root pts/3 1.85.49.230 09:44 7:17 0.08s 0.04s vi FLTPsThread.cpp [root@109-com1 ~]# who -a system boot 2014-12-02 11:59 run-level 3 2014-12-02 11:59 LOGIN tty2 2014-12-02 12:04 1499 id=2 LOGIN tty3 2014-12-02 12:04 1501 id=3 LOGIN tty1 2014-12-02 12:04 1497 id=1 LOGIN tty4 2014-12-02 12:04 1505 id=4 LOGIN tty5 2014-12-02 12:04 1507 id=5 LOGIN tty6 2014-12-02 12:04 1509 id=6 pts/0 2015-02-09 13:51 27045 id=ts/0 term=0 exit=0 pts/1 2015-03-10 22:16 11075 id=ts/1 term=0 exit=0 root + pts/2 2015-03-19 09:43 . 12395 (192.168.2.84) root + pts/3 2015-03-19 09:44 00:07 12448 (1.85.49.230) pts/4 2015-03-11 10:29 24135 id=ts/4 term=0 exit=0 二。再根据终端,pid,目录查看他在干什么,运用了哪些资源 [root@109-com1 ~]# lsof /dev/pts/3 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME bash 12448 root 0u CHR 136,3 0t0 6 /dev/pts/3 bash 12448 root 1u CHR 136,3 0t0 6 /dev/pts/3 bash 12448 root 2u CHR 136,3 0t0 6 /dev/pts/3 bash 12448 root 255u CHR 136,3 0t0 6 /dev/pts/3 vi 12736 root 0u CHR 136,3 0t0 6 /dev/pts/3 vi 12736 root 1u CHR 136,3 0t0 6 /dev/pts/3 vi 12736 root 2u CHR 136,3 0t0 6 /dev/pts/3 [root@109-com1 ~]# lsof -p 12448 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME bash 12448 root cwd DIR 253,0 4096 141592 /usr/local/ps/src bash 12448 root rtd DIR 253,0 4096 2 / bash 12448 root txt REG 253,0 903336 651864 /bin/bash bash 12448 root mem REG 253,0 99158576 138120 /usr/lib/locale/locale-archive bash 12448 root mem REG 253,0 65928 651834 /lib64/libnss_files-2.12.so bash 12448 root mem REG 253,0 1921216 651818 /lib64/libc-2.12.so bash 12448 root mem REG 253,0 19536 651824 /lib64/libdl-2.12.so bash 12448 root mem REG 253,0 135896 651863 /lib64/libtinfo.so.5.7 bash 12448 root mem REG 253,0 154520 655746 /lib64/ld-2.12.so bash 12448 root mem REG 253,0 26060 264514 /usr/lib64/gconv/gconv-modules.cache bash 12448 root 0u CHR 136,3 0t0 6 /dev/pts/3 bash 12448 root 1u CHR 136,3 0t0 6 /dev/pts/3 bash 12448 root 2u CHR 136,3 0t0 6 /dev/pts/3 bash 12448 root 255u CHR 136,3 0t0 6 /dev/pts/3 [root@109-com1 ~]# lsof +D /usr/local/ps COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME FLTServic 11167 root cwd DIR 253,0 4096 141580 /usr/local/ps/log FLTServic 11167 root txt REG 253,0 2264102 141634 /usr/local/ps/bin/FLTService FLTServic 11167 root 3u REG 253,0 626612286 136213 /usr/local/ps/log/debug20150319.log bash 12448 root cwd DIR 253,0 4096 141592 /usr/local/ps/src vi 12736 root cwd DIR 253,0 4096 141592 /usr/local/ps/src vi 12736 root 4u REG 253,0 16384 141668 /usr/local/ps/src/.FLTPsThread.cpp.swp
目的:分析出uid与euid 一。linux系统中每个进程都有2个ID,分别为用户ID(uid)和有效用户ID(euid),UID一般表示进程的创建者(属于哪个用户创建),而EUID表示进程对于文件和资源的访问权限(具备等同于哪个用户的权限)。C语言中,可以通过函数getuid()和geteuid()来获得进程的两个ID值。 当一个用户登陆系统时,系统会将UID和EUID都赋值为/etc/passwd文件中的UID,一般情况下2个ID是相同的,但是某些情况下会出现2个ID不同的情况。gid和egid同理。 新建用户 [root@250-shiyan ~]# useradd test2 [root@250-shiyan ~]# passwd test2 用新用户去登录 [test2@250-shiyan ~]$ id uid=503(test2) gid=503(test2) groups=503(test2) 下面一段C代码将解释区别:"printid.c" [test2@250-shiyan ~]$ vi printid.c #include <stdlib.h> #include <stdio.h> #include <unistd.h> #include <sys/types.h> int main(void) { printf(" UID\t= %d\n", getuid()); printf(" EUID\t= %d\n", geteuid()); printf(" GID\t= %d\n", getgid()); printf(" EGID\t= %d\n", getegid()); return EXIT_SUCCESS; } [test2@250-shiyan ~]$ gcc -o printid printid.c [test2@250-shiyan ~]$ id uid=503(test2) gid=503(test2) groups=503(test2) [test2@250-shiyan ~]$ ./printid UID = 503 EUID = 503 GID = 503 EGID = 503 看看/etc/passwd里uid和gid: [test2@250-shiyan ~]$ cat /etc/passwd|grep "\<test2\>"|awk -F ':' '{print "uid:"$3,"tgid:"$4}' uid:503 tgid:503 以上是相同的例子。 下面演示uid和euid不同的例子。 首先,修改一下文件属性,setuid或setgid [test2@250-shiyan ~]$ chmod u+s printid #这样一来,文件在执行阶段具有文件所有者的权限。 还可以再补充一个: [test2@250-shiyan ~]$ chmod g+s printid #这样一来,文件在执行阶段具有文件所属组的权限。 其次,变成其他用户,再来试验一下,比如变成root; [test2@250-shiyan ~]$ su Password: [root@250-shiyan test2]# ll total 12 -rwsrwxr-x 1 test2 test2 7055 Mar 24 10:31 printid -rw-rw-r-- 1 test2 test2 284 Mar 24 10:30 printid.c [root@250-shiyan test2]# ./printid UID = 0 EUID = 503 GID = 0 EGID = 0 这时uid虽是0,但EUID却是503,即文件所有者的权限 Linux系统就是使用setuid来解决这个矛盾的问题:如果一个程序被设置了setuid位,那么它无论被哪个用户启用,都会具备程序所有者的权限。而passwd程序的所有者是root用户,passwd的权限如下所示,那么任何用户执行该程序,程序的EUID就会变成root用户的EUID,而不是执行该程序的UID。 可以使用chmod u+s 或chmod g+s来设置二进制的可执行文件的euid。setuid只能对二进制的可执行设置。
[root@84-monitor httpd]# vi /etc/httpd/conf/httpd.conf # prefork MPM # StartServers: number of server processes to start # MinSpareServers: minimum number of server processes which are kept spare # MaxSpareServers: maximum number of server processes which are kept spare # ServerLimit: maximum value for MaxClients for the lifetime of the server # MaxClients: maximum number of server processes allowed to start # MaxRequestsPerChild: maximum number of requests a server process serves <IfModule prefork.c> StartServers 8 MinSpareServers 5 MaxSpareServers 20 ServerLimit 256 MaxClients 256 MaxRequestsPerChild 4000 </IfModule> [root@84-monitor httpd]# pstree -p|grep httpd |-httpd(13367)-+-httpd(13370) | |-httpd(13371) | |-httpd(13372) | |-httpd(13373) | |-httpd(13374) | |-httpd(13375) | |-httpd(13376) | |-httpd(13377) 在客户端浏览器F5刷新http://125.76.228.16:2002/about.php这个页面,就产生下面13个资源请求 总共13个对象,总共有8个进程在循环等待请求到来 [root@84-monitor httpd]# tail -f access_log.1428364800 1.85.49.230 - - [07/Apr/2015:16:00:08 +0800] 13372 "GET /about.php HTTP/1.1" 200 10569 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0" 1.85.49.230 - - [07/Apr/2015:16:00:08 +0800] 13375 "GET /cacti/include/main.css HTTP/1.1" 304 - "http://125.76.228.16:2002/about.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0" 1.85.49.230 - - [07/Apr/2015:16:00:08 +0800] 13377 "GET /cacti/include/layout.js HTTP/1.1" 304 - "http://125.76.228.16:2002/about.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0" 1.85.49.230 - - [07/Apr/2015:16:00:08 +0800] 13376 "GET /cacti/images/left_border.gif HTTP/1.1" 304 - "http://125.76.228.16:2002/about.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0" 1.85.49.230 - - [07/Apr/2015:16:00:08 +0800] 13371 "GET /cacti/images/tab_console_down.gif HTTP/1.1" 304 - "http://125.76.228.16:2002/about.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0" 1.85.49.230 - - [07/Apr/2015:16:00:08 +0800] 13373 "GET /cacti/images/tab_graphs.gif HTTP/1.1" 304 - "http://125.76.228.16:2002/about.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0" 1.85.49.230 - - [07/Apr/2015:16:00:08 +0800] 13374 "GET /cacti/images/transparent_line.gif HTTP/1.1" 304 - "http://125.76.228.16:2002/about.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0" 1.85.49.230 - - [07/Apr/2015:16:00:08 +0800] 13370 "GET /cacti/images/cacti_logo.gif HTTP/1.1" 304 - "http://125.76.228.16:2002/about.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0" 1.85.49.230 - - [07/Apr/2015:16:00:08 +0800] 13372 "GET /images/cacti_about_logo.gif HTTP/1.1" 304 - "http://125.76.228.16:2002/about.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0" 1.85.49.230 - - [07/Apr/2015:16:00:08 +0800] 13377 "GET /cacti/images/cacti_backdrop.gif HTTP/1.1" 304 - "http://125.76.228.16:2002/about.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0" 1.85.49.230 - - [07/Apr/2015:16:00:08 +0800] 13375 "GET /cacti/images/shadow_gray.gif HTTP/1.1" 304 - "http://125.76.228.16:2002/about.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0" 1.85.49.230 - - [07/Apr/2015:16:00:08 +0800] 13376 "GET /cacti/images/shadow.gif HTTP/1.1" 304 - "http://125.76.228.16:2002/about.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0" 1.85.49.230 - - [07/Apr/2015:16:00:08 +0800] 13371 "GET /cacti/images/menu_line.gif HTTP/1.1" 304 - "http://125.76.228.16:2002/about.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"