Weight: 3
Description: Candidates should be able to configure the syslog daemon. This objective also includes configuring the logging daemon to send log output to a central log server or accept log output as a central log server. Use of the systemd journal subsystem is covered. Also, awareness of rsyslog and syslog-ng as alternative logging systems is included.
Key Knowledge Areas:
- Configuration of the syslog daemon
- Understanding of standard facilities, priorities and actions
- Configuration of logrotate
- Awareness of rsyslog and syslog-ng
Terms and Utilities:
syslog.conf, syslogd, klogd, /var/log/, logger, logrotate, /etc/logrotate.conf, /etc/logrotate.d/, journalctl, /etc/systemd/journald.conf, /var/log/journal/
syslogd
/etc/syslog.conf
options
-f config file: read an alternative configuration file instead of /etc/syslog.conf
-d run in debug mode (stay in the foreground and print what is being done)
-h forward messages received from remote hosts on to the forwarding hosts configured in syslog.conf (off by default)
-l hostname(s) that should be logged with their short name instead of the FQDN; separate multiple names with colons
-m interval in minutes between two "-- MARK --" lines, default 20 (0 turns marking off)
-r enable receipt of network messages (listen on the syslog UDP port, 514)
kill syslogd (signals)
SIGHUP reinitialize syslogd: close all log files and reread /etc/syslog.conf
SIGQUIT, SIGTERM, SIGINT stop syslogd
SIGUSR1 toggle debugging on/off; only works when syslogd was started with -d
SIGALRM write a "-- MARK --" line now; normally the mark timer runs down on its own and the action is executed
system log files
/var/log/messages general system messages, the usual target of a *.info style selector
/var/log/dmesg kernel ring buffer captured at boot; read with dmesg
/var/log/wtmp login history (login time and length of each session); binary, read with last
/var/log/lastlog only the most recent login time of each user; binary, read with lastlog
/var/run/utmp (older notes and exam questions call it /var/log/utmp) users currently logged in; binary, read with who, w, finger
analyze syslog
grep -F1 'connect to service' /var/log/samba/*
# -F: match the string literally (no regex); -1: also print one line of context before and after each hit
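The quiz at the end of these notes asks for the components of a /var/log/messages line. The script below, an added example that is not part of the original notes, pulls those components apart with awk and shows two routine triage steps on top of that: counting lines per program and selecting a time window (the flat-file counterpart of journalctl --since/--until). The sample lines, the hostname dclab, the IP address and the pids are constructed for this example.

```shell
#!/bin/bash
# Added example: parse classic syslog lines (date, time, host, program tag, message)
# and summarise them. SAMPLE_LOG is constructed for this example in the format
# that /var/log/messages uses; the host, pids and addresses are made up.
SAMPLE_LOG='Mar 21 15:35:32 dclab cracklib[2111]: no dictionary update necessary.
Mar 21 15:35:33 dclab systemd[1]: Stopping CUPS Scheduler...
Mar 21 15:35:33 dclab systemd[1]: Started CUPS Scheduler.
Mar 21 15:35:40 dclab sshd[2201]: Accepted publickey for oldhorse from 192.0.2.10 port 51234 ssh2
Mar 21 15:36:03 dclab anacron[972]: Job cron.daily terminated
Mar 21 15:36:03 dclab anacron[972]: Normal exit (1 job run)
Mar 21 15:36:10 dclab sudo[2250]: oldhorse : TTY=pts/0 ; PWD=/home/oldhorse ; USER=root ; COMMAND=/bin/journalctl'

# syslog_fields: stdin -> "date|time|host|tag|message", one line per entry.
# Fields 1-2 are the date, 3 the time, 4 the host, 5 the tag "program[pid]:",
# everything after that is the free-text message.
syslog_fields() {
  awk '{
    tag = $5; sub(/:$/, "", tag)
    msg = ""
    for (i = 6; i <= NF; i++) msg = msg (i > 6 ? " " : "") $i
    print $1 " " $2 "|" $3 "|" $4 "|" tag "|" msg
  }'
}

# count_by_program: stdin -> "count program", most frequent first, ties by name.
# Strips the "[pid]" and trailing colon from the tag so all pids of one program collapse.
count_by_program() {
  awk '{ prog = $5; sub(/\[.*$/, "", prog); sub(/:$/, "", prog); n[prog]++ }
       END { for (p in n) print n[p], p }' | sort -k1,1nr -k2,2
}

# lines_between FROM TO: keep lines whose HH:MM:SS lies in [FROM, TO].
# Same-day only: the zero-padded time strings compare correctly as plain strings.
lines_between() {
  awk -v from="$1" -v to="$2" '$3 >= from && $3 <= to'
}

printf '%s\n' "$SAMPLE_LOG" | syslog_fields
printf '%s\n' "$SAMPLE_LOG" | count_by_program
printf '%s\n' "$SAMPLE_LOG" | lines_between 15:35:33 15:36:03
```

On a real system replace the printf with `cat /var/log/messages` (or a rotated copy); because the functions read stdin, the same pipelines work on the output of `journalctl -o short` as well.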
journalctl
The three primary systemd journal service components:
- daemon: The systemd journaling service is handled by the systemd-journald daemon
- Configuration file: The journal service’s configuration is set in the /etc/systemd/journald.conf file
- Search utility: The program used to search through the journal log files is journalctl
oldhorse@dclab:/etc/lightdm$ ll /etc/systemd/journald.conf
-rw-r--r-- 1 root root 970 Apr 18  2015 /etc/systemd/journald.conf
oldhorse@dclab:/etc/lightdm$ cat /etc/systemd/journald.conf
[Journal]
#Storage=auto
#Compress=yes
#Seal=yes
#SplitMode=uid
#SyncIntervalSec=5m
#RateLimitInterval=30s
#RateLimitBurst=1000
#SystemMaxUse=
#SystemKeepFree=
#SystemMaxFileSize=
#RuntimeMaxUse=
#RuntimeKeepFree=
#RuntimeMaxFileSize=
#MaxRetentionSec=
#MaxFileSec=1month
#ForwardToSyslog=yes
#ForwardToKMsg=no
#ForwardToConsole=no
#ForwardToWall=yes
#TTYPath=/dev/console
#MaxLevelStore=debug
#MaxLevelSyslog=debug
#MaxLevelKMsg=notice
#MaxLevelConsole=info
#MaxLevelWall=emerg
Every line is commented out, so the values shown are this version's compiled-in defaults. Storage=auto keeps the journal in volatile /run/log/journal, lost at reboot, unless the directory /var/log/journal exists; ForwardToSyslog=yes hands every entry to the classic syslog daemon as well.
oldhorse@dclab:/etc/lightdm$ journalctl|head -5
-- Logs begin at Mon 2016-03-21 14:59:26 EDT, end at Mon 2016-03-21 15:35:34 EDT. --
Mar 21 14:59:26 dclab systemd-journal[295]: Runtime journal is using 4.0M (max allowed 9.8M, trying to leave 14.7M free of 94.2M available → current limit 9.8M).
Mar 21 14:59:26 dclab systemd-journal[295]: Runtime journal is using 4.0M (max allowed 9.8M, trying to leave 14.7M free of 94.2M available → current limit 9.8M).
Mar 21 14:59:26 dclab kernel: Initializing cgroup subsys cpuset
Mar 21 14:59:26 dclab kernel: Initializing cgroup subsys cpu
journalctl options
-a Display all data fields, including long fields and unprintable characters.
-e Jump to the end of the data inside the pager.
-l Display all printable data fields in full (no ellipsis).
-n number Show the most recent journal entries, limited to number lines; without a number, the last 10.
-r Reverse the output so that the newest entries show first.
--since, --until Restrict the output to a time frame.
Field matches such as _TRANSPORT=kernel or _UID=0 filter on the metadata journald records with every entry:
oldhorse@dclab:/etc/lightdm$ journalctl _TRANSPORT=kernel
-- Logs begin at Mon 2016-03-21 14:59:26 EDT, end at Mon 2016-03-21 15:36:03 EDT. --
Mar 21 14:59:26 dclab kernel: Initializing cgroup subsys cpuset
Mar 21 14:59:26 dclab kernel: Initializing cgroup subsys cpu
Mar 21 14:59:26 dclab kernel: Initializing cgroup subsys cpuacct
oldhorse@dclab:/etc/lightdm$ journalctl -n 6 _UID=0
-- Logs begin at Mon 2016-03-21 14:59:26 EDT, end at Mon 2016-03-21 15:36:03 EDT. --
Mar 21 15:35:32 dclab cracklib[2111]: no dictionary update necessary.
Mar 21 15:35:33 dclab systemd[1]: Stopping CUPS Scheduler...
Mar 21 15:35:33 dclab systemd[1]: Started CUPS Scheduler.
Mar 21 15:35:33 dclab systemd[1]: Starting CUPS Scheduler...
Mar 21 15:36:03 dclab anacron[972]: Job `cron.daily' terminated
Mar 21 15:36:03 dclab anacron[972]: Normal exit (1 job run)
log priority
high to low: emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), debug (7)
A selector such as mail.err matches err and every higher priority; mail.=err matches exactly err, mail.!err removes err and above, and mail.none drops the facility. Entries separated by semicolons are applied left to right, so *.info;mail.none logs everything at info and above except mail.
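The selector rules from the syslogd section above and the priority ordering just listed are what syslogd evaluates for every message before it runs a line's action. The script below, an added example that is not part of the original notes, implements that evaluation as a shell function so a candidate line can be checked before editing /etc/syslog.conf; the demo config line and messages at the end are constructed for this example.

```shell
#!/bin/bash
# Added example: decide whether a syslog.conf selector matches a message's
# facility and priority. Entries separated by ";" are applied left to right:
#   prio    adds prio and everything more severe
#   =prio   adds exactly prio
#   !prio   removes prio and everything more severe
#   !=prio  removes exactly prio
#   *       adds all priorities, none removes the facility entirely
# The facility part may list several facilities separated by "," or be "*".

# Numeric severity as in RFC 3164: emerg=0 is most severe, debug=7 least.
prio_num() {
  case "$1" in
    emerg|panic)  echo 0 ;;
    alert)        echo 1 ;;
    crit)         echo 2 ;;
    err|error)    echo 3 ;;
    warning|warn) echo 4 ;;
    notice)       echo 5 ;;
    info)         echo 6 ;;
    debug)        echo 7 ;;
    *)            echo -1 ;;   # unknown keyword never matches
  esac
}

# syslog_match SELECTOR FACILITY PRIORITY
# Returns 0 (true) when a message with FACILITY/PRIORITY is selected, 1 otherwise.
syslog_match() {
  local selector=$1 mfac=$2 mnum entry facs spec fac pnum
  local matched=1                     # shell convention: 1 = not selected
  mnum=$(prio_num "$3")
  [ "$mnum" -ge 0 ] || return 1       # unknown message priority: never logged
  set -f                              # a bare "*" must not expand to file names
  local IFS=';'
  for entry in $selector; do
    facs=${entry%.*}                  # facility list, e.g. "kern" or "mail,uucp"
    spec=${entry##*.}                 # priority spec, e.g. "info", "=warn", "!err", "none"
    local IFS=','
    for fac in $facs; do
      [ "$fac" = '*' ] || [ "$fac" = "$mfac" ] || continue
      case "$spec" in
        none)  matched=1 ;;
        '*')   matched=0 ;;
        '!='*) pnum=$(prio_num "${spec#!=}"); [ "$mnum" -eq "$pnum" ] && matched=1 ;;
        '!'*)  pnum=$(prio_num "${spec#!}");  [ "$mnum" -le "$pnum" ] && matched=1 ;;
        '='*)  pnum=$(prio_num "${spec#=}");  [ "$mnum" -eq "$pnum" ] && matched=0 ;;
        *)     pnum=$(prio_num "$spec");      [ "$mnum" -le "$pnum" ] && matched=0 ;;
      esac
    done
  done
  set +f
  return "$matched"
}

# Demo: a typical /var/log/messages selector and a few constructed messages.
selector='*.info;mail.none;authpriv.none;cron.none'
for msg in cron.info mail.crit kern.warning auth.debug authpriv.emerg; do
  if syslog_match "$selector" "${msg%.*}" "${msg##*.}"; then
    echo "$msg -> logged by '$selector'"
  else
    echo "$msg -> dropped by '$selector'"
  fi
done
```

Note that `authpriv.emerg` is dropped by the demo line: `authpriv.none` removes the facility regardless of severity, which is why the usual layout pairs such a line with a second one sending `authpriv.*` to a restricted file.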
quiz
Which statements about system logging in Linux are correct?
V You can send SIGHUP to syslogd to make it reread /etc/syslog.conf and apply the changes
V You can use /var/run/utmp (written /var/log/utmp in older material) to see which users are currently logged on
X The syslogd daemon logs system messages in /etc/syslog.conf
X You can use syslogd with -f to enable receipt of network messages  # that is -r; -f selects the config file

What does the first field of each line in /etc/syslog.conf specify?
V The type of messages that the syslog daemon must log
X The location to which the syslog daemon must log messages
X What the syslog daemon must do with specific messages

Which field in an /etc/syslog.conf entry specifies the location to which the syslog daemon must send messages?
X The comments field
V The action field
X The selector field

You have added the following entry to /etc/syslog.conf: *.emerg *
X send all emergency messages to the root user
V send all emergency messages to all logged-on users
X send all critical messages to remote computers named "*"

You want to log only daemon messages with the warning priority level.
V daemon.=warn
X daemon.!warn
X daemon.*

You want the syslog daemon to send all alert and emergency system messages to the root user.
V *.alert root  (alert and everything more severe, i.e. alert and emerg)
X *.notice root
X *.emerg root

You want all mail messages with priority err (and above) logged to /var/log/mail/errors.
mail.err /var/log/mail/errors

A log entry in /var/log/messages consists of 4 components. Place them in the correct order:
Date, Time, Facility (in the file itself this slot holds the host and the program tag, e.g. dclab anacron[972]), Message

Which files log system messages on a Linux system?
X /etc/ntp.conf
X /etc/syslog.conf
V /var/log/messages
V /var/log/dmesg

Each entry in /etc/syslog.conf contains specific fields. What does the selector field specify?
X The location to which messages must be logged
V The type of messages to log
X The date and time when a message was logged

You have added the following entry to /etc/syslog.conf: *.notice user
What does this instruct syslog to do? Write all messages of priority notice and above to the terminal of the logged-on user named "user".

Which statements about system logging in Linux are correct?
X /var/log/lastlog includes info about each of a user's login sessions  # only the most recent login; the history is in wtmp
X You can toggle debugging on or off using SIGALRM  # that is SIGUSR1
V Logging is controlled by the syslogd daemon
X You can use syslogd with -h to enable receipt of messages from remote hosts  # that is -r

What is the function of the 2nd field in /etc/syslog.conf?
V It specifies what the daemon must do with the messages (the action)

/etc/syslog.conf includes this entry: kern.emerg;user.warn /var/log/warnings
X Messages from the kernel go to an emerg file, whereas messages from users go to the warnings file
V Messages from multiple facilities and priorities can be sent to the same log file
X Warning messages are logged in the kern and user log files
V You can combine facility.priority pairs using semicolons