Ch10. Analyze and Store Logs
System logging:
1- Direct write (ex: Apache) 2- Through systemctl (journald) 3- Through rsyslogd (/var/log)
Journald:
[root@server ~]# yum search journal
[root@server ~]# systemctl status systemd-journald
[root@server ~]# journalctl
[root@server ~]# journalctl -n (shows the last 10 log entries)
[root@server ~]# journalctl -n 5 (shows the last 5 log entries)
[root@server ~]# journalctl -f (like tail -f)
[root@server ~]# journalctl -p err (filter the output to a specific severity)
[root@server ~]# journalctl -b (Logs during boot)
[root@server ~]# journalctl --since yesterday
[root@server ~]# journalctl --since yesterday --until 9:30:00
[root@server ~]# journalctl _PID=1
[root@server ~]# journalctl _UID=0
[root@server ~]# journalctl _SYSTEMD_UNIT=sshd
[root@server ~]# journalctl _SYSTEMD_UNIT=NetworkManager
[root@server ~]# cat /etc/systemd/journald.confrsyslogd:
[root@server ~]# yum search rsyslog
[root@server ~]# systemctl status rsyslog
[root@server ~]# vim /etc/rsyslog.conf
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
[root@server ~]# systemctl restart rsyslog
> Local logging:
[root@client ~]# tail -f /var/log/secure
[abeer@client ~]$ su -
> Logging to a syslog server:
[root@client ~]# vim /etc/rsyslog.conf
#### RULES ####
*.* @192.168.1.1 (facility.priority)(UDP session)
Or
*.* @@192.168.1.1 (TCP sessions)
Or
*.* @192.168.1.1:500 (Change the default UDP port number)
Or
*.* @@192.168.1.1:500 (Change the default TCP port number)
[root@client ~]# systemctl restart rsyslog
[abeer@client ~]$ su -
[root@server ~]# tail -f /var/log/secureLog file rotation:
- Logs are "rotated" by the log rotate utility after a week by default to keep them from filling up the file system containing /var/log/.
- When a log file is rotated, it is renamed with an extension indicating the date on which it was rotated.
- A cron job runs the log rotate program daily to see if any logs need to be rotated.
[root@server ~]# vim /etc/logrotate.conf
[root@server ~]# cd /etc/logrotate.d/ (Any config here will overwrite the logrotate.conf file)Send a syslog message with logger:
[root@server ~]# logger "Log entry created locally"
[root@server ~]# logger -i "Log entry created locally" (log the process ID too)
[root@server ~]# logger -p panic "Log entry created locally" (mark given message with this priority)Store the system journal permanently:
- By default, the systemd journal is kept in /run/log/journal, which means it is cleared when the system reboots.
- If the directory /var/log/journal exists, the journal will log to that directory instead. The advantage of this is the historic data will be available immediately at boot.
- However, even with a persistent journal , not all data will be kept forever. The journal has a built-in log rotation mechanism that will trigger monthly.
- by default, the journal will not be allowed to get larger than 10% of the file system it is on, or leave less than 15% of the file system free. These values can be tuned in /etc/systemd/journald.conf
[root@master ~]# mkdir /var/log/journal
[root@master ~]# chown root:systemd-journal /var/log/journal
[root@master ~]# chmod 2755 /var/log/journal
[root@master ~]# killall -USR1 systemd-journald (or reboot the system)**[root@master ~]# last
[root@master ~]# lastlogSet local clocks and time zone:
[root@master ~]# timedatectl (shows an overview of the current time settings)
[root@master ~]# timedatectl list-timezones (shows a list of all time zones)
[root@master ~]# timedatectl set-timezone Africa/Cairo
[root@master ~]# timedatectl set-time 9:00:00
[root@master ~]# timedatectl set-ntp true