This document summarizes different methods for system logging in Linux including journald, rsyslogd, and using the logger command. It also covers log file rotation, setting time/timezone, and ensuring journal logs are stored permanently. The key points are:
1. System logging can be done directly, through journald, or through rsyslogd, which writes to /var/log.
2. Journalctl can be used to view and filter journald logs, and logs can be viewed remotely or stored permanently in /var/log/journal.
3. Rsyslogd can be configured to log to a remote syslog server, and its configuration is in /etc/rsyslog.conf.
4.
Chapter 10: Analyzing and Storing Logs
System logging:
1- Direct write (ex: Apache)
2- Through systemd (journald)
3- Through rsyslogd (/var/log)
========================================================
journald:
[root@server ~]# yum search journal
[root@server ~]# systemctl status systemd-journald
[root@server ~]# journalctl
[root@server ~]# journalctl -n (shows the last 10 log entries)
[root@server ~]# journalctl -n 5 (shows the last 5 log entries)
[root@server ~]# journalctl -f (like tail -f)
[root@server ~]# journalctl -p err (filter the output to a specific severity)
[root@server ~]# journalctl -b (logs from the current boot)
[root@server ~]# journalctl --since yesterday
[root@server ~]# journalctl --since yesterday --until 9:30:00
[root@server ~]# journalctl _PID=1
[root@server ~]# journalctl _UID=0
[root@server ~]# journalctl _SYSTEMD_UNIT=sshd.service (the field holds the full unit name, so "sshd" alone matches nothing)
[root@server ~]# journalctl _SYSTEMD_UNIT=NetworkManager.service
[root@server ~]# cat /etc/systemd/journald.conf
========================================================
rsyslogd:
[root@server ~]# yum search rsyslog
[root@server ~]# systemctl status rsyslog
[root@server ~]# vim /etc/rsyslog.conf (uncomment the lines below to receive logs from other hosts)
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
[root@server ~]# systemctl restart rsyslog
> Local logging:
[root@client ~]# tail -f /var/log/secure
[abeer@client ~]$ su - (run in a second terminal as a regular user; the su session appears in the tail output)
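An added example, not from the original notes: the kind of detection you would run over the lines that "tail -f /var/log/secure" shows during the "su -" test above, counting root shells opened with su per user and failed su attempts. The sample lines, host name, PIDs and the 192.0.2.10 address are constructed for this example.

```shell
#!/bin/sh
# Constructed sample of /var/log/secure as written by rsyslog on a client;
# host name, PIDs and the 192.0.2.10 address are placeholders, not real data.
SAMPLE_SECURE='Mar  3 09:12:01 client su[2104]: pam_unix(su-l:session): session opened for user root by abeer(uid=1000)
Mar  3 09:12:40 client su[2150]: pam_unix(su-l:auth): authentication failure; logname=abeer uid=1000 euid=0 tty=pts/0 ruser=abeer rhost=  user=root
Mar  3 09:12:42 client su[2150]: FAILED SU (to root) abeer on pts/0
Mar  3 09:13:05 client sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Mar  3 09:13:30 client su[2260]: pam_unix(su-l:session): session opened for user root by abeer(uid=1000)
Mar  3 09:14:00 client su[2301]: pam_unix(su-l:session): session opened for user abeer by bob(uid=1001)'

# Print "user<TAB>count" for every account that opened a root shell with su.
# Reads log lines on stdin, e.g.: tail -n 500 /var/log/secure | root_su_by_user
root_su_by_user() {
  awk '/ su\[[0-9]+\]: pam_unix\(su-l:session\): session opened for user root by / {
         sub(/.* by /, "")        # "... by abeer(uid=1000)" -> "abeer(uid=1000)"
         sub(/\(uid=.*/, "")      # "abeer(uid=1000)"        -> "abeer"
         n[$0]++
       }
       END { for (u in n) printf "%s\t%d\n", u, n[u] }'
}

# Count failed su attempts; su logs one "FAILED SU (to <user>)" line per attempt.
failed_su_count() {
  awk '/ su\[[0-9]+\]: FAILED SU \(to / { c++ } END { print c + 0 }'
}

# Wrappers over the constructed sample so the functions can be checked offline.
sample_root_su_abeer() { printf '%s\n' "$SAMPLE_SECURE" | root_su_by_user | awk -F'\t' '$1 == "abeer" { print $2 }'; }
sample_failed_su()     { printf '%s\n' "$SAMPLE_SECURE" | failed_su_count; }
```

Run the same functions against the copy of /var/log/secure on the syslog server rather than on the client: once a user has root on the client, the local file can be edited, the forwarded copy cannot.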
> Logging to a syslog server:
[root@client ~]# vim /etc/rsyslog.conf
#### RULES ####
*.* @192.168.1.1        (facility.priority; a single @ means a UDP session)
Or
*.* @@192.168.1.1       (@@ means a TCP session)
Or
*.* @192.168.1.1:500    (change the default UDP port number)
Or
*.* @@192.168.1.1:500   (change the default TCP port number)
[root@client ~]# systemctl restart rsyslog
[abeer@client ~]$ su -
[root@server ~]# tail -f /var/log/secure (the client's su event now also appears on the server)
========================================================
Log file rotation:
- Logs are "rotated" by the logrotate utility after a week by default to keep them from filling up the file system containing /var/log/.
- When a log file is rotated, it is renamed with an extension indicating the date on which it was rotated.
- A cron job runs the logrotate program daily to see if any logs need to be rotated.
[root@server ~]# vim /etc/logrotate.conf
[root@server ~]# cd /etc/logrotate.d/ (the per-log configs here are included by logrotate.conf and override its defaults for the logs they name)
========================================================
Send a syslog message with logger:
[root@server ~]# logger "Log entry created locally"
[root@server ~]# logger -i "Log entry created locally" (log the process ID too)
[root@server ~]# logger -p panic "Log entry created locally" (mark the message with this priority)
========================================================
Store the system journal permanently:
- By default, the systemd journal is kept in /run/log/journal, which means it is cleared when the system reboots.
- If the directory /var/log/journal exists, the journal will log to that directory instead. The advantage is that historic data is available immediately at boot.
- However, even with a persistent journal, not all data will be kept forever. The journal has a built-in log rotation mechanism that triggers monthly.
- By default, the journal will not be allowed to get larger than 10% of the file system it is on, or to leave less than 15% of the file system free. These values can be tuned in /etc/systemd/journald.conf.
[root@master ~]# mkdir /var/log/journal
[root@master ~]# chown root:systemd-journal /var/log/journal
[root@master ~]# chmod 2755 /var/log/journal
[root@master ~]# killall -USR1 systemd-journald (or reboot the system)
========================================================
[root@master ~]# last (login history from /var/log/wtmp)
[root@master ~]# lastlog (most recent login of every account)
========================================================
Set local clocks and time zone:
[root@master ~]# timedatectl (shows an overview of the current time settings)
[root@master ~]# timedatectl list-timezones (shows a list of all time zones)
[root@master ~]# timedatectl set-timezone Africa/Cairo
[root@master ~]# timedatectl set-time 9:00:00
[root@master ~]# timedatectl set-ntp true
========================================================
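An added example, not from the original notes, for the "Logging to a syslog server" rules above: a small audit that parses the @ / @@ forwarding actions in an rsyslog RULES section into protocol, host and port, so you can check where a host ships its logs and whether any rule still uses UDP. SAMPLE_RSYSLOG_RULES is a constructed stand-in for /etc/rsyslog.conf; 192.168.1.1 and port 500 are the values the notes use, 10514 is a made-up port.

```shell
#!/bin/sh
# Constructed RULES section; only the lines with an @ action forward to a remote host.
SAMPLE_RSYSLOG_RULES='#### RULES ####
*.info;mail.none;authpriv.none;cron.none  /var/log/messages
authpriv.*                                /var/log/secure
*.* @192.168.1.1
authpriv.* @@192.168.1.1:500
*.* @@192.168.1.1:10514'

# forwarding_rules: print "SELECTOR PROTO HOST PORT" for every remote action on stdin.
# "@host" is UDP and "@@host" is TCP, both on port 514 unless a ":port" suffix is
# given, which is exactly the legacy rule syntax shown in the notes.
forwarding_rules() {
  awk '/^[^#].*[ \t]@/ {
         sel = $1; act = $2
         proto = "udp"; if (act ~ /^@@/) proto = "tcp"
         sub(/^@@?/, "", act)                    # strip the @ or @@ prefix
         port = 514
         if (act ~ /:[0-9]+$/) {                 # explicit port overrides the default
           port = act; sub(/.*:/, "", port)
           sub(/:[0-9]+$/, "", act)
         }
         printf "%s %s %s %s\n", sel, proto, act, port
       }'
}

# udp_forwarders: how many rules still use UDP, which gives no delivery guarantee and
# no way for the server to notice dropped messages; TCP (@@) is the safer choice.
udp_forwarders() { forwarding_rules | awk '$2 == "udp" { c++ } END { print c + 0 }'; }

# Wrappers over the constructed sample; on a live host feed /etc/rsyslog.conf instead.
sample_forwarding_rules() { printf '%s\n' "$SAMPLE_RSYSLOG_RULES" | forwarding_rules; }
sample_udp_forwarders()   { printf '%s\n' "$SAMPLE_RSYSLOG_RULES" | udp_forwarders; }
```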