Analyzing and Storing Logs: Log File Type of Messages Stored

This document discusses: 1. Where Linux systems store different types of log files by default and how the rsyslog service determines how to handle log messages based on facility and priority. 2. How to manually send log messages using the logger command and configure rsyslog to log messages of a certain priority to a specific file. 3. How the systemd-journald service stores log data in the system journal and how to view and filter journal entries using the journalctl command. 4. How to configure rsyslog and systemd-journald to persistently store log data across reboots rather than only in volatile memory.

Uploaded by

pmmanick

Analyzing and Storing Logs

Log file            Type of messages stored

/var/log/messages   Most syslog messages. Exceptions include messages related to
                    authentication and email processing, scheduled job execution,
                    and those which are purely debugging-related.
/var/log/secure     Syslog messages related to security and authentication events.
/var/log/maillog    Syslog messages related to the mail server.
/var/log/cron       Syslog messages related to scheduled job execution.
/var/log/boot.log   Non-syslog console messages related to system startup.

The rsyslog service uses the facility and priority of log messages to determine how to handle
them. This is configured by rules in the /etc/rsyslog.conf file and any file in the
/etc/rsyslog.d directory that has a file name extension of .conf. Software packages can easily
add rules by installing an appropriate file in the /etc/rsyslog.d directory.

For example, the following line would record messages sent to the authpriv facility at any
priority to the file /var/log/secure:

authpriv.* /var/log/secure
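To make the selector semantics concrete, the following is an added example in POSIX shell; it is not part of the original course text. It models the matching rules of a classic rsyslog selector (a facility list or "*", then "*", "none", "=prio" for exactly one priority, or "prio" for that priority and anything more severe, with semicolon-joined terms applied left to right) and runs a message through the rules for the files in the table. The RULES list is taken from a stock RHEL 8 /etc/rsyslog.conf, including the "*.info;mail.none;authpriv.none;cron.none" line for /var/log/messages that this page describes in words but does not print; treat it as an assumption if your host's configuration differs. Function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): a model of how rsyslog's classic
# selectors decide which file a message goes to. The priority ladder and the
# "this priority or more severe" rule are rsyslog's own; RULES reproduces the
# default RHEL 8 /etc/rsyslog.conf rules for the files in the table above
# (module, template and remote-logging lines left out). Function names are this
# example's choices.

# Syslog priority levels: 0 is the most severe.
prio_level() {
  case "$1" in
    emerg|panic)  echo 0 ;;
    alert)        echo 1 ;;
    crit)         echo 2 ;;
    err|error)    echo 3 ;;
    warning|warn) echo 4 ;;
    notice)       echo 5 ;;
    info)         echo 6 ;;
    debug)        echo 7 ;;
    *) echo "unknown priority: $1" >&2; return 1 ;;
  esac
}

# single_selector_matches SELECTOR FACILITY PRIORITY
# SELECTOR is one "facility[,facility].priority" term. The facility part is "*"
# or a comma-separated list; the priority part is "*", "none", "=prio" (exactly
# that priority) or "prio" (that priority or anything more severe).
single_selector_matches() {
  sel_fac=${1%.*}; sel_prio=${1#*.}; fac=$2; prio=$3
  fac_ok=1; flist=$sel_fac
  while [ -n "$flist" ]; do
    f=${flist%%,*}
    if [ "$f" = "$flist" ]; then flist=; else flist=${flist#*,}; fi
    if [ "$f" = '*' ] || [ "$f" = "$fac" ]; then fac_ok=0; fi
  done
  if [ "$fac_ok" -ne 0 ]; then return 1; fi
  case "$sel_prio" in
    '*')  return 0 ;;
    none) return 1 ;;
    =*)   [ "$(prio_level "$prio")" -eq "$(prio_level "${sel_prio#=}")" ] ;;
    *)    [ "$(prio_level "$prio")" -le "$(prio_level "$sel_prio")" ] ;;
  esac
}

# rule_matches "SEL1;SEL2;..." FACILITY PRIORITY
# Semicolon-joined terms are applied left to right and a later term for the
# same facility replaces the earlier decision, which is how
# "*.info;authpriv.none" keeps authpriv messages out of /var/log/messages.
rule_matches() {
  result=1; tlist=$1
  while [ -n "$tlist" ]; do
    term=${tlist%%;*}
    if [ "$term" = "$tlist" ]; then tlist=; else tlist=${tlist#*;}; fi
    if single_selector_matches "$term" "$2" "$3"; then
      result=0
    elif single_selector_matches "${term%.*}.*" "$2" "$3"; then
      result=1   # facility matched, priority (or "none") did not
    fi
  done
  return $result
}

# Default RHEL 8 rules for the files in the table above, as "SELECTOR TARGET".
RULES='*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* /var/log/maillog
cron.* /var/log/cron
local7.* /var/log/boot.log'

# destinations FACILITY PRIORITY -> one line per file the message is written to
destinations() {
  printf '%s\n' "$RULES" | while read -r selector target; do
    if rule_matches "$selector" "$1" "$2"; then echo "$target"; fi
  done
}
```

Running "destinations local7 notice" prints both /var/log/messages and /var/log/boot.log, which is where the logger -p local7.notice message from the next section ends up; "destinations authpriv notice" prints only /var/log/secure because the authpriv.none term removes it from /var/log/messages; "destinations user debug" prints nothing, since the stock rules stop at info.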

Sending Syslog Messages Manually

The logger command can send messages to the rsyslog service. By default, it sends the
message to the user facility with the notice priority (user.notice) unless specified
otherwise with the -p option. It is useful to test any change to the rsyslog service
configuration.

To send a message to the rsyslog service that gets recorded in the /var/log/boot.log log
file, execute the following logger command. It works because the default rules route the
local7 facility (local7.*) to /var/log/boot.log; the same message also matches the *.info
rule for /var/log/messages, so expect to find it in both files:

[root@host ~]# logger -p local7.notice "Log entry created on host"

Configure rsyslog on servera to log all messages with the debug priority, or higher, for any
service into the new /var/log/messages-debug log file by adding the rsyslog configuration file
/etc/rsyslog.d/debug.conf.

sudo -i

Create the /etc/rsyslog.d/debug.conf file with the necessary entries to redirect all log
messages having the debug priority to /var/log/messages-debug. You may use the vim
/etc/rsyslog.d/debug.conf command to create the file with the following content.
*.debug /var/log/messages-debug

The wildcard (*) in the facility or priority fields of the configuration line indicates any facility
or priority.

Restart the rsyslog service.

[root@servera ~]# systemctl restart rsyslog

Use the logger command with the -p option to generate a log message with the user
facility and the debug priority.

[root@servera ~]# logger -p user.debug "Debug Message Test"

Use the tail command to view the last ten log messages from the /var/log/messages-debug
file and confirm that you see the Debug Message Test message among the other log
messages.

[root@servera ~]# tail /var/log/messages-debug

Reviewing System Journal Entries

The systemd-journald service stores logging data in a structured, indexed binary file called the
journal. This data includes extra information about the log event. For example, for syslog events this
includes the facility and the priority of the original message.

In Red Hat Enterprise Linux 8, the /run/log/journal directory stores the system journal by
default. The contents of the /run/log directory get cleared after a reboot, so a host with
the default configuration has no log history older than its last boot.

To retrieve log messages from the journal, use the journalctl command:

[root@host ~]# journalctl

The journalctl command highlights important log messages: messages at notice or warning
priority are in bold text while messages at the error priority or higher are in red text.

The journalctl -f command outputs the last 10 lines of the system journal and continues to
output new journal entries as they get written to the journal. To exit journalctl -f, press
Ctrl+C.

[root@host ~]# journalctl -f

Run the following journalctl command to list journal entries at the err priority or higher:

[root@host ~]# journalctl -p err

Run the following journalctl command to list all journal entries from today's records.

[root@host ~]# journalctl --since today

Run the following journalctl command to list all journal entries ranging from 2019-02-10
20:30:00 to 2019-02-13 12:00:00.

[root@host ~]# journalctl --since "2019-02-10 20:30:00" --until "2019-02-13 12:00:00"

The -o verbose option shows every field stored with each entry (MESSAGE, _PID, _UID,
_SYSTEMD_UNIT and so on). That is how to discover the field names that can be used as
matches in the following commands:

[root@host ~]# journalctl -o verbose

Use the _PID=1 match with the journalctl command to display only log events originating from the
systemd process running with the process identifier of 1 on servera. To quit journalctl, press q.

[student@servera ~]$ journalctl _PID=1

Use the _UID=81 match with the journalctl command to display all log events originating
from a system service started with the user identifier of 81 on servera. To quit journalctl
press q.

[student@servera ~]$ journalctl _UID=81

Display all log events recorded in the past 10 minutes from the current time on servera.

[student@servera ~]$ journalctl --since "-10min"

Use the --since option and the _SYSTEMD_UNIT="sshd.service" match with the
journalctl command to display all the log events originating from the sshd service recorded
since 09:00:00 this morning on servera. To quit journalctl press q.
[student@servera ~]$ journalctl --since 9:00:00 _SYSTEMD_UNIT="sshd.service"
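Filtering the journal down to one unit is usually the first step of a triage, not the last. The following added example (not part of the original page) shows the kind of pass a responder runs over the sshd entries that the command above selects: count failed password attempts per source address and flag any address that failed and later succeeded. The input lines are constructed for this example in the format sshd writes; on a real host they come from journalctl with -o cat, which prints only the MESSAGE field, one per line. Function names and the sample addresses are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): a small detection pass over sshd
# journal entries. On a real host the input comes from journalctl, e.g.
#   journalctl _SYSTEMD_UNIT=sshd.service --since "-10min" -o cat | failed_ssh_by_ip 3
# (-o cat prints only the MESSAGE field, one entry per line).

# Constructed sshd messages in the form sshd writes them (not real captures).
SAMPLE_SSHD_LOG='Failed password for invalid user admin from 203.0.113.5 port 50022 ssh2
Failed password for root from 203.0.113.5 port 50023 ssh2
Accepted publickey for student from 192.0.2.10 port 40010 ssh2
Failed password for invalid user oracle from 198.51.100.7 port 33100 ssh2
Failed password for root from 203.0.113.5 port 50024 ssh2
Accepted password for student from 198.51.100.7 port 33101 ssh2'

# failed_ssh_by_ip [MIN] -> "<count> <ip>" for every source address with at
# least MIN failed password attempts (default 1), most active first.
failed_ssh_by_ip() {
  awk -v min="${1:-1}" '
    /^Failed password for / {
      for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
    }
    END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }
  ' | sort -k1,1nr -k2,2
}

# accepted_after_failures -> addresses that had at least one failed password
# attempt and later an "Accepted" login: the pattern worth a closer look.
accepted_after_failures() {
  awk '
    /^Failed password for / {
      for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)] = 1
    }
    /^Accepted / {
      for (i = 1; i <= NF; i++) if ($i == "from" && fails[$(i+1)]) print $(i+1)
    }
  ' | sort -u
}

# Stand-alone run over the constructed sample:
printf '%s\n' "$SAMPLE_SSHD_LOG" | failed_ssh_by_ip 2
printf '%s\n' "$SAMPLE_SSHD_LOG" | accepted_after_failures
```

The sample yields 203.0.113.5 with three failures and 198.51.100.7 as the address that failed once and then logged in with a password. Keep in mind that this only covers what is in the journal: with the default volatile storage described in the next section, anything before the last reboot is gone.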

Preserving the System Journal

Storing the System Journal Permanently

By default, the system journals are kept in the /run/log/journal directory, which means
the journals are cleared when the system reboots. You can change the configuration settings
of the systemd-journald service in the /etc/systemd/journald.conf file to make the
journals persist across reboot.

The Storage parameter in the /etc/systemd/journald.conf file defines whether to store
system journals in a volatile manner or persistently across reboot. Set this parameter to
persistent, volatile, or auto:

persistent  Store journals in /var/log/journal, creating the directory if it does not exist.
volatile    Store journals only in /run/log/journal, which is cleared at reboot.
auto        Behave like persistent if /var/log/journal exists, otherwise like volatile.
            This is the default, which is why creating the directory alone is enough to make
            journals persistent.

Configuring Persistent System Journals

To configure the systemd-journald service to preserve system journals persistently across
reboot, set Storage to persistent in the /etc/systemd/journald.conf file. Run the text
editor of your choice as the superuser to edit the /etc/systemd/journald.conf file, then
restart the service:

[root@host ~]# systemctl restart systemd-journald

Boot offsets are only useful once the journal is stored persistently: a volatile journal in
/run/log/journal contains nothing but the current boot. Use journalctl --list-boots to see
which boots the journal contains and the offset of each one.

The following journalctl command retrieves the entries limited to the first system boot
recorded in the journal:

[root@host ~]# journalctl -b 1

The following journalctl command retrieves the entries limited to the second system boot.
This argument is meaningful only if the journal contains at least two boots:

[root@host ~]# journalctl -b 2

The following journalctl command retrieves the entries limited to the current system boot:

[root@host ~]# journalctl -b

journalctl -b -1 limits the output to only the previous boot.

The -b option can be accompanied by a negative number: -b -N selects the boot N boots
before the current one.

Use the ls command to list the /var/log/journal directory contents. Use sudo to elevate
the student user privileges. Use student as the password if asked.

[student@servera ~]$ sudo ls /var/log/journal


[sudo] password for student: student
ls: cannot access '/var/log/journal': No such file or directory

Since the /var/log/journal directory does not exist, systemd-journald service is not
preserving its journals.

Configure the systemd-journald service on servera to preserve journals across a reboot.

Uncomment the Storage=auto line in the /etc/systemd/journald.conf file and set
Storage to persistent. You may use the sudo vim /etc/systemd/journald.conf command
to edit the configuration file. Type /Storage=auto from vim command mode to search for
the Storage=auto line.

...output omitted...
[Journal]
Storage=persistent
...output omitted...

sudo systemctl restart systemd-journald.service

sudo systemctl reboot
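The ls check above answers the question by hand. The following added example (not part of the original page) answers it from both inputs journald actually uses, the effective Storage= setting and whether the persistent directory exists, so it can be run on a fleet before an incident rather than discovered during one. The Storage= semantics are journald's documented ones (last uncommented setting wins, auto means persistent only if /var/log/journal exists); the function names, the DIR and CONF arguments, and the reading of /etc/systemd/journald.conf.d/*.conf drop-ins are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): decide whether journald on a host
# will keep its journal across reboots, from the effective Storage= setting and
# the presence of the persistent journal directory. Function names and argument
# layout are this example's own; the Storage= semantics are journald's.

# effective_storage CONF... -> the last uncommented Storage= value across the
# given files (main file first, then any drop-ins), or "auto", journald's
# default, if none of them sets it.
effective_storage() {
  value=
  for conf in "$@"; do
    if [ -r "$conf" ]; then
      v=$(sed -n 's/^[[:space:]]*Storage[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' "$conf" | tail -n 1)
      if [ -n "$v" ]; then value=$v; fi
    fi
  done
  echo "${value:-auto}"
}

# journal_mode DIR CONF... -> persistent | volatile | none
# DIR is the persistent journal directory (/var/log/journal on a real host).
journal_mode() {
  dir=$1; shift
  case "$(effective_storage "$@")" in
    persistent) echo persistent ;;
    volatile)   echo volatile ;;
    none)       echo none ;;            # journald discards everything
    auto)       if [ -d "$dir" ]; then echo persistent; else echo volatile; fi ;;
    *)          echo "unexpected Storage= value" >&2; return 1 ;;
  esac
}

# On a real host, with the paths the text above uses (the drop-in glob stays
# literal and is skipped when the directory does not exist):
# journal_mode /var/log/journal /etc/systemd/journald.conf /etc/systemd/journald.conf.d/*.conf
```

A result of volatile on a server that is supposed to keep history is the finding. With the default Storage=auto, creating /var/log/journal and restarting systemd-journald (or running journalctl --flush) is enough; the Storage=persistent setting the exercise applies makes journald create the directory itself.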

Maintaining Accurate Time

The timedatectl command shows an overview of the current time-related system settings,
including current time, time zone, and NTP synchronization settings of the system.

[user@host ~]$ timedatectl

timedatectl list-timezones

timedatectl set-timezone America/Phoenix

timedatectl set-time 9:00:00

The timedatectl set-ntp command enables or disables NTP synchronization for automatic time
adjustment.

timedatectl set-ntp true


Use the tzselect command to determine the appropriate time zone for Haiti.

[student@servera ~]$ tzselect

Edit the /etc/chrony.conf file to specify the classroom.example.com server as the
NTP time source. You may use the sudo vim /etc/chrony.conf command to edit the
configuration file. The following output shows the configuration line you must add to the
configuration file:

...output omitted...
server classroom.example.com iburst
...output omitted...

The preceding line in the /etc/chrony.conf configuration file includes the iburst option to
speed up initial time synchronization.

Use the timedatectl command to turn on the time synchronization on servera.

[student@servera ~]$ sudo timedatectl set-ntp yes

Pretend that the serverb system has been relocated to Jamaica and you must update the time
zone appropriately.

1. Use the timedatectl command to view available time zones and determine the
appropriate time zone for Jamaica.

[student@serverb ~]$ timedatectl list-timezones | grep Jamaica
America/Jamaica

2. Use the timedatectl command to set the time zone of the serverb system to
America/Jamaica.

[student@serverb ~]$ sudo timedatectl set-timezone America/Jamaica
[sudo] password for student: student

3. Use the timedatectl command to verify that the time zone is successfully set to
America/Jamaica.

[student@serverb ~]$ timedatectl
               Local time: Tue 2019-02-19 11:12:46 EST
           Universal time: Tue 2019-02-19 16:12:46 UTC
                 RTC time: Tue 2019-02-19 16:12:45
                Time zone: America/Jamaica (EST, -0500)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no

Create the /etc/rsyslog.d/auth-errors.conf file, configured to have the rsyslog service
write messages related to authentication and security issues to the new /var/log/auth-errors
file. Use the authpriv facility and the alert priority in the configuration file.

Create the /etc/rsyslog.d/auth-errors.conf file to specify the new
/var/log/auth-errors file as the destination for messages related to authentication and
security issues. You may use the sudo vim /etc/rsyslog.d/auth-errors.conf command to
create the configuration file.

authpriv.alert /var/log/auth-errors

Note that this selector only matches authpriv messages at the alert or emerg priority.
Ordinary authentication failures from sshd and PAM are logged at info or notice, so in
normal operation this file stays empty; the logger probe below is what puts a line in it.

Restart the rsyslog service so that the changes in the configuration file take effect.

[student@serverb ~]$ sudo systemctl restart rsyslog

Use the logger command to write a new log message to the /var/log/auth-errors file.
Apply the -p authpriv.alert option to generate a log message relevant to authentication
and security issues.

[student@serverb ~]$ logger -p authpriv.alert "Logging test authpriv.alert"

Use the tail command to confirm that the /var/log/auth-errors file contains the log
entry with the Logging test authpriv.alert message.

[student@serverb ~]$ sudo tail /var/log/auth-errors
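Both rsyslog exercises on this page (the *.debug rule into /var/log/messages-debug and the authpriv.alert rule into /var/log/auth-errors) follow the same pattern: drop a rule file into /etc/rsyslog.d, restart, send a probe with logger, read the target file. The following added script (not from the original page) does that generically and adds the step a practitioner wants between writing the file and restarting: rsyslogd -N1, which parses the effective configuration without starting the daemon and exits non-zero on a syntax error, so a broken drop-in never takes the logging service down. The RSYSLOG_D override, the function names, the "apply" argument and the script file name in the usage note are this example's own conventions; rsyslogd -N, logger -p and systemctl restart are the real tools.

```shell
#!/bin/sh
# Added example (not from the original page): install one classic rsyslog rule
# as a drop-in, check the configuration before restarting, then prove the rule
# routes messages with logger. RSYSLOG_D, the function names and the "apply"
# argument are this example's own conventions.
set -e

RSYSLOG_D=${RSYSLOG_D:-/etc/rsyslog.d}

# write_rule NAME SELECTOR TARGET -> writes $RSYSLOG_D/NAME.conf, prints its path
write_rule() {
  file="$RSYSLOG_D/$1.conf"
  printf '%s\t%s\n' "$2" "$3" > "$file"
  echo "$file"
}

# probe_priority SELECTOR -> a concrete facility.priority for logger -p that
# the rule must match: "*" becomes user / notice, "=prio" becomes prio, a
# facility list is probed with its first member, "none" cannot be probed.
probe_priority() {
  fac=${1%.*}; prio=${1#*.}
  if [ "$fac" = '*' ]; then fac=user; fi
  fac=${fac%%,*}
  case "$prio" in
    '*')  prio=notice ;;
    =*)   prio=${prio#=} ;;
    none) echo "selector $1 matches nothing" >&2; return 1 ;;
  esac
  echo "$fac.$prio"
}

# install_and_verify NAME SELECTOR TARGET (needs root and a running rsyslog)
install_and_verify() {
  file=$(write_rule "$1" "$2" "$3")
  # -N1 parses the whole effective configuration, drop-ins included, and
  # exits non-zero on a syntax error, so a bad drop-in never reaches restart.
  rsyslogd -N1
  systemctl restart rsyslog
  marker="rsyslog rule test $(date +%s) pid $$"
  logger -p "$(probe_priority "$2")" "$marker"
  sleep 1   # give rsyslog a moment to write the line
  if tail -n 20 "$3" | grep -qF "$marker"; then
    echo "ok: $2 -> $3 (rule file $file)"
  else
    echo "FAIL: probe message not found in $3" >&2
    return 1
  fi
}

# Side effects only when invoked as: sh rsyslog-rule.sh apply NAME SELECTOR TARGET
if [ "${1:-}" = "apply" ]; then
  install_and_verify "$2" "$3" "$4"
fi
```

To reproduce the two exercises: sudo sh rsyslog-rule.sh apply debug '*.debug' /var/log/messages-debug, then sudo sh rsyslog-rule.sh apply auth-errors authpriv.alert /var/log/auth-errors (rsyslog-rule.sh is whatever name you save the script under). The probe for the second rule is sent at authpriv.alert, which is the only way a line normally lands in that file.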
