Chapter 13: Configuring Logging
LINUX-I
Chapter 13
Configuring Logging
Module: ……………..................... 1
Computer Hardware & Network
Institute
Recall
1. Where do you configure a cron job that needs to
be executed once every 2 weeks?
2. How do you specify the execution time in a cron
job that needs to be executed twice every month,
on the 1st and the 15th of the month at 2 p.m.?
3. How do you specify cron execution time for a job
that needs to run every 2 minutes on every day?
4. How do you specify a job that needs to be
executed on September 19 and every Thursday
in September?
Recall (2)
5. Which command enables you to schedule a cron
job for user lisa?
6. How do you specify that user boris is never
allowed to schedule jobs through cron?
7. Which service must be running to schedule at
jobs?
8. Which command enables you to find out whether
any current at jobs are scheduled for execution?
Chapter Objectives
• Understand system logging
• Configure rsyslogd
• Rotate log files
• Work with journald
Understanding System Logging
• Most services used on a Linux server write information to log files. This information can be written to different destinations.
• There are several ways to find the relevant information in system logs:
• Direct write: Some services write logging information directly to their own log files.
• rsyslogd: an enhancement of syslogd, the service that manages centralized log files.
• journald: allows administrators to read detailed information from the journal; the last entries logged by a service are also shown when monitoring service status with the systemctl status <service-name> command.
Understanding the Role of
rsyslogd and journald
• journald collects messages from the kernel, the entire boot procedure, and services, and writes them to an event journal that can be queried with the journalctl command.
• By default, the journal written by journald is not persistent between reboots; messages are therefore also forwarded to the rsyslogd service.
• rsyslogd writes the messages to different files in the /var/log directory.
• rsyslogd also offers features that do not exist in journald, such as centralized logging and filtering messages by using modules.
Understanding the Role of
rsyslogd and journald (2)
• journald is not a replacement for rsyslog; it is just another way of logging information.
• journald is tightly integrated with systemd (a system and service manager for Linux operating systems) and therefore logs everything that your server is doing.
• rsyslogd:
• Takes care of writing log information to specific files
• Allows you to configure remote logging and log servers
Understanding the Role of
rsyslogd and journald (3)
• Three approaches to get more information about what has been happening on a machine running RHEL:
• Monitor the files in /var/log that are written by rsyslogd.
• For a short overview of the last significant events that have been logged by systemd units through journald, type systemctl status <unit>; this shows the status of the service as well as the last couple of lines that have been logged.
• Use the journalctl command to get more detailed information from the journal.
Reading Log Files
Understanding Log File Contents
• Each line in the /var/log/messages file consists of the same elements:
• Date and time: Every log message starts with a timestamp.
• Host: The host the message originated from (rsyslogd can be configured to handle remote logging as well).
• Service or process name: The name of the service or process that generated the message.
• Message content: The exact message that has been logged.
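The four elements described above can be recognised mechanically. The following parser is an added example, not part of the course material; the sample lines it reads are constructed in the /var/log/messages layout (hosts, PIDs and addresses are made up).

```python
import re
from typing import Optional

# Constructed sample lines in the /var/log/messages layout:
# timestamp, host, service/process name (optional [PID]) and message content.
SAMPLE_MESSAGES = """\
Jan 17 14:02:11 server1 sshd[1234]: Failed password for lisa from 192.0.2.10 port 4242 ssh2
Jan 17 14:02:12 server1 systemd[1]: Started Session 42 of user lisa.
Jan  7 09:15:00 server1 kernel: usb 1-1: new high-speed USB device number 3 using xhci_hcd
Jan 17 14:03:09 server1 sshd[1234]: Accepted publickey for lisa from 192.0.2.10 port 50022 ssh2
this line is not in syslog format
"""

LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "  # "Jan 17 14:02:11"; day may be space-padded
    r"(?P<host>\S+) "                                            # originating host
    r"(?P<process>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "             # "sshd[1234]:" or "kernel:" (no PID)
    r"(?P<message>.*)$"                                          # the logged message itself
)

def parse_line(line: str) -> Optional[dict]:
    """Split one /var/log/messages line into its elements; None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["pid"] = int(entry["pid"]) if entry["pid"] is not None else None
    return entry

def parse_log(text: str) -> list[dict]:
    """Parse every well-formed line, skipping lines that are not in syslog layout."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]

def messages_from(entries: list[dict], process: str) -> list[dict]:
    """Filter parsed entries by service/process name, e.g. 'sshd'."""
    return [e for e in entries if e["process"] == process]

if __name__ == "__main__":
    for e in messages_from(parse_log(SAMPLE_MESSAGES), "sshd"):
        print(e["timestamp"], e["host"], e["pid"], e["message"])
```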
Live Log File Monitoring
• To read the contents of a log file, use a pager utility such as less.
• To monitor a log file live, use tail -f <logfile>.
• When you are configuring services on Linux, it can be useful to see in real time what is happening:
• Open two terminal sessions at the same time.
• In one terminal session, configure and test the service.
• In the other terminal session, watch the log file in real time with tail -f <logfile>.
• Press Ctrl+C to stop tail when you are done.
Using logger
• The logger <message> command enables users to write messages to rsyslog from the command line.
• The logger utility offers a convenient way to write messages from scripts, so a script can report to syslog when something goes wrong.
• When using logger, you can also specify the facility and priority to log to.
• The command logger -p kern.err <message> writes the message to the kernel facility, using the error priority.
• This enables you to test the working of specific rsyslog facilities.
Understanding rsyslogd
Configuration Files
• The /etc/rsyslog.conf file is the central location where rsyslogd is configured.
• The directory /etc/rsyslog.d holds additional configuration snippets and can be populated by installing RPM packages on a server. When looking for a specific log configuration, always consider the contents of this directory as well.
Understanding Facilities,
Priorities, and Log Destinations
• To specify what information should be logged to which destination, rsyslogd uses three elements:
• A facility specifies the category of information that is logged.
• A priority defines the severity of the message that needs to be logged; by default, all messages with that priority and all higher (more severe) priorities are logged.
• A destination defines where the message should be written to.
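The facility.priority pair used by logger -p (previous slide) and the "this priority and all higher ones" rule of a selector can be worked through in code. This is an added example, not the course's or rsyslog's own code: it evaluates legacy-format selectors against a constructed rule set whose first line mirrors the default RHEL rsyslog.conf rule for /var/log/messages, while the other three rules and their file names are hypothetical.

```python
# Syslog facility codes in RFC 5424 order; slots 12-15 are rarely used and left unnamed here
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", None, None, None, None,
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
# Priorities from most to least severe; a selector priority matches itself and everything before it
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def pri_value(facility: str, priority: str) -> int:
    """Numeric PRI carried by a message sent with logger -p facility.priority: facility*8 + severity."""
    return FACILITIES.index(facility) * 8 + PRIORITIES.index(priority)

def selector_matches(selector: str, facility: str, priority: str) -> bool:
    """Evaluate a legacy rsyslog selector such as '*.info;mail.none;authpriv.none;cron.none'.
    Parts apply left to right, so a later 'none' excludes a facility that an earlier '*' matched."""
    matched = False
    for part in selector.split(";"):
        fac_spec, prio_spec = part.strip().split(".", 1)
        facs = fac_spec.split(",")
        if "*" not in facs and facility not in facs:
            continue                                  # this part is about other facilities
        if prio_spec == "none":
            matched = False                           # explicitly exclude this facility
        elif prio_spec == "*":
            matched = True                            # every priority
        elif prio_spec.startswith("="):
            matched = priority == prio_spec[1:]       # '=notice': exactly this priority
        else:                                         # 'err': this priority and all more severe ones
            matched = PRIORITIES.index(priority) <= PRIORITIES.index(prio_spec)
    return matched

def destinations_for(rules: list[tuple[str, str]], facility: str, priority: str) -> list[str]:
    """Return every destination whose selector accepts a message with this facility and priority."""
    return [dest for sel, dest in rules if selector_matches(sel, facility, priority)]

# Constructed rule set: the first rule mirrors the RHEL default, the rest are hypothetical
RULES = [
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("cron.*", "/var/log/cron"),
    ("kern.err", "/var/log/kernel-errors"),
    ("local0.=notice", "/var/log/app-notice"),
]

if __name__ == "__main__":
    # logger -p kern.err "disk failure" carries PRI 3 and lands in two destinations
    print(pri_value("kern", "err"), destinations_for(RULES, "kern", "err"))
```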
rsyslogd Facilities
rsyslogd Priorities
Rotating Log Files
• To prevent syslog messages from filling up your
system completely, the log messages can be
rotated
• When a certain threshold has been reached, the old
log file is closed and a new log file is opened.
• The logrotate utility is started periodically through
the crond service to take care of rotating log files.
• When a log file is rotated, the old log file is
typically copied to a file that has the rotation date
in it.
• If /var/log/messages is rotated on Jan 17, 2022, the rotated filename will be /var/log/messages-20220117.
• As a default, four old log files are kept on the
Preserving the systemd Journal
• By default, the journal is stored in /run/log/journal.
• The entire /run directory holds current runtime state only, so the journal is cleared when the system reboots.
• To make the journal persistent between system restarts, make sure that the directory /var/log/journal exists.
Preserving the systemd Journal (2)
• Even when the journal is written to the persistent location in /var/log/journal, that does not mean the journal is kept forever: the oldest messages are dropped automatically to make room for newer ones.
• The journal has built-in log rotation, which runs monthly.
• The journal is limited to a maximum size of 10% of the file system it is on, and it also stops growing if less than 15% of the file system is still free.
• To change these settings, modify the file /etc/systemd/journald.conf.
Summary
• In this chapter, you learnt:
• How to configure logging.
• How the rsyslogd and journald services are used on
RHEL 7 to keep log information.
• How to manage logs that are written by these
services.
• How to configure log rotation and make the journal
persistent.
Review Questions
1. Which file is used to configure rsyslogd?
2. Which configuration file contains messages
related to authentication?
3. If you do not configure anything, how long will it
take for log files to be rotated away?
4. Which command enables you to log a message
from the command line to the user facility, using
the notice priority?
5. Which line would you add to write all messages
with a priority of info to the file
/var/log/messages.info?
Review Questions (cont.)
6. Which configuration file enables you to allow the
journal to grow beyond its default size restrictions?
7. Which command enables you to see new
messages in the journal scrolling by in real time?
8. Which command enables you to see all journald
messages that have been written for PID 1 between
9:00 a.m. and 3:00 p.m.?
9. Which command enables you to see journald
messages since last reboot on a system where a
persistent journal has been configured?
10. Which procedure enables you to make the
journald journal persistent?
Quiz
1. Which of the following statements about journald
is not true?
a. journald logs kernel messages.
b. journald writes to the journal, which by default
does not persist between boots.
c. journald is a replacement of rsyslogd.
d. To read files from the journal, the journalctl
command is used.
Quiz
2. Which log would you read to find messages
related to authentication errors?
a. /var/log/messages
b. /var/log/lastlog
c. /var/log/audit/audit.log
d. /var/log/secure
3. Which log would you read to find information that
relates to SELinux events?
a. /var/log/messages
b. /var/log/lastlog
c. /var/log/audit/audit.log
d. /var/log/secure
Quiz
4. What is the name of the rsyslogd configuration
file?
a. /etc/rsyslog.conf
b. /etc/sysconfig/rsyslogd.conf
c. /etc/sysconfig/rsyslog.conf
d. /etc/rsyslog.d/rsyslogd.conf
Quiz
5. You need to change the startup behavior of the
rsyslogd service. Which of the following describes
the recommended approach to do so?
a. Include the startup parameter in the main rsyslog
configuration file.
b. Create a snap-in file in the directory /etc/rsyslog.d
and specify the required parameters in there.
c. Change the systemd unit file in
/usr/lib/systemd/system to include the required
startup parameter.
d. Use the SYSLOGD_OPTIONS line in the file
/etc/sysconfig/rsyslog and include the startup
parameter here.
Quiz
6. In the rsyslog.conf file, which of the following
destinations refers to a specific rsyslogd module?
a. -/var/log/maillog
b. /var/log/messages
c. :omusrmsg:*
d. *
7. Which facility is the best solution if you want to
configure Apache to log messages through rsyslog?
a. daemon
b. apache
c. syslog
d. local0-7
Quiz
8. You want to limit the size of a log file to a maximum of
10 MB. Where do you configure this?
a. Create a file in /etc/logrotate.d and specify the
maximal size in that file.
b. Put the maximal size in the logrotate cron job.
c. Configure the destination with the maximal size
option.
d. This cannot be done.
9. Which directory is used to store the journald
journal?
a. /var/log/journal
b. /var/run/journal
c. /run/log
d. /run/log/journal
Quiz
10. What do you need to do to make the journald
journal persistent?
a. Create the directory /var/log/journal, set
appropriate permissions and reboot your machine.
b. Open /etc/sysconfig/journal and set the PERSISTENT
option to yes.
c. Open the /etc/systemd/journald.conf file and set the
PERSISTENT option to yes.
d. Create the /var/log/journal file and set appropriate
permissions.