LPI 101-500 – 108.2: System logging

1. syslog, rsyslog

In the Linux environment. It is the absolute standard that various events are recorded in log files. This includes events from various programs, but also events from the Linux system itself. In a professional environment, you can hardly do without logs. If something doesn’t work, you can consult the relevant log files and then usually find out what is wrong in the relevant case. In order for the corresponding log files to be written at all, linux needs a program that takes on these tasks. As almost always, there are several here. First there is Syslog dyslock d. Syslog d was the first logging demon for Linux systems. Then there is syslog. Ng. Syslog ng is further development of Syslog d.

And then there is R. Syslock rsyslock has replaced syslog d from the prevalence in recent years. Rsyslock has become the standard, which is why you shouldn’t expect detailed questions about syslog d in the exam. Because of this, we don’t look at syslog d or Syslog ng in detail for the exam. It is sufficient to know that these login demons exist. There is also genre D. Genre D is part of system D, but we will go into it in more detail in a moment. First, let’s look at our syslog. This is preinstalled on my ubuntu system by default pscfr sysloc. And the result that we see here also says that the syslog b daemon is not installed. In theory, of course we could install it later, but as I said, this is not necessary for the exam.

First, let’s take a look at the main Rsis lock configuration file. As always, like the test, we need to know what the main configuration file is, what it is called and where it is located. And as always, it is in the ATC directory. So bi at crsyslock. Of course, we don’t have to be able to analyze this config file completely for the test. But you should already know that the directory varspool rsyslock is defined as the socalled work directory, and that additional files are used for the configuration, namely all files with the file extension conf in the directory at crzislog. Here you can see the work directory varspool rsyslock. You have to remember this for the exam.

And here you can see include config. So include all config files or confides in the directory at c rsis lock d. Okay, let’s take a look at the directory at the RSS lockd. In my case, there are two files here 20 u FW dot conf and 50 d four. com. I will open the file fiftydefault conf. Now with VI and here in this file we find rules for logging. These rules usually consists of three components facility followed by level or priority separated by a dot followed by action. Okay, let’s take a look at this. At the first entry, this one here. What is this about? On the far left we find the so called facility entry. It is determined here which facility that is, which source creates the corresponding entry.

In this case it is the source of both sources lock events that deal with authorizations.Further facility values would be cron Demon, kern, lpr, mail user here, then mark news syslog user uucp and local zero to local seven. You can fall back on that letter if you write your own programs and want to log on to Syslog. The level or priority value follows, separated from the facility value by a dot. So we have here facility values, then a dot and then our priority value. There are various so called lock levels that you should also know for the test. For example info, debug or arrow.

Under this video I have deposited a small pdf on which all logging levels and the corresponding description are stored. In this case we only see an asterisk, which means that everything is locked except debug. The third column action is expressed in somewhat ambitious way. Only the location or the file in which these logins take place is stored here. In this case it is the file Varlock auth. We also see in our file that the logins for cron, Demon, lpr and user are switched off, because here is a comment sign, and we see that kernel messages here kern are written to the file Varlock kerr lock and mail locks are written to the file lock. The second line says that all messages from the system, except the messages from off and offproof are written to the file VA log syslog.

This asterisk dot and another asterisk means all facilities and all lock levels are written to the file VAR lock. Syslog the semicolon here separates the facility level combination from another facility level entry. In this case, the none indicates that nothing should be locked, so nothing is locked by auth and auth. So after these entries we can determine that the directory for lock is the main directory for log files. So if we have any problem and are looking for a corresponding log file, these chances, or the chances are good that we will find it in Varlock. So let’s have a look. So we see a lot of log files here. Let’s take a look at the auth log file, for example lock.

Of course, we don’t have to be able to analyze everything down to the last detail, and such a question will not come up in the exam. But we can state that this is actually about authorization information. Depending on where a certain error occurs, we can guess in which lock file the data that will help us can be found. If necessary. We always refer to the Syslog file, and we see that there are several Syslog files here syslog syslog one, syslog two gzet under seven Gzet. This is because, as previously stated, it locks everything and grows very quickly, so that at some point the system will lock and compress it so that it can continue with a new file here is a practical tip.

If a certain error occurs that is reproducible, simply look at the corresponding log file with a tail and the option f trigger the problem in another terminal and watch what happens. For example tail f and then syslog. So here we would see in real time what is currently being written to this log file. In addition, I would always grab larger files according to certain lock levels. For example, according to the error lock level stop that again. So for example, grab error and then syslog. So we are owed only shown the messages that have recorded an error.

2. journalctl, logger, systemd-cat

Let’s come back to the various syslog files. The log rotate program is responsible for rewriting renaming and compressing them. Log rotate ensures that a file is processed accordingly after a certain interval has expired. The main configuration file of log rotate is the file locrotate conf. And this is as almost always in the at c directory. So let’s take a look VI at clocrotate conf and this file nicely describes how locrotate works. We can see here rotate lock files weekly. Use the adm group by default, since this is the owning group of Vallock fistlog. Keep four weeks worth of backlogs rotate four create new and empty log file or log files after rotating old ones.

Use date as a suffix of the rotated file, but this is not active, and this is also not active packages. Drop lock rotation information into this directory at c logrotate d so after four weeks the program lock rotate creates new syslog file and renames the other file and pack the old files together in the GVAT format. We also see a note here that further configuration files will be used, namely those that are in the at c locrootate d directory. So let’s take a look at this directory CD at clockrotate d and we have some files here. For example, let’s take a look at the Dpkg file, and the file has the same structure as the main configuration file locrotate conf.

Only the comments have been left out here, which makes them a little harder to read if you can’t remember it by heart. Just look at locrotate conf again, and you can easily find out when it is rotated, how often it is rotated, and so on. Again in detail. Using this example, the log file Varlock dpkg lock is rotated or renewed monthly. Twelve versions of the log files are saved, and old log files are compressed. Delay compressed means that the compression is not carried out immediately. So with the first rotation, but only with the next missing. Okay means that if the system cannot find the Dpkg log file, no error message should be output, but should simply continue.

Not IFMT means that empty log files are not rotated. Create means that a new log file will be created with a permission six, four four and the owner. And the owner group is root. Linux Systems, managed with system D. Also use the system d Genard, which is a direct part of system d. System djohnardi locks the corresponding events in the directory VAR lock journal. So let’s take a look CD Varlock jonah and we only see a directory with a long number here. Let’s go in here, and there are a few files with the ending journal, system g journal and so on. So let’s take a look at one of these bi user 1000, and we see that it doesn’t work. This means that the system djordal log files cannot be viewed with VI or cat or less.

This is where the genre Ctl program comes into play. Get out of this file. The command is Jonah Ctl. And if we call gena Ctl without options, we get an insight into a large log file. So everything is stored centrally here and not in different files. The entries start three months in advance, so we have to scroll if we want to see the locks for the last few days. Or we can use genre Ctl with the E option, because that ensures that we jump straight to the end.So Ctl and here we are at the end is January the 22 22nd on ten 03:00 P. m. . And we have ten three at the moment. So that’s the actual line here. Alternatively, you can use the the R option.

In this case R stands for reverse and ensures that we find the latest the latest entries at the top. So now Ctl R. And here we are at the top. We have to scroll down and so on. Here are the older ones at the bottom. Another interesting option is the N option. Here you can determine the number of the last lines that should be displayed to us. It can therefore be compared to the tail command. You remember, tail shows the last N lines of the file. And here is the same gen CTL n and maybe 30. And here we have the last 30 lines here. As with Tail, you can also use the F option with genre Ctl. Here too, we can see Live when something is written in the locks. And yeah, that’s the Live view.

If we now want to check whether this really works in real time, we can use the Logger command. With Logger you can create your own log entry. You can use this, for example, for scripts that you have written yourself. How it works is best demonstrated with a T parameter. T stands for day. We open a second terminal. You’ll see something happened here and here. Let’s run the program. Logger t test. This is a test. Let’s look into the other terminal window again and we see that this has actually been written to the locks test. This is a test with control C. You can close this window or stop this Ctl live view. There are other interesting options. As always, I recommend taking a look at the man page.

The genre D configuration file can be found in Etsy system D. And then we have here the Genardi confile. And here we see various settings. Of course, we don’t have to know all of them. It is enough to know where the genre deconfiguration file is located and what it looks like. Nevertheless, here are a few brief explanations. Let me look at the storage equals auto option ensures that the locks are written to Varlock genre. If this directory exists, the option compressed yes ensures that large locks are compressed to save space. The forward to syslog yes option specifies that the locks are also written to the vowel lock syslog file. Okay, I think that’s it. Let’s leave this file again.

Okay, finally, let’s take a quick look at the system DCAT command. As you might have guessed, system bcat is a system D command. This is not available on older systems. With system B cat, you can write commands or the results of the corresponding commands in the locks. So let’s look at that again with Jeannar Ctl F. So we need our second terminal again, and then Cdroot. And then for example, system DCAT LS. And we see in the log file that the result of LS was locked. I think there is no need to add much more to this. And according we are at the end of this lesson and see you in the next, then it comes to the basics of male transfer agents.