Linux Exercise: System Logging

syslogd configuration and files

  1. Look at the syslog configuration file. Depending on the exact version of syslog, this file is called /etc/syslog.conf, /etc/rsyslog.conf or /etc/syslog-ng.conf. What file gets most of the "info" messages?
    • # vi /etc/syslog.conf
    • # vi /etc/rsyslog.conf
    • # vi /etc/syslog-ng.conf
      The most important logfile on a typical Linux system is /var/log/messages, but certain facilities have their own logfiles. Messages about mail, for instance, go to /var/log/maillog.
  2. Look at the permissions on the logfiles. Do you agree with these?
    • # ls -l /var/log/*
  3. Run a tail -f on the most important logfile. Leave this command running.
    • # tail -f /var/log/messages

logger command

  1. Open a new window, or log on using a separate session, so that your tail -f command can remain running. Use the logger command to log a message to syslog.
    • # logger This is a test.
  2. Do the same thing, but use the "authpriv" facility. Do you see the message? If not, where did it end up?
    • # logger -p authpriv.info This is a test.
    • # tail /var/log/secure
  3. Do the same thing, but use the "kern" facility and the "panic" priority.
    • # logger -p kern.panic This is a test.
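      The following script is an added example, not part of the exercise or of any syslog implementation. It answers the questions of the two sections above on a constructed syslog.conf (the sample below is made up for the example, not copied from a system): resolve_target takes a facility and a priority and prints which action each rule in the file applies, following the classic selector rules of syslog.conf(5): "*" matches any facility or priority, "none" excludes a facility, "=prio" matches exactly that priority, and a bare "prio" matches that priority or anything more urgent. Note that "panic", "warn" and "error" are deprecated aliases of "emerg", "warning" and "err" and are accepted here as well. Nothing in this script reads /etc/syslog.conf or /var/log.

```shell
#!/bin/sh
# Constructed sample of a classic /etc/syslog.conf (not copied from the page or any system).
# A leading "-" on a file name means the file is not synced after every write.
SAMPLE_CONF='# Log anything (except mail) of level info or higher.
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
*.emerg                                     *
kern.=panic                                 /var/log/kernpanic'

# resolve_target FACILITY PRIORITY: print the action (file name, or "*" for all logged-in
# users) of every rule in SAMPLE_CONF that matches the message, one per line, in file order.
# Selector rules implemented: "*" (any facility / any priority), "none" (exclude the
# facility), "=prio" (exactly that priority) and "prio" (that priority or more urgent).
# Within one line, the last selector that names the facility decides, which is what makes
# "*.info;mail.none" keep mail out of /var/log/messages.
resolve_target() {
  printf '%s\n' "$SAMPLE_CONF" | awk -v fac="$1" -v pri="$2" '
    BEGIN {
      n = split("debug info notice warning err crit alert emerg", lv, " ")
      for (i = 1; i <= n; i++) level[lv[i]] = i
      # deprecated aliases still accepted by logger(1) and syslog.conf(5)
      level["warn"] = level["warning"]; level["error"] = level["err"]; level["panic"] = level["emerg"]
    }
    /^[ \t]*#/ { next }      # comment line
    NF < 2     { next }      # blank or malformed line
    {
      target = $NF
      sub(/^-/, "", target)
      nsel = split($1, sel, ";")
      matched = 0
      for (s = 1; s <= nsel; s++) {
        split(sel[s], fp, ".")
        nfac = split(fp[1], fl, ",")
        facmatch = 0
        for (j = 1; j <= nfac; j++) if (fl[j] == "*" || fl[j] == fac) facmatch = 1
        if (!facmatch) continue
        prio = fp[2]
        if (prio == "none")      matched = 0
        else if (prio == "*")    matched = 1
        else if (substr(prio, 1, 1) == "=")
                                 matched = (level[pri] == level[substr(prio, 2)])
        else                     matched = (level[pri] >= level[prio])
      }
      if (matched) print target
    }'
}

# The three logger commands of the exercise, resolved against the sample above:
resolve_target user notice      # where a plain "logger This is a test." ends up
resolve_target authpriv info    # where "logger -p authpriv.info ..." ends up
resolve_target kern panic       # where "logger -p kern.panic ..." ends up
```

      With this sample, a default logger message (facility user, priority notice) lands in /var/log/messages, authpriv.info is kept out of /var/log/messages by the "authpriv.none" selector and goes to /var/log/secure only, and kern.panic matches three rules at once, so it is written to /var/log/messages, to the "kern.=panic" file and to every logged-in terminal. To check a real system, point the same logic at the actual configuration file and remember that rsyslog and syslog-ng add their own syntax on top of these classic selectors.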

journald

  1. Use the journalctl command to list the journal.
    • # journalctl
  2. Do the same, but limit the output to messages about the ssh daemon (sshd).
    • # journalctl -u sshd
  3. Run the command systemctl status sshd. What do you see?
    • # systemctl status sshd
      This command shows the most recent entries about sshd from the journal.
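      The following is an added example, not part of the exercise and not systemd's code. journalctl -u sshd selects entries by the unit they belong to (primarily the _SYSTEMD_UNIT field) and -p cuts on the PRIORITY field; the script below does the same two things over a constructed sample in the text form of journalctl -o export (one FIELD=value line per field, a blank line between entries; the entries are made up for the example). It prints the syslog level name, identifier, PID and message, roughly as systemctl status shows them.

```shell
#!/bin/sh
# Constructed sample in the text form of "journalctl -o export" (not taken from a real journal).
SAMPLE_EXPORT='__REALTIME_TIMESTAMP=1709460062000000
PRIORITY=6
SYSLOG_IDENTIFIER=sshd
_SYSTEMD_UNIT=sshd.service
_PID=1201
MESSAGE=Accepted publickey for alice from 10.0.0.5 port 50110 ssh2

__REALTIME_TIMESTAMP=1709460137000000
PRIORITY=6
SYSLOG_IDENTIFIER=dhclient
_SYSTEMD_UNIT=NetworkManager.service
_PID=802
MESSAGE=DHCPACK from 10.0.0.1

__REALTIME_TIMESTAMP=1709460344000000
PRIORITY=3
SYSLOG_IDENTIFIER=sshd
_SYSTEMD_UNIT=sshd.service
_PID=1310
MESSAGE=error: maximum authentication attempts exceeded for root from 203.0.113.9 port 41022 ssh2

__REALTIME_TIMESTAMP=1709460420000000
PRIORITY=4
SYSLOG_IDENTIFIER=kernel
_TRANSPORT=kernel
MESSAGE=usb 1-1: device descriptor read/64, error -71
'

# unit_messages UNIT [MINPRIO]: print "<level> <identifier>[<pid>]: <message>" for every
# entry whose _SYSTEMD_UNIT is UNIT and whose PRIORITY is MINPRIO or more urgent
# (syslog numbering: 0 emerg ... 7 debug, so "more urgent" means a smaller number).
# Default MINPRIO is 7, i.e. everything, like "journalctl -u UNIT" without -p.
unit_messages() {
  printf '%s' "$SAMPLE_EXPORT" | awk -v unit="$1" -v minprio="${2:-7}" '
    BEGIN { RS = ""; FS = "\n"     # paragraph mode: one entry per record, one field per line
            split("emerg alert crit err warning notice info debug", name, " ") }
    {
      for (k in f) delete f[k]
      for (i = 1; i <= NF; i++) {
        eq = index($i, "=")          # split on the first "=" only; the value may contain more
        f[substr($i, 1, eq - 1)] = substr($i, eq + 1)
      }
      if (f["_SYSTEMD_UNIT"] != unit) next
      if (f["PRIORITY"] + 0 > minprio + 0) next
      printf "%s %s[%s]: %s\n", name[f["PRIORITY"] + 1], f["SYSLOG_IDENTIFIER"], f["_PID"], f["MESSAGE"]
    }'
}

unit_messages sshd.service       # everything from the sshd unit, like "journalctl -u sshd"
unit_messages sshd.service 3     # only err and worse, like "journalctl -u sshd -p err"
```

      The kernel entry has no _SYSTEMD_UNIT field at all, so no unit filter ever selects it; on a real system that is why kernel messages are read with journalctl -k rather than with -u.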

log rotation

  1. Look at the files in /var/log. Did any logfiles rotate already? Make a note of the date of the most recent logfiles.
    • # ls -l /var/log/*
  2. Look at the file /etc/logrotate.conf and the files in /etc/logrotate.d. What logfiles are rotated?
    • # cat /etc/logrotate.conf
    • # ls -l /etc/logrotate.d
  3. Force a log rotation. Note that this is normally done from cron.
    • # logrotate -f /etc/logrotate.conf
  4. Look at the files in /var/log again. Which files were rotated?
    • # ls -l /var/log/*

Log analysis

  1. Create an /etc/ignore file with log entries that you have no interest in. Run a grep -v -f /etc/ignore on /var/log/messages. Did you filter out the uninteresting messages?
    • # cat /var/log/messages
    • # vi /etc/ignore
      sshd
      dhclient
    • # grep -v -f /etc/ignore /var/log/messages
      You should now see the logfile with the uninteresting lines filtered out.
  2. (Optional) Add the log analysis to the logrotate configuration file for syslog, as a prerotate script. Mail the output to yourself. Then force a log rotation to see if the script is working.
    • # vi /etc/logrotate.d/syslog
      Add the following within the block of curly braces:
      prerotate
      	grep -v -f /etc/ignore /var/log/messages | mail -s "Log analysis" root
      endscript
    • # logrotate -f /etc/logrotate.conf
    • Wait a few seconds for the mail to come through. Then:
      # mail
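      The following is an added example for step 1 of the log analysis, not part of the exercise. It runs the same grep -v -f filter over a constructed set of /var/log/messages lines (made up for the example) with two ignore files: the broad one from the exercise, which drops every line that mentions sshd or dhclient, and a narrow one that names only the routine messages. The point a log reviewer wants to see is that the broad file also hides the failed root logins, while the narrow file keeps them. The -F option is added so that each ignore line is taken as a fixed string rather than a regular expression; without it a "." or "[" in an ignore line matches more than intended.

```shell
#!/bin/sh
# Constructed sample of /var/log/messages lines (not taken from the page or a real host).
SAMPLE_LOG='Mar  3 10:01:02 host sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 50110 ssh2
Mar  3 10:01:02 host sshd[1201]: pam_unix(sshd:session): session opened for user alice
Mar  3 10:02:17 host dhclient[802]: DHCPREQUEST on eth0 to 10.0.0.1 port 67
Mar  3 10:02:17 host dhclient[802]: DHCPACK from 10.0.0.1
Mar  3 10:05:44 host sshd[1310]: Failed password for root from 203.0.113.9 port 41022 ssh2
Mar  3 10:05:49 host sshd[1310]: Failed password for root from 203.0.113.9 port 41022 ssh2
Mar  3 10:07:00 host kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd'

# Broad ignore file in the style of the exercise: any line mentioning sshd or dhclient goes.
BROAD_IGNORE='sshd
dhclient'

# Narrow ignore file: only the specific routine messages, each matched as a fixed string.
NARROW_IGNORE='Accepted publickey for
session opened for user
DHCPREQUEST on
DHCPACK from'

# filter_log PATTERNS: apply "grep -v -F -f" with PATTERNS (one pattern per line) to the
# sample log and print the lines that survive, i.e. the ones a reviewer still has to read.
filter_log() {
  tmp=$(mktemp)
  printf '%s\n' "$1" > "$tmp"
  printf '%s\n' "$SAMPLE_LOG" | grep -v -F -f "$tmp"
  rm -f "$tmp"
}

# remaining_count PATTERNS: how many lines the filter leaves.
remaining_count() {
  filter_log "$1" | wc -l | tr -d ' '
}

# failed_logins_kept PATTERNS: how many "Failed password" lines are still visible after
# filtering; zero means the ignore file is hiding authentication failures.
failed_logins_kept() {
  filter_log "$1" | grep -c 'Failed password' || true
}

echo "broad ignore file: $(remaining_count "$BROAD_IGNORE") line(s) left, failed logins visible: $(failed_logins_kept "$BROAD_IGNORE")"
echo "narrow ignore file: $(remaining_count "$NARROW_IGNORE") line(s) left, failed logins visible: $(failed_logins_kept "$NARROW_IGNORE")"
```

      Run stand-alone it reports one remaining line and no visible failed logins for the broad file, against three remaining lines and both failed logins for the narrow file. The same check is worth repeating whenever /etc/ignore is edited, since the prerotate script of step 2 mails out only what the filter lets through.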
End of exercise