CompTIA Linux+ XK0-005 – Unit 08 – System Maintenance Part 6
50. Sample rsyslog.conf
So let’s take a look at an example of what you might see. If you were to edit the rsyslog config file, what you would see is a list of what we like to call the facilities and severity levels of what we want to look at. Now, what that means to us is that we’re going to talk about some of the standard log files and what we really care to see in those log files. So we’re going to list our log files, like users and daemons and kernel stuff and line printer and mail, and we’re going to list those log files and where we want those log files to be stored. Then, below that, we’re going to have the logging rules themselves.
So we might say, okay, as an example, I want everything at severity level info to go into the mail log, or under mail, everything at severity level warning or error. That’s what I mean when I say you choose the facility, in this case the mail server or mail messaging, and the severity level: how important, or how bad, is the information? That’s basically what severity means. If it’s an error, that’s certainly worse than a warning, which is worse than just regular information, like, hey, I started. So again you have to choose what you want to see.
51. Logging Facilities
Now when we talk about the facilities, the facilities are basically what am I monitoring? auth is the facility for all logon or login related components, short for authentication. cron, obviously, is scheduled jobs. daemon would be all of your system level daemons, like your FTP daemon or whatever else is running. kern is the facility for the kernel itself. lpr is for the printing system; it used to be for line printing. mail is for the mail system. syslog is the syslog daemon itself, syslogd or rsyslogd: how is it running? user is for any user level processes. These facilities are the things that we can look at. And then of course, that corresponds with the severity level of whatever the message is.
52. Priorities
Now, severity levels is what I’m used to calling them, because that’s a syslog server’s term. But you might also hear them referred to as priorities. Now, priority means how important or critical is it? And we generally see eight different priorities, ranging from zero through seven, with zero being what we would consider the worst: emergency. Emergency may be something you actually never see, because it’s just like what you’re going to hear right before the whole thing crashes to a halt and explodes and becomes a pile of ashes. Okay, not to that level, but I mean, emergency is so severe that it’s probably a system wide stop, just gone. Alert is a cry for help. It’s telling us maybe we’re getting close to an emergency, but you need to know about a subsystem failure, a hardware failure, a hard drive dying. Those might be the alert types. Then there’s critical, error, and warning. Warnings, again, are just telling you about activities. Kind of like a yield sign in Windows: something that might not be in the best practice area, or an indication of something just not working the way it’s supposed to. Notice isn’t a bad thing. Notice is a notification. You might get a notice that says, hey, this configuration has been changed. It doesn’t mean it’s an error or critical or alert. It’s notifying you that something’s changed. Info is even more benign. Info is just simply saying things like, oh, the interface is up, this user has logged in or this user logged off. That’s an informational type of thing. Now, there are so many things that would be classified as info, and even notice, that those might be areas where you just say, you know what, there’s too much data, I don’t need to see that.
Notice isn’t bad for auditing things like config changes. But again, that’s where you would have to choose that priority or severity level with the proper facility of what you’re trying to keep track of. And then finally there’s debug. That’s priority seven. Debug is just that. It’s telling me in real time how something’s running. Debug is designed to help you do just that: debug a system. In other words, I’m going to look at the file, I’m going to watch this log file, try an activity and see what it did. Look to see why two machines aren’t talking or why a process isn’t firing off like it’s supposed to. That’s where we would use debug. That’s generally something that you turn on while you need to do the debugging and then turn off again.
53. Priority Notation
Now when you’re setting up your information about what you want to have logged, you do have to type it in, as I said, as a facility and the severity level. Now in many systems, like in routers, if you include a severity level, it assumes that level and everything worse than that level. But the notation is a little different in Linux. The default, if you write facility, a dot, and then the level, for example kern.warning, is that you’re saying the facility is kernel, and the dot says the warning level and all things above it. But if you wanted just the warning level, like maybe you want just debug for a short while, it would be kern.=warning. That would be just that level.
Only if you for whatever reason wanted everything but a certain level would it be kern, dot, and then what we often call, or what we used to call, the bang. That’s the exclamation point, which also universally stands for not something. So you would write kern.!alert, and I would read that as kern dot bang alert. I know it sounds funny, but that’s programming language anyway: accept everything except alert or higher. And if you had the bang equal, kern.!=alert, you would be saying exclude alert specifically. Okay, so those are some of the ways you might type in the notation so that you can make a decision in your syslog config of what’s being logged, what facility, and specifically what levels you’re interested in.
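To make the notation above concrete, here is an added example (not part of the course material) written as POSIX shell functions that evaluate a selector the way the lecture describes: a bare level means that level and everything worse, `=` means exactly that level, `!` excludes that level and worse, and `!=` excludes one level. The `;`-separated form and `none` are included because they are how the sample rsyslog.conf carves exceptions out of a catch-all rule; the sample calls at the end are constructed.

```shell
# Numeric level for a syslog priority name (0 = emerg is worst, 7 = debug).
prio_num() {
  case "$1" in
    emerg|panic) echo 0 ;;  alert) echo 1 ;;  crit) echo 2 ;;  err|error) echo 3 ;;
    warning|warn) echo 4 ;; notice) echo 5 ;; info) echo 6 ;;  debug) echo 7 ;;
    *) echo 99 ;;           # unknown name: never matches a real level
  esac
}

# one_selector FACILITY.PRIORITY MSG_FACILITY MSG_PRIORITY  -> yes | no | skip
# ("skip" means the selector is about some other facility.)
#   fac.level    that level and everything worse (a lower number)
#   fac.=level   exactly that level
#   fac.!level   everything except that level and worse
#   fac.!=level  everything except exactly that level
#   fac.none     nothing from that facility; '*' matches any facility or level
one_selector() {
  sel_fac=${1%%.*}; sel_pri=${1#*.}; fac=$2; msg=$(prio_num "$3")
  [ "$sel_fac" = '*' ] || [ "$sel_fac" = "$fac" ] || { echo skip; return; }
  case "$sel_pri" in
    '!='*) [ "$msg" -ne "$(prio_num "${sel_pri#!=}")" ] && echo yes || echo no ;;
    '!'*)  [ "$msg" -gt "$(prio_num "${sel_pri#!}")" ]  && echo yes || echo no ;;
    '='*)  [ "$msg" -eq "$(prio_num "${sel_pri#=}")" ]  && echo yes || echo no ;;
    '*')   echo yes ;;
    none)  echo no ;;
    *)     [ "$msg" -le "$(prio_num "$sel_pri")" ]       && echo yes || echo no ;;
  esac
}

# rule_matches 'sel1;sel2;...' MSG_FACILITY MSG_PRIORITY -> yes | no
# Several selectors share one rsyslog line, separated by ';'; the last one
# that applies to the message's facility decides, which is how a line like
# '*.info;mail.none' sends everything except mail to one file.
rule_matches() {
  result=no; rest=$1
  while [ -n "$rest" ]; do
    case "$rest" in
      *';'*) sel=${rest%%;*}; rest=${rest#*;} ;;
      *)     sel=$rest;        rest= ;;
    esac
    r=$(one_selector "$sel" "$2" "$3")
    [ "$r" = skip ] || result=$r
  done
  echo "$result"
}

# Constructed checks mirroring the notation discussed above.
rule_matches 'kern.warning'     kern err     # yes: err is worse than warning
rule_matches 'kern.=warning'    kern err     # no: only exactly warning
rule_matches 'kern.!alert'      kern info    # yes: everything but alert and worse
rule_matches 'kern.!=alert'     kern emerg   # yes: only alert itself is excluded
rule_matches '*.info;mail.none' mail info    # no: mail is carved out of the catch-all
```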
54. Demo – Examining the syslog.conf File
Okay, we’re going to take a look at some of the settings, the default settings of what’s going to be logged in our system. So we use the less command, so that again we can view a large output without actually running out of buffer room. And so here we see the configuration file for rsyslog. Some of you might have just the syslog daemon to use, depending on the distro. And I’m going to page down until I find something that shows me what’s being logged. And here it is. Here are the standard log files, which is nice to see. And here’s the logging for the first facility, mail, and the severity levels: one for info, one for the warning level. And if I hit page down, we’ll start to see some more, the errors, the INN news server, some catch-alls, and of course emergencies, which it says are going to be sent to everybody.
So *.emerg will get to everybody that’s logged in. And again, it’s just nice to know what you’re logging and that you can edit this file and change what’s being logged. All right, so I’m going to hit Q for quit and let’s do another one. Let’s do a less /var/log/daemon.log and, oops, I don’t have permission. So up arrow, Ctrl+A, type sudo and a space, hit Enter. I’m already logged in with sudo on this particular shell, so it remembered me. And there I’m seeing some of the different types of information, like the DHCP discover, offer, request. That’s kind of nice to actually see that process back and forth, that little ping pong. Again, I can page down. I can go all the way to the end, which is a nice way to get to the very end of the file.
That was the End key. Now page down, and basically you’re looking for things like, here’s an info level, here’s the activation of the ethernet cards, and all of those types of entries. I can page up, and it looks like the worst I’ve had so far is just informational messages. I don’t see any warnings, I don’t see any errors. And of course, if you were looking for those, you could start searching for them as well. If you hit H for help, it’ll take you through a lot of the commands that you have here, especially the pattern search, to look for particular patterns like the word error or something else. Okay, Q to quit that. And those were your quick views of how your logging has been configured and an example of looking at the daemon log.
55. Log Rotation
Now, one of the other things we have to look at is this thing called log rotation. There’s a daemon that deals with the log rotation. And here’s the idea. Log files shouldn’t get too unwieldy or too big, and for the most part, our log files are not going to be complete historical documents. In other words, I don’t care what my log said a year ago, because it’s not important to me. My logs are designed for my debugging, for my current state, for knowing what’s happening now or in the recent past, so I can look at a trend, so I can look at potential problems, or I can look to see why something died.
So you can use the daemon to go through the logging and do what we might call archiving. For instance, you might decide that I want to keep only so large a log file. Once the file gets to a certain size, archive it, make a new log, and at some point that archived one is going to get destroyed, because I don’t need to use all that hard drive space. You configure the rotation that the daemon is going to use under the /etc folder, in the logrotate.conf file, and you’ll also see a logrotate.d directory there; look in that directory to see all of the per-package files that you have.
56. Sample logrotate.conf
So let’s take a look at an example of a config file for logrotate. We’re going to see that we have some options such as how often we’re going to rotate, and how many weeks’ worth of backlogs are we going to keep? So we see a directive like rotate 4, and then what are we going to do when we do rotate? Are we going to reuse an old file or create a new one? So you put in the option, in this example create, to create a new, empty log file. Then compression. Again, if you want to, you can compress those files, because compression was designed to save space. And then the packages drop their log rotation information in a certain directory. So you put that in the include statement, as we talked about before, with the path /etc/logrotate.d, and then whatever you drop there gets picked up.
Now you might have different rules for different types of files. For example, here we see an entry that says no packages own wtmp or btmp, so we’ll rotate them on a separate schedule. So we provide a path, and we say how often we’re going to go through and rotate those, doing it differently than you would do the other general logging information. This is an example, as I said, of how you might configure your logrotate information for specific files and for generally everything that you have. But notice that you are not keeping things here, it looks like, for more than a month. Again, I don’t need to see log files from seven years ago, if the server is even around that long. That’s not as important information for me; it’s the recent stuff that’s important.
57. Demo – Examining Log Rotation
All right, let’s take a look at some of the information about our log rotation. Now remember, what that means is that we don’t let any one file get huge. We keep an archive of it, so that it’s perhaps a little faster to log to a small file than it is to open up this huge file and start appending things to the end. So sometimes that’s a performance issue, but we don’t want to lose our old stuff either. So what we’re going to do is look, with the less command, at the contents of /var/log. And here we can see some examples, like dmesg. Right, so this is a particular log file that has several archives.
Page down here and see if we can find some others that actually aren’t busy at all. There’s Xorg.0.log, the current log, and the old one. Looking at the newer version, the .0 is letting me know that it’s the newest of the archives. The .1 was probably the old .0. Page up. And again, it’s just helping me find some of the logging information and see how things are being archived. And it makes you wonder, is there a .5 allowed for some of these? What are your settings? Let me hit Q to quit out of there. And we’re also going to look and see if there’s anything in cron.daily. So ls -l /etc/cron.daily, and there we can see some daily jobs that are going to be dealt with.
This is the directory of scripts that are going to be run once per day by the cron daemon. We’re going to look at the next one with the less command, and we’re going to say, let’s go to the /etc location and let’s look at logrotate.conf and see what we’re going to do with this configuration for logrotate. And it looks like we’re rotating the logs weekly, keeping four rotations. And it says, create a new empty log after I rotate an old one. So it’s the create directive. We’re not compressing anything. And the packages drop log rotation information in this directory, so that’s where we’re going to include all the logrotate information.
And then it says that no packages will own wtmp or btmp, so we’ll rotate those specifically right here as well. So I hit the space bar. It takes you to the rest of it. So, let me hit Q to quit, it’s showing us that we’re really going to just rotate everything every week. We’re going to keep four of them, for four weeks, and go from there. Now, you can change those, but that’s the idea: you have the option of how much you want to store and how big these files get. But those are just some of the defaults that you’re going to see as you’re working with most variations of Linux.
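To show what the weekly / rotate 4 / create settings from the sample logrotate.conf and the demo actually do to a file, here is an added shell example (not from the course; it imitates logrotate’s numbering rather than calling the real tool). The daemon.log contents and the five-week run are constructed.

```shell
# Typical top-level options from a default logrotate.conf, as discussed above:
#   weekly                   # rotate once a week
#   rotate 4                 # keep four old archives, then discard the oldest
#   create                   # start a new empty log after rotating the old one
#   #compress                # gzip the archives (commented out by default)
#   include /etc/logrotate.d # per-package rules dropped in by packages
# This function imitates what 'rotate KEEP' plus 'create' do to a single file:
# FILE -> FILE.1, FILE.1 -> FILE.2, ... and FILE.KEEP is deleted.
rotate_log() {
  f=$1; keep=$2
  [ -f "$f" ] || return 0
  rm -f "$f.$keep"                 # the oldest archive falls off the end
  i=$keep
  while [ "$i" -gt 1 ]; do
    j=$((i - 1))
    [ -f "$f.$j" ] && mv "$f.$j" "$f.$i"
    i=$j
  done
  mv "$f" "$f.1"
  : > "$f"                         # 'create': the daemon now logs to a fresh, empty file
}

# Constructed demo: five weekly rotations of a pretend daemon.log with 'rotate 4'.
# Prints the number of archives kept and the oldest entry that survived.
demo_rotation() {
  d=$(mktemp -d); log=$d/daemon.log; n=1
  while [ "$n" -le 5 ]; do
    echo "week $n" > "$log"        # what the daemon wrote during that week
    rotate_log "$log" 4
    n=$((n + 1))
  done
  echo "$(ls "$d" | grep -c '\.log\.[0-9]')" "$(cat "$d/daemon.log.4")"
  rm -rf "$d"
}

demo_rotation                      # 4 week 2  (week 1 was discarded on the fifth rotation)
```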
58. Text Manipulation Commands Part
All right. As you’re working with the actual log files, you could potentially be faced with thousands and thousands of lines of information. How do you go about looking for a particular problem? I guess one thing you could do is read it from beginning to end. All right, so you have some options. The first one is grep, global regular expression. grep allows you to create what we call a regular expression, or a pattern, to search for. It could be simply a word that you’re searching for. It could be a numerical range; it’s whatever you want to search for.
So you can basically go through this file and find all matching expressions to help you in locating certain things you’re trying to read. Now one of the great things about logging in Linux and Unix is that they have the head and the tail commands. head shows you the first ten lines of the file. tail shows you the last ten lines. And this is an especially important thing if you want to keep up to date with the entries in this file. Remember that the file you open may be getting updated while you’re looking at it. So tail is a way of looking at those last entries and seeing what’s happening.
59. Text Manipulation Commands Part
You also have the ability to use what we call a stream editor, which is a search and replace tool. Mostly for us, a search tool. And the resulting information that you search for is often spit out onto the screen. You could redirect it, if you want to, to another location, but it’s called sed. It’s a stream editor. And finally there’s another tool we use called awk, which is named after its creators. It is a scripting tool.
It is very powerful and it can actually go out there and do some really cool things by creating what we call these awk scripts. It’s great for daily tasks, it’s great for log manipulation, it’s great for file manipulation, it’s great for whatever you want to do that’s a repeated type of adventure. In other words, if there’s a grep you want to run all of the time against a certain file, you can create that in your awk script so that it’s done over and over again, just the way you like.
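As an added example (not from the course), here are the four tools from these two sections applied to a small constructed syslog-style file: grep to count matches, tail to see the newest entries, sed to mask addresses before sharing a log, and awk to tally failed SSH logins per source, which is the kind of repeated check the lecture says you would script. The log lines are made up for the demo.

```shell
# Constructed sample of syslog-style lines (not a real log) written to the file named in $1.
make_sample_log() {
  cat > "$1" <<'EOF'
Mar 10 08:00:01 host sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51022
Mar 10 08:00:07 host kernel: [ 12.4] eth0: link up
Mar 10 08:01:15 host sshd[1230]: Failed password for invalid user admin from 10.0.0.9 port 40112
Mar 10 08:01:19 host sshd[1230]: Failed password for invalid user admin from 10.0.0.9 port 40114
Mar 10 08:02:00 host cron[1300]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 08:03:44 host dhclient[900]: DHCPDISCOVER on eth0 to 255.255.255.255 port 67
Mar 10 08:03:45 host dhclient[900]: DHCPOFFER of 10.0.0.20 from 10.0.0.1
EOF
}

# grep: count the lines matching a regular expression (-c), ignoring case (-i).
count_matches() { grep -ci "$2" "$1"; }

# tail: the last N lines, i.e. the most recent entries of a log that is still being written.
last_lines() { tail -n "$2" "$1"; }

# sed: stream-edit the log to stdout, masking the last octet of every IPv4 address.
mask_ips() { sed -E 's/([0-9]+\.[0-9]+\.[0-9]+)\.[0-9]+/\1.x/g' "$1"; }

# awk: for each "Failed password" line, count the address that follows the word "from".
failed_logins_by_source() {
  awk '/Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") c[$(i + 1)]++ }
       END { for (ip in c) print ip, c[ip] }' "$1"
}

# Run the four checks against the constructed file.
log=$(mktemp); make_sample_log "$log"
count_matches "$log" 'failed password'     # 2
last_lines "$log" 2                        # the two DHCP lines
mask_ips "$log" | grep 'Failed'            # ... from 10.0.0.x port ...
failed_logins_by_source "$log"             # 10.0.0.9 2
rm -f "$log"
```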