CIS 193A – Lesson5
Transcript of CIS 193A – Lesson5
Vigilance! Logging & Monitoring
Syslog, Logrotate, Logwatch, Accounting
Focus Question
What tools does Linux provide for organizing and making useful sense of logged output?
The Syslog Utility
• Daemons: syslogd and klogd
• Configuration: /etc/syslog.conf
• Log files in /var/log/: messages, secure, maillog, cron, spooler, boot.log
Syslog Facilities
Syslog categorizes messages into the following “facilities”:
– authpriv
– cron
– daemon
– ftp
– kern
– lpr
– mail
– news
– syslog, user, uucp
– local0, local1, local2, local3, local4, local5, local6, local7
Syslog – Levels of Logging
• Syslog organizes messages within a facility according to level of importance, most severe first:
– emerg
– alert
– crit
– err
– warning
– notice
– info
– debug
• Logging at one of these levels logs all messages at that level and at every more severe level above it in this list.
Log Files
• Syslog logs to files, but in UNIX, everything is a file!
– Regular files in /var/log/
– Terminal screens: /dev/console
– Another program: | program
– A remote syslog server: @servername
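To make the facility, level and destination rules from the last three slides concrete, here is an added example (not part of the lesson) that parses a constructed syslog.conf and works out where a message tagged facility.level would be delivered. The loghost name and the pager script are placeholders, and the `=` and `!` level modifiers of Linux sysklogd are deliberately not handled.

```python
import re

# Severity levels, most severe first, in the order the lesson lists them.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed /etc/syslog.conf using the four destination kinds from the slide:
# file, console, pipe to a program, remote host ("loghost" is a placeholder).
SYSLOG_CONF = """
# comment lines and blank lines are ignored
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                 /var/log/secure
mail.*                                     /var/log/maillog
cron.*                                     /var/log/cron
*.emerg                                    /dev/console
kern.crit                                  |/usr/local/bin/pager
*.warning                                  @loghost
"""

def parse_conf(text):
    """Return [(selectors, destination)], where selectors is [(facility, level)]."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector_part, dest = re.split(r"\s+", line, maxsplit=1)
        selectors = [tuple(sel.split(".", 1)) for sel in selector_part.split(";")]
        rules.append((selectors, dest))
    return rules

def matches(selectors, facility, level):
    """Apply selectors left to right as syslogd does: a later 'facility.none'
    cancels an earlier match; a level selects itself and every more severe level."""
    matched = False
    for fac, lvl in selectors:
        if fac != "*" and fac != facility:
            continue
        if lvl == "none":
            matched = False
        elif lvl == "*" or LEVELS.index(level) <= LEVELS.index(lvl):
            matched = True
    return matched

def route(rules, facility, level):
    """Destinations a message tagged facility.level would be written to."""
    return [dest for selectors, dest in rules if matches(selectors, facility, level)]

RULES = parse_conf(SYSLOG_CONF)
```

Calling `route(RULES, "kern", "alert")` shows the "that level and above" rule at work: the kern.crit pipe and the *.warning remote host both fire for an alert, while an info-level authpriv message lands only in /var/log/secure because of the authpriv.none exclusion.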
The logger Command
The logger command allows shell scripts to use the syslog facility:
logger [-t tag] -p facility.level "message"
The logger command will also read the message to log from stdin:
echo "message" | logger -p facility.level
Often used in service init scripts.
The logrotate Facility
Customizable, pluggable log-rotating system.
• Executable: /usr/sbin/logrotate activated by cron on a daily basis
• Configuration: /etc/logrotate.conf and /etc/logrotate.d/*
logrotate.conf contains global settings, and individual services add their settings to logrotate.d
Features of logrotate
• Rotates any file through a series of predefined extensions: .1, .2, … .n
• You configure the frequency.
• May compress files as well.
• May rotate based on size of file.
• May mail you the last file of the series rather than delete it.
Configuration File Syntax
filename [, filename] {
    rotate n          # n is the number of copies to keep
    weekly            # frequency: daily, weekly, monthly
    compress
    mail email
    size nk
    postrotate
        command to restart logging service
    endscript
}
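As an added example (not logrotate's own code), a small Python model of the `rotate n`, `compress`, `size` and `mail` behaviours described above, run against a constructed log file in a temporary directory; the copy that falls off the end of the series is returned in place of being mailed.

```python
import gzip
import os
import shutil
import tempfile

def _read(path):
    """Read an archived copy, transparently decompressing a .gz one."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rb") as f:
        return f.read()

def rotate(path, count=4, compress=False, min_size=0):
    """Rotate `path` through path.1 .. path.<count> like `rotate n`.
    Returns the content of the copy that fell off the end (what `mail email`
    would deliver instead of deleting it), or None if nothing was dropped."""
    if not os.path.exists(path) or os.path.getsize(path) < min_size:
        return None                     # `size nk` threshold not reached yet
    ext = ".gz" if compress else ""
    dropped = None
    oldest = f"{path}.{count}{ext}"
    if os.path.exists(oldest):
        dropped = _read(oldest)
        os.remove(oldest)
    for n in range(count - 1, 0, -1):   # .3 -> .4, .2 -> .3, .1 -> .2
        src = f"{path}.{n}{ext}"
        if os.path.exists(src):
            os.rename(src, f"{path}.{n + 1}{ext}")
    if compress:
        with open(path, "rb") as fin, gzip.open(f"{path}.1.gz", "wb") as fout:
            shutil.copyfileobj(fin, fout)
        os.remove(path)
    else:
        os.rename(path, f"{path}.1")
    open(path, "wb").close()            # fresh empty log; postrotate would signal the daemon here
    return dropped

def demo(count=3):
    """Append a line per 'day' and rotate, enough times for one copy to fall off."""
    tmp = tempfile.mkdtemp()
    log = os.path.join(tmp, "messages")
    mailed = None
    for day in range(1, count + 3):
        with open(log, "ab") as f:
            f.write(f"day {day}\n".encode())
        mailed = rotate(log, count=count, compress=True)
    skipped = rotate(log, count=count, compress=True, min_size=1 << 20) is None
    return {"files": sorted(os.listdir(tmp)), "mailed": mailed, "skipped_small": skipped}
```

With `count=3`, `demo()` leaves messages plus messages.1.gz to messages.3.gz, returns the "day 2" copy as the one that would have been mailed, and shows the size threshold leaving an empty log untouched.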
logwatch
The logwatch Service
Customizable, pluggable log-monitoring system written in Perl. It goes through your logs for a given period of time and makes a report on the areas that you wish, with the detail that you wish.
• Executable: /usr/sbin/logwatch
• Configuration: /etc/logwatch and /usr/share/logwatch/default.conf/*
logwatch Features
• Will analyze logfiles by service.
• Supports three levels of detail.
• Analyzes today’s, yesterday’s or historical data.
• Mails summary of analysis to root account.
• Extensible, drop-in scripts and configuration files.
Logwatch Examples
Although logwatch is normally run from cron just before a logrotate is done, you can run the command from the command line:
logwatch --range all --detail high --service sshd --print
logwatch --range yesterday --detail low --logfile secure
Process Accounting
A Suite of Utilities
• As a service: psacct
– logs to /var/account/pacct
• As a client: lastcomm
• Other clients:
– ac
– sa
– last, lastb
Review
Focus Question
What tools does Linux provide for organizing and making useful sense of logging output?
Syslog allows you to organize log messages from different facilities according to their severity level. Logrotate prevents the log files from getting too large, and logwatch summarizes information from the logs.