Chapter 11 Analyzing and Storing Logs

  1. Why do we have logs?
    To audit the system and troubleshoot problems.
  2. Where are logs kept?
    /var/log directory
  7. What is the standard logging system in Linux based on?
    Syslog protocol
  4. Which services handle the syslog messages in RH8?
    systemd-journald and the rsyslog service
  5. Which service is at the heart of operating system event logging architecture?
    systemd-journald
  6. Where does systemd-journald collect messages from?
    Many sources including the kernel, early stages of boot process, standard output and standard error from daemons as they start up and run, and syslog events.
  7. Do the entries in journald persist?
    No.
  8. Where do journal entries persist?
    rsyslog
  9. What does the rsyslog service do with messages received from systemd-journald?
    Reads them as they arrive and processes the syslog events, recording them to its log files or forwarding them to other services according to its own configuration.
  10. Why do rsyslog messages persist?
    Because they are written to /var/log
  11. What is /var/log/messages?
    Most syslog messages are logged here. Exceptions include messages related to authentication and email processing, scheduled job execution, and those which are purely debugging related.
  12. What is /var/log/secure?
    Syslog messages related to security and authentication events
  13. What is /var/log/maillog?
    Syslog messages related to the mail server
  14. What is /var/log/cron?
    Syslog messages related to scheduled job execution.
  15. What is /var/log/boot.log?
    Non-syslog console messages related to system startup.
  16. Do all applications use syslog to manage their messages?
    No, although most applications will typically place their log files in a subdirectory of /var/log.
  17. Which of these log files stores most syslog messages, with the exception of those that
    are related to authentication, mail, scheduled jobs, and debugging?
    B.
  18. Which log file stores syslog messages related to security and authentication operations
    in the system?
    A.
  19. Which service sorts and organizes syslog messages into files in /var/log?
    D.
  20. Which directory accommodates the human-readable syslog files?
    C.
  21. Which file stores syslog messages related to the mail server?
    A.
  22. Which file stores syslog messages related to the scheduled jobs?
    A.
  23. What file stores console messages related to system startup?
    B.
  24. Each log message is categorized by what?
    By a facility (the type of message: kern, auth, etc.) and a priority (crit, alert, info, etc.)
  25. Syslog code 0
    Priority emerg: system is unusable
  26. Syslog priority alert
    Code 1: action must be taken immediately
  27. Syslog priority for a critical condition
    Code 2: priority crit
  28. How does rsyslog service know how to handle facility and priority messages?
    By rules in the /etc/rsyslog.conf file and in any file in the /etc/rsyslog.d directory that has a file name extension of .conf. Software packages can easily add rules by installing an appropriate file in the /etc/rsyslog.d directory.
  29. Should you edit rsyslog.conf?
    No. You should place a file in /etc/rsyslog.d
  30. What would the following line do?

    authpriv.* /var/log/secure
    Record messages sent to the authpriv facility at any priority to /var/log/secure
  31. What does this mean?

    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    *.info;mail.none;authpriv.none;cron.none    /var/log/messages
    Log everything with a priority of info or higher to /var/log/messages, except:

    • Nothing with the mail facility, regardless of priority.
    • Nothing with the authpriv facility, regardless of priority.
    • Nothing with the cron facility, regardless of priority.
  32. What does this mean?

    *.emerg     :omusrmsg:*
    Everybody (every logged-in user) receives emergency-priority messages.
  33. What does logrotate do?
    The logrotate tool rotates log files to keep them from taking up too much space in the file system containing the /var/log directory.
  34. How long are rotated files usually kept for?
    4 weeks, then they are discarded.
  35. What command do you use to monitor log files in real time?
    tail -f /path/to/file
  36. What does the logger command do?
    The logger command can send messages to the rsyslog service. By default, it sends the message to the user facility with the notice priority (user.notice) unless specified otherwise with the -p option. It is useful to test any change to the rsyslog service configuration.
  37. How does systemd-journald store information?
    The service stores logging data in a structured, indexed binary file called the journal. This data includes extra information about the log event. For example, for syslog events this includes the facility and the priority of the original message.
  38. Where is the system journal stored by default on RH8?
    /run/log
  39. What happens to /run/log after a reboot?
    It gets cleared.
  40. The journalctl command highlights which messages in what colors?
    Messages of notice or warning priority are shown in bold text. Messages of error priority are shown in red text.
  41. What does journalctl -n show?
    The last 10 log entries.
  42. What does journalctl -f do?
    Outputs new journal entries in real time as they arrive.
  43. What are the journal entry priority names?
    debug, info, notice, warning, err, crit, alert, and emerg
  44. What does journalctl -p err do?
    Shows only entries with a priority of err or higher.
  45. What does journalctl --since today do?
    Lists all journal entries from today.
  46. If you wanted to review journal entries between two dates, how would you do this?
    journalctl --since "2019-02-01" --until "2019-02-22"
  47. What does journalctl --since "-1 hour" do?
    Looks at entries from the last hour (since one hour ago).
  48. Where can you find more information on how to use more sophisticated options with journalctl?
    man systemd.time(7)
  49. What option do you run when you want a more detailed view in journalctl?
    journalctl -o verbose
  50. How do I search for journal entries with a PID of 2213?
    journalctl _PID=2213
  51. What are some of the process fields you can search on in journalctl?
    • _COMM is the name of the command
    • _EXE is the path to the executable for the process
    • _PID is the PID of the process
    • _UID is the UID of the user running the process
    • _SYSTEMD_UNIT is the systemd unit that started the process
  52. Where are system journals kept?
    /run/log/journal
  53. Where do you change the configuration of systemd-journald?
    /etc/systemd/journald.conf
  54. What is the Storage parameter in /etc/systemd/journald.conf?
    It defines whether to store system journals in a volatile manner or persistent across reboots.
  55. In journald.conf what is persistent?
    Stores journals in the /var/log/journal directory which persists across reboots.
  56. In journald.conf what is volatile?
    Stores journals in the volatile /run/log/journal directory.
  57. In journald.conf what is auto?
    If the /var/log/journal directory exists, then systemd-journald uses persistent storage; otherwise it uses volatile storage.
  58. Which action is the default in systemd-journald?
    Auto
  59. What happens when the storage parameter in systemd-journald is set to none?
    All logs are dropped, but log forwarding will still work as expected.
  60. What is the default action for storage parameter?
    Auto
  61. By default, when is the log rotation mechanism triggered?
    Monthly.
  62. By default, how large are the journal files allowed to get?
    They cannot grow larger than 10% of the file system, nor leave less than 15% of the file system free.
  63. How do you set storage as persistent?
    In /etc/systemd/journald.conf set storage to persistent.
  64. What does journalctl -b -1 do?
    Retrieves the entries limited to the first system boot.
  65. What does the command timedatectl do?
    Overview of the current time-related system settings, including current time, time zone, and NTP synchronization settings of the system.
  66. A database of available time zones is available and can be listed how?
    timedatectl list-timezones
  67. What command helps you find the correct time zone?
    tzselect
  68. How do you update the current time zone to Arizona?
    timedatectl set-timezone America/Phoenix
  69. How do you set the time to 10:30 AM, March 3, 2021?
    timedatectl set-time "2021-03-03 10:30:00"
  70. How do you set the time on your computer using NTP?
    timedatectl set-ntp true
  71. What does chronyd do?
    The chronyd service keeps the usually-inaccurate local hardware clock (RTC) on track by synchronizing it to the configured NTP servers.
Author: andres666
ID: 355040