Linux administration

• Many events that occur on a Linux system should be logged for administrative purposes

• Linux has a facility called syslog that allows any service or part of the system to log such events

• syslog can be configured to log different events to different places

  • Events can be selected based on severity ('level') and/or on the service that encountered the event ('facility')
  • Messages can go to files, to the system console, or to a centralised syslog server running on another machine

• syslog's configuration is in /etc/syslog.conf ; each line looks like:

facility.level  destination

• The facility is the creator of the message — one of auth, authpriv, cron, daemon, kern, lpr, mail, news, syslog, user, or local0 through local7
• The level is a severity threshold beyond which messages will be logged — one of (from lowest to highest): debug, info, notice, warning, err, crit, alert, emerg
• The destination indicates where messages selected by the facility and level will be sent
  • Normally the name of a log file (under /var/log), or /dev/console to send messages to the system console

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
kern.*  /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
# Notice that we separate message selectors with a semicolon.
# Note the use of severity "none" to exclude a facility.
*.info;mail.none;news.none;authpriv.none    /var/log/messages
# The authpriv file has restricted access.
authpriv.*  var/log/secure

# Log all the mail messages in one place.
mail.*  var/log/maillog

• If you change /etc/syslog.conf, you need to tell syslog to re-read the configuration
• Accomplished by sending the syslogd process a SIGHUP signal
• The process id to send the signal to can be found with the pidof command:

# kill -HUP $(pidof /sbin/syslogd)

• Alternatively, use the killall command to kill the syslogd process by name:

# killall -HUP /sbin/syslogd

• You sometimes need to manually scan log files for notable activity
• Since logs are plain text, you can use standard text-processing tools like to examine them
• To review the entire contents of a log file:

# less /var/log/messages

Note: you may need to be root to do this

• To look for messages on a certain topic:

# grep -i sshd /var/log/messages

Looks for messages from sshd, the Secure Shell server

• It is sometimes useful to keep an eye on new messages arriving in a log file
• The -f option to tail will watch the file forever:

# tail -f /var/log/messages

• Continually updates the display as new messages are appended to the end of the file. Kill it with Ctrl+C when you're done

• syslog will normally allow log files to grow without bound. Until you run out of disk space...

• The solution is to use log rotation: a scheme whereby existing log files are periodically renamed and ultimately deleted

  • But syslog continues to write messages into the file with the 'correct' name

• Most Linux systems come with a program called logrotate, which should be run daily by cron

• logrotate can be configured with /etc/logrotate.conf to perform rotation on any or all log files

  • You can choose for each file how often it is rotated and how many old logs are kept

# Gzip rotated files by default
compress
# Keep 5 weeks' worth, and restart syslogd after rotating
/var/log/messages {
    rotate 5
    weekly
    postrotate
    killall -HUP /sbin/syslogd
    endscript
}
# Keep 1 month's worth. Specify ownership and permissions of
# the new file.
    /var/log/wtmp {
    rotate 1
    monthly
    create 0664 root utmp
}

• a. Log on to your machine as root and use less to browse through /var/log/messages.
• b. Start monitoring the file for additions using tail.
• c. In another terminal, logged on as a normal user, try using su to change to root (find out what is written to the logs when correct and incorrect passwords are given to su).
• d. Look at the configuration file for logrotate to find out how /var/log/messages is rotated (some systems will have the configuration in a file in /etc/logrotate.d.