Thursday, January 28, 2016

analyzing and storing logs

Analyzing and storing logs:::

Log files are maintained by the rsyslog service.
The /var/log directory contains a variety of log files.

All of the logging configuration is stored in /etc/rsyslog.conf.


Log file rotation::
Rotation is done by the logrotate utility. When a log file is rotated it is renamed with an extension giving the date on which it was rotated:
/var/log/messages becomes /var/log/messages-20150126
when rotated on January 26 2015.
(see the logrotate man page)

analyze a syslog entry::
Each line carries the timestamp, the host name, the program that sent it (with its PID in brackets when available) and the message:
[root@localhost ~]# tail -f /var/log/secure
Jan 27 19:34:25 localhost gdm-launch-environment]: pam_unix(gdm-launch-environment:session): session opened for user gdm by (uid=0)
Jan 27 19:34:37 localhost polkitd[947]: Registered Authentication Agent for unix-session:c1 (system bus name :1.30 [gnome-shell --mod
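As an added example (not from the original post), a small Python parser for this line format that counts pam_unix session openings per service and user, and authentication failures per remote host; the sample lines are constructed to resemble /var/log/secure.

```python
import re
from collections import Counter

# Traditional rsyslog line format as written to /var/log/secure:
# "Mon DD HH:MM:SS host program[pid]: message" (the [pid] part is optional)
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\]:]+?)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# pam_unix session lines, e.g. "pam_unix(sshd:session): session opened for user bob by (uid=0)"
PAM_SESSION_RE = re.compile(
    r"pam_unix\((?P<service>[^:]+):session\): session (?P<action>opened|closed) "
    r"for user (?P<user>\S+)"
)

# Constructed sample lines modelled on /var/log/secure (not a real capture).
SAMPLE_LINES = [
    "Jan 27 19:34:25 localhost gdm-launch-environment[1201]: pam_unix(gdm-launch-environment:session): session opened for user gdm by (uid=0)",
    "Jan 27 19:34:37 localhost polkitd[947]: Registered Authentication Agent for unix-session:c1 (system bus name :1.30)",
    "Jan 27 19:40:02 localhost sshd[2200]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
    "Jan 27 19:41:15 localhost sshd[2200]: pam_unix(sshd:session): session closed for user alice",
    "Jan 27 19:45:09 localhost sshd[2310]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=alice",
    "Jan 27 19:45:30 localhost sshd[2340]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
]

def parse_line(line):
    """Split one syslog line into ts, host, prog, pid and msg; None if it does not match."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def pam_sessions(lines):
    """Count pam_unix session openings per (service, user)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        s = PAM_SESSION_RE.search(rec["msg"]) if rec else None
        if s and s.group("action") == "opened":
            counts[(s.group("service"), s.group("user"))] += 1
    return counts

def auth_failures_by_host(lines):
    """Count pam_unix authentication failures per remote host (rhost=), 'local' if none is given."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and "authentication failure" in rec["msg"]:
            m = re.search(r"rhost=(\S*)", rec["msg"])
            counts[m.group(1) if m and m.group(1) else "local"] += 1
    return counts
```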

send a syslog message with logger:: (confusion)



Reviewing systemd journal entries:::
The journalctl command shows the full system journal, starting with the oldest entry.

[root@localhost ~]# journalctl
-- Logs begin at Wed 2016-01-27 19:33:21 EST, end at Wed 2016-01-27 20:
Jan 27 19:33:21 localhost.localdomain systemd-journal[342]: Runtime jou
Jan 27 19:33:21 localhost.localdomain systemd-journal[342]: Runtime jou

With -n, journalctl shows the last 10 log entries by default.
A count can be given to get the desired number; for example, the last 5 entries:
[root@localhost ~]# journalctl -n 5
-- Logs begin at Wed 2016-01-27 19:33:21 EST, end at Wed 2016-01-27 20:
Jan 27 20:20:01 localhost.localdomain systemd[1]: Starting Session 8 of
Jan 27 20:20:01 localhost.localdomain CROND[5166]: (root) CMD (/usr/lib
Jan 27 20:30:01 localhost.localdomain systemd[1]: Started Session 9 of
Jan 27 20:30:01 localhost.localdomain systemd[1]: Starting Session 9 of
Jan 27 20:30:01 localhost.localdomain CROND[5367]: (root) CMD (/usr/lib
lines 1-6/6 (END)

To show only entries whose priority is err or above::
[root@localhost ~]# journalctl -p err
-- Logs begin at Wed 2016-01-27 19:33:21 EST, end at Wed 2016-01-27 20:
Jan 27 19:33:23 localhost.localdomain kernel: sd 2:0:0:0: [sda] Assumin
Jan 27 19:33:36 localhost.localdomain systemd-udevd[760]: unable to mov
Jan 27 19:33:37 localhost.localdomain kernel: piix4_smbus 0000:00:07.3:
Jan 27 19:34:23 localhost.localdomain dhclient[2084]: receive_packet fa
Jan 27 19:34:28 localhost.localdomain dhclient[2084]: send_packet: Netw
Jan 27 19:34:28 localhost.localdomain dhclient[2084]: dhclient.c:2407:
Jan 27 19:34:32 localhost.localdomain pulseaudio[2916]: [alsa-source-ES

journalctl -f displays the last 10 lines of the journal and then keeps printing new entries as they arrive (a replacement for tail -f).
The keywords yesterday, today and tomorrow can be combined with either --since or --until:

[root@localhost ~]# journalctl --since yesterday
-- Logs begin at Wed 2016-01-27 19:33:21 EST, end at Wed 2016-01-27 20:
Jan 27 19:33:21 localhost.localdomain systemd-journal[342]: Runtime jou
Jan 27 19:33:21 localhost.localdomain systemd-journal[342]: Runtime jou
Jan 27 19:33:21 localhost.localdomain kernel: Initializing

A date in YYYY-MM-DD format and a time in HH:MM:SS format can also be given:
[root@localhost ~]# journalctl --since 2015-12-23
-- Logs begin at Wed 2016-01-27 19:33:21 EST, end at Wed 2016-01-27 20:
Jan 27 19:33:21 localhost.localdomain systemd-journal[342]: Runtime jou
Jan 27 19:33:21 localhost.localdomain systemd-journal[342]: Runtime jou
Jan 27 19:33:21 localhost.localdomain kernel: Initial

To output the journal entries from 10 February 2015 20:30:00 to 13 February 2015 12:00:00:

[root@localhost ~]# journalctl --since "2015-02-10 20:30:00" --until "2015-02-13 12:00:00"

The full set of fields stored with each entry can be viewed with -o verbose::

[root@localhost ~]# journalctl -o verbose
-- Logs begin at Wed 2016-01-27 19:33:21 EST, end at Wed 2016-01-27 20:
Wed 2016-01-27 19:33:21.697010 EST [s=d58dea757c3947e38eafaf5e1317364a;
    PRIORITY=6
    _TRANSPORT=driver
    MESSAGE=Runtime journal is using 8.0M (max allowed 91.2M, trying to
    MESSAGE_ID=ec387f577b844b8fa948f33cad9a75e6
    _PID=342
    _UID=0
    _GID=0
    _COMM=systemd-journal


Moreover, entries for a particular process or event can be selected with field matches such as::
_COMM the name of the command
_EXE the path to the executable for the process
_PID the PID of the process
_SYSTEMD_UNIT the systemd unit that started the process.
These can be used individually or combined, for example::

[root@localhost ~]# journalctl _SYSTEMD_UNIT=sshd.service _PID=112
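The verbose output above and the field matches here, as an added Python example (not part of the original post): it parses `-o verbose` output into one dict per entry and then selects entries the way `-p err` and `_SYSTEMD_UNIT=... _PID=...` would; the sample journal text and its cursor values are constructed.

```python
import re
# journalctl priority names and their syslog levels; `-p LEVEL` keeps LEVEL and anything more severe
PRIORITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
# Entry header in -o verbose output: "Wed 2016-01-27 19:33:21.697010 EST [s=...;i=...]"
HEADER_RE = re.compile(r"^[A-Z][a-z]{2} \d{4}-\d\d-\d\d \d\d:\d\d:\d\d(\.\d+)? \S+ \[")

# Constructed sample in the shape of `journalctl -o verbose` (cursor values are placeholders).
SAMPLE = """\
Wed 2016-01-27 19:33:21.697010 EST [s=CURSOR1;i=1]
    PRIORITY=6
    MESSAGE=Runtime journal is using 8.0M (max allowed 91.2M)
    _COMM=systemd-journal

Wed 2016-01-27 19:34:23.104511 EST [s=CURSOR1;i=2]
    PRIORITY=3
    MESSAGE=receive_packet failed on eth0: Network is down
    _PID=2084
    _COMM=dhclient
    _SYSTEMD_UNIT=NetworkManager.service

Wed 2016-01-27 19:40:02.550017 EST [s=CURSOR1;i=3]
    PRIORITY=4
    MESSAGE=error: maximum authentication attempts exceeded for root from 192.0.2.10
    _PID=112
    _COMM=sshd
    _SYSTEMD_UNIT=sshd.service
"""

def parse_verbose(text):
    """Turn -o verbose output into a list of {FIELD: value} dicts, one per journal entry."""
    entries, current = [], None
    for line in text.splitlines():
        if HEADER_RE.match(line):
            current = {"__REALTIME": line.split(" [", 1)[0]}
            entries.append(current)
        elif current is not None and line.startswith("    ") and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key] = value
    return entries

def select(entries, priority=None, **match):
    """Mimic `journalctl -p PRIORITY FIELD=value ...`: severity filter plus exact field matches."""
    out = []
    for e in entries:
        if priority is not None and int(e.get("PRIORITY", 7)) > PRIORITIES[priority]:
            continue
        if all(e.get(k) == v for k, v in match.items()):
            out.append(e)
    return out
```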

journalctl restricted to priority warning and above::
[root@localhost ~]# journalctl -p warning
-- Logs begin at Wed 2016-01-27 19:33:21 EST, end at Thu 2016-01-28 00:
Jan 27 19:33:21 localhost.localdomain kernel: ACPI: RSDP 00000000000f6a
Jan 27 19:33:21 localhost.localdomain kernel: ACPI: XSDT 000000007feea6
Jan 27 19:33:21 localhost.localdomain kernel: ACPI: FACP 000000007fefee
Jan 27 19:33:21 localhost.localdomain kernel: ACPI: DSDT 000000007feec0


 Preserving the systemd journal::

To store the journal permanently (by default it lives only under /run and is lost on reboot):

[root@localhost ~]# mkdir /var/log/journal
First the directory /var/log/journal is created.

[root@localhost ~]# chown root:systemd-journal /var/log/journal
Change the ownership of the directory to the root user and the systemd-journal group.

[root@localhost ~]# chmod 2755 /var/log/journal
Then set the setgid bit (the leading 2) so that files created inside inherit the systemd-journal group; the 755 part lets everyone read the directory but only root can delete its contents.

[root@localhost ~]# killall -USR1 systemd-journald
Finally send the USR1 signal as root so that systemd-journald starts writing to the new directory.

maintaining accurate time:::
The timedatectl command shows the current time, time zone and NTP status:
[root@localhost ~]# timedatectl
      Local time: Thu 2016-01-28 13:06:07 EST
  Universal time: Thu 2016-01-28 18:06:07 UTC
        RTC time: Thu 2016-01-28 18:06:07
       Time zone: America/New_York (EST, -0500)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: no
 Last DST change: DST ended at
                  Sun 2015-11-01 01:59:59 EDT
                  Sun 2015-11-01 01:00:00 EST
 Next DST change: DST begins (the clock jumps one hour forward) at
                  Sun 2016-03-13 01:59:59 EST
                  Sun 2016-03-13 03:00:00 EDT


[root@localhost ~]# timedatectl list-timezones
Africa/Abidjan
Africa/Accra
Africa/Addis_Ababa
Africa/Algiers
Africa/Asmara


The tzselect command is useful for identifying a time zone interactively by continent or ocean and then country.
[root@localhost ~]# tzselect
Please identify a location so that time zone rules can be set correctly.
Please select a continent or ocean.
 1) Africa
 2) Americas
 3) Antarctica
 4) Arctic Ocean
 5) Asia
 6) Atlantic Ocean
 7) Australia
 8) Europe
 9) Indian Ocean
10) Pacific Ocean

[root@localhost ~]# timedatectl set-time 9:00:00
Failed to set time: Automatic time synchronization is enabled

To set the date or time by hand, the network-provided time must first be disabled:
[root@localhost ~]# timedatectl set-ntp false
Now the time settings can be changed:
[root@localhost ~]# timedatectl set-time 9:00:00
[root@localhost ~]# timedatectl
      Local time: Thu 2016-01-28 09:00:06 MST
  Universal time: Thu 2016-01-28 16:00:06 UTC
        RTC time: Thu 2016-01-28 16:00:07
       Time zone: America/Phoenix (MST, -0700)
[root@localhost ~]# timedatectl set-time 1:45:00
[root@localhost ~]# timedatectl
      Local time: Thu 2016-01-28 01:45:03 MST
  Universal time: Thu 2016-01-28 08:45:03 UTC
        RTC time: Thu 2016-01-28 08:45:04
       Time zone: America/Phoenix (MST, -0700)
     NTP enabled: no
NTP synchronized: no
 RTC in local TZ: no
      DST active: n/a
Now re-enable NTP so that the clock is synchronized again:
[root@localhost ~]# timedatectl set-ntp True
[root@localhost ~]# timedatectl
      Local time: Thu 2016-01-28 11:46:24 MST
  Universal time: Thu 2016-01-28 18:46:24 UTC
        RTC time: Thu 2016-01-28 08:45:34
       Time zone: America/Phoenix (MST, -0700)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no

configuring and monitoring chronyd:: (confusion) this is the procedure for changing the time source.

For that the configuration file is edited first:
[root@localhost ~]# vi /etc/chrony.conf
then replace the server entries with the IP address of the machine to be used as the time source, as follows:

# use public servers from the pool.ntp.org project:
server 192.168.122.1 iburst


Then restart chronyd using the systemctl command:

[root@localhost ~]# systemctl restart chronyd
Finally, verify that the change has taken effect::
[root@localhost ~]# chronyc sources -v
210 Number of sources = 2

  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| /   '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||      Reachability register (octal) -.           |  xxxx = adjusted offset,
||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
||                                \     |          |  zzzz = estimated error.
||                                 |    |           \
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^? 192.168.122.1                 0   7     0   10y     +0ns[   +0ns] +/-    0ns
^* ec2-52-0-56-137.compute-1     2   6    17     6  -1851us[-1279us] +/-   60ms
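An added Python check (not from the original post) that parses `chronyc sources -v` output, using the table above as its sample input: it reports which source the clock is synced to and flags sources in state '?' or with an empty reach register, which is exactly what the newly configured 192.168.122.1 shows here.

```python
import re

# One source row: mode/state flags, name, stratum, poll, reach (octal), last rx, last sample
SOURCE_RE = re.compile(
    r"^(?P<mode>[\^=#])(?P<state>[*+\-?x~]) (?P<name>\S+)\s+(?P<stratum>\d+)\s+"
    r"(?P<poll>-?\d+)\s+(?P<reach>[0-7]+)\s+(?P<lastrx>\S+)\s+(?P<sample>.+)$"
)
STATE = {"*": "synced", "+": "combined", "-": "not combined",
         "?": "unreachable", "x": "falseticker", "~": "too variable"}

# Sample input: the `chronyc sources -v` table shown above (legend lines omitted).
SAMPLE = """\
210 Number of sources = 2
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^? 192.168.122.1                 0   7     0   10y     +0ns[   +0ns] +/-    0ns
^* ec2-52-0-56-137.compute-1     2   6    17     6  -1851us[-1279us] +/-   60ms
"""

def parse_sources(text):
    """Return one dict per source row; legend, header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SOURCE_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["stratum"] = int(row["stratum"])
        row["reach"] = int(row["reach"], 8)  # reachability register is printed in octal
        row["status"] = STATE[row["state"]]
        rows.append(row)
    return rows

def check_sources(rows):
    """Report the source the clock follows and any configured source that never answers."""
    synced = [r["name"] for r in rows if r["state"] == "*"]
    dead = [r["name"] for r in rows if r["state"] == "?" or r["reach"] == 0]
    return {"synced_to": synced[0] if synced else None,
            "unreachable": dead,
            "ok": bool(synced) and not dead}
```

A result with "ok" False after the restart means the intended server is not being used yet; an unreachable entry is the first thing to look at.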


 ### Confusion about adding a directive with the echo command and the logger command
 For example, to send every authpriv message of priority alert or higher to its own file::
[root@localhost ~]# echo "authpriv.alert /var/log/auth-errors" > /etc/rsyslog.d/auth-errors.conf

