Linux: Monitoring System Logs - Paiet/Tech-Journal-for-Everything GitHub Wiki

  • DMESG
    • Contains log messages from boot up
    • dmesg | less
    • /var/log/dmesg and /var/log/dmesg.old
  • System Log
    • syslog
    • Running log for system-wide activities
    • /var/log/messages
    • tail -f /var/log/messages | grep <string>
    • Individual logs are maintained for some applications
      • /var/log/<service_name>/
  • System Log Rotation
    • Defined in /etc/logrotate.conf
    • Individual service log rotation settings are stored in /etc/logrotate.d/*
    • Intervals
      • daily
      • weekly
      • monthly
      • yearly
    • rotate <#>
      • Indicates the number of logs to retain
      • Set to 0 to delete old logs
  • Remote System Log
    • rsyslog
    • Must allow incoming messages on the centralized server
      • vi /etc/rsyslog.conf and uncomment:
        • $ModLoad imtcp
        • $InputTCPServerRun 514
      • firewall-cmd --zone=public --permanent --add-service=syslog
      • service rsyslog restart
    • Must configure the client to send
      • vi /etc/rsyslog.conf
      • *.* @@192.168.0.100:514
      • service rsyslog restart
    • Ensure rsyslog is running on sender/receiver at boot
      • systemctl enable rsyslog
    • Can even export to a database
    • On high-loss networks consider using the Reliable Event Logging Protocol (RELP)
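A quick configuration audit for the receiver and client settings listed above, written as an added example in POSIX shell (not from the original notes). The two rsyslog.conf snippets are constructed for the demo; the `:omrelp:` match assumes the legacy rsyslog syntax for RELP forwarding.

```shell
#!/bin/sh
# Audit rsyslog.conf for the remote-logging settings described above.
# The sample configs below are constructed for this example; point the
# functions at a real /etc/rsyslog.conf to audit a host.

# Receiver check: both imtcp lines must be present and uncommented.
# Prints the TCP listener port, returns 1 if the listener is not enabled.
rsyslog_receiver_port() {
    conf="$1"
    grep -Eq '^[[:space:]]*\$ModLoad[[:space:]]+imtcp' "$conf" || return 1
    grep -E '^[[:space:]]*\$InputTCPServerRun[[:space:]]+[0-9]+' "$conf" \
        | awk '{print $2}' | head -n 1
}

# Client check: classify how the first "*.*" rule forwards logs.
# Prints "relp" (reliable delivery), "tcp" (@@, plaintext TCP),
# "udp" (@, no delivery guarantee, easy to lose on a busy network) or "none".
rsyslog_forwarding_mode() {
    conf="$1"
    rule=$(grep -E '^[[:space:]]*\*\.\*[[:space:]]+' "$conf" | head -n 1)
    case "$rule" in
        *':omrelp:'*) echo relp ;;
        *'@@'*)       echo tcp ;;
        *'@'*)        echo udp ;;
        *)            echo none ;;
    esac
}

# Constructed sample: centralized server with the imtcp lines uncommented
SERVER_CONF=$(mktemp)
cat > "$SERVER_CONF" <<'EOF'
$ModLoad imuxsock
$ModLoad imtcp
$InputTCPServerRun 514
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
EOF

# Constructed sample: client forwarding over UDP (single @), listener still commented
CLIENT_CONF=$(mktemp)
cat > "$CLIENT_CONF" <<'EOF'
#$ModLoad imtcp
#$InputTCPServerRun 514
*.* @192.168.0.100:514
EOF
trap 'rm -f "$SERVER_CONF" "$CLIENT_CONF"' EXIT

echo "receiver listens on TCP port: $(rsyslog_receiver_port "$SERVER_CONF")"
echo "client forwarding mode: $(rsyslog_forwarding_mode "$CLIENT_CONF")"
```

A client reported as `udp` is the case where the RELP note above applies; `tcp` delivers reliably but still in cleartext.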
  • GUI
    • Applications -> System Tools -> System Log
    • Supports filtering
      • Gear -> Filters -> Manage Filters
      • Limits output
      • Can also colorize lines
    • Supports adding custom logs
      • Gear -> Open
      • Example: /var/log/httpd/access_log
  • systemd Journal
    • Designed as a replacement for syslog
    • RHEL7 runs both simultaneously
    • Stores logs in a secured binary format so they cannot be altered
    • Stored in RAM by default and not retained after a reboot
    • Persistent storage can be enabled
      1. sudo mkdir -p /var/log/journal/
      2. sudo systemctl restart systemd-journald
    • Can only be accessed by administrators
      • usermod -a -G adm <username>
    • Accessed with journalctl command
    • See most recent entries
      • journalctl -n <#>
      • Defaults to 10 if no number specified
    • Monitor most recent entries
      • journalctl -f
      • Equivalent to tail -f
    • Can be filtered by priority
      • journalctl -p err
    • Filtering for time
      • journalctl --since="2016-11-29 00:00:00" --until="2016-11-29 23:59:59"