17.2.7 Lab - Reading Server Logs
Objectives
Part 1: Reading Log Files with Cat, More, Less, and Tail
Part 2: Log Files and Syslog
Part 3: Log Files and Journalctl
Background / Scenario
Log files are an important tool for troubleshooting and monitoring. Different applications generate different log
files, each containing its own set of fields and information. While the field structure may change between
log files, the tools used to read them are mostly the same. In this lab, you will learn about common tools used
to read log files and practice using them.
Required Resources
CyberOps Workstation virtual machine
Instructions
Part 1: Reading Log Files with Cat, More, Less, and Tail
Log files are files used to record specific events triggered by applications, services or the operating system
itself. Usually stored as plain-text, log files are an indispensable resource for troubleshooting.
The beginning of the file may be lost from view, because cat does not support page breaks.
Another popular tool for visualizing log files is more. Similar to cat, more is also a UNIX command-line-based
tool that can open a text-based file and display the file contents on the screen. The main difference
between cat and more is that more supports page breaks, allowing the user to view the contents of a file
one page at a time. This can be done using the space bar to display the next page.
2018 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 6 www.netacad.com
c. From the same terminal window, use the command below to display the contents of the logstash-tutorial.log
file again, this time using more:
analyst@secOps ~$ more /home/analyst/lab.support.files/logstash-tutorial.log
The contents of the file should scroll through the terminal window and stop when one page is displayed.
Press the space bar to advance to the next page. Press enter to display the next line of text.
Building on the functionality of cat and more, the less tool allows the contents of a file to be displayed
page by page, while also allowing the user the choice of viewing previously displayed pages.
d. From the same terminal window, use less to display the contents of the logstash-tutorial.log file again:
analyst@secOps ~$ less /home/analyst/lab.support.files/logstash-tutorial.log
The contents of the file should scroll through the terminal window and stop when one page is displayed.
Press the space bar to advance to the next page. Press enter to display the next line of text. Use the up
and down arrow keys to move back and forth through the text file.
Use the “q” key on your keyboard to exit the less tool.
e. The tail command displays the end of a text file. By default, tail displays the last ten lines of the file.
Use tail to display the last ten lines of the /home/analyst/lab.support.files/logstash-tutorial.log file.
analyst@secOps ~$ tail /home/analyst/lab.support.files/logstash-tutorial.log
218.30.103.62 - - [04/Jan/2015:05:28:43 +0000] "GET /blog/geekery/xvfb-firefox.html HTTP/1.1" 200 10975 "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
218.30.103.62 - - [04/Jan/2015:05:29:06 +0000] "GET /blog/geekery/puppet-facts-into-mcollective.html HTTP/1.1" 200 9872 "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
198.46.149.143 - - [04/Jan/2015:05:29:13 +0000] "GET /blog/geekery/disabling-battery-in-ubuntu-vms.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+semicomplete%2Fmain+%28semicomplete.com+-+Jordan+Sissel%29 HTTP/1.1" 200 9316 "-" "Tiny Tiny RSS/1.11 (http://tt-rss.org/)"
198.46.149.143 - - [04/Jan/2015:05:29:13 +0000] "GET /blog/geekery/solving-good-or-bad-problems.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+semicomplete%2Fmain+%28semicomplete.com+-+Jordan+Sissel%29 HTTP/1.1" 200 10756 "-" "Tiny Tiny RSS/1.11 (http://tt-rss.org/)"
218.30.103.62 - - [04/Jan/2015:05:29:26 +0000] "GET /blog/geekery/jquery-interface-puffer.html%20target= HTTP/1.1" 200 202 "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
218.30.103.62 - - [04/Jan/2015:05:29:48 +0000] "GET /blog/geekery/ec2-reserved-vs-ondemand.html HTTP/1.1" 200 11834 "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
66.249.73.135 - - [04/Jan/2015:05:30:06 +0000] "GET /blog/web/firefox-scrolling-fix.html HTTP/1.1" 200 8956 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
86.1.76.62 - - [04/Jan/2015:05:30:37 +0000] "GET /projects/xdotool/ HTTP/1.1" 200 12292 "http://www.haskell.org/haskellwiki/Xmonad/Frequently_asked_questions"
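The tail output above is in the Apache/nginx combined log format, which the lab has you read by eye. The following Python script is an added example (it is not part of the Cisco lab) that parses that format so the same fields can be counted rather than scanned: client address, timestamp, request, status, response size, referer and user agent. The sample entries embedded in the script are copied from the tail output above, plus one deliberately malformed line (constructed) to show how a non-matching entry is handled; the field names and the shape of the summarize() report are this example's own choices, and the check for whitespace in a decoded path is one simple heuristic for mangled or crafted requests, not something the lab describes.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# Apache/nginx "combined" log format, which is what logstash-tutorial.log uses:
#   client ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Three entries copied from the tail output above, plus one constructed line that is
# deliberately not in combined format, to exercise the error path.
SAMPLE_LOG = """\
218.30.103.62 - - [04/Jan/2015:05:28:43 +0000] "GET /blog/geekery/xvfb-firefox.html HTTP/1.1" 200 10975 "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
218.30.103.62 - - [04/Jan/2015:05:29:26 +0000] "GET /blog/geekery/jquery-interface-puffer.html%20target= HTTP/1.1" 200 202 "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
66.249.73.135 - - [04/Jan/2015:05:30:06 +0000] "GET /blog/web/firefox-scrolling-fix.html HTTP/1.1" 200 8956 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
this constructed line is not in combined log format
"""


def parse_line(line):
    """Parse one combined-format entry into a dict; return None if the line does not match."""
    m = COMBINED.match(line.rstrip("\n"))
    if m is None:
        return None
    f = m.groupdict()
    # Apache time stamps look like 04/Jan/2015:05:28:43 +0000; %z consumes the UTC offset.
    f["time"] = datetime.strptime(f["time"], "%d/%b/%Y:%H:%M:%S %z")
    f["status"] = int(f["status"])
    f["size"] = 0 if f["size"] == "-" else int(f["size"])
    parts = f["request"].split(" ")
    f["method"] = parts[0] if parts else ""
    # Percent-decoding the path makes encoded oddities such as %20 visible.
    f["path"] = unquote(parts[1]) if len(parts) > 1 else ""
    return f


def summarize(text):
    """Count requests per client and per status code, keep paths that decode to
    something containing whitespace (a sign of a mangled or crafted request), and
    keep every line that could not be parsed so nothing is silently dropped."""
    by_client, by_status = Counter(), Counter()
    odd_paths, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            unparsed.append(line)
            continue
        by_client[entry["client"]] += 1
        by_status[entry["status"]] += 1
        if any(ch.isspace() for ch in entry["path"]):
            odd_paths.append(entry["path"])
    return {"by_client": by_client, "by_status": by_status,
            "odd_paths": odd_paths, "unparsed": unparsed}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for client, n in report["by_client"].most_common():
        print(f"{n:4d}  {client}")
    print("status codes:", dict(report["by_status"]))
    print("odd paths:", report["odd_paths"])
    print("unparsed lines:", len(report["unparsed"]))
```

Run it against the real file with `python3 parse_combined.py < /home/analyst/lab.support.files/logstash-tutorial.log` after swapping SAMPLE_LOG for `sys.stdin.read()`; the unparsed list is worth printing in full, because a log line that does not fit the format is either a format change or something an attacker wrote into the log.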
After the tail -f command is issued, the terminal appears to lock up and no longer accepts commands. This
happens because tail is still running: it is watching the log file and will print to the screen any changes
written to it.
b. To watch tail -f in action, open a second terminal window. Arrange your display so you can see both
terminal windows at the same time, re-sizing them as needed, as shown in the image below:
The terminal window on the top is running tail -f to monitor the
/home/analyst/lab.support.files/logstash-tutorial.log file. Use the terminal window on the bottom to
add information to the monitored file.
To make it easier to visualize, select the top terminal window (the one running tail -f) and press enter a
few times. This will add a few lines between the current contents of the file and the new information to be
added.
c. Select the bottom terminal window and enter the following command:
[analyst@secOps ~]$ echo "this is a new entry to the monitored log file" >> lab.support.files/logstash-tutorial.log
The command above appends the message "this is a new entry to the monitored log file" to the
/home/analyst/lab.support.files/logstash-tutorial.log file. Because tail -f is monitoring the file at the
moment the line is added, the top window should display the new line in real time.
d. Press CTRL + C to stop the execution of tail -f and return to the shell prompt.
e. Close one of the two terminal windows.
service.
On the CyberOps Workstation VM, /var/log/syslog is owned by root and can be read only by root, which is why the commands below use sudo.
b. Notice that the /var/log/syslog file only stores the most recent log entries. To keep the syslog file small,
the operating system periodically rotates the log files, renaming older log files as syslog.1, syslog.2, and
so on.
Use the cat command to display the contents of the older syslog files:
analyst@secOps ~$ sudo cat /var/log/syslog.2
analyst@secOps ~$ sudo cat /var/log/syslog.3
analyst@secOps ~$ sudo cat /var/log/syslog.4
Can you think of a reason why it is so important to keep the time and date of computers correctly
synchronized?
Logging systems use log files to record events together with the date and time at which they occurred.
If the system clock is wrong or not synchronized, troubleshooting becomes harder, and events recorded on
different systems cannot be reliably correlated, because entries about the same incident appear to have
happened at different times.
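Reading a rotated syslog history in time order means opening syslog.N before syslog.N-1, and older archives are often compressed by logrotate. The following Python script is an added example, not part of the Cisco lab: it orders the rotation set oldest first, reads plain and gzip-compressed files alike, and parses the traditional syslog header, whose timestamp carries neither a year nor a time zone, which is one concrete reason the clock question above matters. The demo directory, the host name secOps, the sshd and cron messages and the 203.0.113.5 / 192.0.2.10 addresses are all constructed for the example; the .gz handling is an assumption about logrotate settings, not something the lab states about the CyberOps Workstation.

```python
import gzip
import os
import re
import tempfile
from datetime import datetime

# Traditional (RFC 3164 style) syslog line:  Jan  4 05:28:43 host program[pid]: message
SYSLOG = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$'
)


def rotation_index(name, base):
    """syslog -> 0 (current), syslog.1 -> 1, syslog.2.gz -> 2; None if name is not a rotation of base."""
    if name == base:
        return 0
    m = re.fullmatch(re.escape(base) + r"\.(\d+)(\.gz)?", name)
    return int(m.group(1)) if m else None


def rotated_files(logdir, base="syslog"):
    """Paths of every rotation of base, oldest first, so reading them in order gives one time line."""
    found = []
    for name in os.listdir(logdir):
        idx = rotation_index(name, base)
        if idx is not None:
            found.append((idx, os.path.join(logdir, name)))
    return [path for _, path in sorted(found, reverse=True)]


def read_lines(path):
    """Yield lines from a plain or gzip-compressed log file."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            yield line.rstrip("\n")


def parse_syslog_line(line, year):
    """Parse one line. The traditional header has no year and no zone, so the caller must
    supply the year, and the result is only as trustworthy as the host clock was."""
    m = SYSLOG.match(line)
    if m is None:
        return None
    f = m.groupdict()
    f["time"] = datetime.strptime(f"{year} {f['ts']}", "%Y %b %d %H:%M:%S")
    return f


def events_for_program(logdir, prog, year, base="syslog"):
    """All entries logged by prog across the whole rotation set, oldest first."""
    events = []
    for path in rotated_files(logdir, base):
        for line in read_lines(path):
            entry = parse_syslog_line(line, year)
            if entry is not None and entry["prog"] == prog:
                events.append(entry)
    return events


def make_demo_dir():
    """Build a throwaway /var/log look-alike with constructed entries (host, addresses
    and messages are made up for this example) and return its path."""
    logdir = tempfile.mkdtemp(prefix="syslog-demo-")
    files = {
        "syslog.2.gz": [
            "Jan  3 22:10:01 secOps CRON[812]: (root) CMD (run-parts /etc/cron.hourly)",
            "Jan  3 22:14:37 secOps sshd[901]: Failed password for root from 203.0.113.5 port 4022 ssh2",
        ],
        "syslog.1": [
            "Jan  4 01:02:09 secOps sshd[1011]: Failed password for invalid user admin from 203.0.113.5 port 4050 ssh2",
            "Jan  4 01:15:00 secOps systemd[1]: Started Daily apt activities.",
        ],
        "syslog": [
            "Jan  4 05:28:43 secOps sshd[1234]: Accepted publickey for analyst from 192.0.2.10 port 51022 ssh2",
            "Jan  4 05:29:01 secOps a line without a syslog header",
        ],
    }
    for name, lines in files.items():
        path = os.path.join(logdir, name)
        opener = gzip.open if name.endswith(".gz") else open
        with opener(path, "wt", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")
    return logdir


if __name__ == "__main__":
    demo = make_demo_dir()
    print("reading order:", [os.path.basename(p) for p in rotated_files(demo)])
    for e in events_for_program(demo, "sshd", 2015):
        print(e["time"].isoformat(), e["host"], e["prog"], e["pid"], e["msg"])
```

Pointing events_for_program() at /var/log instead of the demo directory needs root, for the same reason cat did above. Note that a rotation set spanning New Year needs more than one year value, which is exactly the kind of ambiguity the traditional syslog timestamp leaves to the reader.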
Part 3: Log Files and Journalctl
Another popular log management system is known as journal. Managed by the journald daemon, the
system is designed to centralize the management of logs regardless of where the messages are originating.
In the context of this lab, the most evident feature of the journal system daemon is the use of append-only
binary files serving as its log files.
c. Use journalctl to specify the service and timeframe for log entries. The command below shows all nginx
service logs recorded today:
analyst@secOps ~$ sudo journalctl -u nginx.service --since today
d. Use the -k switch to display only messages generated by the kernel:
analyst@secOps ~$ sudo journalctl -k
e. Similar to tail -f described above, use the -f switch to actively follow the logs as they are being written:
analyst@secOps ~$ sudo journalctl -f
Reflection Question
Compare Syslog and Journald. What are the advantages and disadvantages of each?
Syslog is the standard solution for logging. It uses plaintext files, but these lack structure. Information is not
centralized, and you may have to search through a lot of unrelated information to find what is relevant.
Syslog does not provide a way to separate messages by the application they relate to. In addition, plaintext
files may require rotation so that they do not grow too large. Journald replaces plaintext log files with a
dedicated binary format for log messages, read through journalctl, which makes it easier to find the relevant
log messages.