11.2 Analyze and Store Logs

Logs provide a timeline of events on Linux systems and are valuable for troubleshooting issues. The main log files are stored in /var/log and contain information about the system, applications, services, and errors. Rsyslog and Journald are the primary services that collect and route log messages to the appropriate files. Rsyslog listens to messages and sends them to files, while Journald stores entries in binary journal files. Administrators can view and search logs to diagnose problems using commands like journalctl, tail, and grep.


Analyze and Store Logs:

The goal is to locate and accurately interpret the relevant system log files when troubleshooting.
Linux logs provide a timeline of events for the operating system, applications, and services, and
are a valuable troubleshooting tool when you encounter an issue. Analyzing the log files is
therefore the first thing an administrator should do when a problem is discovered.

Log Files:
A log file is a file that records events that occur in an operating system, in applications, and in
services. Logging is the act of keeping such a log. Different log files hold different kinds of
information. Most of the files under /var/log are plain text, so they can be read with ordinary
text tools; the systemd journal (described below) is the exception, since it is stored in binary form.

System Logging:
Processes and the operating system kernel need to be able to record a log of the events that
happen. These logs are useful for auditing the system and for troubleshooting problems. Almost
all log files are located under the /var/log directory and its sub-directories. Most of them are
readable only by root, which is deliberate: a file such as /var/log/secure records the user name
and source address of every login attempt. You can use less, more, cat, grep, tail, etc. to read
the log files. There are different log files for different information:

Log file            Purpose
/var/log            The main log file directory
/var/log/messages   Most syslog messages are logged here, such as system error messages,
                    startups and shutdowns, and changes in network configuration
/var/log/cron       Messages from periodically executed tasks (crond). The file is named
                    /var/log/cron on RHEL; some other distributions use /var/log/cron.log
/var/log/maillog    Mail server related messages, such as those from sendmail or postfix
/var/log/boot.log   Messages related to system startup, such as services being started
/var/log/secure     Security and authentication related messages, such as those from ssh and sudo
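
The most common question asked of /var/log/secure is "who is hammering my sshd?". The following
shell functions are an added example, not part of the original document: they summarise failed
SSH password attempts per source address from a handful of constructed /var/log/secure-style
lines (the host name web01, the addresses and the fingerprint fragment are all made up for the
example). Each function reads log lines on standard input, so the same pipeline works on the
real file or on the output of tail -f.

```shell
#!/usr/bin/env bash
# Added example (not from the original document): summarise failed SSH
# password attempts per source address from /var/log/secure-style lines.
# The sample lines, the host name "web01" and the addresses are constructed
# for this example and do not come from a real system.

SAMPLE_SECURE='Mar  3 09:12:01 web01 sshd[2311]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 09:12:04 web01 sshd[2311]: Failed password for root from 203.0.113.7 port 51123 ssh2
Mar  3 09:12:09 web01 sshd[2315]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar  3 09:13:40 web01 sshd[2320]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2: RSA SHA256:q3Rk
Mar  3 09:14:02 web01 sshd[2324]: Failed password for invalid user test from 198.51.100.44 port 39001 ssh2
Mar  3 09:14:10 web01 su: pam_unix(su-l:auth): authentication failure; logname=deploy uid=1000 euid=0 tty=pts/0 ruser=deploy rhost=  user=root'

# failed_ssh_by_ip: read log lines on stdin, print "count ip" pairs with the
# most frequent source first. Only sshd "Failed password" lines are counted.
# We key on the "from <addr> port" phrase sshd writes rather than on a field
# position, because the position differs between valid and invalid users.
failed_ssh_by_ip() {
    grep -E 'sshd\[[0-9]+\]: Failed password for ' |
    sed -nE 's/.* from ([0-9a-fA-F.:]+) port [0-9]+ .*/\1/p' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'
}

# brute_force_sources THRESHOLD: source addresses with at least THRESHOLD
# failures, one per line. This is the condition worth alerting on.
brute_force_sources() {
    failed_ssh_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# invalid_users_tried: distinct user names that do not exist on the host but
# were tried anyway, a quick indicator of a credential-spraying wordlist.
invalid_users_tried() {
    sed -nE 's/.*Failed password for invalid user ([^ ]+) from .*/\1/p' | sort -u
}

# Demonstration on the constructed sample. On a live host replace the printf
# with:  sudo cat /var/log/secure | brute_force_sources 10
printf '%s\n' "$SAMPLE_SECURE" | failed_ssh_by_ip
printf '%s\n' "$SAMPLE_SECURE" | brute_force_sources 3
```

Note that the pam_unix "authentication failure" line from su is not counted: it has no source
address, and mixing local and remote failures in one counter hides the remote pattern you are
looking for. Count those separately if you need them.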

Syslog Files:
The syslog protocol is supported by a wide range of devices and can be used to log different
types of events. Many programs use syslog to log events to the system. Each log message is
categorized by a facility (the type or source of the message, such as kern, mail, daemon or
authpriv) and a priority (the severity of the message). The lower the priority code, the more
severe the condition.

Syslog Priorities:
Priority        Code  Severity
Emergency       0     System unusable
Alert           1     Action must be taken immediately
Critical        2     Critical condition
Error           3     Non-critical error condition
Warning         4     Warning condition
Notice          5     Normal but significant event
Informational   6     Informational event
Debug           7     Debug-level message

1 | P a g e Created by Ahmad Ali E-Mail: [email protected] , Mobile# +966-564303717


Introduction to Rsyslog:
In Red Hat Enterprise Linux 7, syslog messages are handled by two services, systemd-journald
and rsyslog. Rsyslog (Rocket-fast System for Log Processing) is the most popular daemon for
centralizing log data because it is installed by default in most common Linux distributions. The
service listens for log messages from different parts of a Linux system and routes each message
to the appropriate log file in the /var/log directory. The list of log files maintained by
rsyslogd is in /etc/rsyslog.conf (and in drop-in files under /etc/rsyslog.d/). Rsyslog provides
extended filtering, TLS-protected relaying of messages, many configuration options, input and
output modules, and transport over UDP or TCP.

Commands                          Description
# yum search rsyslog              Search the repositories for the rsyslog package
# yum -y install rsyslog          Install the rsyslog package
/etc/rsyslog.conf                 Rsyslog default configuration file
# vi /etc/rsyslog.conf            Edit the rsyslog configuration file
$ModLoad imudp                    Uncomment these two lines in the configuration file to make
$UDPServerRun 514                 the syslog server listen on UDP port 514
$ModLoad imtcp                    Uncomment these two lines in the configuration file to make
$InputTCPServerRun 514            the syslog server listen on TCP port 514
*.* @Server_IP_Address            Place one of these at the end of the client's configuration to
*.* @@Server_IP_Address           send all messages to the server: @ for UDP, @@ for TCP
# systemctl restart rsyslog       Restart the rsyslog service after changes
# systemctl status rsyslog        Check that the rsyslog service is running
# tail -f /var/log/secure         Follow the local authentication log
# tail -f /var/log/messages       Follow the local general message log
# tail -f /var/log/maillog        Follow the local mail log
# tail -f /var/log/boot.log       Follow the local boot log

Both @ and @@ send messages in plain text. UDP delivery is also unacknowledged and its source
address is trivially spoofable, so a receiver listening on UDP 514 will accept forged entries from
anything that can reach it. On a network you do not fully trust, forward over TCP with rsyslog's
gtls stream driver (package rsyslog-gnutls), restrict the listener to the expected clients with
firewalld, and protect and rotate the collected files on the server as you would locally.
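
To make the plaintext caveat concrete, here is an added example (not from the original document
and not rsyslog's own tooling) that puts the two forwarding rules from the table next to a
TLS-protected equivalent, and a small shell audit that reports which forwarding actions in a
legacy-syntax rsyslog configuration leave log data unencrypted on the wire. The host name
loghost.example.com and the /etc/pki/rsyslog/* certificate paths are assumptions; substitute
your own.

```shell
#!/usr/bin/env bash
# Added example (not from the original document): the plaintext forwarding
# rules from the table above next to a TLS-protected equivalent, plus a small
# audit that reports which forwarding actions in a rsyslog configuration
# leave log data unencrypted on the wire. The host name loghost.example.com
# and the /etc/pki/rsyslog/* certificate paths are assumptions.

# As in the table: @ forwards over UDP, @@ over TCP. Both are plaintext.
PLAINTEXT_FORWARDING='*.* @loghost.example.com:514
authpriv.* @@loghost.example.com:514'

# The same forwarding over TCP inside TLS with mutual certificate
# authentication (legacy rsyslog syntax; needs the rsyslog-gnutls package on
# RHEL 7). 6514 is the registered syslog-over-TLS port.
TLS_FORWARDING='$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/pki/rsyslog/ca.pem
$DefaultNetstreamDriverCertFile /etc/pki/rsyslog/client-cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/rsyslog/client-key.pem
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer loghost.example.com
$ActionSendStreamDriverMode 1
*.* @@loghost.example.com:6514'

# audit_forwarding: read a legacy-syntax rsyslog config on stdin and print
# one "<transport> <target>" line per forwarding action, where transport is
# udp-plaintext, tcp-plaintext or tcp-tls. A TCP action only counts as TLS
# when the gtls driver is selected and StreamDriverMode 1 (TLS only) is set
# before it. RainerScript action(type="omfwd" ...) blocks are not parsed.
audit_forwarding() {
    awk '
        /^[[:space:]]*#/ { next }                          # comment line
        /^\$DefaultNetstreamDriver[[:space:]]+gtls/ { tls = 1 }
        /^\$ActionSendStreamDriverMode[[:space:]]+1/ { mode1 = 1 }
        # a selector (not a $directive) followed by @ or @@ is a forward
        $1 ~ /^[^$]/ && $2 ~ /^@/ {
            target = $2
            if (substr(target, 1, 2) == "@@") {
                sub(/^@@/, "", target)
                transport = (tls && mode1) ? "tcp-tls" : "tcp-plaintext"
            } else {
                sub(/^@/, "", target)
                transport = "udp-plaintext"   # rsyslog cannot wrap UDP in TLS
            }
            print transport, target
        }'
}

# forwarding_is_encrypted: succeed only if no forwarding action is plaintext
# (a config with no forwarding at all passes, since nothing leaves the host).
forwarding_is_encrypted() {
    ! audit_forwarding | grep -q plaintext
}

printf '%s\n' "$PLAINTEXT_FORWARDING" | audit_forwarding
printf '%s\n' "$TLS_FORWARDING" | audit_forwarding
```

On a live client run `cat /etc/rsyslog.conf /etc/rsyslog.d/*.conf | audit_forwarding`; any
line reporting udp-plaintext or tcp-plaintext is log data (including /var/log/secure content)
readable by whoever can sniff the path to the server.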

Introduction to Journald:
Log files can also be managed by the journald daemon, a component of systemd. Logging data
is collected, stored, and processed by the systemd-journald service. It creates and maintains
binary files called journals from logging information received from the kernel, from user
processes (via the syslog socket and the native journal API), and from the standard output and
standard error of system services. These journals are structured and indexed, which gives
relatively fast seek times. Each journal entry carries a set of metadata fields; the fields whose
names start with an underscore (such as _PID, _UID and _SYSTEMD_UNIT) are filled in by journald
from kernel-supplied credentials rather than taken from the message, so the logging process
cannot forge them. The journal files are binary, so they cannot be edited with a text editor;
their integrity can be checked with journalctl --verify.
Journals produced by journald are by default not persistent: they are stored only in memory
under the /run/log/journal/ directory. The amount of logged data depends on free memory, and
when the capacity limit is reached the oldest entries are deleted. Because the journal captures
early boot, kernel and service output in one place, journalctl is usually the first tool to turn
to when troubleshooting.

Journalctl:
Like systemctl, journalctl (journal control) is a systemd utility. It is used for querying and
displaying messages from the journal. Since the journal consists of one or more binary files,
journalctl is the standard way to read messages from it.

Commands                                        Description
# yum search journal                            Search for journal-related packages (journald itself ships
                                                in the systemd package, so nothing extra is needed)
# systemctl status systemd-journald             Check that the journald service is running
# journalctl                                    Display the full journal, oldest entries first
# journalctl -n                                 Display the last 10 entries
# journalctl -n 5                               Display the last 5 entries
# journalctl -k                                 Display kernel messages
# journalctl -f                                 Follow the journal, printing new entries as they arrive (like tail -f)
# journalctl -p err                             Display entries of priority err and more severe (codes 0 to 3)
# journalctl -p {0,1,2,3,4,5,6,7}               Filter by priority number 0 to 7; a number selects that level
                                                and every more severe level
# journalctl -b                                 Display entries since the last boot
# journalctl --since yesterday                  Display entries since the start of yesterday
# journalctl --since yesterday --until 9:30:00  Display entries from yesterday up to 09:30 today
# journalctl --since "2 days ago"               Display entries of the last two days
# journalctl _PID=1                             Filter by process ID
# journalctl _UID=0                             Filter by user ID (use _GID= to filter by group ID)
# journalctl _SYSTEMD_UNIT=sshd.service         Filter by systemd unit; the field needs the full unit name
                                                (journalctl -u sshd is a shorthand that appends .service)
# cat /etc/systemd/journald.conf                View the journald configuration (Storage=, SystemMaxUse=, etc.)

Store System Journal Permanently:

By default, the systemd journal is kept in /run/log/journal, which means it is lost when the
system reboots. The journal can be made persistent by creating the directory /var/log/journal as
root, setting its ownership to user root and group systemd-journal with the setgid bit, and then
restarting systemd-journald (systemctl restart systemd-journald) or rebooting. Alternatively,
set Storage=persistent in /etc/systemd/journald.conf. The setgid bit (the leading 2 in 2755)
makes every journal file created under the directory inherit the systemd-journal group, so
members of that group can read the whole persistent journal without root; keep that membership
as small as possible.

Commands                                          Description
# mkdir /var/log/journal                          Create the directory under /var/log
# chown root:systemd-journal /var/log/journal     Set ownership to user root and group systemd-journal
# chmod 2755 /var/log/journal                     Set permissions (setgid so new files inherit the group)

Log File Rotation:

If logs were kept forever, they would eventually fill the filesystem where /var/log resides. The
logrotate program is a log file manager. It rotates log files regularly, removing the oldest ones
and starting new files. It can rotate based on the age of the file or on its size, and usually
runs automatically through cron (on RHEL 7 from /etc/cron.daily/logrotate). Logrotate can also
compress rotated files and e-mail them to users. When a log file is rotated it is renamed with a
suffix; with the dateext option, which RHEL enables in /etc/logrotate.conf, the suffix is the date
of the rotation. The create directive in a stanza sets the owner and mode of the new file, which
is how rotated copies of sensitive logs such as /var/log/secure stay readable only by root.

Commands                      Description
# vi /etc/logrotate.conf      Default configuration file
# cd /etc/logrotate.d/        Default directory for the per-service and per-application
                              configuration files
# yum install logrotate -y    Install the logrotate package

Logger:
logger is a command-line utility that sends messages to the system logger, and is also a handy
diagnostic tool. By default it sends the message to the user facility with severity notice
(user.notice) unless another facility.level pair is given with the -p option. It is especially
useful for testing changes to the rsyslog configuration. The facilities logger accepts are auth,
authpriv, cron, daemon, ftp, kern, lpr, mail, news, security, syslog, user, uucp and local0 to
local7; security is a deprecated synonym for auth, and kern cannot be generated from user space
and is converted to user. Because any local user can run logger, the tag and text of a message
prove nothing by themselves; when investigating, trust the metadata the logging system adds
(journald's _UID and _PID fields) rather than the message body.
# logger -p daemon.warn "This is only a warning test."
# logger -p user.notice "This is only a notice test."
# logger -p security.warn "This is only a security test."
# logger "Log entry created locally"

Logger Levels and Priorities:

Priority        Code  Level              Example
Emergency       0     emerg              security.emerg
Alert           1     alert              mail.alert
Critical        2     crit               user.crit
Error           3     err                cron.err
Warning         4     warning (or warn)  security.warn
Notice          5     notice             user.notice
Informational   6     info               user.info
Debug           7     debug              user.debug
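
The two tables above (syslog priorities, and logger levels with their facility.level examples)
share one piece of arithmetic that the text does not spell out: the facility.level pair becomes
a single number in the syslog header, PRI = facility * 8 + severity, and a rsyslog selector such
as daemon.warn matches a message of that facility at that severity or anything more severe. The
shell helpers below are an added example, not part of the original document, that encode, decode
and match these values; the facility names for codes 12 to 15 (ntp, audit, alert, clock) are the
RFC 5424 names and are not facilities logger will accept.

```shell
#!/usr/bin/env bash
# Added example (not from the original document): the arithmetic behind the
# priority tables. A facility.level pair such as logger's "daemon.warn" is
# encoded in the syslog header as PRI = facility * 8 + severity, and a
# rsyslog selector matches a message by facility and by "this severity or
# more severe". These helpers encode, decode and match.

# facility_code NAME -> numeric facility, as logger understands the names
facility_code() {
    case "$1" in
        kern) echo 0;;  user) echo 1;;  mail) echo 2;;  daemon) echo 3;;
        auth|security) echo 4;;    # "security" is logger's deprecated alias for auth
        syslog) echo 5;;  lpr) echo 6;;  news) echo 7;;  uucp) echo 8;;
        cron) echo 9;;  authpriv) echo 10;;  ftp) echo 11;;
        local[0-7]) echo $((16 + ${1#local}));;
        *) return 1;;
    esac
}

# severity_code NAME -> numeric severity 0..7, with the aliases logger accepts
severity_code() {
    case "$1" in
        emerg|panic) echo 0;;  alert) echo 1;;  crit) echo 2;;  err|error) echo 3;;
        warn|warning) echo 4;;  notice) echo 5;;  info) echo 6;;  debug) echo 7;;
        *) return 1;;
    esac
}

# pri_encode facility.level -> PRI, e.g. daemon.warn -> 28 (3*8 + 4)
pri_encode() {
    f=$(facility_code "${1%.*}") || return 1
    s=$(severity_code "${1#*.}") || return 1
    echo $((f * 8 + s))
}

# Names by code for decoding. Codes 12-15 follow RFC 5424 and are rarely seen.
FACILITY_NAMES='kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp audit alert clock local0 local1 local2 local3 local4 local5 local6 local7'
SEVERITY_NAMES='emerg alert crit err warning notice info debug'

# pri_decode PRI -> facility.severity, e.g. 86 -> authpriv.info
pri_decode() {
    awk -v pri="$1" -v fn="$FACILITY_NAMES" -v sn="$SEVERITY_NAMES" 'BEGIN {
        split(fn, f, " "); split(sn, s, " ")
        print f[int(pri / 8) + 1] "." s[pri % 8 + 1]
    }'
}

# selector_matches SELECTOR PRI: rsyslog selector semantics. "*" matches any
# facility or level; a plain level matches that level and everything more
# severe (numerically lower); "=level" matches exactly that level; "none"
# never matches.
selector_matches() {
    sel_fac=${1%.*}; sel_lvl=${1#*.}
    msg_fac=$(($2 / 8)); msg_sev=$(($2 % 8))
    if [ "$sel_fac" != '*' ]; then
        [ "$(facility_code "$sel_fac")" = "$msg_fac" ] || return 1
    fi
    case "$sel_lvl" in
        '*')  return 0;;
        none) return 1;;
        =*)   [ "$(severity_code "${sel_lvl#=}")" = "$msg_sev" ];;
        *)    [ "$msg_sev" -le "$(severity_code "$sel_lvl")" ];;
    esac
}

# logger -p daemon.warn "..." is sent with a <28> header, which a
# daemon.warn selector in rsyslog.conf catches; daemon.err would not.
pri_encode daemon.warn
pri_decode 28
```

This also explains why `journalctl -p err` and the `*.err` style selectors show more than just
errors: a level names a threshold, not a single value, and `=err` is the form that means exactly
that level.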

View GUI System Logs:
To view system log files in an interactive, real-time application, use the System Log Viewer. To
start the application, go to Applications => System => System Logs, or type the command
gnome-system-log at a shell prompt.

Maintaining Accurate Time:
Keeping accurate, synchronized time across your network is important for many reasons: for
accurate time stamps in logs (and therefore for correlating events between hosts during an
investigation), for ensuring that scheduled processes run on time, and for applications that
depend on keeping good time, such as anything that checks certificate validity periods or
token expiry.
Timedatectl:
The timedatectl command is a new utility in RHEL and CentOS 7 that comes as part of the systemd
system and service manager. It allows you to query and change the configuration of the system
clock and its settings: you can set or change the current date, time and time zone, or enable
automatic synchronization of the system clock with a remote NTP server (the synchronization
itself is done by chronyd or ntpd). Note that set-time is refused while NTP synchronization is
enabled.

Commands                                         Description
# timedatectl status                             Display the current date, time and time zone settings
# timedatectl                                    Same as status; shows the current time zone
# timedatectl set-time 22:31:14                  Set the time only
# timedatectl set-time "2015-04-15 22:37:22"     Set both date and time
# timedatectl set-timezone America/New_York      Set your local time zone
# timedatectl list-timezones                     View all available time zones
# timedatectl set-ntp yes                        Enable synchronization with a remote NTP server
# timedatectl set-ntp false                      Disable NTP time synchronization
# timedatectl set-timezone UTC                   Set the time zone to Coordinated Universal Time (UTC)
# timedatectl | grep local                       Show whether the hardware clock is kept in local time
# timedatectl set-local-rtc 1                    Keep the hardware clock in local time (not recommended:
                                                 daylight-saving changes confuse it; use 0 to keep it in UTC)
