Logging Services

The document discusses the importance of syslog for centralized event logging, detailing how to manage logs using rsyslogd and systemd-journald. It outlines log types, locations, and configuration steps for both logging systems, including commands for viewing and managing logs. Additionally, it covers log rotation to prevent disk space issues and provides examples of log file management commands.

rsyslogd & journald:

Why do we have syslog?

1. To have a centralized location that collects events (started, stopped, error and
   crashed).
2. Events may be system events, service events, results of cron jobs, network info
   and security events.

What is in a log entry?

LOG ==> date:time (HH:MM:SS):hostname:event source (the program or tag that produced it):log message

To set the local clock and time zone (timestamps are only useful for correlating
events across machines if the clock is right, so enable NTP):

[root@server ~]# timedatectl ==> display the time, date, time zone and NTP settings
[root@server ~]# timedatectl list-timezones ==> list the available zones
[root@server ~]# timedatectl set-timezone Africa/Cairo
[root@server ~]# timedatectl set-ntp true ==> enable NTP time synchronization

We have to differentiate between event types, so each event is treated
separately in order to specify its origin and severity (security, network,
service and system events).

Every log message is an event; every event comes from a facility (kern,
authpriv for authentication, mail, cron, daemon, local0-local7, ...) and
carries a priority (severity level: debug, info, notice, warning, err, crit,
alert, emerg). For example, an error from the dhcpd service arrives with the
facility dhcpd logs to and the priority err.

Example of selectors, the facility.priority pair on the left-hand side of an
rsyslog rule:
authpriv.err ==> authentication messages of priority err and above
kern.info ==> kernel messages of priority info and above
Note: a priority in a selector matches that level and everything more severe,
not only that exact level.
Note: logs are used to track security attacks (auditing), so they are very
important. Keep the log server separate from any other machine and secure it:
an attacker who gets root on a host can edit or delete that host's local logs,
but not the copies already shipped to the central server.

Log origin:
- services create them (httpd, samba, mail)
- rsyslogd
- systemd ==> journald

Most known log locations:

/var/log/messages ==> most logs are logged here
/var/log/secure ==> log file for security and authentication messages and errors
/var/log/maillog ==> log file for mail server related messages
/var/log/cron ==> log file for periodically scheduled tasks (cron)
/var/log/boot.log ==> log file for system startup

Server side:
A log server listens on either UDP or TCP port 514.
To see how to write the rsyslog configuration:
[root@server ~]# man rsyslog.conf

The configuration file is /etc/rsyslog.conf

Programs and administrators can extend the rsyslogd configuration by putting
customized files with a .conf suffix in the /etc/rsyslog.d directory.
To enable reception over UDP or TCP, uncomment the corresponding module
lines in /etc/rsyslog.conf (the imudp module for UDP, the imtcp module for
TCP). Prefer TCP: UDP silently drops messages under load and the source
address is trivially spoofed. Plain port 514 is neither authenticated nor
encrypted either way, so restrict it in the firewall to the known clients or
use rsyslog's TLS support.
[root@srv1 ~]# vim /etc/rsyslog.conf

After any change to the rsyslog configuration you must restart the service,
then send a test message:
[root@server ~]# systemctl restart rsyslog.service
[root@server ~]# systemctl status rsyslog.service
[root@server ~]# logger -p local7.debug "testing log system"
(with the stock RHEL rules local7.* is written to /var/log/boot.log, so look
for the test message there.)
Note: rsyslog reads the system messages collected by systemd-journald (the
imjournal input on RHEL 7) and writes them to the files above, so the two
services together give the complete view of all system logs.
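The two halves of a remote-logging setup, as an added example that is not part of the course notes: a drop-in for the central server that accepts TCP 514 and keeps each client's messages in a directory of their own, and a drop-in for a client that forwards to it. It uses rsyslog's RainerScript syntax (rsyslog 7 and later, as shipped with RHEL 7); the hostname logserver.example.com, the /var/log/remote path, the ruleset and template names and the function names are assumptions. The functions only write the file you name, so you can generate into a scratch directory and review the result before copying it under /etc/rsyslog.d.

```shell
#!/bin/sh
# Added example (not from the course): generate rsyslog drop-in files for a
# central log server and for a client that forwards to it. Paths, names and
# the target host are assumptions; review the output before installing.

# Server side: listen on TCP 514 (imtcp) and keep each remote host's logs in
# its own directory instead of mixing them into the server's /var/log/messages.
write_server_conf() {
    target="$1"   # e.g. /etc/rsyslog.d/10-remote-in.conf
    cat > "$target" <<'EOF'
# Central log server: accept syslog over TCP 514 from clients.
# imudp would also work but drops messages under load and is easily spoofed.
module(load="imtcp")

# One file per sending host and program, e.g. /var/log/remote/web01/sshd.log
template(name="RemoteLogs" type="string"
         string="/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log")

# Remote messages get their own ruleset, so they never reach the local rules
# and a client cannot write forged entries into the server's own /var/log/secure.
ruleset(name="remote") {
    action(type="omfile" dynaFile="RemoteLogs")
}

input(type="imtcp" port="514" ruleset="remote")
EOF
}

# Client side: forward everything to the log server over TCP, with a
# disk-assisted queue so messages survive the server being unreachable.
write_client_conf() {
    target="$1"    # e.g. /etc/rsyslog.d/90-forward.conf
    server="$2"    # e.g. logserver.example.com (assumed name)
    cat > "$target" <<EOF
# Forward all facilities and priorities to the central server over TCP.
# queue.* keeps messages on disk while the server is down; resumeRetryCount=-1
# retries forever instead of discarding.
action(type="omfwd" target="$server" port="514" protocol="tcp"
       queue.type="LinkedList" queue.filename="fwdRule1"
       queue.saveOnShutdown="on" action.resumeRetryCount="-1")
EOF
}

# Validate a generated file without starting the daemon (needs rsyslogd).
check_conf() {
    rsyslogd -N1 -f "$1"
}
```

Restart rsyslog on both sides, open 514/tcp on the server's firewall for the known client addresses only, and send a test message with logger from a client; it should appear under /var/log/remote/<client>/<program>.log on the server. Because plain TCP carries the messages unauthenticated and in clear text, anyone who can reach port 514 can inject entries or read them in transit; where the network is not trusted, layer rsyslog's TLS stream driver (rsyslog-gnutls) on top of this configuration.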

Journald:

The journal is stored as binary files (large, but indexed, so anything can be
pulled out of them); it is read with one of two tools:
1. systemctl ==> systemctl status <unit> shows the last journal lines of that unit
2. journalctl ==> queries the whole journal

Service name: systemd-journald

Service configuration file: /etc/systemd/journald.conf
Log file is in /run/log/journal/ ==> temporary (tmpfs), lost at reboot

By default the journal is stored in /run/log/journal; if the directory
/var/log/journal exists the journal is written there instead and survives a
reboot. Either way the data is rotated: by default the journal may use at most
10% of the file system and always leaves at least 15% of it free
(SystemMaxUse and SystemKeepFree in journald.conf), each capped at 4 GiB.

[root@server ~]# journalctl ==> display the whole journal
[root@server ~]# journalctl -n 20 ==> display the last 20 entries
[root@server ~]# journalctl -f ==> like tail -f, follow new entries in real time
[root@server ~]# journalctl -b ==> entries since the current boot
[root@server ~]# journalctl -p err ==> entries of priority err and more severe
[root@server ~]# journalctl --since "yyyy-mm-dd hh:mm:ss" (or yesterday, today, tomorrow)
[root@server ~]# journalctl --until "yyyy-mm-dd hh:mm:ss" (or yesterday, today, tomorrow)
[root@server ~]# journalctl --since "2014-10-30 01:00:00" --until "2015-10-30 01:00:00"
[root@server ~]# journalctl --since yesterday
[root@server ~]# journalctl --since yesterday --until now
[root@server ~]# journalctl _PID=1 ==> entries from the process with PID 1 (systemd)
[root@server ~]# journalctl _UID=0 ==> entries from processes running as root
[root@server ~]# journalctl _SYSTEMD_UNIT=sshd.service ==> match on the unit field
[root@server ~]# journalctl -u sshd ==> ssh daemon logs (shorthand for the above)
[root@server ~]# journalctl -u sshd -o verbose ==> show every field of each entry, not just the message line
[root@server ~]# journalctl -u sshd -p info ==> filter by priority
Note: the fields whose names start with an underscore (_PID, _UID, _SYSTEMD_UNIT,
...) are filled in by journald from the sender's credentials, so unlike the
message text they cannot be forged by the logging process; that is what makes
them usable for auditing.
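A detection pass over sshd log lines, added here as an example and not part of the course notes. It counts failed password attempts per source IP, which is the first question asked of /var/log/secure or journalctl -u sshd after an incident, and flags sources above a threshold. The sample lines are constructed for the example; the threshold and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the course): count failed SSH password attempts per
# source IP from sshd log lines. Works on /var/log/secure and on
# "journalctl -u sshd" output alike, because only the
# "sshd[pid]: Failed password ... from <ip>" part of the message is used.

# Reads log lines on stdin; prints "<count> <ip>", most failures first.
failed_ssh_by_ip() {
    awk '
        /sshd\[[0-9]+]: Failed password/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) print fails[ip], ip }
    ' | sort -rn
}

# Prints an ALERT line per source at or above the threshold; exit status 1
# when anything was flagged, so it can drive a cron job or a monitoring check.
flag_bruteforce() {
    threshold="$1"
    failed_ssh_by_ip | awk -v t="$threshold" '
        $1 >= t { print "ALERT", $2, $1 " failures"; found = 1 }
        END { exit found ? 1 : 0 }'
}

# Constructed sample (not real data): two syslog-style lines as written to
# /var/log/secure, two lines in journalctl -o short-iso style.
sample_lines() {
    cat <<'EOF'
May  1 10:15:02 server sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4422 ssh2
May  1 10:15:05 server sshd[1234]: Failed password for root from 203.0.113.5 port 4423 ssh2
2024-05-01T10:16:40+0000 server sshd[1301]: Accepted publickey for deploy from 198.51.100.7 port 5100 ssh2
2024-05-01T10:17:01+0000 server sshd[1310]: Failed password for invalid user oracle from 198.51.100.9 port 6000 ssh2
EOF
}

# On a live host:
#   journalctl -u sshd --since today -o short-iso | failed_ssh_by_ip
#   flag_bruteforce 10 < /var/log/secure
```

Both the attacker's source address and the "invalid user" names come from the message text, which the sshd process wrote; the trusted journal fields (_PID, _SYSTEMD_UNIT) are what proves those lines came from sshd and not from some other process calling logger with a forged tag.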

To store the journal persistently:

[root@server ~]# mkdir -p /var/log/journal
[root@server ~]# chown -R root:systemd-journal /var/log/journal
[root@server ~]# chmod 2755 /var/log/journal
[root@server ~]# ls /etc/systemd/journald.conf
[root@server ~]# echo "Storage=persistent" >> /etc/systemd/journald.conf
[root@server ~]# echo "SystemMaxUse=100M" >> /etc/systemd/journald.conf
[root@server ~]# systemctl restart systemd-journald
[root@server ~]# reboot
Note: the directory must exist before it can be chowned. Appending with echo
works only because journald.conf has a single [Journal] section and the keys
are commented out in the stock file; editing those commented lines in place
is cleaner and does not add a duplicate key on a second run. The reboot is not
required: restarting the service (or sending it SIGUSR1, which makes journald
flush /run/log/journal into /var/log/journal) is enough.
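The persistence steps above as an added example (not the course's own script) that fixes two practical problems with them: the directory must exist before it can be chowned, and appending with echo adds a duplicate key each time the script is re-run. The $root prefix and the function names are assumptions so the function can be tried in a scratch directory; on the real host call it with no argument, as root.

```shell
#!/bin/sh
# Added example (not from the course): make the journal persistent, idempotently.
# "$root" is an assumed prefix so the function can be tried in a scratch
# directory; with no argument it edits the live system and must run as root.

# Set Key=Value under [Journal] in a journald.conf: replace an existing
# "Key=" or commented "#Key=" line in place, else add it after the header.
set_journal_option() {
    conf="$1"; key="$2"; value="$3"
    grep -q '^\[Journal\]' "$conf" || printf '[Journal]\n' >> "$conf"
    if grep -Eq "^#?$key=" "$conf"; then
        sed -E -i "s|^#?$key=.*|$key=$value|" "$conf"
    else
        sed -i "/^\[Journal\]/a $key=$value" "$conf"
    fi
}

enable_persistent_journal() {
    root="${1:-}"
    conf="$root/etc/systemd/journald.conf"
    dir="$root/var/log/journal"

    mkdir -p "$dir"                         # the course's steps omit this
    chown root:systemd-journal "$dir" 2>/dev/null || true   # group absent in a scratch root
    chmod 2755 "$dir"                       # setgid: new journal files inherit the group

    set_journal_option "$conf" Storage persistent
    set_journal_option "$conf" SystemMaxUse 100M

    # Only touch the real daemon when editing the live system. SIGUSR1
    # (kill -USR1) also works and makes journald flush /run/log/journal into /var.
    if [ -z "$root" ] || [ "$root" = "/" ]; then
        systemctl restart systemd-journald
    fi
}
```

After running it on the live host, journalctl --disk-usage shows the size now held under /var/log/journal, and a second run leaves journald.conf unchanged.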

Log Rotation Service:

Logging must not fill the server's disk, so periodically the current file is
closed and a new one is opened; after a certain age the old file is useless and
is deleted. This is rotation.
/etc/logrotate.conf ==> main configuration, run once a day from /etc/cron.daily/logrotate
/etc/logrotate.d/ ==> per-package drop-in files that override the main
configuration; installed by rpm packages and by other services.
Note: it is a process driven by the cron.daily directory, not a daemon.
[root@server ~]# man logrotate ==> read it before making any configuration changes

[root@server ~]# vim /etc/logrotate.conf

weekly ==> rotate log files weekly
rotate 4 ==> keep 4 weeks' worth of backlogs (a month)
create ==> create new (empty) log files after rotating the old ones
dateext ==> use the date as the suffix of the rotated file
compress ==> compress the rotated files to save space (commented out in the stock file; uncomment it to enable)
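A complete logrotate stanza, added as an example that is not in the course notes, for the per-host files a central rsyslog server writes under /var/log/remote (path, retention, permissions and the function names are assumptions). It shows the two things the option list above leaves out: the daemon must be told to reopen its files after rotation (postrotate), and the new files should be created with restrictive permissions so the rotated copies are not world-readable.

```shell
#!/bin/sh
# Added example (not from the course): a logrotate drop-in for per-host remote
# logs written by rsyslog, plus a dry run. Path and retention are assumptions.
write_remote_logrotate() {
    target="$1"   # e.g. /etc/logrotate.d/remote
    cat > "$target" <<'EOF'
# Rotate every host/program file under /var/log/remote daily, keep 90 days,
# compressed. delaycompress leaves the newest rotated copy uncompressed,
# because rsyslog keeps writing to it until the HUP below makes it reopen.
/var/log/remote/*/*.log {
    daily
    rotate 90
    missingok
    notifempty
    compress
    delaycompress
    dateext
    create 0640 root root
    sharedscripts
    postrotate
        /bin/systemctl kill -s HUP rsyslog.service 2> /dev/null || true
    endscript
}
EOF
}

# Show what the next run would do without rotating anything (needs logrotate).
dry_run() {
    logrotate -d "$1"
}

# Force a rotation now, e.g. to test the postrotate step (needs logrotate).
force_rotate() {
    logrotate -f "$1"
}
```

Without the postrotate step rsyslog would keep its file descriptor on the renamed file and the freshly created .log would stay empty; without create 0640 the new file would take the default mode, which with the usual umask is readable by every local user.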
