03-Analyzing Linux Logs - The Ultimate Guide To Logging
loggly.com
In this section, we’ll show you how to use some of these tools
and how log management solutions like SolarWinds® Loggly®
can help automate and streamline the log analysis process.
1 de 10 23/3/23, 19:00
Analyzing Linux Logs - The Ultimate Guide To Logging about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.loggly.co...
Note this returns lines containing the exact match. This makes it
useful for searches where you know exactly what you’re looking
for.
Regular Expressions
Surround Search
[preauth]
Apr 28 17:06:20 ip-172-31-11-241 sshd[12547]: Received disconnect from 216.19.2.8: 11: Bye Bye [preauth]
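The three grep uses this guide covers (exact match, regular expression, surround search) side by side, as an added example that is not part of the Loggly article. It runs over a constructed five-line auth.log excerpt; the hostname, PIDs and addresses in it are made up for the example.

```shell
# Added example (not from the Loggly article): exact match, regex match and
# surround search with grep, run over a constructed auth.log excerpt.
# Hostname, PIDs and addresses below are made up for this example.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Apr 28 17:06:19 ip-172-31-11-241 sshd[12547]: Invalid user ubnt from 203.0.113.10
Apr 28 17:06:19 ip-172-31-11-241 sshd[12547]: input_userauth_request: invalid user ubnt [preauth]
Apr 28 17:06:20 ip-172-31-11-241 sshd[12547]: Received disconnect from 203.0.113.10: 11: Bye Bye [preauth]
Apr 28 17:07:01 ip-172-31-11-241 CRON[12560]: pam_unix(cron:session): session opened for user root by (uid=0)
Apr 28 17:07:15 ip-172-31-11-241 sshd[12571]: Accepted publickey for deploy from 198.51.100.7 port 51022 ssh2
EOF

# Exact match: -F treats the pattern as a literal string, so the dots in an IP
# address cannot act as regex wildcards. Prints the number of matching lines.
count_exact() { grep -cF "$1" "$LOG"; }

# Regex match: -E enables extended regex, -i ignores case. This counts every
# sshd line that reports an invalid user, whichever message variant sshd used.
count_regex() { grep -ciE 'sshd\[[0-9]+\]: .*invalid user' "$LOG"; }

# Surround search: -B N / -A N print N lines before / after each hit, which is
# how you see what led up to an event. Prints the number of lines shown.
surround_count() { grep -B 1 -A 1 "$1" "$LOG" | wc -l | tr -d ' '; }

echo "exact matches for 203.0.113.10: $(count_exact 203.0.113.10)"
echo "invalid-user lines: $(count_regex)"
echo "--- surround search for 'Received disconnect' ---"
grep -B 1 -A 1 'Received disconnect' "$LOG"
```

The surround search is the one to reach for during an investigation: the disconnect line on its own says little, but the line before it shows the failed login that caused it.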
Tail
You can also use tail to print the last N lines of a file using
tail -n:
$ tail -n 5 /var/log/messages
Nov 11 23:15:40 rockyLinuxPepperAndEgg DropletAgent[729407]: INFO:2022/11/11 23:15:40 creds_actioner.go:49: [Creds Actioner] Attempting to update 1 dotty keys
Nov 11 23:15:40 rockyLinuxPepperAndEgg DropletAgent[729407]: INFO:2022/11/11 23:15:40 creds_actioner.go:70: [Creds Actioner] Updating 1 keys
Nov 11 23:15:40 rockyLinuxPepperAndEgg DropletAgent[729407]: INFO:2022/11/11 23:15:40 creds_actioner.go:75: [Creds Actioner] Keys updated
Nov 11 23:15:41 rockyLinuxPepperAndEgg systemd[1]: Started Session 4 of user root.
Nov 11 23:15:41 rockyLinuxPepperAndEgg systemd-logind[790]: New session 4 of user root.
Cut
The cut command lets you extract fields from delimited logs. Delimiters are characters such as equals signs or commas that separate fields or key-value pairs.
We can use cut to pull out the eighth field. This example is on an Ubuntu system:
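The cut technique described above, as an added example that is not part of the Loggly article. The three pam_unix "authentication failure" lines are constructed (hostname, PIDs and addresses are made up), and the third one deliberately lacks a user= pair so that the positional nature of cut shows up; the key-anchored alternative at the end is added here as the practitioner's check, not something the article covers.

```shell
# Added example (not from the Loggly article): parsing a delimited field with
# cut. The three pam_unix lines are constructed; host, PIDs and addresses are
# made up. Note the third line has no user= pair at all.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Apr 28 17:06:19 ip-172-31-11-241 sshd[12547]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.10  user=root
Apr 28 17:06:25 ip-172-31-11-241 sshd[12549]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.10  user=admin
Apr 28 17:07:02 ip-172-31-11-241 sshd[12553]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
EOF

count_lines() { wc -l | tr -d ' '; }

# Split each line on "=" and print the eighth piece. Counting from the left:
# 1 "...logname", 2 " uid", 3 "0 euid", 4 "0 tty", 5 "ssh ruser", 6 " rhost",
# 7 "203.0.113.10  user", 8 "root". This is positional: a line without the
# user= pair still produces an (empty) output line, and an extra or missing
# pair earlier in the line would shift which value lands in field 8.
users_by_position() { grep 'authentication failure' "$LOG" | cut -d '=' -f 8; }

# Anchor on the key instead of the position: pull out " user=<value>" only
# (the leading space keeps "ruser=" from matching), then cut the value out.
users_by_key() { grep -oE '(^| )user=[^ ]*' "$LOG" | cut -d '=' -f 2; }

echo "by position:"; users_by_position
echo "by key:";      users_by_key
```

When the same command runs against a real auth.log, compare the line counts of the two approaches; a difference means some lines did not have the layout the field number assumed.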
Here’s how you can use the awk command. First, we’ll use the
regular expression /sshd.*invalid user/ to match the sshd invalid
user lines. Then, we’ll print the ninth field using the default
delimiter (a space character) using { print $9 }. This outputs the
usernames.
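The awk pattern and action just described, as an added example that is not part of the Loggly article, with a per-username count layered on top (the aggregation goes beyond the article's single print). The log lines are constructed; hostname, PIDs and addresses are made up.

```shell
# Added example (not from the Loggly article): the awk pattern/action from the
# text, plus a count per username. Log lines are constructed; host, PIDs and
# addresses are made up.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Apr 28 17:06:19 ip-172-31-11-241 sshd[12547]: input_userauth_request: invalid user ubnt [preauth]
Apr 28 17:06:31 ip-172-31-11-241 sshd[12551]: input_userauth_request: invalid user admin [preauth]
Apr 28 17:06:44 ip-172-31-11-241 sshd[12556]: input_userauth_request: invalid user ubnt [preauth]
Apr 28 17:06:44 ip-172-31-11-241 sshd[12556]: Invalid user ubnt from 203.0.113.10
Apr 28 17:07:15 ip-172-31-11-241 sshd[12571]: Accepted publickey for deploy from 198.51.100.7 port 51022 ssh2
EOF

count_lines() { wc -l | tr -d ' '; }

# Pattern /sshd.*invalid user/ selects the line; action { print $9 } prints the
# ninth whitespace-separated field: 1 Apr, 2 28, 3 17:06:19, 4 host,
# 5 sshd[12547]:, 6 input_userauth_request:, 7 invalid, 8 user, 9 ubnt.
# awk regexes are case-sensitive, so the "Invalid user ... from" variant
# (where the name would be $8 anyway) is not selected.
invalid_users() { awk '/sshd.*invalid user/ { print $9 }' "$LOG"; }

# Same data, aggregated: how often each name was tried, most frequent first.
invalid_user_counts() { invalid_users | sort | uniq -c | sort -rn; }

# The single most-tried name (second column of the top line).
top_invalid_user() { invalid_user_counts | head -n 1 | awk '{ print $2 }'; }

invalid_user_counts
```

The aggregated form is what you want on a busy host: a handful of names tried hundreds of times each is a very different picture from hundreds of distinct names tried once.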
One of the most common things people want to see in their logs
There are two ways you can solve this problem. First, you can
modify your rsyslog configuration to output the severity in the log
file to make it easier to read and search. In your rsyslog
configuration, you can add a template with pri-text:
"<%pri-text%> : %timegenerated%,%HOSTNAME%,%syslogtag%,%msg%n"
You can use awk to search for just the error messages. In this
example, we’re including some surrounding syntax to match this
field specifically:
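Filtering on that severity field with awk, as an added example that is not part of the Loggly article. The four lines are constructed in the template's layout ("<facility.severity> : time,host,tag,msg"); they assume rsyslog's pri-text spelling of the error level, "err", and the hostname, PIDs and addresses are made up. The per-severity count at the end goes beyond the article's single filter.

```shell
# Added example (not from the Loggly article): selecting lines by the severity
# that the pri-text template writes into field 1. Lines are constructed in the
# template's layout and assume the pri-text severity names (err, crit, ...).
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
<daemon.err> : Apr 28 17:06:20,ip-172-31-11-241,sshd[12547]:,error: maximum authentication attempts exceeded for root from 203.0.113.10 port 40212 ssh2 [preauth]
<daemon.info> : Apr 28 17:06:21,ip-172-31-11-241,sshd[12547]:,Received disconnect from 203.0.113.10: 11: Bye Bye [preauth]
<cron.info> : Apr 28 17:07:01,ip-172-31-11-241,CRON[12560]:,pam_unix(cron:session): session opened for user root by (uid=0)
<kern.crit> : Apr 28 17:08:00,ip-172-31-11-241,kernel:,Out of memory: Killed process 2291 (java)
EOF

count_lines() { wc -l | tr -d ' '; }

# $1 is the "<facility.severity>" field. The escaped dot and the closing ">"
# pin the match to the severity itself, so the word "error:" inside a message
# body, or a hostname that happens to contain "err", does not match.
errors() { awk '$1 ~ /\.err>$/' "$LOG"; }

# Severity err or worse (crit, alert, emerg), whatever the facility.
errors_or_worse() { awk '$1 ~ /\.(err|crit|alert|emerg)>$/' "$LOG"; }

# Lines per severity: split field 1 on "." and ">" so $2 is the severity name.
severity_counts() { awk -F '[.>]' '{ print $2 }' "$LOG" | sort | uniq -c | sort -rn; }

echo "--- err or worse ---"
errors_or_worse
echo "--- lines per severity ---"
severity_counts
```

Without the template change the severity never reaches the file, and the only way to find errors is to guess at words in the message text; with it, the filter is a single anchored field comparison.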
Log management systems can also index each field so you can
quickly search through gigabytes or even terabytes of log data.
They often use query languages like Apache Lucene to provide
more flexible searches than grep with an easier search syntax
than regex. This can save both time and effort since you don’t
have to create your own parsing logic for each unique search.
Additional Resources