Chapter 17 Flashcards
Implementing Logging Services
Describe the logging protocol used by most Linux logging applications.
The syslog protocol has become the de facto standard for most Linux logging applications. It identifies events using a facility code, which defines the event type, and a severity, which defines how important the event message is. The sysklogd, syslog-ng, and rsyslogd applications all use the syslog protocol for managing system and application events in Linux.
Describe how the rsyslogd application directs events to specific locations.
The rsyslogd application uses the /etc/rsyslog.conf configuration file to define rules for handling events. Each rule specifies a syslog facility and severity along with an action to take. Events that match the facility and have a priority equal to or higher than the severity defined are sent to the defined action. The action can be sending the event message to a log file, piping the message to an application, or sending the event message to a remote host or to a user on the system.
Explain how the Systemd service uses a different method for logging events.
The Systemd service package uses the systemd-journald application, which doesn’t use the syslog protocol for logging events. Instead, systemd-journald creates its own binary journal files for storing event messages. The binary journal file is indexed to provide faster searching for events. The journalctl application provides the interface for sending search queries to the journal files and displaying the search results.
What protocol became a de facto standard in Linux for tracking system event messages?
A. SMTP
B. FTP
C. NTP
D. syslog
E. journalctl
D. The syslog protocol created by the Sendmail project has become the de facto standard for logging system event messages in Linux, so option D is correct. SMTP is a mail protocol, and FTP stands for File Transfer Protocol, so both options A and B are incorrect. NTP stands for Network Time Protocol, so option C is incorrect. Option E, journalctl, is a tool used to read systemd-journald journal files, not a protocol for logging event messages, so it is also incorrect.
Nancy wants to write a rsyslogd rule that separates event messages coming from the system job scheduler to a separate log file. Which syslog facility keyword should she use?
A. cron
B. user
C. kern
D. console
E. local0
A. The cron application schedules jobs on Linux systems, and the cron facility keyword represents event messages received from the job scheduler, so option A is correct. The user keyword represents events received from users, so option B is incorrect. The kern keyword represents events received from the kernel, so option C is incorrect. The console keyword represents events received from a console on the system, so option D is incorrect. The local0 keyword is not defined in the standard; it is normally defined within the local system and doesn’t normally receive events from the job scheduler, so option E is incorrect.
What syslog severity level has the highest priority ranking in rsyslogd?
A. crit
B. alert
C. emerg
D. notice
E. err
C. The emerg severity level has a priority of 0, the highest level in syslog, so option C is correct. The crit severity level is at level 2, so it’s not the highest level and therefore option A is incorrect. The alert keyword is assigned level 1, but it’s not the highest level, so option B is incorrect. The notice keyword is assigned level 5 and is not the highest level, so option D is incorrect. The err keyword is assigned level 3 and is not the highest level, so option E is incorrect.
What syslog severity level represents normal but significant condition messages?
A. crit
B. notice
C. info
D. alert
E. local0
B. The notice severity level represents system event messages that are significant but normal, so option B is correct. The crit and alert keywords represent event messages that are critical or that require special attention, so options A and D are incorrect. The info keyword represents event messages that are only informational but not significant, so option C is incorrect. The local0 keyword is not defined in the syslog protocol but by the local system, so option E is incorrect.
What syslog application is known for its rocket-fast speed?
A. syslogd
B. syslog-ng
C. systemd-journald
D. klogd
E. rsyslogd
E. The rsyslogd application was designed to be a faster version of the syslogd application, so option E is correct. The syslogd application is the original syslog application and was not known for its speed, so option A is incorrect. The syslog-ng application was designed to be more versatile than syslogd, but not faster, so option B is incorrect. The systemd-journald application is known for faster queries in reading journal entries but wasn’t designed to be faster in handling event messages, so option C is incorrect. The klogd application is part of the original sysklogd application and is also not fast, so option D is incorrect.
What configuration file does the rsyslogd application use by default?
A. rsyslog.conf
B. journald.conf
C. syslogd.conf
D. rsyslog.d
E. syslog.d
A. The rsyslogd application uses the rsyslog.conf configuration file by default, so option A is correct. Option D, rsyslog.d, is commonly used as a folder for storing additional rsyslogd configuration files, but it isn’t the default configuration filename, so it is incorrect. Options B and C are configuration files for other logging applications, not rsyslogd, so they are incorrect. Option E is not a valid logging application configuration filename.
James needs to log all kernel messages that have a severity level of warning or higher to a separate log file. What facility and priority setting should he use?
A. kern.=warn
B. kern.*
C. *.info
D. kern.warn
E. kern.alert
D. The rsyslogd application logs event messages that have the defined severity or higher, so option D would log all kernel event messages at the warn, alert, or emerg severities and therefore it is correct. The option A facility and priority setting would only log kernel messages with a severity of exactly warning, so it is incorrect. Option B would log all kernel event messages, not just warnings or higher, so it is incorrect. Option C would log event messages from all facilities, and at the info or higher severity levels, so it is incorrect. Option E would log kernel event messages but only at the alert or emerg severity levels, not the warning level, so it is incorrect.
Barbara wants to ensure that the journal log files will be saved after the next reboot of her Linux system. What systemd-journald configuration setting should she use?
A. Storage=auto
B. Storage=persistent
C. ForwardToSyslog=on
D. Storage=volatile
E. ForwardToSyslog=off
B. The Storage setting controls how systemd-journald manages the journal file. Setting the value to persistent ensures that the journal file will remain in the /var/log/journal directory, so option B is correct. Setting the value to auto only ensures that the journal file will be persistent if the /var/log/journal directory exists, so option A is incorrect. Setting the value to volatile ensures that the file does not persist, so option D is incorrect. Options C and E refer to settings that control whether or not event messages are passed to the rsyslogd application, so they are both incorrect.
Katie wants to display the most recent entries in the journal log on her Linux system. What journalctl option should she use?
A. -a
B. -l
C. -r
D. -e
E. -n
C. The -r option displays the journal entries in reverse order, so the most recent entry will appear first. Thus, option C is correct. The -a option displays all of the data fields, but in the normal order, so option A is incorrect. The -l option displays all printable data fields, but in the normal order, so option B is incorrect. The -e option jumps to the end of the journal file but displays the remaining entries in normal order instead of reverse order, so option D is incorrect. The -n option displays a specified number of entries, but in normal order, so option E is incorrect.
Tony is trying to troubleshoot errors produced by an application on his Linux system but has to dig through lots of entries in the journal log file to find them. What journalctl match option would help him by only displaying journal entries related to the specific application?
A. OBJECT_PID
B. Kernel
C. _TRANSPORT
D. _UID
E. _UDEV
A. The journalctl application allows you to filter event messages related to a specific application by the application process ID (PID) using the OBJECT_PID match, so option A is correct. The Kernel match retrieves event messages generated by the system kernel and not applications, so option B is incorrect. The _TRANSPORT option filters event messages based on how they were received and not by application, so option C is incorrect. Option D, _UID, filters event messages based on the user ID value, not the application, so it is incorrect. Option E, _UDEV, filters events by device ID and not by application, so it too is incorrect.