Syslog Flashcards
What are the systemd built-in logging frameworks?
1) systemd-journald
2) rsyslog
Diff between:
1) systemd-journald
2) rsyslog
1) systemd-journald: stores journal in db
2) rsyslog: logs to /var/log
How do you query the systemd-journald database?
Use journalctl command
Which of these logging frameworks implements the syslog protocol:
1) systemd-journald
2) rsyslog
Both
In syslog every event has two elements to it. Name them
1) Facility
2) Priority
What are some well known facilities
mail
authpriv
cron
kern
daemon
news
syslog
uucp
ftp
lpr
auth
local0 to local7
What are some well known priorities?
debug
info
notice
warn
error
crit
alert
emerg
(Experts Alert: Diagnosing issues Needs Wise Error Checking)
what is the daemon responsible for systemd-journald?
systemd-journald
what is the daemon responsible for rsyslog?
rsyslog NOT rsyslogd
Where are rsyslog config stored?
/etc/rsyslog.conf
What do rsyslog rules capture?
Which message goes to which file
General rule format of a rsyslog rule
FACILITY.PRIORITY[;EXCEPTED_FACILITY.none]* [-]/target/file
FACILITY.PRIORITY is called SELECTOR
What is the effect of a dash in front of a log file in /etc/rsyslog.conf
The dash causes the logs to be written asynchronously
what is the rsyslog drop in folder?
/etc/rsyslog.d/
How do you get help with rsyslog.conf?
man rsyslog.conf
Where do you put rsyslog custom configs?
Create a file and drop them in /etc/rsyslog.d/
What are the user definable facilities?
local0 to local7
Create a custom rsyslog rule for sshd
echo 'SyslogFacility local6' > /etc/ssh/sshd_config.d/99-logging.conf
echo 'local6.* /var/log/ssh.log' >> /etc/rsyslog.d/99-sshd.conf
systemctl restart sshd rsyslog
Send a log message manually as the facility SSHD with priority INFO
logger -p local6.info 'here is the message'
By default, where are journals logged?
By default they are not logged. The volatile journal is used and saved in
/run/log/journal
which is deleted on reboot
View the content of the journal on stdout
journalctl
What is the order of journalctl messages?
oldest to newest
How do you view journal messages from newest to oldest
journalctl -r
journalctl -f
stream the journal to stdout
Filter journal messages by priority and by unit
journalctl -p err -u sshd
Filter journal messages by date range
journalctl --since "2023-11-05 10:20:12" --until "2023-11-05 10:30:12"
journalctl --since "-1 hour"
What is the process with PID 1?
systemd
Print all journal by facility with PID 1
journalctl _PID=1
Print all journal by user with ID 81
journalctl _UID=81
How do you get help on journald
man journald.conf
What are storage options for journald?
auto (default)
volatile
none
persistent
Make journal persistent
In /etc/systemd/journald.conf
Storage=persistent
systemctl restart systemd-journald
List all journalctl boots
journalctl --list-boots
List journalctl messages for a certain boot
journalctl -b 1
Display comprehensive time information on your server
timedatectl
What timezones are available so I may pick one
timedatectl list-timezones
Set timezone to Africa/Douala
timedatectl set-timezone Africa/Douala
Activate time synchronization
timedatectl set-ntp true
What is the time synchronization daemon?
chronyd (replaces ntpd)
Determine chronyd date sources
chronyc sources
what is tzselect
Timezone Select: utility that allows selection of time zone by menu navigation.
What are key system log files?
1) /var/log/messages
2) /var/log/secure
3) /var/log/cron
4) /var/log/maillog
5) /var/log/boot.log
What happens if a message is matched by many rules in rsyslog.conf?
The message is stored in all files with matching rule
none keyword in rsyslog.conf
indicates that no messages for the indicated facility are stored in the given file
Explain logrotate command
rotates log files to prevent them from taking too much space in the /var/log
key to successful use of the journal for troubleshooting and auditing
limit journal searches to show only relevant output.
Show 5 last entries of journal
journalctl -n 5
Different ways of filtering journalctl output
1) limit size with n option
2) tail with -f option
3) filter with since and until
4) filter by PID, UID, priority, user
5) filter by verbose field
Determine fields that you can filter journalctl output with
journalctl -o verbose
Popular journalctl fields that can be used for filter events
_COMM is the command name.
_EXE is the path to the executable file for the process.
_PID is the PID of the process.
_UID is the UID of the user that runs the process.
_SYSTEMD_UNIT is the systemd unit that started the process.
Explain volatile storage option
Stores journals in the volatile /run/log/journal directory
Explain auto storage option
If /var/log/journal exists, then persistent storage is used; otherwise volatile storage is used.
Explain persistent storage option
Stores journals in /var/log/journal. If directory does not exist, then create it
How is journal data rotated?
journal has a built-in log rotation mechanism that triggers monthly
retrieves the entries from the current system boot only
journalctl -b
limits the output to only the previous boot
journalctl -b -1
Set time to 9:00:00
timedatectl set-time 9:00:00
stratum
number of hops that the machine is away from a high-performance reference clock
driftfile
a file (configured in /etc/chrony.conf) in which chronyd records the rate at which the RTC loses or gains time
what categories of time sources can you declare in /etc/chrony.conf
peer (same stratum)
server (one level above)
Example server configuration in /etc/chrony.conf
server classroom.example.com iburst
tar -p option
preserve permissions
tar --selinux option
Enable SELinux context support, and store SELinux file contexts.
tar -a option
--auto-compress : Use the archive's suffix to determine the algorithm to use
Explain ownership of extracted files
if root user extracts an archive, the original users and group ownership are preserved
if regular user extracts an archive, he becomes the owner
How are permissions of extracted files determined?
if -p was used, then the original permissions are maintained; otherwise, umask is used to determine the permissions.