\input{gl2.slide-header-beamer}% \errorcontextlines=99 %% Subtopic Number = '1.111.3' %% Title: 'Configure and use system log files to meet administrative %% and security needs' %% Weight: 3 %% Description: %% Candidate should be able to configure system logs. This %% objective includes managing the type and level of information logged, %% manually scanning log files for notable activity, monitoring log files, %% arranging for automatic rotation and archiving of logs and tracking down %% problems noted in logs. %% Key files, terms, and utilities include: %% /etc/syslog.conf %% /var/log/* %% logrotate %% tail -f \title{1.111.3\\Configure and use system log files to meet administrative and security needs\\Weight 3} \date{2005 November} \author[Nick Urbanik]{Nick Urbanik \texttt{}\\ {\scriptsize This document Licensed under GPL---see section~\ref{sec:license}}}% \subtitle{Linux Professional Institute Certification --- 102}% \mode
{\chead{1.111.3}}% \begin{document} \maketitle \mode
{\thispagestyle{empty}} \begin{frame} \frametitle{Outline} \mode {% %\footnotesize \begin{multicols}{2} \tableofcontents \end{multicols} % You might wish to add the option [pausesections] }% \mode
{% \tableofcontents }% \end{frame} \section{Context} \label{sec:context} \begin{frame} \frametitle{Topic 111 Administrative Tasks [21]}% \framesubtitle{Where we are up to}% \begin{description} \item[1.111.1] Manage users and group accounts and related system files [4] \item[1.111.2] Tune the user environment and system environment variables [3] % \uline depends on \usepackage[normalem]{ulem}: \item[1.111.3] \textbf{\uline{Configure and use system log files to meet administrative and security needs [3]}} \item[1.111.4] Automate system administration tasks by scheduling jobs to run in the future [4] \item[1.111.5] Maintain an effective data backup strategy [3] \item[1.111.6] Maintain system time [4] \end{description} \end{frame} \section{Objectives} \label{sec:objectives} \begin{frame} \frametitle{Description of Objective}% \framesubtitle{1.111.3\ \ Configure and use system log files to meet administrative and security needs [3]}% \mode{\Large}% Candidate should be able to configure system logs. This objective includes managing the type and level of information logged, manually scanning log files for notable activity, monitoring log files, arranging for automatic rotation and archiving of logs and tracking down problems noted in logs. 
\end{frame} \begin{frame}[fragile] \frametitle{Key files, terms, and utilities include:}% \framesubtitle{1.111.3\ \ Configure and use system log files to meet administrative and security needs [3]}% \mode{\large}% \begin{description} \item[\texttt{/etc/syslog.conf}] --- configuration file for \texttt{syslogd} \item[\texttt{/var/log/*}] --- where the log files are found \item[\texttt{logrotate}] --- the program that ``rotates'' log files \item[\texttt{tail -f}] --- the best way to watch log files as things happen \end{description} \end{frame} \section{Configuring Syslog} \label{sec:configuring-syslog} \begin{frame} \frametitle{\texttt{/etc/syslog.conf}} \begin{itemize} \item Each line in \texttt{/etc/syslog.conf} is either a comment, starting with a `\texttt{\#}', or a rule of the form: \mbox{\meta{facility}.\meta{level}\hfill\meta{action}} \end{itemize} \end{frame} \subsection{syslog facility} \label{sec:facility} \begin{frame} \frametitle{syslog facility}% \framesubtitle{shows where the log message comes from:}% \begin{description} \item[\texttt{authpriv}] --- security/authorization messages (private) \item[\texttt{cron}] --- clock daemon (cron and at) \item[\texttt{daemon}] --- system daemons without separate facility value \item[\texttt{ftp}] --- ftp daemon \item[\texttt{kern}] --- kernel messages \item[\texttt{local0}\ldots\texttt{local7}] --- reserved for local use \item[\texttt{lpr}] --- line printer subsystem \item[\texttt{mail}] --- mail subsystem \item[\texttt{news}] --- USENET news subsystem \item[\texttt{syslog}] --- messages generated internally by \texttt{syslogd} \item[\texttt{user}] --- generic user-level message \item[\texttt{uucp}] --- UUCP subsystem \end{description} See \cmdbox{man 3 syslog} \end{frame} \subsection{syslog levels} \label{sec:levels} \begin{frame} \frametitle{syslog levels}% \framesubtitle{severity threshold: messages at this level and above are logged}% in decreasing importance: \begin{description} \item[\texttt{emerg}] --- system is unusable 
\item[\texttt{alert}] --- action must be taken immediately \item[\texttt{crit}] --- critical conditions \item[\texttt{err}] --- error conditions \item[\texttt{warning}] --- warning conditions \item[\texttt{notice}] --- normal, but significant, condition \item[\texttt{info}] --- informational message \item[\texttt{debug}] --- debug-level message \end{description} \end{frame} \subsection{syslog actions} \label{sec:syslog-actions} \begin{frame} \frametitle{syslog actions}% Can be:% \begin{itemize} \item a filename (with full pathname), or \item a hostname preceded with `\texttt{@}', or \item a comma-separated list of users, or \item an asterisk `\texttt{*}', meaning all logged-in users \end{itemize} \end{frame} \subsection{\texttt{syslog.conf} example} \label{sec:syslog.con-example} \begin{frame}[fragile] \frametitle{\texttt{syslog.conf} example}% \mode{\scriptsize}% \mode
{\footnotesize}% \begin{verbatim} # Log all kernel messages to the console. # Logging much else clutters up the screen. #kern.* /dev/console # Log anything (except mail) of level info or higher. # Don't log private authentication messages! *.info;mail.none;news.none;authpriv.none;cron.none /var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure # Log all the mail messages in one place. mail.* /var/log/maillog # Log cron stuff cron.* /var/log/cron # Everybody gets emergency messages *.emerg * # Save news errors of level crit and higher in a special file. uucp,news.crit /var/log/spooler \end{verbatim} \end{frame} \begin{frame}[fragile] \frametitle{\texttt{syslog.conf} example --- 2}% \mode{\scriptsize}% \mode
{\footnotesize}% \begin{verbatim} # Save boot messages also to boot.log local7.* /var/log/boot.log # Note: the rawhide openldap /etc/init.d/ldap script starts slapd with # the -l daemon option, which was confusing. # I added the option -l local5 to the (newly created) # /etc/sysconfig/ldap local5.* -/var/log/slapd # local4.* /var/log/squid # Now I've set log-facility local1; in dhcpd.conf local1.* /var/log/dhcp-log # # INN # news.=crit /var/log/news/news.crit news.=err /var/log/news/news.err news.notice /var/log/news/news.notice daemon,kern.* /var/log/debug \end{verbatim} \end{frame} \section{Rotating Log Files with \texttt{logrotate}} \label{sec:rotating-log-files} \begin{frame} \frametitle{Rotating Log Files with \texttt{logrotate}} \begin{itemize} \item Log files grow rapidly \item Can grow to extreme sizes without rotation \item log rotation renames files and redirects logging to the new file: \texttt{messages} $\to$ \texttt{messages.1} $\to$ \texttt{messages.2} $\to$ \texttt{messages.3} $\to$ \texttt{messages.4} $\to$ delete \item Run \texttt{logrotate} from \texttt{cron} \end{itemize} \end{frame} \subsection{Configuring \texttt{logrotate}} \label{sec:configuring-logrotate} \begin{frame}[fragile] \frametitle{\texttt{logrotate} configuration} \begin{itemize} \item Main configuration file is \texttt{/etc/logrotate.conf} \item \ldots\,but most configuration belongs to the software packages, which put a file into directory \texttt{/etc/logrotate.d/} \mode{\scriptsize}% \begin{semiverbatim} \cmd{cat /etc/logrotate.d/ldap} # Nick 17 Aug 2003: copied from my /etc/logrotate.conf on ictlab: /var/log/slapd { weekly create 0664 ldap ldap rotate 20 postrotate /sbin/killall -HUP syslogd endscript notifempty } \cmd{cat /etc/logrotate.d/syslog} /var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron /var/log/debug { sharedscripts weekly rotate 60 postrotate /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true 
endscript } \end{semiverbatim} \end{itemize} \end{frame} \section{Examining Log Files} \label{sec:watching-logs} \begin{frame} \frametitle{Examining Log Files} \begin{itemize} \item Many log files are readable only by \texttt{root}, so use \texttt{sudo}: \item Simplest: \cmdbox{sudo tail -f /var/log/messages} \item \cmdbox{sudo less /var/log/messages} \begin{itemize} \item within \texttt{less}, press \texttt{F} \end{itemize} \item With either method, new lines appended to the log file are displayed as they arrive \end{itemize} \end{frame} \subsection{Log Messages} \label{sec:log-messages} \begin{frame} \frametitle{Log Messages}% \framesubtitle{Each syslog message contains these fields:} \begin{description} \item[date and time] --- in local time on my machine \item[hostname] --- of the machine that generated the message \item[program or user] --- that generated the message, e.g., \texttt{kernel}, \texttt{named}, \texttt{postfix}, \texttt{dhcpd},\,\ldots \item[message text] \end{description} \end{frame} \subsection{How to search for particular events} \label{sec:searching} \begin{frame}[fragile] \frametitle{Searching for particular events} \begin{itemize} \item Can \texttt{grep} for messages relating to a particular program: \end{itemize} \mode{\scriptsize} \mode
{\small} \begin{semiverbatim} \cmd{sudo grep dhcpd /var/log/messages} Nov 14 06:30:13 nicku dhcpd: DHCPDISCOVER from 00:04:e2:2e:c3:d6 via eth0 Nov 14 06:30:13 nicku dhcpd: DHCPOFFER on 192.168.0.8 to 00:04:e2:2e:c3:d6 via eth0 \end{semiverbatim} \end{frame} \mode {% \begin{frame} \frametitle{Topics Covered} %\footnotesize %\begin{multicols}{2} \tableofcontents[pausesections,pausesubsections] %\end{multicols} % You might wish to add the option [pausesections] \end{frame} } \section{License Of This Document} \label{sec:license} \begin{frame} \frametitle{License Of This Document} \raggedright% Copyright \copyright\ 2005 Nick Urbanik \par You can redistribute modified or unmodified copies of this document provided that this copyright notice and this permission notice are preserved on all copies under the terms of the GNU General Public License as published by the Free Software Foundation---either version 2 of the License or (at your option) any later version. \end{frame} \end{document}