After completing this section, you should be able to interpret events in relevant syslog files to troubleshoot problems or review system status.
Many programs use the syslog protocol to log events to the system.
Each log message is categorized by a facility (the type of message) and a priority (the severity of the message).
Available facilities are documented in the rsyslog.conf(5) man page.
The following table lists the standard eight syslog priorities from highest to lowest.
Table 11.2. Overview of Syslog Priorities
| Code | Priority | Severity |
|---|---|---|
| 0 | emerg | System is unusable |
| 1 | alert | Action must be taken immediately |
| 2 | crit | Critical condition |
| 3 | err | Non-critical error condition |
| 4 | warning | Warning condition |
| 5 | notice | Normal but significant event |
| 6 | info | Informational event |
| 7 | debug | Debugging-level message |
The rsyslog service uses the facility and priority of log messages to determine how to handle them.
This is configured by rules in the /etc/rsyslog.conf file and any file in the /etc/rsyslog.d directory that has a file name extension of .conf.
Software packages can easily add rules by installing an appropriate file in the /etc/rsyslog.d directory.
Each rule that controls how to sort syslog messages is a line in one of the configuration files.
The left side of each line is a selector, written as facility.priority, that indicates the facility and priority of the syslog messages the rule matches. A priority in a selector matches messages at that priority and at every more severe one, so kern.err matches kern messages at err, crit, alert, and emerg.
The right side of each line indicates what file to save the log message in (or where else to deliver the message).
An asterisk (*) is a wildcard that matches all values.
For example, the following line would record messages sent to the authpriv facility at any priority to the file /var/log/secure:

```
authpriv.*    /var/log/secure
```
Log messages sometimes match more than one rule in rsyslog.conf.
In such cases, one message is stored in more than one log file.
To limit which messages are stored, the keyword none in the priority field of a selector indicates that no messages for the indicated facility should be stored in the given file, even if an earlier selector on the same line matched them.
Instead of logging syslog messages to a file, they can also be printed to the terminals of all logged-in users.
The rsyslog.conf file has a setting to print all the syslog messages with the emerg priority to the terminals of all logged-in users.
```
#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
```
The syslog subsystem has many more features beyond the scope of this course.
For those who wish to explore further, consult the rsyslog.conf(5) man page and the extensive HTML documentation in /usr/share/doc/rsyslog/html/index.html contained in the rsyslog-doc package, available from the AppStream repository in Red Hat Enterprise Linux 8.
The logrotate tool rotates log files to keep them from taking up too much space in the file system containing the /var/log directory.
When a log file is rotated, it is renamed with an extension indicating the date it was rotated.
For example, the old /var/log/messages file may become /var/log/messages-20190130 if it is rotated on 2019-01-30.
Once the old log file is rotated, a new log file is created and the service that writes to it is notified.
After a certain number of rotations, typically after four weeks, the oldest log file is discarded to free disk space. A scheduled job runs the logrotate program daily to see if any logs need to be rotated. Most log files are rotated weekly, but logrotate rotates some faster, or slower, or when they reach a certain size.
Configuration of logrotate is not covered in this course. For more information, see the logrotate(8) man page.
Log messages start with the oldest message on top and the newest message at the end of the log file.
The rsyslog service uses a standard format while recording entries in log files.
The following example explains the anatomy of a log message in the /var/log/secure log file.
```
Feb 11 20:11:48 localhost sshd[1433]: Failed password for student from 172.25.0.10 port 59344 ssh2
```

| Field | Meaning |
|---|---|
| Feb 11 20:11:48 | The time stamp when the log entry was recorded |
| localhost | The host from which the log message was sent |
| sshd[1433]: | The program or process name and PID number that sent the log message |
| Failed password for student from 172.25.0.10 port 59344 ssh2 | The actual message sent |
Monitoring one or more log files for events is helpful when reproducing problems and issues.
The tail -f /path/to/file command outputs the last 10 lines of the specified file and continues to output new lines as they are written to the file.
For example, to watch login attempts as they happen, run the tail command in one terminal and then, in a second terminal, log in to the system with ssh; each attempt appears in the first terminal as soon as it is logged.
In the first terminal, run the following tail command:

```
[root@host ~]# tail -f /var/log/secure
```
In the second terminal, run the following ssh command:
```
[root@host ~]# ssh root@localhost
root@localhost's password: redhat
...output omitted...
[root@host ~]#
```

Return to the first terminal and view the logs.

```
...output omitted...
Feb 10 09:01:13 host sshd[2712]: Accepted password for root from 172.25.254.254 port 56801 ssh2
Feb 10 09:01:13 host sshd[2712]: pam_unix(sshd:session): session opened for user root by (uid=0)
```
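The functions below are an added example, not part of the course text. They split a /var/log/secure line into the four parts described in the anatomy above and turn the "watch for failed logins" procedure into a small detection: count sshd "Failed password" messages per source address and report the addresses that cross a threshold. The sample lines are constructed for this example (the hosts and addresses are made up), and the functions assume a POSIX sh with awk and sort.

```sh
# Added example: parse rsyslog-format lines and tally failed SSH logins.

# Constructed sample of /var/log/secure content for offline testing.
sample_secure() {
    cat <<'EOF'
Feb 11 20:11:48 localhost sshd[1433]: Failed password for student from 172.25.0.10 port 59344 ssh2
Feb 11 20:11:52 localhost sshd[1433]: Failed password for student from 172.25.0.10 port 59344 ssh2
Feb 11 20:12:03 localhost sshd[1440]: Failed password for invalid user admin from 192.0.2.7 port 40122 ssh2
Feb 11 20:12:05 localhost sshd[1440]: Failed password for invalid user admin from 192.0.2.7 port 40122 ssh2
Feb 11 20:12:08 localhost sshd[1440]: Failed password for invalid user admin from 192.0.2.7 port 40122 ssh2
Feb 11 20:12:30 localhost sshd[1452]: Accepted password for student from 172.25.0.10 port 59400 ssh2
Feb 11 20:12:30 localhost sshd[1452]: pam_unix(sshd:session): session opened for user student by (uid=0)
EOF
}

# Print "timestamp|host|program|pid|message" for one log line.
# The pid field is empty when the program name carries no [PID].
syslog_fields() {
    printf '%s\n' "$1" | awk '{
        ts   = $1 " " $2 " " $3                # "Feb 11 20:11:48"
        host = $4
        tag  = $5
        sub(/:$/, "", tag)                     # "sshd[1433]:" -> "sshd[1433]"
        pid  = ""
        if (match(tag, /\[[0-9]+\]$/)) {       # split program name from PID
            pid = substr(tag, RSTART + 1, RLENGTH - 2)
            tag = substr(tag, 1, RSTART - 1)
        }
        msg = $0
        for (i = 1; i <= 5; i++) sub(/^[^ ]+ +/, "", msg)   # drop the five header fields
        print ts "|" host "|" tag "|" pid "|" msg
    }'
}

# Read log lines on stdin; print "count ip" for sshd "Failed password"
# messages, most frequent source first.
failed_logins_by_ip() {
    awk '$5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Failed" && $7 == "password" {
        for (i = 8; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
    }
    END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Addresses with at least THRESHOLD failures (default 3): candidates for a
# closer look or a firewall rule.
brute_force_sources() {
    failed_logins_by_ip | awk -v t="${1:-3}" '$1 + 0 >= t + 0 { print $2 }'
}
```

On a real system run `failed_logins_by_ip < /var/log/secure` or `tail -n 1000 /var/log/secure | brute_force_sources 5`; the tally is printed at end of input, so it suits a file or a bounded window rather than a never-ending `tail -f` stream. Matching on the sshd[PID]: tag rather than on the whole line avoids counting a "Failed password" string that some other program happened to log.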
The logger command can send messages to the rsyslog service.
By default, it sends the message to the user facility with the notice priority (user.notice) unless specified otherwise with the -p option.
It is useful for testing any change to the rsyslog service configuration.
To send a message to the rsyslog service that gets recorded in the /var/log/boot.log log file (by the local7.* rule shown above), execute the following logger command:

```
[root@host ~]# logger -p local7.notice "Log entry created on host"
```
logger(1), tail(1), rsyslog.conf(5), and logrotate(8) man pages
rsyslog Manual
/usr/share/doc/rsyslog/html/index.html provided by the rsyslog-doc package
For more information refer to the Troubleshooting problems using log files section in the Red Hat Enterprise Linux 8 Configuring basic system settings Guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/configuring_basic_system_settings/index#troubleshooting-problems-using-log-files_getting-started-with-system-administration