RH342 - ch01s03

Bookmark this page

Collecting Information to Support Troubleshooting

Objectives

Collect system information to support troubleshooting.

Locating Troubleshooting Information

Successfully solving troubleshooting problems requires not only evaluating current software and hardware behavior, but also discovering previous events that occurred, especially those that relate to the reported failure or issue. Current system behavior is evaluated with diagnostic commands, performance tools, and live monitoring, as discussed in later chapters. Previous events are discovered by viewing the system's journals and log files, as discussed in this section.

Journals and log files contain messages that are received from applications, services, and the kernel. Messages document events, errors, and configuration parameter changes as they occur. The following methods exist to store message information:

journald is a logging service that was introduced with the systemd service architecture.
rsyslog is a service that is designed to be a centralized message hub for other software to use.
Some applications write their own private log files and do not use journald or rsyslog.

systemd-journald Journal Files

The journald service writes binary-structured, memory-based log files, referred to as journals, that are viewed with the journalctl command. The journals are indexed for faster performance, and the binary format is more secure than plain text log files. The systemd-journald service manages the journals, rotating them automatically to limit their storage space and to reduce the need for maintenance.

Messages that journald obtains can be forwarded to rsyslog by using a memory-based socket file in /run/systemd/journal/. Current rsyslog implementations use an integrated module to access messages that the systemd journal generates instead of by monitoring the socket file.

Viewing Journal Log Files

The journalctl command with no options shows all collected journal entries.

[user@host ~]$ journalctl
-- Logs begin at Tue 2021-09-14 22:51:26 EDT, end at Wed 2021-09-15 02:01:01 EDT. --
Sep 14 22:51:26 localhost kernel: Linux version 4.18.0-305.el8.x86_64 (mockbuild@x86-vm-07.build.eng.bos.redhat.com) >
Sep 14 22:51:26 localhost kernel: Command line: BOOT_IMAGE=(hd0,gpt3)/boot/vmlinuz-4.18.0-305.el8.x86_64 root=/dev/vd>
...output omitted...

View journal entries that relate to a specific device, executable, or special file.

[user@host ~]$ journalctl /dev/vda
-- Logs begin at Tue 2021-09-14 22:52:15 EDT, end at Wed 2021-09-15 02:11:18 EDT. --
...output omitted...
Sep 14 22:52:17 localhost kernel: virtio_blk virtio2: [vda] 20971520 512-byte logical blocks (10.7 GB/10.0 GiB)

Filter the journal logs for messages that relate to a specified systemd service or other type of systemd unit.

[user@host ~]$ journalctl -b _SYSTEMD_UNIT=httpd.service
-- Logs begin at Tue 2021-09-14 22:52:15 EDT, end at Wed 2021-09-15 02:14:43 EDT. --
Sep 15 02:02:06 servera.lab.example.com httpd[5874]: Server configured, listening on: port 80

View logs for a single systemd service instance by using that daemon's process ID (PID).

[user@host ~]$ journalctl -b _SYSTEMD_UNIT=httpd.service _PID=5874
-- Logs begin at Tue 2021-09-14 22:52:15 EDT, end at Wed 2021-09-15 02:15:28 EDT. --
Sep 15 02:02:06 servera.lab.example.com httpd[5874]: Server configured, listening on: port 80

Viewing Previous Boot Session Messages

Because the systemd-journald service is one of the first to start at boot, the journal logs contain the earliest events and messages that are generated during the boot process.

By default, journalctl displays messages since the most current boot only. To view messages from a session before the current boot, first locate the boot ID for the previous session.

The journal log files must be configured for persistent storage to be able to view previous boot session messages. Non-persistent journals are stored in the /run memory-mounted file system, and are lost when the system reboots.

[user@host ~]$ journalctl --list-boots
 0 00552ebbabad42c3a439a303138914ee Tue 2021-09-14 22:52:15 EDT—Wed 2021-09-15 02:19:28 EDT
 0 30cd7eb9116d4078a1f11c0fbeac8082 Wed 2021-09-29 00:26:09 EDT-Wed 2021-09-29 00:22:47 EDT

View information about a specified systemd service by using a boot ID from a previous boot session.

[user@host ~]$ journalctl --boot 00552ebbabad42c3a439a303138914ee _SYSTEMD_UNIT=httpd.service
-- Logs begin at Tue 2021-09-14 22:52:15 EDT, end at Wed 2021-09-15 02:20:28 EDT. --
Sep 15 02:02:06 servera.lab.example.com httpd[5874]: Server configured, listening on: port 80

Configuring journald for Persistent Storage

By default, Red Hat Enterprise Linux 8 stores the system journal logs in a ring-buffer in /run/log/journal.

Enable persistent journal storage by creating a disk directory and configuring the service to use it.

Create the /var/log/journal directory.
```
[root@host ~]# mkdir /var/log/journal
```

Edit the /etc/systemd/journald.conf file to enable the persistent storage policy.

[root@host ~]# sed -i 's/#Storage=auto/Storage=persistent/' /etc/systemd/journald.conf

Restart the systemd-journald service to begin using the new persistent directory. If the configured directory does not exist or is not writable by systemd-journald, the service will continue to use the /run/log/journal location.
```
[root@host ~]# systemctl restart systemd-journald.service
```

rsyslog Log Files

The rsyslog service acts as a message processing hub. Applications can use system calls to send messages directly to rsyslog. The rsyslog service uses the imjournal input module to retrieve messages continuously from journald, and also forwards messages that it receives directly to journald by using the omjournal output module.

Messages that are sent to rsyslog include the facility and level fields, which are then used for sorting the messages into log files in the /var/log/ directory. The facility value indicates where the message originated, and the level value indicates the severity of the message. These facilities, among some others, send messages to rsyslog:

Kernel messages
User-level messages
Mail system
System daemons
Security and authorization messages
Messages that are generated internally by syslog

Locations of the syslog Log Files

The /etc/rsyslog.conf file contains rules for sorting incoming messages by facility and level, and storing them into specific log files. The following subdirectories under the /var/log directory contain rsyslog messages:

/var/log/messages stores all the syslog messages that are not explicitly configured for other rsyslog locations.
/var/log/secure stores security and authentication-related messages and errors.
/var/log/maillog stores mail server-related messages and errors.
/var/log/cron stores log files that relate to periodically executed tasks.
/var/log/boot.log stores log files that relate to system startup.

Note

You can access log files with the web console. Log in to the web console and then click Logs to view the default rsyslog log entries.

Private Log Files

Some applications maintain their own log files instead of using the rsyslog service. Those applications might need a custom message structure or might process their messages differently from rsyslog or journald. Typically, these log files are in subdirectories of /var/log. For example, the Apache Web Server on a RHEL server saves log messages to files under the /var/log/httpd directory. Samba is another service that uses private log files, with a default file location under the /var/log/samba directory.

Enabling Verbose Information

Many commands and services can increase the logging detail that they generate while running by including a log level option when they start. Examples of log level options include -v, -vv, -vvv, and --debug, which can be included in their startup configuration files. Refer to the documentation for individual services where you want to increase the verbosity or logging levels.

Note

Including a debug option for services that are configured under the /etc/sysconfig/ directory might cause that service to be unable to disconnect from its controlling terminal. When such services are started by using systemctl and the service type is forking, the systemctl command does not return until the service is passed an interrupt signal such as Ctrl-C.

Alternatively, when troubleshooting, you can run the service manually from the command line with the debug option.

Troubleshooting the Audit Log for SELinux Events

The audit system security log file, at /var/log/audit/audit.log, contains audit event objects that relate to possible SELinux access denials. Since the file is securely stored in binary, inspect these audit records with a search utility. Use the ausearch tool to query the audit logs for SElinux events.

To resolve SELinux denials, first analyze the root cause as stored in the audit log. Use the sealert command from the policycoreutils-python-utils and setroubleshoot-server packages to help in resolving the problem. SELinux denials might be caused by an incorrect SELinux label, context, Boolean, or port number.

SELinux context issues also occur when a service uses non-standard directories. For example, use of a web server with the non-standard /home/user/myweb directory requires that directory to be set with the correct SELinux label.

The semanage fcontext command stores a specified SELinux context with the directory location in the SELinux database.

[root@host ~]# semanage fcontext -a -t httpd_sys_content_t "/home/user/myweb"

The restorecon command looks up a specified directory in the database, retrieves the configured context for that directory, and applies the context on the directory.

Use the following command to apply the context change:

[root@host ~]# restorecon -R -v /home/user/myweb

SELinux Booleans allow exceptions to runtime policy that can be enabled or disabled without restarting a service. In this example, enabling this Boolean enables access to the home directories through a local web server, which is normally a policy behavior that is allowed to web servers.

[root@host ~]# setsebool httpd_enable_homedirs on

Many services are allowed by policy to run only on specific port numbers. The semanage port command allows the service to operate through a non-standard port. In this example, the default port of a web service is changed to use port 9876.

[root@host ~]# semanage port -a -t http_port_t -p tcp 9876

References

journalctl(1), systemd.journal-fields(7), and systemd-journald.service(8), auditd(8), ausearch(8), sealert(8) man pages.

For further information, refer to Chapter 10. Troubleshooting Problems Using Log Files at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/configuring_basic_system_settings/assembly_troubleshooting-problems-using-log-files_configuring-basic-system-settings

For further information, refer to Chapter 5. Troubleshooting Problems Related to SELinux at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/using_selinux/troubleshooting-problems-related-to-selinux_using-selinux

Discuss Red Hat Enterprise Linux Diagnostics and Troubleshooting

Go to community

Welcome to the Red Hat Enterprise Linux Diagnostics and Troubleshooting (RH342) group!

cschunke

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Enterprise Linux Diagnostics and Troubleshooting! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH342.Read more about Red Hat Enterprise Linux Diagnostics and Troubleshooting here.

445

Revision: rh342-8.4-6dd89bd

Click Create to build all of the virtual machines needed for the classroom lab environment. This may take several minutes to complete. Once created the environment can then be stopped and restarted to pause your experience.
When a lab is created, click Start to run all of the virtual machines in the classroom.
Click Stop to stop all the virtual machines from running. This will not delete your lab.
If you Delete your lab, you will remove all of the virtual machines in your classroom and lose all of your progress.

Virtual machine actions

Click Start to power on the virtual machine.
Click Shutdown to gracefully shut down the virtual machine, preserving disk contents.
Click Power off to forcefully shut down the virtual machine, while still preserving disk contents.
Click Open console to connect to the system console of the virtual machine in a new browser.

Auto-stop timer

The Red Hat Learning Subscription entitles you to set allotment of lab time.
To help conserving your allotted time, the lab environment uses automatic timers to stop or destroy your lab environment when the timer expires.

Click the Auto-stop button [+] to extend the time you would like to spend with the labs.
Click the Auto-destroy button [+] to add day(s) to the auto-destroy timer.

Auto-stop has a maximum of 11 hours, and auto-destroy has a maximum of 14 days.
Be careful to keep the timers set while you are working, so that your environment doesn't shut down unexpectedly.
We also suggest not to set the auto-timers unnecessarily high, which could waste your lab time allotment