Being Proactive, Part 1 Labs

1. Centralized Logging

Goals
  • Configure server1 to forward log messages to desktop1

  • When the logger command is run on server1, the messages of info priority or higher appear in /var/log/messages on desktop1

One of the first steps taken when troubleshooting a broken system is reviewing the log files. Sometimes, when a system has problems, the log files on its local hard drive cannot be accessed. This is where centralized logging is a benefit.

In this lab, configure desktop1 to receive remote log messages from server1. Then, configure server1 to send copies of all log messages of info priority and higher to desktop1. Lastly, test that messages are going to desktop1 by running logger on server1 and viewing the message in /var/log/messages on desktop1.

  1. Configure desktop1 to receive remote log messages from server1.

    The logging service on Red Hat Enterprise Linux is called rsyslog. The following steps enable logging from remote servers on desktop1.

    1. Examine the contents of /etc/rsyslog.conf on desktop1. Uncomment the two lines following the comment that reads:

      # Provides UDP syslog reception
      $ModLoad imudp
      $UDPServerRun 514
    2. Restart the rsyslog service once your changes have been saved.

      [root@desktop1 ~]# systemctl restart rsyslog
  2. Enable inbound port 514/UDP in the host firewall on desktop1.

  3. Configure server1 to send copies of all log messages of info priority and higher to desktop1.

    The same service must be configured on server1 to send copies of its log messages to desktop1. Add the following logging rule below the "RULES" line and restart the rsyslog service:

    *.info          @desktop1FQDN
    [root@server1 ~]# systemctl restart rsyslog
  4. Test.

    To test, run the logger command on server1, and then look at the /var/log/messages file on both systems.

    [root@server1 ~]# logger "Hello from server1"
    [root@server1 ~]# tail /var/log/messages
    Jan 18 14:24:37 server1 root: Hello from server1
    [root@desktop1 ~]# tail /var/log/messages
    Jan 18 14:24:37 server1 root: Hello from server1

2. Baselining: Using aide

Goals
  • Install and configure aide to monitor for file system changes on server1

  • Changed files on the file system are detected by the aide command

On server1, install the aide utility and create the initial database. Subsequently, change some system files and use aide to check your system.

  1. Install the aide utility and create the initial database.

    [root@server1 ~]# yum install -y aide
    ... Output omitted ...
    [root@server1 ~]# aide --init
    
    AIDE, version 0.15.1
    
    ### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

    It will take several minutes to initialize the aide database. When it completes, copy the database where aide expects it to reside on the system.

    [root@server1 ~]# cd /var/lib/aide
    [root@server1 aide]# cp aide.db.new.gz aide.db.gz
    [root@server1 aide]# cd
  2. Change some system files and use aide to check your system.

    [root@server1 ~]# aide --check
    AIDE 0.15.1 found differences between database and filesystem!!
    Start timestamp: 2014-12-15 08:22:04
    
    Summary:
      Total number of files:        107530
      Added files:                  9
      Removed files:                0
      Changed files:                10
    
    
    ---------------------------------------------------
    Added files:
    ---------------------------------------------------
    
    ... Output omitted ...
    
    ---------------------------------------------------
    Changed files:
    ---------------------------------------------------
    
    changed: /usr/bin/tcsh
    ... Output omitted ...
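Added example, not from the lab or from AIDE: the report above is easy to read by eye, but in practice the check runs from cron and something has to act on the result. The script below parses a saved aide --check report and records a SHA-256 digest of the baseline database so that a replaced aide.db.gz is noticed. The report text is a constructed sample built from the lab's output above; the database file is a stand-in created in a temporary directory.

```shell
#!/bin/sh
# Added example (not part of the lab or of AIDE): helpers that turn a saved
# "aide --check" report into something a script can act on, plus a digest of
# the baseline database so a replaced aide.db.gz is noticed. The functions
# take file paths, so they work on a real report (aide --check > report.txt)
# as well as on the constructed sample below.

# Prints "added removed changed" from the Summary block of a check report.
# Only the Summary lines carry a number; the later section headers do not.
aide_summary_counts() {
    awk '/^ *Added files: +[0-9]+ *$/   { a = $3 }
         /^ *Removed files: +[0-9]+ *$/ { r = $3 }
         /^ *Changed files: +[0-9]+ *$/ { c = $3 }
         END { print a + 0, r + 0, c + 0 }' "$1"
}

# Prints the paths listed under one kind of difference: added, removed or changed.
aide_paths() {
    awk -v k="$2:" '$1 == k { print $2 }' "$1"
}

# Succeeds only when the report shows no differences at all.
aide_report_clean() {
    [ "$(aide_summary_counts "$1")" = "0 0 0" ]
}

# Records / verifies a SHA-256 digest of the baseline database. Keep the digest
# file somewhere the monitored host cannot rewrite it (or keep a copy off-host):
# if the database can be replaced silently, the check proves nothing.
record_baseline_digest() { sha256sum "$1" > "$2"; }      # $1 db, $2 digest file
verify_baseline_digest() { sha256sum -c --status "$1"; } # $1 digest file

# ---- constructed sample (report text built from the lab's sample output) ----
SAMPLE_DIR=$(mktemp -d)
REPORT="$SAMPLE_DIR/aide-check.txt"
FAKE_DB="$SAMPLE_DIR/aide.db.gz"       # stand-in for /var/lib/aide/aide.db.gz
DIGEST="$SAMPLE_DIR/aide.db.gz.sha256"

cat > "$REPORT" <<'EOF'
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2014-12-15 08:22:04

Summary:
  Total number of files:        107530
  Added files:                  9
  Removed files:                0
  Changed files:                10


---------------------------------------------------
Added files:
---------------------------------------------------

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /usr/bin/tcsh
EOF

printf 'constructed stand-in for the AIDE database\n' > "$FAKE_DB"
record_baseline_digest "$FAKE_DB" "$DIGEST"

echo "added/removed/changed: $(aide_summary_counts "$REPORT")"
echo "changed paths: $(aide_paths "$REPORT" changed)"
aide_report_clean "$REPORT" || echo "report shows differences: review them before running aide --update"
verify_baseline_digest "$DIGEST" && echo "baseline database matches recorded digest"
```

aide --check itself exits non-zero when it finds differences, so the summary parser matters mostly when the report was saved earlier or sent from another host. The digest matters because AIDE compares the file system against whatever sits in /var/lib/aide/aide.db.gz; if that file can be rewritten by whoever changes /usr/bin/tcsh, the check detects nothing. After legitimate changes have been reviewed, aide --update writes a fresh aide.db.new.gz, which is copied into place and re-digested the same way as in step 1.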

3. Baselining: Using sar

Goals
  • Install sar performance monitoring collection agents

  • Generate reports on system utilization from sar

Install the package that provides the sar utility. Then, given our impatience, find the data-gathering script in the /etc/cron.d/ directory for sar and execute it a couple times.

Display the collected data about memory usage and CPU utilization. If you are working on a machine with multiple cores, extract the data per core. Use multiple -P cpu-number flags on a single command line.

  1. Install the package that provides the sar utility.

    There is no package called sar, but if you cannot remember which package provides that utility you can always run yum whatprovides '*bin/sar' (quoted so the shell does not expand the glob). This will inform you that the package is called sysstat.

    [root@server1 ~]# yum install -y sysstat
    ... Output omitted ...
  2. Once sar is installed, data will be collected periodically. Normally cron will handle that, but we are a little impatient. Find the data-gathering script in the /etc/cron.d/ directory for sar and execute it a couple times.

    The cron file for sar is /etc/cron.d/sysstat. It contains the following lines:

    # Run system activity accounting tool every 10 minutes
    */10 * * * * root /usr/lib64/sa/sa1 1 1
    # 0 * * * * root /usr/lib64/sa/sa1 600 6 &
    # Generate a daily summary of process accounting at 23:53
    53 23 * * * root /usr/lib64/sa/sa2 -A

    Now you know the command you need to execute to collect some data for sar reports. Run /usr/lib64/sa/sa1 1 1 a few times.

  3. Display the collected data about memory usage from sar. Also display the data collected about CPU utilization. If you are working on a machine with multiple cores, extract the data per core.

    Run the following command to display memory usage:

    [root@server1 ~]# LANG=C sar -r
    ... Output omitted ...

    The following commands display CPU utilization:

    [root@server1 ~]# LANG=C sar -p
    ... Output omitted ...
    [root@server1 ~]# LANG=C sar -P 0 -P 1 -p
    ... Output omitted ...
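Collecting sar data is only half of baselining; the other half is comparing later samples against the baseline. Added example, not from the lab or from sysstat: a shell function that scans a saved sar report for intervals where one column crosses a threshold, locating the column by its header name. The three reports it reads are constructed samples in the column layout of sysstat 10.x (assumed to be the version on the lab's hosts, not captured there); on a real host, save a report with LANG=C sar -u > cpu.txt, LANG=C sar -P 0 -P 1 > percpu.txt or LANG=C sar -r > mem.txt and pass that file name instead.

```shell
#!/bin/sh
# Added example (not part of the lab or of sysstat): a threshold scan over a
# saved sar report. Save one with e.g. "LANG=C sar -u > cpu.txt" (-u is the
# explicit CPU report; sar with no report option prints the same thing),
# "LANG=C sar -P 0 -P 1 > percpu.txt" or "LANG=C sar -r > mem.txt", then point
# sar_flag at the file. The column is found by its header name, so the field
# position does not have to be known. The reports below are constructed
# samples in the sysstat 10.x layout (assumed, not captured from the lab).

# sar_flag REPORT COLUMN lt|gt THRESHOLD
# Prints "time [cpu] value" for every interval whose COLUMN is below (lt) or
# above (gt) THRESHOLD. The kernel banner and the "Average:" lines are skipped.
sar_flag() {
    awk -v col="$2" -v op="$3" -v thr="$4" '
        /^Linux / || /^$/ || $1 == "Average:" { next }
        col_idx == 0 {                      # first remaining line: the header
            for (i = 1; i <= NF; i++) if ($i == col) col_idx = i
            has_cpu = ($2 == "CPU")         # per-CPU reports carry a CPU column
            next
        }
        {
            v = $col_idx + 0
            if ((op == "lt" && v < thr) || (op == "gt" && v > thr)) {
                pfx = has_cpu ? $1 " " $2 : $1
                print pfx, $col_idx
            }
        }' "$1"
}

# ---- constructed sample reports (not real sar output) ----
SAMPLE_DIR=$(mktemp -d)
CPU_REPORT="$SAMPLE_DIR/cpu.txt"
PERCPU_REPORT="$SAMPLE_DIR/percpu.txt"
MEM_REPORT="$SAMPLE_DIR/mem.txt"

cat > "$CPU_REPORT" <<'EOF'
Linux 3.10.0-123.el7.x86_64 (server1.example.com) 	12/15/2014 	_x86_64_	(2 CPU)

08:20:01        CPU     %user     %nice   %system   %iowait    %steal     %idle
08:30:01        all      1.23      0.00      0.45      0.02      0.00     98.30
08:40:01        all     48.60      0.00      2.55      0.00      0.00     48.85
08:50:01        all      2.01      0.00      0.70      0.00      0.00     97.29
Average:        all     17.28      0.00      1.23      0.01      0.00     81.48
EOF

cat > "$PERCPU_REPORT" <<'EOF'
Linux 3.10.0-123.el7.x86_64 (server1.example.com) 	12/15/2014 	_x86_64_	(2 CPU)

08:20:01        CPU     %user     %nice   %system   %iowait    %steal     %idle
08:30:01          0      1.10      0.00      0.40      0.02      0.00     98.48
08:30:01          1      1.36      0.00      0.50      0.02      0.00     98.12
08:40:01          0     95.20      0.00      4.30      0.00      0.00      0.50
08:40:01          1      2.00      0.00      0.80      0.00      0.00     97.20
08:50:01          0      2.30      0.00      0.60      0.00      0.00     97.10
08:50:01          1      1.72      0.00      0.80      0.00      0.00     97.48
Average:          0     32.87      0.00      1.77      0.01      0.00     65.36
Average:          1      1.69      0.00      0.70      0.01      0.00     97.60
EOF

cat > "$MEM_REPORT" <<'EOF'
Linux 3.10.0-123.el7.x86_64 (server1.example.com) 	12/15/2014 	_x86_64_	(2 CPU)

08:20:01    kbmemfree kbmemused  %memused kbbuffers  kbcached  kbcommit   %commit  kbactive   kbinact   kbdirty
08:30:01       612340   1435148     70.09     84220    901332   1222004     29.84    812200    420112       124
08:40:01       180120   1867368     91.20     84240    903000   2410220     58.86   1201300    430200      3200
08:50:01       598800   1448688     70.75     84260    901500   1230000     30.03    815000    421000       140
Average:       463753   1583735     77.35     84240    901944   1620741     39.58    942833    423771      1155
EOF

echo "intervals with overall %idle below 60: $(sar_flag "$CPU_REPORT" %idle lt 60)"
echo "per-core intervals with %idle below 10: $(sar_flag "$PERCPU_REPORT" %idle lt 10)"
echo "intervals with %memused above 85: $(sar_flag "$MEM_REPORT" %memused gt 85)"
```

The per-core sample shows why the lab asks for -P: in the all-CPU report the 08:40 interval looks like a half-busy machine, while the per-core view shows core 0 at 0.50% idle and core 1 nearly idle, the pattern a single-threaded runaway process produces. The thresholds are only a starting point; the value of a baseline is knowing what the normal numbers are for this host before something goes wrong.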