Log Management (Demo)


Time
21 hours 25 minutes
Difficulty
Intermediate
CEU/CPE
21
Video Transcription
>> Hey Cybrarians. Welcome back to the Linux+ course here at Cybrary. I'm your instructor Rob Goelz, and in today's lesson we're going to be covering log management. Upon completion of today's lesson, you're going to be able to understand how syslog is used to manage logs, we're going to differentiate between a few of the different syslog implementations that have come along, and then finally in our demo today we're going to use the rsyslog configuration file and see how we can modify syslog.

Modern Linux distributions have two different logging systems: there's syslog, which we're talking about in this lesson, and journald, which we're going to cover later in this module. Now, syslog has been the de facto logging protocol since it was created in the mid 1980s. It defines a standard message format that can be used to record log messages to disk, or also, with later versions of syslog, you could send them to a remote server. It can be used for OS, application and device logs; it does everything.

The standard format for syslog includes a couple of event fields. Obviously we're going to have a timestamp so we can see when things occurred, we're going to have a field for the type, which is actually called a facility, we have a severity to indicate what trouble we're in, and then finally we'll have the details about the log message.

Now, in syslog a facility is a category or type of message that indicates the source of the event, like where did we get this log message from? What service or application is saying it's having issues? There are 23 facilities and eight of those are user-definable, local0 through local7, which you can use to send custom log messages out. We're not going to cover all 23 of them because I'd be nuts, but here are some that you're going to likely encounter. There's kern, which are messages generated by the kernel, and that's facility number 0. Facility 1 is used for user-level messages generated by user events. Anything mail related is going to be facility 2, anything service or application related is going to be daemon, facility 3. We're going to see auth for security logs, and then cron for scheduled jobs from cron or at, that's facility 9, and then authpriv is used for private security logs; that uses facility level 10.

Now, the other thing we mentioned is that in syslog there's a log associated with the severity. Every log is associated with a severity type. There are eight severity types in syslog, and they go from zero, which is actually the highest, to seven, which is the lowest. Now, a zero is an emergency. This is basically the system has become completely unstable; this is a fire that needs to be put out immediately. We also have an alert, which is level 1. That's any event that's happened that requires immediate attention. We have critical, which is an event that's really important, but it's not rising to the level of being an alert. It's not a critical event that requires immediate attention, but you need to jump on it. Then you have an error message. It's an error condition. It doesn't interrupt the system, but it is important. Just below that is warning, that's level 4; that's an abnormal system condition, but it hasn't risen to the level of something's going terribly wrong. Rounding things out, we have notice, which are significant events but they're normal, and then we have information level events, and finally, debug level messages. Now, these are used for developers and/or support. Sometimes when you open a ticket for an open-source product, they'll ask you to turn on debug level logging. That information is just really granular information that they can get into and dig into to try and determine the cause of some of the issues you might be seeing, either in the Linux distribution, the operating system itself, or maybe one of the applications you're running. The main thing to know about this chart, in this area from 0-7, is that as you go from 0-7, each level that you go up increases the amount of logs that you're going to store on your disk. Don't run debug for very long unless you've got a lot of disk space that you're willing to let it chew up.

All logging outputs short, detailed messages that are covering at a minimum what happened and when it happened. Remember, this runs continuously. Again, if you're doing debug logging, it's going to run continuously; you need the disk space. But combining the details in the logs along with the timestamp, facility and severity is going to help you to troubleshoot a lot of issues in Linux. As I said, logs are a system administrator's best friends because they record what happened on the system when you weren't there to see it.

There have been a few versions of syslog and, as I indicated, some features came along later. We started out with sysklogd. This is the original recipe syslog application. Now, it actually included two separate programs. There was syslog, which monitored the system and applications, and then klog, which monitored the Linux kernel for events. Later on we got syslog-ng. This added features to sysklogd such as filtering and sending things to a remote syslog server, and this unified things. We didn't need two different programs to run logging. Later on we got rsyslog, r for rocket fast, and this was a focus on speed, and it is still the current syslog standard that you will find on most distributions. Then finally we do have journald, but we'll talk about that later in this module. Let's have a look at all of this in rsyslog with some demo time.

Here we are back in our CentOS environment, and let's go ahead and open up the configuration file for our syslog. We can do that by doing a sudoedit on /etc/rsyslog.conf, and I will put in my sudo password so that we can get root privileges and view this file. In this file we can see that rsyslog loads a few modules. They're right here in the module section. Now, it's going to have one to work with actual system logging, and it has another one that works with journald. Again, we'll talk about journald later in this module. Now, further down, we can see the global directive section, and specifically we're going to see an include line right here. This include line indicates to include content in /etc/rsyslog.d, anything that has the .conf file suffix right here. You see /etc/rsyslog.d/*.conf. That means anything that has a configuration at the end of it, .conf, in there will get included. This is where you're going to find additional log rules that are set for applications. Applications will put application-specific configuration for rsyslog into /etc/rsyslog.d.

Then lastly we're going to see our rule section. This is where syslog ties in that concept of facilities and severities. For example, anything that has the facility type of authpriv, we see that right here. Anything that has authpriv, regardless of severity, that's authpriv.*, winds up going into /var/log/secure. We said authpriv, those are private secure messages. But we can also see, if we scroll up here, that anything that has the severity of info, so any facility, star, *.info, info severity, winds up in /var/log/messages, along with anything that's not privileged authentication, cron and mail information; all of those go into /var/log/messages.

With that, we've reached the end of this lesson, and in this lesson we covered how syslog manages logs, we also talked about the difference between the various syslog implementations, and then finally in our demo we saw how the rsyslog file is used to configure syslog; we talked about rsyslog.conf. Thanks so much for being here, and I look forward to seeing you in the next lesson.
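
As an added example, not code from the lesson or from rsyslog itself, the following Python decodes the syslog PRI header (facility * 8 + severity, as in RFC 5424) and reproduces how the two rules shown in the demo route messages. The facility and severity numbers are the standard ones; the log lines, the RULES list and the file paths are constructed for illustration, and the selector grammar is only partially implemented (no `!` negation, no property-based filters).

```python
"""Added example, not part of the Cybrary lesson: decode the syslog PRI header
and route messages with rsyslog-style selectors.

Facility/severity numbers follow RFC 5424 (PRI = facility * 8 + severity).
RULES mirrors the two rules shown in the demo; the log lines are constructed
for illustration, not captured from a real host."""
import re

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{n}": 16 + n for n in range(8)},
}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
FAC_NAME = {v: k for k, v in FACILITIES.items()}
SEV_NAME = {v: k for k, v in SEVERITIES.items()}

PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line):
    """Return the numeric PRI of a BSD-style syslog line.
    A line without a PRI is treated as user.notice (13), as RFC 3164 prescribes."""
    m = PRI_RE.match(line)
    if not m:
        return 13
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value (local7.debug)
        raise ValueError(f"PRI {pri} out of range")
    return pri


def decode_pri(pri):
    """Split a PRI into (facility, severity) numbers."""
    return divmod(pri, 8)


def pri_name(pri):
    """Human-readable (facility, severity) names for a PRI."""
    fac, sev = decode_pri(pri)
    return FAC_NAME.get(fac, f"facility{fac}"), SEV_NAME[sev]


def compile_selector(selector):
    """Turn an rsyslog selector such as '*.info;mail.none;authpriv.none;cron.none'
    into a predicate on (facility, severity) numbers.

    Semantics implemented: 'fac.sev' matches severity sev and anything MORE
    severe (numerically lower); 'fac.=sev' matches exactly sev; 'fac.none'
    drops the facility; '*' means all facilities or all severities. Parts are
    applied left to right, so a later 'none' overrides an earlier '*'.
    The '!' negation prefix is not handled here."""
    thresholds = {}  # facility number -> ("ge", level) or ("eq", level)
    for part in selector.split(";"):
        fac_spec, sev_spec = part.strip().split(".", 1)
        facs = range(24) if fac_spec == "*" else [FACILITIES[f] for f in fac_spec.split(",")]
        for fac in facs:
            if sev_spec == "none":
                thresholds.pop(fac, None)
            elif sev_spec == "*":
                thresholds[fac] = ("ge", SEVERITIES["debug"])
            elif sev_spec.startswith("="):
                thresholds[fac] = ("eq", SEVERITIES[sev_spec[1:]])
            else:
                thresholds[fac] = ("ge", SEVERITIES[sev_spec])

    def matches(fac, sev):
        rule = thresholds.get(fac)
        if rule is None:
            return False
        kind, level = rule
        return sev == level if kind == "eq" else sev <= level

    return matches


def route(lines, rules):
    """Apply (selector, target) rules to log lines; return target -> matching lines.
    As in rsyslog, a line can land in several targets or in none."""
    compiled = [(compile_selector(sel), target) for sel, target in rules]
    out = {target: [] for _, target in rules}
    for line in lines:
        fac, sev = decode_pri(parse_pri(line))
        for matches, target in compiled:
            if matches(fac, sev):
                out[target].append(line)
    return out


# The two rules discussed in the demo (paths as on CentOS).
RULES = [
    ("authpriv.*", "/var/log/secure"),
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
]

# Constructed sample lines; the facility.severity of each PRI is in the comment.
SAMPLE_LINES = [
    "<86>Mar  1 10:15:01 host sshd[2211]: Accepted publickey for alice from 10.0.0.5",  # authpriv.info
    "<30>Mar  1 10:15:02 host systemd[1]: Started Cleanup of Temporary Directories.",   # daemon.info
    "<7>Mar  1 10:15:03 host kernel: usb 1-1: new high-speed USB device number 4",     # kern.debug
    "<22>Mar  1 10:15:04 host postfix/smtpd[3001]: connect from unknown[10.0.0.9]",    # mail.info
    "<0>Mar  1 10:15:05 host kernel: Out of memory: Kill process 4100 (java)",         # kern.emerg
]

if __name__ == "__main__":
    for target, lines in route(SAMPLE_LINES, RULES).items():
        print(f"{target}:")
        for line in lines:
            print(f"  [{'.'.join(pri_name(parse_pri(line)))}] {line}")
```

The check this makes concrete: `*.info` is a threshold, not an exact match, so emerg through info all land in /var/log/messages while the kern.debug line is dropped, and it is the `.none` parts that keep authpriv, mail and cron out of the general log even though `*` covers them; the sshd line goes only to /var/log/secure. Edit RULES to mirror a fragment you intend to drop into /etc/rsyslog.d and confirm the routing before deploying it.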