chapter-11-the-logging-system.md

Chapter 11: The Logging System

Overview

The logging system in Linux is essential for monitoring, debugging, and auditing system activities. It provides detailed information about system events, errors, and application behaviors. This chapter covers how to view, configure, and manage logs effectively.

---

1. Introduction to Logging

Key Components:

• Log Files: Files that record system and application events.
• Syslog: A standardized logging protocol used by many services.
• Journal: System logs managed by systemd.

Common Log Directories:

• /var/log/: Primary location for system logs.
• /var/log/syslog: General system messages.
• /var/log/auth.log: Authentication logs.
• /var/log/dmesg: Kernel ring buffer logs.

---

2. Viewing Log Files

cat, less, and tail

• Use these commands to view log files directly.

Examples:

• Display the entire log:

  cat /var/log/syslog

• View logs page by page:

  less /var/log/syslog

• Monitor logs in real-time:

  tail -f /var/log/syslog

journalctl: Viewing Systemd Logs

• View logs maintained by the systemd journal.

Syntax:

journalctl [options]

Examples:

• View all logs:

  journalctl

• View logs for a specific unit:

  journalctl -u apache2.service

• View logs since boot:

  journalctl -b

---

3. Managing Log Files

Log Rotation with logrotate

• Ensures log files don’t consume excessive disk space by rotating and compressing them.

Configuration File:

• /etc/logrotate.conf: Global configuration.
• /etc/logrotate.d/: Per-service configurations.

Example Configuration:

/var/log/syslog {
    weekly
    rotate 4
    compress
    missingok
    notifempty
}

• Explanation:
  • weekly: Rotate logs weekly.
  • rotate 4: Keep four old log files.
  • compress: Compress rotated logs.
  • missingok: Skip errors if the log file is missing.
  • notifempty: Do not rotate empty files.

Forcing Log Rotation:

sudo logrotate -f /etc/logrotate.conf

---

4. Configuring Syslog

Syslog Daemons:

• rsyslog: A common syslog daemon, highly configurable.
• syslog-ng: Alternative to rsyslog, offering advanced features.

Configuring rsyslog:

• Configuration file: /etc/rsyslog.conf

Example:

• Log all authentication messages to a custom file:

  auth.*    /var/log/auth.log

• Restart the service:

  sudo systemctl restart rsyslog

---

5. Log Analysis Tools

grep: Search for Patterns

• Extract specific information from logs.

Examples:

• Search for errors:

  grep "error" /var/log/syslog

• Search for a specific IP:

  grep "192.168.1.100" /var/log/auth.log

awk: Process Log Data

• Extract and format specific log fields.

Example:

awk '{print $1, $2, $3}' /var/log/syslog

logwatch: Log Summarization

• Generates summaries of log activities.

Installation:

sudo apt install logwatch

Generate a Log Report:

sudo logwatch --detail high --mailto admin@example.com --range today

---

6. Securing Logs

Restrict Access to Logs:

• Only authorized users should access sensitive logs.

Example:

sudo chmod 640 /var/log/auth.log
sudo chown root:adm /var/log/auth.log

Remote Logging:

• Forward logs to a central server for secure storage and analysis.

Configure rsyslog for Remote Logging:

1. Add the following to /etc/rsyslog.conf:

   *.* @@remote-log-server:514

2. Restart rsyslog:

   sudo systemctl restart rsyslog

---

Summary

By the end of this chapter, you should be able to:

• View and analyze log files using tools like journalctl, tail, and grep.
• Configure log rotation with logrotate.
• Customize logging behavior using rsyslog or syslog-ng.
• Secure log files and forward them to a remote server.

Next Steps:

• Move to Chapter 12: Using and Abusing Services to learn about configuring and testing Linux services.

---

Exercises

1. View the last 20 lines of the /var/log/syslog file in real-time.
2. Configure logrotate to compress and rotate /var/log/auth.log weekly.
3. Search for failed login attempts in /var/log/auth.log.
4. Forward logs from your system to a remote logging server.
5. Generate a daily summary of logs using logwatch.