# common log locations

- `/var/log/lastlog` for login info
- `/var/log/boot.log` for system startup and initialization
    ![[images/Pasted image 20250803140930.png]]
- `/var/log/auth.log` (debian) and `/var/log/secure` (red hat) for authentication and security
- `/var/log/syslog` (debian) and `/var/log/messages` (red hat) for system messages
- `/var/log/btmp` and `/var/log/wtmp` for binary login records
- `/var/log/kern.log` for kernel events and HW logs
- `/var/log/audit.log` for policy violations
- `/var/log/cron` for cron job logs
- `/var/log/journal` for `journalctl` logs
- `/var/log/dmesg` for kernel ring buffer
- look at `dmesg` for kernel ring buffer
    ![[images/Pasted image 20250803141352.png]]
- look at `sudo journalctl` for systemd logs
    ![[images/Pasted image 20250803141316.png]]
    - `-f` to follow in real time
    - `-k` for only kernel messages
    - `-r` for reverse chronological order
    - `-b` for current boot entries
    - `-u service_name` for service specific logs

# log rotation

- `/etc/logrotate.conf` includes log rotation config for the system
    ![[images/Pasted image 20250803141651.png]]
- `/etc/logrotate.d` includes log rotation config files for individual services
    ![[images/Pasted image 20250803141638.png]]

# systemd-journald

- `systemd-journald` reads its config from `/etc/systemd/journald.conf`
- `sudo journalctl | tail -f` follows `journald` logs in real time
- view with `journalctl options matches`
- options:
    - `-a` display all data fields
    - `-f` live follow
    - `-r` reverse order
    - `-k` for only kernel messages
    - `-b` for current boot entries
    - `-u service_name` for service specific logs
    - `-l` displays all printable data fields
- matches
    - fields
        - kernel
        - `priority=value`
        - `_UID=user_id`
        - `_HOSTNAME=host`
        - `_TRANSPORT=method`
        - `OBJECT_PID=PID`
    - ![[images/Pasted image 20250802203513.png]]
- similar output to `dmesg`
    ![[images/Pasted image 20250802203802.png]]

# syslog

- port 514
- rsyslog uses `rsyslogd` to monitor events and log as directed based on the `/etc/rsyslog.conf` config file
- many distros use `/etc/rsyslog.d` to store individual config files that are included from `/etc/rsyslog.conf`
- logging occurs based on rules of the form `facility.priority action`
- facility values & keywords
    ![[images/Pasted image 20250802201628.png]]
- priority values & keywords
    ![[images/Pasted image 20250802202016.png]]
- view rsyslog entries in `/var/log/syslog`
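Added example (not code from the original note) showing how `facility.priority` selector rules decide which action a message reaches: `rule_matches` applies the classic sysklogd/rsyslog selector semantics (`*`, `none`, `=`, `!`, `;`-separated parts) and `route` lists every action a message would hit. The keyword tables follow syslog(3); `RULES` is a constructed sample modeled on common Debian defaults, not copied from any real host.

```python
# Added example (not from the original note): evaluate classic rsyslog/sysklogd
# selectors (`facility.priority`, `;`-separated, with `*`, `none`, `=`, `!`)
# against a message to see which rules, and so which actions, it reaches.
# Keyword tables follow syslog(3)/RFC 5424; RULES is a constructed sample
# modeled on common Debian defaults, not copied from any real host.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}
PRIORITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
ALL_LEVELS = set(PRIORITIES.values())

def rule_matches(selector: str, facility: str, priority: str) -> bool:
    """Parts apply left to right and build a per-facility set of allowed
    levels, as sysklogd does: `prio` = that level or more severe, `=prio`
    = exactly that level, `!` removes instead of adds, `none` clears."""
    FACILITIES[facility]  # KeyError early on an unknown facility keyword
    allowed: set = set()
    for part in selector.split(";"):
        facs, _, prio = part.strip().rpartition(".")
        if facs != "*" and facility not in facs.split(","):
            continue  # this part says nothing about our facility
        negate = prio.startswith("!")
        prio = prio.lstrip("!")
        exact = prio.startswith("=")
        prio = prio.lstrip("=")
        if prio == "none":
            allowed = set()
            continue
        if prio == "*":
            levels = ALL_LEVELS
        else:
            lvl = PRIORITIES[prio]
            levels = {lvl} if exact else {lv for lv in ALL_LEVELS if lv <= lvl}
        allowed = allowed - levels if negate else allowed | levels
    return PRIORITIES[priority] in allowed

RULES = [  # (selector, action) in rsyslog.conf order; constructed sample
    ("auth,authpriv.*", "/var/log/auth.log"),
    ("*.*;auth,authpriv.none", "-/var/log/syslog"),
    ("kern.*", "-/var/log/kern.log"),
    ("*.emerg", ":omusrmsg:*"),
]

def route(rules, facility: str, priority: str) -> list:
    # rsyslog keeps evaluating after a hit, so one message can reach many actions
    return [act for sel, act in rules if rule_matches(sel, facility, priority)]
```

For example, `route(RULES, "authpriv", "info")` returns only `/var/log/auth.log` because the `auth,authpriv.none` part carves those facilities out of the catch-all `*.*` rule.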