Lab 9 - Logging and Monitoring

This unit provides an introduction to how to configure logging and monitoring software on Linux systems. Unless otherwise specified, all activities in this lab are to be run on the main lab VM provided at the start of the semester.

rsyslog

  1. Review rsyslog.conf and, if there are any, the rsyslog.d/*.conf drop-in files to see what the default syslog configuration includes

    sudo more /etc/rsyslog.conf /etc/rsyslog.d/*.conf 
  2. Compare the kernel ring buffer (dmesg) with the kernel messages log file to see whether the log file is up to date with the in-memory kernel log

    • in one terminal window: sudo dmesg | tail -20
    • in another terminal window: sudo tail -20 /var/log/kern.log
  3. Can you work out your sshd access history from the log files? See what you can find in /var/log/auth.log (on rsyslog-based Ubuntu systems this is where sshd and PAM authentication messages land).
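One way to answer that question with a script rather than by eye. This is an added example for the lab, not code from the original page; the log lines it contains are constructed to look like rsyslog-format sshd entries, and the host name labvm, the user names and the addresses are invented. On the lab VM you would feed the real file instead, e.g. sudo grep 'sshd\[' /var/log/auth.log | ssh_summary.

```shell
#!/bin/sh
# Added example (not part of the original lab page): summarise sshd login
# outcomes per user and source address from auth.log-style lines.
# SAMPLE_LOG is constructed test data, not output from a real machine.

SAMPLE_LOG=$(cat <<'EOF'
Mar  3 10:01:12 labvm sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: RSA SHA256:abc
Mar  3 10:02:40 labvm sshd[1210]: Failed password for root from 192.0.2.77 port 40022 ssh2
Mar  3 10:02:43 labvm sshd[1210]: Failed password for root from 192.0.2.77 port 40022 ssh2
Mar  3 10:02:47 labvm sshd[1211]: Failed password for invalid user admin from 192.0.2.77 port 40023 ssh2
Mar  3 10:05:01 labvm CRON[1300]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  3 10:07:19 labvm sshd[1320]: Accepted password for bob from 10.0.0.9 port 51300 ssh2
EOF
)

# Reads syslog lines on stdin; prints "<count> <Accepted|Failed> <user> <ip>",
# most frequent first. Lines not logged by sshd (e.g. CRON) are ignored.
ssh_summary() {
    awk '
    $5 ~ /^sshd\[[0-9]+\]:$/ && ($6 == "Accepted" || $6 == "Failed") {
        user = ""; ip = ""
        # The user name is the token before "from", the address the one after it.
        for (i = 8; i <= NF; i++) {
            if ($i == "from") { user = $(i - 1); ip = $(i + 1); break }
        }
        # "Failed password for invalid user admin from ..." names an account
        # that does not exist; tag it so password-guessing attempts stand out.
        if (i > 3 && $(i - 3) == "invalid") user = "invalid-user:" user
        count[$6 " " user " " ip]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Runs the summary over the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_LOG" | ssh_summary
}

demo
```

The script keys on field 5 being an sshd process tag so that PAM session lines from cron and sudo do not pollute the counts. A run of "Failed ... root" from a single address is the pattern to look for first; on a machine where that address is not one of yours, it is a brute-force attempt and the next question is whether any "Accepted" line from the same address follows it.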

logrotate

  1. Use webmin to examine the logrotate configuration of your main lab VM. webmin is a web app system management tool running on port 10000 on the main lab VM and can be accessed using a browser and logging in with a Linux account that has sudo privileges.
  2. Can you manage logrotate from cockpit on that machine? cockpit is a web app system management tool running on port 9090 on the main lab VM and can be accessed using a browser and logging in with a Linux account that has sudo privileges.
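Whichever web tool you use, what it is editing is a stanza under /etc/logrotate.d/. The following is an added, illustrative stanza for the authentication log, not copied from the lab VM; the rotation counts and the postrotate helper path are assumptions you should compare against what webmin shows you.

```conf
# Illustrative logrotate stanza (added example; values are assumptions).
/var/log/auth.log {
    weekly
    rotate 8              # keep eight weeks of authentication history
    missingok
    notifempty
    compress
    delaycompress         # rsyslog may still hold the previous file open
    create 0640 syslog adm   # new file stays unreadable to ordinary users
    sharedscripts
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}
```

The security-relevant lines are `create 0640 syslog adm` and `rotate`: the first keeps rotated authentication logs out of reach of unprivileged accounts, the second decides how far back an incident investigation can look. You can check what a configuration would do without touching any files with `sudo logrotate -d /etc/logrotate.conf` (debug mode only prints the actions).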

logwatch

  1. All of the commands in this section of the lab require root, so start a root shell

    sudo bash 
  2. Install logwatch and create the cache directory, which the package's install script does not create

    apt update && apt install logwatch && mkdir -p /var/cache/logwatch 
  3. Make an override config file for any of the defaults you want to modify (files under /etc/logwatch/conf/ take precedence over the ones under /usr/share/logwatch/default.conf/)

    cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/ 
  4. logwatch has several useful options for us to try

    logwatch --range all
    logwatch --range 'since last week'
    logwatch --logfile secure --logfile http --range all --detail high 
  5. logwatch can be added to cron easily. Some package builds create /etc/cron.daily/00logwatch automatically; that is a script run by the daily cron job rather than a crontab line run at a specific time.

    • Current installs on Ubuntu >= 20.04 do this automatically, so you do not need to do this for our lab.
    • Note that `crontab -` replaces the whole crontab of the current user (root, in this shell); if root already has entries, use `crontab -e` instead. Cron runs with a minimal PATH, so give the full path to the logwatch binary.
    echo "59 23 * * * /usr/sbin/logwatch --range 'since yesterday' --format html --output mail" | crontab -
    crontab -l 
  6. To protect us from ourselves, leave the root shell we used for this section of the lab

    exit 
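The options tried on the command line above can be made the defaults in the override file created in step 3. The following is an added example of such an override, not the contents of the lab VM's file; the address and range values are assumptions.

```conf
# /etc/logwatch/conf/logwatch.conf (added example; override of default.conf)
# Keys left out here keep the values from /usr/share/logwatch/default.conf/logwatch.conf.
Output   = mail          # stdout | mail | file
Format   = html          # text | html
MailTo   = root          # assumption: root's mail is forwarded somewhere it is read
MailFrom = Logwatch
Range    = yesterday     # what the daily cron job should cover
Detail   = High          # Low | Med | High, or 0-10
Service  = All           # then exclude noisy ones: Service = "-zz-network"
Archives = Yes           # include rotated logs (e.g. auth.log.1) in the range
```

`Output = mail` only does something if the VM has a working local mailer; if nothing arrives, run `logwatch --output stdout --range yesterday` by hand first to separate a logwatch problem from a mail-delivery problem.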

loganalyzer

Install the loganalyzer package. Alternatively, download the latest version from the loganalyzer website and follow the instructions in its INSTALL file. Once you have it installed, open http://yourserver/loganalyzer in your browser and see what you can do with it.

Grading

This lab is for practice to reinforce learning. There are no marks for it, and there is nothing to hand in.