1
00:00:00,000 --> 00:00:02,290
[No audio]

2
00:00:02,290 --> 00:00:05,550
Hello, and welcome to the log monitoring lesson.

3
00:00:06,770 --> 00:00:08,970
Another and most important way of

4
00:00:09,020 --> 00:00:11,914
system administration is log monitoring.

5
00:00:12,082 --> 00:00:14,718
Think of a log monitor in a way as if you

6
00:00:14,744 --> 00:00:18,694
have your personal physician or a doctor:

7
00:00:18,862 --> 00:00:22,474
every time you go to him, he or she has a chart

8
00:00:22,582 --> 00:00:27,682
on you with the record of your medical history, which tells

9
00:00:27,706 --> 00:00:31,338
the doctor what problems you had in the past,

10
00:00:31,424 --> 00:00:35,746
whether you had any surgery, whether you're allergic to any medicine.

11
00:00:35,878 --> 00:00:38,434
So that is the way doctors

12
00:00:38,482 --> 00:00:41,960
keep logs on your physical health.

13
00:00:42,710 --> 00:00:43,890
Just like that,

14
00:00:44,060 --> 00:00:48,478
systems also have to keep logs and generate logs

15
00:00:48,514 --> 00:00:51,822
and record everything that goes on with the system.

16
00:00:52,016 --> 00:00:55,978
So in our log directory, right here in our Linux

17
00:00:56,014 --> 00:01:01,566
system, the primary log directory is /var/log.

18
00:01:01,748 --> 00:01:04,318
All the logs that are generated in Linux

19
00:01:04,354 --> 00:01:09,250
machines are mainly in the /var/log directory, unless

20
00:01:09,430 --> 00:01:13,998
specified or changed in the configuration file of

21
00:01:14,024 --> 00:01:16,890
an application to change the log location.

22
00:01:17,990 --> 00:01:19,506
A few of the logs that we will

23
00:01:19,568 --> 00:01:23,818
cover in this lesson are: number one is boot.

24
00:01:23,914 --> 00:01:29,470
boot is the log when your system boots up, reboots, it generates

25
00:01:29,530 --> 00:01:32,370
this log, and records everything that goes on

26
00:01:32,420 --> 00:01:34,818
in your system, how it cleans up the

27
00:01:34,844 --> 00:01:37,520
memory, what processes are starting up,

28
00:01:38,570 --> 00:01:40,434
if it is having any issues,

29
00:01:40,592 --> 00:01:42,270
it will log everything in there.

30
00:01:42,380 --> 00:01:46,378
Then you have chronyd, which is a newer version of NTP,

31
00:01:46,474 --> 00:01:51,658
it has its own log. cron, maillog, secure logs,

32
00:01:51,754 --> 00:01:53,434
the next one we have is the messages

33
00:01:53,482 --> 00:01:56,550
log. messages is one of the important logs that

34
00:01:56,600 --> 00:02:01,650
every system administrator uses to monitor system activities.

35
00:02:01,970 --> 00:02:07,146
Everything that is hardware wise, application wise or process

36
00:02:07,208 --> 00:02:09,834
wise, anything that has to do with the system or

37
00:02:09,872 --> 00:02:14,386
even application wise, it goes into /var/log/messages.

38
00:02:14,578 --> 00:02:17,314
Then the last one we have is httpd,

39
00:02:17,362 --> 00:02:20,130
which is the Apache application log.

40
00:02:20,240 --> 00:02:21,978
So, without further ado, I will

41
00:02:22,004 --> 00:02:25,170
log into my Linux machine.

42
00:02:26,030 --> 00:02:27,680
I log in as myself.

43
00:02:28,610 --> 00:02:31,890
I already have an IP that is specified.

44
00:02:33,650 --> 00:02:39,930
So once I log in, I will go into the /var/log directory.

45
00:02:41,030 --> 00:02:45,870
When I am in the /var/log directory, I can run the ls -l

46
00:02:45,920 --> 00:02:51,574
command, or simply run ll, and view all the logs.

47
00:02:51,682 --> 00:02:54,210
And once again, when I run that, it has

48
00:02:54,260 --> 00:02:56,734
so many logs, so many files, so many directories

49
00:02:56,842 --> 00:02:59,010
that I cannot view them all in one page.

50
00:02:59,060 --> 00:03:03,102
So what I will do is ll, pipe it to more, and you

51
00:03:03,116 --> 00:03:08,550
will see, ll will list all the files in alphabetical order.

52
00:03:09,230 --> 00:03:11,722
So the first one is audit.

53
00:03:11,806 --> 00:03:14,562
audit is one of the files or

54
00:03:14,636 --> 00:03:17,360
directories that has all the audit information.

55
00:03:17,750 --> 00:03:19,890
Then we have boot.log.

56
00:03:20,000 --> 00:03:21,702
Let's look at boot.log.

57
00:03:21,776 --> 00:03:25,040
When you do more on boot.log,

58
00:03:25,850 --> 00:03:29,122
I get a message saying Permission denied.

59
00:03:29,266 --> 00:03:31,746
Why do I get that message?

60
00:03:31,928 --> 00:03:36,834
Because the boot.log is owned by root, and

61
00:03:36,932 --> 00:03:40,618
the group who owns that file is also root.

62
00:03:40,774 --> 00:03:42,394
So, am I root?

63
00:03:42,502 --> 00:03:45,046
whoami, I'm not root.

64
00:03:45,178 --> 00:03:47,730
Okay, so if I'm not root, do I have

65
00:03:47,780 --> 00:03:50,538
the permission to read the file? And as others

66
00:03:50,624 --> 00:03:53,562
I should have read permission right here, right?

67
00:03:53,636 --> 00:03:54,766
Last three bits.

68
00:03:54,898 --> 00:03:58,434
Or if I'm part of the group, I should have access here.

69
00:03:58,472 --> 00:04:02,014
So neither group nor regular ordinary users

70
00:04:02,062 --> 00:04:03,646
have access to read the file.

71
00:04:03,718 --> 00:04:05,010
So only root has it.

72
00:04:05,060 --> 00:04:07,410
So we will become root.

73
00:04:07,447 --> 00:04:11,310
[No audio]

74
00:04:11,310 --> 00:04:16,560
Go back to /var/log and we'll do more boot.log.

75
00:04:17,130 --> 00:04:21,190
When I hit enter, you'll see on the left side, it

76
00:04:21,240 --> 00:04:26,458
is coming up with OK messages while the system is booting up.

77
00:04:26,603 --> 00:04:28,978
Every time there is an issue with the

78
00:04:29,004 --> 00:04:30,898
system booting up, it will come up with

79
00:04:30,924 --> 00:04:35,018
a message saying false or error or alert.

80
00:04:35,174 --> 00:04:36,790
So you'll see, it is starting

81
00:04:36,900 --> 00:04:38,806
all the services one by one.

82
00:04:38,868 --> 00:04:41,290
It is starting all the processes.

83
00:04:42,150 --> 00:04:44,494
Welcome to CentOS Linux 7.

84
00:04:44,592 --> 00:04:49,570
It's going through each step of this boot startup, and

85
00:04:49,620 --> 00:04:53,820
when it starts up completely, it stops the log.

86
00:04:54,510 --> 00:05:00,766
When you reboot your system, this file, which

87
00:05:00,828 --> 00:05:06,422
is, sorry, ls -l boot.log, this file gets overwritten.

88
00:05:06,566 --> 00:05:10,190
So if I reboot my machine right now, it will generate

89
00:05:10,250 --> 00:05:14,280
a newer file and it will rewrite the boot.log.

90
00:05:14,970 --> 00:05:17,530
Okay, so the next one we have

91
00:05:17,691 --> 00:05:25,351
is chrony. chrony is a replacement for the NTP service.

92
00:05:25,870 --> 00:05:29,330
Any type of changes that we make on the

93
00:05:29,380 --> 00:05:34,250
chrony service, it actually generates a log and it

94
00:05:34,300 --> 00:05:37,298
actually logs that information into that log.

95
00:05:37,444 --> 00:05:40,910
The next one we have in the list is cron.

96
00:05:41,470 --> 00:05:43,418
If you look at it on the left hand

97
00:05:43,444 --> 00:05:45,954
side, I'm just going by what I have listed.

98
00:05:46,062 --> 00:05:50,798
There are many other files and if you have

99
00:05:50,884 --> 00:05:55,454
time and if you are interested in learning all

100
00:05:55,492 --> 00:05:58,430
these different logs, then please be my guest.

Try

101
00:05:58,430 --> 00:05:59,890
out every command, oh sorry,

102
00:05:59,890 --> 00:06:02,920
try out every file and see what they are used for.

103
00:06:03,490 --> 00:06:04,874
The next one I wanted to cover

104
00:06:04,912 --> 00:06:07,180
is the cron, which is right here.

105
00:06:08,110 --> 00:06:11,198
Whenever you schedule a job or a process through a

106
00:06:11,224 --> 00:06:16,274
crontab entry, it generates some kind of activity and

107
00:06:16,312 --> 00:06:20,418
that activity or that record is logged into this file.

108
00:06:20,514 --> 00:06:22,934
So you could do more on cron and you will

109
00:06:22,972 --> 00:06:25,446
see all the information about the cron.

110
00:06:25,578 --> 00:06:28,070
And by the way, whenever you open up a log

111
00:06:28,120 --> 00:06:32,414
file, the first field is the month, the second is the date,

112
00:06:32,512 --> 00:06:36,338
then the time, your hostname, the daemon, which

113
00:06:36,364 --> 00:06:40,890
is CROND, the process ID associated with that daemon,

114
00:06:41,010 --> 00:06:45,470
the user who's running that, and the command or the

115
00:06:45,520 --> 00:06:48,318
entry that has been associated with the cron.

116
00:06:48,474 --> 00:06:53,090
Moving on, we have the next one, we have

117
00:06:53,200 --> 00:06:56,726
quickly, there is a command called dmesg.

118
00:06:56,908 --> 00:06:58,790
When you run this command, this one

119
00:06:58,840 --> 00:07:01,326
also gives you information about the hardware.

120
00:07:01,458 --> 00:07:03,630
If you do not want to run this command,

121
00:07:03,690 --> 00:07:06,278
you could simply do cat on the messages as

122
00:07:06,304 --> 00:07:09,520
well, which will give you the exact same information.

123
00:07:10,030 --> 00:07:14,390
The next one we have is maillog.

124
00:07:14,560 --> 00:07:20,342
maillog has all the information about your sendmail daemon,

125
00:07:20,342 --> 00:07:22,358
which means every time you send an

126
00:07:22,384 --> 00:07:25,502
email out or every time an email comes in,

127
00:07:25,636 --> 00:07:29,260
all that activity is being recorded in this log.

128
00:07:29,260 --> 00:07:31,450
[No audio]

129
00:07:31,450 --> 00:07:33,734
Whenever you are troubleshooting issues

130
00:07:33,832 --> 00:07:35,630
with the sendmail service,

131
00:07:35,800 --> 00:07:38,102
this is one of the logs you will have to look into

132
00:07:38,176 --> 00:07:42,890
to see why your server is not able to send emails.

133
00:07:43,570 --> 00:07:48,314
Moving on, then we have the secure log right here.

134
00:07:48,412 --> 00:07:51,340
Now secure is the log that actually

135
00:07:52,330 --> 00:07:55,970
records all your logging in, logging out activity.

136
00:07:56,350 --> 00:08:00,098
So when you do more on secure, you'll see all

137
00:08:00,124 --> 00:08:02,654
the users that have been logged in, if they have

138
00:08:02,692 --> 00:08:06,774
failed logging in, or from which machine they are logging

139
00:08:06,822 --> 00:08:09,378
in, all the information about the users.

140
00:08:09,474 --> 00:08:14,678
So what I'm going to do is I'm going to do tail -f.

141
00:08:14,824 --> 00:08:17,246
Now -f is the option that

142
00:08:17,308 --> 00:08:20,246
will keep on sniffing the log.

143
00:08:20,368 --> 00:08:24,374
And every time a new record is added to the log, that

144
00:08:24,412 --> 00:08:27,722
tail -f will get that newest record at the bottom.

145
00:08:27,856 --> 00:08:32,857
So if I do tail -f secure, and

146
00:08:32,884 --> 00:08:35,774
I'll keep running this command. This command is running.

147
00:08:35,812 --> 00:08:39,626
Now I'm going to open up another session, another

148
00:08:39,688 --> 00:08:42,169
PuTTY session I have already saved.

149
00:08:42,789 --> 00:08:48,049
And if I log in as myself and I type

150
00:08:48,100 --> 00:08:51,169
in the wrong password, let's say, as soon as I type

151
00:08:51,220 --> 00:08:54,193
the wrong password, you see in the background, it says right

152
00:08:54,232 --> 00:08:58,190
here, Failed password for iafzal, and I'm trying

153
00:08:58,240 --> 00:09:01,843
to log in from this machine, 192.168.1.8.

154
00:09:02,870 --> 00:09:06,150
If I log back in with the correct password,

155
00:09:07,490 --> 00:09:12,594
then I will get that additional record for my

156
00:09:12,632 --> 00:09:16,460
session saying, session opened for user iafzal.

157
00:09:17,030 --> 00:09:22,842
So this is about the secure log file, and

158
00:09:22,976 --> 00:09:28,470
the next one is one of the most important log

159
00:09:28,520 --> 00:09:33,270
files that you should spend your time in, messages.

160
00:09:34,010 --> 00:09:36,858
Every time there is an issue with your machine, the

161
00:09:36,884 --> 00:09:41,638
first thing an administrator does is log into your machine

162
00:09:41,734 --> 00:09:46,306
and trace the logs in the messages file.

163
00:09:46,438 --> 00:09:49,350
So you do cd /var/log, and

164
00:09:49,400 --> 00:09:51,330
then you do more on messages.

165
00:09:51,710 --> 00:09:54,418
Now this file, once again, this file

166
00:09:54,454 --> 00:09:57,906
has all the hardware information, all the software information,

167
00:09:58,088 --> 00:10:02,406
all the application information, all the process information, everything

168
00:10:02,468 --> 00:10:04,820
is being logged into this log.

169
00:10:05,330 --> 00:10:10,858
So if I wanted to see how many lines this log file

170
00:10:10,894 --> 00:10:14,742
has, I could do cat messages and pipe it to wc -l.

171
00:10:14,816 --> 00:10:18,714
So you see I have 7103 lines. If I wanted to see

172
00:10:18,752 --> 00:10:21,646
if there are any error messages in this file,

173
00:10:21,718 --> 00:10:24,114
I'll do grep -i, -i is to

174
00:10:24,152 --> 00:10:30,102
ignore uppercase and lowercase, from the messages file, and you'll see

175
00:10:30,176 --> 00:10:33,750
it actually grepped every line inside of this log

176
00:10:33,800 --> 00:10:36,898
file that has a message called error.

177
00:10:36,994 --> 00:10:38,514
So this way you could go in and

178
00:10:38,552 --> 00:10:41,550
see what's going on with your system, what

179
00:10:41,600 --> 00:10:44,530
happened, why it failed, what time it failed.

180
00:10:44,650 --> 00:10:49,398
So anyway, let's wrap up the lesson and

181
00:10:49,484 --> 00:10:52,710
again spend some time in this /var/log/messages.

182
00:10:53,210 --> 00:10:57,234
Go over all these log files, specifically the

183
00:10:57,272 --> 00:10:59,622
ones I have in this lesson and see

184
00:10:59,696 --> 00:11:01,590
what type of different logs there are.

185
00:11:01,640 --> 00:11:04,030
View them, grep them for certain errors

186
00:11:04,150 --> 00:11:05,801
and get yourself familiar with them.

187
00:11:05,801 --> 00:11:08,202
[No audio]
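
Added example, not part of the lesson's recording: the two checks the lesson does by hand, watching secure for "Failed password" and "session opened" records and grepping messages for "error", written as a small POSIX shell script so they can be re-run as a summary. Every log line in it is a constructed sample; the hostname centos7, the PIDs, and the addresses 192.168.1.8 and 203.0.113.7 are assumptions for the example, not output from the lesson's machine.

```shell
#!/bin/sh
# Added example (not from the lesson): a summary script for the checks the
# lesson runs by hand, "tail -f secure" and "grep -i error messages".
# All log lines below are constructed samples; the hostname, PIDs and
# addresses are assumptions and not output from the lesson's machine.

SAMPLE_SECURE='Mar  3 09:12:01 centos7 sshd[2211]: Failed password for iafzal from 192.168.1.8 port 51022 ssh2
Mar  3 09:12:05 centos7 sshd[2211]: Failed password for iafzal from 192.168.1.8 port 51022 ssh2
Mar  3 09:12:09 centos7 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 40110 ssh2
Mar  3 09:12:11 centos7 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 40111 ssh2
Mar  3 09:12:13 centos7 sshd[2213]: Failed password for invalid user oracle from 203.0.113.7 port 40112 ssh2
Mar  3 09:12:15 centos7 sshd[2213]: Failed password for root from 203.0.113.7 port 40113 ssh2
Mar  3 09:12:30 centos7 sshd[2215]: Accepted password for iafzal from 192.168.1.8 port 51030 ssh2
Mar  3 09:12:30 centos7 sshd[2215]: pam_unix(sshd:session): session opened for user iafzal by (uid=0)'

SAMPLE_MESSAGES='Mar  3 09:10:44 centos7 kernel: sd 2:0:0:0: [sdb] Attached SCSI disk
Mar  3 09:11:02 centos7 systemd: Started Session 12 of user iafzal.
Mar  3 09:11:30 centos7 kernel: blk_update_request: I/O error, dev sdb, sector 2048
Mar  3 09:11:35 centos7 dhclient[1017]: DHCPREQUEST on eth0 to 192.168.1.1 port 67
Mar  3 09:11:45 centos7 kernel: ACPI Error: Namespace lookup failure, AE_NOT_FOUND'

# Every syslog-style line starts with month, day, time, hostname and the
# daemon with its PID, the layout the lesson walks through on the cron log.
# Return just the daemon name of one line: "sshd[2211]:" -> "sshd".
daemon_of() {
    printf '%s\n' "$1" | awk '{ name = $5; sub(/\[.*$/, "", name); sub(/:$/, "", name); print name }'
}

# "count address" for each client that produced a Failed password line,
# most frequent first. The address is the word after "from" rather than a
# fixed column, because "invalid user" lines carry two extra fields.
failed_by_source() {
    printf '%s\n' "$1" \
      | awk '/sshd\[[0-9]+\]: Failed password for/ {
                 for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break }
             }' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# Addresses with at least $2 failures: one failed login, as in the lesson,
# is a typo; a burst from one address is a password-guessing attempt.
sources_over_threshold() {
    failed_by_source "$1" | awk -v limit="$2" '$1 >= limit { print $2 }'
}

# Users for whom a "session opened" record was written.
sessions_opened() {
    printf '%s\n' "$1" \
      | awk '/session opened for user/ {
                 for (i = 1; i <= NF; i++) if ($i == "user") { print $(i + 1); break }
             }' \
      | sort -u
}

# Case-insensitive count of lines containing "error", the lesson's
# "grep -i error" check; grep exits 1 on no match, so keep the 0 and go on.
error_count() {
    printf '%s\n' "$1" | grep -ic 'error' || true
}

# Stand-alone run over the constructed samples. On a real box, as root, use
# failed_by_source "$(cat /var/log/secure)" and error_count "$(cat /var/log/messages)".
echo "failed logins by source address:"
failed_by_source "$SAMPLE_SECURE"
echo "sources with 3 or more failures: $(sources_over_threshold "$SAMPLE_SECURE" 3)"
echo "sessions opened for: $(sessions_opened "$SAMPLE_SECURE")"
echo "error lines in messages sample: $(error_count "$SAMPLE_MESSAGES")"
```

Run it as root or through sudo when pointing it at the real files, since secure and boot.log are root-only, as the lesson shows with the Permission denied message. The script thresholds per source address rather than per user, because one address cycling through admin, oracle and root is the signal worth alerting on, and it picks the address out of the field after "from" so the extra "invalid user" words do not shift it into the wrong column.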