Chapter 11: Analyze and Store Logs

Welcome to this post on analyzing and storing logs in Red Hat Enterprise Linux. Chapter 11 of the RH124 course covers the logging architecture and why it matters for troubleshooting and for reviewing system status: how to find and interpret entries in syslog files and the system journal, how to configure the journal to preserve its record of events across a reboot, and how to keep time accurate with Network Time Protocol (NTP) and the correct time zone so that the time stamps on journal and log entries can be trusted. In this lab I work through a subset of that: I set the time zone, query the journal for a time window, and configure rsyslog to route selected messages to a file of my own. By the end of the lab I will have a solid grasp of the basics of the logging architecture and how to apply them. So, let's get started!

Question 1: Log in to the serverb machine as the student user.

Solution:

To achieve this, I use the ssh student@serverb command, which logs me in to the serverb machine over SSH with the student user's credentials.

Question 2: Pretend that the serverb machine is relocated to Jamaica and that you must update the time zone to America/Jamaica. Verify that you correctly set the appropriate time zone.

Solution:

To accomplish this, I start with the tzselect command, which lists the available time zones by continent and then by country. I select the Americas (option 2) and then Jamaica (option 30). Note that tzselect only prints the matching TZ value, here America/Jamaica; it does not change the system setting. After confirming that the information it displays is correct, I run sudo timedatectl set-timezone America/Jamaica to set the time zone with root privileges.

To confirm the change, I run timedatectl, which prints the current clock settings of the serverb machine. The Time zone line now reads America/Jamaica, and the same output shows whether the system clock is synchronized with NTP, which is the other half of getting correct time stamps. And just like that, the time zone reflects the new location of the serverb machine!

Question 3: View the recorded log events in the previous 30 minutes on the serverb machine.

Solution:

To accomplish this, I use the journalctl command, which queries the systemd journal. Its --since and --until options bound the query to a time range. The lab was done at about 05:26 local time, so the command journalctl --since 04:56:21 --until 05:26:21 shows everything recorded in the previous 30 minutes. Two things are worth knowing here. First, journalctl interprets those times in the system's local time zone, which is one reason the time zone set in the previous step matters. Second, the range can be given relative to now instead of as fixed clock times, for example journalctl --since "30min ago", which is the form I would use in a script. Adding -p err narrows the output to messages of priority err or more severe, a quick way to separate problems from routine activity in a busy window.
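The same 30-minute window can be applied to the journal's machine-readable export, which is handy when the window is busy or when you want to post-process the result. The script below is an added example written for this post; it is not part of the RH124 lab. It reads the JSON Lines format that journalctl -o json writes (one object per line, with __REALTIME_TIMESTAMP in microseconds since the epoch and PRIORITY as the syslog severity 0 to 7, both as strings), keeps the entries inside a since/until window, and then keeps only those at a chosen severity or worse, the way -p does. The entries, host name, addresses and reference time in it are constructed so that it runs offline; the script name journal_window.py in the usage comment is an assumption.

```python
"""Filter `journalctl -o json` output to a time window and a minimum severity.

Added example for the journalctl step of this lab; it is not the lab's own
code. The sample entries below are constructed to mimic journald's field
names and a fixed reference time is used so the example runs offline. To use
it on a live system, pipe real output into it instead:

    journalctl --since "30min ago" -o json | python3 journal_window.py
"""
import json
import sys
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed reference point standing in for "now": 2023-11-14 22:46:40 UTC.
NOW = EPOCH + timedelta(seconds=1_700_002_000)


def _entry(seconds, priority, ident, message, **extra):
    """Build one constructed journal entry in journalctl -o json shape."""
    e = {"__REALTIME_TIMESTAMP": str(seconds * 1_000_000), "PRIORITY": str(priority),
         "SYSLOG_IDENTIFIER": ident, "MESSAGE": message, "_HOSTNAME": "serverb"}
    e.update(extra)
    return json.dumps(e)


# Constructed sample export (host, users, addresses and text are made up).
SAMPLE_EXPORT = "\n".join([
    _entry(1_700_000_000, 6, "systemd", "Reached target Multi-User System."),   # 33 min before NOW
    _entry(1_700_000_300, 6, "systemd", "Started Session 3 of User student."),  # 28 min before NOW
    _entry(1_700_001_200, 3, "sshd", "error: PAM: Authentication failure for illegal user admin from 203.0.113.5"),
    _entry(1_700_001_500, 6, "sshd", "Accepted publickey for student from 203.0.113.10 port 51234 ssh2"),
    _entry(1_700_001_900, 1, "student", "Logging test authpriv.alert", SYSLOG_FACILITY="10"),
    _entry(1_700_002_100, 6, "systemd", "Starting Cleanup of Temporary Directories..."),  # after NOW
])


def parse_export(text):
    """Parse journalctl -o json output into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def entry_time(entry):
    """Exact microsecond-to-datetime conversion (no float rounding of big counts)."""
    return EPOCH + timedelta(microseconds=int(entry["__REALTIME_TIMESTAMP"]))


def in_window(entries, since, until):
    """Keep entries with since <= time <= until, the span --since/--until select."""
    return [e for e in entries if since <= entry_time(e) <= until]


def at_least_as_severe(entries, worst_allowed="err"):
    """Keep entries at the given severity or worse (numerically lower), like
    journalctl -p <level>. Entries without a PRIORITY field are kept: silently
    dropping them would hide exactly the odd events worth a second look."""
    limit = SEVERITY_NAMES.index(worst_allowed)
    return [e for e in entries if "PRIORITY" not in e or int(e["PRIORITY"]) <= limit]


def recent_problems(export_text, now=NOW, minutes=30, worst_allowed="err"):
    """Rows of (UTC time, severity, identifier, message) for the last N minutes."""
    entries = in_window(parse_export(export_text), now - timedelta(minutes=minutes), now)
    rows = []
    for e in at_least_as_severe(entries, worst_allowed):
        sev = SEVERITY_NAMES[int(e["PRIORITY"])] if "PRIORITY" in e else "?"
        rows.append((entry_time(e).strftime("%Y-%m-%d %H:%M:%S"), sev,
                     e.get("SYSLOG_IDENTIFIER", "?"), e.get("MESSAGE", "")))
    return rows


if __name__ == "__main__":
    piped = not sys.stdin.isatty()
    text = sys.stdin.read() if piped else SAMPLE_EXPORT
    now = datetime.now(timezone.utc) if piped else NOW
    for row in recent_problems(text, now):
        print("  ".join(row))
```

Run stand-alone it reports the two entries in the constructed window that are err or worse: the PAM failure and the authpriv.alert test message. The times it prints are UTC, unlike journalctl's default output, which renders time stamps in the system time zone; that difference is exactly why the earlier time zone step is not cosmetic when you compare a journal against logs from another machine.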

Question 4: Create the /etc/rsyslog.d/auth-errors.conf file. Configure the rsyslog service to write the message Logging test authpriv.alert to the /var/log/auth-errors file. Use the authpriv facility and the alert priority.

Solution:

To do this, I create a new configuration file and put the logging rule in it. I open the file with sudo vim /etc/rsyslog.d/auth-errors.conf and add a single rule line: authpriv.alert /var/log/auth-errors. In a classic rsyslog selector the priority means "this priority or more severe", so this rule catches authpriv messages at alert and at emerg; to catch alert alone I would write authpriv.=alert. Once I save and close the file, I restart the service with sudo systemctl restart rsyslog so that it reads the new file; rsyslog does not pick up configuration changes on its own.

Now I test the rule with the logger command. logger -p authpriv.alert "Logging test authpriv.alert" sends that message with the authpriv facility and the alert priority. Finally I verify it with sudo tail /var/log/auth-errors, which displays the last lines of the file and confirms that the message landed there. Because the default configuration already routes authpriv.* to /var/log/secure, the same line appears there too. Since authpriv messages can carry sensitive authentication details, it is also worth checking the permissions of the newly created file with ls -l /var/log/auth-errors before relying on it.
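To make the selector semantics concrete, here is an added example written for this post, not part of the RH124 material: it computes the PRI number that logger -p authpriv.alert attaches to a message (facility times 8 plus severity) and expands sysklogd-style selector fields of the kind rsyslog still accepts, so you can see which of a handful of constructed messages a rule such as authpriv.alert /var/log/auth-errors would write, compared with authpriv.=alert and with the *.info;authpriv.none shape used for /var/log/messages. The `!` negation form is deliberately left out. The messages in SAMPLE_MESSAGES are constructed.

```python
"""Syslog facility/severity encoding and classic rsyslog selector matching.

Added example for the rsyslog step of this lab; not part of the RH124
material. pri_value() encodes 'facility.severity' the way logger -p does, and
selector_mask() expands a selector field ('facility.severity', '=severity'
for one exact level, 'none', '*', comma-separated facilities, ';'-separated
selectors). The '!' negation form is intentionally not modelled. The sample
messages are constructed.
"""

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
# Lower number = more severe. panic/error/warn are the deprecated aliases.
SEVERITIES = {
    "emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
    "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7,
}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
_FACILITY_NAME = {v: k for k, v in FACILITIES.items()}


def pri_value(spec):
    """'facility.severity' -> PRI = facility * 8 + severity ('authpriv.alert' -> 81)."""
    fac, _, sev = spec.partition(".")
    return FACILITIES[fac] * 8 + SEVERITIES[sev]


def decode_pri(pri):
    """PRI -> (facility name, severity name); raises for a facility not named above."""
    fac_num, sev_num = divmod(pri, 8)
    return _FACILITY_NAME[fac_num], SEVERITY_NAMES[sev_num]


def selector_mask(selector_field):
    """Expand a selector field into {facility: set of severity numbers written}.

    A plain severity means "this level and anything more severe", '=' pins one
    level, 'none' drops the facility, '*' means every facility or every level.
    Later ';'-separated selectors add to earlier ones, except 'none', which
    removes what earlier ones granted for that facility."""
    mask = {fac: set() for fac in FACILITIES}
    for selector in selector_field.split(";"):
        facs, _, level = selector.strip().rpartition(".")
        targets = list(FACILITIES) if facs == "*" else [f.strip() for f in facs.split(",")]
        for fac in targets:
            if level == "none":
                mask[fac].clear()
            elif level == "*":
                mask[fac].update(range(8))
            elif level.startswith("="):
                mask[fac].add(SEVERITIES[level[1:]])
            else:
                mask[fac].update(range(SEVERITIES[level] + 1))
    return mask


def selector_matches(selector_field, pri):
    """Would a rule with this selector field write a message carrying this PRI?"""
    fac, sev = decode_pri(pri)
    return SEVERITIES[sev] in selector_mask(selector_field)[fac]


# Constructed messages as (logger -p spec, text); the first is the lab's own test line.
SAMPLE_MESSAGES = [
    ("authpriv.alert", "Logging test authpriv.alert"),
    ("authpriv.emerg", "constructed: emergency on the authpriv facility"),
    ("authpriv.info", "pam_unix(sshd:session): session opened for user student"),
    ("auth.alert", "constructed: alert on the plain auth facility"),
    ("kern.alert", "constructed: kernel alert"),
]


def route(rule_selector, messages=SAMPLE_MESSAGES):
    """Texts that a rule with this selector field would write to its target file."""
    return [text for spec, text in messages if selector_matches(rule_selector, pri_value(spec))]


if __name__ == "__main__":
    for rule in ("authpriv.alert", "authpriv.=alert", "authpriv.*", "*.info;authpriv.none"):
        print(f"{rule:22} -> {route(rule)}")
```

The output shows the point of the caveat above: the lab's authpriv.alert rule also captures an authpriv emerg message, authpriv.=alert captures only the alert, and the *.info;authpriv.none shape never writes authpriv traffic to its target, which is why authentication details end up in /var/log/secure rather than /var/log/messages on a default RHEL system.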

Conclusion

In this lab I've worked through some of the key tools for managing system logging on Red Hat Enterprise Linux. I logged in to the serverb machine and set the time zone to America/Jamaica so that logged events carry correct time stamps. Next I used journalctl to view the events recorded in the previous 30 minutes, which is a routine first step when troubleshooting a problem or reviewing system status. Finally I configured rsyslog to write messages of a chosen facility and priority to their own file and verified the rule with logger, a small demonstration of how flexible the logging architecture is. These tasks are the foundation for understanding and managing logging on this platform. If you have any questions or comments about this lab or about system logging in general, please share them in the comments section below. I am always happy to hear from my readers and to talk about system administration and related topics. Thank you for reading, and I look forward to hearing from you!