Difference between revisions of "Linux Logging"
Tags: Mobile web edit, Mobile edit
(8 intermediate revisions by the same user not shown)
Line 1: | Line 1: | ||
− | Linux logs are save usually in <code>/var/log</code> folder. Most linux distribution uses [[syslog]], [[syslog-ng]] or [[Rsyslogd|rsyslog]] software for logging or sending them to remote servers. Analytics and visualisation software such a [[Elasticsearch]] and [[Kibana]] can be used for log inspection. | + | Linux [[logs]] are save usually in <code>/var/log</code> folder. Most linux distribution uses [[syslog]], [[syslog-ng]] or [[Rsyslogd|rsyslog]] software for logging or sending them to remote servers. Analytics and visualisation software such a [[Elasticsearch]] and [[Kibana]] can be used for log inspection. |
Usage by Distribution: | Usage by Distribution: | ||
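Review bot: the reworded line at Line 1 only adds a link and keeps three grammar errors from the old text: "are save usually in /var/log folder" should read "are usually saved in the /var/log directory", "Most linux distribution uses" should read "Most Linux distributions use", and "such a Elasticsearch" should read "such as Elasticsearch".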
Line 10: | Line 10: | ||
[[SSH]] sessions logging: | [[SSH]] sessions logging: | ||
− | * Debian/Ubuntu: <code>/var/log/auth.log</code> | + | * Debian/Ubuntu: <code>/var/log/[[auth.log]]</code> |
* RHEL/Fedora: <code>/var/log/secure</code> | * RHEL/Fedora: <code>/var/log/secure</code> | ||
Ubuntu: | Ubuntu: | ||
− | * <code>/var/log/[[kern.log]]</code> | + | * <code>[[/var/log/]][[kern.log]]</code> |
== Rsyslog == | == Rsyslog == | ||
− | Rsyslogd supports queued operations to handle offline outputs. | + | [[Rsyslogd]] supports queued operations to handle offline outputs. |
Official documentation: https://www.rsyslog.com/doc/v8-stable/configuration/index.html | Official documentation: https://www.rsyslog.com/doc/v8-stable/configuration/index.html | ||
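Review bot: the SSH log list is now linked inconsistently: `/var/log/[[auth.log]]` gains a link while `/var/log/secure` on the next line stays plain text; link both or neither. The kern.log line also nests two separate links inside one `<code>` element (`[[/var/log/]][[kern.log]]`), which renders as a single path that points at two different pages; a single link on the file name is clearer.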
Line 35: | Line 35: | ||
* <code>[[docker-compose logs]]</code> | * <code>[[docker-compose logs]]</code> | ||
+ | |||
+ | |||
+ | == Related terms == | ||
+ | * [[Zabbix agent]] | ||
+ | * [[Cisco logging]] | ||
== Activities == | == Activities == | ||
* Understand [[container logging]] (part of [[CKAD]] certification) | * Understand [[container logging]] (part of [[CKAD]] certification) | ||
* Read "The Twelve-Factor App": XI.: Logs https://12factor.net/logs | * Read "The Twelve-Factor App": XI.: Logs https://12factor.net/logs | ||
+ | * Review linux [[Journalctl logs]] messages | ||
== See also == | == See also == | ||
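Review bot: the new "== Related terms ==" heading is preceded by two added blank lines while the other headings on the page have none before them; drop the extra blank lines. The added activity "Review linux [[Journalctl logs]] messages" reads awkwardly; "Review Linux [[Journalctl logs]] messages" with "log messages" rather than "logs messages" is clearer.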
Line 46: | Line 52: | ||
* {{audit}} | * {{audit}} | ||
* [[Netflow]] for network logging | * [[Netflow]] for network logging | ||
− | * | + | * {{MQ}} |
* [[fluentd]] | * [[fluentd]] | ||
* {{ELK}} | * {{ELK}} | ||
* {{stdin}} | * {{stdin}} | ||
− | * | + | * {{show logging}} |
[[Category:Linux]] | [[Category:Linux]] |
Latest revision as of 06:34, 14 April 2021
Linux logs are usually saved in the /var/log directory. Most Linux distributions use syslog, syslog-ng or rsyslog for local logging and for forwarding logs to remote servers. Analytics and visualisation software such as Elasticsearch and Kibana can be used for log inspection.
Usage by distribution:
- Debian/Ubuntu: rsyslog
- RHEL/Fedora:
Standard logs:
- Debian/Ubuntu: /var/log/syslog
- RHEL/Fedora: /var/log/messages
SSH sessions logging:
- Debian/Ubuntu: /var/log/auth.log
- RHEL/Fedora: /var/log/secure
Ubuntu:
- /var/log/kern.log
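As an added example (not part of the original page), a POSIX shell script that selects the SSH authentication log from the distribution mapping above and summarises failed password attempts per source address; the sample log lines, the threshold and the function names are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example for this page (not from the original wiki): locate the SSH
# authentication log for the running distribution, then summarise failed
# password attempts per source address. The path mapping is the one the
# page gives; the sample log lines below are constructed.

# Print the SSH auth log path for a distribution, read from an os-release
# file passed as $1 (a parameter so it can be tested against a fixture).
auth_log_path() {
  ids=$(. "$1" 2>/dev/null && printf '%s %s' "${ID:-}" "${ID_LIKE:-}")
  case " $ids " in
    *debian*|*ubuntu*)        echo /var/log/auth.log ;;
    *rhel*|*fedora*|*centos*) echo /var/log/secure ;;
    *) return 1 ;;
  esac
}

# Read auth log text on stdin; print "<count> <ip>" for each source IP that
# produced "Failed password" events, most frequent first.
failed_ssh_by_ip() {
  grep 'sshd\[[0-9]*\]: Failed password' \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn
}

# Read the output of failed_ssh_by_ip on stdin; print only the IPs whose
# failure count reaches the threshold given as $1.
flag_repeat_failures() {
  awk -v t="$1" '$1 >= t { print $2 }'
}

# Constructed sample in the syslog line format rsyslog writes to auth.log/secure.
SAMPLE_AUTH_LOG='Apr 14 06:30:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Apr 14 06:30:03 host sshd[1235]: Failed password for root from 203.0.113.5 port 51023 ssh2
Apr 14 06:31:10 host sshd[1240]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Apr 14 06:32:00 host sshd[1241]: Failed password for bob from 198.51.100.9 port 40100 ssh2'

# Demo on the sample; on a real host replace the printf with
#   cat "$(auth_log_path /etc/os-release)"
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_ssh_by_ip
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_ssh_by_ip | flag_repeat_failures 2
```

On hosts that log only to journald and have no auth.log, feed the functions with `journalctl _COMM=sshd --no-pager` instead of the file.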
Rsyslog
Rsyslogd supports queued operations, so messages for an output that is temporarily offline (a remote server, for example) are buffered instead of dropped. Official documentation: https://www.rsyslog.com/doc/v8-stable/configuration/index.html
Log checkers
Rsyslog Configuration
Default configuration files by distribution:
- Debian: /etc/rsyslog.conf (man rsyslog.conf: https://linux.die.net/man/5/rsyslog.conf)
- Ubuntu: /etc/rsyslog.d/50-default.conf
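An added example of the queued forwarding described above, written in rsyslog v8 syntax for a drop-in under /etc/rsyslog.d/; it is not taken from the page or from rsyslog's shipped defaults, and the collector name logs.example.internal, the port, the certificate paths and the drop-in file name are assumptions.

```rsyslog
# Added example for this page, not rsyslog's own shipped configuration.
# Drop-in /etc/rsyslog.d/60-forward.conf (file name is an assumption):
# forward every message to a remote collector over TLS and spool it on disk
# while the collector is unreachable, so an outage loses nothing.
# Hostname, port and certificate paths are assumptions.

global(
    workDirectory="/var/spool/rsyslog"              # where queue spool files go
    defaultNetstreamDriver="gtls"
    defaultNetstreamDriverCAFile="/etc/rsyslog.d/ca.pem"
    defaultNetstreamDriverCertFile="/etc/rsyslog.d/client-cert.pem"
    defaultNetstreamDriverKeyFile="/etc/rsyslog.d/client-key.pem"
)

*.* action(
    type="omfwd"
    target="logs.example.internal" port="6514" protocol="tcp"
    streamDriver="gtls"
    streamDriverMode="1"                            # 1 = TLS only, never plaintext
    streamDriverAuthMode="x509/name"                # verify the collector's certificate name
    streamDriverPermittedPeers="logs.example.internal"

    # Disk-assisted queue: messages stay in memory while the collector is up
    # and spill to $workDirectory/fwd_collector* when it is not.
    queue.type="LinkedList"
    queue.filename="fwd_collector"
    queue.maxDiskSpace="1g"
    queue.saveOnShutdown="on"                       # persist the queue when rsyslogd stops
    action.resumeRetryCount="-1"                    # retry forever instead of discarding
    action.resumeInterval="30"                      # seconds between reconnect attempts
)
```

Check the syntax with `rsyslogd -N1` before restarting the service; growing spool files under the work directory are the sign that the collector is unreachable.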
Container logging: Docker
The docker logs command shows the logs of a container; docker-compose logs does the same for the services of a Compose project.
See also https://stackoverflow.com/questions/30969435/where-is-the-docker-daemon-log/30970134#30970134 for further information about docker logs.
Related terms
- Zabbix agent
- Cisco logging
Activities
- Understand container logging (part of CKAD certification)
- Read "The Twelve-Factor App": XI.: Logs https://12factor.net/logs
- Review Linux journalctl log messages
See also
- ack, ag, grep, egrep, fgrep, agrep, ngrep, pgrep, awk, sed, strings, tr, tail, mtail, git grep, wc, uniq, LogQL, findstr (Windows), rg, git-grep, cut
- journald: journalctl, journald.conf, journalctl --help, /dev/console
- Linux logging, Cisco IOS logging
- Audit: acct, atop, tripwire, AIDE, auditd, debsums, AWS Cloudtrail, logwatch, logcheck, Google Santa, Coguard
- Netflow for network logging
- MQ, PubSub, AMQP, NATS, Apache Kafka, IBM MQ, ActiveMQ, Fuse Message Broker, MQTT, NSQ, RabbitMQ, AWS Kinesis and NATS Messaging, ZeroMQ, Message-oriented middleware (MOM), Apache Pulsar, HiveMQ
- fluentd
- Elastic: ELK, Elasticsearch, Logstash, Kibana, Installation, AWS Elasticsearch, Elastic SIEM, Elastic Beats, metricbeat, filebeat, journalbeat, Elasticsearch Service, Search guard, Elasticsearch logs, curator, ILM, Lumberjack protocol, aws_elasticsearch_domain, KQL, elasticsearch.yml, elasticsearch-plugin, elasticsearch-certutil, Elasticsearch release notes/changelog
- Standard streams: /dev/stdin, /dev/stdout, /dev/stderr, /dev/null, File descriptor, set -x, 2>&1, stdbuf
- Cisco IOS logging: show logging
Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. By using this site, you agree to the Terms of Use and Privacy Policy. Original source: https://en.wikiversity.org/wiki/Linux/logging