LINUX LOGS (RHEL-7) P1
LINUX LOGS AND THEIR SIGNIFICANCE
When everything is green and everyone is happy, nobody bothers about anything. They don't even know the name of the person who is responsible for managing their system. But when there is an issue with the system, the magic starts…
Everyone is thinking about…
Who is looking into the issue?
Who is managing our system?
What's his/her name & extension?
What is the ETR?
Where is the update?
Chaos depends upon how big the issue is. You are the sysadmin and now you are the center of attraction…
CHEERS and CONGRATS ……
So, what will you do in this situation ……
Your only rescue is the LOGS…
Whatever you have to do, whether findings or simply TROUBLESHOOTING, you need logs.
Where can you find logs?
/var/log
[root@rhel7-server ~]# cd /var/log
[root@rhel7-server log]# ls -ltr
Ohhhh…. There are too many……….
OK… nothing to be scared of, let's start with baby steps.
Logs are mostly divided into:
Application Logs:
Several applications create their own log directory in /var/log.
E.g.
Apache HTTP Server Logs = /var/log/httpd/ (directory)
Samba SMB Server Logs = /var/log/samba (directory)
Event Logs:
/var/log/messages, which records a variety of events, such as system error messages, system startups and shutdowns, changes in the network configuration, etc.
System Logs:
Most information about the system belongs to System Logs. It also contains everything that used to be in /var/log/messages.
Authorization Log
Daemon Log
Debug Log
Kernel Log
System Log
/var/log/boot.log
A repository of all information related to booting and messages logged during the system startup process. This contains information about the boot process.
[root@rhel7-server log]# tail -10 boot.log
Starting Login Service...
Starting Accounts Service...
Starting RealtimeKit Scheduling Policy Service...
Starting firstboot configuration program (graphical mode)...
Starting LSB: Start the ipr init daemon...
Starting D-Bus System Message Bus...
[ OK ] Started D-Bus System Message Bus.
[ OK ] Started Dump dmesg to /var/log/dmesg.
[ OK ] Started Permit User Sessions.
[ OK ] Started Kernel Samepage Merging.
/var/log/dmesg
During the boot process or kernel load, the system detects and identifies most of the hardware devices on your system. This includes things such as the hard disk, memory, printers, webcams, etc. All of these detections are also referred to as the kernel ring buffer information and are logged in the dmesg file. You can also view this information by using the dmesg command.
This file is overwritten when new messages are sent to it, for example at the next boot.
The kernel ring buffer (simply put, when the kernel spins up it logs all of its information here) is not really a log file, but rather an area in the running kernel that you can query for kernel bootup messages via the dmesg utility. To see the messages, use this:
dmesg | less
[root@rhel7-server log]# tail -5 dmesg
[ 11.651854] XFS (sda1): Ending recovery (logdev: internal)
[ 11.651868] SELinux: initialized (dev sda1, type xfs), uses xattr
[ 11.669973] systemd-journald[830]: Received request to flush runtime journal from PID 1
[ 11.744794] systemd-journald[830]: File /var/log/journal/d576823ceabd4711959e4f1dca3f9d3f/system.journal corrupted or uncleanly shut down, renaming and replacing.
[ 12.266816] type=1305 audit(1532793122.728:4): audit_pid=990 old=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=1
OR,
[root@rhel7-server log]# dmesg | tail -5
[ 3842.558415] e1000: eth0 NIC Link is Down
[ 3842.575452] e1000: eth2 NIC Link is Down
[ 3848.521870] e1000: eth1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
[ 3848.578315] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
[ 3848.597565] e1000: eth2 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
/var/log/cron
All cron daemon related logs are recorded here.
[root@rhel7-server log]# tail -5 cron
Jul 28 18:01:01 rhel7-server run-parts(/etc/cron.hourly)[4183]: starting 0anacron
Jul 28 18:01:01 rhel7-server run-parts(/etc/cron.hourly)[4192]: finished 0anacron
Jul 28 18:01:01 rhel7-server run-parts(/etc/cron.hourly)[4183]: starting 0yum-hourly.cron
Jul 28 18:01:01 rhel7-server run-parts(/etc/cron.hourly)[4198]: finished 0yum-hourly.cron
Jul 28 18:10:01 rhel7-server CROND[4276]: (root) CMD (/usr/lib64/sa/sa1 1 1)
/var/log/messages
This is the event viewer of Linux. This log file contains generic system activity logs and global system messages, including the messages logged during system startup. It is mainly used to store informational and non-critical system messages. Several things are logged in /var/log/messages, including mail, cron, daemon, kern, auth, etc.
[root@rhel7-server log]# tail -5 messages
Jul 28 18:01:01 rhel7-server systemd: Started Session 18 of user root.
Jul 28 18:10:01 rhel7-server systemd: Starting Session 19 of user root.
Jul 28 18:10:01 rhel7-server systemd: Started Session 19 of user root.
Jul 28 18:20:01 rhel7-server systemd: Starting Session 20 of user root.
Jul 28 18:20:01 rhel7-server systemd: Started Session 20 of user root.
/var/log/yum.log
Information that is recorded when a package is installed or removed is stored here.
[root@rhel7-server log]# tail -5 yum.log
Jul 22 17:46:42 Installed: apr-util-1.5.2-6.el7.x86_64
Jul 22 17:46:43 Installed: httpd-tools-2.4.6-17.el7.x86_64
Jul 22 17:46:43 Installed: mailcap-2.1.41-2.el7.noarch
Jul 22 17:46:45 Installed: httpd-2.4.6-17.el7.x86_64
Jul 28 17:28:56 Installed: samba-4.1.1-31.el7.x86_64
/var/log/secure
This log file contains all the authentication and authorization related messages, both failed and successful. It contains information about who logged in, when, and which authentication mechanisms were used.
[root@rhel7-server log]# tail -5 secure
Jul 28 15:53:27 rhel7-server polkitd[1192]: Registered Authentication Agent for unix-session:c1 (system bus name :1.53 [gnome-shell --mode=gdm], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jul 28 17:13:38 rhel7-server sshd[3528]: Accepted password for root from 192.168.135.1 port 4708 ssh2
Jul 28 17:13:38 rhel7-server sshd[3528]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 28 17:15:35 rhel7-server sshd[3617]: Accepted password for root from 192.168.135.1 port 4751 ssh2
Jul 28 17:15:35 rhel7-server sshd[3617]: pam_unix(sshd:session): session opened for user root by (uid=0)
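A quick way to turn lines like these into a review list, as an added example (not part of the original post): the shell function below counts sshd results per user, source address and method, and marks direct root password logins such as the two in the output above. The function name, the REVIEW marker and the two Failed lines in the sample are assumptions made up for illustration.

```shell
#!/usr/bin/env bash
# Summarise sshd authentication results from /var/log/secure-format lines.
# On a real host: summarize_sshd_auth < /var/log/secure

summarize_sshd_auth() {
    # stdin: syslog lines; stdout: one sorted line per (result, user, source, method)
    awk '
        $5 !~ /^sshd\[[0-9]+\]:$/ { next }            # only sshd records
        $6 == "Accepted" || $6 == "Failed" {
            method = $7
            if ($9 == "invalid" && $10 == "user") {   # "Failed password for invalid user X from IP"
                user = $11; src = $13
            } else {                                  # "<result> <method> for X from IP"
                user = $9; src = $11
            }
            seen[toupper($6) " user=" user " src=" src " method=" method]++
        }
        END {
            for (k in seen) {
                flag = ""
                # Direct root login with a password is the case worth reviewing first
                if (k ~ /^ACCEPTED user=root / && k ~ / method=password$/)
                    flag = " REVIEW:root-password-login"
                print k " count=" seen[k] flag
            }
        }
    ' | sort
}

# Constructed sample: the Accepted and pam_unix lines come from the output above,
# the two Failed lines are made up for illustration.
SAMPLE_SECURE='Jul 28 17:13:38 rhel7-server sshd[3528]: Accepted password for root from 192.168.135.1 port 4708 ssh2
Jul 28 17:13:38 rhel7-server sshd[3528]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 28 17:15:35 rhel7-server sshd[3617]: Accepted password for root from 192.168.135.1 port 4751 ssh2
Jul 28 17:20:01 rhel7-server sshd[3700]: Failed password for invalid user admin from 192.168.135.50 port 5001 ssh2
Jul 28 17:20:05 rhel7-server sshd[3700]: Failed password for root from 192.168.135.50 port 5001 ssh2'

printf '%s\n' "$SAMPLE_SECURE" | summarize_sshd_auth
```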
/var/log/maillog
Contains the log information from the mail server that is running on the system. Useful when we need information about postfix, smtpd, or any email-related services running on your server.
[root@rhel7-server log]# tail -5 maillog
Jul 21 17:13:13 rhel7-server postfix/master[1865]: terminating on signal 15
Jul 21 17:14:03 rhel7-server postfix/postfix-script[2189]: starting the Postfix mail system
Jul 21 17:14:04 rhel7-server postfix/master[2194]: daemon started -- version 2.10.1, configuration /etc/postfix
Jul 28 15:53:23 rhel7-server postfix/postfix-script[2345]: starting the Postfix mail system
Jul 28 15:53:23 rhel7-server postfix/master[2347]: daemon started -- version 2.10.1, configuration /etc/postfix
/var/log/Xorg.0.log
These are messages related to your Xorg server. If you are having issues with your X server or graphical environment, then this is probably the file to look into.
[root@rhel7-server log]# tail -5 Xorg.0.log
[ 11692.550] (II) vmware(0): Modeline "1856x1392"x60.0 218.25 1856 1952 2176 2528 1392 1393 1396 1439 -hsync +vsync (86.3 kHz e)
[ 11692.550] (II) vmware(0): Modeline "1920x1200"x59.9 193.25 1920 2056 2256 2592 1200 1203 1209 1245 -hsync +vsync (74.6 kHz e)
[ 11692.550] (II) vmware(0): Modeline "1920x1440"x60.0 234.00 1920 2048 2256 2600 1440 1441 1444 1500 -hsync +vsync (90.0 kHz e)
[ 11692.550] (II) vmware(0): Modeline "2560x1600"x60.0 348.50 2560 2752 3032 3504 1600 1603 1609 1658 -hsync +vsync (99.5 kHz e)
[ 11692.550] (II) vmware(0): Modeline "1280x768"x60.0 78.76 1280 1330 1380 1430 768 818 868 918 -hsync +vsync (55.1 kHz eP)
For a better understanding, “messages” can also be checked:
[root@rhel7-server log]# tail -10 messages
Jul 28 19:07:54 rhel7-server /usr/bin/dbus-launch: gnome-session-is-accelerated: No composite extension.
Jul 28 19:07:54 rhel7-server /usr/bin/dbus-launch: gnome-session-check-accelerated: Helper exited with code 256
Jul 28 19:07:59 rhel7-server /usr/bin/dbus-launch: gnome-session-is-accelerated: No composite extension.
Jul 28 19:07:59 rhel7-server /usr/bin/dbus-launch: gnome-session-check-accelerated: Helper exited with code 256
Jul 28 19:07:59 rhel7-server /usr/bin/dbus-launch: ** (process:5547): WARNING **: software acceleration check failed: Child process exited with code 1
Jul 28 19:08:08 rhel7-server gnome-session: ** (gnome-session-quit:5579): WARNING **: Failed to call logout: The name org.gnome.SessionManager was not provided by any .service files
Jul 28 19:08:14 rhel7-server fprintd: ** Message: No devices in use, exit
Jul 28 19:08:54 rhel7-server gnome-session: (gnome-session:5547): Gdk-WARNING **: gnome-session: Fatal IO error 11 (Resource temporarily unavailable) on X server 192.168.135.1:1.
Jul 28 19:10:01 rhel7-server systemd: Starting Session 27 of user root.
Jul 28 19:10:01 rhel7-server systemd: Started Session 27 of user root.
/var/log/firewalld
Records firewalld-related actions:
[root@rhel7-server log]# tail -5 firewalld
2018-07-15 19:14:56 ERROR: ZONE_ALREADY_SET
2018-07-21 19:24:22 ERROR: INVALID_SERVICE: htts
2018-07-22 16:02:05 ERROR: INVALID_ZONE: default
2018-07-22 16:02:34 ERROR: ZONE_CONFLICT
/var/log/cups & /var/log/spooler
All printer and printing related log messages. The Common Unix Printing System (CUPS) uses the default log file /var/log/cups/error_log to store informational and error messages.
[root@rhel7-server ~]# cd /var/log/cups/
[root@rhel7-server cups]# ls -ltr
total 27
-rw-------. 1 root lp 999 May 6 15:36 access_log-20180506
-rw-------. 1 root lp 1332 May 19 14:00 access_log-20180519
-rw-------. 1 root lp 111 May 19 14:59 access_log-20180520
-rw-------. 1 root lp 213 Jul 21 17:01 access_log-20180722
-rw-------. 1 root lp 141 Jul 29 16:49 page_log
-rw-------. 1 root lp 142 Jul 29 16:53 error_log
-rw-------. 1 root lp 1125 Jul 29 16:53 access_log
[root@rhel7-server cups]# cat access_log
localhost - - [29/Jul/2018:16:45:06 +0530] "POST /admin/ HTTP/1.1" 401 210 CUPS-Add-Modify-Printer successful-ok
localhost - root [29/Jul/2018:16:45:06 +0530] "POST /admin/ HTTP/1.1" 200 210 CUPS-Add-Modify-Printer successful-ok
localhost - root [29/Jul/2018:16:45:06 +0530] "POST /admin/ HTTP/1.1" 200 186 CUPS-Add-Modify-Printer successful-ok
localhost - - [29/Jul/2018:16:45:14 +0530] "POST /printers/nowhere HTTP/1.1" 200 304 Create-Job successful-ok
localhost - - [29/Jul/2018:16:45:14 +0530] "POST /printers/nowhere HTTP/1.1" 200 525 Send-Document successful-ok
localhost - - [29/Jul/2018:16:49:03 +0530] "POST /printers/nowhere HTTP/1.1" 200 301 Create-Job successful-ok
localhost - - [29/Jul/2018:16:49:03 +0530] "POST /printers/nowhere HTTP/1.1" 200 2815 Send-Document successful-ok
localhost - - [29/Jul/2018:16:53:13 +0530] "POST /printers/nowhere HTTP/1.1" 200 310 Create-Job successful-ok
localhost - - [29/Jul/2018:16:53:13 +0530] "POST /printers/nowhere HTTP/1.1" 200 265 Send-Document client-error-bad-request
localhost - - [29/Jul/2018:16:53:13 +0530] "POST /jobs/ HTTP/1.1" 200 171 Cancel-Job successful-ok
[root@rhel7-server cups]# cat error_log
E [29/Jul/2018:16:53:13 +0530] Returning IPP client-error-bad-request for Send-Document (ipp://localhost:631/printers/nowhere) from localhost
[root@rhel7-server cups]# cat page_log
nowhere root 1 [29/Jul/2018:16:45:14 +0530] 1 1 - localhost (stdin) - -
nowhere root 2 [29/Jul/2018:16:49:03 +0530] 1 1 - localhost cron - -
CONT………………………..