Wise people learn when they can; fools learn when they must - Arthur Wellesley

Saturday, 4 August 2018

LINUX- 33 LINUX LOGS (RHEL-7) P3




HOW TO VIEW LINUX LOGS


Well, by now we have an idea about almost all the logs under /var/log and what each of them is for.

GREAT….

Now let’s check how to view them.

I am very confident and I want to view whole logs.

No prob, show your confidence and just “cat” the file.

[root@rhel7-server ~]# cat /var/log/messages

OMG, it’s coming and coming like a flood. Catting the whole messages file is not a good idea, so let me lower my confidence and use some talent of mine instead: rather than viewing the whole file,
I want to check the last 200 lines.

No prob, show your talent,

[root@rhel7-server ~]# tail -200 /var/log/messages

Ohhhh… this is also not what I want. Now I think I should use my mind instead of confidence and talent, because I want only the live logs.

No Prob, use your mind,

[root@rhel7-server ~]# tail -f /var/log/messages

Great, this is what I want.

If there is an ongoing issue then it’s always better to check live logs as above.

I want to check just the last 10 lines.

[root@rhel7-server ~]# tail -f -n 10 /var/log/messages
[root@rhel7-server ~]# tail -10 /var/log/messages

Now I want to find something in my logs.

[root@rhel7-server ~]# grep eth0 /var/log/messages
Jul 29 15:07:58 rhel7-server kernel: e1000: eth0 NIC Link is Down
Jul 29 15:08:04 rhel7-server kernel: e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
Jul 29 15:36:18 rhel7-server kernel: e1000: eth0 NIC Link is Down
Jul 29 15:36:24 rhel7-server kernel: e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None

[root@rhel7-server ~]# grep "anurag" /var/log/secure
Jul 29 15:24:20 rhel7-server unix_chkpwd[7299]: password check failed for user (anurag)
Jul 29 15:24:20 rhel7-server sshd[7297]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.135.1  user=anurag
Jul 29 15:24:22 rhel7-server sshd[7297]: Failed password for anurag from 192.168.135.1 port 7218 ssh2
Jul 29 15:24:24 rhel7-server unix_chkpwd[7300]: password check failed for user (anurag)
Jul 29 15:24:27 rhel7-server sshd[7297]: Failed password for anurag from 192.168.135.1 port 7218 ssh2

Now I want to find out the failed login attempts.

# awk '/sshd.*Failed/ { print $9 }' /var/log/secure
root
root
root
root
root
root
anurag
anurag
test1
user1

[root@rhel7-server ~]# grep Failed /var/log/secure
Jul 29 15:15:30 rhel7-server sshd[7201]: Failed password for root from 192.168.135.1 port 7179 ssh2
Jul 29 15:15:33 rhel7-server sshd[7201]: Failed password for root from 192.168.135.1 port 7179 ssh2
Jul 29 15:15:36 rhel7-server sshd[7201]: Failed password for root from 192.168.135.1 port 7179 ssh2
Jul 29 15:15:40 rhel7-server sshd[7201]: Failed password for root from 192.168.135.1 port 7179 ssh2
Jul 29 15:15:42 rhel7-server sshd[7201]: Failed password for root from 192.168.135.1 port 7179 ssh2
Jul 29 15:15:45 rhel7-server sshd[7201]: Failed password for root from 192.168.135.1 port 7179 ssh2
Jul 29 15:24:22 rhel7-server sshd[7297]: Failed password for anurag from 192.168.135.1 port 7218 ssh2
Jul 29 15:24:27 rhel7-server sshd[7297]: Failed password for anurag from 192.168.135.1 port 7218 ssh2
Jul 29 15:24:47 rhel7-server sshd[7302]: Failed password for test1 from 192.168.135.1 port 7219 ssh2
Jul 29 15:24:58 rhel7-server sshd[7305]: Failed password for user1 from 192.168.135.1 port 7220 ssh2
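The awk one-liner above pulls out only the user name. The following script (an added example, not code from the original post) counts failures per user and source IP, handles the “invalid user” variant of the sshd message where the user name shifts to a later field, and flags source addresses that exceed a threshold. The sample lines are constructed for the demo; on a real host run the functions against /var/log/secure.

```shell
#!/bin/bash
# Added example (not from the original post): summarise "Failed password" events
# from a /var/log/secure style file per user and source IP, and flag sources
# that exceed a threshold. The sample below is constructed for the demo.

SAMPLE_SECURE=$(cat <<'EOF'
Jul 29 15:15:30 rhel7-server sshd[7201]: Failed password for root from 192.168.135.1 port 7179 ssh2
Jul 29 15:15:33 rhel7-server sshd[7201]: Failed password for root from 192.168.135.1 port 7179 ssh2
Jul 29 15:15:36 rhel7-server sshd[7201]: Failed password for invalid user admin from 10.0.0.9 port 5555 ssh2
Jul 29 15:24:22 rhel7-server sshd[7297]: Failed password for anurag from 192.168.135.1 port 7218 ssh2
Jul 29 15:24:47 rhel7-server sshd[7302]: Accepted password for test1 from 192.168.135.1 port 7219 ssh2
EOF
)

# failed_logins FILE : prints "count user ip", highest count first.
# For "Failed password for invalid user NAME from IP" the name is field 11
# and the address field 13; otherwise they are fields 9 and 11.
failed_logins() {
  awk '/sshd\[[0-9]+\]: Failed password for/ {
         if ($9 == "invalid" && $10 == "user") { user = $11; ip = $13 }
         else { user = $9; ip = $11 }
         count[user " " ip]++
       }
       END { for (k in count) print count[k], k }' "$1" | sort -rn
}

# noisy_sources FILE THRESHOLD : source IPs with at least THRESHOLD failures
# across all user names (password guessing usually shows up per source).
noisy_sources() {
  awk -v t="$2" '/sshd\[[0-9]+\]: Failed password for/ {
         ip = ($9 == "invalid") ? $13 : $11
         n[ip]++
       }
       END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }' "$1" | sort
}

# Demo run on the constructed sample instead of /var/log/secure.
tmp=$(mktemp); printf '%s\n' "$SAMPLE_SECURE" > "$tmp"
failed_logins "$tmp"
noisy_sources "$tmp" 3
rm -f "$tmp"
```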

I want to view the logs of a particular date.

[root@rhel7-server ~]# grep "Aug  4" /var/log/messages
Aug  4 12:47:32 rhel7-server systemd: Time has been changed
Aug  4 12:47:32 rhel7-server kernel: usb 2-2.1: USB disconnect, device number 5
Aug  4 12:47:32 rhel7-server bluetoothd: bluetoothd[1018]: Adapter /org/bluez/1018/hci0 has been disabled
Aug  4 12:47:32 rhel7-server bluetoothd: bluetoothd[1018]: Unregister path: /org/bluez/1018/hci0
Aug  4 12:47:32 rhel7-server bluetoothd[1018]: Adapter /org/bluez/1018/hci0 has been disabled
Aug  4 12:47:32 rhel7-server bluetoothd[1018]: Unregister path: /org/bluez/1018/hci0
Aug  4 12:47:32 rhel7-server systemd: Service bluetooth.target is not needed anymore. Stopping.
Aug  4 12:47:32 rhel7-server systemd: Stopping Bluetooth.
Aug  4 12:47:32 rhel7-server systemd: Stopped target Bluetooth.
Aug  4 12:47:33 rhel7-server dbus-daemon: dbus[1066]: [system] Activating via systemd: service name='org.freedesktop.NetworkManager' unit='dbus-org.freedesktop.NetworkManager.service'

I want to find something on a particular date.

[root@rhel7-server ~]# grep "Aug  4" /var/log/messages |grep ppp
Aug  4 13:20:55 rhel7-server pppd[10687]: pppd 2.4.5 started by root, uid 0
Aug  4 13:21:00 rhel7-server pppd[10687]: Couldn't set tty to PPP discipline: Device or resource busy
Aug  4 13:21:00 rhel7-server pppd[10687]: Exit.
Aug  4 13:21:19 rhel7-server pppd[10697]: pppd 2.4.5 started by root, uid 0
Aug  4 13:21:24 rhel7-server pppd[10697]: Couldn't set tty to PPP discipline: Device or resource busy
Aug  4 13:21:24 rhel7-server pppd[10697]: Exit.
Aug  4 13:22:39 rhel7-server pppd[10791]: pppd 2.4.5 started by root, uid 0
Aug  4 13:22:44 rhel7-server pppd[10791]: Couldn't set tty to PPP discipline: Device or resource busy
Aug  4 13:22:44 rhel7-server pppd[10791]: Exit.
Aug  4 13:27:57 rhel7-server pppd[10962]: pppd 2.4.5 started by root, uid 0
Aug  4 13:28:02 rhel7-server pppd[10962]: Couldn't set tty to PPP discipline: Device or resource busy
Aug  4 13:28:02 rhel7-server pppd[10962]: Exit.

I want to view the logs between two dates.

# sed -n '/Jul 28/,/Jul 29/p' /var/log/messages-20180729

We can also use “grep” for the same kind of search,

# grep "Jul 2[2-9]" /var/log/messages-20180729 |more

Here the leading 2 is fixed and the character class [2-9] matches the second digit, so "Jul 2[2-9]" matches the dates 22 to 29 July.

# sed -n '/Jul 28/,/Jul 29/p' /var/log/messages-20180729 |head -3
Jul 28 21:22:04 rhel7-server rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="1030" x-info="http://www.rsyslog.com"] start
Jul 21 17:13:11 rhel7-server systemd: Stopping Command Scheduler...
Jul 21 17:13:11 rhel7-server systemd: Stopping Virtualization daemon...

# sed -n '/Jul 28/,/Jul 29/p' /var/log/messages-20180729 |tail -3
Jul 28 19:17:47 rhel7-server kernel: e1000: eth1 NIC Link is Down
Jul 28 19:17:47 rhel7-server kernel: usb 2-2.1: USB disconnect, device number 4
Jul 29 13:52:50 rhel7-server bluetoothd: bluetoothd[1018]: Adapter /org/bluez/1018/hci0 has been disabled


I want to view the logs within a particular range of minutes.

The following shows the logs of 28 July from 19:01 to 19:09:

# grep "Jul 28 19:0[1-9]" /var/log/secure-20180729
Jul 28 19:02:06 rhel7-server sshd[4773]: Accepted password for root from 192.168.135.1 port 5929 ssh2
Jul 28 19:02:06 rhel7-server sshd[4773]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 28 19:05:06 rhel7-server sshd[4773]: pam_unix(sshd:session): session closed for user root
Jul 28 19:05:53 rhel7-server polkitd[1192]: Unregistered Authentication Agent for unix-session:c1 (system bus name :1.53, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Jul 28 19:05:53 rhel7-server gdm-launch-environment]: pam_unix(gdm-launch-environment:session): session closed for user gdm
Jul 28 19:07:41 rhel7-server gdm-launch-environment]: pam_unix(gdm-launch-environment:session): session opened for user gdm by (unknown)(uid=0)
Jul 28 19:07:44 rhel7-server polkitd[1192]: Registered Authentication Agent for unix-session:c2 (system bus name :1.142 [gnome-shell --mode=gdm], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jul 28 19:07:54 rhel7-server gdm-launch-environment]: pam_unix(gdm-launch-environment:session): session opened for user gdm by (uid=0)
Jul 28 19:08:54 rhel7-server gdm-launch-environment]: pam_unix(gdm-launch-environment:session): session closed for user gdm

I want to view the logs between two timestamps.

# awk '/Jul 29 15:06/,/Aug  4 12:49/' /var/log/secure

# awk '/Jul 29 15:06/,/Aug  4 12:49/' /var/log/secure |head -3
Jul 29 15:06:31 rhel7-server sshd[7021]: Accepted password for root from 192.168.135.1 port 7132 ssh2
Jul 29 15:06:31 rhel7-server sshd[7021]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 29 15:15:28 rhel7-server unix_chkpwd[7203]: password check failed for user (root)

# awk '/Jul 29 15:06/,/Aug  4 12:49/' /var/log/secure |tail -3
Jul 29 19:09:08 rhel7-server sshd[5792]: pam_unix(sshd:session): session closed for user root
Jul 29 19:09:10 rhel7-server sshd[7021]: pam_unix(sshd:session): session closed for user root
Aug  4 12:49:30 rhel7-server sshd[10221]: Accepted password for root from 192.168.135.1 port 2456 ssh2


I want to view the login details and the currently logged-in users.

[root@rhel7-server ~]# last -f /var/log/wtmp |head -10
user2    pts/9                         Sat Aug  4 16:54   still logged in
user2    pts/8        192.168.135.1    Sat Aug  4 16:54   still logged in
user1    pts/7                         Sat Aug  4 16:54   still logged in
user1    pts/6        192.168.135.1    Sat Aug  4 16:54   still logged in
user2    pts/8        192.168.135.1    Sat Aug  4 16:46 - 16:46  (00:00)
anurag   pts/7                         Sat Aug  4 16:45 - 16:53  (00:07)
anurag   pts/6        192.168.135.1    Sat Aug  4 16:45 - 16:53  (00:08)
root     pts/3                         Sat Aug  4 15:33   still logged in
root     pts/2        192.168.135.1    Sat Aug  4 15:33   still logged in
root     pts/5                         Sat Aug  4 13:26   still logged in

[root@rhel7-server ~]# who
(unknown) :0           2018-07-28 19:07 (:0)
root     pts/0        2018-08-04 12:49 (192.168.135.1)
root     pts/1        2018-08-04 12:49
root     pts/2        2018-08-04 15:33 (192.168.135.1)
root     pts/3        2018-08-04 15:33
(unknown)              2018-07-28 19:07 (192.168.135.1:1)
root     pts/4        2018-08-04 13:26 (192.168.135.1)
root     pts/5        2018-08-04 13:26
user1    pts/6        2018-08-04 16:54 (192.168.135.1)
user1    pts/7        2018-08-04 16:54
user2    pts/8        2018-08-04 16:54 (192.168.135.1)
user2    pts/9        2018-08-04 16:54

[root@rhel7-server ~]# lastlog

[root@rhel7-server ~]# last -f /var/run/utmp
user2    pts/9                         Sat Aug  4 16:54   still logged in
user2    pts/8        192.168.135.1    Sat Aug  4 16:54   still logged in
user1    pts/7                         Sat Aug  4 16:54   still logged in
user1    pts/6        192.168.135.1    Sat Aug  4 16:54   still logged in
root     pts/5                         Sat Aug  4 13:26   still logged in
root     pts/4        192.168.135.1    Sat Aug  4 13:26   still logged in
(unknown              192.168.135.1:1  Sat Jul 28 19:07   still logged in
root     pts/3                         Sat Aug  4 15:33   still logged in
root     pts/2        192.168.135.1    Sat Aug  4 15:33   still logged in
root     pts/1                         Sat Aug  4 12:49   still logged in
root     pts/0        192.168.135.1    Sat Aug  4 12:49   still logged in
(unknown :0           :0               Sat Jul 28 19:07   still logged in
reboot   system boot  3.10.0-121.el7.x Sat Jul 28 21:21 - 16:56 (6+19:34)

utmp begins Sat Jul 28 21:21:55 2018

I want to view the reboot date and time.

[root@rhel7-server ~]# last |grep reboot
[root@rhel7-server ~]# last reboot

I want to view the shutdown date and time.

[root@rhel7-server ~]# last -x|grep shutdown

I want to view any errors while booting.

[root@rhel7-server log]# cat boot.log |grep -i error
systemd-fsck[634]: fsck: error 2 (No such file or directory) while executing fsck.ext2 for /dev/disk/by-uuid/104508c3-8394-4e6c-bc48-b20f6344d361



