Last modified: Nov. 23 2011

CIS 191B
Lab 10: Monitoring System Logs

The purpose of this lab is to explore the various ways to use the UNIX syslog daemon. It includes knowing where log files are kept and how to find information within them, as well as using the cron facility to set up your own monitoring services.

Part One: Viewing Log Files

The syslog daemon collects informational and error messages from various services (programs) and writes them to log files, usually in the directory /var/log. The /etc/syslog.conf file tells the syslog daemon how you want this logging information collected and where each kind of message should go.
The following procedure must be performed on the opus computer.
  1. Log in to opus using your regular account.
  2. Change directory to /var/log:
    cd /var/log
  3. Use the ls command to determine how many log files are active in this directory. Notice that log files are rotated.
    How many backups are there of each log file?
    How often are these log files backed up (rotated)?

    Are there any log files in subdirectories?
  4. Use the ls -l command to determine which log files are most heavily used.
    What is the most heavily used log file?
  5. Run the following command on the log files:
    file * | more
    Note that most logs are either empty or have ASCII text in them. Which logs are data files and cannot be viewed as text?
  6. Look for the oldest wtmp file. Use that file as an argument to the who command:
    who wtmp.? | more
    What does this file tell you?
  7. View the file /etc/logrotate.conf. In this file, find where it controls the number and frequency of log file rotations.

Part Two: Configuring the syslog daemon

In this procedure, you will configure the syslog daemon on your cis191B virtual machine.
  1. Boot your cis191B machine and log in as root.
  2. Let's add a new log entry to catch all system notices, and we'll log these notices to the file /var/log/notices. Add the following line to the /etc/syslog.conf file:
    *.=notice /var/log/notices
  3. Create the new log file:
    > /var/log/notices
  4. Now restart the syslog services:
    service syslog restart
    You may get a notification that both the syslogd and the klogd stopped and started successfully. In any case, proceed to the next step.
  5. Switch to another console screen and log in as cis191.
    After logging in as cis191, attempt to su to superuser, but do not type the correct password.
  6. Now exit the shell and log back in as root.
  7. Now check the "notices" log file. What is there?
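To see why the `=` in `*.=notice` matters (it selects exactly the notice priority, where `*.notice` would select notice and everything more severe), here is an added example that models how a sysklogd-style syslog.conf routes a message. It is not part of the lab or of any syslog implementation; the sample configuration inside it is constructed from Red Hat-style default lines plus the Part Two entry above.

```python
# Added example (not the lab's code): where a sysklogd-style syslog.conf routes a message.
import re
# Severities as defined by syslog(3), lowest to highest; ALIASES are spellings sysklogd also accepts.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
_idx = lambda name: PRIORITIES.index(ALIASES.get(name, name))

def parse_syslog_conf(text):
    """[(selectors, action)]; selector = (facility, op, priority), op in '', '=', '!', '!='."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()            # drop comments and blank lines
        if not line: continue
        field, action = re.split(r"\s+", line, maxsplit=1)
        selectors = []
        for sel in field.split(";"):                     # e.g. "*.info;mail.none"
            facilities, prio = sel.rsplit(".", 1)
            op, prio = prio[:len(prio) - len(prio.lstrip("=!"))], prio.lstrip("=!")
            selectors.extend((fac, op, prio) for fac in facilities.split(","))
        rules.append((selectors, action.lstrip("-")))   # leading '-' = no sync after write
    return rules

def _verdict(fac, op, prio, msg_fac, msg_prio):
    """True/False if this selector decides the message, None if it is silent."""
    if fac not in ("*", msg_fac):
        return None
    if prio == "none":                                   # facility excluded outright
        return False
    hit = prio == "*" or (_idx(msg_prio) == _idx(prio) if "=" in op   # '=' means exactly
                          else _idx(msg_prio) >= _idx(prio))          # default: this and above
    if op.startswith("!"):                               # '!' only ever excludes
        return False if hit else None
    return True if hit else None

def route(rules, msg_fac, msg_prio):
    """Files receiving facility.priority; within a line, later selectors override earlier."""
    targets = []
    for selectors, action in rules:
        included = False
        for fac, op, prio in selectors:
            v = _verdict(fac, op, prio, msg_fac, msg_prio)
            included = included if v is None else v
        if included:
            targets.append(action)
    return targets
# Constructed sample: Red Hat-style default lines plus the lab's Part Two line.
SAMPLE_CONF = """\
*.info;mail.none;authpriv.none   /var/log/messages
authpriv.*                       /var/log/secure
*.=notice                        /var/log/notices
"""
```

With this configuration a user.notice message lands in both /var/log/messages and /var/log/notices, a mail.notice only in /var/log/notices (mail.none masks it from messages), and a user.alert only in /var/log/messages.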

Part Three: Monitoring Idle Logins

In this part, you will implement a new service that logs off idle users. This service will be run from a cron job, and you will configure syslog to log its activity to a specific file, and configure logrotate to rotate that log file once a month.
  1. Log in as root and download the shell script idled from the /home/cis191/bin directory on opus.cabrillo.edu to root's home directory.
    Make sure the file is executable.
  2. Set up a cron job for root to execute this script every minute from 8:00AM until 5:00PM on weekdays in November.
  3. The idled daemon uses the user facility of syslog, and logs at the alert priority when it kicks a user off the system for idle time exceeding 5 minutes. If the daemon is invoked with the -d option, it will also log messages at the user.debug priority; these messages simply chronicle all user idle time over 1 minute.
  4. Configure the syslog.conf file to send all alerts from the user facility to a log file called /var/log/idle.
    Also configure all debug statements from any facility to go to a file called /var/log/debug.
  5. Configure the syslog file in /etc/logrotate.d to schedule these two new files to be rotated monthly and to keep the latest 2 copies, but don't rotate the log if it is empty.

To turn in

Your lab10 file should include 5 files and your crontab -l output. Copy the lab10 file to your account on opus.cabrillo.edu using the following command:
scp lab10 logname@opus.cabrillo.edu:lab10

After you have submitted your lab, don't forget to remove your cron job for idled.