Study Guide - Chap17: Implementing Logging Services Flashcards
(12 cards)
1- What protocol became a de facto standard in Linux for tracking system event messages?
- SMTP
- FTP
- NTP
- syslog
- journalctl
syslog
The syslog protocol created by the Sendmail project has become the de facto standard for logging system event messages in Linux, so option D is correct. SMTP is a mail protocol, and FTP stands for File Transfer Protocol, so both options A and B are incorrect. NTP stands for Network Time Protocol, so option C is incorrect. Option E, journalctl, is a tool used to read systemd-journald journal files, not a protocol for logging event messages, so it is also incorrect.
2- Nancy wants to write an rsyslogd rule that separates event messages coming from the system job scheduler into a separate log file. Which syslog facility keyword should she use?
- cron
- user
- kern
- console
- local0
cron
The cron application schedules jobs on Linux systems, and the cron facility keyword represents event messages received from the job scheduler, so option A is correct. The user keyword represents events received from users, so option B is incorrect. The kern keyword represents events received from the kernel, so option C is incorrect. The console keyword represents events received from a console on the system, so option D is incorrect. The local0 keyword is not defined by the standard; it is defined locally by the system and does not normally receive events from the job scheduler, so option E is incorrect.
3- What syslog severity level has the highest priority ranking in rsyslogd?
- crit
- alert
- emerg
- notice
- err
emerg
The emerg severity level has a priority of 0, the highest level in syslog, so option C is correct. The crit severity level is at level 2, so it’s not the highest level and therefore option A is incorrect. The alert keyword is assigned level 1, but it’s not the highest level, so option B is incorrect. The notice keyword is assigned level 5 and is not the highest level, so option D is incorrect. The err keyword is assigned level 3 and is not the highest level, so option E is incorrect.
4- What syslog severity level represents normal but significant condition messages?
- crit
- notice
- info
- alert
- local0
notice
The notice severity level represents system event messages that are significant but normal, so option B is correct. The crit and alert keywords represent event messages that are critical or that require special attention, so options A and D are incorrect. The info keyword represents event messages that are only informational but not significant, so option C is incorrect. The local0 keyword is not defined in the syslog protocol but by the local system, so option E is incorrect.
syslog severity levels
- 0=Emergency
- 1=Alert
- 2=Critical
- 3=Error
- 4=Warning
- 5=Notice
- 6=Informational
- 7=Debug
5- What syslog application is known for its rocket-fast speed?
- syslogd
- syslog-ng
- systemd-journald
- klogd
- rsyslogd
rsyslogd
The rsyslogd application was designed to be a faster version of the syslogd application, so option E is correct. The syslogd application is the original syslog application and was not known for its speed, so option A is incorrect. The syslog-ng application was designed to be more versatile than syslogd, but not faster, so option B is incorrect. The systemd-journald application is known for faster queries in reading journal entries but wasn’t designed to be faster in handling event messages, so option C is incorrect. The klogd application is part of the original sysklogd application and is also not fast, so option D is incorrect.
6- What configuration file does the rsyslogd application use by default?
- rsyslog.conf
- journald.conf
- syslogd.conf
- rsyslog.d
- syslog.d
rsyslog.conf
The rsyslogd application uses the rsyslog.conf configuration file by default, so option A is correct. Option D, rsyslog.d, is commonly used as a folder for storing additional rsyslogd configuration files, but it isn’t the default configuration filename, so it is incorrect. Options B and C are configuration files for other logging applications, not rsyslogd, so they are incorrect. Option E is not a valid logging application configuration filename.
7- James needs to log all kernel messages that have a severity level of warning or higher to a separate log file. What facility and priority setting should he use?
- kern.=warn
- kern./*
- *.info
- kern.warn
- kern.alert
kern.warn
An rsyslogd priority setting logs event messages with the defined severity or higher, so option D would log all kernel event messages at the warn severity or higher (up to emerg) and therefore it is correct. The option A facility and priority setting would only log kernel messages with a severity of exactly warning, so it is incorrect. Option B would log all kernel event messages, not just warnings or higher, so it is incorrect. Option C would log event messages from all facilities at the info severity or higher, so it is incorrect. Option E would log kernel event messages only at the alert or emerg severity levels, not the warning level, so it is incorrect.
8- Barbara wants to ensure that the journal log files will be saved after the next reboot of her Linux system. What systemd-journald configuration setting should she use?
- Storage=auto
- Storage=persistent
- ForwardToSyslog=on
- Storage=volatile
- ForwardToSyslog=off
Storage=persistent
The Storage setting controls how systemd-journald manages the journal file. Setting the value to persistent ensures that the journal file will remain in the /var/log/journal directory, so option B is correct. Setting the value to auto only ensures that the journal file will be persistent if the /var/log/journal directory exists, so option A is incorrect. Setting the value to volatile ensures that the file does not persist, so option D is incorrect. Options C and E refer to settings that control whether or not event messages are passed to the rsyslogd application, so they are both incorrect.
9- Katie wants to display the most recent entries in the journal log on her Linux system. What journalctl option should she use?
- -a
- -l
- -r
- -e
- -n
-r
The -r option displays the journal entries in reverse order, so the most recent entry will appear first. Thus, option C is correct. The -a option displays all of the data fields, but in the normal order, so option A is incorrect. The -l option displays all printable data fields, but in the normal order, so option B is incorrect. The -e option jumps to the end of the journal file but displays the remaining entries in normal order instead of reverse order, so option D is incorrect. The -n option displays a specified number of entries, but in normal order, so option E is incorrect.
10- Tony is trying to troubleshoot errors produced by an application on his Linux system but has to dig through lots of entries in the journal log file to find them. What journalctl match option would help him by only displaying journal entries related to the specific application?
- OBJECT_PID
- Kernel
- _TRANSPORT
- _UID
- _UDEV
OBJECT_PID
The journalctl application allows you to filter event messages related to a specific application by the application process ID (PID) using the OBJECT_PID match, so option A is correct. The Kernel match retrieves event messages generated by the system kernel and not applications, so option B is incorrect. The _TRANSPORT option filters event messages based on how they were received and not by application, so option C is incorrect. Option D, _UID, filters event messages based on the user ID value, not the application, so it is incorrect. Option E, _UDEV, filters events by device ID and not by application, so it too is incorrect.
journalctl options to know
- -f (follow/tail logs in real-time)
- -u servicename (show logs for specific systemd service)
- -b (show logs since last boot)
- -r (reverse chronological order)
- -p priority (filter by log level, e.g. -p err shows errors and above)