Sylog

Question 1

What are the systemd built-in logging frameworks?

Answer 1

1) systemd-journald
2) rsyslog

Question 2

Diff between:

1) systemd-journald
2) rsyslog

Answer 2

1) systemd-journald: stores journal in db
2) rsyslog: logs to /var/log

Question 3

How do you query the systemd-journald database?

Answer 3

Use journalctl command

Question 4

which of these logging framework implements the syslog protocol:

1) systemd-journald
2) rsyslog

Answer 4

Both

Question 5

In syslog every event has two elements to it. Name them

Answer 5

1) Facility
2) Priority

Question 6

What are some well known facilities

Answer 6

mail
authpriv
cron
kern
daemon
news
syslog
uucp
ftp
lpr
auth
local0 to local7

Question 7

What are some well known priorities?

Answer 7

debug
info
notice
warn
error
crit
alert
emerg

(Experts Alert: Diagnosing issues Needs Wise Error Checking)

Question 8

what is the daemon responsible for systemd-journald?

Answer 8

systemd-journald

Question 9

what is the daemon responsible for rsyslog?

Answer 9

rsyslog NOT rsyslogd

Question 10

Where are rsyslog config stored?

Answer 10

/etc/rsyslog.conf

Question 11

What do rsyslog rules capture?

Answer 11

Which message goes to which file

Question 12

General rule format of a rsyslog rule

Answer 12

FACILITY.PRIORITY[;EXCEPTED_FACILITY.none]* [-]/target/file

FACILITY.PRIORITY is called SELECTOR

Question 13

What is the effect of a dash in front of a log file in /etc/rsyslog.conf

Answer 13

The dash causes the logs to be written asynchornously

Question 14

what is the rsyslog drop in folder?

Answer 14

/etc/rsyslog.d/

Question 15

How do you get help with rsyslog.conf?

Answer 15

man rsyslog.conf

Question 16

Where do you put rsyslog custom configs?

Answer 16

Create a file and drop them in /etc/rsyslog.d/

Question 17

What are the user definable facilities?

Answer 17

local0 to local7

Question 18

Create a custom rsyslog rule for sshd

Answer 18

echo 'SyslogFacility local6' > /etc/sshd_config.d/99-logging.conf

echo 'local6.*.   /var/log/ssh.log'  >> /etc/rsyslog.d/99-sshd.conf

systemctl restart sshd rsylog

Question 19

Send a log message manually as the facility SSHD with priority INFO

Answer 19

logger -p local6.info ‘here is the message’

Question 20

By default, where are journals logged?

Answer 20

By default they are not logged. The volatile journal is used and saved in

/run/log/journal

which is deleted on reboot

Question 21

View the content of the journal on stdout

Answer 21

journatlctl

Question 22

What is the order of journalctl messages?

Answer 22

oldest to newest

Question 23

How do you view journal messages from newest to oldest

Answer 23

journalctl -r

Question 24

journalctl -f

Answer 24

stream the journal to stdout

Question 25

Filter journal messages by priority and by unit

Answer 25

```journalctl -p err -u ssd```

Question 26

Filter journal messages by date range

Answer 26

```journalctl --since "2023-11-05 10:20:12" --until "2023-11-05 10:30:12" ``` ```journalctl --since "-1 hour"```

Question 27

What is the process with PID 1?

Answer 27

systemd

Question 28

Print all journal by facility with PID 1

Answer 28

journaltcl _PID=1

Question 29

Print all journal by user with ID 81

Answer 29

```journaltcl _UID=1```

Question 30

How do you get help on journald

Answer 30

man journald.conf

Question 31

What are storage options for journald?

Answer 31

auto (default) volatile none persistent

Question 32

Make journal persistent

Answer 32

In /etc/systemd/journald.conf Storage=persistent ```systemctl restart systemd-journald```

Question 33

List all journalctl boots

Answer 33

```journalctl --list-boots```

Question 34

List journatlctl messages for a certain boot

Answer 34

journalctl -b 1

Question 35

Display comprehensive time information on your server

Answer 35

timedatectl

Question 36

What timezones are available so I may pick one

Answer 36

timedatectl list-timezones

Question 37

Set timezone to Africa/Douala

Answer 37

timedatectl set-timezone Africa/Douala

Question 38

Activate time synchronization

Answer 38

```timedatectl set-ntp true```

Question 39

What is the time synchronization daemon?

Answer 39

chronyd (replaces ntpd)

Question 40

Determine chronyd date sources

Answer 40

```chronyc sources```

Question 41

what is tzselect

Answer 41

Timezone Select: utility that allows selection of time zone by menu navigation.

Question 42

What are key system log files?

Answer 42

1) /var/log/messages 2) /varlog/secure 3) /var/log/cron 4) /var/log/maillog 5) /var/log/boot.log

Question 43

What happens if a message is matched by many rules in rsyslog.conf?

Answer 43

The message is stored in all files with matching rule

Question 44

none keyword in rsyslog.conf

Answer 44

indicates that no messages for the indicated facility are stored in the given file

Question 45

Explain logrotate command

Answer 45

rotates log files to prevent them from taking too much space in the /var/log

Question 46

key to successful use of the journal for troubleshooting and auditing

Answer 46

limit journal searches to show only relevant output.

Question 47

Show 5 last entries of journal

Answer 47

journalctl -n 5

Question 48

Different ways of filtering jorunalctl output

Answer 48

1) limit size with n option 2) tail with -f option 3) filter with since and until 4) filer by PID, UID, priority, user 5) filter by verbose field

Question 49

Determine fields that you can filter journalctl output with

Answer 49

journalctl -o verbose

Question 50

Popular journalctl fields that can be used for filter events

Answer 50

_COMM is the command name. _EXE is the path to the executable file for the process. _PID is the PID of the process. _UID is the UID of the user that runs the process. _SYSTEMD_UNIT is the systemd unit that started the process.

Question 51

Explain volatile storage option

Answer 51

Stores journals in the volatile /run/log/journal directory

Question 52

Explain auto storage option

Answer 52

If /var/log/journal exists, then persistent storage is used; otherwise it uses volatile is used.

Question 53

Explain persistent storage option

Answer 53

Stores journals in /var/log/journal. If directory does not exist, then create it

Question 54

How is journal data rotated?

Answer 54

journal has a built-in log rotation mechanism that triggers monthly

Question 55

retrieves the entries from the current system boot only

Answer 55

journalctl -b

Question 56

limits the output to only the previous boot

Answer 56

journalctl -b -1

Question 57

Set time to 9:00:00

Answer 57

timedatectl set-time 9:00:00

Question 58

stratum

Answer 58

number of hops that the machine is away from a high-performance reference clock

Question 59

driftfile

Answer 59

a file (configured in /etc/chrony.conf) in which chronyd records the rate at which the RTC looses or gains time

Question 60

what categories of time sources can you declare in /etc/chrony.conf

Answer 60

peer (same stratum) server (one level above)

Question 61

Example server configuration in /etc/chrony.conf

Answer 61

``` server classroom.example.com iburst ```

Question 62

tar -p option

Answer 62

preserve permissions

Question 63

tar --selinux option

Answer 63

: Enable SELinux context support, and store SELinux file contexts.

Question 64

tar -a option

Answer 64

--auto-compress : Use the archive's suffix to determine the algorithm to use

Question 65

Explain ownership of extracted files

Answer 65

if root user extracts an archive, the original users and group ownership are preserved if regular user extracts an archive, he becomes the owner

Question 66

How are permissions of extracted files determined?

Answer 66

if -p was used, then the original permissions are maintained otherwise, umask is used to determine the permissions.