Administration Utilities


Administration Utilities

Objectives
– to use standard administration utilities

Contents
– manual pages
– identifying your system
– communicating with users
– finding files
– looking at files and logs
– system defaults
– syslog
– logrotate
– logserver

Practicals
– to become familiar with these commands

Summary

On-Line Manuals

    $ man man
    $ man -k tcp
    $ man passwd
    $ man 5 passwd

On-line manuals come in many sections (the numbering may vary between systems):

    1    user commands
    1M   maintenance commands (section 8 on some systems)
    2    system calls
    3    functions and libraries
    4    special files found in /dev
    5    file formats, like /etc/passwd
    6    games
    7    miscellaneous
    8    system administration commands
    9    kernel routines

– man displays the first manual page found; the section number is optional (man 5 passwd selects a specific section)
– man -k keyword searches for manual pages by keyword
Some systems provide a whatis database (originally BSD):
– whatis command      one line description of command
– apropos keyword     keyword search for command
– info command        more information about command
– /usr/ucb/catman     re-creates the database from the manual source files

Manual pages are stored under /usr/share/man/ and /usr/local/man:

    man[1-8]   troff/nroff format manual pages (gz compressed)
    cat[1-8]   formatted manual pages (gz compressed)

Manuals can be stored in different or multiple directories by setting the MANPATH variable
– don't forget to include /usr/share/man if defining MANPATH
Manual pages are displayed using a pager program
– less is the default in SuSE, but usually more is used by default
– set the PAGER variable to override the default
Gentoo: application documentation is in /usr/share/doc

Adding Manual Entries

    $ MANPATH=/usr/share/man:/usr/X11/man
    $ export MANPATH
    $ man xterm

    $ PAGER=less; export PAGER
    $ man xterm

Identifying the Unix System

The uname command shows system information
– the command hostname also identifies the current host

uname options:
    -a   all information
    -n   system name (nodename on the network)
    -s   O/S name
    -r   O/S release number
    -v   O/S version number
    -m   machine hardware
    -p   processor type

    $ uname -a
    Linux linux a-default #1 Wed Mar 23 21:52:37 UTC 2005 i686 i686 i386 GNU/Linux
    $ hostname
    mash4077

Identifying Active Users

The who command shows who is currently logged on
– the information is kept in /var/run/utmp
– a history of every login is also kept in /var/log/wtmp
who can also be used to identify the current effective user: who am i
who can also be used to identify the original user: whoami
The command id identifies the current user in more detail
– some systems also have a w command (originally BSD)
The last command shows all historical logins

    $ who
    trapper  pts/0    Jul 25 11:01
    hawkeye  console  Jul 25 11:31
    $ who am i
    hawkeye  console  Jul 25 11:31
    $ id
    uid=318(hawkeye) gid=300(users)
    $ who /var/log/wtmp      history of all system logins
    $ last -10               history of the last 10 system logins

Talking to Users

Use write to display a message on a user's terminal
– users can disable messages using the mesg n command
– root can always write to a user
Write all (wall) displays a message to all logged in users
– useful for sending out broadcasts
– used by the system shutdown mechanism
Use the talk command to set up a two way dialogue
– block everything except wall with mesg n
– enable all again with mesg y

    $ write trapper
    Do you know where the system logbook is?
    ^D
    $ mesg
    is no
    $ mesg y
    $ talk trapper

Finding Files

The find command locates files using specified search criteria:

    find directories... search_criteria... action

Search criteria:
    -name name        finds only files called name (can use shell wildcards)
    -user name        finds only files owned by user name
    -type letter      finds files of the specified type: f (plain files), d (directories), etc.
    -mtime n          finds files modified n days ago; less than n days ago (-n), more than n days ago (+n)
    -size n[c|K]      finds files of size n; larger than (+n), smaller than (-n); c = chars, K = kilobytes (when omitted, 512-byte blocks are implied)
    -newer pathname   finds files newer than the specified file
    -mount            don't cross disk (filesystem) boundaries

Action:
    -print            print the filenames found
    -exec cmd {} \;   executes the given command (the filename is substituted for {})
    -ok cmd {} \;     executes the command but prompts for confirmation

Exercise - Revision Of Using find

What do the following find commands mean?

    # find . -print
    # find /etc -type d -print
    # find /home -name .bash_profile -exec more {} \;
    # find /dev -type f -mtime -7 -exec ls -l {} \;
    # find /sbin /usr/sbin -name "user*" -exec ls -ld {} \;
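To check the answers to the exercise on known input, here is an added example (not part of the slides) that builds a scratch directory tree with constructed names, ages and sizes and runs the same criteria over it; it assumes GNU coreutils (touch -d, dd bs=1k) as found on Linux.

```shell
#!/bin/sh
# Added example (not from the slides): scratch tree with known contents so
# every find result is predictable. All paths and file names are constructed.

make_find_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/home/hawkeye" "$d/dev" "$d/sbin"
    touch "$d/etc/passwd" "$d/home/hawkeye/.bash_profile"
    touch -d '1 day ago' "$d/etc/reference"          # older than the rest: for -newer
    touch "$d/dev/console"                           # plain file standing in for a device node
    touch -d '30 days ago' "$d/dev/old.log"          # too old for -mtime -7
    printf 'x' > "$d/home/hawkeye/small"             # 1 byte -> one 1k unit, not +4k
    dd if=/dev/zero of="$d/home/hawkeye/big" bs=1k count=8 2>/dev/null   # 8 KiB
    touch "$d/sbin/useradd" "$d/sbin/userdel" "$d/sbin/usermod"
    echo "$d"
}

# find /etc -type d: directories only; the starting point itself is listed too.
count_dirs() { find "$1" -type d | wc -l | tr -d ' '; }

# find /home -name .bash_profile: the name is a separate word after -name.
dotfiles() { find "$1/home" -name .bash_profile -print | wc -l | tr -d ' '; }

# find /dev -type f -mtime -7: plain files modified less than 7 days ago.
recent_in_dev() { find "$1/dev" -type f -mtime -7 -print | wc -l | tr -d ' '; }

# -newer: files whose mtime is strictly later than the reference file's.
newer_than_ref() { find "$1" -type f -newer "$1/etc/reference" | wc -l | tr -d ' '; }

# -size +4k: larger than 4 KiB (sizes are rounded up to whole units of k).
bigger_than_4k() { find "$1" -type f -size +4k -print | wc -l | tr -d ' '; }

# find /sbin -name "user*" -exec ls -ld {} \;  runs ls once per match,
# so the number of output lines equals the number of matches.
exec_per_match() { find "$1/sbin" -name 'user*' -exec ls -ld {} \; | wc -l | tr -d ' '; }

demo() {
    d=$(make_find_demo)
    echo "directories: $(count_dirs "$d")   .bash_profile files: $(dotfiles "$d")"
    echo "recent files in dev: $(recent_in_dev "$d")   newer than reference: $(newer_than_ref "$d")"
    echo "files over 4k: $(bigger_than_4k "$d")   user* in sbin: $(exec_per_match "$d")"
    rm -rf "$d"
}

if [ "${1-}" = run ]; then demo; fi
```

Run it as `sh find_demo.sh run` to print the counts; the tree is removed afterwards.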

The grep Family

All grep commands provide pattern matching criteria for filtering lines containing a pattern

    fgrep [ options ] pattern [ files... ]
– fgrep uses fixed (simple) patterns
    grep [ options ] pattern [ files... ]
– grep uses "regular expressions" to define powerful pattern matching templates
    egrep [ options ] 'pattern|pattern' [ files... ]
– egrep uses extended regular expressions, allowing multi-pattern search

Common options:
    -v   output non-matched lines
    -c   output the count of lines matched
    -i   ignore lower/upper case
    -n   mark each matched line with its relative line number

Exercise - Revision Of Using grep

Always use single quotes around a grep regular expression.
What do the following grep commands mean?

    # ls -l | grep '^d'
    # grep 'bash$' /etc/passwd
    # ls -a | grep '^\.[^.]'
    # fgrep 'su:' /var/log/messages
    # who | egrep '(hawkeye|trapper)'

Looking Inside Files

Use the file command to identify a file type
A command's (shared library) dependencies are found with the ldd command
Text files: use less or more to look at the file
Data files: use octal dump (od)
– some systems supply a hex dump (hd) program
– use the -c option to display characters where possible
Use the strings command to list ASCII strings in a data file
MS-DOS files can be examined with mtype

    # file /bin/bash
    /bin/bash: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped
    # od -c /bin/bash | less

Inspecting Log Files

Use a pager such as less or more, or mcedit
– can be slow when working with large log files
Use grep to look for particular words
Use the tail command to look at the last 10 lines
– if the log file is growing, use the -f option to follow it
Use view (vi read only) to read the whole file
Whatever method you choose: DO LOOK AT LOG FILES

    # tail /var/messages
    ...
    Sep 24 19:40:32 linux su: (to root) peter on /dev/pts/0
    Sep 24 22:35:16 linux su: (to lp) peter on /dev/pts/0
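The grep exercise and the log-inspection slide both pick through /var/log/messages for su activity; as an added example (not from the slides), the same commands are applied here to a constructed excerpt of that log so the results can be checked. Only the two "su:" lines quoted on the slide are real; the other lines, the host name, users and addresses are invented, and grep -F / grep -E are used as the modern spellings of fgrep / egrep.

```shell
#!/bin/sh
# Added example (not from the slides): grep/tail techniques over a constructed
# /var/log/messages excerpt. Lines 1 and 4 are from the slide; the rest are invented.

SAMPLE_LOG='Sep 24 19:40:32 linux su: (to root) peter on /dev/pts/0
Sep 24 19:41:02 linux sshd[2034]: Accepted password for hawkeye from 10.0.0.5 port 51422 ssh2
Sep 24 20:12:11 linux su: FAILED SU (to root) trapper on /dev/pts/2
Sep 24 22:35:16 linux su: (to lp) peter on /dev/pts/0
Sep 24 22:40:01 linux cron[2201]: (root) CMD (run-parts /etc/cron.hourly)
Sep 24 23:01:45 linux su: (to root) trapper on /dev/pts/2
Sep 24 23:05:09 linux sshd[2078]: Failed password for invalid user admin from 10.0.0.9 port 40122 ssh2'

messages() { printf '%s\n' "$SAMPLE_LOG"; }    # stands in for: cat /var/log/messages

# fgrep 'su:' /var/log/messages, narrowed to attempts aimed at root,
# successful and failed alike; -c counts the matching lines.
su_to_root_attempts() { messages | grep -F 'su:' | grep -c '(to root)'; }

# Failed su attempts only.
failed_su() { messages | grep -c 'FAILED SU'; }

# Who actually became root: -v drops the failures, then the user name is
# the third field from the end of each remaining line.
became_root() {
    messages | grep '(to root)' | grep -v 'FAILED' |
        awk '{ print $(NF-2) }' | sort -u | paste -sd ' '
}

# The egrep '(hawkeye|trapper)' idea from the exercise, applied to the log:
# count every line that mentions any of the users given as "a|b|c".
lines_about() { messages | grep -E "($1)" | wc -l | tr -d ' '; }

# tail shows the newest entries (tail -f would keep following a growing file);
# here the timestamp of the very last record is returned.
newest_event_time() { messages | tail -n 1 | cut -d ' ' -f 1-3; }

# grep -n numbers the matches, which makes it easy to jump to the same
# place in the full file inside less; only the line numbers are returned.
numbered_sshd_failures() { messages | grep -n 'Failed password' | cut -d : -f 1; }
```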

System Default Files & Logbooks

SuSE & RedHat sysconfig: /etc/sysconfig/
– SuSE specific setup and boot files
General Linux config: /etc/
– many files, system wide configs
Useradd environment: /etc/default
– when adding users, /etc/skel is copied into the user's environment
– useradd also takes information from /etc/login.defs

Unix system logbooks (excerpt only)
Independent of syslog/syslog-ng:
    /var/log/maillog      mail
    /var/log/samba/       Samba server logs
Other log catalog standards:
    /var/log/messages     (SYSLOG) system services & hardware log
    /var/log/boot.*       system boot messages
    /var/log/mail.*       mail system messages
    /var/log/warn         warnings from system services

Syslog-ng: Controlling Logfiles

Gentoo comes with a syslog engine called syslog next generation (syslog-ng)
– syslog-ng is much more flexible than the syslog used on the majority of Unix systems
– syslog-ng source:
Syslog-ng is a client/server engine
– usually the local workstation forwards all important logs to a central logserver
– a logserver increases security and system stability
Gentoo comes with syslog set up to log locally only
Configuration is found in /etc/syslog-ng/
– here you define log sources, message filters and destinations
– sources/destinations can be local or remote services and servers
To stop, start and check the logging facility:

    # /etc/init.d/syslog-ng stop
    Shutting down syslog services                done
    # /etc/init.d/syslog-ng start
    Starting syslog services                     done
    # /etc/init.d/syslog-ng status
    Checking for service syslog:                 running

Mastering Syslog-ng Logging

Syslog options
– how syslog behaves, what permissions files should have, and so on
Syslog source
– define where the data sources are collected (local or network)
Syslog destination
– define the destination directories the collected data sources are sent to (local or network)
Syslog log
– connects syslog sources to syslog destination directories
Syslog filter
– define message filters
Syslog-ng listens for network sources to act as a logserver
– unlike a regular syslog server, which listens for client messages on UDP port 514, syslog-ng also listens on TCP port 514

Syslog Facility and Levels

Facility(...)
– auth       messages generated by authorization programs
– daemon     messages generated by system server processes
– local0-7   names reserved for user-defined facilities
– mail       messages generated by a mail system
– news       messages generated by a news system
– syslog     messages generated by the syslog daemon
– user       messages generated by a (user) process
– mark       messages generated by a mark signal from the syslog daemon
– cron       messages generated by cron
– kern       messages generated by the kernel

Level(...), from most to least severe
– emerg      system service is unusable
– alert      action must be taken immediately to address the problem
– crit       a critical condition has occurred
– err(or)    an error has occurred
– warn(ing)  a significant event that may require attention has occurred
– notice     an event that does not affect system operation has occurred
– info       a normal operation has occurred
– debug      diagnostic output detailing normal operations

Syslog Filters

Define filters
– use filter blocks to match or exclude logs; the following shows two example filters
Use filters
– log blocks join a source to a destination, with optional filter specifications
(every statement, the filter and log blocks included, ends with a semicolon)

    filter notdebug { level(info...emerg); };
    filter notmail  { not facility(mail); };

    log { source(local); filter(notdebug); filter(notmail); destination(messages); };
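To make the two filters concrete, here is an added example (not part of the slides and not syslog-ng code): a small shell model of how the level range and the facility negation decide whether a message reaches the messages destination. It uses the standard syslog severity numbers (emerg = 0 through debug = 7), which is what gives the range level(info...emerg) its meaning; the facility and level names come from the previous slide, and the sample records are constructed.

```shell
#!/bin/sh
# Added example (not from the slides): shell model of the notdebug/notmail
# filters. Severity numbers follow the syslog convention: 0 is most severe.

level_num() {                 # severity number for a level name, as syslog-ng spells them
    case "$1" in
        emerg|panic)   echo 0 ;;
        alert)         echo 1 ;;
        crit)          echo 2 ;;
        err|error)     echo 3 ;;
        warn|warning)  echo 4 ;;
        notice)        echo 5 ;;
        info)          echo 6 ;;
        debug)         echo 7 ;;
        *) echo "unknown level: $1" >&2; return 1 ;;
    esac
}

# filter notdebug { level(info...emerg); };
# A closed range from info (6) down to emerg (0), so only debug (7) is rejected.
filter_notdebug() {
    n=$(level_num "$1") || return 1
    [ "$n" -le "$(level_num info)" ] && [ "$n" -ge "$(level_num emerg)" ]
}

# filter notmail { not facility(mail); };
filter_notmail() { [ "$1" != mail ]; }

# log { source(local); filter(notdebug); filter(notmail); destination(messages); };
# Several filter() statements in one log path are ANDed: all must pass.
reaches_messages() {          # $1 = facility, $2 = level; prints yes or no
    if filter_notdebug "$2" && filter_notmail "$1"; then echo yes; else echo no; fi
}

# Route a constructed batch of "facility level text" records and report how
# many of them end up in the messages destination.
route_sample() {
    printf '%s\n' \
        'auth info login accepted' \
        'kern debug probing bus' \
        'mail err relay refused' \
        'daemon emerg out of disk' \
        'user notice cron job run' |
    while read -r fac lvl rest; do reaches_messages "$fac" "$lvl"; done |
    grep -c yes
}
```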

Syslog Servers

You can set up four types of logserver
– syslog local logserver only (standard)
– syslog proxy
– syslog forward only (syslog client)
– syslog logserver

Syslog logserver, the server named "loghost":
Enter the loghost IP address in /etc/hosts:
    server.ikea.se   server   loghost
    client.ikea.se   client   local0
In the server's syslog-ng.conf as "source":
    udp(ip(" ") port(514));
And in the client's syslog-ng.conf as "destination":
    udp(" " port(514));
Check that the server is listening:
    # netstat -a | grep syslog
    udp        0      0 *:syslog                *:*
    # netstat -an | grep 514
    udp : :*
Manually restart your client logserver:
    # /etc/init.d/syslog-ng restart
    Shutting down syslog services                done
    Starting syslog services                     done

Syslog Forward Only (Syslog Client)

Syslog client config OPTIONS
– in /etc/syslog-ng/syslog-ng.conf at OPTIONS add or change:

    options { use_fqdn(no); log_fifo_size(8192); };

– this defines options for local logging only; it prepares for sending logs to the logserver
– if you like you can keep all but sync(0)!

Syslog client config SOURCE
– most sources are predefined so you can leave this out!
– the general Linux/Unix source convention looks like this:

    source local { unix-dgram("/var/run/log"); file("/dev/klog"); udp(ip( ) port(514)); internal(); };

– next will be to FILTER and route the SOURCE to the logserver

Syslog Forward Only (Syslog Client)

Syslog client config FILTER
– go to the end of /etc/syslog-ng/syslog-ng.conf and add a very simple filter that looks like this:

    filter notdebug { level(info...emerg); };

– predefined filters exist for any logging situation regarding mail server, kernel messages and so on, and are a little more complex than the simple one above; for example, one mail filter looks like this:

    filter f_mailerr { level(err, crit) and facility(mail); };

Syslog client config DESTINATION
– we need to declare where to send log files; the standard is a local log file, in our case we want to log on the logserver
– go to the end of /etc/syslog-ng/syslog-ng.conf and add:

    destination loghost { udp("loghost" port(514)); };

Syslog client config LOG
– a filter and a destination by themselves do not do anything; we must connect the source with the filter and the destination
– add after your new destination:

    log { source(src); filter(notdebug); destination(loghost); };

Parse and apply the new syslog-ng configuration:

    # /etc/init.d/syslog-ng restart

Logrotate

The /etc/logrotate.conf file
– this is logrotate's general configuration file
– you can specify either the "weekly" or the "daily" rotation parameter
– the "rotate" parameter specifies the number of copies of log files to keep
– the "create" parameter creates a new log file after each rotation
Logrotate is controlled by cron: /etc/cron.daily/logrotate
– all files that sit in /etc/cron.daily are executed once per day

Sample contents of /etc/logrotate.conf (directives are lower case):

    # rotate log files weekly
    weekly
    # rotate log files daily
    # daily
    # keep 4 weeks worth of backlogs
    rotate 4
    # keep 7 days worth of backlogs
    # rotate 7
    # create new (empty) log files after rotating old ones
    create
    # configuration by service/facility
    include /etc/logrotate.d/

Logrotate for General Services

The placeholder is defined by default to be the /etc/logrotate.d directory
– this directory contains all log rotation configuration for services generating logs
The /etc/logrotate.d/syslog file
– this covers the system's general logfiles
– format is: logfile { logrotate handling }
It should look something like this:

    /var/log/warn /var/log/messages /var/log/allmessages /var/log/localmessages /var/log/firewall {
        compress
        dateext
        maxage 365
        rotate 99
        missingok
        notifempty
        size +4096k
        create 640 root root
        sharedscripts
        postrotate
            /etc/init.d/syslog reload
        endscript
    }

Samba and Apache are included in logrotate, if they are installed:

    /var/log/samba/*.log { logrotate handling }

Forcing logrotate to run:
    logrotate -f /etc/logrotate.conf          whole logrotate
    logrotate -f /etc/logrotate.d/syslog      only syslog

Summary

Unix administrators have a wide suite of utility programs for interrogating the system:
– man
– uname
– who, id
– write, wall, talk
– find
– grep
– pg/more, tail
Learn what programs are available
Read the manual pages to find out what the programs can do besides their basic function
Learn to read logs and how to find anomalous states