Tuesday, August 30, 2011

Details about syslog on linux

■ Requirement : syslog logging mechanism
■ OS Environment : Linux ( RHEL, Centos etc)
■ Resolution : 

Syslog :

Whenever syslogd, the syslog dæmon, receives a log message, it acts based on the message's type (or facility) and its priority. syslog's mapping of actions to facilities and priorities is specified in /etc/syslog.conf. Each line in this file specifies one or more facility/priority selectors followed by an action. A selector consists of a facility or facilities and a (single) priority.

In the following syslog.conf line, mail.notice is the selector and /var/log/mail is the action (i.e., “write messages to /var/log/mail”):

mail.notice /var/log/mail

facility.level_of_priority file_where_msg_will_be_saved

Within the selector, “mail” is the facility (message category) and “notice” is the level of priority.

Facilities :

Facilities are simply categories. Supported facilities in Linux are auth, authpriv, cron, dæmon, kern, lpr, mail, mark, news, syslog, user, UUCP and local0 through local7. Some of these are self-explanatory, but of special note are:

* auth: used for many security events.
* authpriv: used for access-control-related messages.
* dæmon: used by system processes and other dæmons.
* kern: used for kernel messages.
* mark: messages generated by syslogd itself that contain only a timestamp and the string “--MARK--”. To specify how many minutes should transpire between marks, invoke syslogd with the -m [minutes] flag.
* user: the default facility when none is specified by an application or in a selector.
* local7: boot messages.
* *: wildcard signifying “any facility”.
* none: wildcard signifying “no facility”

Priorities :

Unlike facilities, which have no relationship to each other, priorities are hierarchical. Possible priorities in Linux are (in increasing order of urgency): debug, info, notice, warning, err, crit, alert and emerg. Note that the urgency of a given message is determined by the programmer who wrote it; facility and priority are set by the programs that generate messages, not by syslog.

If you specify a single priority in a selector (without modifiers), you're actually specifying that priority plus all higher priorities. Thus the selector mail.notice translates to “all mail-related messages having a priority of notice or higher”, i.e., having a priority of notice, warning, err, crit, alert or emerg.

This behaviour can be cancelled by prepending an = to the priority. The selector mail.=notice translates to “all mail-related messages having a priority of notice”. Priorities may also be negated: mail.!notice is equivalent to “all mail messages except those with priority of notice or higher”, and mail.!=notice corresponds to “all mail messages except those with the priority notice”.

If overall system performance becomes an important factor in regard to logging, you can tell syslogd **not** to sync the disk each time it writes to a log file. This is done by putting a minus sign (-) in front of the file name, like this:

lpr.info -/var/adm/printer.log

Sending the log messages to another machine is done by using an at-sign (@) in front of the machine name as the action. For example:

*.emerg @logserver
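The selector rules above can be checked mechanically to see which messages a rule set captures and which it drops. The following is an added example, not code from syslogd or from the original post: it models the semantics exactly as this post states them, assumes one selector per rule line, and uses the three rule lines quoted above as its input.

```python
# Added example: models the selector rules described in this post.
# It is not syslogd's code; one selector per rule line is assumed.
PRIORITIES = ["debug", "info", "notice", "warning",
              "err", "crit", "alert", "emerg"]

# Rule lines quoted in the post.
RULES = """\
mail.notice /var/log/mail
lpr.info -/var/adm/printer.log
*.emerg @logserver
"""

def priority_matches(spec, priority):
    """Apply the '=', '!' and '!=' modifiers to a message priority."""
    if spec == "*":
        return True
    if spec == "none":
        return False
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    exact = spec.startswith("=")
    spec = spec.lstrip("=")
    want, have = PRIORITIES.index(spec), PRIORITIES.index(priority)
    hit = (have == want) if exact else (have >= want)
    return hit != negate

def selector_matches(selector, facility, priority):
    """True if a message's facility and priority satisfy the selector."""
    fac_spec, _, prio_spec = selector.partition(".")
    facilities = fac_spec.split(",")
    if "*" not in facilities and facility not in facilities:
        return False
    return priority_matches(prio_spec, priority)

def actions_for(rules, facility, priority):
    """Return the actions of every rule line that the message triggers."""
    hits = []
    for line in rules.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        selector, action = line.split(None, 1)
        if selector_matches(selector, facility, priority):
            hits.append(action.strip())
    return hits

if __name__ == "__main__":
    for fac, prio in [("mail", "info"), ("mail", "warning"),
                      ("authpriv", "notice"), ("kern", "emerg")]:
        print(f"{fac}.{prio:8} -> {actions_for(RULES, fac, prio) or 'dropped'}")
```

With only these three rules, an authpriv.notice message matches nothing and is written nowhere, which is the kind of gap worth checking for before relying on a configuration for security logging.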

Details about rsyslog: http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch05_:_Troubleshooting_Linux_with_syslog

Logrotate :

The Linux utility logrotate renames and reuses system error log files on a periodic basis so that they don't occupy excessive disk space.

The /etc/logrotate.conf File :
This is logrotate's general configuration file in which you can specify the frequency with which the files are reused.

* You can specify either a weekly or daily rotation parameter. In the case below the weekly option is commented out with a #, allowing for daily updates.
* The rotate parameter specifies the number of copies of log files logrotate will maintain. In the case below the 4 copy option is commented out with a #, while allowing 7 copies.
* The create parameter creates a new log file after each rotation

Sample conf file:

# rotate log files weekly
#weekly

# rotate log files daily
daily

# keep 4 weeks worth of backlogs
#rotate 4

# keep 7 days worth of backlogs
rotate 7

# create new (empty) log files after rotating old ones
create

The /etc/logrotate.d Directory :

Most Linux applications that use syslog will put an additional configuration file in this directory to specify the names of the log files to be rotated. It is a good practice to verify that all new applications that you want to use the syslog log have configuration files in this directory. Here are some sample files that define the specific files to be rotated for each application.

Here is an example of a custom file located in this directory that rotates files with the .tgz extension which are located in the /data/backups directory. The parameters in this file will override the global defaults in the /etc/logrotate.conf file. In this case, the rotated files won't be compressed, they'll be held for 30 days only if they are not empty, and they will be given file permissions of 600 for user root.

/data/backups/*.tgz {
    daily
    rotate 30
    nocompress
    notifempty
    create 0600 root root
}

Activating logrotate :

The logrotate settings in the previous section will not take effect until you issue the following command:
# logrotate -f /etc/logrotate.conf

If you want logrotate to reload only a specific configuration file, and not all of them, then issue the logrotate command with just that filename as the argument like this:

[root@me]# logrotate -f /etc/logrotate.d/syslog

To compress rotated log files, use the "compress" directive in the main configuration file.

How to check the logrotate status?

To check the current logrotate status (for example, which files are covered by logrotate and when each was last processed), check the /var/lib/logrotate/status file.

Monday, August 29, 2011

How to create custom SELinux module on linux box?

■ Requirement : Create a custom SELinux module
■ OS Environment : Linux ( RHEL, Centos)
■ Symptom Encountered : 

sftp was set up on a Linux box and sshd was not allowing sftp users to access their directories. The following messages were found in audit.log:

type=CRED_ACQ msg=audit(1314648699.931:26195): user pid=25524 uid=0 auid=503 ses=671 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="user" exe="/usr/sbin/sshd" hostname=kmaiti.pnq.redhat.com addr= terminal=ssh res=success'
type=AVC msg=audit(1314648699.931:26196): avc: denied { getattr } for pid=25524 comm="sshd" path="/chroots" dev=dm-0 ino=34612 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir

■ Implementation Steps : 

1. To allow the source context access to the target, I created a custom module and loaded it in SELinux.

$ grep sshd_t /var/log/audit/audit.log | audit2allow -m sftplocal > sftplocal.te
$ checkmodule -M -m -o sftplocal.mod sftplocal.te
$ semodule_package -o sftplocal.pp -m sftplocal.mod
$ semodule -i sftplocal.pp
$ semodule -l |grep sftplocal

2. To unload (disable) the module, do:

$ semodule -d sftplocal
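Because the grep in step 1 feeds every sshd_t denial in the log to audit2allow, it is worth reading what each record turns into before loading the module. The following is an added example, not part of the original post or of the SELinux tools: it parses the AVC record quoted above, prints the allow rule that record corresponds to, and flags targets in a small set of catch-all types (that set and the function names are assumptions of this example).

```python
import re

# The AVC record quoted in this post, copied unchanged.
AVC_LINE = ('type=AVC msg=audit(1314648699.931:26196): avc: denied { getattr } '
            'for pid=25524 comm="sshd" path="/chroots" dev=dm-0 ino=34612 '
            'scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 '
            'tcontext=unconfined_u:object_r:default_t:s0 tclass=dir')

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)')

# Assumption of this example: these catch-all types deserve a manual review.
GENERIC_TYPES = {"default_t", "unlabeled_t", "file_t"}

def parse_avc(line):
    """Extract source type, target type, class and permissions, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    path = re.search(r'\bpath="([^"]*)"', line)
    return {
        "source": m.group("scontext").split(":")[2],  # user:role:type:level
        "target": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "perms": m.group("perms").split(),
        "path": path.group(1) if path else None,
    }

def allow_rule(avc):
    """Render the type-enforcement rule that would permit this access."""
    perms = avc["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {avc['source']} {avc['target']}:{avc['tclass']} {perm_text};"

def review(avc):
    """Return review notes for rules that are broader than the denied path."""
    notes = []
    if avc["target"] in GENERIC_TYPES:
        notes.append(f"{avc['target']} is a catch-all type: the rule covers every "
                     f"{avc['tclass']} with that label, not only {avc['path']}")
    return notes

if __name__ == "__main__":
    avc = parse_avc(AVC_LINE)
    print(allow_rule(avc))
    for note in review(avc):
        print("REVIEW:", note)
```

For the record above, the rule is `allow sshd_t default_t:dir getattr;`, so the module grants sshd that permission on every directory labelled default_t; giving /chroots a more specific label is the narrower alternative.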

How to add sudo user in linux?

■ Requirement : add sudo user
■ OS Environment : Linux[RHEL, Centos]
■ Application:sudo
■ Implementation Steps : 

1. Add user : 

$ useradd test123

2. Add the user to the wheel group:

$ usermod -G wheel -a test123 

3. Uncomment the following line in the /etc/sudoers file (edit it with visudo, which checks the syntax before saving):

# Uncomment to allow people in group wheel to run all commands
%wheel ALL=(ALL) ALL

4. [Optional] Add user test123 to the /etc/sudoers file:

# User privilege specification

root ALL=(ALL) ALL
test123 ALL=(ALL) ALL

NOTE: test123 now has the same full access as root. sudo can instead be configured so that test123 may run only particular commands. Check the sudo manual for more detail.

Saturday, August 27, 2011

Why did I encounter error message "Access Denied Error Code : 0x8007005" while accessing a samba share from a windows machine?

Incident : 

  • Received error message "Access Denied Error Code : 0x8007005" while accessing a samba share from a windows machine

■ OS Environment : Linux[RHEL, Centos], Windows
■ Application: samba
■ Existing Configuration :

The Samba server (smb) runs on a Linux box (RHEL 6.1). It has the following configuration:

$ cat /etc/samba/smb.conf

workgroup = IMSDOWNLOADS
server string = IMS Downloads
hosts allow = 10.*
log file = /var/log/samba/%m.log
security = user
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

comment = u1
path = /u1
browseable = yes
writable = yes
public = yes
read only = no

comment = log
path = /log
browseable = yes
writable = yes
public = yes
read only = no

■ Resolution :

$ chcon -R -t samba_share_t /u1
$ chcon -R -t samba_share_t /log
$ chmod +x /u1
$ chmod +x /log

Wednesday, August 10, 2011

How to redirect output of a script to a file (need to save the log in a file, and the file should be mentioned in the script itself)?

■ Requirement : redirect output of a script to a file (need to save the log in a file, and the file should be mentioned in the script itself)
■ OS Environment : Linux[RHEL, Centos]
■ Application: bash
■ Implementation Steps : 

1. Create a bash script.
2. Add the following line:

exec > >(tee /var/log/my_logfile.txt)

Example :

$ cat /etc/init.d/crond |head -5
#! /bin/bash -x
exec > >(tee /var/log/my_cron_logfile.txt)

$ service crond restart 
$ cat /var/log/my_cron_logfile.txt
Starting crond: [ OK ]

Tuesday, August 9, 2011

How to check change log of package?

■ Requirement : check change log of package
■ OS Environment : Linux[RHEL, Centos]
■ Application: rpm
■ Resolution : 

$ rpm -q --changelog pkg_name

Sunday, August 7, 2011

How to capture good output from the strace command?

■ Requirement : capturing strace output
■ OS Environment : Linux[RHEL, Centos]
■ Application:strace
■ Implementation Steps : 

$ touch /tmp/strace_op
$ strace -s 128 -fvTttto /tmp/strace_op command

NOTE: Analyse the content of the file /tmp/strace_op. Timestamps are captured there, so you can check which system call took the most time. If any command takes a long time, run it under strace and analyse the output.

$strace -fvTtt  

Friday, August 5, 2011

Why device name changed on system update or how to use UUID for device?

■ Requirement : Investigate why device name changed on system update or how to use UUID for device
■ OS Environment : Linux[RHEL, Centos]
■ Application: uuid
■ Implementation Steps : 

This problem can be avoided through the use of UUIDs (universally unique identifiers) instead of traditional block device names (/dev/hda1, /dev/hda5, /dev/sdb) to uniquely identify hard disks or other storage media. This is because UUIDs are unique and never change even if you switch the hard disk ordering. Follow these steps to use existing UUIDs to identify storage devices.

1. List the UUIDs of block devices :

Use the blkid command-line utility to locate/print block device attributes:

$ blkid
/dev/sda3: LABEL="SWAP-sdb3" TYPE="swap"
/dev/sda2: LABEL="/" UUID="f52529cb-a959-4a11-8d43-0e4fd8fdecd2" TYPE="ext3"
/dev/sda1: LABEL="/boot" UUID="15721694-cc09-4b79-baf0-e56f128676c3" TYPE="ext3"

Another method which works universally on systems is:

$ ls -al /dev/disk/by-uuid
lrwxrwxrwx 1 root root 10 Sep 29 13:35 15721694-cc09-4b79-baf0-e56f128676c3 -> ../../sda1
lrwxrwxrwx 1 root root 10 Sep 29 13:35 f52529cb-a959-4a11-8d43-0e4fd8fdecd2 -> ../../sda2

2. Use UUID in the grub.conf file:

The system identifies the root partition on the kernel line in grub.conf. RHEL 5 uses disk labels or device names by default:
(This is an example)

title Red Hat Enterprise Linux Server (2.6.18-128.el5PAE)
root (hd0,0)
kernel /vmlinuz-2.6.18-128.el5PAE ro root=LABEL=/
initrd /initrd-2.6.18-128.el5PAE.img

or, with a device name on the kernel line:

kernel /vmlinuz-2.6.18-128.el5PAE ro root=/dev/sda2

If the LABEL or block device name of the root drive changes, it will throw a kernel panic. We can use the UUID of root partition in grub.conf to avoid this problem:

kernel /vmlinuz-2.6.18-128.el5PAE ro root=UUID=f52529cb-a959-4a11-8d43-0e4fd8fdecd2

3. Use UUID in the /etc/fstab file:

A typical /etc/fstab entry would look something like this:

/dev/sda2 / ext3 defaults 1 1
LABEL=/ / ext3 defaults 1 1

Under the new system, the same entry would look something like this:

UUID=f52529cb-a959-4a11-8d43-0e4fd8fdecd2 / ext3 defaults 1 1

The only difference is the first entry in the table. Instead of /dev/sda1 or LABEL, the UUID f52529cb-a959-4a11-8d43-0e4fd8fdecd2 now designates the drive. Because of this, it wouldn't matter if the drive were moved and became /dev/sdb1; the root drive would still mount and function as expected.
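The fstab change in step 3 can be applied to a whole file by mapping each device name or LABEL to the UUID that blkid reports. The following is an added example, not part of the original post: the function names are hypothetical, the blkid text is the output shown in step 1, and the fstab lines in the test are constructed. It also covers the case visible in that output where a device (the swap partition) reports no UUID and must be left unchanged.

```python
import re

# blkid output as shown in step 1 of this post.
BLKID_OUTPUT = '''\
/dev/sda3: LABEL="SWAP-sdb3" TYPE="swap"
/dev/sda2: LABEL="/" UUID="f52529cb-a959-4a11-8d43-0e4fd8fdecd2" TYPE="ext3"
/dev/sda1: LABEL="/boot" UUID="15721694-cc09-4b79-baf0-e56f128676c3" TYPE="ext3"
'''

def parse_blkid(text):
    """Map each device name to its attributes, e.g. {'UUID': ..., 'LABEL': ...}."""
    devices = {}
    for line in text.splitlines():
        dev, sep, attrs = line.partition(": ")
        if sep:
            devices[dev] = dict(re.findall(r'(\w+)="([^"]*)"', attrs))
    return devices

def to_uuid_spec(spec, devices):
    """Rewrite a device name or LABEL= spec as UUID=...; keep it if unresolvable."""
    if spec.startswith("UUID="):
        return spec
    if spec.startswith("LABEL="):
        label = spec[len("LABEL="):]
        matches = [a for a in devices.values() if a.get("LABEL") == label]
        # Convert only when the label is unique and the device has a UUID.
        if len(matches) == 1 and "UUID" in matches[0]:
            return "UUID=" + matches[0]["UUID"]
        return spec
    uuid = devices.get(spec, {}).get("UUID")
    return "UUID=" + uuid if uuid else spec

def convert_fstab(text, devices):
    """Return fstab text with the first field of each entry converted."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            out.append(line)  # keep blank lines and comments untouched
            continue
        fields[0] = to_uuid_spec(fields[0], devices)
        out.append(" ".join(fields))
    return "\n".join(out)

if __name__ == "__main__":
    sample = "/dev/sda2 / ext3 defaults 1 1\n/dev/sda3 swap swap defaults 0 0"
    print(convert_fstab(sample, parse_blkid(BLKID_OUTPUT)))
```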

Thursday, August 4, 2011

How to disable MSI at network driver level?

■ Requirement : Disable MSI at NIC driver
■ OS Environment : Linux[RHEL, Centos]
■ Application: modprobe
■ Implementation Steps : 

$ insmod bnx2.ko disable_msi=1
$ modprobe bnx2 disable_msi=1

NOTE: bnx2 driver is used in above command.