Unix System Admin
Administration Utilities
• Objectives
– to use standard administration utilities
• Contents
– manual pages
– identifying your system
– communicating with users
– finding files
– looking at files and logs
– system defaults
– syslog
– logrotate
– logserver
• Practicals
– to become familiar with these commands
• Summary
On-Line Manuals
• On-line manuals are split into sections (numbering may vary between systems):
1                   user commands
1M (8 on BSD/Linux) maintenance commands
2                   system calls
3                   functions and libraries
4                   special files found in /dev
5                   file formats like /etc/passwd
6                   games
7                   miscellaneous
8                   system administration commands
9                   kernel routines
• man <command> displays the first manual page found for that name
$ man man
$ man passwd
• man -k <keyword> searches the one-line descriptions (<command> is optional when a keyword is given)
$ man -k tcp
• man <section> <command> selects the page from a specific section
$ man 5 passwd
• Some systems provide a whatis database (originally BSD)
– whatis command        one-line description of command
– apropos command       keyword search for command (same as man -k)
– info command          more information about command
– /usr/ucb/catman       re-creates the database from the manual source files (makewhatis or mandb on Linux)
Adding Manual Entries
• Manual pages are stored under /usr/share/man/ and /usr/local/man
– man[1-8]   troff/nroff source manual pages (gzip compressed)
– cat[1-8]   pre-formatted manual pages (gzip compressed)
• Manuals can be stored in different or multiple directories
by setting the MANPATH variable
– don’t forget to include /usr/share/man if defining MANPATH
$ MANPATH=/usr/share/man:/usr/X11/man
$ export MANPATH
$ man xterm
• Manual pages are displayed using a pager program
– less is the default on SuSE; on many other systems more is used by default
– set the PAGER variable to override the default
$ PAGER=less; export PAGER
$ man xterm
• Gentoo Application documentation is in /usr/share/doc
Identifying the Unix System
• The uname command shows system information
– the hostname command also identifies the current host
• options
-a   all information
-n   system name (nodename on the network)
-s   O/S name
-r   O/S release number
-v   O/S version number
-m   machine hardware
-p   processor type
$ uname -a
Linux linux 2.6.11.4-20a-default #1 Wed Mar 23 21:52:37 UTC
2005 i686 i686 i386 GNU/Linux
$ hostname
mash4077
Identifying active users
• The who command shows who is currently logged on
– information is kept in /var/run/utmp
– a history of every login is also kept in /var/log/wtmp
• who am i reports the original login user of the current terminal (from its utmp record), even after su
• whoami reports the current effective user
• The command id identifies the current user in more detail (uid, gid and group list)
• some systems also have a w command (originally BSD)
• The last command shows historical logins from /var/log/wtmp
$ who
trapper   pts/0     Jul 25 11:01
hawkeye   console   Jul 25 11:31
$ who am i
hawkeye   console   Jul 25 11:31
$ id
uid=318(hawkeye) gid=300(users)
$ who /var/log/wtmp          history of all system logins
$ last -10                   the last 10 logins
Talking to users
• Use write to display a message on a user's terminal
– users can disable messages with the mesg n command
– root can always write to a user
• Write all (wall) displays a message to all logged-in users
– useful for sending out broadcasts
– used by the system shutdown mechanism
• Use the talk command to set up a two-way dialogue
$ write trapper
Do you know where the system logbook is?
^D
$ mesg
is no
$ mesg y
• mesg n blocks messages from other users; a wall sent by root still gets through
• Enable messages again with mesg y
$ talk trapper
Finding Files
• The find command locates files using specified search criteria
find directories... search_criteria... action
• Search criteria:
-name name         finds only files called name (shell wildcards allowed; quote them so the shell does not expand them first)
-user name         finds only files owned by user name
-type letter       finds files of the given type: f (plain files), d (directories), etc.
-mtime n           finds files modified n days ago; -n = less than n days ago, +n = more than n days ago
-size n[c|K]       finds files of size n; +n = larger, -n = smaller; c = bytes, K = kilobytes (512-byte blocks when the unit is omitted)
-newer pathname    finds files newer than the given file
-mount             do not cross file-system boundaries (-xdev on many systems)
• Action:
-print             print the names of the files found
-exec cmd {} \;    runs the given command with each filename substituted for {}
-ok cmd {} \;      as -exec, but prompts for confirmation before each command
Exercise - Revision Of Using find
• What do the following find commands mean?
# find . -print
# find /etc -type d -print
# find /home -name .bash_profile -exec more {} \;
# find /dev -type f -mtime -7 -exec ls -l {} \;
# find /sbin /usr/sbin -name "user*" -exec ls -ld {} \;
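As an added example (not part of the course material), here is the kind of file-system audit a practitioner builds from the criteria above: setuid/setgid executables, world-writable files, and files changed in the last few days. `-xdev` is the POSIX/GNU spelling of the slides' `-mount`. The directory tree it runs over is constructed by the script itself; it assumes POSIX find, mktemp and touch -t.

```shell
#!/bin/sh
# Added example, not from the original course notes: the file-system
# audit a practitioner builds from the find criteria above. -xdev is the
# POSIX/GNU spelling of the slides' -mount (stay on one file system).
# Assumes POSIX find, mktemp and touch -t; the tree is constructed here.

# setuid_files ROOT: regular files with the setuid or setgid bit set
setuid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# world_writable ROOT: regular files that any user may write to
world_writable() {
    find "$1" -xdev -type f -perm -0002 -print | sort
}

# recently_modified ROOT DAYS: regular files changed less than DAYS days ago
recently_modified() {
    find "$1" -xdev -type f -mtime "-$2" -print | sort
}

# make_demo_tree: build a throw-away tree with one finding of each kind
# (plus an old, harmless file) and print its path
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/tmp"
    printf '#!/bin/sh\necho hi\n' > "$d/bin/suidtool"
    chmod 4755 "$d/bin/suidtool"          # setuid helper
    : > "$d/tmp/scratch"
    chmod 666 "$d/tmp/scratch"            # world-writable
    : > "$d/bin/old"
    touch -t 200001010000 "$d/bin/old"    # modified long ago, not "recent"
    printf '%s\n' "$d"
}

# Demo: run the three checks over the constructed tree
root=$(make_demo_tree)
echo "setuid/setgid:";     setuid_files "$root"
echo "world-writable:";    world_writable "$root"
echo "modified < 7 days:"; recently_modified "$root" 7
rm -rf "$root"
```

On a real system run the functions with `/` as the root; a setuid binary outside the package-managed directories, or a world-writable file under /etc, is worth a look in the logs.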
The grep Family
• All grep commands filter input to the lines that contain a pattern
fgrep [options] pattern [files...]
– fgrep uses fixed (literal) strings (grep -F on modern systems)
grep [options] pattern [files...]
– grep uses basic regular expressions to define powerful pattern matching templates
egrep [options] pattern|pattern [files...]
– egrep uses extended regular expressions, which allow alternation of several patterns (grep -E on modern systems)
• common options
-v   output the non-matching lines
-c   output the count of matching lines
-i   ignore upper/lower case
-n   prefix each matching line with its line number
Exercise - Revision Of Using grep
• Always put single quotes around a grep regular expression so the shell does not expand it
• What do the following grep commands mean?
# ls -l | grep '^d'
# grep 'bash$' /etc/passwd
# ls -a | grep '^\.[^.]'
# fgrep 'su:' /var/log/messages
# who | egrep '(hawkeye|trapper)'
Looking Inside Files
• Use the file command to identify a file type (it looks at the content, not the name)
• The shared libraries a binary depends on are listed with the ldd command
– do not run ldd on an untrusted binary: depending on the dynamic loader it may execute the program
• Text files: use less or more to look at the file
• Data files: use octal dump (od)
– some systems supply a hex dump program (hd or hexdump)
– use the -c option to show printable characters where possible
# file /bin/bash
/bin/bash: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped
# od -c /bin/bash | less
• Use the strings command to list the ASCII strings in a data file
• MS-DOS files can be examined with mtype
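The following is an added example, not from the course notes: it does by hand what the slide uses file and strings for, reading the leading bytes with od and extracting printable runs with tr and grep, so the classification depends only on content (not on the file name) and works even where the file and strings binaries are not installed. The sample files are constructed in the demo; POSIX od, tr and grep -E are assumed.

```shell
#!/bin/sh
# Added example (not from the original course notes): identify a file by
# its leading bytes with od, and list its printable strings with tr and
# grep, so the check does not depend on the file name or on the `file`
# and `strings` binaries being installed. Sample files are constructed
# in the demo below.

# file_kind PATH: print ELF, script or other, judged by the first bytes only
file_kind() {
    magic=$(od -A n -c -N 4 "$1" | tr -d ' \n')
    case "$magic" in
        '177ELF') printf 'ELF\n' ;;      # 0x7f 'E' 'L' 'F': ELF header
        '#!'*)    printf 'script\n' ;;   # shebang, interpreter name follows
        *)        printf 'other\n' ;;
    esac
}

# ascii_strings PATH [MINLEN]: runs of at least MINLEN printable characters,
# one per line (roughly what strings(1) does)
ascii_strings() {
    min=${2:-4}
    tr -c '[:print:]' '\n' < "$1" | grep -E ".{$min,}"
}

# Demo over constructed files: an ELF header, a shell script with a
# misleading .exe name, and plain text
demo=$(mktemp -d)
printf '\177ELF\002\001\001' > "$demo/bin"
printf '#!/bin/sh\necho hi\n' > "$demo/run.exe"
printf 'just text\n' > "$demo/notes"
for f in bin run.exe notes; do
    printf '%s: %s\n' "$f" "$(file_kind "$demo/$f")"
done
echo "strings in run.exe:"; ascii_strings "$demo/run.exe"
rm -rf "$demo"
```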
Inspecting Log Files
• Use a pager such as less or more, or an editor such as mcedit
– can be slow when working with large log files
• Use grep to look for particular words
• Use the tail command to look at the last 10 lines
– if the log file is still growing, use the -f option to follow it
• Use view (vi in read-only mode) to read the whole file
# tail /var/log/messages
...
Sep 24 19:40:32 linux su: (to root) peter on /dev/pts/0
Sep 24 22:35:16 linux su: (to lp) peter on /dev/pts/0
Whatever method you choose:
DO LOOK AT LOG FILES
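As an added example (not part of the course notes), here is the grep/awk pipeline a practitioner would run over /var/log/messages to pull the su records shown above out of everything else. The log lines are constructed sample data in the SuSE "su: (to root) user on tty" format of the slide; the FAILED SU line follows the format used by shadow's su.

```shell
#!/bin/sh
# Added example (not part of the original course notes): the grep/awk
# pipeline a practitioner runs over /var/log/messages to pull out the su
# records shown above. The log lines are constructed sample data in the
# SuSE "su: (to root) user on tty" format; the FAILED SU line follows the
# format used by shadow's su.

# write_sample: create a temporary file of constructed log lines, print its path
write_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Sep 24 19:40:32 linux su: (to root) peter on /dev/pts/0
Sep 24 22:35:16 linux su: (to lp) peter on /dev/pts/0
Sep 25 08:02:11 linux su: (to root) hawkeye on /dev/pts/1
Sep 25 08:05:40 linux su: FAILED SU (to root) trapper on /dev/pts/2
Sep 25 09:10:00 linux sshd[1234]: Accepted password for peter from 10.0.0.5 port 4022 ssh2
EOF
    printf '%s\n' "$f"
}

# su_to_root_users LOG: distinct users who successfully became root via su
# (parentheses are literal in a basic regular expression)
su_to_root_users() {
    grep 'su: (to root)' "$1" | awk '{ print $8 }' | sort -u
}

# failed_su_count LOG: number of failed su attempts, whatever the target user
failed_su_count() {
    grep -c 'su: FAILED SU' "$1"
}

# su_by_user LOG USER: every su record (success or failure) for one user;
# the user name is matched as a fixed string, as fgrep would
su_by_user() {
    grep 'su:' "$1" | grep -F " $2 on "
}

# Demo over the constructed sample
f=$(write_sample)
echo "users who became root:"; su_to_root_users "$f"
echo "failed su attempts: $(failed_su_count "$f")"
echo "records for trapper:"; su_by_user "$f" trapper
rm -f "$f"
```

On a live system point the functions at /var/log/messages (or the file your syslog configuration sends the auth facility to) and pipe `tail -f` into the same grep patterns to watch su activity as it happens.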
System Default Files & logbooks
• SuSE & RedHat sysconfig: /etc/sysconfig/
– distribution-specific setup and boot files
• General Linux configuration: /etc/
– many files, system-wide configuration
• useradd environment: /etc/default
– when a user is added, the contents of /etc/skel are copied into the new home directory
– useradd also takes its settings from /etc/login.defs
• Unix system logbooks (excerpt only)
Written directly by the service, independent of syslog/syslog-ng:
/var/log/samba/        Samba server logs
Written by syslog, location by convention:
/var/log/messages      system services and hardware log
/var/log/maillog       mail (RedHat)
/var/log/mail.*        mail system messages (SuSE)
/var/log/boot.*        system boot messages
/var/log/warn          warnings from system services
Syslog-ng Controlling logfiles
• Gentoo ships a syslog engine called syslog-ng (syslog next generation)
– syslog-ng is much more flexible than the classic syslogd used on most Unix systems
• syslog-ng source: http://www.balabit.com/
• syslog-ng is a client/server engine
• Usually each workstation forwards its important logs to a central logserver
– a logserver improves security and troubleshooting: an attacker who gets root on a client can delete or edit the local logs, but not the copies already shipped off the box
• Gentoo comes with syslog-ng set up to log locally only
• To stop / start and check the logging facility:
# /etc/init.d/syslog-ng stop
Shutting down syslog services                  done
# /etc/init.d/syslog-ng start
Starting syslog services                       done
# /etc/init.d/syslog-ng status
Checking for service syslog:                   running
• Configuration is found in /etc/syslog-ng/
Here you define log sources, message filters and destinations.
Sources and destinations can be local, or remote services and servers.
Mastering Syslog-ng logging
• options
– how syslog-ng behaves: what permissions log files get, and so on
• source
– define where log data is collected from (local or network)
• destination
– define where collected data is sent (local files or network)
• log
– connects sources to destinations, optionally through filters
• filter
– define message filters
• syslog-ng listens for network sources when acting as a logserver
– a classic syslogd listens for client messages on UDP port 514 only; syslog-ng can additionally be given a tcp() source (conventionally TCP port 514), which gives reliable delivery but, like UDP, neither authentication nor encryption
Syslog Facility and Levels
• Facility(...)
– auth       messages generated by authorization programs
– daemon     messages generated by system server processes
– local0-7   names reserved for user-defined facilities
– mail       messages generated by a mail system
– news       messages generated by a news system
– syslog     messages generated by the syslog daemon
– user       messages generated by a user process
– mark       timestamp messages generated periodically by the syslog daemon
– cron       messages generated by the cron daemon
– kern       messages generated by the kernel
• Level(...)
– emerg      the system is unusable
– alert      action must be taken immediately to address the problem
– crit       a critical condition has occurred
– err(or)    an error has occurred
– warn(ing)  a significant event that may require attention has occurred
– notice     a normal but significant event that does not affect system operation
– info       an informational message about normal operation
– debug      diagnostic output detailing normal operations
Syslog Filters
• Define filters
– Use filter blocks to match or exclude messages. Two example filters:
filter notdebug { level(info...emerg); };
filter notmail { not facility(mail); };
• Use filters
– log blocks join a source to a destination, with optional filters in between:
log {
    source(local);
    filter(notdebug);
    filter(notmail);
    destination(messages);
};
Syslog servers
• You can set up four types of logserver
– syslog local logserver only (standard)
– syslog proxy
– syslog forward only (syslog client)
– syslog logserver
• Syslog logserver: the server named "loghost"
Enter the loghost address in /etc/hosts on every client:
192.168.0.42    server.ikea.se  server  loghost
192.168.0.231   client.ikea.se  client  local0
In the server's syslog-ng.conf as a source:
udp(ip("0.0.0.0") port(514));
– ip("0.0.0.0") binds every interface; on a multi-homed server bind the internal address instead, and firewall UDP 514 so only your clients can reach it (anyone who can send to the port can inject or flood log messages)
And in the client's syslog-ng.conf as a destination:
udp("loghost" port(514));
Check that the server is listening:
# netstat -a | grep syslog
udp        0      0 *:syslog                *:*
# netstat -an | grep 514
udp        0      0 0.0.0.0:514             0.0.0.0:*
Manually restart syslog-ng on the client:
# /etc/init.d/syslog-ng restart
Shutting down syslog services                  done
Starting syslog services                       done
Syslog forward only (Syslog Client)
• Syslog client config: OPTIONS
In /etc/syslog-ng/syslog-ng.conf, in the options block, add or change:
options {
    use_fqdn(no);          # short host name in messages
    log_fifo_size(8192);   # buffer messages while the logserver is unreachable
};
These options also apply to local-only logging; the larger FIFO is what prepares the client for sending logs to a logserver. The other existing options can stay as they are, apart from sync(0).
• Syslog client config: SOURCE
Most sources are predefined, so you can usually leave this out. A typical Linux source block looks like this:
source src {
    internal();                       # syslog-ng's own messages
    unix-stream("/dev/log");          # what local programs write via syslog(3)
    file("/proc/kmsg");               # kernel messages
    udp(ip(127.0.0.1) port(514));     # only if local programs send over UDP
};
– the BSD form uses unix-dgram("/var/run/log") and file("/dev/klog") instead of the /dev/log and /proc/kmsg lines
• Next: FILTER and route the SOURCE to the logserver
Syslog forward only (Syslog Client)
• Syslog client config: FILTER
Go to the end of /etc/syslog-ng/syslog-ng.conf and add a very simple filter:
filter notdebug { level(info...emerg); };
Predefined filters exist for the usual situations (mail server, kernel messages and so on) and are a little more complex than the one above. For example, a mail filter looks like this:
filter f_mailerr { level(err, crit) and facility(mail); };
• Syslog client config: DESTINATION
We need to declare where to send the messages. The standard destination is a local log file; in our case we want to log on the logserver. Add at the end of the file:
destination loghost { udp("loghost" port(514)); };
• Syslog client config: LOG
A filter and a destination by themselves do nothing; we must connect a source with the filter and the destination. Add after your new destination:
log { source(src); filter(notdebug); destination(loghost); };
– the name in source() must match the name of your source block (src is the name used by Gentoo's default configuration)
• Parse and apply the new syslog-ng configuration
# /etc/init.d/syslog-ng restart
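The following is an added example written for this page, not the course's own configuration nor the file Gentoo ships. It pulls together the filter syntax from the Syslog Filters slide and the logserver/client split from the logserver and forward-only slides into one complete server config and one complete client config, with two hardening choices the slides only hint at: the server binds its internal address (192.168.0.42, the address from the /etc/hosts example) rather than 0.0.0.0, and remote messages are stored under /var/log/remote in one directory per sending host with restrictive permissions. The s_/d_/f_ names and the /var/log/remote path are my own; the syslog-ng 1.6 syntax of the era is assumed.

```conf
# --- Server (loghost): /etc/syslog-ng/syslog-ng.conf -------------------
options {
    use_fqdn(no);
    # Do not trust the host name a client writes into its own message;
    # record the address the packet actually came from instead.
    keep_hostname(no);
    use_dns(no);
    log_fifo_size(8192);
};

# Bind the internal interface only, never 0.0.0.0; still firewall 514.
source s_net {
    udp(ip("192.168.0.42") port(514));
    tcp(ip("192.168.0.42") port(514) max_connections(20));
};

source s_local {
    internal();
    unix-stream("/dev/log");
    file("/proc/kmsg");
};

filter f_notdebug { level(info...emerg); };
filter f_notmail  { not facility(mail); };

# One file per sending host ($HOST is the sender's address with
# use_dns(no)); perm/dir_perm keep ordinary users out of the logs.
destination d_remote {
    file("/var/log/remote/$HOST/messages"
         owner("root") group("root") perm(0640)
         dir_perm(0750) create_dirs(yes));
};
destination d_local { file("/var/log/messages" perm(0640)); };

log { source(s_net);   filter(f_notdebug); destination(d_remote); };
log { source(s_local); filter(f_notdebug); filter(f_notmail);
      destination(d_local); };

# --- Client (e.g. 192.168.0.231): /etc/syslog-ng/syslog-ng.conf --------
options {
    use_fqdn(no);
    log_fifo_size(8192);   # queue messages while loghost is unreachable
};

source src {
    internal();
    unix-stream("/dev/log");
    file("/proc/kmsg");
};

filter f_notdebug { level(info...emerg); };
filter f_auth     { facility(auth, authpriv); };

# loghost resolves through /etc/hosts; tcp() delivers reliably but is
# still unauthenticated and unencrypted, so keep it on the internal LAN.
destination d_loghost { tcp("loghost" port(514)); };
destination d_local   { file("/var/log/messages" perm(0640)); };
destination d_auth    { file("/var/log/auth.log" perm(0600)); };

# Ship everything above debug, and keep a local copy so the box is still
# debuggable when the network is down; auth messages also go to a file
# readable by root only.
log { source(src); filter(f_notdebug); destination(d_loghost); };
log { source(src); filter(f_notdebug); destination(d_local); };
log { source(src); filter(f_auth);     destination(d_auth); };
```

After editing either file, restart syslog-ng with `/etc/init.d/syslog-ng restart` as the slides show, then confirm the server is listening with `netstat -an | grep 514` and send a test message from the client with `logger -p local0.info "loghost test"`.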
Logrotate
• The /etc/logrotate.conf file
– This is logrotate's general configuration file.
You can specify either weekly or daily rotation.
The rotate parameter specifies how many rotated copies of each log file are kept.
The create parameter creates a new, empty log file after each rotation.
• Sample contents of /etc/logrotate.conf
# rotate log files weekly
weekly
# rotate log files daily
# daily
# keep 4 weeks worth of backlogs
rotate 4
# keep 7 days worth of backlogs
# rotate 7
# create new (empty) log files after rotating old ones
create
# configuration by service/facility
include /etc/logrotate.d/
• logrotate is run by cron through /etc/cron.daily/logrotate
– every file in /etc/cron.daily is executed once per day
Logrotate for general service’s
• Per-service configuration lives in the /etc/logrotate.d directory by default
– this directory holds the rotation configuration for every service that generates logs
• The /etc/logrotate.d/syslog file
– covers the general system log files
– format: logfile(s) { rotation directives }
It should look something like this:
/var/log/warn /var/log/messages /var/log/allmessages /var/log/localmessages /var/log/firewall {
    compress
    dateext
    maxage 365
    rotate 99
    missingok
    notifempty
    size 4096k
    create 640 root root
    sharedscripts
    postrotate
        /etc/init.d/syslog reload
    endscript
}
– create 640 root root matters: a log created with the default umask can be world-readable, and messages contains user names and su records
– the postrotate reload tells the daemon to reopen its files; without it the daemon keeps writing to the renamed file (on Gentoo the script is /etc/init.d/syslog-ng)
• Samba and Apache are included in logrotate if they are installed
/var/log/samba/*.log { rotation directives }
• Forcing logrotate to run
logrotate -f /etc/logrotate.conf          whole logrotate
logrotate -f /etc/logrotate.d/syslog      only syslog
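An added example, not from the course material: a logrotate.d entry for a logserver that keeps one messages file per client host. It assumes the layout /var/log/remote/<host>/messages (my own choice) and a Gentoo-style /etc/init.d/syslog-ng script that supports reload; delaycompress leaves the most recent rotated file uncompressed, because the daemon may still hold it open until the reload in postrotate.

```conf
# /etc/logrotate.d/remote  (added example; assumed path and layout)
/var/log/remote/*/messages {
    daily
    rotate 90            # 90 days of per-client history
    compress
    delaycompress        # the newest rotated file may still be open
    missingok            # a client that never logged is not an error
    notifempty
    create 640 root root # never let the rotated copy be world-readable
    sharedscripts        # one reload for all matched files, not one each
    postrotate
        /etc/init.d/syslog-ng reload
    endscript
}
```

Check the result without touching anything with `logrotate -d /etc/logrotate.d/remote`, which prints what would be rotated and why.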
Summary
• Unix administrators have a wide suite of utility programs for interrogating the system
– man
– uname
– who, id
– write, wall, talk
– find
– grep
– pg/more, tail
• Learn what programs are available
• Read the manual pages to find out what the programs can do besides their basic function
• Learn to read logs and how to recognise anomalous states