Administration Utilities

• Objectives
– to use standard administration utilities
• Contents
– manual pages
– identifying your system
– communicating with Users
– finding files
– looking at files and logs
– system defaults
– Syslog
– Logrotate
– logserver
• Practicals
– to become familiar with these commands
• Summary
On-Line Manuals
• On-line manuals in many sections: May vary on systems
1 user commands 5 fileformats like /etc/paswd
(8)1M maintenance commands 6 games
2 system calls 7 Miscellaneous
3 functions and libraries 8 System administration commands
4 special files found in /dev 9 Kernel routines
• man <command> displays first manual page found
$ man man
• man –k <keyword> <command> $ man –k tcp
• man <section> <command> $ man passwd
$ man 5 passwd
<command> is optional with <keyword>
• Some systems provide a whatis database (originally BSD)
– whatis command one line description of command
– apropos command keyword search for command
– Info command more information about command
– /usr/ucb/catman re-creates database from manual source files
Adding Manual Entries
• Manual pages are stored under /usr/share/man/ and
/usr/local/man
man[1-8] troff/nroff format manual pages (gz compressed)
cat[1-8] formatted manual pages (gz compressed)
• Manuals can be stored in different or multiple directories
by setting the MANPATH variable
– don’t forget to include /usr/share/man if defining MANPATH
$ MANPATH=/usr/share/man:/usr/X11/man
$ export MANPATH
$ man xterm

• Manuals pages are displayed using a pager program

– less is default in SuSE but usually more is used by default
– set the PAGER variable to override default
$ PAGER=less; export PAGER
$ man xterm

• SuSE Application documentation is in /usr/share/doc

Identifying the Unix System
• The uname command (uname) shows system information
– the command hostname also identifies the current host
• options
-a all information
-n system name (nodename on network)
-s O/S name
-r O/S release number
-v O/S version number
-m machine hardware
-p processor type

$ uname -a
Linux linux 2.6.11.4-20a-default #1 Wed Mar 23 21:52:37 UTC
2005 i686 i686 i386 GNU/Linux
$ hostname
mash4077
 Identifying active users
• The who command shows who is currently logged on
– information kept in /var/run/utmp
– a history of every login is also kept in /var/log/wtmp
• Who can also be used to identify the current effective user
who am i
• Who can also be used to identify the original user
whoami
• The command id identifies the current user in more details
• some systems also have a w command (originally BSD)
• The last command show all historical logins
$ who $ id
trapper pts/0 Jul 25 11:01 uid=318(hawkeye) gid=300(users)
hawkeye console Jul 25 11:31 $ who /var/log/wtmp
$ who am i history of all system logins
hawkeye console Jul 25 11:31 $ last 10
history of 10 system logins
Talking to users
• Use write to display a message on a user's terminal
– user's can disable messages using mesg n command
– root can always write to a user
• Write all (wall) will display to all logged in users
– useful for sending out broadcasts
– used by the system shutdown mechanism
• Use the talk command to set up a two way dialogue.
$ write trapper $ talk trapper
Do you know where the system logbook is?
^D
$ mesg
is no
$ mesg y

• Block all exept wall with mesg n

• Enable all again with mesg y
 Finding Files
• The find command locates files using specified search criteria
find directories... search_criteria... action
• Search Criteria:
-name name finds only files called name (can use shell wildcards)
-user name finds only files owned by user name
-type letter finds files of specified type: f (plain files) d (dirs), etc.
-mtime n finds files modified n days ago, less than (-n ), greater than (+n )
-size n[c|K] finds files of size n , larger than (+n ), smaller than (-n ), c=chars,
K=kilobytes (when omitted, 512 block size is implied)
-newer pathname finds files newer than specified file
-mount don't cross disk boundaries
• Action:
-print print filenames found
-exec cmd {} \; executes given command (filename will be given in place of {})
-ok cmd {} \; executes command but prompts for confirmation
Exercise - Revision Of Using find
• What do the following find commands mean?

# find . -print

# find /etc -type d -print

# find /home -name .bash_profile -exec more {} \;

# find /dev -type f -mtime -7 -exec ls -l {} \;

# find /sbin /usr/sbin -name "user*" -exec ls -ld {} \;

The grep Family
• All grep commands provide pattern matching criteria for
filtering lines containing a pattern
fgrep [options] pattern [files...]
– fgrep uses fixed (simple patterns)
grep [options] pattern [files...]
– grep uses "regular expressions" to define powerful pattern matching
templates
egrep [options] pattern|pattern [files...]
– egrep uses extended regular expressions, allows multi-pattern search
• common options
-v output non-matched lines
-c output count of lines matched
-i ignore lower/upper case
-n mark each matched line with its relative line number
Exercise - Revision Of Using grep
• Always using single quotes round grep regular expression
• What do the following grep commands mean?

# ls -l | grep '^d'

# grep 'bash$' /etc/passwd

# ls -a | grep '^\.[^.]'

# fgrep 'su:' /var/log/messages

# who | egrep '(hawkeye|trapper)'

Looking Inside Files
• Use the file command to identify a file type
• Command dependency is found with ldd command
• Text files: use less or more to look at the file
• Data files: use octal dump (od)
– some systems supply a hex dump (hd) program
– use the -c option to characters where possible
# file /bin/bash
/bin/bash: ELF 32-bit LSB executable,
Intel 80386,
version 1 (SYSV),
for GNU/Linux 2.2.5,
dynamically linked (uses shared libs),
stripped
# od -c /bin/bash | less

• Use the strings command to list ASCII strings in a data file

• MS-DOS files can be examined with mtype
Inspecting Log Files
• Use a pager such as less or more or mcedit
– can be slow when working with large log files
• Use grep to look for particular words
• Use the tail command to look at the last 10 lines
– if the log file is growing than use the -f option
• Use view (vi read only) to read the whole file
# tail /var/messages
...
Sep 24 19:40:32 linux su: (to root) peter on /dev/pts/0
Sep 24 22:35:16 linux su: (to lp) peter on /dev/pts/0

Whatever method you choose:

DO LOOK AT LOG FILES
System Default Files & logbooks
• SuSE & RedHat sysconfig /etc/sysconfig/
– SuSE specific setup and boot files
• General linux config /etc/
– Many files, system wide configs
• Useradd enviroment /etc/default
– When adding users /etc/skel is added to user enviroment
– Useradd takes also information from /etc/login.defs
• Unix system logbooks (exherpt only)
Undependent of syslog/syslog-ng:
/var/log/maillog : Mail
/var/log/samba/ : Samba server logs
SuSE log catalog standards:
/var/log/messages : (SYSLOG) Systems services & hardware log
/var/log/boot.* : System boot messages
/var/log/mail.* : Mailsystem messages
/var/log/warn : Warnings from system services
Syslog-ng Controlling logfiles
• SuSE comes with syslog engine called syslog next generation
Syslog-ng is much more flexable than majority of unix system using syslog
• Syslog-NG source: http://www.balabit.com/
• Syslog-ng is a client server engine
• Usally local workstation forwards all important logfiles to central logserver
Logserver increases security and system stability.
• SuSE comes with syslog setup to log locally only
• To stop / start and check the logging facility:
# /etc/init.d/syslog stop
Shutting down syslog services done
# /etc/init.d/syslog start
Starting syslog services done
# /etc/init.d/syslog status
Checking for service syslog: running

• Configuration is found in: /etc/syslog-ng/

Here you define log sources, message filters and destinations
Sources/Destinations can be local or remote sevices and servers.
Mastering Syslog-ng logging
• Syslog options
– How syslog behaves what permissions files should have and so on.
• Syslog source
– Define where the data sources is collected (local or network)
• Syslog destination
– Define destination directories to send collected datasources (local or network)
• Syslog log
– Connection of syslog sources to syslog destionation directories

• Syslog filter
– Define message filters

• Syslog-ng listens for network sources to be a logserv

Unlike a regular syslog server which listens for client messages on UDP port 514,
syslog-ng also listens on TCP port 514
Syslog Facility and Levels
• Facility(…)
– auth Messages generated by authorization programs.
– daemon Messages generated by system server processes.
– local0-7 Names reserved for user-defined facilities.
– mail Messages generated by a mail system.
– news Messages generated by a news system.
– syslog Messages generated by the syslog daemon.
– user Messages generated by a process (user).
– mark Messages generated by a mark signal from the syslog daemon.
– cron Messages generated by cronograph.
– kern Messages generated by kernel.
• Level(…)
– emerg — system service is unusable.
– alert — Action must be taken immediately to address the problem.
– crit — A critical condition has occurred.
– err(or) — An error has occurred.
– warn(ing) — A significant event that may require attention has occurred.
– notice — An event that does not affect system operation has occurred.
– info — An normal operation has occurred.
– debug — Diagnostic output detailing normal operations.
Syslog Filters
• Define filters
– Use filter blocks to match or exclude logs. The following shows two
example filters. filter notdebug {
level(info...em
erg);
}
filter notmail {
not
facility(mail);
}
• Use filters
– log blocks to join source to destination with optional filter specifications.

log {
source(local);
filter(notdebug)
;
filter(notmail);
destination(mess
ages)
};
Syslog servers
• You can setup four types of logservers
– Syslog local logserver only (standard)
– Syslog proxy
– Syslog forward only (Syslog client)
– Syslog logserver
• Syslog logserver, the server named ”loghost”
Enter loghost ip address in /etc/hosts
192.168.0.42 server.ikea.se server loghost
192.168.0.231 client.ikea.se client local0
SuSE mandatory /etc/syslog-ng/syslog-ng.conf.in uncomment by removing ”#” on line 43:
udp(ip("0.0.0.0") port(514));
Apply configuration the SuSE way: # SuSEconfig --module syslog-ng
…
Check that server is listening: Finished.

# netstat –a | grep syslog

udp 0 0 *:syslog *:*
# netstat –an | grep 514
udp 0 0 0.0.0.0:514 0.0.0.0:* # /etc/init.d/syslog restart
Shutting down syslog services done
Manually restart your client logserver:
Starting syslog services done
Syslog forward only (Syslog Client)
• Syslog client config OPTIONS
In /etc/syslog-ng/syslog-ng.conf.in at OPTIONS add or change:
SuSE Defines options for local logging only options {
use_fqdn(no);
you prepare for sending logs to logserver. log_fifo_size(8192);
};
If you like you can keep all but sync(0)!
• Syslog client config SOURCE
Most sources are predefined so you can leave this out!
The general linux/unix source convention looks like this: source local {
unix-
dgram("/var/run/log");
SuSE SOURCE looks like this: file("/dev/klog");
udp(ip(127.0.0.1)
source src { port(514));
internal();
internal();
};
# variables from
/etc/sysconfig/syslog:
@SuSEconfig_SOCKETS@
#udp(ip("0.0.0.0")
port(514));
• Next will be to FILTER and route SOURCE to logserver
};
Syslog forward only (Syslog Client)
• Syslog client config FILTER
Goto end of file /etc/syslog-ng/syslog-ng.conf.in and add
a very simple filter that look like this: filter notdebug {
level(info...emerg); }

SuSE predefines filter for any logging situation regarding mail server, kernel
messages and so on, and is little more comples than the simple above.
For examle one mail filer looks like this: filter f_mailerr { level(err, crit)
and facility(mail); };
• Syslog client config DESTINATION
We need to declare where to send log files, standard is local log file, in our case
we want log on the logserver.
Go to end of file: /etc/syslog-ng/syslog-ng.conf.in and add:
destination loghost {udp("loghost" port
(514));};
• Syslog client config LOG
Filter and Destination themself does not do anything, we must connect source with
filter and destination. Add after your new destination:
log {
source(src);filter(notdebug);destination
• Parse and apply the new syslog-ng configuration
(loghost); };

# SuSEconfig --module
syslog-ng
Logrotate
• The /etc/logrotate.conf File
– This is logrotate's general configuration file.
You can specify either "weekly" or "daily" rotation parameter.
The "rotate" parameter specifies the number of copies of log files
The "create" parameter creates a new log file after each rotation
• Sample contents of /etc/logrotate.conf
# rotate log files weekly
Weekly
# rotate log files daily
# daily
# keep 4 weeks worth of backlogs
rotate 4
# keep 7 days worth of backlogs
# rotate 7
# create new (empty) log files after rotating old ones
create
# configuration by service/facility
include /etc/logrotate.d/

• Logrotate is controlled by ”cron” /etc/cron.daily/logrotate

All files that sit in /etc/cron.daily is executed one time per day.
Logrotate for general service’s
• Placeholder is defined as default to be /etc/logrotate.d directory
– This directory contains all logrotaion configuration for services generating logs
• The /etc/logrotate.d/syslog File
– This is the system general logfiles
– Format is: logfile { logrotate handling }
It should look something like this:
/var/log/warn /var/log/messages /var/log/allmessages /var/log/localmessages /var
/log/firewall {
compress
dateext
maxage 365
rotate 99
missingok
notifempty
size +4096k
create 640 root root
sharedscripts
postrotate
/etc/init.d/syslog reload
endscript
}

• Samba and Apache is included in logrotate, if they are instaled

/var/log/samba/*.log { logrotate handling }
• Forcing logrotate to run
logrotate –f Whole logrotate
logrotate -f /etc/logrotate.d/syslog Only syslog
Summary
• Unix administrators have a wide suite of
utility programs for interrogating the system
man
uname
who, id
write, wall, talk
find
grep
pg/more, tail
• Learn what programs are available
• Read the manual pages to find out what the
programs can do besides their basic function
• Learn reading logs and howto find anamoly
states