Linux System Accounting and Logging Basics
After you have completed installing Linux and set it up to do whatever you wanted it to do, the next big challenge is to maintain it. That appears a daunting task if you're not sure what's going on within the system, but you'll be much more comfortable once you know how to find out. That's where system accounting and logging on a Linux system come in.
Linux has a very good system accounting and logging system built in, but you need to know certain things in order to fully utilize it. In this post, we'll be discussing four important areas where you will be checking what's going on within your Linux system rather than configuring or modifying it.
1. Monitoring User Information
2. System Logs
4. Monitoring Log Files
MONITORING USER INFORMATION
As Linux is a multi-user and multi-tasking system, it is essential for you as system administrator to keep an eye on each user. Linux by default stores a lot of information about its users unless it is specifically asked not to. The information is saved in a file called utmp under the /var/log directory.
Let's discuss some of the important utilities in this category.
The who utility simply gives you details about the currently logged-in users and provides the following:
- Name of the user
- Which tty the user is using
- What time they logged in
The w utility takes who to the next level: it gives you more information about users, adds which programs they are running, and provides detailed information for each user separately. It also displays system information on the top line in the following order:
- Current time
- Uptime information
- Number of users
- System load
finger is another powerful utility for getting user information on the local system or from a remote system. To get user information from a remote system, you supply username@hostname to the finger command. The finger utility provides the following information about a user:
- Login name
- Real name of the user
- Which tty they are using
- Idle time since their login
- Login date and time
- Extended information, if there is any
MONITORING PAST SYSTEM LOGINS
Apart from keeping user information in the utmp file, Linux also keeps a log of all logins to the system in another file called wtmp under the /var/log directory. Please note that some Linux systems use a log rotation program that deletes logs after a few days or weeks. You can check the configuration of the log rotation utility under /etc/logrotate.conf or /etc/logrotate.d/.
The last command gets its information from the wtmp file and displays a listing of every login since the last time the log file was rotated. It displays the following details:
- Login name
- tty
- Where the user logged in from (localhost or a remote host)
- Date, time and duration
The ac command provides total login times on a per-user, per-day or whole-system basis.
- ac run with no parameters gives you the total amount of time used on the system, in hours, by all users
- ac username : gives you the total login time for that particular user
- ac -d username : gives you the total login time of that user on a per-day basis
- ac -p -d : gives a day-by-day listing for each user individually
Quotas are used to limit use of the hard drive on a per-user or per-group basis, meaning every user or group can only have a certain amount of disk space to store their files. Quotas also let you set soft and hard limits and a grace period.
Most new Linux distributions already have quota enabled, but for your knowledge, quota support needs to be compiled into the kernel. Most likely your distribution has already compiled it in by default, but if you're compiling the kernel yourself, you need to include it by answering YES to Quota support (CONFIG_QUOTA) during configuration. Several other utilities are required to support quotas. Refer to the Quota HOWTO for in-depth knowledge.
Moving further, you need to prepare the filesystem for quotas to work. Modify the /etc/fstab file and specify whether you will be using user quotas, group quotas or both.
For example, look for an entry similar to this one:
/dev/hdb1 /home ext2 defaults 1 1
and replace defaults with usrquota or grpquota, or include both separated by a comma (,) with no space between them, since the options field must be a single word:
/dev/hdb1 /home ext2 usrquota,grpquota 1 1
Now, create the quota files at the root of that filesystem. You only need two separate files if you're using both user and group quotas; otherwise create just the one you are going to use. For example:
# touch /home/quota.user /home/quota.group
# chmod 600 /home/quota.user /home/quota.group
After this step, you need to add quota support to the system initialization process by modifying the init scripts. On a Red Hat system, you will want to add these two commands: quotacheck -avug and quotaon -avug.
After this, you can use the following commands to manage quotas on the system:
# quotaon / quotaoff : used to enable and disable quotas, respectively, for a given filesystem. By default this only affects user quotas; add -g to affect group quotas. To affect all filesystems, add -a to the command.
# quotacheck : run to update the quotas on the given filesystem. It also takes -a for all filesystems, -u for user, -g for group and -v for verbose operation.
# quota : used by a user to check how much of their quota has been used, along with the soft and hard limits.
# edquota : for the superuser only; sets a user's quotas (soft and hard limits). A value of 0 (zero) means no limit is imposed on the user or group.
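The fstab preparation and quota file steps above, as an added shell example that is not part of the original post. It assumes the /dev/hdb1-on-/home layout from the text, keeps the quota.user and quota.group file names the text uses, and leaves the root-only steps (remount, quotacheck, quotaon) in a function you run by hand.

```shell
#!/bin/sh
# Added example: audit and edit the fstab options field for quotas, then apply.
# The fstab path and mount point are arguments, so it can be tried on a copy.

# Print the mount options recorded for MOUNTPOINT in an fstab-format FILE.
fstab_options() {  # fstab_options FILE MOUNTPOINT
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4 }' "$1"
}

# Add usrquota and grpquota to MOUNTPOINT's options, writing the new fstab to stdout.
# Options stay one comma-separated word: "usrquota, grpquota" (with a space) would
# split into two fields and break parsing of the dump and pass columns.
add_quota_options() {  # add_quota_options FILE MOUNTPOINT
    awk -v mp="$2" '
        $1 !~ /^#/ && $2 == mp {
            opts = $4
            if (("," opts ",") !~ /,usrquota,/) opts = opts ",usrquota"
            if (("," opts ",") !~ /,grpquota,/) opts = opts ",grpquota"
            $4 = opts
        }
        { print }' "$1"
}

# Report whether MOUNTPOINT carries each quota option, e.g. "usrquota=yes grpquota=no".
quota_status() {  # quota_status FILE MOUNTPOINT
    fstab_options "$1" "$2" | awk '{
        u = ("," $0 ",") ~ /,usrquota,/ ? "yes" : "no"
        g = ("," $0 ",") ~ /,grpquota,/ ? "yes" : "no"
        print "usrquota=" u, "grpquota=" g
    }'
}

# Remaining steps from the text; they need root and the quota tools, so they are
# not run automatically. Remounting makes the new fstab options take effect.
apply_quotas() {  # apply_quotas MOUNTPOINT
    mount -o remount "$1" &&
    touch "$1/quota.user" "$1/quota.group" &&
    chmod 600 "$1/quota.user" "$1/quota.group" &&
    quotacheck -avug &&
    quotaon -avug
}
```

Run add_quota_options against a copy of /etc/fstab first and diff the result before replacing the real file.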
SYSTEM LOGS
The syslog system logger is a daemon in a Linux system which accepts logging information from other programs and acts as a central point for system-wide logging, saving the messages into pre-designated locations on the system. Non-privileged processes can also send their logging information to syslog to be logged. The logging daemon can also send or accept logging information to or from remote hosts, which makes it easy to capture and store log files from several servers or workstations spread across various locations in one central place.
The syslog configuration file is /etc/syslog.conf. It is well commented, so it is easy for anyone to customize.
Whenever a program wants to save its logging information through syslog, it must provide its name and a logging level to syslog. The logging levels include warning, alert, crit, err, info and notice.
MONITORING LOG FILES
Most likely, the log files on your system are stored in the /var/log/ directory. If not, refer to /etc/syslog.conf to find their location. The syslog files are written in plain text, so you can use any text editor or paging utility to view them.
# cat log-file-name : prints the content of the log file to the screen.
A paging utility such as less or more can also be used to view the log file one page at a time so you can scroll up or down. If you want to search for particular text in a log file, use the grep command.
For example, if you want to look for "Error" in a log file, run the following command:
# grep Error logs-file-name | less
Sometimes you might also want to monitor a log file as it is being written. For example, if you have the squid proxy running on your system, you can use the command below to monitor the websites being visited by users in real time.
# tail -f /var/log/squid3/access.log
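The grep and tail -f workflow above, carried one step further as an added example (not from the original post): instead of just paging through matches, count failed sshd logins per source address and flag the noisy ones. The auth-log lines are constructed here with documentation addresses; on a real system point the functions at /var/log/auth.log or /var/log/secure.

```shell
#!/bin/sh
# Added example: a small detection over syslog-format sshd entries.

# Write a handful of constructed auth-log lines to FILE (sample data, not real traffic).
write_sample_auth_log() {  # write_sample_auth_log FILE
    cat > "$1" <<'EOF'
Mar  3 10:15:01 web1 sshd[2101]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2
Mar  3 10:15:22 web1 sshd[2110]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:15:24 web1 sshd[2110]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:15:27 web1 sshd[2112]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:16:02 web1 sshd[2120]: Failed password for bob from 198.51.100.7 port 50130 ssh2
Mar  3 10:16:05 web1 sshd[2120]: Accepted password for bob from 198.51.100.7 port 50130 ssh2
Mar  3 10:17:44 web1 su[2133]: FAILED su for root by carol
EOF
}

# Count "Failed password" events per source address, most frequent first.
# Output: one "<ip> <count>" pair per line. The address follows the word "from".
failed_logins_by_ip() {  # failed_logins_by_ip FILE
    grep 'sshd\[[0-9]*\]: Failed password' "$1" \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++ }
             END { for (ip in c) print ip, c[ip] }' \
      | sort -k2,2nr -k1,1
}

# Print only the addresses with THRESHOLD or more failures, a simple brute-force indicator.
noisy_sources() {  # noisy_sources FILE THRESHOLD
    failed_logins_by_ip "$1" | awk -v t="$2" '$2 >= t { print $1 }'
}

# Live variant in the spirit of tail -f from the text: report each failed attempt as it
# is appended. Not run here because it never exits.
watch_failed_logins() {  # watch_failed_logins FILE
    tail -n0 -F "$1" | awk '/sshd\[[0-9]*\]: Failed password/ {
        for (i = 1; i <= NF; i++) if ($i == "from") print "failed login from", $(i+1)
    }'
}
```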
CURRENT SYSTEM LOAD AND RUNNING PROCESSES
As a system administrator, you are also required to monitor system load and current processes from time to time to make sure everything is running normally on your system. Let's look at the commands you will use to find this out.
Usually the term "load average" is used in Linux to describe the system load. It basically tells you how many processes, on average, had to wait for the CPU in a given amount of time; typically that time is the last 1 minute, last 5 minutes and last 15 minutes. It looks something like this:
load average: 0.08, 0.03, 0.01
For a normal system load, the value of the load average has to be below 1. We shall be discussing three commands here to deal with load average and processes.
The uptime command shows the current time, total system uptime, number of logged-on users, and the load average.
The top command is used to view the currently running processes on the system. It also provides the load average and CPU and memory statistics.
ps is a very powerful command to view and analyze running processes on the system. The ps command run without any options lists the running processes; # ps u displays a detailed listing of running processes, # ps au adds the usernames associated with each process, # ps aux displays processes associated with a tty, and # ps auxwww displays each entry on a separate line, where each w makes the output one line longer for better presentation.
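The load average check above, as an added shell example that is not part of the original post. It generalizes the "below 1" rule to multi-core machines by dividing the load by the CPU count (a load of 1.0 means one fully busy CPU), and the ok/busy/overloaded thresholds are this example's own choice, not from the text.

```shell
#!/bin/sh
# Added example: read, normalise and classify the load average; list top CPU consumers.

# Read the three load averages from /proc/loadavg (the same values uptime prints).
read_loadavg() {
    cut -d' ' -f1-3 /proc/loadavg
}

# Divide the 1-, 5- and 15-minute loads by NCPU and print them with two decimals.
# load_per_cpu "1.20 0.90 0.40" 2  ->  "0.60 0.45 0.20"
load_per_cpu() {  # load_per_cpu "L1 L5 L15" NCPU
    printf '%s\n' "$1" | awk -v n="$2" '{ printf "%.2f %.2f %.2f\n", $1/n, $2/n, $3/n }'
}

# Classify the 1-minute per-CPU load: ok (< 0.7), busy (0.7 to 1.0), overloaded (> 1.0).
# Thresholds are illustrative; tune them for the workload you run.
load_state() {  # load_state "L1 L5 L15" NCPU
    printf '%s\n' "$1" | awk -v n="$2" '{
        l = $1 / n
        if (l < 0.7) print "ok"; else if (l <= 1.0) print "busy"; else print "overloaded"
    }'
}

# Live report: current load, its per-CPU value and state, then the processes using the
# most CPU right now (the --sort option is from procps ps, as shipped on Linux).
load_report() {
    ncpu=$(nproc 2>/dev/null || getconf _NPROCESSORS_ONLN)
    load=$(read_loadavg)
    echo "load average: $load on $ncpu CPU(s); per CPU: $(load_per_cpu "$load" "$ncpu") [$(load_state "$load" "$ncpu")]"
    ps -eo pid,user,pcpu,pmem,comm --sort=-pcpu | head -n 6
}
```

Call load_report from an interactive shell to see the summary; the other functions take their input as arguments so they can be checked against known values.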