{"id":2880,"date":"2022-05-23T19:44:35","date_gmt":"2022-05-23T19:44:35","guid":{"rendered":"https:\/\/dft.wiki\/?p=2880"},"modified":"2025-11-20T18:36:48","modified_gmt":"2025-11-20T23:36:48","slug":"linux-log-management-and-audit","status":"publish","type":"post","link":"https:\/\/dft.wiki\/?p=2880","title":{"rendered":"Linux Log Management and Audit"},"content":{"rendered":"<p><strong>INDEX<\/strong><\/p>\n<ul>\n<li><a href=\"#JournalControl\">Journal Control<\/a>\n<ul>\n<li>Used to view and manipulate Systemd logs.<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#Rsyslog\">Remote Syslog<\/a>\n<ul>\n<li><span data-preserver-spaces=\"true\">Forwards log messages over an IP network.<\/span><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#LogRotate\">Log Rotating<\/a>\n<ul>\n<li>Allows automatic rotating, compressing, removing, and messaging of log files.<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#LogWatch\">Log Watch<\/a>\n<ul>\n<li>Periodically goes through your logs for a given period and makes a report via email or output file.<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#LogCheck\">Log Check<\/a>\n<ul>\n<li>Helps to spot problems and security violations in your log files automatically and sends the results via email.<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#AuditDaemon\">Audit Daemon<\/a>\n<ul>\n<li>Is a powerful audit framework to log events on Linux systems.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<p><strong>SYSLOG PRIORITY\/SEVERITY LEVELS<\/strong><\/p>\n<ul>\n<li>0 &#8211; Emergency<\/li>\n<li>1 &#8211; Alert<\/li>\n<li>2 &#8211; Critical<\/li>\n<li>3 &#8211; Error<\/li>\n<li>4 &#8211; Warning &#8211; Default<\/li>\n<li>5 &#8211; Notifications<\/li>\n<li>6 &#8211; Information<\/li>\n<li>7 &#8211; Debug<\/li>\n<\/ul>\n<hr id=\"JournalControl\" \/>\n<p><strong>JOURNAL CONTROL<\/strong><\/p>\n<p>JournalCTL (aka Journal Control) is used to query the contents of the <strong>systemd journal<\/strong> (<strong>systemd-journald.service)<\/strong>.<\/p>\n<p><strong>Note:<\/strong> by default, 
Journal users can only watch their own logs, unless they are <strong>root<\/strong> or in the <strong>adm<\/strong> (or <strong>systemd-journal<\/strong>) group (<code>usermod -a -G adm userName<\/code>).<\/p>\n<ul>\n<li><strong>journalctl<\/strong>\n<ul>\n<li>shows the full content of the journal, starting with the oldest entry collected.<\/li>\n<\/ul>\n<\/li>\n<li>journalctl <strong>-r -n 10<\/strong>\n<ul>\n<li>shows the content of the journal in reverse order, limited to 10 entries, with the newest at the top.<\/li>\n<\/ul>\n<\/li>\n<li><strong>sudo<\/strong> journalctl<strong> -u ssh.service -f<\/strong>\n<ul>\n<li>filters and outputs the logs for the unit <code>ssh<\/code>, and follows them for real-time entries.<\/li>\n<\/ul>\n<\/li>\n<li>sudo journalctl --since <strong>\"2021-12-31 23:59:59\"<\/strong>\n<ul>\n<li>filters the entries by a starting date and time.<\/li>\n<\/ul>\n<\/li>\n<li>sudo journalctl --since <strong>\"yesterday\"<\/strong> -p <strong>err<\/strong>\n<ul>\n<li>filters the entries by a relative time window and by priority:\n<ul>\n<li>--since and\/or --until can contain strings like &#8220;today&#8221;, &#8220;1 hour ago&#8221;, &#8220;2 days ago&#8221;&#8230;<\/li>\n<li>the priorities map directly to the <strong>syslog levels<\/strong> and can be expressed in text or numerically (&#8220;emerg&#8221;\/0, &#8220;alert&#8221;\/1, &#8220;crit&#8221;\/2, &#8220;err&#8221;\/3, &#8220;warning&#8221;\/4, &#8220;notice&#8221;\/5, &#8220;info&#8221;\/6, &#8220;debug&#8221;\/7); a single priority such as <code>err<\/code> shows that level and every more severe one.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>sudo journalctl <strong>SYSLOG_IDENTIFIER=<\/strong>sshd <strong>-S<\/strong> \"13:30:00\" <strong>-U<\/strong> \"14:00:00\"\n<ul>\n<li>filters the entries by an identifier, since, and until time.<\/li>\n<\/ul>\n<\/li>\n<li>sudo journalctl <strong>-k<\/strong>\n<ul>\n<li>shows kernel messages.<\/li>\n<\/ul>\n<\/li>\n<li>sudo journalctl <strong>-b<\/strong>\n<ul>\n<li>Shows the current 
boot messages.<\/li>\n<\/ul>\n<\/li>\n<li>sudo journalctl -b <strong>-2 --utc<\/strong>\n<ul>\n<li>Shows the messages from the second previous boot, with time stamps in the UTC timezone.<\/li>\n<\/ul>\n<\/li>\n<li>sudo journalctl <strong>--list-boots<\/strong>\n<ul>\n<li>lists the available boots with their ordinal numbers, boot IDs, and time stamps.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>Journal Clean Up<\/strong><\/p>\n<pre>sudo journalctl --verify\r\nsudo journalctl --disk-usage\r\nsudo journalctl --vacuum-size=200M\r\nsudo journalctl --vacuum-files=2\r\nsudo journalctl --vacuum-time=3d\r\nsudo journalctl --vacuum-size=1G --vacuum-time=5d --vacuum-files=5<\/pre>\n<p><strong>Customizing Configuration<\/strong><\/p>\n<pre>sudo nano \/etc\/systemd\/journald.conf<\/pre>\n<ul>\n<li><strong>Storage=<\/strong>\n<ul>\n<li>One of &#8220;volatile&#8221;, &#8220;persistent&#8221;, &#8220;auto&#8221;, and &#8220;none&#8221;.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Compress=<\/strong>\n<ul>\n<li>A boolean (enabled by default) that compresses large entries before they are written; it can also be set to a size threshold, where suffixes like K, M, and G can be used to specify larger units.<\/li>\n<\/ul>\n<\/li>\n<li><strong>SystemMaxUse=, SystemKeepFree=, SystemMaxFileSize=, SystemMaxFiles=, RuntimeMaxUse=, RuntimeKeepFree=, RuntimeMaxFileSize=, RuntimeMaxFiles=<\/strong>\n<ul>\n<li>Use these variables to limit disk utilization, so the journal cannot grow to the point of affecting or jeopardizing the stability of the system.<\/li>\n<\/ul>\n<\/li>\n<li><strong>MaxFileSec=, MaxRetentionSec=, SyncIntervalSec=<\/strong>\n<ul>\n<li>Define additional retention and synchronization parameters.<\/li>\n<\/ul>\n<\/li>\n<li><strong>ForwardToSyslog=, ForwardToKMsg=, ForwardToConsole=, ForwardToWall=, MaxLevelStore=, MaxLevelSyslog=, MaxLevelKMsg=, MaxLevelConsole=, MaxLevelWall=<\/strong>\n<ul>\n<li>Define where messages are forwarded and the maximum level stored or forwarded to each target.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>Finding Failures<\/strong><\/p>\n<pre>journalctl --no-pager --since today --grep 'fail|error|fatal' --output json | jq 
'._EXE' | sort | uniq -c | sort --numeric --reverse --key 1<\/pre>\n<hr id=\"Rsyslog\" \/>\n<p><strong>REMOTE SYSLOG<\/strong><\/p>\n<p><strong>Rsyslog<\/strong> (aka &#8220;the <strong>R<\/strong>ocket-fast <strong>SYS<\/strong>tem for <strong>LOG<\/strong> processing&#8221;) uses the standard BSD syslog protocol to send messages over IP, but supports many others via extensions. The format of relayed messages can be customized.<\/p>\n<p>Locally, <strong>rsyslog<\/strong> reads the journal and routes the entries through filters to the appropriate files or outputs; this matters because the journal, unless persistent storage is configured, is ephemeral and disappears after a reboot.<\/p>\n<p><strong>Server-Side<\/strong><\/p>\n<p>Edit the configuration file:<\/p>\n<pre>sudo nano \/etc\/rsyslog.conf<\/pre>\n<p>Uncomment the following lines to start listening over <strong>UDP<\/strong> (faster &#8211; recommended):<\/p>\n<pre># provides UDP syslog reception\r\nmodule(load=\"imudp\")\r\ninput(type=\"imudp\" port=\"514\")<\/pre>\n<p>Or uncomment the following lines to start listening over <strong>TCP<\/strong> (more reliable):<\/p>\n<pre># provides TCP syslog reception\r\nmodule(load=\"imtcp\")\r\ninput(type=\"imtcp\" port=\"514\")<\/pre>\n<p>Right below the uncommented lines, add:<\/p>\n<pre>$template RemoteLogs,\"\/var\/log\/RemoteHosts\/%HOSTNAME%-%$now%.log\"\r\nif $fromhost-ip != '127.0.0.1' then -?RemoteLogs\r\n&amp; stop<\/pre>\n<p><strong>Note:<\/strong> this creates a template called RemoteLogs that stores the logs in a file named after the hostname of the client. The rule is not applied to messages from localhost, and the <code>&amp; stop<\/code> line stops further processing of the matched messages so they are not also written to the local log files. 
Another variable that is popularly used is <strong>%PROGRAMNAME%<\/strong>.<\/p>\n<p>Restart the service, check if it&#8217;s listening on port 514, and start monitoring for incoming messages:<\/p>\n<pre>sudo systemctl restart rsyslog\r\nsudo ss -tulpn\r\nsudo tail -f \/var\/log\/messages<\/pre>\n<p><strong>Client-Side<\/strong><\/p>\n<p>Edit the configuration file:<\/p>\n<pre>sudo nano \/etc\/rsyslog.conf<\/pre>\n<p>Append the following lines:<\/p>\n<pre>*.* action(type=\"omfwd\" target=\"10.10.10.10\" port=\"514\" protocol=\"<strong>udp<\/strong>\")<\/pre>\n<p><strong>OR<\/strong><\/p>\n<pre>*.* action(type=\"omfwd\" target=\"10.10.10.10\" port=\"514\" protocol=\"<strong>tcp<\/strong>\")<\/pre>\n<p>Also, consider the following flags for more reliability:<\/p>\n<pre>*.* action(type=\"omfwd\" target=\"10.10.10.10\" port=\"514\" protocol=\"tcp\"<strong> tcp_framing=\"octet-counted\" keepalive=\"on\"<\/strong>)<\/pre>\n<p>If you prefer, the old-fashioned syntax is:<\/p>\n<p>For <strong>UDP<\/strong>:<\/p>\n<pre>*.* @<strong>10.10.10.10<\/strong>:514<\/pre>\n<p>For <strong>TCP<\/strong>:<\/p>\n<pre>*.* @@<strong>10.10.10.10<\/strong>:514<\/pre>\n<p><strong>Note:<\/strong> the expression <strong>*<\/strong>.<strong>*<\/strong> means <strong>AllFacilities<\/strong>.<strong>AllSeverityLevels<\/strong>, i.e. every facility at every severity. 
Replace the IP address with the IP or hostname of the server.<\/p>\n<p>Restart the service and test it:<\/p>\n<pre>sudo systemctl restart rsyslog\r\nlogger -t \"TagName\" Value\r\nlogger -t \"LocalTime\" $(date)<\/pre>\n<hr id=\"LogRotate\" \/>\n<p><strong>LOG ROTATING<\/strong><\/p>\n<p><b>Log rotation<\/b> is an automated process in which log files are compressed, moved (archived), renamed, or deleted once they are too old or too big.<\/p>\n<p>The file <code>\/etc\/logrotate.conf<\/code> contains the default configuration that applies to all log files unless a specific configuration overrides it.<\/p>\n<p>Each specific configuration file must be located in <code>\/etc\/logrotate.d<\/code>. See the example below, which can be applied to the rsyslog server configured above:<\/p>\n<pre>\/var\/log\/RemoteHosts\/*.log {\r\n  weekly\r\n  rotate 26\r\n  copytruncate\r\n  compress\r\n  delaycompress\r\n  missingok\r\n  notifempty\r\n  create 600 root root\r\n  maxsize 500M\r\n  minsize 50M\r\n}<\/pre>\n<ul>\n<li><strong>weekly<\/strong>\n<ul>\n<li>Rotates the file once a week. 
It could also be daily, monthly, or yearly.<\/li>\n<\/ul>\n<\/li>\n<li><strong>rotate 26<\/strong>\n<ul>\n<li>Keeps 26 rotated files before the oldest is removed.<\/li>\n<\/ul>\n<\/li>\n<li><strong>copytruncate<\/strong>\n<ul>\n<li>Creates a copy of the original file and then truncates the original in place to zero bytes, for programs that cannot be told to reopen their log file.<\/li>\n<\/ul>\n<\/li>\n<li><strong>compress<\/strong>\n<ul>\n<li>Use gzip compression to save disk space.<\/li>\n<\/ul>\n<\/li>\n<li><strong>delaycompress<\/strong>\n<ul>\n<li>Postpones compression of the most recently rotated file to the next rotation cycle; all older rotated files are compressed.<\/li>\n<\/ul>\n<\/li>\n<li><strong>missingok<\/strong>\n<ul>\n<li>Ignore, without raising an error, any log file that is missing.<\/li>\n<\/ul>\n<\/li>\n<li><strong>notifempty<\/strong>\n<ul>\n<li>Do not rotate if the file is empty.<\/li>\n<\/ul>\n<\/li>\n<li><strong>create 600 root root<\/strong>\n<ul>\n<li>Creates the new log file with the given mode, owner, and group.<\/li>\n<\/ul>\n<\/li>\n<li><strong>maxsize 500M<\/strong>\n<ul>\n<li>Rotate immediately if the file gets bigger than specified, even before the weekly interval. Possible to use K for kilobyte, M for megabyte, and G for gigabyte.<\/li>\n<\/ul>\n<\/li>\n<li><strong>minsize 50M<\/strong>\n<ul>\n<li>Do not rotate if the file is too small. 
Possible to use K for kilobyte, M for megabyte, and G for gigabyte.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>Additionally:<\/strong><\/p>\n<ul>\n<li><strong>sharedscripts<\/strong>\n<ul>\n<li>This option will execute the prerotate and the postrotate scripts only once, even if there is more than one file to rotate, instead of executing them for each file being rotated.<\/li>\n<\/ul>\n<\/li>\n<li><strong>prerotate<\/strong>\n<ul>\n<li>The content of this option has to be written as a shell script and executes any needed procedure prior to the file being rotated.<\/li>\n<li>Has to end with <code>endscript<\/code>.<\/li>\n<\/ul>\n<\/li>\n<li><strong>postrotate<\/strong>\n<ul>\n<li>The content of this option has to be written as a shell script and executes any needed procedure after the file is rotated.<\/li>\n<li>Has to end with <code>endscript<\/code>.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>Note:<\/strong><\/p>\n<p>Logrotate is <strong>executed daily by cron<\/strong> via the script <code>\/etc\/cron.daily\/logrotate<\/code> and also via systemd timers, configured in <code>\/usr\/lib\/systemd\/system\/logrotate.timer<\/code> and <code>\/usr\/lib\/systemd\/system\/logrotate.service<\/code> (<strong>systemctl list-timers<\/strong>).<\/p>\n<p>The reason for combining <strong>cron<\/strong> and <strong>systemd<\/strong> to manage the execution of <strong>logrotate<\/strong> is to allow the rotation to occur within a range of acceptable times, picking the best moment to reduce resource competition based on the load of the system, for example.<\/p>\n<p>If it is necessary to <strong>execute logrotate manually<\/strong> or more often than daily, for example every 6 hours (depending on the needs of the system and the amount of data stored), use the -f or --force flag.<\/p>\n<pre>\/usr\/sbin\/logrotate <strong>-f<\/strong> \/etc\/logrotate.conf<\/pre>\n<p>Check the health of its timer.<\/p>\n<pre>systemctl status 
logrotate.timer<\/pre>\n<hr id=\"LogWatch\" \/>\n<p><strong>LOGWATCH<\/strong><\/p>\n<p>Logwatch is a log parser and analyzer designed to give a unified report of all activity on a server, which can be delivered through the command line or email.<\/p>\n<pre>sudo apt install logwatch -y\r\nsudo cp \/usr\/share\/logwatch\/default.conf\/logwatch.conf \/etc\/logwatch\/conf\/\r\nsudo nano \/etc\/logwatch\/conf\/logwatch.conf<\/pre>\n<p>Basic configuration:<\/p>\n<ul>\n<li><strong>Output = stdout<\/strong>\n<ul>\n<li>By default, it will print to the standard output (console).<\/li>\n<\/ul>\n<\/li>\n<li><strong>Output = mail<\/strong>\n<ul>\n<li>Alternatively, it can send an email whenever the analysis is completed.<\/li>\n<li>See the option <strong>mailer = \"\/usr\/sbin\/sendmail -t\"<\/strong> for additional configuration.<\/li>\n<li>Also, consider using MSMTP [<a href=\"https:\/\/dft.wiki\/?p=478\">Link<\/a>] to provide email capability to the system.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Format = text<\/strong>\n<ul>\n<li>The default is plain text format (no encoding). Good enough for console reading.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Format = html<\/strong>\n<ul>\n<li>It is recommended to change the format to HTML if the report is sent via email.<\/li>\n<\/ul>\n<\/li>\n<li><strong>MailTo = root<\/strong>\n<ul>\n<li>Defines the local account that will receive the report.<\/li>\n<\/ul>\n<\/li>\n<li><strong>MailTo = username@domain.com<\/strong>\n<ul>\n<li>For a complete email address, just follow the example.<\/li>\n<\/ul>\n<\/li>\n<li><strong>MailFrom = Logwatch<\/strong>\n<ul>\n<li>Same for the sender address. 
Can be a local account or a complete email address.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Filename = \/tmp\/logwatch<\/strong>\n<ul>\n<li>Defines where the report will be saved and requires the <strong>Output<\/strong> variable to be set to <strong>file<\/strong>.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Archives = No<\/strong>\n<ul>\n<li>Uncomment the configuration above to disable the archive feature (processing rotated log archives as well). It is enabled by default.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Range = yesterday<\/strong>\n<ul>\n<li>Default range. Can also be set to Today or All.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Detail = Low<\/strong>\n<ul>\n<li>Defines the level of detail for the report. From 0 for low up to 10 for high.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Service = All<\/strong>\n<ul>\n<li>It is recommended to leave Service as All for no filter.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Most popular commands and their attributes:<\/p>\n<ul>\n<li>logwatch <strong>--help<\/strong><\/li>\n<li>logwatch <strong>--range<\/strong> \"-5 days\"\n<ul>\n<li>It defines the range to be analyzed as the whole history. 
The default range is the previous day.<\/li>\n<\/ul>\n<\/li>\n<li>logwatch <strong>--range<\/strong> \"between -7 days and -3 days\" <strong>--output<\/strong> mail\n<ul>\n<li>In addition to the range, it sets the output method to email.<\/li>\n<\/ul>\n<\/li>\n<li>logwatch <strong>--service<\/strong> all <strong>--detail<\/strong> high <strong>--mailto<\/strong> username@domain.com\n<ul>\n<li>Requests a highly detailed report of all services to a specific email destination.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr id=\"LogCheck\" \/>\n<p><strong>LOG CHECK<\/strong><\/p>\n<p>Logcheck checks the logs hourly and after a reboot for &#8220;interesting&#8221; lines, looking for clues of misuse, security violations, or problems.<\/p>\n<pre>sudo apt install logcheck -y\r\nsudo nano \/etc\/logcheck\/logcheck.conf<\/pre>\n<p>Popular configuration options:<\/p>\n<ul>\n<li>REPORTLEVEL=\"server\"\n<ul>\n<li>Controls the level of filtering, from &#8220;workstation&#8221; for the lowest state of alert to &#8220;paranoid&#8221; for the highest.<\/li>\n<\/ul>\n<\/li>\n<li>SENDMAILTO=\"logcheck\"\n<ul>\n<li>Change it to the destination email address of choice to receive the warnings\/alerts. E.g. <strong>SENDMAILTO=\"username@domain.com\"<\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>See the list of log files to be checked at:<\/p>\n<pre>sudo nano \/etc\/logcheck\/logcheck.logfiles<\/pre>\n<hr id=\"AuditDaemon\" \/>\n<p><strong>AUDIT DAEMON<\/strong><\/p>\n<p><strong>auditd<\/strong> is the userspace component of the Linux Auditing System responsible for writing audit records to the disk. 
<strong>ausearch<\/strong> and <strong>aureport<\/strong> are the tools to view the logs.<\/p>\n<pre>sudo apt install auditd -y\r\nsudo nano \/etc\/audit\/auditd.conf<\/pre>\n<p><strong>Popular commands and temporary rules:<\/strong><\/p>\n<ul>\n<li>sudo auditctl -s\n<ul>\n<li>shows the status of auditd.<\/li>\n<\/ul>\n<\/li>\n<li>sudo auditctl -e 1\n<ul>\n<li>sets the enable flag to ON.<\/li>\n<\/ul>\n<\/li>\n<li>sudo auditctl -w \/etc\/passwd -p wrxa -k passwd_watch_key\n<ul>\n<li>adds a watch on the file at the given path for the access types <b>r<\/b>=read, <b>w<\/b>=write, <b>x<\/b>=execute, <b>a<\/b>=attribute change, and tags the resulting events with an identification key.<\/li>\n<\/ul>\n<\/li>\n<li>sudo ausearch -k passwd_watch_key\n<ul>\n<li>lists the recorded accesses to the watched file, selected by key.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Rules added with <code>auditctl<\/code> are lost on reboot. To make them persistent, append them to the file <code>\/etc\/audit\/rules.d\/audit.rules<\/code>:<\/p>\n<pre>-w \/etc\/passwd -p wrxa -k passwd_watch_key<\/pre>\n<p>Loading the persistent rules requires restarting the service:<\/p>\n<pre>sudo systemctl restart auditd<\/pre>\n<hr \/>\n<p><strong>TUI NAVIGATION<\/strong><\/p>\n<p><strong>The Logfile Navigator<\/strong> (aka <code>lnav<\/code>) will be your best friend [<a href=\"https:\/\/lnav.org\/\">Link<\/a>]. 
This terminal user interface transforms the painful experience of diving into logs from a terminal by adding features such as colouring\/highlighting, regular expressions for searching, filtering, merging multiple files into a single view, and more [<a href=\"https:\/\/github.com\/tstack\/lnav\">Link<\/a>].<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-5174\" src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/05\/Screenshot-From-2025-11-20-18-13-58.png\" alt=\"\" width=\"1097\" height=\"543\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/05\/Screenshot-From-2025-11-20-18-13-58.png 1097w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/05\/Screenshot-From-2025-11-20-18-13-58-300x148.png 300w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/05\/Screenshot-From-2025-11-20-18-13-58-1024x507.png 1024w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/05\/Screenshot-From-2025-11-20-18-13-58-768x380.png 768w\" sizes=\"auto, (max-width: 1097px) 100vw, 1097px\" \/><\/p>\n<p>Install with APT<\/p>\n<pre>sudo apt install lnav -y<\/pre>\n<p>Or Brew<\/p>\n<pre>brew install lnav<\/pre>\n<p>Common Usage<\/p>\n<pre>lnav \/var\/log\/syslog\r\nlnav \/var\/log\/syslog \/var\/log\/apache2\r\njournalctl -f | lnav<\/pre>\n<p>Try out the key bindings:<\/p>\n<ul>\n<li><code>f<\/code> goes to the next file.<\/li>\n<li><code>e<\/code> goes to the next error.<\/li>\n<li><code>shift e<\/code>\u00a0 goes to the previous error.<\/li>\n<li><code>\/<\/code> to open the search prompt.\n<ul>\n<li><code>n<\/code> goes to the next search hit.<\/li>\n<li><code>shift+n<\/code> goes back.<\/li>\n<\/ul>\n<\/li>\n<li><code>:<\/code>takes you to the commands menu.\n<ul>\n<li>Then, enable the mouse mode.<\/li>\n<li>Or apply a filter.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<p><strong>BONUS<\/strong><\/p>\n<p>Remote Syslog with <strong>syslog-ng<\/strong> [<a 
href=\"https:\/\/www.syslog-ng.com\/products\/open-source-log-management\/\">Link<\/a>]. Current version 3.36.1 (2022-05-25) available at [<a href=\"https:\/\/github.com\/syslog-ng\/syslog-ng\">Link<\/a>].<\/p>\n<p><strong>Install syslog-ng<\/strong> on both sides, server and client:<\/p>\n<pre>sudo apt-get install syslog-ng -y<\/pre>\n<p>OR (on Ubuntu\/Debian, from the upstream repository)<\/p>\n<pre>wget -qO - https:\/\/ose-repo.syslog-ng.com\/apt\/syslog-ng-ose-pub.asc | sudo apt-key add -\r\necho \"deb https:\/\/ose-repo.syslog-ng.com\/apt\/ stable ubuntu-focal\" | sudo tee -a \/etc\/apt\/sources.list.d\/syslog-ng-ose.list\r\nsudo apt-get update &amp;&amp; sudo apt-get install syslog-ng -y<\/pre>\n<p>On the server-side, create a new file called <code>\/etc\/syslog-ng\/syslog-ng.conf<\/code> (the <code>port(514)<\/code> on the network source is explicit so it matches the client configuration below; without it the syslog() source listens on TCP 601 by default):<\/p>\n<pre>@version: 3.36\r\n@include \"scl.conf\"\r\noptions {\r\n    time-reap(30);\r\n    mark-freq(10);\r\n    keep-hostname(yes);\r\n};\r\nsource s_local {\r\n    system(); internal();\r\n};\r\nsource s_network {\r\n    syslog(transport(tcp) port(514));\r\n};\r\ndestination d_logs {\r\n    file(\r\n        \"\/var\/log\/syslog-ng\/${HOST}.txt\"\r\n        owner(\"root\")\r\n        group(\"root\")\r\n        perm(0755)\r\n    );\r\n};\r\nlog {\r\n    source(s_local); source(s_network); destination(d_logs);\r\n};<\/pre>\n<p>Restart the service with <code>sudo systemctl restart syslog-ng<\/code>.<\/p>\n<p>On the client-side, create a new file called <code>\/etc\/syslog-ng\/syslog-ng.conf<\/code>:<\/p>\n<pre>@version: 3.36\r\n@include \"scl.conf\"\r\nsource s_local {\r\n    system(); internal();\r\n};\r\ndestination d_syslog_tcp {\r\n    syslog(\"10.10.10.10\" transport(\"tcp\") port(514));\r\n};\r\nlog {\r\n    source(s_local); destination(d_syslog_tcp);\r\n};<\/pre>\n<p>Restart the service with <code>sudo systemctl restart syslog-ng<\/code>.<\/p>\n<p>Remember to open the respective port on the server's firewall to allow the inbound connection.<\/p>\n<p>Default 
ports:<\/p>\n<ul>\n<li>UDP &#8211; port 514<\/li>\n<li>TCP &#8211; port 601<\/li>\n<li>TLS\/TCP &#8211; port 6514<\/li>\n<\/ul>\n<hr \/>\n<p><strong>READ MORE<\/strong><\/p>\n<ul>\n<li><strong>Centralized Log Server with GrayLog<\/strong> [<a href=\"https:\/\/dft.wiki\/?p=2928\">Link<\/a>].<\/li>\n<li>Other open-source tools for centralizing logs are <strong>Zabbix<\/strong> [<a href=\"https:\/\/www.zabbix.com\/\">Link<\/a>], <strong>Nagios<\/strong> [<a href=\"https:\/\/www.nagios.com\/\">Link<\/a>], and <strong>NXLog<\/strong> [<a href=\"https:\/\/nxlog.co\/products\/nxlog-community-edition\">Link<\/a>]. Consider giving them a try before deciding which tool best fits your needs.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>INDEX Journal Control Used to view and manipulate Systemd logs. 
Remote Syslog Forwards log messages [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,6],"tags":[],"class_list":["post-2880","post","type-post","status-publish","format-standard","hentry","category-linux","category-raspberry-pi"],"_links":{"self":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/2880","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2880"}],"version-history":[{"count":26,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/2880\/revisions"}],"predecessor-version":[{"id":5175,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/2880\/revisions\/5175"}],"wp:attachment":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2880"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2880"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2880"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}