Log Files and Syslog
Because of their importance, log files are commonly concentrated on one monitoring computer.
Syslog is a system that lets devices send their log messages to a centralized server, known as a
syslog server. Clients communicate with a syslog server using the syslog protocol. In its classic form
this is one UDP datagram per message to port 514, sent in cleartext with no authentication, so
anyone on the path can read the entries and a host that can spoof the source address can inject
forged ones; TLS-protected syslog exists but has to be configured explicitly. Syslog is widely
deployed and available on practically every computer platform.
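The wire format behind "the syslog protocol" is short enough to show in full. The following is an added example, not code from the lab or from the CyberOps Workstation VM: it encodes the PRI field (facility * 8 + severity) that starts every syslog message, builds both the traditional BSD (RFC 3164) layout that /var/log/syslog uses and the newer RFC 5424 layout, and parses a received message the way a syslog server does before routing it. The host name, timestamp and message text are constructed for the demonstration; the UDP sender is included to show how a classic client transmits, but it is not invoked, so the block runs offline.

```python
import socket
from datetime import datetime, timezone

# Standard syslog facility and severity codes (RFC 3164 / RFC 5424).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}

# Constructed timestamp for the demonstration (not taken from a real log).
DEMO_WHEN = datetime(2017, 2, 7, 13, 23, 15, tzinfo=timezone.utc)


def encode_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity; every syslog message starts with '<PRI>'."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri: int):
    """Inverse of encode_pri: returns (facility code, severity code)."""
    if not 0 <= pri <= 191:          # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} out of range")
    return divmod(pri, 8)


def bsd_message(facility, severity, when: datetime, host, tag, text) -> bytes:
    """RFC 3164 ('BSD') format, the layout /var/log/syslog also uses:
    <PRI>Mmm dd hh:mm:ss HOST TAG: text
    The timestamp carries neither a year nor a time zone, so it is only
    meaningful if sender and receiver both keep a correct clock."""
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"   # day is space-padded
    return f"<{encode_pri(facility, severity)}>{ts} {host} {tag}: {text}".encode("ascii")


def rfc5424_message(facility, severity, when: datetime, host, app, text) -> bytes:
    """RFC 5424 format: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG
    The ISO 8601 timestamp includes year and UTC offset. 'when' must be
    time-zone aware; '-' marks the optional fields left empty here."""
    ts = when.isoformat(timespec="milliseconds")
    return f"<{encode_pri(facility, severity)}>1 {ts} {host} {app} - - - {text}".encode("utf-8")


def parse_header(raw: bytes) -> dict:
    """Split a received datagram into PRI and remainder, as a syslog server
    does before filing the message by facility and severity."""
    text = raw.decode("utf-8", errors="replace")
    if not text.startswith("<") or ">" not in text[:6]:
        raise ValueError("missing <PRI> header")
    pri_str, rest = text[1:].split(">", 1)
    facility, severity = decode_pri(int(pri_str))
    return {"facility": facility, "severity": severity, "rest": rest}


def send_udp(raw: bytes, server: str, port: int = 514) -> None:
    """Transmit one message the way a classic syslog client does: a single
    cleartext, unauthenticated UDP datagram. Not called in this offline
    example; production forwarding should use TLS (RFC 5425) or a tunnel."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(raw, (server, port))


if __name__ == "__main__":
    print(bsd_message("kern", "info", DEMO_WHEN, "secOps", "kernel", "random: crng init done"))
    print(rfc5424_message("auth", "crit", DEMO_WHEN, "secOps", "sshd", "Failed password for root"))
```

The `<34>` produced for facility auth, severity crit is the value used in the RFC's own example; a server receiving the BSD form has to guess the year and zone from its own clock, which is one concrete reason the time-synchronization question later in this lab matters.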
The CyberOps Workstation VM generates operating system level log files and hands them over to
syslog.
a. Use the cat command as root to list the contents of the /var/log/syslog file. This file
holds the log entries that are generated by the CyberOps Workstation VM operating
system and sent to the syslog service.
```
analyst@secOps ~$ sudo cat /var/log/syslog
[sudo] password for analyst:
Feb 7 13:23:15 secOps kernel: [ 5.458959] psmouse serio1: hgpk: ID: 10 00 64
Feb 7 13:23:15 secOps kernel: [ 5.467285] input: ImExPS/2 BYD TouchPad as /devices/platform/i8042/serio1/input/input6
Feb 7 13:23:15 secOps kernel: [ 5.502469] RAPL PMU: API unit is 2^-32 Joules, 4 fixed counters, 10737418240 ms ovfl timer
Feb 7 13:23:15 secOps kernel: [ 5.502476] RAPL PMU: hw unit of domain pp0-core 2^-0 Joules
Feb 7 13:23:15 secOps kernel: [ 5.502478] RAPL PMU: hw unit of domain package 2^-0 Joules
Feb 7 13:23:15 secOps kernel: [ 5.502479] RAPL PMU: hw unit of domain dram 2^-0 Joules
Feb 7 13:23:15 secOps kernel: [ 5.502480] RAPL PMU: hw unit of domain pp1-gpu 2^-0 Joules
Feb 7 13:23:15 secOps kernel: [ 5.672547] ppdev: user-space parallel port driver
Feb 7 13:23:15 secOps kernel: [ 5.709000] pcnet32 0000:00:03.0 enp0s3: renamed from eth0
Feb 7 13:23:16 secOps kernel: [ 6.166738] pcnet32 0000:00:03.0 enp0s3: link up, 100Mbps, full-duplex
Feb 7 13:23:16 secOps kernel: [ 6.706058] random: crng init done
Feb 7 13:23:18 secOps kernel: [ 8.318984] floppy0: no floppy controllers found
Feb 7 13:23:18 secOps kernel: [ 8.319028] work still pending
Feb 7 14:26:35 secOps kernel: [ 3806.118242] hrtimer: interrupt took 4085149 ns
Feb 7 15:02:13 secOps kernel: [ 5943.582952] pcnet32 0000:00:03.0 enp0s3: link down
Feb 7 15:02:19 secOps kernel: [ 5949.556153] pcnet32 0000:00:03.0 enp0s3: link up, 100Mbps, full-duplex
```
Why did the cat command have to be executed as root?
In the CyberOps Workstation VM, the /var/log/syslog belongs to root and can only be
read by root.
b. Notice that the /var/log/syslog file only stores the most recent log entries. To keep the
syslog file small, the operating system periodically rotates the log files, renaming older
log files as syslog.1, syslog.2, and so on; syslog.1 is the most recently rotated file and
the highest number is the oldest.
Use the cat command to list older syslog files:
```
analyst@secOps ~$ sudo cat /var/log/syslog.2
analyst@secOps ~$ sudo cat /var/log/syslog.3
analyst@secOps ~$ sudo cat /var/log/syslog.4
```
Can you think of a reason why it is so important to keep the time and date of computers
correctly synchronized?
Log systems record each event together with the date and time it took place. If a system's
clock is wrong, or not synchronized with the other devices reporting to the same syslog
server, events from different hosts cannot be placed in their true order, and troubleshooting
or reconstructing an incident becomes much harder. Note also that the entries shown above
carry no year and no time zone, so the clock of the machine that wrote them supplies that
context; keeping every clock synchronized (for example with NTP) is what makes correlation
across devices possible.
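The two questions in this lab (who may read the file, and why clocks must be right) become concrete once the entries are parsed rather than just cat'd. The following is an added example, not code from the lab or from the CyberOps Workstation VM: it parses the BSD-format lines shown above (a constructed sample embedded from the listing, with the wrapped lines rejoined), orders rotated files oldest-first, pairs each "link down" with the next "link up" on the same interface, and then cross-checks the wall-clock duration against the kernel's seconds-since-boot counter that appears in square brackets. Because the file records no year, the caller must supply one; the year 2017 used here is an assumption for the demonstration.

```python
import re
from datetime import datetime
from typing import Iterable, List, Optional

# Constructed sample, copied from the /var/log/syslog listing in this lab
# with the wrapped lines rejoined, so the example runs offline.
SAMPLE = """\
Feb 7 13:23:15 secOps kernel: [ 5.709000] pcnet32 0000:00:03.0 enp0s3: renamed from eth0
Feb 7 13:23:16 secOps kernel: [ 6.166738] pcnet32 0000:00:03.0 enp0s3: link up, 100Mbps, full-duplex
Feb 7 13:23:16 secOps kernel: [ 6.706058] random: crng init done
Feb 7 14:26:35 secOps kernel: [ 3806.118242] hrtimer: interrupt took 4085149 ns
Feb 7 15:02:13 secOps kernel: [ 5943.582952] pcnet32 0000:00:03.0 enp0s3: link down
Feb 7 15:02:19 secOps kernel: [ 5949.556153] pcnet32 0000:00:03.0 enp0s3: link up, 100Mbps, full-duplex
"""

# BSD syslog file line: "Mmm dd hh:mm:ss host program[pid]: message".
# The real file space-pads the day ("Feb  7"); ' +' accepts either padding.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# Kernel messages carry a second clock: seconds since boot, in brackets.
UPTIME_RE = re.compile(r"^\[ *(?P<up>\d+\.\d+)\] (?P<rest>.*)$")
LINK_RE = re.compile(r"(?P<iface>\S+): link (?P<state>up|down)")


def parse_line(line: str, year: int) -> Optional[dict]:
    """Parse one line. The BSD timestamp has no year and no time zone, so
    'year' is supplied by the caller (assumption: local time of the VM)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {int(m['day'])} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    msg, uptime = m["msg"], None
    u = UPTIME_RE.match(msg)
    if u:
        uptime, msg = float(u["up"]), u["rest"]
    return {"ts": ts, "host": m["host"], "prog": m["prog"],
            "uptime": uptime, "msg": msg}


def parse_file(text: str, year: int) -> List[dict]:
    return [e for e in (parse_line(l, year) for l in text.splitlines()) if e]


def rotated_order(names: Iterable[str]) -> List[str]:
    """Oldest first: syslog.N with the largest N was rotated earliest, the
    live 'syslog' comes last. Handles compressed names like syslog.3.gz."""
    def age(n: str) -> int:
        parts = n.split(".")
        return int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    return sorted(names, key=age, reverse=True)


def link_events(entries: List[dict]) -> List[dict]:
    """Extract NIC link state changes reported by the kernel."""
    out = []
    for e in entries:
        if e["prog"] != "kernel":
            continue
        m = LINK_RE.search(e["msg"])
        if m:
            out.append({"iface": m["iface"], "state": m["state"],
                        "ts": e["ts"], "uptime": e["uptime"]})
    return out


def outages(events: List[dict]) -> List[dict]:
    """Pair each 'link down' with the next 'link up' on the same interface,
    measuring the gap on both the wall clock and the uptime clock."""
    pending, out = {}, []
    for ev in events:
        if ev["state"] == "down":
            pending[ev["iface"]] = ev
        elif ev["iface"] in pending:
            d = pending.pop(ev["iface"])
            up = None
            if ev["uptime"] is not None and d["uptime"] is not None:
                up = round(ev["uptime"] - d["uptime"], 6)
            out.append({"iface": ev["iface"], "start": d["ts"],
                        "wall_s": (ev["ts"] - d["ts"]).total_seconds(),
                        "uptime_s": up})
    return out


def clock_skew(outage: dict, tolerance_s: float = 2.0):
    """Wall clock minus uptime clock over the same interval. Timestamps have
    1 s resolution, so the two should agree within a couple of seconds; a
    larger gap means the wall clock was stepped (NTP correction, manual
    change or tampering) between the two entries, and timestamps across
    that point cannot be used to correlate with other hosts."""
    skew = outage["wall_s"] - outage["uptime_s"]
    return skew, abs(skew) <= tolerance_s


if __name__ == "__main__":
    for o in outages(link_events(parse_file(SAMPLE, 2017))):
        print(o, clock_skew(o))
```

On the lab's own entries the wall clock says the link was down for 6 s and the uptime counter says 5.973 s, so the clocks agree. Editing one timestamp to read three hours later, as the hidden test does, produces a skew of about 10800 s, which is exactly what a log from an unsynchronized host looks like when read next to a synchronized one.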