Linux Shell Script: Logging Tasks

Linux Shell Scripting Cookbook

Getting ready

This recipe will introduce the commands who, w, users, uptime, last, and lastb.

How to do it...

To obtain information about users currently logged in to the machine use:

$ who
 slynux   pts/0   2010-09-29 05:24 (slynuxs-macbook-pro.local)
 slynux   tty7    2010-09-29 07:08 (:0)

Or:

$ w
 07:09:05 up  1:45,  2 users,  load average: 0.12, 0.06, 0.02
 USER     TTY     FROM    LOGIN@   IDLE  JCPU PCPU WHAT
 slynux   pts/0   slynuxs 05:24  0.00s  0.65s 0.11s sshd: slynux
 slynux   tty7    :0      07:08  1:45m  3.28s 0.26s gnome-session

It will provide information about logged in users, the pseudo TTY used by the users, the command that is currently executing from the pseudo terminal, and the IP address from which the users have logged in. If it is localhost, it will show the hostname. who and w format outputs with slight difference. The w command provides more detail than who.

TTY is the device file associated with a text terminal. When a terminal is newly spawned by the user, a corresponding device is created in /dev/ (for example, /dev/pts/3). The device path for the current terminal can be found out by typing and executing the command tty.

In order to list the users currently logged in to the machine, use:

$ users
 Slynux slynux slynux hacker

If a user has opened multiple pseudo terminals, it will show that many entries for the same user. In the above output, the user slynux has opened three pseudo terminals. The easiest way to print unique users is to use sort and uniq to filter as follows:

$ users | tr ' ' 'n' | sort | uniq
 slynux
 hacker

We have used tr to replace ' ' with 'n'. Then combination of sort and uniq will produce unique entries for each user.

In order to see how long the system has been powered on, use:

$ uptime
 21:44:33 up  3:17,  8 users,  load average: 0.09, 0.14, 0.09

The time that follows the word up indicates the time for which the system has been powered on. We can write a simple one-liner to extract the uptime only.

Load average in uptime's output is a parameter that indicates system load. In order to get information about previous boot and user logged sessions, use:

$ last
slynux tty7         :0              Tue Sep 28 18:27   still logged in
reboot system boot 2.6.32-21-generi Tue Sep 28 18:10 - 21:46 (03:35)
slynux pts/0      :0.0          Tue Sep 28 05:31 - crash (12:39)

The last command will provide information about logged in sessions. It is actually a log of system logins that consists of information such as tty from which it has logged in, login time, status, and so on.

The last command uses the log file /var/log/wtmp for input log data. It is also possible to explicitly specify the log file for the last command using the –f option. For example:

$ last -f /var/log/wtmp

In order to obtain info about login sessions for a single user, use:

$ last USER

Get information about reboot sessions as follows:

$ last reboot
reboot system boot 2.6.32-21-generi Tue Sep 28 18:10 - 21:48 (03:37)
reboot system boot 2.6.32-21-generi Tue Sep 28 05:14 - 21:48 (16:33)

In order to get information about failed user login sessions use:

# lastb
 test     tty8    :0          Wed Dec 15 03:56 - 03:56  (00:00)
 slynux tty8    :0          Wed Dec 15 03:55 - 03:55  (00:00)

You should run lastb as the root user.

Logging access to files and directories

Logging of file and directory access is very helpful to keep track of changes that are happening to files and folders. This recipe will describe how to log user accesses.

Getting ready

The inotifywait command can be used to gather information about file accesses. It doesn't come by default with every Linux distro. You have to install the inotify-tools package by using a package manager. It also requires the Linux kernel to be compiled with inotify support. Most of the new GNU/Linux distributions come with inotify enabled in the kernel.

How to do it...

Let's walk through the shell script to monitor the directory access:

#/bin/bash
 #Filename: watchdir.sh
 #Description: Watch directory access
 path=$1
 #Provide path of directory or file as argument to script
 inotifywait -m -r -e create,move,delete $path -q

A sample output is as follows:

$ ./watchdir.sh .
 ./ CREATE new
 ./ MOVED_FROM new
 ./ MOVED_TO news
 ./ DELETE news

How it works...

The previous script will log events create, move, and delete files and folders from the given path. The -m option is given for monitoring the changes continuously rather than going to exit after an event happens. -r is given for enabling a recursive watch the directories. -e specifies the list of events to be watched. -q is to reduce the verbose messages and print only required ones. This output can be redirected to a log file.

We can add or remove the event list. Important events available are as follows:

Logfile management with logrotate

Logfiles are essential components of a Linux system's maintenance. Logfiles help to keep track of events happening on different services on the system. This helps the sysadmin to debug issues and also provides statistics on events happening on the live machine. Management of logfiles is required because as time passes the size of a logfile gets bigger and bigger. Therefore, we use a technique called rotation to limit the size of the logfile and if the logfile reaches a size beyond the limit, it will strip the logfile and store the older entries from the logfile in an archive. Hence older logs can be stored and kept for future reference. Let's see how to rotate logs and store them.

Getting ready

logrotate is a command every Linux system admin should know. It helps to restrict the size of logfile to the given SIZE. In a logfile, the logger appends information to the log file. Hence the recent information appears at the bottom of the log file. logrotate will scan specific logfiles according to the configuration file. It will keep the last 100 kilobytes (for example, specified SIZE = 100k) from the logfile and move rest of the data (older log data) to a new file logfile_name.1 with older entries. When more entries occur in the logfile (logfile_name.1) and it exceeds the SIZE, it updates the logfile with recent entries and creates logfile_name.2 with older logs. This process can easily be configured with logrotate.logrotate can also compress the older logs as logfile_name.1.gz, logfile_name2.gz, and so on. The option for whether older log files are to be compressed or not is available with the logrotate configuration.

How to do it...

logrotate has the configuration directory at /etc/logrotate.d. If you look at this directory by listing contents, many other logfile configurations can be found.

We can write our custom configuration for our logfile (say /var/log/program.log) as follows:

$ cat /etc/logrotate.d/program
 /var/log/program.log {
 missingok
 notifempty
 size 30k
 compress
 weekly
 rotate 5
 create 0600 root root
 }

Now the configuration is complete. /var/log/program.log in the configuration specifies the logfile path. It will archive old logs in the same directory path. Let's see what each of these parameters are:

The options specified in the table are optional; we can specify the required options only in the logrotate configuration file. There are numerous options available with logrotate. Please refer to the man pages (http://linux.die.net/man/8/logrotate) for more information on logrotate.