How to Get Answers from Your Linux Logs
Let’s say that you’re responsible for managing an application running on Linux. Your days are a lot easier (and more predictable) if you have visibility into what’s happening with your machines. Luckily, Loggly is here to help.
The Loggly application pack for Linux automatically creates a dashboard with a great deal of useful information. It includes the following:
- The Top Syslog Hosts and Top Syslog Applications widgets give you an overview of what kind of logs are available in your account, which can provide insight into things you might want to monitor more closely using alerts or drill down into for troubleshooting issues.
- Top Applications with Error lets you know which applications are the most error-prone.
- Syslog Severity in the Last Hour: This widget helps you spot spikes in error counts and know what’s “normal” for your system.
- The Invalid SSH Usernames and Invalid SSH Hosts charts can surface situations when attackers are trying to access your systems. This might prompt you to blacklist certain IP addresses, change passwords, or undertake other security reviews.
If you are experiencing a problem with your systems, saved searches help you quickly isolate the log data that contains answers. For example:
- Cron Jobs: Cron jobs may serve a number of different purposes in your application. Here at Loggly, we use them to generate stats for search engine usage per cluster. It’s not good news when a cron job fails, so it’s good to log the cron standard output. The cron job saved search then lets you quickly isolate failed jobs or examine all cron jobs over a specific time period.
- Failed SSH Logins can indicate a number of problems. For example, a step in your build process could be misconfigured. They are also an important clue in investigating potential attacks. If you see accounts with multiple failed logins, these could be accounts that attackers are trying to access. You might want to remove those accounts.
In Loggly, you find saved searches by clicking the star icon to the right of the search button.
You can set up any of your saved searches as alerts, so that Loggly will proactively notify you when an event occurs or when the number of events exceeds some threshold. For example, you might want to create an alert for whenever a failed SSH login occurs from the user jenkins.
If you’re a Loggly trial user, application packs are a great way to get your feet wet with Loggly. You can install the Linux application pack from the Source Setup tab of your application.
If you’re a Linux user who wants to get more insight from log data, there’s no faster way than starting a Loggly free trial!