applied linux.

Chapter 8 of 9

Storage Monitoring, and Troubleshooting

On this page

Monitoring and Logging Essentials

Analyzing Log Files

Log files are crucial for identifying and diagnosing system issues. They contain records of system events, service messages, and application activities, offering a detailed view of what’s happening on your system. Key log files include system logs, service logs, and application logs.

Key Tools for Log Analysis:

  1. /var/log

The /var/log/ directory in Linux is a critical component of the system’s logging infrastructure. It serves as the centralized location for all log files generated by the operating system, applications, and various services running on the machine. These logs are essential for system administrators and developers to monitor, troubleshoot, and audit the system’s behavior and performance.

Purpose of /var/log/

The primary purpose of the /var/log/ directory is to store log files that record system events, errors, and other messages generated by the kernel, system services, and applications. These logs provide a historical record of activities on the system, which can be invaluable for diagnosing issues, understanding system performance, and ensuring security compliance.

Structure of /var/log/

The structure of the /var/log/ directory can vary slightly between different Linux distributions, but there are common files and subdirectories that you will typically find:

System Logs

  • /var/log/syslog or /var/log/messages: This is one of the most important log files in the system, capturing general system activity and messages. The exact name of this file depends on the distribution (e.g., Ubuntu uses syslog, while Red Hat-based systems use messages). It includes information about system boot, kernel messages, and other critical events.

  • Authentication Logs:

  • /var/log/auth.log: This file records all authentication-related events, including successful and failed login attempts, changes to user accounts, and activities related to system security.

  • Kernel Logs:

  • /var/log/kern.log: Contains messages generated by the Linux kernel. This log is crucial for diagnosing hardware issues, kernel crashes, and other low-level system events.

  • Boot Logs:

  • /var/log/boot.log: Captures messages related to the boot process. It includes information about services starting up and other events that occur when the system boots.

  • Daemons and Services:

  • /var/log/daemon.log: Logs messages from system daemons, which are background services that handle tasks like printing, network management, and system monitoring.

  • /var/log/httpd/ or /var/log/apache2/: These directories store logs generated by the Apache web server. They typically include access logs (access.log) and error logs (error.log).

  • Package Management Logs:

  • /var/log/dpkg.log: On Debian-based systems, this log records all package management actions performed using dpkg, such as package installations, upgrades, and removals.

  • /var/log/yum.log or /var/log/dnf.log: Similar to dpkg.log, but for Red Hat-based distributions using the YUM or DNF package managers.

  • Cron Logs:

  • /var/log/cron.log: Contains logs related to cron jobs, which are scheduled tasks that run at specified intervals. This log helps track the execution of scheduled scripts and commands.

  • Mail Logs:

  • /var/log/mail.log: Stores logs related to mail services, such as sendmail or postfix. This log is essential for diagnosing issues with email delivery and processing.

File Structure and Format

The files in /var/log/ are typically plain text files, which makes them easy to read using standard text utilities like cat, less, or grep. Most log files follow a simple structure with each line representing a log entry. A typical log entry includes:

  • Timestamp: Indicates when the event occurred.
  • Hostname: The name of the system where the log was generated.
  • Service or Application Name: Identifies the source of the log message.
  • Message: Describes the event or error in detail.

For example, a line in auth.log might look like this:

Sep  3 14:32:16 myserver sshd[29674]: Failed password for root from 192.168.1.1 port 22 ssh2

This line indicates a failed SSH login attempt to the root account from a specific IP address.

Log Interfaces

Key information can quickly be gathered from file logs and system buffers using simple commands:

  1. journalctl - Purpose: journalctl is a powerful command-line tool used to access and view logs from the systemd journal. The systemd journal is the central logging system in Linux systems that use systemd, recording messages from the system, kernel, and various services. - Usage:

    • Running journalctl without any options will display all logs in the journal, including those from the kernel, system services, and other components, in chronological order.
    • You can filter logs to focus on specific services or time periods. For example, to view logs related to the Apache HTTP server, you would use: bash journalctl -u httpd
    • This command is particularly useful for troubleshooting issues with specific services, as it allows you to narrow down the logs to only those relevant to the service in question.
    • Why It’s Important: journalctl enables you to efficiently monitor system activities, catch errors early, and troubleshoot problems by reviewing detailed logs. For instance, if a service fails to start, you can quickly identify the cause by examining the relevant logs.

  2. dmesg - Purpose: The dmesg command displays messages from the kernel ring buffer. These messages often relate to hardware operations and drivers, making dmesg particularly useful for diagnosing hardware-related issues, such as problems with devices or kernel modules. - Usage:

    • Simply running dmesg displays the kernel messages, but you can also filter or search through these messages to find specific information. For example, to search for USB-related messages, you could use: bash dmesg | grep USB
    • Why It’s Important: Understanding kernel messages is crucial for diagnosing and resolving hardware issues. dmesg gives you direct insight into what the kernel is doing, helping you troubleshoot problems with drivers, hardware, or the boot process.

  3. logrotate - Purpose: logrotate is a utility that automates the rotation, compression, and management of log files. Over time, log files can grow large and consume significant disk space, making it harder to find relevant information. logrotate helps by archiving older logs and starting new ones based on predefined criteria like file size or time interval. - How It Works:

    • logrotate operates according to configuration files, usually located in /etc/logrotate.conf and additional configurations in /etc/logrotate.d/. These files specify how and when logs should be rotated.
    • A typical configuration might rotate logs daily, keep the last seven days’ worth of logs, and compress older logs to save space.
  • Example Configuration
  • To rotate Apache logs daily, the configuration might look like this: plaintext /var/log/httpd/*.log { daily missingok rotate 7 compress delaycompress notifempty create 640 root adm sharedscripts postrotate /usr/bin/systemctl reload httpd.service > /dev/null 2>/dev/null || true endscript } This configuration ensures that Apache logs are rotated daily, old logs are compressed, and the system reloads the Apache service after log rotation.
  • Why It’s Important: By automatically managing log files, logrotate ensures that logs do not consume excessive disk space and remain manageable. This allows for continuous logging without the risk of filling up disk space, which could lead to system failures.

Troubleshooting

Troubleshooting is the process of diagnosing and resolving issues in a system. It requires a methodical approach to identify the root cause of a problem and apply appropriate solutions. Effective troubleshooting ensures that issues are resolved quickly and that the system remains stable and secure.

Common Troubleshooting Steps:

  • Identifying the Issue:

  • Use monitoring and logging tools like journalctl, dmesg, and system resource monitors (top, htop, etc.) to identify the source of the problem. For example, if a service fails to start, you would check the logs related to that service using journalctl -u [service_name].

  • Isolating the Problem:

  • Determine whether the issue is related to hardware or software. For hardware issues, dmesg might reveal errors related to device drivers or hardware failures. For software issues, logs from journalctl or specific application logs can provide clues.

  • Applying Solutions:

  • Once you’ve identified the problem, use appropriate tools and commands to resolve it. This might involve restarting a service, reconfiguring a system component, or applying updates and patches. For example, if a service is misconfigured, you might edit its configuration file and then restart the service.

  • Testing and Verification:

  • After applying a solution, verify that the issue has been resolved and test the system to ensure stability. This might involve monitoring the system for a period to ensure the problem does not reoccur and that the system performs as expected.

Effective Storage Management

In addition to monitoring logs, managing storage effectively is crucial to avoid potential system problems. This involves regularly checking disk usage and ensuring that your system doesn’t run out of space unexpectedly.

  • Disk Usage Monitoring

  • Regularly checking disk usage helps you identify if any partitions are running low on space. Linux provides several commands to monitor disk usage, such as df (disk free) and du (disk usage).

  • df This command shows how much disk space is available on your file system. Running df -h gives a human-readable summary, making it easy to spot if a partition is nearly full.

  • du This command provides a summary of disk usage by files and directories. It’s useful for finding large files or directories that might be consuming more space than expected.

Identifying Potential Issues

  • Monitoring tools like iostat can help you keep an eye on input/output performance, allowing you to spot bottlenecks that could indicate storage issues.
  • SMART tools like smartctl can be used to check the health of your storage devices, potentially identifying failing hard drives before they lead to data loss.

Effective storage management also involves monitoring disk usage and identifying potential issues before they lead to system problems.

df

The df (disk free) command reports the amount of disk space used and available on file systems. It is useful for quickly checking how much space is left on your partitions and identifying any that are close to full, which could lead to system errors if not addressed.

  • Usage df -h provides a human-readable format (e.g., in GB or MB) to make the information easier to interpret.

du

The du (disk usage) command estimates the amount of space used by files and directories. It’s helpful for identifying large files or directories that may be consuming excessive storage space.

  • Usage: du -sh /path/to/directory provides a summary of the total space used by the specified directory, with the -h option making the output human-readable.

iostat

The iostat command provides statistics on CPU and I/O usage, helping to identify bottlenecks in disk performance. It is particularly useful for diagnosing issues related to disk speed and efficiency.

  • Usage: Running iostat gives you a report of CPU and I/O statistics, which you can use to determine if your storage devices are the cause of system slowdowns.

SMART (Self-Monitoring, Analysis, and Reporting Technology)

SMART tools, such as smartctl, are used to monitor the health of storage devices, particularly hard drives and SSDs. SMART data can help predict potential disk failures before they occur, allowing you to take preventative action, such as backing up data or replacing a failing drive.

  • Usage: smartctl -a /dev/sda displays comprehensive SMART data for the specified drive, including error rates, temperature, and reallocated sectors.

Peripheral Devices

Managing peripheral devices such as USB drives, printers, and other external hardware is an important skill for Linux system administrators.

lsusb

The lsusb command lists all USB devices connected to the system. It provides details about each device, such as the manufacturer, product ID, and bus location. This is essential for troubleshooting USB devices that are not recognized or not functioning properly.

  • Usage: Running lsusb shows a basic list of connected USB devices. For more detailed information, use lsusb -v.

lspci

The lspci command lists all PCI devices connected to the system, such as network cards, sound cards, and graphics cards. This tool is particularly useful for identifying and troubleshooting internal hardware components.

  • Usage: Running lspci provides a list of all PCI devices, including their vendor and device IDs. For more detailed information, use lspci -vv.

Optimize System Performance

Adjust System Settings

  • Manage Swap Usage
    • Swap space helps when your system runs out of physical RAM by providing additional memory on the disk. However, excessive use of swap can slow down your system. You can control how aggressively your system uses swap by adjusting the swappiness value.
    • Command: bash sudo sysctl vm.swappiness=11
    • Lower values (e.g., 11) make the system prefer using RAM over swap, which can improve performance in most cases.

Disable Unnecessary Startup Services

  • Reduce Boot Time:
    • Services that are not needed can consume system resources and slow down boot time. Disabling these services can speed up your system’s startup.
    • Command: bash sudo systemctl disable service_name
    • Replace service_name with the actual name of the service you want to disable. Be cautious and ensure that the service is not critical to your system’s operation.

Adjust I/O Scheduler

  • Optimize Disk Performance
    • The I/O scheduler determines how disk input/output operations are managed. Different schedulers can be better suited for different workloads.
    • Check Current Scheduler: bash cat /sys/block/sda/queue/scheduler
    • Change Scheduler: bash echo cfq | sudo tee /sys/block/sda/queue/scheduler
    • cfq is a common choice, but noop or deadline may be more suitable for SSDs.

Optimize CPU Performance

  • Governor Settings
    • The CPU governor controls how your CPU scales its frequency to balance power consumption and performance.
    • Check Available Governors: bash cat /sys/devices/system/cpu/cpu*/cpufreq/scaling_available_governors
    • Set Governor to Performance: bash sudo cpupower frequency-set -g performance
    • This setting keeps the CPU running at its highest frequency for maximum performance.

Memory Management

  • Clear Cache
    • Over time, the system cache can consume a significant amount of memory. Clearing the cache can free up memory and improve performance.
    • Command: bash sudo sync; echo 3 | sudo tee /proc/sys/vm/drop_caches
    • This clears the page cache, dentries, and inodes. It’s a non-destructive operation but should be used judiciously.

Network Performance

  • Optimize TCP Settings
    • Adjusting TCP settings can improve network performance, especially in high-traffic environments.
    • Command: bash sudo sysctl -w net.core.rmem_max=16777216 sudo sysctl -w net.core.wmem_max=16777216
    • These settings increase the maximum TCP buffer sizes for receive and send operations.

Filesystem Performance

  • Enable Writeback Caching
    • If your system uses SSDs, enabling writeback caching can improve disk write performance.
    • Command: bash sudo hdparm -W1 /dev/sda
    • Replace /dev/sda with your actual disk device.

Scheduling Optimizations with Cron

  • Automate System Maintenance
    • Regularly running maintenance tasks like clearing logs or updating databases can keep your system running smoothly.
    • Example Cron Job: bash 0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
    • This cron job runs log rotation at 3:00 AM daily, preventing logs from growing too large.

Log Analysis

  • Regularly Review Logs
    • Check system logs (/var/log/syslog, /var/log/messages) for warnings and errors that might indicate performance issues.

System Monitoring

Monitoring system performance and troubleshooting issues are essential tasks for maintaining a healthy and efficient Linux system. This involves tracking the usage of various system resources, identifying potential bottlenecks, and resolving issues before they impact system stability or performance.

Performance Monitoring

Performance monitoring is crucial for understanding how your system’s resources—such as CPU, memory, disk, and network—are being utilized. By regularly monitoring these resources, you can ensure that your system operates efficiently and can identify any areas that may require attention.

Key Tools for Performance Monitoring

  • top: The top command provides a real-time, dynamic view of system resource usage. It displays information about CPU usage, memory usage, and running processes, allowing you to monitor how resources are being allocated and identify any processes that may be consuming excessive resources.

  • htop: htop is an enhanced version of top with a more user-friendly, colorful interface. It offers better visual representation and interaction options, such as the ability to scroll through processes and kill them directly from the interface.

  • iotop: The iotop command focuses on disk I/O usage, showing which processes are consuming the most disk resources. This is particularly useful for identifying processes that may be causing disk bottlenecks.

  • sar: The sar command collects, reports, and saves system activity information over time. It can be used to monitor CPU usage, memory utilization, I/O, and network statistics. For example, sar -u 1 3 reports CPU usage every second for three seconds.

Continuous Monitoring and Tuning

Continuous monitoring of system resources is key to maintaining optimal performance. By using real-time monitoring tools, you can quickly identify resource bottlenecks and make necessary adjustments to system settings.

Real-Time System Monitoring:

  • top and htop: Both top and htop provide real-time monitoring of CPU and memory usage. htop is particularly favored for its enhanced usability.

  • To start htop, simply run: bash htop

  • iotop: Use iotop to monitor disk I/O in real-time, helping to identify which processes are causing high disk usage.

  • iftop: While not mentioned previously, iftop is another useful tool that monitors network traffic in real-time, showing which connections are using the most bandwidth.

By leveraging these tools, system administrators can maintain a continuous awareness of how system resources are being used and take proactive steps to tune performance, ensuring that the system remains responsive and efficient. Regular monitoring and prompt troubleshooting are crucial for preventing minor issues from becoming major problems.

Network Troubleshooting in Linux

Diagnosing Network Issues

  • Using ping

The ping command is one of the simplest yet most effective tools for checking network connectivity. It works by sending ICMP (Internet Control Message Protocol) echo request packets to a target host and waits for a response. This helps determine whether the target host is reachable and how long it takes for the data to travel to and from the host.

  • Example Command: bash ping example.com
  • Expected Output: bash PING example.com (93.184.216.34) 56(84) bytes of data. 64 bytes from 93.184.216.34: icmp_seq=1 ttl=56 time=10.2 ms 64 bytes from 93.184.216.34: icmp_seq=2 ttl=56 time=10.4 ms 64 bytes from 93.184.216.34: icmp_seq=3 ttl=56 time=10.3 ms

  • Explanation:

    icmp_seq: Sequence number of the ICMP packet.

    ttl: Time to live, indicating how many hops the packet can make before being discarded.

    time: Round-trip time in milliseconds for the packet to reach the destination and return.

If the ping command shows no response, it indicates that the target host may be unreachable, or there may be a network issue between the two hosts.

  • Diagnosing with traceroute

When ping indicates a connectivity issue, the traceroute command can help you determine where the connection is failing. traceroute maps the path that packets take from your system to the destination, showing each hop along the way.

  • Example Command: bash traceroute example.com
  • Expected Output: bash traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets 1 192.168.1.1 (192.168.1.1) 1.001 ms 1.005 ms 1.002 ms 2 10.0.0.1 (10.0.0.1) 9.002 ms 9.005 ms 9.003 ms 3 93.184.216.34 (93.184.216.34) 10.002 ms 10.004 ms 10.003 ms
  • Explanation:
    • Each line represents a hop from your system to the destination.
    • The IP addresses in parentheses are the routers or gateways the packet passed through.
    • The times represent how long it took for the packet to travel to that hop and back.

If traceroute fails at a certain hop, it suggests that the issue may be with that specific router or network segment.

  1. Checking Network Configuration with ifconfig and ip:

These commands allow you to view and configure the network interfaces on your Linux system. They provide critical information about IP addresses, subnet masks, and the status of each network interface.

  • Example Command (ifconfig): bash ifconfig
  • Expected Output: bash eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.1.100 netmask 255.255.255.0 broadcast 192.168.1.255 inet6 fe80::a00:27ff:fe3e:7f00 prefixlen 64 scopeid 0x20<link> ether 08:00:27:3e:7f:00 txqueuelen 1000 (Ethernet) RX packets 1042 bytes 1023498 (1.0 MB) TX packets 543 bytes 46352 (46.3 KB)

  • Explanation:

    inet: Shows the IPv4 address assigned to the interface.

    netmask: Displays the subnet mask.

    flags: Indicates the current status of the interface (e.g., UP means the interface is active).

    RX and TX packets: Show the number of packets received and transmitted.

  • Example Command (ip): bash ip addr show

  • Expected Output: bash 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default link/ether 08:00:27:3e:7f:00 brd ff:ff:ff:ff:ff:ff inet 192.168.1.100/24 brd 192.168.1.255 scope global dynamic eth0 valid_lft 86377sec preferred_lft 86377sec inet6 fe80::a00:27ff:fe3e:7f00/64 scope link valid_lft forever preferred_lft forever

  • Explanation:

    inet 192.168.1.100/24: The IPv4 address and subnet mask in CIDR notation.

    link/ether: The MAC address of the interface.

    scope global: Indicates that the IP address is accessible across the network.

  1. Using netstat and ss:

netstat and ss are tools that provide detailed information about network connections, listening ports, and routing tables. These tools help you understand what connections are active and can aid in diagnosing network issues related to specific ports or services.

  • Example Command (netstat): bash netstat -tuln
  • Expected Output: bash Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN tcp6 0 0 :::80 :::* LISTEN udp 0 0 0.0.0.0:68 0.0.0.0:* udp6 0 0 :::123 :::*

  • Explanation:

    Proto: The protocol in use (TCP or UDP).

    Local Address: The IP address and port on the local machine.

    Foreign Address: The IP address and port on the remote machine.

    State: The status of the connection (e.g., LISTEN indicates that the service is waiting for incoming connections).

  • Example Command (ss): bash ss -tuln

  • Expected Output: bash State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 0.0.0.0:22 0.0.0.0:* LISTEN 0 128 [::]:80 [::]:*
  • Explanation: Similar to netstat, but ss is faster and provides more detailed socket information. It shows active listening ports and the associated services.

Diagnosing Application Issues in Linux

Applications can sometimes encounter issues that lead to crashes, slow performance, or other unexpected behavior. Diagnosing and troubleshooting these problems is essential to ensure that applications run smoothly and reliably. Here are several techniques and tools that can help you identify and resolve application issues effectively.

Troubleshooting Application Problems

  • Using strace:

The strace command is a powerful tool that traces the system calls made by a program. System calls are the way programs interact with the kernel to perform tasks like reading files, writing to disk, or communicating over the network. By tracing these calls, strace can provide deep insights into what an application is doing and where it might be encountering problems.

  • Example Command: bash strace -o output.txt program_name
  • Expected Output: bash open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fdf12345000 read(3, "Hello, World!", 13) = 13 write(1, "Hello, World!\n", 13) = 13
  • Explanation: Each line shows a system call made by the program, including the function called, its parameters, and the return value. In the example, the program opens files, maps memory, reads data, and writes output.

Usage Tips: - -o output.txt: Saves the trace output to a file called output.txt for easier analysis. - Use strace to identify where a program might be failing, such as failing to open a file or receiving an unexpected response from a system call.

  • Checking Application Logs:

Many applications generate logs that provide detailed information about their operations, errors, and warnings. These logs are invaluable for troubleshooting, as they often contain clues about what might be going wrong.

  • Example Command: bash sudo less /var/log/apache2/error.log
  • Expected Output: bash [Mon Aug 23 14:32:15.123456 2024] [mpm_prefork:notice] [pid 1234] AH00163: Apache/2.4.41 [Mon Aug 23 14:32:15.123456 2024] [core:notice] [pid 1234] AH00094: Command line: [Mon Aug 23 14:35:48.678901 2024] [php7:error] [pid 1235] [client 192.168.1.100:50000] script

  • Explanation:

    The logs show timestamps, severity levels (e.g., notice, error), and messages describing the application’s activity and errors.

    In the example, an error is logged indicating that a PHP script was not found, which could be the source of an issue with the web server.

Usage Tips: - Use less or tail -f to view and monitor log files in real-time. - Look for keywords like error, warning, or fail to quickly identify issues.

  • Debugging with gdb:

For more advanced troubleshooting, gdb (GNU Debugger) is an essential tool that allows you to debug applications by inspecting the state of a program, its memory, and variables. gdb is particularly useful when dealing with complex issues like segmentation faults or memory leaks.

  • Example Command: bash gdb program_name
  • Expected Output: bash GNU gdb (GDB) 10.1 Copyright (C) 2020 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. ... For help, type "help". Type "apropos word" to search for commands related to "word"... Reading symbols from program_name... (gdb) run

  • Explanation:

    gdb loads the program and allows you to execute it under the debugger’s control.

    You can set breakpoints, step through code, and inspect variables to understand how the program behaves at runtime.

  • Usage Tips:

  • Setting Breakpoints: Use the break command to set breakpoints at specific lines or functions. For example:

    bash break main - Stepping Through Code: Use step to step into functions and next to move to the next line of code. - Inspecting Variables: Use the print command to inspect the values of variables:

    bash print variable_name

Effective Application Troubleshooting

By understanding and using these tools, you can effectively diagnose and resolve application-related issues in a Linux environment:

  • strace provides a detailed view of system calls, helping you understand what an application is doing at a low level and where it might be encountering problems.
  • Application Logs are essential for tracking the behavior of applications, identifying errors, and understanding the context in which issues occur.
  • gdb offers powerful debugging capabilities, allowing you to dive deep into an application’s execution, inspect its state, and identify the root cause of complex issues.
$ try it — a real Linux shell, running in your browser

Boots a Buildroot Linux kernel client-side with v86, a 32-bit x86 emulator compiled to WebAssembly. Nothing you type leaves this tab. First boot fetches a ~10 MB kernel; it then runs offline.