18.3 Logging States


In this section, we'll summarize the above examples and other logs into a somewhat coherent picture of what you might expect to see in a logfile. This summary is based in part on Tina Bird's post to her log-analysis mailing list (see the "References" section) and the discussion that followed, to which one of this book's authors contributed.

Some of the events that computers can be set to log are as follows:

  • System or software startup, shutdown, restart, and abnormal termination (crash)

  • Various thresholds being exceeded or reaching dangerous levels, such as disk space full, memory exhausted, or processor load too high

  • Hardware health messages that the system can troubleshoot or at least detect and log

  • User access to the system, such as remote (telnet, SSH, etc.) and local logins, and network access (FTP, for example) initiated to and from the system, both failed and successful

  • User access privilege changes, such as the su command, both failed and successful

  • User credential and access right changes, such as account updates, creation, and deletion, both failed and successful

  • System configuration changes and software updates, both failed and successful

  • Access to system logs for modification, deletion, and maybe even reading

This intimidating list of events is what might end up in the system logs as available for analysis. Your daunting task is to attempt to answer the question "What happened?" using all of these potentially complex records.
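To make the list above concrete, here is an added example (not code from Security Warrior) that sorts raw syslog lines into the event categories just listed and flags the failed ones, which are usually the first thing an analyst wants out of "What happened?". The log lines are constructed for the example in common Linux formats (kernel, sshd, su, sudo, shadow-utils, dpkg, auditd); the audit key var-log-watch is an assumption, standing in for an auditd watch such as -w /var/log -p wa -k var-log-watch that records modification of the logs themselves.

```python
import re
from collections import Counter

# Rules map raw syslog lines to the event categories listed in this section.
# Each entry is (category, outcome, pattern). The patterns are illustrative,
# written for common Linux message formats; first match wins, so the more
# specific rules sit above the general ones.
RULES = [
    ("lifecycle", "ok", re.compile(r"kernel: Linux version |systemd\[1\]: (Shutting down|Startup finished)|shutdown\[\d+\]")),
    ("threshold", "fail", re.compile(r"Out of memory|No space left on device|load average")),
    ("hardware", "fail", re.compile(r"Unrecovered read error|I/O error|Hardware Error")),
    # Privilege changes go before generic access rules so a failed su is not
    # mistaken for a failed login.
    ("privilege", "fail", re.compile(r"FAILED SU|sudo: +\S+ : command not allowed|sudo: .*incorrect password attempt|pam_unix\(su(do)?:auth\): authentication failure")),
    ("privilege", "ok", re.compile(r"su\[\d+\]: \(to \w+\)|sudo: +\S+ : TTY=")),
    ("user_access", "ok", re.compile(r"sshd\[\d+\]: Accepted |login\[\d+\]: .*LOGIN ON|vsftpd.*OK LOGIN")),
    ("user_access", "fail", re.compile(r"sshd\[\d+\]: (Failed|Invalid user)|pam_unix\(sshd:auth\): authentication failure|login\[\d+\]: FAILED LOGIN|vsftpd.*FAIL LOGIN")),
    ("account", "ok", re.compile(r"useradd\[\d+\]: new user|userdel\[\d+\]: delete user|usermod\[\d+\]: |passwd\[\d+\]: password changed|groupadd\[\d+\]: new group")),
    ("account", "fail", re.compile(r"useradd\[\d+\]: failed|passwd\[\d+\]: .*(failed|failure)")),
    ("config", "ok", re.compile(r"dpkg: (status installed|remove)|yum\[\d+\]: (Installed|Erased)")),
    # Assumed auditd watch on the log directory: -w /var/log -p wa -k var-log-watch
    ("log_access", "fail", re.compile(r'success=no .*key="var-log-watch"')),
    ("log_access", "ok", re.compile(r'key="var-log-watch"')),
]

# Constructed sample log: one or two lines per category, plus a cron line
# that no rule covers, to show the "unmatched" bucket.
SAMPLE_LOG = """\
Mar  3 08:12:01 host kernel: Linux version 5.15.0-91-generic (buildd@lcy02-amd64-001) (gcc 11.4.0)
Mar  3 08:15:22 host sshd[1203]: Accepted publickey for alice from 10.0.0.5 port 52214 ssh2: ED25519 SHA256:abc
Mar  3 08:16:05 host sshd[1210]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar  3 08:20:11 host su[1300]: (to root) alice on pts/0
Mar  3 08:21:40 host su[1305]: FAILED SU (to root) bob on pts/1
Mar  3 08:30:00 host useradd[1400]: new user: name=svc_backup, UID=1002, GID=1002, home=/home/svc_backup, shell=/bin/bash
Mar  3 08:31:10 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get install nmap
Mar  3 08:31:55 host sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 08:40:00 host kernel: sd 0:0:0:0: [sda] Unrecovered read error - auto reallocate failed
Mar  3 08:41:00 host kernel: Out of memory: Killed process 2201 (java) total-vm:4194304kB
Mar  3 08:42:00 host dpkg: status installed nmap:amd64 7.80+dfsg1-2build1
Mar  3 08:50:00 host audispd: type=SYSCALL msg=audit(1709455800.123:4411): arch=c000003e syscall=87 success=yes exit=0 comm="rm" exe="/usr/bin/rm" key="var-log-watch"
Mar  3 08:55:00 host systemd[1]: Shutting down.
Mar  3 08:57:00 host cron[1600]: (root) CMD (run-parts /etc/cron.hourly)
"""


def classify(line):
    """Return (category, outcome) for one syslog line, or None if no rule matches."""
    for category, outcome, pattern in RULES:
        if pattern.search(line):
            return category, outcome
    return None


def summarize(log_text):
    """Count (category, outcome) pairs; also return lines no rule covered,
    since an unexplained line is a gap in coverage, not noise to discard."""
    counts = Counter()
    unmatched = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        result = classify(line)
        if result is None:
            unmatched.append(line)
        else:
            counts[result] += 1
    return counts, unmatched


def failures(log_text):
    """Return the lines whose outcome is 'fail': the first place to look."""
    return [line for line in log_text.splitlines()
            if line.strip() and classify(line) is not None and classify(line)[1] == "fail"]


if __name__ == "__main__":
    counts, unmatched = summarize(SAMPLE_LOG)
    for (category, outcome), n in sorted(counts.items()):
        print(f"{category:12s} {outcome:5s} {n}")
    print("failures to investigate:")
    for line in failures(SAMPLE_LOG):
        print("  " + line)
    print("unmatched lines:", len(unmatched))
```

The point of keeping an "unmatched" bucket is that a real log-analysis run is only as good as its rule coverage: every line the rules do not explain is either a category you have not written a rule for yet or something genuinely new, and either way it should be reviewed rather than silently dropped.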



Security Warrior
ISBN: 0596005458
Year: 2004
Pages: 211
