Log analysis

Narasing Jaya Bharath Reddy — Thu, 15 Sep 2022 05:44:08 +0000

Write down top 10 events in Windows and identify their event ID

ANS:
app error --- 1000
app hang---1002
bsod ---1001
wer--1001
emet -- 1or 2
account lockouts ---4740
security enables group modification ---4735
successful user account login ---4624
failed user account logout ---4625
user added to privileged group ---4728/4732/4756

Write down top 10 events in Linux and identify their pattern and log linux

2019-05-14 15:53:16.109 EDT [609] LOG: received fast shutdown request
2019-05-14 15:53:16.131 EDT [609] LOG: aborting any active transactions
2019-05-14 15:53:16.143 EDT [609] LOG: background worker "logical replication launcher" (PID 754) exited with exit code 1
2019-05-14 15:53:16.147 EDT [748] LOG: shutting down
2019-05-14 15:53:16.215 EDT [609] LOG: database system is shut down

Identify the log file in linux which log service start|stop|enable|disable

cpupower.service disabled

crond.service enabled
Stopped foo.service
Started foo.service

Identify the log file in linux which log process running or killed.

pkill sleep //var/log/messages from there we can see the killed process
ps -ef

Identify the log file of apache and find out list of VERB and count of each using linux command

Apache access log (success - code 200):¶
192.168.2.20 - - [28/Jul/2006:10:27:10 -0300] "GET /cgi-bin/try/ HTTP/1.0" 200 3395
127.0.0.1 - - [28/Jul/2006:10:22:04 -0300] "GET / HTTP/1.0" 200 2216
Apache access log (failure - code 4xx):¶
127.0.0.1 - - [28/Jul/2006:10:27:32 -0300] "GET /hidden/ HTTP/1.0" 404 7218
Apache unnacepted request methods (caused by TortoiseSVN):¶
x.x.x.90 - - [13/Sep/2006:07:01:53 -0700] "PROPFIND /svn/[xxxx]/Extranet/branches/SOW-101 HTTP/1.1" 401 587
x.x.x.90 - - [13/Sep/2006:07:01:51 -0700] "PROPFIND /svn/[xxxx]/[xxxx]/trunk HTTP/1.1" 401 587
x.x.x.90 - - [13/Sep/2006:07:00:53 -0700] "PROPFIND /svn/[xxxx]/[xxxx]/2.5 HTTP/1.1" 401 587
x.x.x.90 - - [13/Sep/2006:07:00:53 -0700] "PROPFIND /svn/[xxxx]/Extranet/branches/SOW-101 HTTP/1.1" 401 587
x.x.x.90 - - [13/Sep/2006:07:00:21 -0700] "PROPFIND /svn/[xxxx]/[xxxx]/trunk HTTP/1.1" 401 587
x.x.x.90 - - [13/Sep/2006:06:59:53 -0700] "PROPFIND /svn/[xxxx]/[xxxx]/2.5 HTTP/1.1" 401 587
x.x.x.90 - - [13/Sep/2006:06:59:50 -0700] "PROPFIND /svn/[xxxx]/[xxxx]/trunk HTTP/1.1" 401 587
x.x.x.90 - - [13/Sep/2006:06:58:52 -0700] "PROPFIND /svn/[xxxx]/[xxxx]/trunk HTTP/1.1" 401 587
x.x.x.90 - - [13/Sep/2006:06:58:52 -0700] "PROPFIND /svn/[xxxx]/Extranet/branches/SOW-101 HTTP/1.1" 401 587
Apache error log:¶
[Fri Dec 16 01:46:23 2005] [error] [client 1.2.3.4] Directory index forbidden by rule: /home/test/
[Fri Dec 16 01:54:34 2005] [error] [client 1.2.3.4] Directory index forbidden by rule: /apache/web-data/test2
[Fri Dec 16 02:25:55 2005] [error] [client 1.2.3.4] Client sent malformed Host header
[Mon Dec 19 23:02:01 2005] [error] [client 1.2.3.4] user test: authentication failure for "/~dcid/test1": Password Mismatch
Apache error log (startup) 3 examples:¶
** Normal (v2.x)
[Sat Aug 12 04:05:51 2006] [notice] Apache/1.3.11 (Unix) mod_perl/1.21 configured -- resuming normal operations
[Thu Jun 22 14:20:55 2006] [notice] Digest: generating secret for digest authentication ...
[Thu Jun 22 14:20:55 2006] [notice] Digest: done
[Thu Jun 22 14:20:55 2006] [notice] Apache/2.0.46 (Red Hat) DAV/2 configured -- resuming normal operations

** Restart by HUP signal (optional suEXEC)
[Sat Aug 12 04:05:49 2006] [notice] SIGHUP received. Attempting to restart
[Sat Aug 12 04:05:51 2006] [notice] suEXEC mechanism enabled (wrapper: /usr/local/apache/sbin/suexec)

** after 'unclean' shutdown (left over PID file)
[Sat Jun 24 09:06:22 2006] [warn] pid file /opt/CA/BrightStorARCserve/httpd/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
[Sat Jun 24 09:06:23 2006] [notice] Apache/2.0.46 (Red Hat) DAV/2 configured -- resuming normal operations
[Sat Jun 24 09:06:22 2006] [notice] Digest: generating secret for digest authentication ...

Understanding Datadog Agent

Narasing Jaya Bharath Reddy — Tue, 13 Sep 2022 10:04:05 +0000

What is Datadog agent? The Datadog Agent is software that runs on your hosts. It collects events and metrics from hosts and sends them to Datadog, where you can analyze your monitoring and performance data. The Datadog Agent is open source and its source code is available on GitHub at DataDog/datadog-agent. It collects the information like disk, cpu, memory,uptime.

2.Type of Datadog Agent?
Agent check
DogStatsD
Datadog’s HTTP API

Ports used to in Datadog agent?
PORT DESCRIPTION
5000 Exposes runtime metrics about the Agent.
5001 Used by the Agent CLI and GUI to send commands and pull information from the running Agent.
5002 Serves the GUI server on Windows and OSX.
8125 Used for the DogStatsD server to receive external metrics.
Top 5 commands with simple explanation troubleshooting Datadog agent?
startsrc datadog-agent
systemctl restart httpd

systemctl status apache2
datadog-agent configcheck

Locate how to enable Logs monitoring in datadog.yaml To enable log collection, set logs_enabled to true in your datadog.yaml file.
5 techniques for troubleshooting Datadog?
IF you are unable to change the .txt file to ppk format go to folder change the permissions, click on Veiwoptions, select change folder and search option. A new window will be opened and there select View tab then uncheck the Hide extensions for know file types.

If you are unable to open the yaml file from the folder , right click the folder select properties and click on security the click on advance button then click on continue give the full premission to the users.
Verify API token (datadog.yaml)
Datadog Agent is running or not under services
check if logs enabled under config file

Debug School: Narasing Jaya Bharath Reddy

Log analysis

Understanding Datadog Agent