Final Call ... XenServer Boot Media

DustinB3403

@BRRABill said in Final Call ... XenServer Boot Media:

Wasn't the XS logging. I pointed it at my Splunk install and it immediately worked.

So something in Graylog broke.

I wonder what...

BRRABill

Still nothing being written.

(At least in /var/log)

So, it actually worked!

Tue Sep  6 12:40:35 EDT 2016
[root@xenserver-test-reinstall log]# ls -l -t
total 113832
-rw-r--r-- 1 root root 38273316 Sep  6 11:25 lastlog
-rw-rw-r-- 1 root utmp    43776 Sep  6 11:25 wtmp
-rw------- 1 root utmp      768 Sep  6 11:21 btmp
drwxr-xr-x 2 root root     4096 Sep  6 11:20 blktap
-rw-r--r-- 1 root root      792 Sep  6 11:16 ovs-xapi-sync.log
-rw-r--r-- 1 root root     2628 Sep  6 11:15 ovs-ctl.log
-rw-r--r-- 1 root root     1784 Sep  6 11:14 restoreeswitchcfg.log
-rw-r--r-- 1 root root      348 Sep  6 11:14 interface-rename.log
-rw-r--r-- 1 root root      128 Sep  6 11:14 xenstored.log
-rw-r--r-- 1 root root    11212 Sep  6 11:14 boot.log

BRRABill

Is there an easy way in Linux to see what files have been written to today?

stacksofplates

@BRRABill said in Final Call ... XenServer Boot Media:

Is there an easy way in Linux to see what files have been written to today?

You could do a find at the root level

find / -path /proc -prune -o -type f -mtime -1

That searches for all files modified in less than a day excluding the /proc directory.

BRRABill

@stacksofplates said in Final Call ... XenServer Boot Media:

find / -path /proc -prune -o -type f -mtime -1

Holy cow that listed a LOT of files.

JaredBusch

@BRRABill said in Final Call ... XenServer Boot Media:

@stacksofplates said in Final Call ... XenServer Boot Media:

find / -path /proc -prune -o -type f -mtime -1

Holy cow that listed a LOT of files.

You rebooted this morning. That would be pretty normal.

BRRABill

@JaredBusch said

You rebooted this morning. That would be pretty normal.

Yeah that's what I was thinking (hoping?) ...

I'll run it again tomorrow and see...

BRRABill

@stacksofplates said in Final Call ... XenServer Boot Media:

@BRRABill said in Final Call ... XenServer Boot Media:

Is there an easy way in Linux to see what files have been written to today?

You could do a find at the root level

find / -path /proc -prune -o -type f -mtime -1

That searches for all files modified in less than a day excluding the /proc directory.

Another quick Linux question...

How does one create a file out of that? It went too far for my Putty window to handle.

JaredBusch

@BRRABill said in Final Call ... XenServer Boot Media:

@stacksofplates said in Final Call ... XenServer Boot Media:

@BRRABill said in Final Call ... XenServer Boot Media:

Is there an easy way in Linux to see what files have been written to today?

You could do a find at the root level

find / -path /proc -prune -o -type f -mtime -1

That searches for all files modified in less than a day excluding the /proc directory.

Another quick Linux question...

How does one create a file out of that? It went too far for my Putty window to handle.

pipe it to a file >> files.txt

DustinB3403

@BRRABill

It should be as simple as

 find / -path /proc -prune -o -type f -mtime -1 > output.txt

BRRABill

Ah, ML peeps always around to help me navigate Linux!

JaredBusch

@BRRABill said in Final Call ... XenServer Boot Media:

Ah, ML peeps always around to help me navigate Linux!

http://askubuntu.com/a/731237

BRRABill

@JaredBusch said in Final Call ... XenServer Boot Media:

@BRRABill said in Final Call ... XenServer Boot Media:

Ah, ML peeps always around to help me navigate Linux!

http://askubuntu.com/a/731237

Ah, ML peeps always around to help me navigate Linux even further!

BRRABill

@BRRABill said in Final Call ... XenServer Boot Media:

@DustinB3403 said in Final Call ... XenServer Boot Media:

@BRRABill said in Final Call ... XenServer Boot Media:

What log server are you using to collect the logs?

What changes did you make to the config file for the logs?

I was using Graylog, which was working before. However now it is NOT working.

Trying to reinstall GrayLog.

I figured out why Graylog wasn't "working".

It installs with a timezone of straight UTC. I set my timezone to America/New_York and rebooted. And VOILA! It is now working again.

BRRABill

Still good!

-rw-r--r-- 1 root root 38273316 Sep  6 11:25 lastlog
-rw-rw-r-- 1 root utmp    43776 Sep  6 11:25 wtmp
-rw------- 1 root utmp      768 Sep  6 11:21 btmp
drwxr-xr-x 2 root root     4096 Sep  6 11:20 blktap
-rw-r--r-- 1 root root      792 Sep  6 11:16 ovs-xapi-sync.log
-rw-r--r-- 1 root root     2628 Sep  6 11:15 ovs-ctl.log
-rw-r--r-- 1 root root     1784 Sep  6 11:14 restoreeswitchcfg.log
-rw-r--r-- 1 root root      348 Sep  6 11:14 interface-rename.log
-rw-r--r-- 1 root root      128 Sep  6 11:14 xenstored.log
-rw-r--r-- 1 root root    11212 Sep  6 11:14 boot.log

scottalanmiller

@BRRABill said in Final Call ... XenServer Boot Media:

@scottalanmiller said in Final Call ... XenServer Boot Media:

@BRRABill said in Final Call ... XenServer Boot Media:

@DustinB3403 said in Final Call ... XenServer Boot Media:

I would still assume based on what you've presented that you need to comment out the local storage folders on both XS6.5 and XS7 to disable logging locally.

The . (at the very end) what purpose does that server?

No idea.

And I wonder if we really NEED those logs.

It's just to disable defaults. It's meaningless given the remote command that you've added. Feel free to comment it out or delete it as you have overridden it already.

So, you don't think there are also things that might not get sent to the remote syslog server? I guess we could test that as well.

Didn't say that.

scottalanmiller

@BRRABill said in Final Call ... XenServer Boot Media:

@Dashrender said in Final Call ... XenServer Boot Media:

awesome.. where are you sending the logs? to an ELK or Greylog server?

Graylog.

However, my Graylog server that was working two weeks ago is now longer no longer working.

So, trying to remedy that.

DId you use the appliance?

Dashrender

@BRRABill said in Final Call ... XenServer Boot Media:

@BRRABill said in Final Call ... XenServer Boot Media:

@DustinB3403 said in Final Call ... XenServer Boot Media:

@BRRABill said in Final Call ... XenServer Boot Media:

What log server are you using to collect the logs?

What changes did you make to the config file for the logs?

I was using Graylog, which was working before. However now it is NOT working.

Trying to reinstall GrayLog.

I figured out why Graylog wasn't "working".

It installs with a timezone of straight UTC. I set my timezone to America/New_York and rebooted. And VOILA! It is now working again.

what about it wasn't working? your time based searches were off? or because the time zones didn't match, it didn't work?

BRRABill

@Dashrender said in Final Call ... XenServer Boot Media:

@BRRABill said in Final Call ... XenServer Boot Media:

@BRRABill said in Final Call ... XenServer Boot Media:

@DustinB3403 said in Final Call ... XenServer Boot Media:

@BRRABill said in Final Call ... XenServer Boot Media:

What log server are you using to collect the logs?

What changes did you make to the config file for the logs?

I was using Graylog, which was working before. However now it is NOT working.

Trying to reinstall GrayLog.

I figured out why Graylog wasn't "working".

It installs with a timezone of straight UTC. I set my timezone to America/New_York and rebooted. And VOILA! It is now working again.

what about it wasn't working? your time based searches were off? or because the time zones didn't match, it didn't work?

I was searching for traffic from, say, the past 30 minutes, and nothing was showing up.

BRRABill

@scottalanmiller said in Final Call ... XenServer Boot Media:

@BRRABill said in Final Call ... XenServer Boot Media:

@scottalanmiller said in Final Call ... XenServer Boot Media:

@BRRABill said in Final Call ... XenServer Boot Media:

@DustinB3403 said in Final Call ... XenServer Boot Media:

I would still assume based on what you've presented that you need to comment out the local storage folders on both XS6.5 and XS7 to disable logging locally.

The . (at the very end) what purpose does that server?

No idea.

And I wonder if we really NEED those logs.

It's just to disable defaults. It's meaningless given the remote command that you've added. Feel free to comment it out or delete it as you have overridden it already.

So, you don't think there are also things that might not get sent to the remote syslog server? I guess we could test that as well.

Didn't say that.

Do you think any of those things are needed/useful?

I mean, again, the ML recommendation is to use USB. If it's the wrong recommendation or we have no idea what it is doing, perhaps it should be amended.