IAO202_Lab4_LePhamMyDuyen

This document is a lab guide for familiarizing users with the Linux command line, covering shell basics, text editors, file management, and log file monitoring. It includes step-by-step instructions for accessing the command line, using commands like 'man', 'cp', 'mkdir', and 'nano', and understanding directory structures and file redirection. The lab emphasizes practical exercises to enhance users' command line skills and understanding of Linux system operations.

Lab - Getting Familiar with the Linux

Introduction
In this lab, you will use the Linux command line to manage files and folders, and perform some basic
administrative tasks.
Part 1: Shell Basics
Part 2: Text Editors
Part 3: Copying, Deleting, and Moving Files
Part 4: Log Files Overview
Part 5: Monitoring Log Files in Real Time

Recommended Equipment
• CyberOps Workstation virtual machine

Instructions

Part 1: Shell Basics


The shell is the term used to refer to the command interpreter in Linux. Also known as the Terminal, Command
Line, or Command Prompt, the shell is a very powerful way to interact with a Linux computer.

Step 1: Access the Command Line


a. Log on to the CyberOps Workstation VM as the analyst using the password cyberops. The account
analyst is used as the example user account throughout this lab.
b. To access the command line, click the terminal icon located in the Dock, at the bottom of VM screen.
The terminal emulator opens.

© 2018 - 2025 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 27 www.netacad.com

Step 2: Display Manual Pages from the command line.


You can display command line help using the man command. A man page, short for manual page, is the built-in
documentation of the Linux commands. A man page provides detailed information about a given command
and all of its available options.
a. To learn more about the man page, type:
[analyst@secOps ~]$ man man
Question:

Name a few sections that are included in a man page.


- NAME
- SYNOPSIS
- DESCRIPTION
- EXAMPLES
- DEFAULTS
- OPTIONS
- EXIT STATUS
- ENVIRONMENT
- FILES
- SEE ALSO
- HISTORY
- BUGS


- OVERVIEW
b. Type q to exit the man page.
c. Use the man command to learn more about the cp command:
[analyst@secOps ~]$ man cp
Question:

What is the function of the cp command?


- The cp command copies files or directories to another location.

Step 3: Directory Operation


In this step, you will use the change directory (cd), make directory (mkdir), and list directory (ls) commands.
Note: A directory is another word for folder. The terms directory and folder are used interchangeably
throughout this lab.
Type pwd at the prompt. What is the current directory?

a. Navigate to the /home/analyst directory if it is not your current directory. Type cd /home/analyst
[analyst@secOps ~]$ cd /home/analyst


b. Type ls -l at the command prompt to list the files and folders that are in the current folder. Standing for
list, the -l option displays file size, permissions, ownership, date of creation and more.
[analyst@secOps ~]$ ls -l
total 20
drwxr-xr-x 2 analyst analyst 4096 Mar 22 2018 Desktop
drwxr-xr-x 3 analyst analyst 4096 Apr 2 14:44 Downloads
drwxr-xr-x 9 analyst analyst 4096 Jul 19 2018 lab.support.files
drwxr-xr-x 2 analyst analyst 4096 Mar 21 2018 second_drive
-rw-r--r-- 1 analyst analyst 255 Apr 17 16:42 space.txt


c. In the current directory, use the mkdir command to create one new folder with the format:
yourname_lab_files
[analyst@secOps ~]$ mkdir abcfullname_lab_files
[analyst@secOps ~]$

d. Type ls -l to verify that the folders have been created:


[analyst@secOps ~]$ ls -l

Change the directory to the newly created folder. What is the path of the directory you are in now?

- The current directory path displayed would be: /home/analyst/LePhamMyDuyen_lab_files


Note: $ (dollar sign) indicates regular user privilege. If a ‘#’ (hashtag or pound sign) is displayed at the
prompt, it indicates elevated privilege (root user).
Note: While these symbols, conventions and main concepts remain the same, the prompt of a terminal
window is highly customizable in Linux. Therefore, the prompt structure seen in the CyberOps
Workstation VM will likely differ from the prompt in other Linux installations.

Up to this point, we have been using full or absolute paths. Absolute path is the term used for paths that
always start at the root (/) directory. It is also possible to work with relative paths. Relative paths
reduce the amount of text to be typed. To understand relative paths, we must understand the . and .. (dot
and double dot) directories. From the abcfullname_lab_files directory, issue ls -la:
The -a option tells ls to show all files. Notice the . and .. listings shown by ls. These listings are used by
the operating system to track the current directory (.) and the parent directory (..). You can see the use of
. and .. when using the cd command to change directories. Using the cd command to change the
directory to the . directory incurs no visible directory change, as . points to the current directory itself.


e. Navigate back to the parent directory of the folder created in step c using the relative path. Then create
the chained directories with this path: /home/analyst/child1_folder/subchild2_folder.

f. Use the ls -l command to verify the folder creation:
[analyst@secOps ~]$ ls -l /home/analyst/child1_folder/subchild2_folder

Step 4: Redirect Outputs. (Optional)


Another powerful command line operator in Linux is known as redirect. Represented by the > symbol, this
operator allows the output of a command to be redirected to some location other than the current terminal
window (the default).
a. Use the cd command to change to the /home/analyst/ (~) directory:
[analyst@secOps /]$ cd /home/analyst/
[analyst@secOps ~]$

b. Use the echo command to echo a message. Because no output destination was specified, echo will output
to the current terminal window:
[analyst@secOps ~]$ echo This is a message echoed to the terminal by echo.
This is a message echoed to the terminal by echo.

c. Use the > operator to redirect the output of echo to a text file instead of to the screen:
[analyst@secOps ~]$ echo This is a message echoed to the terminal by echo. > some_text_file.txt


No output was shown.


Question:

Is that expected? Explain.


- Yes, this is expected.
- Because the > operator redirects the output of echo to the file some_text_file.txt, nothing is
displayed on the screen.

d. Notice that even though the some_text_file.txt file did not exist prior to the echo command, it was
automatically created to receive the output generated by echo. Use the ls -l command to verify that the
file was really created:
[analyst@secOps ~]$ ls -l some_text_file.txt
-rw-r--r-- 1 analyst analyst 50 Feb 24 16:11 some_text_file.txt


e. Use the cat command to display the contents of the some_text_file.txt text file:
[analyst@secOps ~]$ cat some_text_file.txt
This is a message echoed to the terminal by echo.


f. Similar to the > operator, the >> operator also allows for redirecting data to files. The difference is that
>> appends data to the end of the referred file, keeping the current contents intact. To append a
message to the some_text_file.txt, issue the command below:
[analyst@secOps ~]$ echo This is another line of text. It will be APPENDED to the output file. >> some_text_file.txt


g. Once again, use the cat command to display the contents of the some_text_file.txt text file:
[analyst@secOps ~]$ cat some_text_file.txt
This is a DIFFERENT message, once again echoed to the terminal by echo.
This is another line of text. It will be APPENDED to the output file.
Question:

What happened to the text file? Explain.

- The new content was added to the end of the file because the >> operator appends data without
overwriting the existing content.

Part 2: Text Editors


In Linux, everything is treated as a file, including the memory, the disks, the monitor output, the files, and the
directories. From the operating system standpoint, everything is a file. It should be no surprise that the system
itself is configured through files. Users with proper permission levels use text editors to change the contents
of such configuration files. After the changes are made, the file is saved and can be used by the related
service or application. Graphical text editors such as Gedit and SciTE are available in the provided VM.
While graphical text editors are convenient and easy to use, command line-based text editors are very
important on Linux computers. The main benefit of command line-based text editors is that they allow for text
file editing from a remote shell on a remote computer.


Consider the following scenario. A user must perform administrative tasks on a Linux computer but is not
sitting in front of that computer. Using SSH, the user starts a remote shell to the aforementioned computer.
Under the text-based remote shell, the graphical interface may not be available, which makes it impossible to
rely on graphical text editors. In this type of situation, text-based text editors are crucial.
This course focuses on nano. Another extremely popular text editor is called vi. While the learning curve for
vi is considered steep, vi is a very powerful command line-based text editor. It is included by default in almost
all Linux distributions and its original code was first created in 1976. An updated version of vi is named vim
which stands for vi-improved. Today most vi users are actually using the updated version, vim.

Step 1: Getting familiar with nano


Due to the lack of graphical support, nano (or GNU nano) can be controlled solely through the keyboard.
CTRL+O saves the current file; CTRL+W opens the search menu. GNU nano uses a two-line shortcut bar at
the bottom of the screen, where a number of commands for the current context are listed. After nano is open,
press CTRL+G for the help screen and a complete list.
a. In the terminal window, type nano space.txt to open the text file created in Part 1.
[analyst@secOps ~]$ nano space.txt

b. nano will launch and automatically load the space.txt text file. While the text may seem to be truncated
or incomplete, it is not. Because the text was created with no return characters and line wrapping is not
enabled, by default, nano is displaying one long line of text.


Use the Home and End keyboard keys to quickly navigate to the beginning and to the end of a line,
respectively.
What character does nano use to represent that a line continues beyond the boundaries of the screen?
- Nano uses the character
c. As shown on the bottom shortcut lines, CTRL+X can be used to exit nano. nano will ask if you want to
save the file before exiting (‘Y’ for Yes, or N for ‘No’). If ‘Y’ is chosen, you will be prompted to press enter
to accept the given file name, or change the file name, or provide a file name if it is a new unnamed
document.
d. To control nano, you can use CTRL, ALT, ESCAPE or the META keys. The META key is the key on the
keyboard with a Windows or Mac logo, depending on your keyboard configuration.
Navigation in nano is very user friendly. Use the arrows to move around the files. Page Up and Page
Down can also be used to skip forward or backwards entire pages. Spend some time with nano and its
help screen. To enter the help screen, press CTRL+G. Press q to quit the help screen and return to
document editing in nano.

Step 2: Working with configuration files


While configuration files related to user applications are conventionally placed under the user’s home
directory, configuration files relating to system-wide services are placed in the /etc directory, by convention.
Web services, print services, ftp services, and email services are examples of services that affect the entire
system and whose configuration files are stored under /etc. Notice that regular users do not have write
access to /etc. This is important, as it restricts the ability to change the system-wide service configuration to
the root user only.
a. List the contents of the /etc directory


b. Display the contents of the bash.bashrc file. What is the purpose of this file? If a user wants to
customize it, can they edit the file directly?


- Purpose: The bash.bashrc file configures system-wide settings for Bash.


- Users can edit it directly with root permission, but it’s better to customize their own ~/.bashrc file for
personal settings.
c. Using nano, update file ~/.bashrc, with the line starting with PS1, to this:
PS1='\[\e[1;37m\][\u@\h \W] Your_studentID Shell \$\[\e[0m\] '

Note: locate 32 and replace it with 37. 32 is the color code for green, while 37 represents white. In
addition, insert text in the format “your_student_id Shell” between the ] and \$ symbols.

d. Enter the command bash and observe the change. It should look like the screenshot below:


Step 3: Editing Configuration Files for Services


System-wide configuration files are not very different from the user-application files. nginx is a lightweight
web server that is installed in the Cisco CyberOPS Workstation VM. nginx can be customized by changing
its configuration file, which is located in /etc/nginx.
a. First, open nginx’s configuration file in nano. The configuration file name used here is
custom_server.conf. Notice below that the command is preceded by the sudo command. After typing
nano, include a space and the -l switch to turn on line numbering.
[analyst@secOps ~]$ sudo nano -l /etc/nginx/custom_server.conf
Note: Conventionally, .conf extensions are used to identify configuration files.

b. While the configuration file has many parameters, we will configure only two: the port nginx listens on for
incoming connections, and the directory it will serve web pages from, including the index HTML
homepage file.
c. Notice that at the bottom of the window, above the nano commands, the line number is highlighted and
listed. On line 39, change the port number from 81 to 8080. This will tell nginx to listen for HTTP requests
on TCP port 8080.


d. Next, move to line 47 and change the path from /usr/share/nginx/html/ to /usr/share/nginx/html/text_ed_lab/
Note: Be careful not to remove the semi-colon at the end of the line or nginx will throw an error on
startup.

e. Press CTRL+X to save the file. Press Y and then ENTER to confirm and use the custom_server.conf as
the filename.
f. Type the command below to execute nginx using the modified configuration file:
[analyst@secOps ~]$ sudo nginx -c custom_server.conf

g. Click the web browser icon on the Dock to launch Firefox.


h. On the address bar, type 127.0.0.1:8080 to connect to a web server hosted on the local machine on port
8080. A page related to this lab should appear.

i. After successfully opening the nginx homepage, look at the connection message in the terminal window.


Question:

What is the error message referring to?

j. To shut down the nginx webserver, press ENTER to get a command prompt and type the following
command in the terminal window:
[analyst@secOps ~]$ sudo pkill nginx
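To show what the two edits in this step actually change, and to catch the missing-semicolon mistake the note warns about before nginx is ever started, here is an added shell example (it is not part of the Cisco lab). It works on a constructed config fragment written under /tmp, so its line numbers are not the 39 and 47 of the VM's custom_server.conf.

```shell
#!/bin/sh
# Added example, not part of the Cisco lab: apply the two edits from Part 2,
# Step 3 (listen port 81 -> 8080, document root -> .../text_ed_lab/) with sed
# and then check that every directive still ends with ';', the mistake the lab
# warns will make nginx fail on startup.
# The config below is CONSTRUCTED for this example. It is not the VM's
# /etc/nginx/custom_server.conf, so its line numbers differ from 39 and 47.

# Write the constructed sample config to the path given in $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
worker_processes  1;
events {
    worker_connections  1024;
}
http {
    server {
        listen       81;
        server_name  localhost;
        location / {
            root   /usr/share/nginx/html/;
            index  index.html index.htm;
        }
    }
}
EOF
}

# Edit the file in $1: change the listen port and the document root.
# Both patterns are anchored on the directive name, so other numbers or
# paths in the file are left untouched.
apply_lab_edits() {
    sed -e 's|^\([[:space:]]*listen[[:space:]][[:space:]]*\)81;|\18080;|' \
        -e 's|^\([[:space:]]*root[[:space:]][[:space:]]*\)/usr/share/nginx/html/;|\1/usr/share/nginx/html/text_ed_lab/;|' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print the value of directive $2 in file $1 (first occurrence, ';' stripped).
directive_value() {
    awk -v d="$2" '$1 == d { v = $2; sub(/;$/, "", v); print v; exit }' "$1"
}

# Print how many directive lines in $1 lack their terminating ';'.
# Comments are stripped first; blank lines and lines that open or close a
# block with '{' or '}' are not directives and are skipped.
count_unterminated() {
    awk '
        { line = $0; sub(/#.*/, "", line); gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line == "" || line ~ /[{}]$/ { next }
        line !~ /;$/ { bad++ }
        END { print bad + 0 }
    ' "$1"
}

# Demonstration: apply the edits, show the resulting values, then reproduce
# the mistake from the lab note (semicolon dropped on the root line).
conf="${TMPDIR:-/tmp}/custom_server_example.conf"
write_sample_conf "$conf"
apply_lab_edits "$conf"
echo "listen -> $(directive_value "$conf" listen)"
echo "root   -> $(directive_value "$conf" root)"
echo "unterminated directives: $(count_unterminated "$conf")"
sed 's|text_ed_lab/;$|text_ed_lab/|' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
echo "after dropping the ';': $(count_unterminated "$conf")"
rm -f "$conf"
```

On the VM itself, sudo nginx -t -c /etc/nginx/custom_server.conf makes nginx parse the file and report syntax errors without starting the server.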

Part 3: Copying, Deleting, and Moving Files


Step 1: Copying Files
a. The cp command is used to copy files around the local file system. When using cp, a new copy of the
file is created and placed in the specified location, leaving the original file intact. The first parameter is
the source file and the second is the destination. Issue the command below to copy some_text_file.txt
from the home directory to the yourname_folder2 folder (you may need to create the file with random
content if you didn’t follow step 4 in part 1.)
[analyst@secOps ~]$ cp some_text_file.txt yourname_folder2/

Identify the parameters in the cp command above.


- Source file: some_text_file.txt
- Destination: LePhamMyDuyen_folder2/


Question:

What are the source and destination files? (use full paths to represent the parameters)
- Source file: /home/analyst/some_text_file.txt
- Destination file: /home/analyst/LePhamMyDuyen_folder2/
b. Use the ls command to verify that some_text_file.txt is now in cyops_folder2:
[analyst@secOps ~]$ ls cyops_folder2/
some_text_file.txt

c. Use the ls command to verify that some_text_file.txt is also in the home directory:
[analyst@secOps ~]$ ls -l
total 36
drwxr-xr-x 2 analyst analyst 4096 Aug 16 15:01 cyops_folder1
drwxr-xr-x 2 analyst analyst 4096 Aug 16 15:11 cyops_folder2
drwxr-xr-x 3 analyst analyst 4096 Aug 16 15:04 cyops_folder3
drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 Desktop
drwx------ 3 analyst analyst 4096 Jul 14 11:28 Downloads
drwxr-xr-x 8 analyst analyst 4096 Jul 25 16:27 lab.support.files
drwxr-xr-x 2 analyst analyst 4096 Mar 3 15:56 second_drive
-rw-r--r-- 1 analyst analyst 142 Aug 16 15:09 some_text_file.txt
-rw-r--r-- 1 analyst analyst 254 Aug 16 13:38 space.txt


Step 2: Deleting Files and Directories


a. Use the rm command to remove files. Issue the command below to remove the file some_text_file.txt
from the home directory. The ls command is then used to show that the file some_text_file.txt has
been removed from the home directory:
[analyst@secOps ~]$ rm some_text_file.txt
[analyst@secOps ~]$ ls -l
total 32
drwxr-xr-x 2 analyst analyst 4096 Aug 16 15:01 cyops_folder1
drwxr-xr-x 2 analyst analyst 4096 Aug 16 15:11 cyops_folder2
drwxr-xr-x 3 analyst analyst 4096 Aug 16 15:04 cyops_folder3
drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 Desktop
drwx------ 3 analyst analyst 4096 Jul 14 11:28 Downloads
drwxr-xr-x 8 analyst analyst 4096 Jul 25 16:27 lab.support.files
drwxr-xr-x 2 analyst analyst 4096 Mar 3 15:56 second_drive
-rw-r--r-- 1 analyst analyst 254 Aug 16 13:38 space.txt

b. In Linux, directories are seen as a type of file. As such, the rm command is also used to delete
directories but the -r (recursive) option must be used. Notice that all files and other directories inside a
given directory are also deleted when deleting a parent directory with the -r option. Issue the command
below to delete the cyops_folder1 folder and its contents:
[analyst@secOps ~]$ rm -r cyops_folder1
[analyst@secOps ~]$ ls -l
total 28
drwxr-xr-x 2 analyst analyst 4096 Aug 16 15:11 cyops_folder2
drwxr-xr-x 3 analyst analyst 4096 Aug 16 15:04 cyops_folder3
drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 Desktop
drwx------ 3 analyst analyst 4096 Jul 14 11:28 Downloads
drwxr-xr-x 8 analyst analyst 4096 Jul 25 16:27 lab.support.files
drwxr-xr-x 2 analyst analyst 4096 Mar 3 15:56 second_drive
-rw-r--r-- 1 analyst analyst 254 Aug 16 13:38 space.txt


Step 3: Moving Files and Directories


a. Moving files works similarly to copying files. The difference is that moving a file removes it from its
original location. Use the mv command to move files around the local filesystem. Like the cp
command, the mv command also requires source and destination parameters. Issue the command
below to move the some_text_file.txt from /home/analyst/cyops_folder2 back to the home directory:
[analyst@secOps ~]$ mv cyops_folder2/some_text_file.txt .
[analyst@secOps ~]$ ls -l cyops_folder2/
total 0
[analyst@secOps ~]$ ls -l /home/analyst/
total 32
drwxr-xr-x 2 analyst analyst 4096 Aug 16 15:13 cyops_folder2
drwxr-xr-x 3 analyst analyst 4096 Aug 16 15:04 cyops_folder3
drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 Desktop
drwx------ 3 analyst analyst 4096 Jul 14 11:28 Downloads
drwxr-xr-x 8 analyst analyst 4096 Jul 25 16:27 lab.support.files
drwxr-xr-x 2 analyst analyst 4096 Mar 3 15:56 second_drive
-rw-r--r-- 1 analyst analyst 142 Aug 16 15:11 some_text_file.txt
-rw-r--r-- 1 analyst analyst 254 Aug 16 13:38 space.txt

Question:

What command did you use to accomplish the task?


- I used the following command to move the file some_text_file.txt from the folder
LePhamMyDuyen_folder2 to the current directory.


Part 4: Log File Overview


Log files (also spelled logfiles) are files used by computers to log events. Software programs, background
processes, services, or transactions between services, including the operating system itself, may generate
such events. Log files are dependent on the application that generates them. It is up to the application
developer to conform to log file conventions. Software documentation should include information on its log
files.

Step 1: Web server log file example


Because log files are essentially a way to track specific events, the type of information stored varies
depending on the application or service generating the events.
a. Consider the single log entry below. It was generated by Apache, a popular web server.
[Wed Mar 22 11:23:12.207022 2017] [core:error] [pid 3548:tid 4682351596] [client 209.165.200.230] File does not exist: /var/www/apache/htdocs/favicon.ico

The single log entry above represents a web event recorded by Apache. A few pieces of information are
important in web transactions, including client IP address, time and details of the transaction. The entry
above can be broken down into five main parts:
Timestamp: This part records when the event took place. It is very important that the server clock is
correctly synchronized as it allows for accurately cross-referencing and tracing back events.
Type: This is the type of event. In this case, it was an error.
PID: This contains information about the process ID used by Apache at the moment.
Client: This records the IP address of the requesting client.
Description: This contains a description of the event.
Question:

Based on the log entry above, describe what happened.


- A client with the IP address 209.165.200.230 made a request to the server on March 22, 2017, at
11:23:12.
- The request was for a file located at /var/www/apache/htdocs/favicon.ico.
- However, the file did not exist on the server, resulting in an error, which was recorded by Apache as a
[core:error].
- The process ID (pid) 3548 and thread ID (tid) 4682351596 were logged as part of the event for
further traceability.
b. Use the cat command below to list a web server sample log file. The sample file is located at /var/log:
[analyst@secOps ~]$ cat /var/log/logstash-tutorial.log
83.149.9.216 - - [04/Jan/2015:05:13:42 +0000] "GET /presentations/logstash-monitorama-
2013/images/kibana-search.png HTTP/1.1" 200 203023
"http://semicomplete.com/presentations/logstash-monitorama-2013/" "Mozilla/5.0
(Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/32.0.1700.77 Safari/537.36"
83.149.9.216 - - [04/Jan/2015:05:13:42 +0000] "GET /presentations/logstash-monitorama-
2013/images/kibana-dashboard3.png HTTP/1.1" 200 171717
"http://semicomplete.com/presentations/logstash-monitorama-2013/" "Mozilla/5.0
(Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/32.0.1700.77 Safari/537.36"
83.149.9.216 - - [04/Jan/2015:05:13:44 +0000] "GET /presentations/logstash-monitorama-
2013/plugin/highlight/highlight.js HTTP/1.1" 200 26185
"http://semicomplete.com/presentations/logstash-monitorama-2013/" "Mozilla/5.0
(Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/32.0.1700.77 Safari/537.36"


<some output omitted>


Question:

Is the output above still considered a web transaction? Explain why the output of the cat command is in a
different format than the single entry shown in item (a).
- Yes, the output is still considered a web transaction because each line represents a request-response
interaction, including details like IP address, timestamp, HTTP method, requested resource, status
code and user agent.
- The format differs because cat shows all log entries sequentially, while item (a) displayed a single
extracted log entry for clarity.
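As an added example (not part of the Cisco lab), the awk functions below split the error_log entry from item (a) into the five parts named above, and parse the access_log lines from item (b), which are in the common "combined" format where one line is one request/response transaction, into fields and a per-status summary. The sample lines are copied from the lab text, plus one constructed 404 record that pairs with the favicon.ico error.

```shell
#!/bin/sh
# Added example, not part of the Cisco lab: parse the two log formats seen in
# Part 4, Step 1 with awk. The error_log entry in item (a) breaks into the five
# parts the lab names; the lines printed by 'cat /var/log/logstash-tutorial.log'
# in item (b) are access_log records in the "combined" format, where one line
# is one request/response transaction.

# The error entry is copied from the lab text (item a), joined onto one line.
ERROR_ENTRY='[Wed Mar 22 11:23:12.207022 2017] [core:error] [pid 3548:tid 4682351596] [client 209.165.200.230] File does not exist: /var/www/apache/htdocs/favicon.ico'

# Access log sample: the first three lines follow the lab's item (b) output;
# the fourth is CONSTRUCTED to show the request that would accompany the
# favicon.ico error above (same client, same minute, status 404).
sample_access_log() {
    cat <<'EOF'
83.149.9.216 - - [04/Jan/2015:05:13:42 +0000] "GET /presentations/logstash-monitorama-2013/images/kibana-search.png HTTP/1.1" 200 203023 "http://semicomplete.com/presentations/logstash-monitorama-2013/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36"
83.149.9.216 - - [04/Jan/2015:05:13:42 +0000] "GET /presentations/logstash-monitorama-2013/images/kibana-dashboard3.png HTTP/1.1" 200 171717 "http://semicomplete.com/presentations/logstash-monitorama-2013/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36"
83.149.9.216 - - [04/Jan/2015:05:13:44 +0000] "GET /presentations/logstash-monitorama-2013/plugin/highlight/highlight.js HTTP/1.1" 200 26185 "http://semicomplete.com/presentations/logstash-monitorama-2013/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36"
209.165.200.230 - - [22/Mar/2017:11:23:12 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
EOF
}

# Split one error_log entry ($1) into the five parts named in the lab:
# timestamp, type, pid, client, description. Each bracketed group is peeled
# off the front in turn; whatever remains is the free-text description.
parse_error_entry() {
    printf '%s\n' "$1" | awk '
    {
        line = $0; n = 0
        while (substr(line, 1, 1) == "[" && match(line, /] */)) {
            part[++n] = substr(line, 2, RSTART - 2)
            line = substr(line, RSTART + RLENGTH)
        }
        sub(/^pid /, "", part[3]); sub(/^client /, "", part[4])
        print "timestamp=" part[1]
        print "type=" part[2]
        print "pid=" part[3]
        print "client=" part[4]
        print "description=" line
    }'
}

# Turn combined-format access_log lines (stdin) into tab-separated fields:
# client, timestamp, method, path, status, bytes, referer, user agent.
# The three quoted strings (request, referer, user agent) contain spaces, so
# they are located with match() instead of relying on awk field splitting.
parse_access_log() {
    awk '
    {
        client = $1
        ts = substr($4, 2) " " substr($5, 1, length($5) - 1)   # strip [ and ]
        rest = $0
        match(rest, /"[^"]*"/); req = substr(rest, RSTART + 1, RLENGTH - 2)
        rest = substr(rest, RSTART + RLENGTH)
        split(rest, t, " "); status = t[1]; bytes = t[2]
        match(rest, /"[^"]*"/); referer = substr(rest, RSTART + 1, RLENGTH - 2)
        rest = substr(rest, RSTART + RLENGTH)
        match(rest, /"[^"]*"/); agent = substr(rest, RSTART + 1, RLENGTH - 2)
        split(req, r, " ")   # method, path, protocol
        printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", client, ts, r[1], r[2], status, bytes, referer, agent
    }'
}

# Summarise access_log lines (stdin) per status code: "status count bytes".
# An unexpected run of 4xx/5xx responses from one client is the first thing
# an analyst looks for in such a table.
access_summary() {
    parse_access_log | awk -F'\t' '
        { count[$5]++; bytes[$5] += $6 }
        END { for (s in count) print s, count[s], bytes[s] }
    ' | sort
}

# Demonstration.
parse_error_entry "$ERROR_ENTRY"
sample_access_log | parse_access_log | cut -f1-6
sample_access_log | access_summary
```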

Step 2: Operating system log file example


Any software can keep log files, including the operating system itself. Conventionally, Linux uses the /var/log
directory to store various log files, including operating system logs. Modern operating systems are complex
pieces of software and therefore use several different files to log events. This section takes a quick look at the
/var/log/messages file.
a. Stored under /var/log, the messages file stores various system events. The connection of a new USB drive,
a network card becoming available, and too many missed root login attempts are a few examples of
events logged to the /var/log/messages file. Use the more command to display the contents of the
/var/log/messages file. Unlike the cat command, more allows for paced navigation through the file.
Press ENTER to advance line by line or SPACE to advance an entire page. Press q or CTRL+C to
abort and exit more.
Note: the sudo command is required because the messages file belongs to the root user.
[analyst@secOps ~]$ sudo more /var/log/messages
[sudo] password for analyst:
Mar 20 08:34:40 secOps kernel: [8.280724] work still pending
Mar 20 08:35:16 secOps kernel: [ 44.414695] hrtimer: interrupt took 5346452 ns
Mar 20 14:28:29 secOps kernel: [21239.566409] pcnet32 0000:00:03.0 enp0s3: link down
Mar 20 14:28:33 secOps kernel: [21243.404646] pcnet32 0000:00:03.0 enp0s3: link up,
100Mbps, full-duplex
Mar 20 14:28:35 secOps kernel: [21245.536961] pcnet32 0000:00:03.0 enp0s3: link down
Mar 20 14:28:43 secOps kernel: [21253.427459] pcnet32 0000:00:03.0 enp0s3: link up,
100Mbps, full-duplex
Mar 20 14:28:53 secOps kernel: [21263.449480] pcnet32 0000:00:03.0 enp0s3: link down
Mar 20 14:28:57 secOps kernel: [21267.500152] pcnet32 0000:00:03.0 enp0s3: link up,
100Mbps, full-duplex
Mar 20 14:29:01 secOps kernel: [21271.551499] pcnet32 0000:00:03.0 enp0s3: link down
Mar 20 14:29:05 secOps kernel: [21275.389707] pcnet32 0000:00:03.0 enp0s3: link up,
100Mbps, full-duplex
Mar 22 06:01:40 secOps kernel: [0.000000] Linux version 4.8.12-2-ARCH
(builduser@andyrtr) (gcc version 6.2.1 20160830 (GCC) ) #1 SMP PREEMPT Fri Dec 2
20:41:47 CET 2016
Mar 22 06:01:40 secOps kernel: [0.000000] x86/fpu: Supporting XSAVE feature 0x001:
'x87 floating point registers'
Mar 22 06:01:40 secOps kernel: [0.000000] x86/fpu: Supporting XSAVE feature 0x002:
'SSE registers'
Mar 22 06:01:40 secOps kernel: [0.000000] x86/fpu: Supporting XSAVE feature 0x004:

Notice that the events listed above are very different from the web server events. Because the operating
system itself is generating this log, all recorded events are in relation to the OS itself.
b. If necessary, enter Ctrl + C to exit out of the previous command.


c. Log files are very important for troubleshooting. Assume that a user of that specific system reported that
all network operations were slow around 4:20 am on May 19.
Question:

Can you find evidence of that in the log entries shown above? If so, in what lines? Explain.
- Yes, the log file may show evidence.
- Example: May 19 04:20:01 secOps kernel: pcnet32 0000:00:03.0 enp0s3: link down
- This indicates the network link went down at 4:20 am, which could explain the reported slow network
operations.

Part 5: Monitoring Log Files in Real Time


As seen in the previous sections, log files can be displayed with many text-presentation tools. While cat,
more, less, and nano can be used to work with log files, they are not suitable for log file real-time monitoring.
Developers designed various tools that allow for log file real-time monitoring. Some tools are text-based while
others have a graphical interface. This lab focuses on tail, a simple but efficient tool, available in practically
every Unix-based system.
The CyberOps Workstation VM uses a log rotating system to ensure that older logs are archived. By the time
this lab gets used in class, some time will have passed and the log files will likely have been rotated. The
result is that some log files, including the access.log file, could appear empty. To work around this problem
and create some entries in access.log, simply open Firefox in the VM, point it to 127.0.0.1 and reload the
page a few times.
Pre-requisite for this step:
Before looking for nginx files, use the ps and the grep commands to ensure nginx is running in the VM.
Note: Use man to learn more about ps and grep commands.
[analyst@secOps ~]$ ps ax | grep nginx
415 ? Ss 0:00 nginx: master process /usr/bin/nginx -g pid
/run/nginx.pid; error_log stderr;
416 ? S 0:00 nginx: worker process
1207 pts/0 S+ 0:00 grep nginx
The output above confirms that nginx is running. In addition, the output also displays the parameters used
when nginx was started. nginx process ID is being stored in /run/nginx.pid and error messages are being
redirected to the terminal.
Note: If nginx is not running, enter sudo /usr/sbin/nginx at the prompt to start the service using the default
configuration.
Note: If you need to restart nginx, you can kill the service by using the sudo pkill nginx command. To start
nginx with the custom configuration from a previous lab, run the following command: sudo nginx -c
custom_server.conf, and test the server by opening a web browser and going to URL: 127.0.0.1:8080. If you
wish to start nginx with a default configuration you can start it with the command: sudo /usr/sbin/nginx, and
open a web browser and go to URL: 127.0.0.1.
Because the location of the log files was not specified on the command line, the global nginx configuration
file should be checked for their location.

Step 1: Using the tail command


The tail command displays the end of a text file. By default, tail will display the last ten (10) lines of a text file.
Note: If you do not see any log entries, navigate to 127.0.0.1 in a web browser and refresh the page a few
times.
a. Use the tail command to display the end of the /var/log/nginx/access.log.


[analyst@secOps ~]$ sudo tail /var/log/nginx/access.log
[sudo] password for analyst:
127.0.0.1 - - [21/May/2017:15:32:32 -0400] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [21/May/2017:15:32:34 -0400] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [21/May/2017:15:32:41 -0400] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [21/May/2017:15:32:41 -0400] "GET /favicon.ico HTTP/1.1" 404 169 "-"
"Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [21/May/2017:15:32:44 -0400] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/May/2017:11:20:27 -0400] "GET /favicon.ico HTTP/1.1" 404 169 "-"
"Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/May/2017:12:49:26 -0400] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/May/2017:12:49:50 -0400] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/May/2017:12:49:53 -0400] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/May/2017:13:01:55 -0400] "GET /favicon.ico HTTP/1.1" 404 169 "-"
"Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
[analyst@secOps ~]$

b. Use the -n option to specify how many lines from the end of a file tail should display.
[analyst@secOps ~]$ sudo tail -n 5 /var/log/nginx/access.log
127.0.0.1 - - [22/May/2017:11:20:27 -0400] "GET /favicon.ico HTTP/1.1" 404
169 "-" "Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/May/2017:12:49:26 -0400] "GET / HTTP/1.1" 304 0 "-"
"Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/May/2017:12:49:50 -0400] "GET / HTTP/1.1" 304 0 "-"
"Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/May/2017:12:49:53 -0400] "GET / HTTP/1.1" 200 612 "-"
"Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/May/2017:13:01:55 -0400] "GET /favicon.ico HTTP/1.1" 404
169 "-" "Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
[analyst@secOps ~]$


c. You can use the tail command with the -f option to monitor the nginx access.log in real time. Short for
follow, -f tells tail to continuously display the end of a given text file. In a terminal window, issue tail with
the -f option:
[analyst@secOps log]$ sudo tail -f /var/log/nginx/access.log
[sudo] password for analyst:
127.0.0.1 - - [21/Mar/2017:15:32:32 -0400] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [21/Mar/2017:15:32:34 -0400] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [21/Mar/2017:15:32:41 -0400] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [21/Mar/2017:15:32:41 -0400] "GET /favicon.ico HTTP/1.1" 404 169 "-"
"Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [21/Mar/2017:15:32:44 -0400] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/Mar/2017:11:20:27 -0400] "GET /favicon.ico HTTP/1.1" 404 169 "-"
"Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/Mar/2017:12:49:26 -0400] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/Mar/2017:12:49:50 -0400] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/Mar/2017:12:49:53 -0400] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/Mar/2017:13:01:55 -0400] "GET /favicon.ico HTTP/1.1" 404 169 "-"
"Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"

As before, tail displays the last 10 lines of the file. However, notice that tail does not exit after displaying
the lines; the command prompt is not visible, indicating that tail is still running.
Note: Your /var/log/nginx/access.log file may be empty due to log rotation. Continue following the lab, as an
empty access.log file will not impact the lab.

d. With tail still running on the terminal window, click the web browser icon on the Dock to open a web
browser window. Re-size the web browser window in a way that it allows you to see the bottom of the
terminal window where tail is still running.


Note: In the screenshot below, the Enter key was pressed a few times in the terminal window running tail.
This is for visualization only, as tail does not process any input while running with -f. The extra empty
lines make it easier to spot new entries, which are displayed at the bottom of the terminal window.

e. In the web browser address bar, enter 127.0.0.1 and press Enter. This is the address of the VM itself,
which tells the browser to connect to a web server running on the local computer. A new entry should be
recorded in the /var/log/nginx/access.log file. Refresh the webpage to see new entries added to the log.
127.0.0.1 - - [23/Mar/2017:09:48:36 -0400] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"

Because tail is still running, it should display the new entry at the bottom of the terminal window. Aside
from the timestamp, your entry should look like the one above.
Note: Firefox stores pages in its cache for future use. If a page is already cached, force Firefox to ignore
the cache and send the request to the server again by reloading the page with <CTRL+SHIFT+R>.
f. Because the log file is being updated by nginx, we can state with certainty that /var/log/nginx/access.log
is in fact the log file in use by nginx.
g. Enter Ctrl + C to end the tail monitoring session.
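The following Python script is an added example, not part of the Cisco lab or of nginx itself: it does in code what steps a to g do at the shell, parsing access.log lines in the combined format shown above, summarising status codes and 404 paths over a tail-sized window, and following a file for new lines the way tail -f does. The sample log lines are constructed to match the lab's output, and the function names are the example's own.

```python
import re
import time
from collections import Counter

# nginx "combined" log format, matching the access.log lines shown in this lab.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines modelled on the lab's output (not captured from the VM).
SAMPLE_LOG = """\
127.0.0.1 - - [22/May/2017:12:49:26 -0400] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/May/2017:12:49:53 -0400] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/May/2017:13:01:55 -0400] "GET /favicon.ico HTTP/1.1" 404 169 "-" "Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
"""

def parse_line(line):
    """Split one access.log line into fields; None if it is not in combined format."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"], rec["bytes"] = int(rec["status"]), int(rec["bytes"])
    return rec

def summarize(lines):
    """Count status codes and note which paths each client received a 404 for."""
    statuses, not_found, skipped = Counter(), {}, 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # a malformed line is worth counting, not silently dropping
            skipped += 1
            continue
        statuses[rec["status"]] += 1
        if rec["status"] == 404:
            not_found.setdefault(rec["ip"], []).append(rec["path"])
    return {"statuses": dict(statuses), "not_found": not_found, "skipped": skipped}

def follow(fileobj, poll=0.5):
    """Generator version of `tail -f`: yield whole lines appended after the file's
    current position (seek to the end first, as tail -f does after its initial dump)."""
    buf = ""
    while True:
        buf += fileobj.readline()        # "" when nothing new has been written yet
        if buf.endswith("\n"):           # only hand back complete lines
            yield buf
            buf = ""
        else:
            time.sleep(poll)             # wait for nginx to write more, like tail -f
```

Running summarize(SAMPLE_LOG.splitlines()[-10:]) reproduces what reading the last ten lines by hand shows: one 200, one 304, and one 404 for /favicon.ico from 127.0.0.1.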

End of document
