CIS120 Linux Fundamentals by Scott Shaper

Log Permissions & Troubleshooting

In a class environment (or on hardened systems), you may not be allowed to read every file under /var/log. That’s normal. The goal is to learn a workflow that still works when some logs are blocked.

When /var/log is blocked, use journal text snapshots

If you cannot read a restricted log file (you may see Permission denied), you can still practice the troubleshooting flow using the provided simulated journal snapshots in ~/playground/chapter9. This is also where sed shines: extract only the important lines.

Practical Examples

# Start in the practice folder
cd ~/playground/chapter9

# Pull out error lines (simulates a "show only errors" view)
sed -n '/ERROR/p' journal_after.txt

# Pull out the specific storage-related message
sed -n '/no space left on device/p' journal_after.txt

# Optional: extract from the pre-built errors file
sed -n '/ERROR/p' journal_after_errors.txt

1) Try a Restricted Log File (expect failure)

Practical Examples

# This may work; if access is denied, 2>/dev/null hides the "Permission denied" error and the fallback message prints instead
less /var/log/secure 2>/dev/null || echo "Can't read /var/log/secure"

# You can also check the file's permissions, owner, and group
ls -l /var/log/secure 2>/dev/null

2) Use journalctl as a Fallback

If a file under /var/log is blocked, switch to journalctl and filter by service/time.

Practical Examples

# Current boot only (often works for non-admin users)
journalctl -b --since "1 hour ago" --no-pager

# Service-specific (replace sshd with your service/unit)
journalctl -u sshd --since "today" --no-pager

# Only errors for that service
journalctl -u sshd -p err..alert --since "today" --no-pager
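
Steps 1 and 2, plus the snapshot fallback from the start of this page, combined into one script. This is an added example, not part of the course materials: the function names, the JOURNALCTL and PATTERN variables, and the sample lines are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pick a log source in the order the page describes:
# restricted file first, then journalctl, then the text snapshot.
JOURNALCTL=${JOURNALCTL:-journalctl}   # hypothetical override hook (for testing)
PATTERN=${PATTERN:-ERROR}              # same pattern as the sed examples; no "/" allowed

# pick_log_source LOGFILE UNIT SNAPSHOT -> prints file | journal | snapshot | none
pick_log_source() {
    if [ -r "$1" ]; then
        echo file
    elif command -v "$JOURNALCTL" >/dev/null 2>&1 &&
         "$JOURNALCTL" -u "$2" -n 1 --no-pager >/dev/null 2>&1; then
        # Probe: ask for one line; a non-zero exit means no journal access
        echo journal
    elif [ -r "$3" ]; then
        echo snapshot
    else
        echo none
        return 1
    fi
}

# show_errors LOGFILE UNIT SNAPSHOT -> error lines from the first usable source
show_errors() {
    src=$(pick_log_source "$1" "$2" "$3") || {
        echo "No readable log source for $2" >&2
        return 1
    }
    echo "source: $src" >&2   # report the choice on stderr, keep stdout clean
    case $src in
        file)     sed -n "/$PATTERN/p" "$1" ;;
        journal)  "$JOURNALCTL" -u "$2" -p err..alert --since today --no-pager ;;
        snapshot) sed -n "/$PATTERN/p" "$3" ;;
    esac
}

# make_sample_snapshot FILE -> writes constructed journal lines (not real logs)
make_sample_snapshot() {
    cat > "$1" <<'EOF'
Jan 10 09:00:01 host app[101]: INFO service started
Jan 10 09:05:12 host app[101]: ERROR write failed: no space left on device
Jan 10 09:05:13 host app[101]: INFO retrying
EOF
}

# Typical call:
#   show_errors /var/log/secure sshd ~/playground/chapter9/journal_after.txt
```

The chosen source is written to stderr, so the error lines on stdout can still be piped into other tools.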

3) Troubleshooting Flow (small and repeatable)

What you might see (examples of messages)