RHCSA (033): Season 2 - Scenario 8: Regex Log Archiving

Episode 033 Executive Summary

In this Regex Log Archiving RHCSA lab scenario, I start performing the lab after a 6-minute introduction by the podcast hosts. You will get the most out of this lab if you listen to the entire show and then practice the lab several times, either along with me or by yourself. We focus on extracting critical system data securely.

Candidates often struggle with combining search tools and archiving utilities under strict file permission constraints. This scenario simulates an audit request where you must filter specific error logs and package them securely for the compliance team.

The core challenge requires leveraging extended regular expressions to isolate authentication failures, redirecting the output correctly, and creating a compressed tarball that preserves original metadata. We will verify the archive contents to ensure the exact requested files are present without extraneous data.

Keywords: rhcsa, rhel 10, regex, tar, system audit, logging

EPISODE 033: Regex Log Archiving
* Season: 2 | Difficulty: High
* Objectives: Primary 1.3, 1.6; Secondary 9.1
* Lab Focus: grep, tar, user management
* URL: https://djere.com/rhcsa-033-season-2-scenario-8-regex-log-archiving.html

***

### 1. SCENARIO BRIEF (THE PROBLEM)
The security compliance team needs a compressed archive of all authentication failures from a custom application log. You must parse the log using regular expressions, save the filtered output, archive it, and ensure it is owned by the newly created audit-admin user.

***

### 2. TASK ANALYSIS (THE "WHY")
* 1.3 (Grep/Regex): Required to accurately isolate specific error patterns from a dense log file without capturing false positives.
* 1.6 (Archive/Tar): Necessary to bundle the extracted data into a portable, compressed format for the compliance team.
* 9.1 (Create Users): Ensures proper access control by assigning the final archive to a dedicated functional account.

***

### 3. SOLUTION STEPS

#### Step 1: Environment Setup (Root Only)
# We use the rpm command to query if tar is installed, and if not, we use dnf with the -y flag to automatically assume yes and install it.
if ! rpm -q tar; then dnf install -y tar; fi

# We use the useradd command to create the audit-admin account that will own the final archive. Without -r this is a regular user account, not a system account, so it receives a home directory and a UID from the normal user range.
useradd audit-admin

# We use the echo command with the -e flag to enable interpretation of backslash escapes, creating a mock log file with sample entries.
echo -e "Jan 12 10:00:01 app-server login: authentication failure\nJan 12 10:05:00 app-server system: normal operation\nJan 12 10:15:23 app-server sshd: Failed password for root\nJan 12 10:20:00 app-server db: connection successful" > /tmp/mock-app.log

#### Step 2: Core Implementation (Execute as root)
# We use grep with the -E flag for extended regular expressions to match lines containing either "failure" or "Failed", redirecting standard output to a new text file. Without -E the | is a literal character in a basic regex, so the pattern would match nothing here. On a real log this alternation also catches unrelated lines that merely contain "Failed", so tighten it to the exact phrases (for example "authentication failure" and "Failed password") when precision matters.
grep -E "failure|Failed" /tmp/mock-app.log > /tmp/auth-errors.txt

# We use tar with the -c (create), -z (gzip compression), -v (verbose output), and -f (specify filename) flags to create the compressed archive of our text file.
tar -czvf /opt/audit-evidence.tar.gz /tmp/auth-errors.txt

# We use the chown command to change the user and group ownership of the archive to the audit-admin user, satisfying the compliance requirement. Note that tar created the file under root's umask (normally mode 0644, world-readable), so ownership alone does not restrict who can read the evidence; tighten the mode as well if the brief requires it.
chown audit-admin:audit-admin /opt/audit-evidence.tar.gz

# Technical Breakdown: Extended regular expressions let one grep invocation test several alternatives, so a single pass over the log isolates every pattern of interest. The tar command bundles the file while gzip reduces its size; -v simply echoes each member name as it is added.
# Pro-Tip: When given an absolute path, GNU tar strips the leading slash from the stored member name (it prints "Removing leading `/' from member names") so that extracting the archive cannot overwrite files at their original absolute location. Be aware of this behavior on the exam.

#### Step 3: Verification (The "Proof of Work")
# We use tar with the -t (list contents) and -f (specify filename) flags to verify the file was archived without actually extracting it.
tar -tf /opt/audit-evidence.tar.gz
* EXPECTED: tmp/auth-errors.txt

***

### 4. COMPREHENSIVE CLEANUP (ZERO-TRACE)
# We use the rm command with the -f flag to forcefully remove the log file, the text file, and the archive, returning the system to its original state.
rm -f /tmp/mock-app.log /tmp/auth-errors.txt /opt/audit-evidence.tar.gz

# We use the userdel command with the -r flag to remove the audit-admin account together with its home directory and mail spool; a plain userdel would leave /home/audit-admin behind, which is not zero-trace.
userdel -r audit-admin
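The whole lab as one self-checking script, added here as an example and not part of the episode's own commands. It runs in a scratch directory created with mktemp so it needs neither root nor /opt; the fifth log line (a disk error that also contains "Failed"), the tightened regular expression, the -C form of tar and the stat/cmp checks are assumptions of the example, not something the lab specifies. The chown step only runs when the script is root and audit-admin exists.

```shell
#!/bin/sh
# Added example, not the page's own lab commands: the filter / archive / verify
# steps as functions that run in a scratch directory, so no root and no system
# paths are needed. Sample log lines, the tightened regex and the archive name
# are constructed for this example.
set -eu

setup() {
    WORK="$(mktemp -d)"
    LOG="$WORK/mock-app.log"
    FILTERED="$WORK/auth-errors.txt"
    ARCHIVE="$WORK/audit-evidence.tar.gz"
}

cleanup() {
    rm -rf "$WORK"
}

# Constructed log: the lab's four lines plus one that contains "Failed" but
# is a disk error, not an authentication failure.
write_mock_log() {
    cat > "$LOG" <<'EOF'
Jan 12 10:00:01 app-server login: authentication failure
Jan 12 10:05:00 app-server system: normal operation
Jan 12 10:15:23 app-server sshd: Failed password for root
Jan 12 10:20:00 app-server db: connection successful
Jan 12 10:25:00 app-server backup: Failed to open /var/backups (disk full)
EOF
}

# The lab's loose alternation: counts every line containing either word.
count_loose() {
    grep -Ec 'failure|Failed' "$LOG"
}

# Tightened ERE (assumed log layout "<process>[<pid>]: <message>"): require an
# auth-related process and the exact phrase, so the disk-full line is excluded.
# Prints the number of lines written to the evidence file.
filter_auth_failures() {
    grep -E '(login|sshd)(\[[0-9]+\])?: (authentication failure|Failed password)' \
        "$LOG" > "$FILTERED"
    wc -l < "$FILTERED" | tr -d ' '
}

# -C enters the directory first, so the member is stored as "auth-errors.txt"
# with no directory prefix. tar creates the file under the current umask
# (usually 0644), so the mode is tightened; ownership is only changed when the
# script is root and the audit account exists.
make_archive() {
    tar -czf "$ARCHIVE" -C "$WORK" auth-errors.txt
    if [ "$(id -u)" -eq 0 ] && id audit-admin >/dev/null 2>&1; then
        chown audit-admin:audit-admin "$ARCHIVE"
    fi
    chmod 0640 "$ARCHIVE"
}

# The same file archived by absolute path: GNU tar strips the leading "/"
# (the warning "Removing leading `/' from member names" goes to stderr), which
# is the behaviour the lab's Pro-Tip describes.
member_from_absolute_path() {
    tar -czf "$WORK/abs.tar.gz" "$FILTERED" 2>/dev/null
    tar -tzf "$WORK/abs.tar.gz"
}

archive_member() { tar -tzf "$ARCHIVE"; }
archive_mode()   { stat -c '%a' "$ARCHIVE"; }   # GNU/busybox stat syntax

# Proof of work without extracting to disk: gzip integrity, exactly the one
# expected member, and member bytes identical to the filtered file.
verify_archive() {
    gzip -t "$ARCHIVE" || return 1
    [ "$(tar -tzf "$ARCHIVE")" = "auth-errors.txt" ] || return 1
    tar -xzOf "$ARCHIVE" auth-errors.txt | cmp -s - "$FILTERED"
}

main() {
    setup
    write_mock_log
    echo "loose pattern:     $(count_loose) lines (includes the disk-full line)"
    echo "tightened pattern: $(filter_auth_failures) lines kept as evidence"
    make_archive
    verify_archive && echo "verified member $(archive_member), mode $(archive_mode)"
    echo "absolute-path member stored as: $(member_from_absolute_path)"
    cleanup
}

main "$@"
```

Run it with sh. The loose pattern counts three lines while the tightened one keeps two, the verification compares the archived bytes against the filtered file instead of trusting the member name alone, and the absolute-path archive shows the member stored without its leading slash.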
