Transcript Syslog
Syslogd
Tracking system events
Log servers
• Applications are constantly encountering
events which should be recorded
–
–
–
–
users attempt to login with bad passwords
servers can’t properly start
disk runs out of space
and others
• Many system servers are written to post
messages to a log server for later analysis
Issues of managing a log server
•
•
•
•
•
What messages are stored
How long to store them
Where should they be stored for access
How are the logs backed up / recycled
Should the server function for a network or
a machine
Syslog
• Primarily handles system messages
• Classifies messages according
– to the source
– to the severity
• Stores in files according to a configuration file
• Usually stores in /var/log
• Can redirect messages to
– another machine
– a device like a console
Source subsystems
•
•
•
•
•
•
•
•
auth authpriv,
cron,
daemon,
kern,
lpr,
mail,
mark,
news,
• security (same as
auth),
• syslog,
• user,
• uucp and
• local0 through
local7.
Message priorities
•
•
•
•
•
•
•
•
•
panic (same as emerg),
emerg,
alert,
crit,
err, error (same as err),
warning, warn (same as warning),
notice,
info,
debug
higher
lower
Example scenario
User enters
bad password
syslog.conf
Authentication
server
auth.notice
syslogd
/var/log/messages
# from /etc/syslog.conf
...
auth.info
/var/log/messages
syslog.conf
auth.notice
mail.warn
syslogd
/var/log/mail.warn
/var/log/messages
network
Other scenarios
remote server
syslog.conf format
format
facility.priority
destination
logs this level and higher priority
format
facility.=priority
destination
logs ONLY this level
format
facility.!priority
destination
logs NOT this level and higher priority (but all below)
format
facility.!=priority
destination
logs NOT this level but ALL OTHER LEVELS
syslog.conf example
# Kernel messages are first, stored in the kernel
# file, critical messages and higher ones also go
# to another host and to the console
#
kern.*
/var/adm/kernel
kern.crit
@finlandia
kern.crit
/dev/console
kern.info;kern.!err /var/adm/kernel-info
(info thru warning)
EXAMPLE LOG FILE info -> auth.log
Feb 10 17:24:58 testserver sshd[5616]: Could not reverse map address 192.168.2.2.
Feb 10 17:24:59 testserver sshd[5616]: Accepted password for dgame from 192.168.2.2 port 1186 ssh2
Feb 10 17:25:00 testserver sshd(pam_unix)[5618]: session opened for user dgame by (uid=501)
Feb 10 17:25:05 testserver su(pam_unix)[5655]: session opened for user root by dgame(uid=501)