Part I: Introduction


Syslog and Log Files
 From log files you can find important information:
 • History
 • Errors and warnings
 Logging policies (what to do with a log file at periodic intervals):
 • Reset (truncate) it
 • Rotate it
 • Compress and archive it
 • Throw it away
Syslog and log files
1-1
Syslog and Log Files
 Where are the log files?
 • Random log names scattered across directories and filesystems
 • Two common places:
 – /var/adm
 – /var/log
 To locate a log file:
 • Read the man page for the individual daemon
 • Read the system startup scripts
 • Check syslog's configuration file, /etc/syslog.conf
Logs (see p. 208 for more; the letter codes in the Where, Freq and Owner columns follow the table on that page)

File          Program   Where  Freq  Owner  Contents
messages      various   S      M     R      Often the main system log file
syslog        various   S      M     R      Often the main system log file
shutdownlog   shutdown  S      M     R      Reasons for shutdown
sulog         su        H      M     R      Authorizations (su attempts)
wtmp/wtmpx    login     H      M     R      Connect-time accounting
httpd/*_log   httpd     F      W     R      Web server logs
acct          kernel    C      D     R      SysV process accounting (binary)
Syslog
 Is a comprehensive logging system
 Manages the information generated by
 • the kernel
 • the system utilities
 Has two important functions:
 • Liberates programmers from managing their own log files
 • Puts administrators in control of logging
 Very flexible:
 • Sorts messages by source (facility) and importance (level)
 • Routes each message to
 – a log file
 – users' terminals
 – remote machines
 • Thus logging for a whole network can be centralized on one host
Example (three hosts)

Colossus
 • kern.notice: ufs quota messages
 • auth.err: sshd "potential probe of service"
 • Look in /var/log/messages and /etc/syslog.conf
 • Where is the httpd log file? Where is the print log file?

Wopr.csl.mtu.edu
 • /var/adm/sulog
 • /var/log/syslog
 • /var/log/authlog
 • /var/log/dmesg
 • /var/adm/messages
 • /etc/syslog.conf
 • Lots of sshd messages

Dafinn.cs.mtu.edu
 • /etc/init.d/httpd and /etc/httpd/conf
 – ServerRoot
 – ErrorLog
 – Symbolic links
 • /etc/init.d/cups
 – /etc/cups/cupsd.conf
 – /var/log/cups
Syslog
 Syslog consists of three parts:
 • The logging daemon, syslogd, and its configuration file /etc/syslog.conf
 • Library routines: openlog et al.
 • The user-level command for submitting log entries: logger
 syslogd
 • Is started at boot time
 • Writes the messages:
 – reads each message from the special file /dev/log (or another device or socket, depending on the system), then
 – consults the configuration file, then
 – dispatches the message to the appropriate destination(s)
Syslog
 Signal syslogd to
 • make a configuration change take effect
 • make it reopen its log files after you truncate or rotate them
 Send it a HUP signal:
 # kill -HUP `/bin/cat /var/run/syslog.pid`
 Configuring syslogd
 • /etc/syslog.conf controls syslogd's behavior
 • The basic format is
 selector <Tab> action
 (classic syslogd requires a real tab character here, not spaces)
 • Selectors identify the program (facility) and the message's severity level, with the format
 facility.level
 • Facility and level must be chosen from the fixed set of names that syslog defines (listed on the next slide)
Syslog
 • Valid facility names (lowercase keywords)
 – kern
 – user
 – mail
 – daemon
 – auth
 – lpr
 – cron
 – syslog
 – mark
 – local0 through local7 (for local use)
 – ftp
 – …
 • Valid levels (descending severity)
 – emerg
 – alert
 – crit
 – err
 – warning
 – notice
 – info
 – debug
 • A selector facility.level matches that level and every more severe level
 • The pseudo-level none excludes a facility from a line (e.g. user.none)
Syslog
 • Selectors can be combined
 – Separated by semicolon ;
 – * represents all facilities except mark
 – In BSD-derived syslogd a later selector for the same facility overrides an earlier one on the same line, so *.err;mail.crit logs mail only at crit and above
 • Actions:
 – filename (absolute path)
 – @hostname
 – @ipaddress
 – user1, user2, … (written to their terminals)
 – * (written to all logged-in users)
 • Example:
 *.err;kern.debug;daemon.notice;mail.crit	/var/adm/messages
 kern.notice	/var/log/kern.notice
 *.alert;kern.err;daemon.err	operator
 *.alert	root
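The routing decision the preceding slides describe (syslogd reads a message, consults /etc/syslog.conf and dispatches it according to the selectors), as an added Python simulation that is not part of the lecture and not syslogd's own code. It models BSD-derived syslogd semantics: a selector matches its level and every more severe level, `*` covers every facility except mark, `none` excludes a facility, a later selector for the same facility on one line overrides an earlier one, and the selector must be separated from the action by a tab. The sample configuration is constructed from the slide's example lines plus a local5 test line; facility and level names are the standard ones.

```python
"""Simulation of classic (BSD-derived) syslogd selector matching.

Added example, not from the lecture and not syslogd's source: models how
syslogd consults /etc/syslog.conf to decide which actions receive a
message with a given facility.level. SAMPLE_CONF is constructed.
"""

# Facilities syslogd knows. "mark" is special: a plain "*" never selects it.
FACILITIES = (
    "kern user mail daemon auth syslog lpr news uucp cron authpriv ftp mark "
    "local0 local1 local2 local3 local4 local5 local6 local7"
).split()
# Levels in descending severity; the list index is the numeric priority
# (emerg = 0 ... debug = 7), so a lower index means "more severe".
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_line(line):
    """Parse one syslog.conf line into ({facility: max_level_index}, action).

    Returns None for blank lines and comments. Raises ValueError on
    malformed input, including the classic mistake of separating the
    selector from the action with spaces instead of a tab.
    """
    line = line.rstrip("\n")
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    if "\t" not in line:
        raise ValueError("syslogd needs a TAB between selector and action: %r" % line)
    selector_part, action = line.split("\t", 1)
    action = action.strip()
    if not action:
        raise ValueError("missing action: %r" % line)

    table = {}
    for sel in selector_part.strip().split(";"):
        fac_spec, dot, level = sel.strip().rpartition(".")
        if not dot or not fac_spec:
            raise ValueError("bad selector %r" % sel)
        if level not in LEVELS and level != "none":
            raise ValueError("unknown level %r in %r" % (level, sel))
        # "*" means every facility except mark; otherwise a comma-separated list.
        if fac_spec == "*":
            facs = [f for f in FACILITIES if f != "mark"]
        else:
            facs = fac_spec.split(",")
        for fac in facs:
            if fac not in FACILITIES:
                raise ValueError("unknown facility %r in %r" % (fac, sel))
            if level == "none":
                table.pop(fac, None)              # exclude this facility entirely
            else:
                table[fac] = LEVELS.index(level)  # later selectors override earlier ones
    return table, action


def route(config_text, facility, level):
    """Return the actions, in config order, that receive a facility.level message."""
    if facility not in FACILITIES or level not in LEVELS:
        raise ValueError("unknown facility or level")
    pri = LEVELS.index(level)
    destinations = []
    for raw in config_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        table, action = parsed
        # A selector "fac.lvl" matches lvl and everything more severe (lower index).
        if facility in table and pri <= table[facility]:
            destinations.append(action)
    return destinations


# Constructed syslog.conf modelled on the slide's example (tabs separate the columns).
SAMPLE_CONF = "\n".join([
    "# constructed example configuration",
    "*.err;kern.debug;daemon.notice;mail.crit\t/var/adm/messages",
    "kern.notice\t/var/log/kern.notice",
    "*.alert;kern.err;daemon.err\toperator",
    "*.alert\troot",
    "*.emerg\t*",
    "local5.warning\t/tmp/evi.log",
])

if __name__ == "__main__":
    for fac, lvl in [("kern", "notice"), ("mail", "err"), ("daemon", "alert"),
                     ("local5", "warning"), ("local5", "notice"), ("mark", "info")]:
        print("%s.%s -> %s" % (fac, lvl, route(SAMPLE_CONF, fac, lvl)))
```

Running it prints where each sample message lands. Two results are worth noticing: mail.err reaches nothing under this configuration, because the later mail.crit narrows the earlier *.err on the same line, and the space-separated version of the local5 line is rejected rather than silently ignored, which is the failure mode you would otherwise debug with logger.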
Syslog
 Central logging host
 • Keeps the logs in one place, easy to check
 • Needs a stable server
 • What if netloghost is down? Classic syslog forwards over UDP with no acknowledgement, so messages sent while it is down are simply lost
 • The time stamp does not reflect the time on the originating host, so keep the clocks of all hosts synchronized (e.g. with NTP) or the central log cannot be ordered reliably
Using syslog from programs
 Functions
 openlog
 syslog
 closelog
 C calls
void openlog(const char *ident, int option, int facility);
void syslog(int priority, const char *format, ...);
void closelog(void);
 Perl calls
use Sys::Syslog;
openlog($ident, $logopt, $facility);
syslog($priority, $format, @args);
closelog();
 Caveat: the second argument of syslog() is a printf-style format string; never pass untrusted text there (use "%s" and pass the text as an argument)
Logger
 The logger command
 • Creates a log entry from the command line
 • Useful for debugging syslogd's configuration file
 • Example:
 – After a new line is added to syslog.conf (selector and action separated by a tab) and syslogd has been sent a HUP:
 local5.warning	/tmp/evi.log
 – Run
 $ logger -p local5.warning "test message"
 – Then check whether "test message" was written to /tmp/evi.log
Log analyzer
 Get the relevant information out of the lines
 Write your own scripts to
 • check for certain patterns
 • send e-mail to you
 Commonly used log postprocessors
 • swatch
 • logcheck
 A couple of things to look for
 • Security-related messages
 • Disk full
 • Messages that are repeated many times
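A small log postprocessor of the kind the slide asks you to write, as an added Python example (not the lecture's code, and not swatch or logcheck): it parses syslog-format lines, flags security-related messages and disk-full conditions, counts messages that repeat many times, and builds the e-mail a cron job would send. The log lines, the host name wopr, the patterns, the repeat threshold and the mail addresses are all constructed for the example.

```python
"""Minimal log postprocessor (added example, not part of the lecture).

Scans classic "Mon DD HH:MM:SS host prog[pid]: msg" lines for
security-related messages, disk-full conditions and messages that
repeat many times, then builds the report e-mail (not sent here).
"""
import re
from collections import Counter
from email.message import EmailMessage

# Constructed sample lines; hostname, pids and addresses are invented.
SAMPLE_LOG = """\
Mar  4 10:01:12 wopr sshd[2231]: Failed password for invalid user admin from 10.0.0.7 port 51022 ssh2
Mar  4 10:01:15 wopr sshd[2235]: Failed password for root from 10.0.0.7 port 51040 ssh2
Mar  4 10:01:17 wopr sshd[2237]: Failed password for root from 10.0.0.7 port 51044 ssh2
Mar  4 10:01:19 wopr sshd[2239]: Failed password for root from 10.0.0.7 port 51050 ssh2
Mar  4 10:02:00 wopr su: 'su root' failed for evi on /dev/pts/3
Mar  4 10:03:31 wopr ufs: [ID 845546 kern.notice] NOTICE: alloc: /var: file system full
Mar  4 10:04:02 wopr sendmail[3100]: r24A42xx003100: from=<evi@wopr>, size=412, nrcpts=1
Mar  4 10:05:00 wopr cron[211]: (root) CMD (/usr/lib/fs/nfs/nfsfind)
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<prog>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$"
)
# Assumed patterns; extend them for the daemons on your own hosts.
SECURITY_PATTERNS = [
    ("ssh authentication failure", re.compile(r"Failed password for|Invalid user")),
    ("su failure", re.compile(r"'su [^']*' failed")),
]
DISK_FULL_RE = re.compile(r"file system full|No space left on device", re.I)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_syslog_line(line):
    """Split one line into its fields, or return None if it is not syslog format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def normalize(msg):
    """Collapse variable fields (addresses, ports, ids) so repeats of the
    same message shape count together."""
    return re.sub(r"\b\d+\b", "#", IP_RE.sub("#", msg))


def analyze(text, repeat_threshold=3):
    """Return the findings for the three things the slide says to look for."""
    findings = {"security": [], "disk_full": [], "repeated": {}, "unparsed": []}
    shapes = Counter()
    for line in text.splitlines():
        rec = parse_syslog_line(line)
        if rec is None:
            findings["unparsed"].append(line)   # never silently drop odd lines
            continue
        for label, pat in SECURITY_PATTERNS:
            if pat.search(rec["msg"]):
                findings["security"].append((label, line))
                break
        if DISK_FULL_RE.search(rec["msg"]):
            findings["disk_full"].append(line)
        shapes[(rec["prog"], normalize(rec["msg"]))] += 1
    findings["repeated"] = {k: n for k, n in shapes.items() if n >= repeat_threshold}
    return findings


def build_report(findings, sender="logwatch@wopr.example", recipient="evi@wopr.example"):
    """Build the e-mail summarizing the findings (sending is left to the caller)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    total = len(findings["security"]) + len(findings["disk_full"]) + len(findings["repeated"])
    msg["Subject"] = "log report: %d item(s) need attention" % total
    body = []
    for label, line in findings["security"]:
        body.append("SECURITY (%s): %s" % (label, line))
    for line in findings["disk_full"]:
        body.append("DISK FULL: %s" % line)
    for (prog, shape), n in sorted(findings["repeated"].items()):
        body.append("REPEATED x%d: %s: %s" % (n, prog, shape))
    msg.set_content("\n".join(body) or "nothing to report")
    return msg


if __name__ == "__main__":
    print(build_report(analyze(SAMPLE_LOG)))
```

The normalization step is what makes "repeated many times" useful: without collapsing the ports and source address, four sshd failures against root look like four different messages. Pipe the result into sendmail or hand the message to smtplib from a cron job that runs over the rotated log of the previous day.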