Part I: Introduction
Syslog and Log Files
From log files you can find important information:
• History
• Errors/warnings
Logging policies:
• Reset log files at periodic intervals
• Rotate log files
• Compress and archive
• Throw away
Syslog and log files
1-1
Syslog and Log Files
Where are the log files?
Random log names scattered across dirs/filesystems
• Two common places:
  – /var/adm
  – /var/log
To locate your log file:
• Read the man page for the individual daemon
• Read the system startup scripts
• Check syslog's configuration file /etc/syslog.conf
Logs (see P 208 for more)
File          Program   Where  Freq  Owner  Contents
messages      various   S      M     R      Often the main system log file
syslog        various   S      M     R      Often the main system log file
shutdownlog   shutdown  S      M     R      Reasons for shutdown
sulog         su        H      M     R      Authorizations
wtmp/wtmpx    login     H      M     R      Connect-time accounting
httpd/*_log   httpd     F      W     R      Web server logs
acct          kernel    C      D     R      SysV process accounting (binary)
Syslog
Is a comprehensive logging system
Manages the information generated by
• the kernel
• the system utilities
Has two important functions:
• Liberate programmers
• Put administrators in control of logging
Very flexible
• Sorts messages by source and importance
• Routes the messages to
  – log files
  – users' terminals
  – remote machines
• Thus, centralizes the logging for a network
Example
Colossus
• Kernel.notice – ufs quota
• auth.error – sshd potential probe of service
• /var/log/messages
• /etc/syslog.conf
Wopr.csl.mtu.edu
• /var/adm/sulog
• /var/log/syslog
• /var/log/authlog
• /var/log/dmesg
• /etc/syslog.conf
• /var/adm/messages
• Lots of sshd messages
Dafinn.cs.mtu.edu
• Where is the httpd log file?
  /etc/init.d/httpd
  /etc/httpd/conf
  – ServerRoot
  – ErrorLog
  – Symbolic links
• Where is the print log file?
  /etc/init.d/cups
  – /etc/cups/cupsd.conf
  – /var/log/cups
Syslog
Syslog consists of three parts:
• The logging daemon
  – syslogd
  – config file /etc/syslog.conf
• Library routines: openlog et al.
• User-level log submission command: logger
Syslogd
• Is started at boot time
• Writes the messages:
  – Reads messages from the special file /dev/log (or others, depending on the system), then
  – Consults the configuration file, then
  – Dispatches each message to the appropriate destination
Syslog
Restart syslogd to
• make config changes take effect
• truncate or rotate the log
Send a HUP signal:
# kill -HUP `/bin/cat /var/run/syslog.pid`
Configuring syslogd
• /etc/syslog.conf controls syslogd's behavior
• The basic format is
  selector <Tab> action
• Selectors identify the program and the message's severity level with the format
  facility.level
• Facility and level must be chosen from the defined keyword names
Syslog
• Valid facility names
  – kern
  – user
  – mail
  – daemon
  – auth
  – lpr
  – cron
  – syslog
  – mark
  – local0-7
  – ftp
  – …
• Valid levels (descending severity)
  – emerg
  – alert
  – crit
  – err
  – warning
  – notice
  – info
  – debug
  – none
Syslog
• Selectors can be combined
  – Separated by semicolon ;
  – * represents all facilities except mark
• Actions:
  – filename
  – @hostname
  – @ipaddress
  – user1, user2, …
  – *
• Example:
  *.err;kern.debug;daemon.notice;mail.crit   /var/adm/messages
  kern.notice                                /var/log/kern.notice
  *.alert;kern.err;daemon.err                operator
  *.alert                                    root
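As an added example (not part of the lecture slides), the following Python resolves the four example rules above the way a classic BSD syslogd does: a level matches that severity and everything more severe, `*` covers every facility except mark, and within one line a later selector for the same facility overrides an earlier one (which is how `*.err;mail.none` excludes mail). The facility list and the `LECTURE_CONF` constant are taken from the slides; the override semantics are an assumption about the traditional daemon, not something the slides state.

```python
"""Resolve which /etc/syslog.conf actions a message is routed to.

Added example, not code from the lecture.  Models classic BSD syslogd
selector semantics: facility.level selectors separated by ';', '*' for
every facility except mark, a level matching itself and anything more
severe, and later selectors on a line overriding earlier ones.
"""
import re

# Severity levels, most severe first (index 0 = emerg, 7 = debug).
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "mark"] + [f"local{i}" for i in range(8)]

# The four example lines from the slide (tab separates selector and action).
LECTURE_CONF = (
    "*.err;kern.debug;daemon.notice;mail.crit\t/var/adm/messages\n"
    "kern.notice\t/var/log/kern.notice\n"
    "*.alert;kern.err;daemon.err\toperator\n"
    "*.alert\troot\n"
)


def parse_conf(text):
    """Return [(thresholds, action), ...] for each non-comment line.

    thresholds maps facility -> index into LEVELS of the least severe level
    the line still logs; a facility missing from the dict is not logged.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        selector, action = re.split(r"\s+", line, maxsplit=1)
        thresholds = {}
        for sel in selector.split(";"):
            facs, level = sel.rsplit(".", 1)
            if facs == "*":
                targets = [f for f in FACILITIES if f != "mark"]  # '*' skips mark
            else:
                targets = facs.split(",")  # syslog.conf allows kern,mail.err
            for fac in targets:
                if fac not in FACILITIES:
                    raise ValueError(f"unknown facility {fac!r} in {raw!r}")
                if level == "none":
                    thresholds.pop(fac, None)  # a later 'none' cancels an earlier match
                else:
                    thresholds[fac] = LEVELS.index(level)  # later selector overrides
        rules.append((thresholds, action))
    return rules


def route(rules, facility, level):
    """Return the actions a facility.level message is dispatched to, in file order."""
    severity = LEVELS.index(level)
    return [action for thresholds, action in rules
            if facility in thresholds and severity <= thresholds[facility]]


if __name__ == "__main__":
    rules = parse_conf(LECTURE_CONF)
    for fac, lvl in [("kern", "notice"), ("daemon", "err"), ("mail", "err"), ("auth", "emerg")]:
        print(f"{fac}.{lvl:8} -> {route(rules, fac, lvl)}")
```

Running it shows why the override rule matters: a mail.err message is not written to /var/adm/messages, because the later `mail.crit` selector on the first line raises the threshold for mail above the `*.err` that precedes it.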
Syslog
Central logging host
• Keeps the logs in one place, easy to check.
• Needs a stable server
  – What if netloghost is down?
• The time stamp does not reflect the time on the originating host
Using syslog from programs
Functions: openlog, syslog, closelog
C calls:
void openlog(const char *ident, int option, int facility);
void syslog(int priority, const char *format, ...);
void closelog(void);
Perl calls:
use Sys::Syslog;
openlog($ident, $logopt, $facility);
syslog($priority, $message, ...);
closelog();
Logger
The logger command
• Creates a log entry
• Used to debug syslogd's configuration file
• Example:
  – After a new line is added to syslog.conf:
    local5.warning   /tmp/evi.log
  – Run
    $ logger -p local5.warning "test message"
  – To see if "test message" is written to /tmp/evi.log
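As an added example (not from the lecture), the following Python shows what happens between the `logger -p local5.warning "test message"` command above and the syslogd that reads /dev/log: the priority argument is encoded as facility code × 8 + level code, prepended as `<PRI>`, followed by a BSD timestamp, hostname and `tag[pid]:`, and the datagram is written to the log socket, where the daemon decodes PRI back into a facility and level before consulting its configuration. The facility codes are the standard syslog protocol values; the hostname `colossus` and the socket pair standing in for /dev/log are assumptions so the exchange runs offline.

```python
"""Build, deliver and decode a syslog datagram the way logger(1) and syslogd do.

Added example, not code from the lecture.  An AF_UNIX datagram socket pair
stands in for /dev/log; the message format is the BSD one
"<PRI>Mmm dd hh:mm:ss host tag[pid]: text" with PRI = facility*8 + level.
"""
import re
import socket
import time

LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Standard syslog facility codes (mark is syslogd-internal and has no code).
FACILITY_CODES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
                  "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11}
FACILITY_CODES.update({f"local{i}": 16 + i for i in range(8)})
FACILITY_NAMES = {code: name for name, code in FACILITY_CODES.items()}
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

_MESSAGE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                              # priority
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "    # BSD timestamp
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "        # tag[pid]:
    r"(?P<msg>.*)$", re.DOTALL)


def encode_priority(facility, level):
    """PRI value as computed by syslog(3): facility code * 8 + level code."""
    return FACILITY_CODES[facility] * 8 + LEVELS.index(level)


def decode_priority(pri):
    """Split a PRI value back into (facility, level) names, as syslogd does."""
    return FACILITY_NAMES[pri // 8], LEVELS[pri % 8]


def build_message(facility, level, tag, text, host, pid=None, when=None):
    """Format one BSD-style syslog datagram; `when` is a struct_time (default: now)."""
    tm = when or time.localtime()
    stamp = "%s %2d %02d:%02d:%02d" % (MONTHS[tm.tm_mon - 1], tm.tm_mday,
                                       tm.tm_hour, tm.tm_min, tm.tm_sec)
    ident = f"{tag}[{pid}]" if pid is not None else tag
    return f"<{encode_priority(facility, level)}>{stamp} {host} {ident}: {text}".encode()


def parse_message(data):
    """Decode a datagram into a dict with facility/level names and the message parts."""
    m = _MESSAGE_RE.match(data.decode(errors="replace"))
    if not m:
        raise ValueError(f"not a syslog message: {data!r}")
    facility, level = decode_priority(int(m["pri"]))
    return {"facility": facility, "level": level, "timestamp": m["ts"], "host": m["host"],
            "tag": m["tag"], "pid": int(m["pid"]) if m["pid"] else None, "msg": m["msg"]}


def exchange(facility, level, tag, text, host="colossus", pid=None):
    """Send one message over a socket pair standing in for /dev/log; return what the daemon side decoded."""
    client, daemon = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        client.send(build_message(facility, level, tag, text, host, pid))  # logger side
        return parse_message(daemon.recv(2048))                            # syslogd side
    finally:
        client.close()
        daemon.close()


if __name__ == "__main__":
    print(exchange("local5", "warning", "logger", "test message", pid=4242))
```

Note that the timestamp and hostname are filled in by the sender, which is the reason behind the central-logging caveat on the earlier slide: a message relayed to netloghost carries the originating host's clock, not the log host's.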
Log analyzer
Get the related info out of the lines
Write your own scripts to
• Check for certain patterns
• Send email to you
Commonly used log postprocessors
• swatch
• logcheck
A couple of things to look for
• Security-related messages
• Disk full
• Messages that are repeated many times
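As an added example (not from the lecture), here is the kind of home-grown postprocessor the slide describes, looking for the three things it lists: security-related messages, disk-full messages, and messages repeated many times. The log lines in `SAMPLE_LOG` are constructed for this example (the addresses are from the documentation ranges), and the patterns are a starting set that an administrator would extend for the daemons on their own hosts; how the resulting report is mailed is left to the site.

```python
"""Scan syslog lines for security messages, disk-full messages and repeats.

Added example, not code from the lecture, in the spirit of a small
swatch/logcheck-style script.  SAMPLE_LOG is constructed sample data.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Mar  3 10:01:02 wopr sshd[4112]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar  3 10:01:04 wopr sshd[4112]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar  3 10:01:05 wopr sshd[4112]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar  3 10:01:09 wopr last message repeated 12 times
Mar  3 10:02:00 wopr su: 'su root' failed for evi on /dev/pts/3
Mar  3 10:05:31 wopr kernel: NOTICE: alloc: /var: file system full
Mar  3 10:06:00 wopr cron[221]: (root) CMD (/usr/lib/sa/sa1)
Mar  3 10:07:00 wopr cron[221]: (root) CMD (/usr/lib/sa/sa1)
Mar  3 10:08:00 wopr sshd[4200]: Accepted publickey for evi from 192.0.2.10 port 51022 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
REPEAT_RE = re.compile(r"^last message repeated (\d+) times$")
PID_RE = re.compile(r"\[\d+\]")

# Patterns worth a closer look; extend for the daemons on your own hosts.
SECURITY_PATTERNS = [
    re.compile(r"sshd.*(Failed password|Invalid user)", re.I),
    re.compile(r"su\b.*failed", re.I),
    re.compile(r"authentication failure", re.I),
]
DISK_FULL_PATTERNS = [re.compile(r"file system full|No space left on device", re.I)]


def analyze(text, repeat_threshold=3):
    """Return {'security': [...], 'disk_full': [...], 'repeated': {message: count}}."""
    security, disk_full = [], []
    counts = Counter()
    last_key = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a syslog line; skip rather than guess
        rest = m["rest"]
        rep = REPEAT_RE.match(rest)
        if rep:
            # syslogd already collapsed duplicates; credit them to the previous message
            if last_key is not None:
                counts[last_key] += int(rep.group(1))
            continue
        key = PID_RE.sub("", rest)  # the same message from a new pid still counts as a repeat
        counts[key] += 1
        last_key = key
        if any(p.search(rest) for p in SECURITY_PATTERNS):
            security.append(line)
        if any(p.search(rest) for p in DISK_FULL_PATTERNS):
            disk_full.append(line)
    repeated = {k: n for k, n in counts.items() if n >= repeat_threshold}
    return {"security": security, "disk_full": disk_full, "repeated": repeated}


def report(result):
    """Plain-text summary of an analyze() result, suitable for mailing to the administrator."""
    out = [f"Security-related messages: {len(result['security'])}"]
    out += ["  " + l for l in result["security"]]
    out.append(f"Disk full messages: {len(result['disk_full'])}")
    out += ["  " + l for l in result["disk_full"]]
    out.append("Repeated messages:")
    out += [f"  {n:5d}x {msg}" for msg, n in sorted(result["repeated"].items(), key=lambda kv: -kv[1])]
    return "\n".join(out)


if __name__ == "__main__":
    print(report(analyze(SAMPLE_LOG)))
```

The "last message repeated N times" handling matters in practice: syslogd suppresses consecutive duplicates, so a script that only counts identical lines undercounts exactly the bursts the slide tells you to look for (here three visible sshd failures stand for fifteen).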