Syslog explained in detail in this presentation.ppt
- 1. Syslog and log files 1-1 Syslog and Log Files From logfiles, you can find important information History Errors/warnings Logging policies Reset log files at periodic intervals Rotate log file Compress and archive Throw away
- 2. Syslog and log files 1-2 Syslog and Log files Where are the log files? Random log names scattered across dirs/filesystems • Two common places: – /var/adm – /var/log To locate your log file: • Read the man for individual daemons • Read the system startup scripts • Check syslog’s configuration file /etc/syslog.conf
- 3. Syslog and log files 1-3 Logs (see P 208 for more) File program w h e r e f r e q o w n e r contents messages various S M R Often the main system log file syslog various S M R Often the main system log file shutdownlog shutdow n S M R Reasons for shutdown sulog su H M R Authorizations wtmp/wtmpx login H M R Connect-time accounting Httpd/*_log httpd F W R Web Server Logs Acct kernel C D R SysV process accunting (binary)
- 4. Syslog and log files 1-4 Syslog Is a comprehensive logging system Manage the information generated by • the kernel • the system utilities Has two important function • Liberate programmers • Put administrators in control of logging Very flexible • Sort message by source, importance • Route the message to – log file – users’ terminals, – Remote machines • Thus, Centralize the logging for a network
- 5. Syslog and log files 1-5 Example Colossus /var/adm/messages • Kernel.notice – ufs quota • auth.error – sshd pentential probe of service /var/adm/sulog /var/log/syslog /var/log/authlog /var/log/dmesg /etc/syslog.conf Wopr.csl.mtu.edu /var/log/messages • Lots of sshd messages /etc/syslog.conf Dafinn.cs.mtu.edu Where is httpd log file? • /etc/init.d/httpd • /etc/httpd/conf – ServerRoot – ErrorLog – Symbolic links Where is print log file? • /etc/init.d/cups – /etc/cups/cupsd.conf – /var/log/cups
- 6. Syslog and log files 1-6 Syslog Syslog consists of three parts The logging daemon: • syslogd • config file /etc/syslog.conf Library routines: openlog et al. User-level log submit command: logger Syslogd Is started at the boot time Write the messages • Reads message from special file /dev/log (or others depending on the system), then • Consults with the configuration file, then • Dispatches each message to the appropriate destination
- 7. Syslog and log files 1-7 Syslog Restart syslogd to • make config change take effect • truncate or rotate the log Send a HUP signal # kill –HUP `/bin/cat /var/run/syslog.pid` Configuring syslogd • /etc/syslog.conf controls syslogd’s behavior • The basic format is Selector <Tab> action • Selectors identify the program and message’s severity level with the format Facility:level • Facility, level must be kernel ware names
- 8. Syslog and log files 1-8 Syslog • Valid facility names – Kern – User – mail – Daemon – Auth – Lpr – Cron – Syslog – Mark – local0-7 – ftp – … • Valid levels (descending severity) – emerg – alert – crit – err – warning – notice – info – debug – none
- 9. Syslog and log files 1-9 Syslog • Selectors can be combined – Separated by semicolon ; – * to represent all facilities except mark • Actions: – Filename – @hostname – @ipaddress – User1, user2, … – * • Example: *.err;kern.debug;daemon.notice;mail.crit /var/adm/messages kern.notice /var/log/kern.notice *.alert;kern.err;daemon.err operator *.alert root
- 10. Syslog and log files 1-10 Syslog central logging host Keep the log one place, easy to check. Need a stable server • What if netloghost is down? The time stamp does not reflect the time on the originating host
- 11. Syslog and log files 1-11 Using syslog from programs Functions Openlog Syslog Closelog C calls void openlog(const char *ident, int option, int facility); void syslog(int priority, const char *format, ...); void closelog(void); Perl calls Use Sys::Syslog; Openlog(ident, logopt, facility) Syslog(priority, message, …) Closelog()
- 12. Syslog and log files 1-12 Logger Logger command Create a log entry Debug syslogd’s configuration file • Example: – After a new line was added to syslog.conf Local5.warning /tmp/evi.log – Run $ logger –p local5.warning “test message” – To see if “test message” is written in /tmp/evi.log
- 13. Syslog and log files 1-13 Log analyzer Get the related info out of lines Write up your own scripts • Check for certain patterns • Send email to you Commonly used log postprocessors • Swatch • Logcheck Couple of things to look for Security-related messages Disk full Messages that are repeated many times