The intent of this document is to explain the use of syslog by operating systems and applications. System log (syslog) management is an important need in almost all enterprises: system administrators treat syslog as a critical source for troubleshooting problems on syslog-capable systems and devices across the network. The need for a complete syslog monitoring solution is often underestimated; efficient syslog analysis reduces system downtime, improves network performance, and helps enforce security policy in the enterprise.
syslogd Daemon
- The system daemon that receives and routes system log events generated by syslog() calls and by the logger command
- Messages from other hosts arrive over the user datagram protocol (UDP); the UDP port assigned to syslog is 514. UDP syslog is neither authenticated nor encrypted: any host that can reach the port can inject messages or forge the source address, so restrict port 514 to known senders (or use a daemon that supports TCP/TLS transport) when a host acts as a central log server.
/etc/syslog.conf
- The configuration file used to control the logging and routing of system log events
- A configuration entry in the file consists of two tab-separated fields: a selector (facility.level) and an action
FACILITY specifies which subsystem the message comes from.
LEVEL specifies the severity or importance of the message.
ACTION specifies the destination of the message.
The facilities are listed below (11 codes, counting local0-7 as one):

| Facility | Description |
|---|---|
| kern | Messages generated by the kernel. |
| user | Messages generated by user processes. |
| mail | The mail system. |
| daemon | System daemons, such as in.ftpd and telnetd. |
| auth | The authorization system, including the login and su commands. |
| syslog | Messages generated internally by the syslogd daemon. |
| lpr | The line printer spooling system, such as the lpr and lpc commands. |
| news | Reserved for the USENET network news system. |
| uucp | Reserved for the UNIX-to-UNIX copy (UUCP) system, which does not use the syslog function (obsolete). |
| cron | The cron and at facilities, including crontab, at, and cron. |
| local0-7 | Eight user-defined codes. |
The levels are listed below, from most to least severe (8 numbered levels plus the keyword none). A selector that names a level matches messages at that level and at every more severe level.

| Code | Level | Description |
|---|---|---|
| 0 | emerg | Panic conditions, normally broadcast to all users. |
| 1 | alert | Conditions that should be corrected immediately, such as a corrupted system database; the administrator of the affected server should be notified by mail or pager. |
| 2 | crit | Critical conditions, such as hard device errors. |
| 3 | err | Errors other than hard device errors. |
| 4 | warning | Warning messages that generally do not interfere with normal operation. |
| 5 | notice | Non-error conditions that might require special handling. |
| 6 | info | Purely informational messages that usually require no handling. |
| 7 | debug | Messages normally used only when debugging a program. |
| - | none | Send no messages from the named facility to the selected destination; used to exclude a facility from a line, for example *.info;mail.none. |
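As an added example (not code from the original post), the Python below shows how a facility and a level from the two tables are packed into the numeric PRI prefix of a classic syslog datagram (PRI = facility * 8 + severity), how a receiver parses such a line back, and how the datagram is sent over UDP port 514 as described under the syslogd daemon above. The facility numbers are those of RFC 3164 and are not in the page's table; RFC 3164 lists both 9 and 15 as the clock daemon because Solaris encodes cron as 15 while BSD-derived systems use 9. The sample line, host names and port are constructed for this example.

```python
import re
import socket

# Facility codes as numbered in RFC 3164 (assumption: BSD-style numbering,
# cron = 9; Solaris uses 15 for cron, which RFC 3164 also lists).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
}
FACILITIES.update({"local%d" % i: 16 + i for i in range(8)})

# Severity codes 0-7 from the level table; "none" is a selector keyword,
# not a severity, so it has no number.
LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
          "notice": 5, "info": 6, "debug": 7}


def encode_pri(facility, level):
    """PRI value carried in the <N> prefix: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + LEVELS[level]


def decode_pri(pri):
    """Split a PRI value back into (facility name, level name)."""
    fac_num, sev_num = divmod(pri, 8)
    fac = next((n for n, v in FACILITIES.items() if v == fac_num),
               "facility%d" % fac_num)
    sev = next(n for n, v in LEVELS.items() if v == sev_num)
    return fac, sev


def build_message(facility, level, hostname, tag, text,
                  timestamp="Oct 11 22:14:15"):
    """Format a classic BSD syslog line: <PRI>TIMESTAMP HOST TAG: MSG."""
    return "<%d>%s %s %s: %s" % (encode_pri(facility, level), timestamp,
                                 hostname, tag, text)


# <PRI>, a "Mmm dd hh:mm:ss" timestamp, a hostname, a tag with an optional
# [pid], then the free-form text.
_LINE = re.compile(
    r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\[ ]+)(?:\[(\d+)\])?: (.*)$")


def parse_message(raw):
    """Parse one line as a collector would. Nothing here is authenticated:
    the hostname field, the timestamp and (over UDP) the source address
    are all chosen by whoever sent the datagram."""
    m = _LINE.match(raw)
    if not m:
        raise ValueError("not a classic syslog line: %r" % raw)
    facility, severity = decode_pri(int(m.group(1)))
    return {
        "facility": facility, "severity": severity,
        "timestamp": m.group(2), "host": m.group(3),
        "tag": m.group(4), "pid": m.group(5), "msg": m.group(6),
    }


def send_udp(raw, host="127.0.0.1", port=514):
    """Send one datagram to a syslog collector (constructed defaults).
    UDP has no handshake, so the collector cannot distinguish a forged
    source address from a genuine one."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.sendto(raw.encode("utf-8"), (host, port))
    finally:
        sock.close()


# Constructed sample: the kind of line a failed login produces on the auth
# facility at level info (PRI 38 = 4 * 8 + 6).
SAMPLE = ("<38>Oct 11 22:14:15 host1 sshd[1234]: "
          "Failed password for root from 10.0.0.5 port 4242 ssh2")

if __name__ == "__main__":
    print(build_message("user", "notice", "host1", "logger", "hello"))
    print(parse_message(SAMPLE))
    # send_udp(SAMPLE)  # uncomment to deliver to a collector on 127.0.0.1:514
```

The parser accepts whatever hostname the sender put in the line, which is exactly why a collector should record the datagram's source address separately and filter port 514 to known senders rather than trusting the HOST field.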
The possible actions are listed below (5 actions):

| Action | Description |
|---|---|
| Log to a file or a device | Write the message to the named file or device, for example: *.debug /var/adm/messages |
| Send a message to a user | Write the message to the terminal of the named users, if they are logged in; separate several users with commas, for example: *.debug user1,user2 |
| Send a message to all users | Write the message to the terminal of every logged-in user, for example: *.emerg * |
| Pipe the message to a program | The program is named after the Unix pipe symbol (\|). The classic Solaris syslogd does not support this action; you need syslog-ng to achieve it. |
| Send the message to syslogd on another host | Forward the message to the named host over UDP port 514, for example: *.debug @LOGHOST |
With these definitions, the entries of a typical Solaris syslog.conf (the full file is shown below) become easy to read. Every entry has the form

    facility.level    action

NOTE: The selector and the action must be separated by a tab character. If you use a space the line looks the same on screen, but syslogd will not read the configuration file correctly. Remember also that a level selects that level and all more severe levels: *.alert matches alert and emerg, while *.debug matches every message. In the examples below the separator is a tab, even though it renders as blank space.

    *.alert         root                 # all alert (and emerg) messages go to the user root, if logged in
    *.emerg         *                    # all emergency messages go to every logged-in user
    *.debug         /var/adm/messages    # every message, at every level, is written to /var/adm/messages
    auth.info       /var/log/authlog     # auth messages at level info and above go to /var/log/authlog
    daemon.notice   /var/log/connlog     # daemon messages at level notice and above go to /var/log/connlog
Tabs and spaces can be told apart with cat -evt, which prints each tab as ^I and marks the end of every line with $:

    # cat -evt /etc/syslog.conf
    #ident^I"@(#)syslog.conf^I1.5^I98/12/14 SMI"^I/* SunOS 5.0 */$
    #$
    # Copyright (c) 1991-1998 by Sun Microsystems, Inc.$
    # All rights reserved.$
    #$
    #$
    # This "syslog.conf" file was installed by JASS. This$
    # file should be used to log information both locally as$
    # well as to a centralized log server (or servers) so that$
    # proactive log analysis can be done.$
    $
    *.err;kern.notice;auth.notice^I/dev/sysmsg$
    *.alert^I^I^I^Iroot$
    *.emerg^I^I^I^I*$
    $
    *.debug^I^I^I^I/var/adm/messages$
    # *.debug^I^I^I@loghost1$
    # *.debug^I^I^I@loghost2$
    $
    auth.info^I^I^I/var/log/authlog$
    daemon.notice^I^I^I/var/log/connlog$
    *.debug @syslog$

In this output ^I represents a tab character and a blank represents a space character. Every entry installed by JASS uses tabs; the last line, *.debug @syslog, uses a space and is exactly the kind of entry syslogd will not read correctly.
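The Python below is an added example, not code from the post. It parses a Solaris-style syslog.conf using the rules described above (tab-separated selector and action; selectors joined by ";" with facilities joined by ","; "*" for all facilities; a level matching itself and everything more severe; "none" excluding a facility) and answers the question the example entries raise: which actions does a message of a given facility and level reach? Space-separated lines like the last one in the cat -evt output are reported as problems instead of being silently misread. The sample configuration is constructed from the JASS file above with one extra *.info;mail.none line, and the facility list is the ten standard names plus local0-7.

```python
LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
          "notice": 5, "info": 6, "debug": 7}
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron"] + ["local%d" % i for i in range(8)]


def parse_syslog_conf(text):
    """Return (rules, problems).

    A rule is (thresholds, action): thresholds maps each facility to the
    least severe level that still matches (numeric, lower = more severe),
    or to None when the facility was excluded with 'none'. Later selectors
    on the same line override earlier ones for the facilities they name,
    so '*.err;kern.notice' means notice and above for kern and err and
    above for everything else.
    """
    rules, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        # The classic Solaris syslogd needs a TAB between selector and action;
        # flag space-separated lines rather than guessing what was meant.
        if "\t" not in line:
            problems.append((lineno, "selector and action not separated by a TAB", line))
            continue
        selector, action = line.split("\t", 1)
        selector, action = selector.strip(), action.strip()
        thresholds = {}
        try:
            for sel in selector.split(";"):
                facs, level = sel.rsplit(".", 1)
                if level != "none" and level not in LEVELS:
                    raise ValueError("unknown level %r" % level)
                for fac in facs.split(","):
                    targets = FACILITIES if fac == "*" else [fac]
                    for f in targets:
                        if f not in FACILITIES:
                            raise ValueError("unknown facility %r" % f)
                        thresholds[f] = None if level == "none" else LEVELS[level]
        except ValueError as exc:
            problems.append((lineno, str(exc), line))
            continue
        if not action:
            problems.append((lineno, "missing action", line))
            continue
        rules.append((thresholds, action))
    return rules, problems


def route(rules, facility, level):
    """List the actions, in file order, that a facility.level message reaches."""
    sev = LEVELS[level]
    actions = []
    for thresholds, action in rules:
        threshold = thresholds.get(facility)
        if threshold is not None and sev <= threshold:
            actions.append(action)
    return actions


# Constructed from the JASS file shown above; '\t' is a real tab, and the
# final line deliberately uses a space so the check catches it.
SAMPLE_CONF = (
    "# constructed sample\n"
    "*.err;kern.notice;auth.notice\t/dev/sysmsg\n"
    "*.alert\t\t\t\troot\n"
    "*.emerg\t\t\t\t*\n"
    "\n"
    "*.debug\t\t\t\t/var/adm/messages\n"
    "# *.debug\t\t\t@loghost1\n"
    "auth.info\t\t\t/var/log/authlog\n"
    "daemon.notice\t\t\t/var/log/connlog\n"
    "*.info;mail.none\t\t/var/log/general\n"
    "*.debug @loghost2\n"
)

if __name__ == "__main__":
    rules, problems = parse_syslog_conf(SAMPLE_CONF)
    for fac, lvl in [("auth", "info"), ("kern", "notice"),
                     ("mail", "err"), ("mail", "emerg")]:
        print("%s.%s -> %s" % (fac, lvl, route(rules, fac, lvl)))
    for lineno, why, line in problems:
        print("line %d: %s: %r" % (lineno, why, line))
```

Run against a real file with parse_syslog_conf(open("/etc/syslog.conf").read()) to list every entry syslogd would misparse, and use route() to confirm that, for example, an auth.info message lands in both /var/adm/messages and /var/log/authlog while a mail.err message is kept out of /var/log/general by the mail.none exclusion.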
I hope now you have a better understanding of syslog.