Syslog and Log Files

Upload: linda-osborne

Post on 17-Dec-2015


Syslog and log files 1-1

Syslog and Log Files

From logfiles, you can find important information
• History
• Errors/warnings

Logging policies
• Reset log files at periodic intervals
  – Rotate log file
  – Compress and archive
  – Throw away

Syslog and log files 1-2

Syslog and Log Files

Where are the log files?
• Random log names scattered across dirs/filesystems
• Two common places:
  – /var/adm
  – /var/log

To locate your log file:
• Read the man page for individual daemons
• Read the system startup scripts
• Check syslog's configuration file /etc/syslog.conf

Syslog and log files 1-3

Logs (see P 208 for more)

File          Program    Where  Freq  Owner  Contents
messages      various    S      M     R      Often the main system log file
syslog        various    S      M     R      Often the main system log file
shutdownlog   shutdown   S      M     R      Reasons for shutdown
sulog         su         H      M     R      Authorizations
wtmp/wtmpx    login      H      M     R      Connect-time accounting
httpd/*_log   httpd      F      W     R      Web server logs
acct          kernel     C      D     R      SysV process accounting (binary)

Syslog and log files 1-4

Syslog

Is a comprehensive logging system
Manages the information generated by
• the kernel
• the system utilities

Has two important functions
• Liberate programmers
• Put administrators in control of logging

Very flexible
• Sort messages by source and importance
• Route the messages to
  – log files
  – users' terminals
  – remote machines
• Thus, centralize the logging for a network

Syslog and log files 1-5

Example

Colossus: /var/adm/messages
• kern.notice – ufs quota
• auth.error – sshd potential probe of service
Also: /var/adm/sulog, /var/log/syslog, /var/log/authlog, /var/log/dmesg, /etc/syslog.conf

Wopr.csl.mtu.edu: /var/log/messages
• Lots of sshd messages
• /etc/syslog.conf

Dafinn.cs.mtu.edu: Where is the httpd log file?
• /etc/init.d/httpd
• /etc/httpd/conf
  – ServerRoot
  – ErrorLog
  – Symbolic links
Where is the print log file?
• /etc/init.d/cups
  – /etc/cups/cupsd.conf
  – /var/log/cups

Syslog and log files 1-6

Syslog

Syslog consists of three parts
• The logging daemon:
  – syslogd
  – config file /etc/syslog.conf
• Library routines: openlog et al.
• User-level log submit command: logger

Syslogd
• Is started at boot time
• Writes the messages:
  – Reads messages from the special file /dev/log (or others, depending on the system), then
  – Consults the configuration file, then
  – Dispatches each message to the appropriate destination

Syslog and log files 1-7

Syslog

Restart syslogd to
• make a config change take effect
• truncate or rotate the log

Send a HUP signal:
# kill -HUP `/bin/cat /var/run/syslog.pid`

Configuring syslogd
• /etc/syslog.conf controls syslogd's behavior
• The basic format is
    selector<Tab>action
• Selectors identify the program and the message's severity level with the format
    facility.level
• Facility and level must be chosen from syslog's predefined names

Syslog and log files 1-8

Syslog

• Valid facility names
  – kern
  – user
  – mail
  – daemon
  – auth
  – lpr
  – cron
  – syslog
  – mark
  – local0-7
  – ftp
  – …

• Valid levels (descending severity)
  – emerg
  – alert
  – crit
  – err
  – warning
  – notice
  – info
  – debug
  – none

Syslog and log files 1-9

Syslog

• Selectors can be combined
  – Separated by semicolon ;
  – * to represent all facilities except mark
• Actions:
  – Filename
  – @hostname
  – @ipaddress
  – user1, user2, …
  – *
• Example:

    *.err;kern.debug;daemon.notice;mail.crit    /var/adm/messages
    kern.notice                                 /var/log/kern.notice
    *.alert;kern.err;daemon.err                 operator
    *.alert                                     root
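The example above only makes sense once you know how syslogd interprets a selector: a level matches itself and everything more severe, and when one selector names the same facility twice (here `*.err` and then `mail.crit`), the later item wins. The following added example, which is not code from the lecture, models those classic BSD rules in Python and routes sample messages through the slide's own four config lines:

```python
# Added example (not from the lecture): a model of how syslogd evaluates /etc/syslog.conf
# selectors under the classic BSD rules: '*' is every facility except mark, a level matches
# itself and everything more severe, 'none' drops a facility, later items override earlier.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "lpr", "cron", "syslog",
              "mark", "ftp"] + [f"local{i}" for i in range(8)]

def parse_selector(selector):
    """Return {facility: threshold index} for one selector field (None for 'none')."""
    table = {}
    for item in selector.split(";"):
        facs, level = item.strip().rsplit(".", 1)
        if level not in LEVELS + ["none"]:
            raise ValueError(f"unknown level {level!r}")
        threshold = None if level == "none" else LEVELS.index(level)
        names = [f for f in FACILITIES if f != "mark"] if facs == "*" else facs.split(",")
        for fac in names:
            if fac not in FACILITIES:
                raise ValueError(f"unknown facility {fac!r}")
            table[fac] = threshold        # a later item for the same facility wins
    return table

def parse_config(text):
    """Parse 'selector<Tab>action' lines into [(facility table, action), ...]."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        selector, action = line.split("\t", 1)   # the separator must be a tab
        rules.append((parse_selector(selector.strip()), action.strip()))
    return rules

def route(rules, facility, level):
    """List the actions that receive a message logged as facility.level."""
    severity = LEVELS.index(level)          # lower index = more severe
    return [action for table, action in rules
            if table.get(facility) is not None and severity <= table[facility]]

# The slide's example configuration, written with the tab between selector and action
SAMPLE_CONF = (
    "*.err;kern.debug;daemon.notice;mail.crit\t/var/adm/messages\n"
    "kern.notice\t/var/log/kern.notice\n"
    "*.alert;kern.err;daemon.err\toperator\n"
    "*.alert\troot\n"
)
RULES = parse_config(SAMPLE_CONF)
if __name__ == "__main__":
    for fac, lvl in [("kern", "debug"), ("mail", "err"), ("daemon", "alert")]:
        print(f"{fac}.{lvl} -> {route(RULES, fac, lvl)}")
```

Note that `mail.err` reaches no destination at all with this config, because `mail.crit` overrides the earlier `*.err` for the mail facility; that is the kind of silent gap a `logger` test (slide 1-12) will expose.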

Syslog and log files 1-10

Syslog

Central logging host
• Keeps the logs in one place, easy to check
• Needs a stable server
• What if netloghost is down?
• The time stamp does not reflect the time on the originating host

Syslog and log files 1-11

Using syslog from programs

Functions
• openlog
• syslog
• closelog

C calls:
    void openlog(const char *ident, int option, int facility);
    void syslog(int priority, const char *format, ...);
    void closelog(void);

Perl calls:
    use Sys::Syslog;
    openlog($ident, $logopt, $facility);
    syslog($priority, $message, ...);
    closelog();

Syslog and log files 1-12

Logger

Logger command
• Creates a log entry
• Debugs syslogd's configuration file
• Example:
  – After a new line was added to syslog.conf:
        local5.warning    /tmp/evi.log
  – Run
        $ logger -p local5.warning "test message"
  – Then check whether "test message" was written to /tmp/evi.log

Syslog and log files 1-13

Log analyzer

Get the relevant information out of the lines
Write up your own scripts
• Check for certain patterns
• Send email to you

Commonly used log postprocessors
• Swatch
• Logcheck

A couple of things to look for
• Security-related messages
• Disk full
• Messages that are repeated many times
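As an added example of the "write up your own scripts" point (not code from the lecture and not Swatch or Logcheck), the script below scans syslog-style lines for the three things the slide names. The patterns and the sample log lines are constructed for this example; a real postprocessor would tune them to the message formats of the local daemons.

```python
import re
from collections import Counter

# Patterns for two of the things the slide says to look for. Constructed for this
# example; a real deployment would tune them to the local daemons' message formats.
PATTERNS = {
    "security": re.compile(r"Failed password|Invalid user|FAILED SU|authentication failure", re.I),
    "disk_full": re.compile(r"No space left on device|file system full", re.I),
}
REPEAT_THRESHOLD = 3  # report a message seen at least this many times

# "Mmm dd hh:mm:ss host program[pid]: message" (classic syslog line layout)
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([^:\[]+)(?:\[\d+\])?: (.*)$")
def normalize(message):
    """Replace digits (pids, ports, addresses) with N so repeats compare equal."""
    return re.sub(r"\d+", "N", message)

def analyze(lines):
    """Return matching lines per pattern plus (host, program, message) keys seen often."""
    hits = {name: [] for name in PATTERNS}
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that are not syslog-shaped
        _stamp, host, program, message = m.groups()
        for name, pattern in PATTERNS.items():
            if pattern.search(message):
                hits[name].append(line)
        counts[(host, program, normalize(message))] += 1
    hits["repeated"] = [(key, n) for key, n in counts.items() if n >= REPEAT_THRESHOLD]
    return hits

# Constructed sample log lines in /var/log/messages style (not real traffic)
SAMPLE_LOG = """\
Dec 17 10:01:02 wopr sshd[1201]: Failed password for invalid user admin from 10.0.0.5 port 4432 ssh2
Dec 17 10:01:05 wopr sshd[1203]: Failed password for invalid user admin from 10.0.0.5 port 4438 ssh2
Dec 17 10:01:09 wopr sshd[1207]: Failed password for invalid user admin from 10.0.0.5 port 4441 ssh2
Dec 17 10:02:00 wopr kernel: ufs: /var: file system full
Dec 17 10:03:30 wopr su: FAILED SU (to root) evi on /dev/pts/2
Dec 17 10:04:00 wopr cron[300]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for name in ("security", "disk_full"):
        print(f"{name}: {len(report[name])} line(s)")
    for (host, program, message), n in report["repeated"]:
        print(f"repeated {n}x on {host} by {program}: {message}")
```

Feeding `analyze()` the output of `tail -f` on the log and mailing non-empty reports is the "send email to you" step; normalizing digits before counting is what lets the three sshd lines, which differ only in pid and port, be recognized as one repeated message.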