Syslog Howto
From LinodeWiki
Contents |
[edit] Syslog Overview
What gets logged by syslogd and where it goes is controlled by /etc/syslog.conf. A modern system uses syslog to centralize logging.
Here's how it works: A developer uses the syslog API function (or uses the logger program in shell scripts) to send log messages to syslogd. The information passed to syslogd includes the source of the log message (called a facility) and the priority of the log message.
syslogd then matches the facility and priority against selectors (combinations of facilities and priorities) in its configuration file. For the selector(s) that match the messages is sent to the corresponding destination(s).
Note that many PAM modules send log messages to syslogd. Also, some systems have a separate log daemon for the kernel, klogd, that you may need to configure.
Most log files go under /var/log directory. Besides the more specific log files, there is a general system log file usually called messages. Other important log files to monitor include: boot.log, dmesg (also the dmesg command), maillog, secure, wtmp (examine with the last command).
Log files contain sensitive information! You must protect these files by setting permisions carefully!
[edit] syslog.conf Syntax
Aside from blank lines and comment lines, syslog.conf has lines with two parts:
- The selector says what messages to log: Facilities and Priorities
- The action says what to do with them: Files, Users, Pipes (i.e., where the message goes)
Each log message is matched against the selectors. For each matching selector, the associated action is done.
[edit] Syslog Selectors
The source of a log message is referred to as a facility. For example any email related program that sends a log message uses the mail facility no matter what the name of the program actually was.
[edit] Facilities
There is no way to define your own facilities but there are many predefined ones:
| Facility | Description |
|---|---|
| auth | The authorization system. Ex.: login, su, ftpd, rshd |
| authpriv | User access messages use this |
| cron | Used by the cron facility |
| daemon | Other daemon programs without a facility of their own |
| ftp | Used by ftp applications |
| kern | Kernel messages |
| lpr | The line printer spooling system |
| Used by mail applications | |
| mark | Used by syslogd to produce timestamps in log files |
| news | Used by news applications |
| security | Same as auth. Should not be used anymore. |
| syslog | |
| user | Messages generated by random user processes. Default. |
| uucp | UUCP messages |
| local0 – local7 | Reserved for local use. |
| * | For all |
Note that syslog trusts the software to use the correct facility when sending a log message.
Due to the limited number of facilities available, it is inevitable that some services will wind up using the same facility for their log messages. Syslog allows programs to supply an identifying string, known as a tag, that syslog will prepend to each line of the log messages. This permits easy selection using grep or other tools, to filter only the log messages of interest.
[edit] Priorities
The priority defines the severity of the message and is one of the following eight levels, which are ranked in order from high to low priority:
| Security Level | Priority | Keyword | Description |
|---|---|---|---|
| 0 | emergencies | emerg, panic | A panic condition. This is normally broadcast to all users |
| 1 | alerts | alert | Inmmediate action required. e.g.: Corrupted system database |
| 2 | critical | crit | Critical condition. e.g.: Hard device errors |
| 3 | errors | err, error | Error conditions |
| 4 | warning | warning, warn | Warning conditions |
| 5 | notifications | notice | Normal but significant conditions that need attention |
| 6 | informational | info | Informational messages |
| 7 | debugging | debug | Debugging messages |
The keywords error, warn and panic are deprecated and should not be used anymore. When specifying a priority, all higher priorities are selected too. The keyword none may be used to disable a facility
A selector is one or more facilities (separated by commas), a dot, then the priority.
Some example selectors:
| Selector | Description |
|---|---|
| mail.* | mail facility, any priority |
| mail.debug | mail facility, debug or higher priority (same as *) |
| mail,news.* | all messages from mail or news |
| auth.warning | all security messages of warning or higher priority |
| *.info | all messages from any facility except debug msgs |
| *.=info | any facility, info msgs only (and not higher) |
| *.!err | any facility, pri <= err only |
| *.!=alert | any facility, any priority except alert |
| *.info;mail,news,authpriv.none | all msgs with info or higher priority except mail, news, and authpriv |
That last one is tricky. Using multiple selectors on a single line this way allows you to specify a general category first, then for the matching log messages you can specify exceptions. Always go from most general selector to most specific or your setup may not log what you think it should!
[edit] Syslog Actions
- files
- users
- pipes
Log messages don't only have to go to files, you can direct them to user terminals, run them through other programs (with a pipe, to email, pager, or just a log file analyzer), or send them to another host running syslogd.
(This last is handy if you have a network of computers you must monitor. Besides consolidating many log files, there is great security in using a remote log server that has no other services on it. This is because when a server is hacked the attacker usually destroys the log files. This scheme protects against disk crashes too.)
Here's the syntax for the actions:
| Action | Description |
|---|---|
| /complete/path/of/some/file | Messages logged to a file |
| /dev/console | This is a link to the system console |
| -/complete/path/of/some/file | Don't flush file each time; better performance but risks loss of some log info |
| username1[,username2 ...] | Users that will get the message |
| * | All logged in users get the message |
| @remotehost | Log to remote host. Start the remote syslogd with "-r" option |
| |/path/to/named/pipe | To send output to a command you must create a named pipe, say /var/lib/cmd.pipe with the mkfifo command. Then start the command with cmd </var/lib/cmd.pipe |
[edit] logger
Using logger
logger [-p facility.priority] [-t tag] message
The default selector is user.info, and the default tag is logger.
Original Link:
Syslog and Log File Rotation Tutorial
References:
