10.1. System Logging

Logging is the process of recording events as they transpire. All operating systems generate events based on a system administrator's (or a default) configuration. Fortunately, both FreeBSD and OpenBSD give us a good starting point, with pretty reasonable default configurations. Applications installed on the operating system often also generate events and log them using the operating system's logging mechanism or in their own logfiles.

Logs help administrators diagnose problems with applications, provide instant warning and alert capability (which can be hooked into something that sends an email or page), and serve as fodder for forensic analysis. They help answer trivial questions such as "What errors did my application produce?" and help solve far more complex mysteries. It might take several logfiles, for example, to follow a user who logged into one system and, through some sequence of events, managed to gain escalated privileges on another.

The process of analyzing (often) disparate logfiles to determine how one event A eventually leads to another event Z is called auditing. The set of interrelated events that you identify between A and Z in the analysis is the audit trail. An audit trail does not really exist without a question you are trying to answer: it is the person or piece of data whose progress through your systems you are trying to trace that defines the trail. Building an audit trail requires that you have set up logging appropriately on your systems.
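As an added illustration of the auditing process described above (example code, not from the book), the following script merges syslog-style authlog lines from two hosts, keeps the events attributable to one user, orders them by time, and flags the points at which that user obtained root. The log lines are constructed sample data; the line layout assumed is the classic BSD syslogd(8) format, "Mon DD HH:MM:SS host prog[pid]: message", and the year is an assumption supplied by the caller because syslog timestamps omit it.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Added example, not the book's code. Assumes BSD syslog line layout and
# the constructed sample logs below (not real systems or users).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Patterns that name the acting user in a few common authlog messages.
USER_PATTERNS = [
    re.compile(r"^Accepted \S+ for (?P<user>\S+) from"),   # sshd login
    re.compile(r"^\s*(?P<user>\S+) : TTY="),               # sudo
    re.compile(r"^(?P<user>\S+) to (?P<target>\S+) on"),   # su
]
ESCALATION_RE = re.compile(r"USER=root|\bto root\b")

# Constructed /var/log/authlog excerpts from two hosts (sample data).
AUTHLOG_HOSTA = """\
Mar  4 09:12:01 hosta sshd[4132]: Accepted publickey for alice from 10.0.0.5 port 51122 ssh2
Mar  4 09:15:44 hosta sshd[4132]: Received disconnect from 10.0.0.5: 11: disconnected by user
Mar  4 09:16:10 hosta sshd[4190]: Accepted password for bob from 10.0.0.9 port 40011 ssh2
"""
AUTHLOG_HOSTB = """\
Mar  4 09:13:20 hostb sshd[2211]: Accepted publickey for alice from 10.0.0.20 port 60001 ssh2
Mar  4 09:13:58 hostb sudo:    alice : TTY=ttyp0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/sh
Mar  4 09:14:30 hostb su: alice to root on /dev/ttyp0
"""


@dataclass
class Event:
    ts: datetime
    host: str
    prog: str
    pid: Optional[int]
    msg: str
    user: Optional[str]


def parse_log(text: str, year: int) -> List[Event]:
    """Parse BSD syslog lines; syslog omits the year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a syslog-formatted line; skip it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        msg = m["msg"]
        user = None
        for pat in USER_PATTERNS:
            um = pat.search(msg)
            if um:
                user = um["user"]
                break
        pid = int(m["pid"]) if m["pid"] else None
        events.append(Event(ts, m["host"], m["prog"].strip(), pid, msg, user))
    return events


def audit_trail(user: str, logs: List[str], year: int) -> List[Event]:
    """Merge every host's log, keep events attributable to `user`, order by time."""
    merged = [e for text in logs for e in parse_log(text, year) if e.user == user]
    return sorted(merged, key=lambda e: (e.ts, e.host))


def escalations(trail: List[Event]) -> List[Event]:
    """Events in the trail where the user obtained root via sudo or su."""
    return [e for e in trail if e.prog in ("sudo", "su") and ESCALATION_RE.search(e.msg)]


def format_trail(trail: List[Event]) -> str:
    return "\n".join(f"{e.ts:%b %d %H:%M:%S} {e.host:<6} {e.prog:<5} {e.msg}" for e in trail)


if __name__ == "__main__":
    # Year 2005 is an assumed value for the sample data.
    trail = audit_trail("alice", [AUTHLOG_HOSTA, AUTHLOG_HOSTB], year=2005)
    print(format_trail(trail))
    print(f"{len(escalations(trail))} privilege escalation(s) found")
```

Ordering events from different hosts by timestamp is only meaningful when those hosts' clocks agree, so keep them synchronized (for example with ntpd) if you expect to build cross-host audit trails; the example also shows why a line that does not name a user (the disconnect message) drops out of the trail unless you correlate it by the sshd process ID instead.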

Logging, despite being a fairly well-understood concept, is frequently overlooked by administrators. Most administrators of Unix-based operating systems either minimally configure the logging functionality or they leave the default configuration intact. FreeBSD and OpenBSD administrators expect to find their maillog, messages log, and other logfiles in /var/log, and some choose not to adjust the logging configuration. Unfortunately, without carefully examining the way your system and installed applications are set up to create logs, you probably will not have the information you need to build an audit trail when you need one.

As promised in Chapter 3, we revisit the topic of configuring syslogd(8) in this chapter. We explore some of the places we can send logfiles, and look at the factors that affect our decision-making process. Of course, no discussion about logging is complete without covering log rotation and retention. Finally, we examine some of the popular automated log-checking and system-monitoring tools available for the BSD operating systems.

    Mastering FreeBSD and OpenBSD Security