Configure the syslog Daemon


syslog is the Linux system s default logging daemon. The default location for syslog s configuration file is /etc/syslog.conf. The syslog daemon is configurable and allows you to specify exactly where you want each type of system message to go. First, we will look at a format for a single line of syslog.conf since they all follow the same formatting. Then we will look at the whole syslog configuration file. A syslog configuration line looks like this:

 mail.*                                         /var/log/mail 

This line consists of two parts . First there is a selector or selectors, which in this case is mail . The selector section is followed by some white space and then an activity section, which in this case is

 /var/log/mail 

The Selector Component

The selector component itself is broken into two parts separated by a period. The first piece is a facility and the second is a priority.

The selector is really a category for the message type. This helps you separate the kinds of messages into different places. syslog s configuration supports more than one selector on a line as long as they are separated by a semicolon. In our example there is only the one selector mail . In the next section, we show the whole syslog configuration and there are several examples of lines with multiple selectors. Table 12-1 lists the selectors recognized in most flavors of the Linux operating system.

Table 12-1: Selector Components

Facility

Description

Symbol in sys/syslog.h

syslog Number

kern

Kernel messages

LOG_KERN

user

User processes

LOG_USER

1

mail

Mail

LOG_MAIL

2

daemon

Background processes

LOG_DAEMON

3

authpriv

Authorization

LOG_AUTH

4

syslog

System logging

LOG_SYSLOG

5

lpr

Printing messages

LOG_LPR

6

news

Usenet news

LOG_NEWS

7

uucp

Unix-to-Unix copy program

LOG_UUCP

8

       

cron

Cron scheduled tasks

LOG_CRON

9

local0-local7

Local use

LOG_LOCALn

16 “23

*

Wildcard for any facility

   

Priorities

Priorities are the second part of a selector. Priorities are urgency rankings for the message. The programmer of an application decides in advance what the level of urgency is for any application message, so you must live with the priority any given message has unless you want to start recompiling your system applications. Table 12-2 shows the possible priorities in increasing level of severity.

Table 12-2: Priorities

Priority

Meaning

Symbol in syslog.h

syslog Number

debug

Debug level “ verbose

LOG_DEBUG

7

info

Informational messages

LOG_INFO

6

none

Log none of the messages

Not Defined

 

notice

Normal yet important messages

LOG_NOTICE

5

warning

Warning messages

LOG_WARNING

4

err

Error messages

LOG_ERR

3

crit

Important messages

LOG_CRIT

2

alert

Urgent messages

LOG_ALERT

1

emerg

Emergency messages

LOG_EMERG

Priorities are different from facilities because they are on a continuum. When an unmodified selector is used, it really means the minimum threshold and all increasingly urgent message types. So, if the priority warning is used in a selector it actually includes warning , err , crit , alert , and emerg .

Priority Modifiers

syslog s configuration permits you to modify priorities through the use of the three specifiers: the asterisk ( * ), the equal sign ( = ), and the exclamation mark ( ! ). If you understand regular expressions, these modifiers will be familiar and intuitive.

The asterisk ( * ) means that all messages for the facility are sent to the activity component. Just like when it s used in a regular expression, the asterisk means everything. In the example line mail.* this is exactly what is happening ”all possible priorities are sent to the action. Using a specifier of * is exactly the same as using a specifier of debug , because a specifier means the minimum plus the rest.

The equal sign ( = ) limits only the specified priority to be sent to the activity. You might use this to send only debug messages without sending the increasingly urgent messages, which is a decent approach with production applications. The equal sign is used to single out an individual message priority. As in its use in programming, the equal sign means equivalence.

The exclamation mark ( ! ) is another way to limit the priorities sent to the activity using an exception. It is a form of negation. For instance, this syslog line

 mail.*;mail.!info          /var/adm/mail 

would send all mail messages except the info ones to the logfile /var/adm/mail. This is because mail.* sends all the messages, but mail.!info blocks the info ones. As in its use in programming, the exclamation mark means not.

The Activity Component

Logged information can be divided among multiple files, sent to named pipes, to programs, and even to other machines, as explained in the next section. The syslog configuration file is straightforward and easy to read and work with. The information in the comments is useful and you should be sure to read it. This next code listing shows the default syslog.conf from SUSE. The default syslog.conf from Red Hat is

very similar and a little shorter. (Comment lines start with # .)

 # /etc/syslog.conf - Configuration file for syslogd(8) # # For info about the format of this file, see "man syslog.conf".   # # print most on tty10 and on the xconsole pipe   # kern.warn;*.err;authpriv.none     /dev/tty10   kern.warn;*.err;authpriv.none    /dev/xconsole   *.emerg                 * # enable this, if you want that root is informed   # immediately, e.g. of logins  #*.alert                 root   # # all email-messages in one file   # mail.*                -/var/log/mail   # # all news-messages   # # these files are rotated and examined by "news.daily" news.crit            -/var/log/news/news.crit   news.err            -/var/log/news/news.err news.notice            -/var/log/news/news.notice   # enable this, if you want to keep all news messages   # in one file   #news.*                -/var/log/news.all   # # Warnings in one file   # *.=warn;*.=err            -/var/log/warn   *.crit                 /var/log/warn   # # save the rest in one file   # *.*;mail.none;news.none        -/var/log/messages   # # enable this, if you want to keep all messages   # in one file   #*.*                -/var/log/allmessages   # # Some foreign boot scripts require local7   # local0,local1.*            -/var/log/localmessages   local2,local3.*            -/var/log/localmessages   local4,local5.*            -/var/log/localmessages   local6,local7.*            -/var/log/localmessages 
Heads Up  

If the syslog daemon needs to write to a logfile it can often have implications on performance. A hyphen ( - ) in front of a logfile name as shown in the previous example tells syslogd not to sync the file system for the messages written to that particular logfile. This will reduce the load on the server, but it reduces the integrity of the system logging.

The downside of waiting to sync the logfiles is that if the system crashes, some log messages may be lost. When you want to know exactly what is going on at all times, you need everything to be written to log as soon as it happens. Of course this depends on the amount of activity on your system and may not be practical if there are several activities per second or many thousand activities per day. You need to determine what is reasonable for yourself since the way things are set up will alter how syncing affects your situation. The way to have immediate logging influence your server the least is to have the logs on a partition serviced by a separate controller and hard drive from the controller and hard drive running the applications and operating system.




Hardening Linux
Hardening Linux
ISBN: 0072254971
EAN: 2147483647
Year: 2004
Pages: 113

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net