Hack 58. Tune Up Your Asterisk Logs
How much log detail is too much? That depends on whom you ask. Asterisk's log output can be pretty granular, which is bad for disk utilization and good for troubleshooting.
Log analysis should be the core of your daily system monitoring and security activities. Like other softPBX servers, Asterisk supports flexible logging, providing several levels of logging detail in several different files. It also supports using syslog.
You configure Asterisk logging in the /etc/asterisk/logger.conf file, which Asterisk reads at startup. The first section of the file is [general], where you can assign a value to the dateformat option to specify the date format used in Asterisk's logs. To figure out the syntax of the date formats, read the manpage for strftime() by running man strftime.
The next section, [logfiles], describes which files should be used for logging output and how detailed each should be. The syntax for this section is:
filename => level,level,level…
Consider the following logging configuration:
[general]

[logfiles]
messages.log => notice,warning,error
debug.log => notice,warning,error,debug,verbose
In this example, messages.log will contain a digest version of Asterisk's logging output, and debug.log will get everything in minute detail. Be careful with logs, though: Asterisk won't start once a logfile reaches 2 GB in size. On a busy system, a file like the preceding debug.log would hit that size pretty quickly, so make sure your logfile rotation includes Asterisk.
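A size watchdog for the situation just described, added here as an example and not taken from the book: it reports any logfile in astlogdir over a chosen threshold (1 GiB here, well under the 2 GB ceiling) and asks the running Asterisk to reopen its logs with the CLI command logger rotate. The directory and the limit are assumptions you should adjust.

```shell
#!/bin/sh
# Added example: warn before Asterisk logfiles hit the 2 GB limit and rotate them.
# Assumes the default astlogdir of /var/log/asterisk (override with ASTLOGDIR);
# LIMIT is a chosen value, not something Asterisk itself enforces.

LOGDIR="${ASTLOGDIR:-/var/log/asterisk}"
LIMIT=$((1024 * 1024 * 1024))   # 1 GiB: act well before the 2 GB ceiling

# Print every *.log in directory $1 larger than $2 bytes.
# Returns 0 when all files are under the limit, 1 when at least one is over.
check_log_sizes() {
    dir="$1"; limit="$2"; over=0
    for f in "$dir"/*.log; do
        [ -f "$f" ] || continue
        size=$(wc -c < "$f" | tr -d ' ')
        if [ "$size" -gt "$limit" ]; then
            printf '%s: %s bytes exceeds %s\n' "$f" "$size" "$limit"
            over=1
        fi
    done
    return $over
}

# Ask the running Asterisk to close and reopen its logfiles ("logger rotate"),
# so the oversized files can be archived without losing new entries.
rotate_asterisk_logs() {
    if command -v asterisk >/dev/null 2>&1; then
        asterisk -rx 'logger rotate'
    else
        echo "asterisk CLI not found; rotate the logs manually" >&2
        return 1
    fi
}

main() {
    if ! check_log_sizes "$LOGDIR" "$LIMIT"; then
        rotate_asterisk_logs
    fi
}

main
```

Run it from cron alongside your regular logrotate job; the rotated files still need to be archived or compressed by that job.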
If you use console as a logfile name, Asterisk will assume you mean the console device, not an actual logfile. So, if you add this to the [logfiles] section, the desired level of logging will be output to the console session where Asterisk is launched:
[logfiles]
console => warning,error
Some attackers cover their tracks by removing commonly used logfiles that could contain evidence of their tampering with the system. So it's generally a good idea to keep logfiles in a nondefault place. That way, if an attacker uses an automated program to remove logfiles, the program will be less likely to find and destroy Asterisk's logs.
To change Asterisk's default log location, edit /etc/asterisk/asterisk.conf and change the astlogdir directive to a path of your choosing. (Then make sure the permissions on that path allow the Asterisk user to write files there.) A sample asterisk.conf follows:
[directories]
astetcdir => /etc/asterisk
astmoddir => /usr/lib/asterisk/modules
astvarlibdir => /var/lib/asterisk
astlogdir => /var/log/asterisk
astagidir => /var/lib/asterisk/agi-bin
astspooldir => /var/spool/asterisk
astrundir => /var/run/asterisk
Syslog can be a target for Asterisk logging output, too. To enable it, use a syslog keyword in the [logfiles] section, similar to the console keyword:
syslog.local0 => warning,error