CIS 238 Syslog - PowerPoint PPT Presentation

About This Presentation
Title:

CIS 238 Syslog

Description:

Logrotate automation UNIX ... Office Theme CIS 238 Syslog Syslog Syslog Syslog Logrotate Logrotate automation Logwatch Logwatch files Security today ... – PowerPoint PPT presentation

Number of Views:108
Avg rating:3.0/5.0
Slides: 10
Provided by: RRDo5
Learn more at: https://www.oakton.edu
Category:
Tags: cis | automation | syslog

less

Transcript and Presenter's Notes

Title: CIS 238 Syslog


1
CIS 238Syslog
  • System logging and monitoring

2
Syslog
  • (r)syslog is a utility for tracking and logging
    all manner of system messages from the merely
    informational to the extremely critical. Sysogs
    stored in
  • In LINUX, system logs are stored in /var/log.
    System messages are recorded in
    /var/log/messages. Other OSes may use different
    files in different directories (e.g. /var/adm).
  • Each system message sent to the syslog server has
    two descriptive labels associated with it that
    makes the message easier to handle.
  • - The first describes the function (facility)
    of the application that generated it. For
    example, applications such as mail and cron
    generate messages with easily identifiable
    facilities named mail and cron.
  • - The second describes the degree of severity of
    the message.

3
Syslog
  • Severity Level Keyword Description
  • 0 emergencies System unusable
  • 1 alerts Immediate action required
  • 2 critical Critical condition
  • 3 errors Error conditions
  • 4 warnings Warning conditions
  • 5 notifications Normal but significant conditions
  • 6 informational Informational messages
  • 7 debugging Debugging messages

4
Syslog
  • The files to which syslog writes each type of
    message received is set in the /etc/rsyslog.conf
    configuration file. In older versions of Fedora,
    this file was named /etc/syslog.conf.
  • This file consists of two columns. The first
    lists the facilities and severities of messages
    to expect and the second lists the files to which
    they should be logged. By default,
    RedHat/Fedora's /etc/rsyslog.conf file is
    configured to put most of the messages in the
    file /var/log/messages.
  • Example
  • .infomail.noneauthpriv.nonecron.none
    /var/log/messages
  • Note other services may record messages in other
    files (e.g. sendmail)
  • Syslog is also a network service. A common
    implementation is to forward system info to a
    common syslog server. See /etc/rsyslog.conf for
    client /server options
  • Logs compressed, ,stored and optionally e-mailed
    by the logrotate function. Definitions stored in
    /etc/logrotate.conf and /etc/logrotate.d

5
Logrotate
  • Log management for LINUX and UNIX
  • Basic config file is /etc/logrotate.conf
  • Individual package package config files
    in/etc/logrotate.d usually configured during
    package installation
  • Each config file specifies logfile list, rotate
    interval, rotation count, log size, compression
    options, postrotate command to perform a function
    after the log has been copied.

6
Logrotate automation
  • UNIX systems require use of a specific CRON job
  • LINUX automatically includes logrotate in
    ANACRON.
  • ANACRON is an automatic CRON list created for
    system functions such as logtotate or tripwire.
    It is an extension of CRON.
  • See /etc files anacron, cron.daily, cron.weekly,
    cron.monthly. Also /var/spool/anacron

7
Logwatch
  • Default freeware log monitoring tool
  • Runs in Perl
  • Numerous other pay for play tools
  • Logrobot
  • Nagios
  • Logstash
  • Graybar

8
Logwatch files
  • System specific config /etc/logwatch
  • Default config /usr/share/logwatch/default.conf/
  • Distro specific config /usr/share/logwatch/distro
    .conf/
  • Directories
  • conf /.conf, conf/logfiles, conf/services
  • scripts/services
  • Always copy default, distro files to local
    /etc/logwatch for modification
  • Priority sequence
  • - /etc/logwatch
  • - /usr/share/logwatch/distro.conf
  • - /usr/share/logwatch/default.conf

9
Security today
  • Governement regulations
  • HIPAA
  • PCI-DSS
  • SOX
  • No clear text applications FTP, TELNET, NFS,
    RCP, RCMD, HTTP
  • Restricted access, minimum to do the job
  • Most legacy 3rd party apps are now commercial
    products
  • - ssh
  • - Nagios
  • - Tripwire
  • - PGP
  • Some have freeware equivalents, but fewer over
    time.
Write a Comment
User Comments (0)
About PowerShow.com