Title: syslog and log files
1 syslog and log files
2- One integral part of any UNIX system are the
logging facilities. - The majority of logging in Linux is provided by
two main programs, sysklogd and klogd, the first
providing logging services to programs and
applications, the second providing logging
capability to the Linux kernel. - Klogd actually sends most messages to the syslogd
facility but will on occasion pop up messages at
the console (i.e. kernel panics). - Sysklogd actually handles the task of processing
most messages and sending them to the appropriate
file or device, this is configured from within
/etc/syslog.conf. - By default most logging to files takes place in
/var/log/.
3 Rotating log files
A common way to keep logging information for a fixed period is rotation. You keep backup files that are one day old, two days old, and so on. Each day a script or utility program renames the files to push older data toward the end of the chain.
Example: a rotation policy for a log file called logfile

    #!/bin/sh
    # shift each backup one step further down the chain
    cd /var/log
    mv logfile.2 logfile.3
    mv logfile.1 logfile.2
    mv logfile logfile.1
    # start a fresh, empty log readable only by its owner
    cat /dev/null > logfile
    chmod 600 logfile

Every day the oldest file at the end of the chain is lost: with a seven-day chain, logfile.7 is lost as logfile.6 overwrites it.
4 Linux log files
- For the most part, Linux packages send their logging information to files in the /var/log directory. On some distributions logs are also stored in /var/adm.
- Special log files
  - /var/log/wtmp contains a record of user logins and logouts, plus entries that indicate when the system was rebooted or shut down. It should be rotated.
  - /var/log/lastlog records only the time of the last login for each user. It is a binary file, indexed by UID. It does not need to be rotated because its size stays constant unless new users log in.
  - The checksecurity utility runs every day (from /etc/cron.daily/standard) to enumerate the system's complement of setuid programs (setuid.changes, setuid.today, setuid.yesterday).
5 Managing Your Log Files
One common problem is figuring out what to do
with all of the log messages. If you do a lot of
logging (particularly if everything is sent to a
central server), you can fill up your filesystem
faster than you think. The most obvious and
direct solution is to remove them after a
specific length of time or when they reach a
particular size. As its name implies, the goal of
the logrotate program is to "rotate" log files.
This could be as simple as moving a log file to a
different name and replacing the original with an
empty file.
6 logrotate manages log files
A logrotate configuration file consists of a series of specifications for groups of log files to be managed.
Example log rotation policy:

    # global options
    errors sa-book@admin.com
    rotate 5
    weekly
    # logfile rotation definitions and options
    /var/log/messages {
        postrotate
            /bin/kill -HUP `cat /var/run/syslogd.pid`
        endscript
    }
    /var/log/samba/*.log {
        notifempty
        copytruncate
        sharedscripts
        postrotate
            /bin/kill -HUP `cat /var/run/syslogd.pid`
        endscript
    }
7 syslog, the system event logger
- syslog is a comprehensive logging system. It consists of 3 parts:
  - syslogd, the logging daemon (along with its config file, /etc/syslog.conf)
  - openlog and related library routines that submit messages to syslogd
  - logger, a user-level command that submits log entries from the shell
8 syslog, the system event logger
- syslogd is started at boot time and runs continuously.
- syslogd reads messages from /dev/log, consults its configuration file, and dispatches each message to the appropriate destinations.
- klogd is responsible for retrieving messages from the kernel's internal log buffer and forwarding them to syslogd.
- A hangup signal (HUP, signal 1) causes syslogd to close its log files, reread its configuration file, and start logging again.
- A TERM signal causes syslogd to exit.
- syslogd writes its process ID to the file /var/run/syslogd.pid.
9 Configuring syslogd
The configuration file /etc/syslog.conf controls syslogd's behavior. The basic format is

    selector <tab> action

For example:

    mail.info    /var/log/maillog

causes messages from the email system to be saved in the file /var/log/maillog. Within the selector, mail is the facility (message category) and info is the level of priority; /var/log/maillog is the action.
10 Facilities
Facilities are simply categories. Supported facilities in Linux:

    Syslog facility   Associated subsystem
    authpriv          Login authentication
    cron              cron subsystem
    daemon            System server processes
    kern              Linux kernel
    lpr               Spooling subsystem
    mail              Mail subsystem
    news              News subsystem
    localN            Locally-defined syslog facilities (N runs from 0 to 7)
11 Priorities
Unlike facilities, which have no relationship to each other, priorities are hierarchical. Possible priorities in Linux are (in increasing order of urgency) debug, info, notice, warning, err, crit, alert and emerg. As with facilities, the wildcards * and none are accepted. A priority may be preceded by either or both of the modifiers = and !.

    Severity level   Keyword         Description
    0                emergencies     System unusable
    1                alerts          Immediate action required
    2                critical        Critical condition
    3                errors          Error conditions
    4                warnings        Warning conditions
    5                notifications   Normal but significant conditions
    6                informational   Informational messages
    7                debugging       Debugging messages
12 Example

    *.info;mail.none;authpriv.none;cron.none        /var/log/messages

In this case, all messages of severity "info" and above are logged, but none from the mail, cron or authentication facilities/subsystems.

    Selector                     Meaning
    mail.info                    Select mail-related messages of info priority and higher
    mail.=info                   Select only messages at info priority
    mail.info;mail.!err          Select only priorities info, notice and warning
    mail.debug;mail.!=warning    Select all priorities except warning
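The selector rules of slides 11 and 12 (hierarchical priorities, *, none, = and !) are easy to get wrong when editing syslog.conf; the following added example, not part of the slides, evaluates a selector the way sysklogd does so a line can be checked before a HUP. The names matches, dispatch, PRIORITIES and the SMALL_NET sample are ours; it assumes parts are joined by ";" and that a later part overrides an earlier one for the same facility.

```python
# Added example: evaluate syslog.conf selectors as sysklogd does.
# Assumption: parts are ';'-separated, facilities may be ','-separated, and a
# later part overrides an earlier one for the same facility (which is how
# "mail.none" cancels an earlier "*.info").
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]


def matches(selector, facility, priority):
    """Return True if a message of (facility, priority) is dispatched by selector."""
    level = PRIORITIES.index(priority)
    selected = False
    for part in selector.replace(" ", "").split(";"):
        facs, _, prio = part.rpartition(".")
        # the part applies only if its facility list names our facility (or '*')
        if facs != "*" and facility not in facs.split(","):
            continue
        if prio == "none":              # e.g. mail.none: drop this facility entirely
            selected = False
            continue
        negate = prio.startswith("!")   # '!' excludes instead of selecting
        prio = prio.lstrip("!")
        exact = prio.startswith("=")    # '=' means this priority only
        prio = prio.lstrip("=")
        if prio == "*":
            hit = True
        else:
            threshold = PRIORITIES.index(prio)
            hit = level == threshold if exact else level >= threshold
        if hit:
            selected = not negate
    return selected


def dispatch(config, facility, priority):
    """Return the actions whose selector matches, for (selector, action) pairs."""
    return [action for selector, action in config if matches(selector, facility, priority)]


# Constructed sample config: the stand-alone machine example from slide 14.
SMALL_NET = [
    ("*.emerg", "*"),
    ("*.warning;daemon,auth.info;user.none", "/var/log/messages"),
    ("lpr.debug", "/var/log/lpd-errs"),
]

if __name__ == "__main__":
    print(dispatch(SMALL_NET, "auth", "info"))   # ['/var/log/messages']
    print(dispatch(SMALL_NET, "lpr", "emerg"))   # all three actions
```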
13 Action
In practice, most log messages are written to files. If you list the full path to a filename as a line's action in syslog.conf, messages that match that line will be appended to that file. (If the file doesn't exist, syslog will create it.) You can send messages other places too. An action can be a file, a named pipe, a device file, a remote host or a user's screen.

    Action           Meaning
    filename         Writes the message to a file on the local machine
    @hostname        Forwards the message to syslogd on host hostname
    @ipaddress       Forwards the message to the host at IP address ipaddress
    |fifoname        Writes the message to the named pipe fifoname
    user1,user2,...  Writes the message to the users' screens
    *                Writes the message to all users who are logged in
14 Config file examples
A stand-alone machine on a small network:

    # small network syslog.conf file
    # emergencies: tell everyone who is logged on
    *.emerg                                 *
    # important messages
    *.warning;daemon,auth.info;user.none    /var/log/messages
    # printer errors
    lpr.debug                               /var/log/lpd-errs
15 Config file examples
A client machine on a larger network:

    # emergencies: tell everyone who is logged on
    *.emerg;user.none                   *
    # forward important messages to the central logger
    *.warning;lpr,local1.none           @netloghost
    daemon,auth.info                    @netloghost
    # send local stuff to the central logger too
    local2.info;local0,local7.debug     @netloghost
    # cardd logs through facility local1: send to boulder
    local1.debug                        @boulder.colorado.edu
    # keeping printer errors local
    lpr.debug                           /var/log/lpd-errs
    # sudo logs to local2: keep a copy here too
    local2.info                         /var/log/sudo.log
    # keeping kernel messages local
    kern.info                           /var/log/kern.log
16 Designing a logging scheme for your site
The syslog config file can be customized for each host. Choose a stable machine as your logging server, one that is well secured and does not have many logins. Some very large sites may want to add more levels to the logging hierarchy. Unfortunately syslog retains the name of the originating host for only one hop. If host client sends some log entries to host server, which sends them on to host master, master will see the data coming from server, not from client.
17 Debugging syslog
The logger command is useful for submitting log entries from shell scripts. If you have just added the line

    local5.warning    /tmp/evi.log

to syslog.conf (and sent syslogd a HUP so it rereads the file), verify that it is working by running

    logger -p local5.warning "test message"

The line containing "test message" should be written to /tmp/evi.log.
18 Using syslog from programs
The library routines openlog, syslog, and closelog allow programs to use the syslog system. The Perl interface is described here. To import the definitions of the library routines, include this line at the beginning of your Perl script:

    use Sys::Syslog;

The openlog routine initializes logging using the facility name:

    openlog($ident, $logopt, $facility);
    # e.g. tag messages "adminscript", include the PID, fall back to the console
    openlog("adminscript", "pid,cons", "local4");

19 Using syslog from programs
The syslog routine sends a message to syslogd, which logs it at the specified priority:

    syslog($priority, $message, ...);
    syslog("info", "Delivery to %s failed after %d attempts", $user, $nAttempts);

The closelog routine closes the logging channel:

    closelog();
20 References
- Linux Administration Handbook, E. Nemeth, G. Snyder, T. R. Hein, Ch. 11
- Links
  - http://www.linuxjournal.com/article.php?sid=5476
  - http://www.linux-mag.com/1999-11/guru_04.html