Wednesday, 4 September 2019

Linux system logging


  • Linux uses the syslog standard for message logging.
  • Each message carries a facility (which subsystem produced it) and a priority (how severe it is); both are used to categorize and route messages.

Facility code   Keyword          Description

0               kern             Kernel messages
1               user             User-level messages
2               mail             Mail system
3               daemon           System daemons
4               auth             Security/authentication messages
5               syslog           Messages generated internally by syslogd
6               lpr              Line printer subsystem
7               news             Network news subsystem
8               uucp             UUCP subsystem
9               cron             Clock daemon
10              authpriv         Security/authentication messages
11              ftp              FTP daemon
12              ntp              NTP subsystem
13              security         Log audit
14              console          Log alert
15              solaris-cron     Scheduling daemon
16–23           local0 – local7  Locally used facilities


The priorities (in order of severity, 0 being the most severe) are:

Code   Keyword
0      emerg (or panic)
1      alert
2      crit
3      err (or error)
4      warning (or warn)
5      notice
6      info
7      debug

Syslog servers

syslogd
rsyslog
syslog-ng

rsyslog

/etc/rsyslog.conf is the main configuration file; it pulls in the per-application drop-in files under /etc/rsyslog.d/ with an include directive:
$IncludeConfig /etc/rsyslog.d/*.conf
(Newer rsyslog versions write the same thing in RainerScript style as include(file="/etc/rsyslog.d/*.conf" mode="optional").)

Logging rules

Each rule consists of two fields separated by whitespace: a selector field (facility.priority, where the priority matches that level and everything more severe; several selectors can be joined with ";") and an action field (the destination, usually a log file).

Example:
# Log anything 'warn' or higher.
# Exclude authpriv, cron, mail, and news. These are logged elsewhere.
# Don't log private authentication messages!
*.warn;authpriv.none;cron.none;mail.none;news.none    -/var/log/syslog

# The authpriv file has restricted access.
authpriv.*                                            /var/log/secure

# Log all the mail messages in one place. Use caching mode to improve I/O performance.
# The "-" before /var/log/maillog means use caching mode; you may lose some messages if the system crashes.
mail.*                                                -/var/log/maillog

# Log cron stuff.
cron.*                                                /var/log/cron

# Everybody gets emergency messages.
*.emerg                                               *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                        /var/log/spooler
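To see how the selector field decides where a message lands, here is a small added example (my own code, not from the original post or from rsyslog) that evaluates selectors with traditional syslogd semantics and routes a facility.priority pair through the rule table above; the rule table and the sample messages are constructed from this page's example.

```python
# Added example, not code from the original post: an evaluator for the classic
# syslog.conf/rsyslog selector syntax used in the rules above. It assumes
# traditional syslogd semantics: a priority matches itself and everything more
# severe, "none" drops a facility, "*" is a wildcard, and ";"-joined clauses
# apply left to right with later clauses overriding earlier ones. The "=" and
# "!" modifiers that rsyslog also accepts are not handled.

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "security",
              "console", "solaris-cron"] + [f"local{i}" for i in range(8)]
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}

def priority_code(name):
    return PRIORITIES.index(ALIASES.get(name, name))

def pri_value(facility, priority):
    """RFC 3164/5424 PRI field: facility * 8 + severity (user.notice -> 13)."""
    return FACILITIES.index(facility) * 8 + priority_code(priority)

def selector_matches(selector, facility, priority):
    """True if a message with the given facility.priority matches selector."""
    matched, sev = False, priority_code(priority)
    for clause in selector.split(";"):
        facs, _, prio = clause.strip().rpartition(".")
        if "*" not in facs.split(",") and facility not in facs.split(","):
            continue
        if prio == "none":
            matched = False
        elif prio == "*":
            matched = True
        else:  # lower code = more severe, so "warn" covers warning..emerg
            matched = sev <= priority_code(prio)
    return matched

# Rule table constructed from the rsyslog.conf example on this page.
RULES = [
    ("*.warn;authpriv.none;cron.none;mail.none;news.none", "-/var/log/syslog"),
    ("authpriv.*", "/var/log/secure"),
    ("mail.*", "-/var/log/maillog"),
    ("cron.*", "/var/log/cron"),
    ("*.emerg", "*"),
    ("uucp,news.crit", "/var/log/spooler"),
]

def route(facility, priority, rules=RULES):
    """Every action whose selector matches; one message can hit several rules."""
    return [act for sel, act in rules if selector_matches(sel, facility, priority)]
```

Running route("kern", "emerg") shows the message going both to /var/log/syslog and to every logged-in user (the "*" action), while route("authpriv", "err") lands only in /var/log/secure because the first rule excludes authpriv.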

Logger command

logger - a shell command interface to the syslog(3) system log module

logger [options] message

Where the important options are:
-p FACILITY.PRIORITY   log the message with the given facility and priority
-t TAG                 mark every line with the given tag
Valid facility names are:
auth
authpriv   for security information of a sensitive nature
cron
daemon
ftp
kern       cannot be generated from a userspace process; automatically converted to user
lpr
mail
news
syslog
user
uucp
local0 to local7
security   deprecated synonym for auth

Valid priority names are:

emerg
alert
crit
err
warning
notice
info
debug
panic     deprecated synonym for emerg
error     deprecated synonym for err
warn      deprecated synonym for warning

Logger examples


logger System rebooted                                    # default facility.priority, tagged with the login name
logger -p local0.notice -t HOSTIDM -f /dev/idmc           # log each line read from a file, with a custom tag
logger -n loghost.example.com System rebooted             # send to a remote syslog server instead of the local socket
logger -p mail.info -t test-message "Test message here."  # quote the message if it contains spaces
