Network Security Series (16): Linux Log Management, Part 2

Source: Internet
Author: User
Tags: syslog, system log, rsyslog

1. Managing the Log Service

On RHEL, the kernel and system logging functions are provided mainly by the rsyslogd service, whose configuration file is /etc/rsyslog.conf.

The rsyslogd service is installed and started automatically by default. Through /etc/rsyslog.conf you specify which messages are to be recorded and where they are written.

Example: view the main (non-comment) content of the configuration file /etc/rsyslog.conf. (The original article shows a screenshot of the file at this point.)

Each non-comment line in /etc/rsyslog.conf is one rule, and every rule has the following form:

message-type    action

The message type (the selector) specifies which messages the rule applies to, and the action tells rsyslogd what to do with them. The two fields are separated by whitespace (spaces or tabs).

The message type is written in the following format:

message-source.priority

that is, facility.priority in syslog terminology.

The "message source" (facility) indicates which subsystem the message came from. The main sources are:

  • authpriv: messages related to user security and authentication;

  • cron: messages related to scheduled tasks;

  • daemon: messages from general system daemons (services);

  • kern: messages from the system kernel;

  • mail: messages from the mail system;

  • local0 through local7: reserved for local use (for example, applications you configure to log to one of them).

The priority indicates how important the message is. The levels are listed below; the smaller the number, the higher the priority and the more important the message:

  • 0 emerg (emergency): a condition that makes the host system unusable.

  • 1 alert: a problem that must be dealt with immediately.

  • 2 crit (critical): a serious condition.

  • 3 err (error): an error occurred during operation.

  • 4 warning: an event that may affect system functions and that the user should be made aware of.

  • 5 notice: an event that does not affect normal operation but still deserves attention.

  • 6 info (information): general informational messages.

  • 7 debug: program or system debugging information.

In addition, an asterisk (*) may be used for the message source, for the priority, or for both, to stand for "all"; so *.* matches messages of every priority from every subsystem.

The action field defines what is done with a matching message. It can be one of the following:

  • /path/filename: append the message to the specified file; the name must be an absolute path, i.e. it must begin with a slash (/);

  • USERNAME: write the message to the terminal of the named user, if that user is currently logged in;

  • @HOSTNAME: forward the message to the specified log server (a single @ forwards over UDP; rsyslog uses @@HOSTNAME for TCP, which does not silently lose messages the way UDP can);

  • *: write the message to the terminals of all users who are currently logged in.

Thus the following rule in the file:

authpriv.*    /var/log/secure

means that messages of every priority related to user security and authentication are stored in the file /var/log/secure.

The priority part of the message type can be written in three ways:

  • ".": the named priority and every priority above it (more important, i.e. a smaller number) is recorded. For example, mail.info matches every message from the mail subsystem whose priority is info or higher, info itself included.

  • ".=": only messages of exactly the named priority are recorded; the other priorities are not.

  • ".!": negation. facility.!priority excludes the named priority and everything above it; to exclude just one priority, combine the two forms as facility.!=priority. Because the selectors of one rule are applied from left to right, the negated form is normally placed after a broader selector, as in mail.*;mail.!=info (all mail messages except those at priority info).

For example, the following rule:

mail.info    /var/log/maillog_info

records messages from the mail subsystem with priority info or higher in the file /var/log/maillog_info.

Also, if several message types should share the same action, the configuration file allows you to join multiple selectors with semicolons, as in the following rule:

*.info;mail.none;authpriv.none;cron.none    /var/log/messages

It means that messages of priority info or higher from every subsystem are stored in /var/log/messages, except those from the mail, authpriv and cron subsystems: the pseudo-priority none excludes a facility entirely, and because selectors are applied from left to right, the later mail.none, authpriv.none and cron.none override the earlier *.info for those three facilities. Those messages are instead handled by their own rules, such as the authpriv.* rule that writes to /var/log/secure.
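To make the selector semantics above concrete, the following Python script is an added example (it is not code from the original article or from rsyslog) that models the legacy facility.priority selector syntax: the ".", ".=", ".!" and ".!=" forms, the pseudo-priority none, the * wildcard, semicolon-joined selectors applied from left to right, and the whitespace-separated action. The configuration excerpt and the messages it routes are constructed for the example; loghost.example and /var/log/maillog_info are placeholder names, and only the classic selector syntax is modelled, not rsyslog's property-based filters or RainerScript.

```python
"""Model the legacy syslog/rsyslog selector syntax (facility.priority).

Added example, not rsyslog's own code. It implements the classic selector
rules only: '.', '.=', '.!', '.!=' and the pseudo-priority 'none', with '*'
as a wildcard, ';' joining several selectors in one rule (applied left to
right, later ones overriding earlier ones for the facilities they name),
and the action separated from the selectors by whitespace.
"""

# Standard syslog priorities: a smaller number is more important.
PRIORITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}

# Standard syslog facilities (the article lists the most common ones).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp",
] + [f"local{i}" for i in range(8)]


def build_mask(selectors):
    """Return {facility: set of accepted priority names} for a selector field.

    Selectors are processed left to right, so '*.info;mail.none' first
    enables info-and-above for every facility and then disables mail again.
    """
    mask = {f: set() for f in FACILITIES}
    for sel in selectors.split(";"):
        fac_part, dot, spec = sel.strip().rpartition(".")
        if not dot or not fac_part:
            raise ValueError(f"bad selector: {sel!r}")
        facs = FACILITIES if fac_part == "*" else [f.strip() for f in fac_part.split(",")]
        negate = spec.startswith("!")           # '.!prio' / '.!=prio'
        exact = "=" in spec                     # '.=prio'  / '.!=prio'
        level = spec.lstrip("!=")
        if level == "none":                     # drop the facility entirely
            chosen = set()
        elif level == "*":                      # every priority
            chosen = set(PRIORITIES)
        elif level not in PRIORITIES:
            raise ValueError(f"unknown priority: {level!r}")
        elif exact:                             # exactly this priority
            chosen = {level}
        else:                                   # this priority and above
            chosen = {p for p, n in PRIORITIES.items() if n <= PRIORITIES[level]}
        for f in facs:
            if f not in mask:
                raise ValueError(f"unknown facility: {f!r}")
            if negate:
                mask[f] -= chosen               # '!' removes from what was set
            else:
                mask[f] = set(chosen)           # otherwise the selector replaces it
    return mask


def parse_rule(line):
    """Split one rule line into (selector field, action)."""
    parts = line.split(None, 1)
    if len(parts) != 2:
        raise ValueError(f"rule needs a selector and an action: {line!r}")
    return parts[0], parts[1].strip()


def route(config_lines, facility, priority):
    """Return the actions (in config order) that receive facility.priority.

    Comments and blank lines are skipped; one message may match several rules.
    """
    actions = []
    for line in config_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selectors, action = parse_rule(line)
        if priority in build_mask(selectors)[facility]:
            actions.append(action)
    return actions


# Constructed excerpt in the style of a RHEL /etc/rsyslog.conf, not a real dump.
# loghost.example is a placeholder; '@' forwards over UDP, '@@' over TCP.
SAMPLE_RULES = """
# Log anything of level info or higher, except mail, authpriv and cron.
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                  /var/log/secure
# All mail messages of level info or higher.
mail.info                                   /var/log/maillog_info
# Everybody who is logged in gets emergency messages.
*.emerg                                     *
# Forward everything to a central log server over UDP.
*.*                                         @loghost.example
""".splitlines()

if __name__ == "__main__":
    # Constructed sample messages: (facility, priority)
    for fac, prio in [("authpriv", "info"), ("mail", "debug"), ("kern", "emerg"),
                      ("cron", "err"), ("daemon", "notice")]:
        print(f"{fac}.{prio:<7} -> {route(SAMPLE_RULES, fac, prio)}")
```

Running the script prints, for each constructed message, the actions it would reach. For instance, authpriv.info reaches /var/log/secure and the forwarder but not /var/log/messages, because the later authpriv.none overrides the earlier *.info in that rule, and mail.debug reaches only the forwarder, since debug is below the info threshold of the mail rule.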

This article is from the blog "A Pot of Turbid Wine"; please contact the author before reproducing it.

