Configure the Linux Log File

Author: Liu Zhiyong Guo conghui

Logs should also be noted by users. Do not underestimate the importance of log files for network security. Because log files can record various daily events of the system in detail, you can check the causes of errors through log files, or trace the attackers when they are attacked or attacked. Two important roles of logs are review and monitoring. ConfiguredLinuxThe log is very powerful. For Linux systems, all log files are stored in/var/log. By default, Linux Log files do not record FTP activity. You can modify/etc/ftpacess to allow the system to record all FTP activities.

/Etc/syslog. conf format

Linux Log files can be configured. In the previous section, we have introduced how to customize Apache, wu-ftpd, and sendmail log files. The log files in Linux are determined by/etc/syslog. conf. You need to carefully Configure/etc/syslog. conf. The following is an example of/etc/syslog. conf:

# Log all kernel messages to the kernlog.# Logging much else clutters up the screen.kern.*/var/log/kernlog# Log anything (except mail) of level info or higher.# Don't log private authentication messages!*.info;mail.none;news.none;authpriv.none;cron.none/var/log/messages*.warning/var/log/syslog# The authpriv file has restricted access.authpriv.* /var/log/secure# Log all the mail messages in one place.mail.*/var/log/maillog# Log cron stuffcron.*/var/log/cron# Everybody gets emergency messages, plus log them on another# machine.*.emerg# Save mail and news errors of level err and higher in a# special file.uucp,news.crit/var/log/spooler# Save boot messages also to boot.loglocal7.*/var/log/boot.log# INNnews.=crit /var/log/news/news.critnews.=err /var/log/news/news.errnews.notice /var/log/news/news.notice

It can be seen that the first field in each row of the configuration file lists the types of information to be recorded, and the second field lists the recorded locations. The first field uses the following format: facility. level [; facility. level…]

Faciity is the system application or tool that generates information, and level is the importance of this information. Levels are important from low to high: Debug (debugging message), Info (general message), notice (noteworthy message), warning (warning), and err (general error), crit (serious error), alert (or emerg, emergency ). Facility includes: AUTH (authentication system, such as login or Su, that is, querying the user name and password), cron (Information sent when the system executes the scheduled task), daemon (syslog of some system daemon, such as by in. ftpd logs), Kern (kernel information), LPR (printer information), mail (information sent by the mail daemon process) mark (time-scale program for scheduled message sending), News (information about the newsgroup Daemon), user (information about the local user's application), and UUCP (information about the uucp subsystem) and "*" (indicating all possible facility ).

　　Record log files to remote hosts

If there is another Linux or UNIX system, you can configure a log file to send messages to another system and record them. This is why all the preceding log files record the host name. To implement this function, specify a record action in the configuration file, followed by a remote system host name starting with "@", for example :*. warn; authpriv. notice; Auth. notice @ bright.hacker.com.cn

In addition, you must set the target system for receiving messages to allow this operation. In this example, the syslogd daemon of the host bright.hacker.com.cn must be started with the-R parameter. If the-R parameter is not used, syslogd of the target host will discard the message to prevent DoS attacks from filling the hard disk with false messages. Make sure that the/etc/service file of the target host must set the UDP port 514 used by the syslog service (which is also the default setting of RedHat Linux ). If the syslogd daemon uses the-R and-H parameters, the parameter-H allows message forwarding. That is to say, if syslogd of system B uses the-H parameter, after system a forwards the message to system B, system B forwards messages from system A and itself to system C.

　　Send warning messages to the console

Syslogd can send any information from the kernel that is critical to Emerg or alert to the console. The console refers to the virtual console or the xterm with the-C parameter added at startup. To implement this function, add a line up and down in the/etc/syslog. conf file: Kern. Emerg/dev/console

In this way, when a message is sent due to an error in the system kernel, the user can immediately know and process the message. If "*" is used, the message is sent to all online users once an error occurs in the kernel. However, the message can only be seen when the user is logged on. /Etc/syslog modified. after the conf file, you must restart the syslogd daemon to make the configuration change take effect. Run the following command: #/etc/rc. d/init. d/syslog restart

Related reading:

• Encapsulate the logging module (kency, 2007-2-12)
• Linux Log Analysis (alone, 2007-2-13)
• Linux Log system introduction (alone, 2007-2-13)
• RedHat Linux common log files and Common commands (alone, 2007-2-13)