General format for log file contents
In general, the messages generated by the system are recorded by syslogd, and each message records the following important fields:
- The date and time the event occurred;
- The hostname of the event;
- The name of the service that produced the event (such as samba, xinetd, etc.) or the function name (such as libpam);
- The actual content of the message;
Of course, the exact details of this layout can be changed. The following is an excerpt of what /var/log/secure recorded (only the first timestamp is legible in the source; the others are shown as placeholders):

```text
Dec 27 01:04:51 localhost sshd[5677]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Dec 27 hh:mm:ss localhost sshd[5679]: Failed password for root from 122.225.103.103 port 4059 ssh2
Dec 27 hh:mm:ss localhost sshd[5679]: fatal: Read from socket failed: Connection reset by peer [preauth]
Dec 27 hh:mm:ss localhost sshd[5677]: Failed password for root from 122.225.103.103 port 3787 ssh2
Dec 27 hh:mm:ss localhost sshd[5677]: fatal: Write failed: Connection reset by peer [preauth]
Dec dd hh:mm:ss localhost polkitd[877]: Loading rules from directory /etc/polkit-1/rules.d
Dec dd hh:mm:ss localhost polkitd[877]: Loading rules from directory /usr/share/polkit-1/rules.d
Dec dd hh:mm:ss localhost polkitd[877]: Finished loading, compiling and executing 5 rules
Dec dd hh:mm:ss localhost polkitd[877]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
|---date/time---|--host--|--service and function--|------------------------message content--------------------------------|
```
Parsing the first line: on December 27 at 01:04:51, sshd (PID 5677) on localhost emitted a message; it came from the pam_succeed_if module, and its content is: requirement "uid >= 1000" not met by user "root".
Configuration file for syslogd: /etc/syslog.conf
/etc/syslog.conf specifies which level of which service's messages should be recorded to which file or device, using this syntax:

```text
service_name.[=!]level    file, device or host to record to
# The following takes the info level generated by the mail service as an example:
mail.info    /var/log/maillog_info
# This line means: messages generated by the mail service at or above the info level are logged to the /var/log/maillog_info file.
```
syslogd itself defines a set of service names (facilities), mainly the following (use man 3 syslog to look up the details).

| Service type | Description |
|---|---|
| auth (authpriv) | Mainly authentication-related mechanisms that require an account/password, such as login, ssh, su, etc. |
| cron | Log messages generated by routine job scheduling: cron, at and the like |
| daemon | Messages from the various daemons on the system |
| kern | Messages generated by the kernel |
| lpr | Printing-related messages |
| mail | All messages related to mail delivery belong here |
| news | Messages about the newsgroup server |
| syslog | Messages generated by the syslogd program itself |
| user, uucp, local0~local7 | Other messages about the Unix-like machine itself |
These are the service names defined by syslog; software records the messages it generates by calling one of these names. For example, sendmail, postfix and dovecot are all mail-related software, and their logging is designed to call the mail facility of syslogd (LOG_MAIL), so the messages generated by these programs are recorded by syslogd in the maillog file.
Message levels
Messages generated by the same service differ in importance: there are general informational messages that merely notify you, say at startup, warning messages (warn) that do not affect normal operation, and critical messages (error, etc.) that arise when serious errors occur in system hardware. syslog divides messages into 7 main levels.
| Grade | Level name | Description |
|---|---|---|
| 1 | info | Just some basic informational notes |
| 2 | notice | Things worth noting beyond info |
| 3 | warning (warn) | Warning messages that may indicate a problem but do not affect a running daemon. Basically, these three levels all carry basic information and should not indicate system problems. |
| 4 | err (error) | Significant error messages, for example that a service cannot start because of certain settings in its configuration file; err messages usually tell you the problem and why the service cannot start |
| 5 | crit | Error messages more serious than err; crit is short for critical, and this kind of error is very serious |
| 6 | alert | Alarm: there is already a problem, more serious than crit. |
| 7 | emerg (panic) | "Panic" level, meaning the system is almost frozen; a very serious error message. This usually happens when a hardware problem stops the whole kernel from running normally. |
In addition to these levels there are two special ones: debug (the error-detection level) and none (record nothing). These two are used when we want to do some debugging or want to ignore the messages of some service.
The symbol [.=!] placed before the level has the following meaning:
- "." records this level and every level higher than it (this level included).
- "=" records only exactly the level that follows, and no other.
- "!" means not equal to, that is, every level other than the one given is recorded.
The file, device or host that receives the message
This tells syslogd where to record the message. It is usually a log file, but it can also be sent to a device such as a printer, or to another host. Common destinations are:
- The absolute path of a file: usually placed under /var/log.
- A printer or other device: for example /dev/lp0, a printer device.
- A user name: the message is displayed to that user.
- A remote host: for example @www.vbird.tsai; of course, this requires support on the other host.
- *: everyone currently logged in, similar to the wall command.
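To make the selector rules and destination actions above concrete, here is an added Python model (not code from the page or from syslogd itself) that implements the ".", "=", "!" and none semantics exactly as described above, parses a small constructed syslog.conf fragment, and reports which actions a message of a given service and level would reach. Several selectors on one line are joined by ";" and a later one overrides an earlier one for the same service, which is how the common "*.info;mail.none" pattern excludes mail from the general log.

```python
import re
# Levels ordered lowest to highest; debug sits below info and none records nothing.
LEVELS = ['debug', 'info', 'notice', 'warning', 'err', 'crit', 'alert', 'emerg']
def selector_matches(selector, facility, level):
    """Evaluate one 'facility.[=!]level' selector; None if its facility part does not apply."""
    fac_part, _, lvl_part = selector.rpartition('.')
    facilities = fac_part.split(',')
    if '*' not in facilities and facility not in facilities:
        return None
    if lvl_part == 'none':      # none: do not record this facility here
        return False
    if lvl_part == '*':
        return True
    op, name = re.match(r'^(=|!|)(\w+)$', lvl_part).groups()
    want, have = LEVELS.index(name), LEVELS.index(level)
    if op == '':                # '.' alone: this level and everything above it
        return have >= want
    if op == '=':               # '=': exactly this level and nothing else
        return have == want
    return have != want         # '!': every level except this one, as described above

def parse_rules(conf_text):
    """Turn syslog.conf text into (selectors, action) pairs, dropping comments."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line:
            selectors, action = line.rsplit(None, 1)
            rules.append((selectors.replace(' ', ''), action))
    return rules

def route(rules, facility, level):
    """Return the actions (file, device, user, @host or *) that receive a message."""
    actions = []
    for selectors, action in rules:
        decision = None
        for sel in selectors.split(';'):   # later selectors on a line override earlier ones
            result = selector_matches(sel, facility, level)
            if result is not None:
                decision = result
        if decision:
            actions.append(action)
    return actions

# Constructed syslog.conf fragment built around the page's mail.info example.
SAMPLE_CONF = """
mail.info          /var/log/maillog_info   # mail at info and above
*.info;mail.none   /var/log/messages       # everything at info and above, except mail
mail.=crit         root                    # exactly crit from mail, shown to user root
"""
```

Calling route(parse_rules(SAMPLE_CONF), 'mail', 'crit') returns both /var/log/maillog_info and root, while a mail info message goes only to /var/log/maillog_info because mail.none vetoes the general log.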
Security settings for log files
You can set the append-only attribute on a log file with chattr +a, so that the log file can only be appended to and cannot be deleted. However, while this attribute is set the log file cannot be renamed when logs are rotated, so this has to be handled through the logrotate configuration file.

```shell
[root@localhost ~]# chattr +a /var/log/messages
# add the append-only attribute to the messages file
[root@localhost ~]# chattr -a /var/log/messages
# remove the attribute again
```
SYSLOGD: Logging Service for log files