Syslog. conf

1: Introduction to syslog. conf

For different types of UNIX, standard unixlog system settings, except for some different keywords, the system's syslog. conf format is the same. Syslog uses a configurable and unified system registration program to receive log requests from all over the system at any time, and then according to/etc/syslog. pre-configured in conf to write log information into the corresponding file, mail it to a specific user, or send it directly to the console as a message. It is worth noting that, in order to prevent intruders from modifying or deleting the record information in messages, printer records or attempts to defeat intruders can be used.

The syslogd and klogd daemon are responsible for recording and sending information generated by the system or tool. The configuration files of both are/etc/syslog. conf. when the system kernel or tool generates information, it sends the information to the syslogd or klogd daemon by calling related functions. the syslogd and klogd daemon will follow/etc/syslog. configuration Information in conf to process the Message destination

2: syslog. conf format

See man [5] syslog. conf. Here is a brief introduction to syslog. conf.

/Etc/syslog. A configuration record in the conf file consists of two parts: "selector" and "action". The two parts are separated by tab tabs (the space interval is invalid ). The "option" is composed of one or more reserved fields in the format of "type. Level". Each reserved field is separated by a semicolon. The following lines are shown:

Type. level [; type. level] 'tab' action

2.1 Type

The "type" in the reserved field indicates the source of information generation, which can be:

Auth authentication system, that is, asking for the user name and password

Information issued by the cron system during scheduled task execution

Daemon Syslog of some system daemon programs, such as logs generated by in. ftpd

Syslog information of the Kern Kernel

Syslog information of the LPR printer

Syslog information of the Mail System

The timer program for Mark to send messages at a scheduled time

Syslog information of the news system

User Local User Application syslog Information

Syslog information of uucp Subsystem

The SYSLOG information of 7 Local types can be defined by the user.

* Represents the above devices

Level 2.2

The "level" in the reserved field indicates the importance of the information, which can be:

Emerg is in the panic status. Generally, it should be broadcast to all users;

Alert alert. The current status must be corrected immediately. For example, the system database crashes;

Crit critical status warning. For example, hardware faults;

Other err errors;

Warning warning;

Notice Note: Non-error reports, but should be specially handled;

Info notification information;

Information about the debug program;

None is usually used for program debugging, indicating that information generated with the none level does not need to be sent. For example, *. debug; mail. None indicates that all information except the mail information is sent during debugging.

Action 2.3

Action)

The action determines where the syslogd and klogd daemon send log messages. The following options are available:

A common file uses the absolute path of the file to specify the location of the log file, for example,/var/log/cron.

The terminal device can be/dev/tty0 ~ /Dev/tty6, or/dev/console.

For example, if the user list is "root hackbutter", the message is written to the computer screen of the User Root and hackbutter.

The remote host sends information to the syslogd daemon of other hosts in the network. The format is "@ hostname ". the @ symbol can be followed by an IP address or a domain name. By default, the loghost alias in the/etc/hosts file has been specified to the local machine.

User1 and user2 specify the user. If the specified user has logged on, the user will receive the message;

* All users. All logged-on users will receive the message.

3: specific instance

Let's take a look at the instances in the/etc/syslog. conf file:

NTP-SERVER:/# vi/etc/syslog. conf

# Log all kernel messages to the console.

# Logging much else clutters up to mess up the screen.

# Kern. */dev/console

 

# Log anything (could t mail) of level info or higher.

# Don't log private authentication to prove messages!

*. Info; mail. None; authpriv. None; cron. None/var/log/messages

Send info or more advanced messages to/var/log/messages, except for mail, authpriv, and cron.

// * Is a wildcard, indicating any device. None indicates that no information of any level is recorded.

# The authpriv file has restricted access.

Authpriv. */var/log/secure

# This is mainly information related to permission usage.

 

# Log all the mail messages in one place.

Mail. */var/log/maillog

 

# Log cron stuff

Cron. */var/log/cron

This is mainly related to the tasks that are periodically executed in the system.

# Everybody gets emergency messages

*. Emerg *

// Send emerg (system unavailable) information of any device to all users on the system.

 

# Save news errors of level crit and higher in a special file.

# Log all kernel messages to the console.

# Logging much else clutters up the screen.

# Kern. */dev/console

# Log anything (could t mail) of level info or higher.

# Don't log private authentication messages!

*. Info; mail. None; authpriv. None; cron. None/var/log/messages

 

# The authpriv file has restricted access.

Authpriv. */var/log/secure

 

# Log all the mail messages in one place.

Mail. */var/log/maillog

 

# Log cron stuff

Cron. */var/log/cron

 

# Everybody gets emergency messages

*. Emerg *

 

# Save news errors of level crit and higher in a special file.

Uucp, news. crit/var/log/Spooler

 

# Save boot messages also to boot. Log

Local7. */var/log/boot. Log

// Record information related to system startup to the/var/log/boot. log file.

 

Configuration File Syntax description
(1) * when used as a device or priority, all devices or priorities can be matched.
(2) * send messages to all logged-on users as actions.
(3) Multiple selectors can be separated by semicolons in the same row, and the following ones will overwrite previous ones, such as uucp, news. crit.
(4) When the keyword none is used as the priority, all messages from the specified device are blocked.
(5) by using the same selector and different actions, the same message can be recorded in multiple locations.
(6) The configuration lines in the syslog. conf file do not overwrite the previous configuration lines. each row of the specified action operates independently.

Syslog. conf