Syslog programming and Configuration

1. foreword syslog is a log record method (rfc00004) provided in Unix systems. syslog itself is a server. All information recorded using syslog in the program will be sent to this server, the server determines whether to record the information based on the configuration, whether to record the information to the disk file or other places, so that all applications in the system can record the log in a unified manner, it facilitates unified audit of system logs. 2. log format the syslog log format is month-day hour: minute: Second host name flag log Content 3. syslog programming is used to record logs. Three functions are usually used: openlog (3), syslog (3), closelog (3), openlog (3), and closelog (3, if openlog (3) is not available, logs are recorded by default. # Include <syslog. h> void openlog (char * Ident, int option, int facility) void syslog (INT priority, char * format ,...) void closelog (void) openlog (3) has three parameters. The first parameter is the flag string, that is, the 5th fields in the log. If it is not set, the program name is used by default; the second parameter is an option, which is a combination of the following flags:
Log_cons: the log information is printed to the terminal while being written to the log server.
Log_ndelay: logs are recorded immediately.
Log_perror: outputs the log information to the standard error stream.
Log_pid: record the PID value of the process in the flag field. The third parameter describes the Log Type and defines the following types (you can check or guess the meaning of each type, ):
Log_auth
Log_authpriv
Log_cron
Log_daemon
Log_kern
Log_local0 through log_local7
Log_lpr
Log_mail
Log_news
Log_syslog
Log_user (default)
The log_uucp syslog (3) function mainly uses the first parameter priority. The following parameters are used in the same way as the printf (3) function. The priority value indicates the log level, the log level is divided into eight levels. The order from high to low is:
Log_emerg
Log_alert
Log_crit
Log_err
Log_warning
Log_notice
Log_info
Log_debug if facility is not specified in openlog (3), you can set the value of facility to priority, for example (log_auth | log_info. Closelog (3). Close logging. 4. the configuration file of the syslog server is/etc/syslog. the conf and syslog (3) functions send the log information to the log server, but whether the log is recorded in the file or sent to the remote server, this is determined by the configuration file, which tells the log server to record the types and levels of logs, how to record and other information. The configuration file is a text file. Each line is configured with two fields. The first field indicates the type of logs to be recorded, and the second field indicates the log storage location, either a local file or a remote server. Field 1:
The basic format of the first field is "facility. Priority". Multiple fields can be defined at the same time, separated by commas (,) or semicolons.
The facility name is the lower case of the preceding facility value, such as news, mail, Kern, and cron. You can also use "*" to indicate all facility types;
The priority name is the lower case of the preceding priority value, such as emerg, alert, err, and info. You can also use "*" to indicate all priority types, logs with a higher level are automatically recorded, and none is used to indicate that the logs are not recorded. For example:
Kern. *: All levels of kernel type logs
Mail. Err: if the mail type logs with errors or higher levels do not record a certain level of logs, add "!" before the level, For example:
Auth.info; Auth .! Err: The second field of the err-level auth log is not included in the info and info-level logs:
The second field is divided into two categories: local files and remote servers.
Local file: the file name of the local file, such as/var/log/messages. Generally, log information is immediately written to the file, but the system efficiency is reduced. You can add or subtract the "-" sign before the file name to cache the information and write it to the file at a time, this improves the efficiency;
Remote Server: in the format of "@ address" and "@", logs are remotely recorded and sent to the remote log server. The port of the log server is udp514, and the address can be an IP address, it can also be a domain name example: # Send all levels of kernel logs to the terminal
Kern. */dev/console # record all types of logs to the/var/log/messages File
*. */Var/log/messages # All info-level or above information, excluding all mail-type and authpriv-type err-level information. # the/var/log/messages file is recorded, do not write now
*. Info; mail. None; authpriv .! Err-/var/log/messages # Send all levels of kernel logs to the remote Syslog Server
Kern. * @ 1.1.1.1 5. the syslog server provides the sysklogd syslog server implementation in Linux. It can record local logs, receive syslogd-r options, and forward syslogd-H options) logs from outside. Sysklogd contains two programs: klogd and syslogd. klogd is used to receive kernel logs and then send them to syslogd. syslogd can directly receive applications and remote logs. syslogd uses a domain socket (af_unix) the syslog () function logs are sent to the socket in this domain, and the socket file is/dev/log. The syslog (3) function adds the type and level information before the log information sent to the syslogd server. The specific format is "<x>", and "X" is a 0 ~ 255 of the number, 8 bits, 3 bits low indicate the log level, so a total of 8 bits, 5 bits high indicate the log type, a maximum of 32 types, but currently not so much, you can check/usr/include/sys/syslog. h. To generate the log information, syslogd is the front information of the log: month, day, minute: Second host name sign, and then spliced with the log content information. The date is ctime (3) function retrieval hides the first four bytes of the week and the information of the next year, and finally generates the date format you see. To be honest, the code is ugly. 6. Conclusion syslog facilitates the recording of program information, and the audit is also convenient due to the use of unified format records. To record logs, in addition to using the syslog (3) function in the application, you must configure the/etc/syslog. conf file correctly so that the server can correctly record the logs you want to record.