Take Cisco as an example: important information about a router can be recorded as a router log on a UNIX host on the internal network through the syslog mechanism. While the router is running it sends log messages, including link establishment failures and packet-filtering events, to the log host. By reading the log host's files, the network administrator can follow the logged events, analyze the log files, and use them to locate faults, troubleshoot, and manage network security.
Understanding the Syslog Facility
First, syslog is the standard UNIX logging mechanism. It can record local events or events sent from another host over the network, and then write the information to a file or device or send a message to a user.
The syslog mechanism relies mainly on two files: /etc/syslogd (the daemon) and the /etc/syslog.conf configuration file, which controls syslogd. syslog.conf tells syslogd what to do with each message it receives, including the router's log messages; syslogd reads the file when it starts.
The file consists of one entry per program or message class, each on its own line. Each entry has a selector field and an action field, separated by a TAB (note: only the TAB key may be used as the separator, not the space bar). The selector field states the type and priority of the message; the action field states what syslogd does when it receives a message that matches the selector.
Each selector is made up of a facility and a priority. In other words, the first column says "under what circumstances" and "to what extent"; then press TAB to move to the next column and write "what to do once the message qualifies". When a priority is given, syslogd records messages of that priority or higher. The action field of each line says where a selected message is sent. The first column therefore holds the circumstance (facility) and the extent (level), separated by a period. The details are as follows:
1. Under what circumstances to record
The different circumstances (facilities) are identified by the following keywords:
auth: system security and user authentication;
cron: scheduled job execution (crontab);
daemon: background daemon processes;
kern: the system kernel;
lpr: printers;
mail: e-mail;
news: network news (newsgroups);
syslog: messages from syslog itself;
user: user processes;
uucp: UNIX-to-UNIX copy (UUCP).
2. To what extent to record
For example, if you want the system to record events at the info level, then notice, err, warning, crit, alert, emerg and the other levels above info are recorded along with it. Joining part 1 and part 2 with a period gives the complete "what to record" selector.
For example, mail.info stands for general information from the e-mail delivery system, auth.emerg for very serious messages about system security, and lpr.none for not recording printer messages at all (usually combined with other selectors on the same line). Three special symbols can also be used:
Asterisk (*): stands for every item in a field. For example, mail.* records everything about mail regardless of level, and *.info records info events from every facility.
Equal sign (=): records only the stated level, not the levels above it. In the example above, writing info normally records notice, err, warning, crit, alert, emerg and the other levels above info as well, but writing =info records only the info level.
Exclamation point (!): do not record the stated level or the levels above it.
3. Where to store the record
syslogd offers the following ways to record events that occur on your system. Ordinary files are the most common: you give a file path and file name, which must begin with the directory separator "/" so that the system knows it is a file. For example, /var/adm/maillog records to a file named maillog under /var/adm. If the file does not already exist, the system creates it.