Instructions for using syslog under Linux

Source: Internet
Author: User
Tags: function prototype, openlog, syslog, system log, dmesg

Syslog System Log Application
1) Overview
syslogd is the standard log daemon on Linux systems; its configuration file is /etc/syslog.conf. Programs, daemons and the kernel all produce log information about the system, and any program that wants to generate log messages can hand them to syslogd through the syslog() library interface.
Almost all network devices can speak the syslog protocol. Log messages are transmitted to a remote server over the User Datagram Protocol (UDP). The remote log server listens on UDP port 514 with syslogd and, according to the configuration in its syslog.conf file, handles the messages it receives: it writes the specified events to specific files and makes them available to a backend database for administration and response. This means that any event can be logged to one or more servers, so that a backend database can analyze the events of remote devices offline. Note that classic syslog over UDP is unauthenticated, unencrypted and unacknowledged: anyone who can reach port 514 can inject or spoof messages, and datagrams dropped on the network are lost silently.
Normally syslogd accepts messages from the various facilities (sources) of the system, each message carrying a priority (importance level). The /etc/syslog.conf file tells syslogd how to report the messages depending on facility and priority.

2) /etc/syslog.conf
The /etc/syslog.conf file uses the following format:
facility.level    action
The selector, facility.level, consists of two fields separated by a period (.); the selector and the action are separated by whitespace, traditionally a tab. The first field is the facility (the subsystem the message comes from) and the second is the priority. The selector is in effect a message type, which makes it easy to send different kinds of messages to different places. More than one selector is allowed on the same configuration line, but they must be separated by semicolons (;). The action field is very flexible; in particular, a named pipe as the action lets another program post-process what syslogd writes.
Field descriptions:
facility specifies the syslog facility, the source of the message. The main ones are:
kern      kernel messages, which arrive via klogd;
user      user processes;
mail      the mail system;
daemon    background processes (daemons);
auth, authpriv   authentication and authorization messages (authpriv is the variant whose log file should not be world-readable);
syslog    messages generated internally by syslogd;
lpr       the printing subsystem;
news      the news (NNTP) subsystem;
uucp      messages generated by UUCP;
cron      the cron scheduler and its jobs;
mark      internal syslogd facility used for the periodic timestamp messages;
local0 through local7   reserved for custom programs; for example sshd can be told (SyslogFacility LOCAL5) to log to local5;
*         wildcard matching every facility except mark.

level specifies the syslog priority. The priorities, from most to least severe, are:
emerg or panic   the system is unusable (most urgent message);
alert     action must be taken immediately;
crit      critical conditions, such as a hardware failure that stops a tool or subsystem from working;
err       error conditions that block part of a tool's or subsystem's functionality;
warning   warning conditions;
notice    normal but significant conditions;
info      informational messages;
debug     debug-level messages, containing the most detail;
none      not a priority: it selects no messages at all for the facility, and is used to exclude a facility from a rule;
*         all priorities except none.
A selector such as facility.level matches messages of that priority and of every more severe priority.

action specifies where the message goes. Most often this is a file; the files below are the ones usually found under /var/log on a Linux system:

1. /var/log/lastlog: records the time of each user's most recent login, so when a user logs in the time of the previous login is displayed. If that displayed time is not when you last logged in, your account may have been compromised. Read this file with the /usr/bin/lastlog command.

2. /var/run/utmp: records which users are currently logged in and since when; the who, users, finger and similar commands read this file.

3. /var/log/wtmp: records each user's logins and logouts; the last command reads this file. Shutdowns and reboots are recorded here as well.

4. /var/log/secure: login and authentication messages (the authpriv facility).

5. /var/log/maillog: records sendmail, pop and other mail-related messages.

6. /var/log/cron: records messages about crontab and scheduled jobs.

7. /var/log/dmesg: the kernel messages shown on the screen during boot; /bin/dmesg prints the same kernel ring buffer.

8. /var/log/xferlog: records which addresses fetched which files over FTP.

9. /var/log/messages: most system messages are recorded here, including logins, password checks, failed logins, FTP, su and so on.
Priorities as defined for applications (syslog.h):
0: LOG_EMERG    emergency, the system is unusable
1: LOG_ALERT    high-priority failure, such as a database crash
2: LOG_CRIT     critical error, such as a hardware failure
3: LOG_ERR      error
4: LOG_WARNING  warning
5: LOG_NOTICE   special condition worth noting
6: LOG_INFO     general information
7: LOG_DEBUG    debugging information
Priorities as defined in the kernel (set with printk, e.g. printk(KERN_ERR "...")):
0: KERN_EMERG   the system is unusable
1: KERN_ALERT   action must be taken immediately
2: KERN_CRIT    critical condition
3: KERN_ERR     error condition
4: KERN_WARNING warning condition
5: KERN_NOTICE  normal but significant condition
6: KERN_INFO    informational
7: KERN_DEBUG   debug-level messages
The numeric values are the same on both sides, so a kernel message logged at KERN_ERR reaches syslogd as kern.err.

Examples:

In the selectors below, * is a wildcard that matches any facility (or any priority), and none means that no messages of that facility are selected by the rule.

Log info and above from every facility, except mail, news, authpriv and cron, to /var/log/messages:

*.info;mail.none;news.none;authpriv.none;cron.none    /var/log/messages

Log every priority of the authpriv facility to /var/log/secure; this is mainly authentication and authorization information:

authpriv.*    /var/log/secure

Log every priority of the mail facility to /var/log/maillog; this is mainly information related to e-mail:

mail.*    -/var/log/maillog

Log every priority of the cron facility to /var/log/cron; this is information about the jobs the system runs on a schedule:

cron.*    /var/log/cron

Send emerg messages from any facility to every user logged in to the system:

*.emerg    *

Log crit and above from the uucp and news facilities to /var/log/spooler:

uucp,news.crit    /var/log/spooler

Log messages related to system startup to /var/log/boot.log:

local7.*    /var/log/boot.log

"mail.*" selects every mail message; "mail.!info" then removes the info priority and every more severe one, so only debug messages survive. If the intent is to drop only the info priority, write "mail.!=info" instead; "=" restricts a selector to exactly one priority:
mail.*;mail.!info    /var/log/mail
The following rule writes messages of facility mail with priority err or more severe to /var/log/mail.err; priorities below err (warning, notice, info, debug) are ignored:
mail.err    /var/log/mail.err
Facilities and priorities can use wildcards, and several facilities can be listed, separated by commas:
auth,authpriv.*    /var/log/auth.log
Several selectors can be combined, separated by semicolons. A minus sign in front of the file name tells syslogd not to sync the file after every write; the data stays in the buffer until enough has accumulated, which improves performance but can lose the most recent messages if the machine crashes:
*.*;auth,authpriv.none    -/var/log/syslog

Syslog messages can be sent over UDP to port 514 on a syslog server:
*.err    @192.168.0.1
Error messages can be shown on the console:
*.err    /dev/console
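The selector rules above are easy to get wrong (the "mail.!info" case in particular). The following is an added example, not code from the original article or from sysklogd: a small evaluator that implements the selector semantics described in this section (facility.priority selects that priority and every more severe one, "=" restricts to one priority, "!" removes priorities, "none" removes a facility, ";" joins selectors applied left to right, "," lists facilities, and a leading "-" on a file action means no sync) and reports which actions fire for a given message. The rules in CONF are the article's own examples, combined into one configuration; the "mark" facility code 24 is sysklogd's internal value.

```python
"""Evaluate sysklogd-style /etc/syslog.conf selectors (added example)."""
import re

# RFC 3164 facility codes plus the sysklogd-internal "mark" facility.
FACILITY = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)}, "mark": 24,
}
# Priority codes: a lower number is more severe.
PRIORITY = {
    "emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
    "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7,
}
ALL_PRIS = frozenset(range(8))


def parse_selector(selector):
    """Return {facility: set(priority codes)} for one selector list such as
    '*.info;mail.none;mail.!=info'. Like sysklogd's cfline(), each
    sub-selector ORs priorities into a per-facility mask, '!' clears them,
    and 'none' empties the mask."""
    mask = {}
    for part in selector.split(";"):
        part = part.strip()
        if not part:
            continue
        fac_list, dot, level = part.rpartition(".")
        if not dot:
            raise ValueError(f"selector without '.': {part!r}")
        level = level.strip().lower()
        negate = level.startswith("!")
        level = level[1:] if negate else level
        single = level.startswith("=")
        level = level[1:] if single else level
        if level == "none":
            wanted = set()
        elif level == "*":
            wanted = set(ALL_PRIS)
        elif single:
            wanted = {PRIORITY[level]}
        else:  # this priority and every more severe (numerically lower) one
            wanted = {p for p in ALL_PRIS if p <= PRIORITY[level]}
        for fac in fac_list.split(","):
            fac = fac.strip().lower()
            # '*' means every facility except the internal 'mark' facility.
            names = [f for f in FACILITY if f != "mark"] if fac == "*" else [fac]
            for name in names:
                if name not in FACILITY:
                    raise ValueError(f"unknown facility {name!r}")
                current = mask.setdefault(name, set())
                if level == "none":
                    current.clear()
                elif negate:
                    current -= wanted
                else:
                    current |= wanted
    return mask


def parse_conf(text):
    """Parse syslog.conf text into (mask, action, sync) triples. A leading '-'
    on a file action means 'do not sync the file after every write'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        selector, action = re.split(r"\s+", line, maxsplit=1)
        rules.append((parse_selector(selector), action.lstrip("-"),
                      not action.startswith("-")))
    return rules


def matching_actions(rules, facility, priority):
    """Every action, in file order, that fires for this facility/priority."""
    code = PRIORITY[priority]
    return [action for mask, action, _ in rules if code in mask.get(facility, ())]


# The article's example rules, assembled into one constructed configuration.
CONF = """
*.info;mail.none;news.none;authpriv.none;cron.none  /var/log/messages
authpriv.*                                          /var/log/secure
mail.*                                              -/var/log/maillog
cron.*                                              /var/log/cron
*.emerg                                             *
uucp,news.crit                                      /var/log/spooler
local7.*                                            /var/log/boot.log
mail.*;mail.!=info                                  /var/log/mail
*.err                                               @192.168.0.1
"""
RULES = parse_conf(CONF)

if __name__ == "__main__":
    for fac, pri in [("authpriv", "info"), ("mail", "info"), ("mail", "err"),
                     ("kern", "emerg"), ("news", "crit"), ("daemon", "debug")]:
        print(f"{fac}.{pri:8} -> {matching_actions(RULES, fac, pri)}")
```

Running it shows, for instance, that an authpriv.info message reaches only /var/log/secure (the messages rule excluded authpriv with "none"), while a mail.err message reaches /var/log/maillog, /var/log/mail and the remote host at 192.168.0.1. Comparing parse_selector("mail.*;mail.!info") with parse_selector("mail.*;mail.!=info") shows the difference between the two exclusion forms directly.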

Where Linux log information comes from:
Kernel messages: collected by klogd, handed to syslogd, and written to files such as /var/log/messages.
Other messages: sent by programs directly to syslogd, which writes them to /var/log/messages and the other files listed above.
Syslog configuration file: /etc/syslog.conf.

3) Starting the syslogd daemon
The syslog daemon is started by the /etc/rc.d/init.d/syslog script in the multi-user run levels, and by default it is started without options. Two options, -r and -h, are worth knowing.
If you are going to run a log server you must start syslogd with -r. By default syslogd does not accept messages from remote systems; with -r it listens for UDP datagrams arriving on port 514. syslogd has no authentication of its own, so with -r any host that can reach UDP port 514 can inject log lines; restrict the port with a firewall to the clients you expect.
If the log server should also forward messages it received from other hosts, start it with -h as well. By default syslogd ignores entries in /etc/syslog.conf that would relay messages received from one remote system on to another system.

4) The klogd daemon
The klogd daemon collects Linux kernel messages and logs them. Normally syslogd records everything that klogd passes to it, but if klogd is started with -f filename, klogd writes the kernel messages to that file itself instead of passing them to syslogd. When a separate file is used in this way, klogd writes messages of every level (priority) to it, because klogd has no configuration file comparable to /etc/syslog.conf. The advantage of letting klogd write its own file rather than going through syslogd is that kernel errors are kept together and are easy to find; if the kernel itself comes under attack, klogd's record of kernel errors is what you have to work from.

5) Configure a central log server
1. Edit the /etc/sysconfig/syslog file.
Add the "-r" option to the SYSLOGD_OPTIONS line so that incoming log messages are accepted. You can also add the "-x" option if you do not want the central log server to resolve the FQDN of the sending machines, for example because their DNS records are incomplete; it also removes a DNS lookup from the handling of every received message. In addition you may want to change the interval of the timestamp "mark" message (-- MARK --) to a more useful value, such as 240, meaning that a timestamp message is added to the log every 240 minutes (six times a day). The "-- MARK --" entries in the log show that the syslog daemon on the central log server is still alive even when nothing else is being logged; a gap in them is worth investigating. With these changes the line looks like this:
SYSLOGD_OPTIONS="-r -x -m 240"
2. Restart the syslog daemon.

      The modifications do not take effect until the syslog daemon is restarted. To restart only the syslog daemon rather than the whole system, execute one of the following two commands:
/etc/rc.d/init.d/syslog stop;  /etc/rc.d/init.d/syslog start
/etc/rc.d/init.d/syslog restart
3.  If an iptables firewall (or tcp_wrappers) is running on this machine, make sure it allows traffic to UDP port 514, the port the syslog daemon uses.
4.  Configure each client to use the central log server
       Making a client send log messages to the central log server is not difficult. Edit /etc/syslog.conf on the client and, in the action field of a rule, name the central log server after an "@" character, like this:
authpriv.*    @192.168.1.40
      Alternatively, give the central log server the name loghost in /etc/hosts (or in DNS) on each client machine, and then write the client's syslog configuration as follows (the advantage of this approach is that when the central log server is replaced by another machine you do not have to modify the syslog configuration on every client, only the name resolution):

authpriv.*    @loghost
Next, restart the syslog daemon on the client for the change to take effect. The client should keep logging locally as well as sending to the central log server: the local copies let you debug the client without logging in to the central server, and they remain available when the central log server is in trouble (UDP delivery is unacknowledged, so messages sent while it is down are simply lost).
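The client/server exchange configured in steps 1 to 4 (a client rule such as "authpriv.* @loghost" on one side, "syslogd -r" listening on UDP 514 on the other) is shown below as an added example, not code from the original article or from sysklogd. It builds and parses the BSD syslog datagram format that syslogd exchanges (PRI = facility * 8 + severity, then timestamp, hostname, tag and message) and includes the two checks a receiver should do that the protocol itself does not: record the UDP source address separately from the hostname the sender wrote into the message (the sender controls that field and UDP is trivially spoofed), and escape control characters so a newline inside a message cannot forge a second line in a flat log file. The hostname "client1", the loopback round trip with an ephemeral port in place of 192.168.1.40:514, and the sshd-style sample message are all constructed for the example.

```python
"""Build and parse BSD-syslog (RFC 3164) datagrams as exchanged by
'@host' actions and 'syslogd -r' (added example)."""
import re
import socket
import time

# Facility codes from RFC 3164; PRI = facility * 8 + severity.
FAC = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
       "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
       **{f"local{i}": 16 + i for i in range(8)}}
SEV = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[A-Za-z0-9_.-]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$", re.S)


def bsd_timestamp(t=None):
    """'Mmm dd hh:mm:ss' with a space-padded day, as syslogd writes it."""
    tm = time.localtime(t)
    return time.strftime("%b ", tm) + f"{tm.tm_mday:2d}" + time.strftime(" %H:%M:%S", tm)


def encode(facility, severity, host, tag, msg, pid=None, t=None):
    """Datagram the client side sends for a '<facility>.* @host' rule."""
    pri = FAC[facility] * 8 + SEV.index(severity)
    ident = f"{tag}[{pid}]" if pid is not None else tag
    return f"<{pri}>{bsd_timestamp(t)} {host} {ident}: {msg}".encode("utf-8")


def sanitize(text):
    """Escape control characters so a '\\n' in MSG cannot fake a second log
    line in a flat text file (log injection); spaces are printable and kept."""
    return "".join(c if c.isprintable() else f"\\x{ord(c):02x}" for c in text)


def decode(datagram, source_addr):
    """Server-side parse of one datagram. Raises ValueError on a malformed
    PRI. The hostname inside the message is untrusted (the sender writes it
    and UDP can be spoofed), so the socket's source address is kept too."""
    text = datagram.decode("utf-8", errors="replace")
    m = HEADER.match(text)
    if not m:
        raise ValueError("not a BSD syslog message")
    pri = int(m["pri"])
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError(f"PRI out of range: {pri}")
    return {
        "facility": pri // 8, "severity": SEV[pri % 8],
        "timestamp": m["ts"], "claimed_host": m["host"], "source": source_addr,
        "tag": m["tag"], "pid": int(m["pid"]) if m["pid"] else None,
        "msg": sanitize(m["msg"]),
    }


def relay_once(addr="127.0.0.1"):
    """Loopback demonstration of the exchange: the server socket plays
    'syslogd -r' (on a free port instead of 514), the client plays the
    'authpriv.* @loghost' action with a constructed sshd-style message."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind((addr, 0))
    port = server.getsockname()[1]
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.sendto(encode("authpriv", "info", "client1", "sshd",
                         "Accepted password for alice", pid=4242), (addr, port))
    data, peer = server.recvfrom(1024)
    client.close()
    server.close()
    return decode(data, peer[0])


if __name__ == "__main__":
    print(relay_once())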

6) Functions related to the system log:
openlog, syslog and closelog are the set of interfaces for writing to the system log.
Sample code showing how a program uses them (syslog.c):

    /* syslog.c: minimal use of the openlog/syslog/closelog interface */
    #include <syslog.h>

    int main(int argc, char **argv)
    {
        (void)argc;
        /* LOG_CONS: fall back to the console if syslogd cannot be reached;
           LOG_PID: prefix each record with the process id. LOG_USER is the
           facility (the original passed 0, which glibc also treats as the
           default, LOG_USER). */
        openlog("mymsgmark", LOG_CONS | LOG_PID, LOG_USER);

        /* LOG_EMERG is the most severe priority; with the usual "*.emerg *"
           rule syslogd also broadcasts it to every logged-in user, which is
           why the "Message from ..." text appears in the run below. argv[0]
           is passed as an argument, never as the format string. */
        syslog(LOG_EMERG,
               "This was a syslog test message generated by program '%s'",
               argv[0]);

        closelog();
        return 0;
    }


Compile and run:

[root@localhost liuxltest]# gcc -o syslog syslog.c

[root@localhost liuxltest]# ./syslog

[root@localhost liuxltest]#
Message from syslogd@localhost at Tue Feb 24 13:24:34 2009 ...
localhost mymsgmark[16467]: This was a syslog test message generated by program './syslog'

The "Message from syslogd@..." text on the terminal is the effect of the "*.emerg *" rule: an emerg message is delivered to every logged-in user. At the same time the following line appears in /var/log/messages:

Feb 24 13:24:34 localhost mymsgmark[16467]: This was a syslog test message generated by program './syslog'


Function description:
The prototype of openlog is:
void openlog(const char *ident, int option, int facility);
This function opens a connection to the system logger; afterwards syslog() or vsyslog() can be used to add messages to the system log.
Parameters:
ident: a tag string that is prepended to every log line so the messages can be identified; it is normally the name of the program. glibc stores the pointer rather than a copy of the string, so it must stay valid for as long as logging continues.
option: a bitwise OR of zero or more of LOG_CONS, LOG_NDELAY, LOG_NOWAIT, LOG_ODELAY, LOG_PERROR and LOG_PID; see the openlog man page for each. In brief:
LOG_CONS     write directly to the system console if there is an error while sending to the system logger;
LOG_NDELAY   open the connection immediately (normally the connection is opened when the first message is logged);
LOG_ODELAY   the converse of LOG_NDELAY: open the connection only when syslog() is first called (this is the default and need not be given);
LOG_NOWAIT   do not wait for child processes that may have been created while logging (glibc creates none, so this has no effect on Linux);
LOG_PERROR   (not in SUSv3) also print the message to stderr;
LOG_PID      include the PID with each message.
facility: the type of program doing the logging, one of LOG_AUTH, LOG_AUTHPRIV, LOG_CRON, LOG_DAEMON, LOG_FTP, LOG_LPR, LOG_MAIL, LOG_NEWS, LOG_SYSLOG, LOG_USER (the default), LOG_UUCP or LOG_LOCAL0 to LOG_LOCAL7 (LOG_KERN exists but cannot be used from user processes). This is the value the facility field of /etc/syslog.conf matches on.
The prototype of closelog is:
void closelog(void);
This function closes the connection opened by openlog.
The prototype of syslog is:
void syslog(int priority, const char *format, ...);
This function sends a log message to the syslogd daemon to be recorded.
Parameters:
priority: the priority of the message (LOG_EMERG through LOG_DEBUG), optionally ORed with a facility to override the one given to openlog, for example LOG_MAIL | LOG_WARNING.
format: a printf-style format string, followed by its arguments; glibc additionally replaces %m with the text of the current errno. Because it is a format string, never pass untrusted data as format: write syslog(LOG_INFO, "%s", buf), not syslog(LOG_INFO, buf), otherwise an attacker who controls buf can read and write process memory through %x and %n (the classic format-string vulnerability).
Application:
If a program wants to use the system log, it only needs to call openlog once at startup to connect to syslogd, and can then write log messages with syslog at any time.
In addition, a newer alternative to syslog is syslog-ng, whose strong network capabilities (including transport over TCP, which is not subject to the silent loss of UDP) make it easy to collect the logs of many machines on a central log server.


This article is from the "Tangjilinux" blog; reproduction without permission is declined.
