Introduction to syslog and syslog
Application of Syslog in Network Management
Syslog is an industrial standard protocol that can be used to record device logs. In UNIX systems, routers, switches, and other network devices, System logs record System events at any time. Administrators can view system records to keep abreast of system conditions. UNIX system logs use syslogd to record system-related event records and Application Operation events. Through proper configuration, we can also implement inter-machine communication that runs the syslog protocol. By analyzing these network behavior logs, we can track the status of devices and networks.
Install syslog in ubuntu Apt-get install Inetutils-syslogd
Here, the three functions openlog, syslog, and closelog are a set of system log writing interfaces. In addition, the vsyslog and syslog functions the same, but the parameter format is different.
Generally, the syslog daemon reads record messages in three formats. This daemon reads a configuration file at startup. Generally, the file name is/etc/syslog. conf, which determines where different types of messages should be sent. For example, an emergency message can be sent to the system administrator (if logged on) and displayed on the console. A warning message can be recorded in a file. This mechanism provides syslog functions. The Calling format is as follows:
# Include<Syslog. h>
Void openlog (char * ident, int option, int facility );
Void syslog (int priority, char * format ,......)
Void closelog ();
Openlog is optional. If openlog is not called, openlog is automatically called when syslog is called for the first time. You can also choose to call closelog, which only disables the descriptor used for communicating with the syslog daemon. By calling openlog, we can specify an ident. Later, this ident will be added to each recorded message. Ident is generally the program name (for example, cron, ine, etc)
The sample code for program usage is as follows:
# Include<Syslog. h>
Int main (int argc, char ** argv)
{
Openlog ("MyMsgMARK", LOG_CONS | LOG_PID, 0 );
Syslog (LOG_DEBUG,
"This is a syslog test message generated by program '% s' \ n ",
Argv [0]);
Closelog ();
Return 0;
}
After an executable program is compiled and generated, a line of information will be added to the/var/log/message file once the program runs as follows:
Feb 12 08:48:38 localhost MyMsgMARK [7085]: This is a syslog test message generated by program './a. out'
Syslog functions and Parameters
The syslog function is used to send log messages to the system program syslogd for record. The prototype of this function is:
Void syslog (int priority, const char * format ,...);
The first parameter is the urgency level of the message, the second parameter is the message format, and the second parameter is the parameter corresponding to the format. It is used like the printf function.
If our program needs to use the system log function, we only need to use the openlog function when the program starts to connect to the syslogd program. Then we can use the syslog function to write logs at any time.
The following describes how to configure redhat and ubuntu:
Ubuntu and Red Hat are often used and managed through the/etc/rsyslog. conf file. The file contains many specified special system logs: Console logs, files logs, and other hosts.
First, we need to load appropriate TCP and UDP plug-ins to support receiving system logs. Add the following code to the rsyslog. conf header:
$ Modload imtcp
$ Modload imudp
$ Inputtcpserverexecute 10514
$ UDPServerRun 514
The loaded two modules support listening to TCP and UDP ports, and specify which port to accept the event. In this case, use TCP port 10514 and UDP port 514. You need to check the local firewall (the firewall between your host and the central system log server)
Next, we need to specify rules to tell rSyslog where input events are stored. If you do not add any rules, the input events are processed according to the local rules and intertwined with the events on the local host. We need to specify this rule correctly after adding the section above and before processing system logs locally. For example:
If $ fromhost-ip isequal '192. 168.0.2 'then/var/log/192.168.0.2.log
&~
Every system log from 192.168.0.2 should be stored in the/var/log/192.168.0.2.log file. &~ This symbol is very important because it tells rSyslog to stop processing messages. If you forget to write it, the message will go beyond the next rule and continue processing. There are other variables in this rule. For example:
If $ fromhost-ip startswith '2017. 192. 'then/var/log/192.168.log
&~
Here we use 192. 168. * to replace all IP addresses starting with this and write them to the/var/log/192.168.log file. You can also see some other filters.
You will need to restart the rsyslog service to activate our new configuration:
$ Sudo service rsyslog restart
Now, for the sender's host, we also need to make some changes to the file rsyslog. conf. In the file header, add the following line:
*. * @ 192.168.0.1: 10514
This is all events sent, from all source code and all important levels (with *. *), and transmitted to port 10514 with the IP address 192.168.0.1 through the TCP protocol. You can replace the IP address with the address of your environment. To enable this configuration, You need to restart rSyslog on the host.
You can send your system logs through SSL/TLS. If you transmit system logs over the Internet or other networks, there is no harm. You may find this simple description.
Now, if you add this configuration to your Configuration Management System (if you do not use this configuration, you can try Puppet or Cfengine). Then, you can use appropriate system logs to effectively configure each host to ensure that your logs are sent to the central system log server.