Advanced Linux Log Management: syslog explained with examples (1)

Source: Internet
Author: User
Tags: syslog, all, mail

BKJIA exclusive report: syslog is used by many logging facilities and by many security measures. Any program can use syslog to record events. Syslog can record system events, write them to a file or device, or send a message to users. It can record local events or events from another host over the network.

1. syslog Introduction

Syslog is an industry-standard protocol for recording device logs. On UNIX systems, routers, switches, and other network devices, the system log records system events continuously, and administrators review it to keep abreast of the system's condition. UNIX system logs use syslogd to record system-related events and application operation events. With proper configuration, machines running the syslog protocol can also forward logs to one another, and by analyzing these network behavior logs we can track the status of devices and networks.

2. syslog configuration file

The syslog facility depends on two important files: the /etc/syslogd daemon and the /etc/syslog.conf configuration file. Generally, most syslog information is written to the message files (messages.*) in the /var/adm or /var/log directory. A typical syslog record includes the name of the program that generated it and a text message. It also carries a facility (device) and a priority.

The syslog.conf file lets you flexibly configure where generated logs and their related information are stored. This configuration file specifies the logging behavior of the syslogd daemon, which reads the configuration file at startup. The file consists of entries for the different programs or message categories, one per line. Each entry provides a selector field and an action field, and the two fields are separated by tabs:

  • The selector field specifies the message type (facility) and priority;
  • The action field specifies what syslogd does when it receives a message that matches the selector.

The basic syntax of a syslog.conf line is as follows:

    message_type.priority    action

Each selector consists of a message type and a priority. When a priority is specified, syslogd records messages of that priority or higher. In Linux, the main message types are shown in Table 2, and Table 3 lists the priorities:

Table 2 syslog message types

    Message type   Message source
    kern           Kernel
    user           User programs
    daemon         System daemons
    mail           Mail system
    auth           Security-related commands
    lpr            Printer
    news           Newsgroup information
    uucp           UUCP programs
    cron           Record information of each user currently logged on
    wtmp           A permanent record of the entry and exit times of a user upon each login
    authpriv       Authorization information

Table 3 common syslog priorities

    Priority   Description
    emerg      Highest degree of emergency
    alert      Emergency
    crit       Important information
    warning    Warning
    err        Critical status
    notice     Something unusual
    info       General message
    debug      Debug-level information
    none       No log information is recorded

Different service types have different priorities, and a larger numeric value means a lower (less urgent) priority. If a selector gives a priority without any qualifier, messages of that priority and of all more urgent priorities are included. For example, if the priority in a selector is "warning", it actually includes "warning", "err", "crit", "alert", and "emerg".

Syslog allows three qualifiers that modify the priority: the asterisk (*), the equal sign (=), and the exclamation point (!):

  • The asterisk (*) means that all log messages generated by this facility are sent to the location given in the action field. Just as in regular expressions, the asterisk stands for "everything". For example, "mail.*" sends messages of every priority to the /var/log/mail file given in the action field. Using the "*" qualifier has exactly the same effect as using the "debug" priority, which also sends messages of every type to the specified location.
  • The equal sign (=) means that only log messages of exactly this priority generated by this facility are sent to the location given in the action field. For example, you can use the "=" qualifier to send only debugging messages and not the more urgent ones (which reduces the load on the application). Use the equal sign whenever you need to send messages of one specific priority only.
  • The exclamation point (!) means that all log messages generated by this facility are sent to the location given in the action field, except messages of this priority.

Based on the above, the following examples show the syntax in use:

(1) If "crit" is specified, all messages marked crit, alert, and emerg are recorded. The action field in each line says where to send the messages matched by the selector. For example, to record all mail messages in one file:

    # Log all the mail messages in one place
    mail.*                                  /var/log/maillog

(2) Other facilities also have their own logs. The UUCP and news facilities can produce many external messages, so they are stored in their own log (/var/log/spooler) and limited to level "crit" or higher. For example:

    # Save news errors of level crit and higher in a special file.
    uucp,news.crit                          /var/log/spooler

(3) When an emergency message arrives, every user probably wants to see it. You may also want another machine to receive and keep a copy of your logs:

    # Everybody gets emergency messages, plus log them on another machine
    *.emerg                                 *
    *.emerg                                 @linuxaid.com.cn

(4) Sometimes syslogd generates a large number of messages. Kernel messages (the "kern" facility), for example, can be lengthy and hard to read, so you may prefer not to send them to /dev/console. In the following example the kernel rule is commented out:

    # Log all kernel messages to the console
    # Logging much else clutters up the screen
    #kern.*                                 /dev/console

(5) You can cover all facilities in one line. In the following example, messages of level info or higher are sent to /var/log/messages, except those from mail and authpriv. The level "none" disables a facility:

    # Log anything (except mail) of level info or higher
    # Don't log private authentication messages!
    *.info;mail.none;authpriv.none          /var/log/messages
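To make the selector rules above concrete, here is an added example (not code from the original article) that resolves syslog.conf selectors the way the text describes: a facility list with "," , several selectors joined by ";", and the "*", "=", "!" and "none" qualifiers. It also decodes the <PRI> prefix of a wire-format message into facility and priority, since that numeric encoding (facility * 8 + priority, lower priority number = more urgent) is what the "same or higher priority" comparison runs on. The configuration text is constructed from the five rules quoted in this article; the "!" qualifier is applied as in sysklogd's syslog.conf(5), where it removes that priority and the more urgent ones from what earlier selectors on the same line enabled.

```python
"""Resolve syslog.conf selectors (added example, not the article's own code)."""
import re

# Numeric codes from the BSD syslog format; a lower severity number is more urgent.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
FAC_NAMES = {c: n for n, c in FACILITIES.items()}
SEV_NAMES = {c: n for n, c in SEVERITIES.items()}


def parse_pri(line):
    """Decode the <PRI> prefix of a wire message into (facility, severity) names."""
    m = re.match(r"<(\d{1,3})>", line)
    if not m:
        raise ValueError("no <PRI> field at start of message")
    fac_code, sev_code = divmod(int(m.group(1)), 8)  # PRI = facility*8 + severity
    return FAC_NAMES.get(fac_code, f"facility{fac_code}"), SEV_NAMES[sev_code]


def parse_rule(line):
    """Parse one 'selector<whitespace>action' line into (mask, action).

    mask maps facility name -> set of severity codes that this line accepts.
    Returns None for blank or comment lines.
    """
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = re.split(r"\s+", line, maxsplit=1)
    if len(fields) != 2:
        raise ValueError(f"rule without action field: {line!r}")
    selector, action = fields
    mask = {}
    for part in selector.split(";"):          # several selectors, applied left to right
        facs, prio = part.rsplit(".", 1)
        negate = prio.startswith("!")          # "!prio": exclude prio and more urgent
        prio = prio.lstrip("!")
        exact = prio.startswith("=")           # "=prio": exactly this priority
        prio = prio.lstrip("=").lower()
        if prio == "*":
            codes = set(SEVERITIES.values())
        elif prio == "none":
            codes = set()
        elif exact:
            codes = {SEVERITIES[prio]}
        else:                                  # plain prio: this one and more urgent
            codes = {c for c in SEVERITIES.values() if c <= SEVERITIES[prio]}
        targets = list(FACILITIES) if facs == "*" else facs.lower().split(",")
        for fac in targets:
            current = mask.setdefault(fac, set())
            if prio == "none":
                current.clear()
            elif negate:
                current -= codes
            else:
                current |= codes
    return mask, action


def load_config(text):
    """Parse a whole syslog.conf text into a list of (mask, action) rules."""
    return [r for r in (parse_rule(l) for l in text.splitlines()) if r]


def destinations(rules, facility, severity):
    """Every action that receives a message with the given facility and severity."""
    sev = SEVERITIES[severity]
    return [action for mask, action in rules if sev in mask.get(facility, set())]


def route(conf_text, wire_line):
    """Resolve one wire-format message against a syslog.conf text."""
    fac, sev = parse_pri(wire_line)
    return destinations(load_config(conf_text), fac, sev)


# Constructed syslog.conf: the rules quoted in this article (spaces instead of tabs).
SAMPLE_CONF = """\
mail.*                          /var/log/maillog
uucp,news.crit                  /var/log/spooler
*.emerg                         *
*.emerg                         @linuxaid.com.cn
#kern.*                         /dev/console
*.info;mail.none;authpriv.none  /var/log/messages
"""

if __name__ == "__main__":
    # Constructed wire messages: <30> = daemon.info, <22> = mail.info,
    # <0> = kern.emerg, <86> = authpriv.info
    for msg in ("<30>sshd[123]: Accepted publickey for alice",
                "<22>postfix/smtpd[45]: connect from unknown",
                "<0>kernel: panic - not syncing",
                "<86>sshd[124]: authentication failure; user=bob"):
        print(msg, "->", route(SAMPLE_CONF, msg))
```

Run as a script it prints which actions each constructed message reaches; the authpriv.info line reaches none, which is exactly the effect of "authpriv.none" in rule (5), and the kern.emerg line reaches all users, the remote host, and /var/log/messages.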
