Solaris Study Notes: Solaris syslog mechanism

Article Title: Solaris Study Notes: About the Solaris syslog mechanism. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
The syslog mechanism is responsible for sending and recording the information generated by the system kernel and tools. It consists of the syslog () call, the syslogd daemon process, and the configuration file/etc/syslog. conf. When the system kernel and tool generate information, send the information to syslogd by calling syslog (), and then syslogd according to/etc/syslog. the Configuration Requirements in conf are as follows:
1. Record to system logs;
2. output to the system console;
3. forward data to a specified user;
4. syslogd is forwarded to other hosts through the network.
With the syslog. conf configuration, We can flexibly control the transmission and storage of information.
　　
The syslogd process is started by/etc/rc2.d/S74syslog at system startup. To manually start or stop syslogd, run the following command:
#/Etc/init. d/syslog start | stop
　　
A configuration record in the/etc/syslog. conf file consists of "selector" and "action", which are separated by tabs. The "option" is composed of one or more reserved fields in the format of "type. Level". Each reserved field is separated by a semicolon.
　　
The "type" in the reserved field indicates the source of information generation, which can be:
Kern information generated by the kernel;
Information generated by user processes. For information generated by programs or tools not listed here, the default type is "user ";
Information generated by the mail system;
Daemon system daemon information, such as in. ftpd and telnetd;
Auth information generated during identity authentication by login, su, and getty;
Syslogd internal information;
The lpr line prints the spooling system information;
News USENET information of the network news system;
Uucp UUCP system information;
Cron and at tool information;
The local0-7 is reserved for local use;
Timestamp information generated inside mark syslogd;
* All types except mark (this symbol cannot represent all levels ).
　　
The "level" in the reserved field indicates the importance of the information, which can be:
Emerg is in the Panic status. Generally, it should be broadcast to all users;
Alert. The current status must be corrected immediately. For example, the system database crashes;
Crit critical status warning. For example, hardware faults;
Other err errors;
Warning;
Notice Note: Non-error reports, but should be specially handled;
Info notification information;
Information about the debug program;
None is usually used for program debugging, indicating that information generated with the none level does not need to be sent. For example, *. debug; mail. none indicates that all information except the mail information is sent during debugging.
　　
The action field indicates the destination of the message. It can be:
/Filename log file. The file name specified by the absolute path. This file must be created in advance;
@ Host remote host;
User1 and user2 specify the user. If the specified user has logged on, the user will receive the message;
* All users. All logged-on users will receive the message.
　　
Let's take a look at the instances in the/etc/syslog. conf file:
......
*. Err; kern. debug; daemon. notice; mail. crit/var/adm/messages
......
　　
The "action" in this line is the/var/adm/messages file that we often care about. The source "selector" output to it is:
*. Err-all common error messages;
Kern. debug-debugging information generated by the core;
Daemon. notice-daemon precautions;
Mail. crit-critical warning information of the mail System
　　
So we have a rough idea about how to get something in/var/adm/messages. Let's look at the following (ignore the comment "#"):
......
# If a non-loghost machine chooses to have authentication messages
# Sent to the loghost machine, un-comment out the following line:
# Auth. notice ifdef ('loghost',/var/log/authlog, @ LOGHOST)
......
　　
This involves the loghost and m4 macro interpreter under Solaris. Loghost is easy to understand, that is, specify one of multiple SUN machines in the LAN as the loghost. syslogd will be filled with water. The specific who is loghost is defined in/etc/hosts:
......
192.168.1.11 host1 loghost
192.168.1.22 host2
......
　　
M4 is responsible for interpreting ifdef, and its deeds will not be further investigated here (the brothers and sisters who want to take the test of SA can look at it and have questions). The above ifdef means: if the local machine is loghost, the information is sent to/var/log/authlog; otherwise, it is sent to the host after.
　　
The following example shows how to use the syslog mechanism to record telnet logon.
Many network services such as Telnet and ftp are provided through inetd. Therefore, first check the types and levels of syslog calls used by inetd:
　　
# Man inetd
......
-T Instructs inetd to trace the incoming
Connections for all of its TCP services. It does this
Logging the client's IP address and TCP port number,
Along with the name of the service, using the syslog (3)
Facility. UDP services can not be traced. When tracing is
Enabled, inetd uses the syslog facility code '''daemon''
And ''notice'' priority level.
......
　　
That is to say, when the inetd with the-t option is started, it will call syslog to record the details of the TCP Service. The type is daemon and the level is notice. So first modify the inetd STARTUP script/etc/init. d/inetsvc, find the inetd line, and change it:
/Usr/sbin/inetd-s-t &
　　
As shown above, daemon. notice is included in syslog. conf, and the action is/var/adm/messages. If you do not want to change the action, you do not need to modify it.
　　
Restart syslogd:
#/Etc/init. d/syslog stop
#/Etc/init. d/syslog start
　　
Restart inetd:
#/Etc/init. d/inetsvc stop
#/Etc/init. d/inetsvc start
　　
Test the result. Open a window to check whether there are new messages:
# Tail-f/var/adm/messages
　　
Telnet or ftp from another machine. The preceding monitoring window should contain output (^ C termination monitoring ):
......
Jun 18 12:08:42 host1 inetd [755]: [ID 317013 daemon. notice] ftp [759] from 192.168.1.88 1082
Jun 18 12:09:13 host1 inetd [755]: [ID 317013 daemon. notice] telnet [760] from 192.168.1.88 1083
Jun 18 12:11:22 host1 inetd [755]: [ID 317013 daemon. notice] ftp [771] from 192.168.1.88 1084
　　
For software developers, you can refer to relevant information about syslog () to make appropriate syslog () calls to the information in your software to output it to the desired place.