Sysklogd system Logger

Source: Internet
Author: User
Article Title: Sysklogd system logger (from the Linux channel of the IT lab in China, which covers desktop applications, Linux system management, kernel research, embedded systems, and open source).

Overview

The importance of logs to a system is self-evident: fault diagnosis and intrusion detection, for example, are almost impossible without them. The most popular logger on Linux is Sysklogd; the latest version is 1.5.

Sysklogd consists of two daemons (klogd and syslogd) and one configuration file (syslog.conf). klogd does not use the configuration file; it intercepts kernel messages and can run on its own or as a client of syslogd. syslogd uses /etc/syslog.conf as its configuration file by default; it receives messages from applications as well as the kernel messages that klogd forwards to it. Both Internet and Unix domain sockets are supported, so the two tools can record local and remote logs.

Important information

By default the syslogd daemon does not accept any messages from the syslog/udp port unless the "-r" option is given on the command line. You should also look closely at the "-l" (hosts to be logged by their simple hostname only) and "-s" (domain names to strip before logging) command line options.

By default syslogd does not forward messages that it receives from remote hosts; this avoids infinite log loops. The "-h" option enables such forwarding.

syslogd strips the local domain from the hostname in every message that comes from a host in the same domain. Keep this in mind if you use a log analysis program.

syslogd does not change the attributes of any file, so the files it creates are world-readable. If you do not want this (for example, for the file that records "auth.*"), you must create those files by hand and set the appropriate permissions before starting the daemon.

If some programs send large numbers of log messages and keep the hard disk busy, consider disabling the fsync() after each line (in syslog.conf, prefix the file name with "-"). Note that this may lose some log messages if the system crashes.

If klogd or syslogd is started directly by init, use the "-n" option on the command line so that the daemon does not fork into the background.

If a System.map file is available and "-k" is given on the klogd command line, klogd can decode the EIP addresses in kernel oops messages. This is useful for diagnosing system crashes, but you must make sure the System.map file matches the running kernel.

Both daemons try to delete their .pid file when they receive a termination signal. If the system crashes or the process is killed with "kill -9", however, there is no chance to clean up and the .pid file is left behind. At the next boot the PID recorded in that stale file may be reused by some unrelated process, resulting in a process number conflict. The best solution is to have the system startup scripts (rc.*) remove stale .pid files (usually in the /var/run directory) at the very beginning of system startup.
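The check that such a startup script should run, as an added example that is not code from the original article or from the sysklogd project. It treats a .pid file as stale when it is empty or non-numeric or names a PID that no longer exists; because a PID can be reused by an unrelated process, an optional expected process name is compared against /proc/PID/comm where that file exists (Linux). The pid file paths in the usage lines are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article or from the sysklogd
# project: the stale-.pid-file check an rc script should run before starting
# klogd or syslogd.

# clear_stale_pidfile FILE [NAME]
#   returns 0 after removing FILE when it is stale (or when FILE is absent),
#   returns 1 and leaves FILE alone when it names a live process (and, if NAME
#   is given and /proc is present, that process's name matches NAME).
clear_stale_pidfile() {
    pidfile=$1
    expected=${2:-}
    [ -e "$pidfile" ] || return 0
    pid=$(head -n 1 "$pidfile" 2>/dev/null | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*)
            # empty or non-numeric content cannot belong to a running daemon
            rm -f "$pidfile"
            return 0 ;;
    esac
    if [ "$pid" -le 0 ]; then
        # PID 0 would make "kill -0" signal the whole process group
        rm -f "$pidfile"
        return 0
    fi
    # kill -0 sends no signal; it only reports whether the PID exists.
    # rc scripts run as root, so a permission error cannot mask a live process.
    if ! kill -0 "$pid" 2>/dev/null; then
        rm -f "$pidfile"
        return 0
    fi
    if [ -n "$expected" ] && [ -r "/proc/$pid/comm" ]; then
        comm=$(cat "/proc/$pid/comm")
        if [ "$comm" != "$expected" ]; then
            # the PID is alive but belongs to some other program: the file is
            # a leftover from before the reboot or crash
            rm -f "$pidfile"
            return 0
        fi
    fi
    return 1
}

# Usage, as an rc script would call it before starting the daemons
# (file names assumed; syslogd's default is syslog.pid or syslogd.pid
# depending on the Makefile setting):
#   clear_stale_pidfile /var/run/syslogd.pid syslogd
#   clear_stale_pidfile /var/run/klogd.pid klogd
```

The name comparison is what closes the gap the article describes: at boot the PID is usually free, but when the script is rerun later (for example before a restart) a live process with the recorded PID may not be the daemon at all.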

Large file support (the ability to write log files larger than 2 GB) is not a syslogd feature but a glibc feature (it uses different kernel APIs). To enable it, uncomment the corresponding line in the Makefile (one of the two lines containing "-D_FILE_OFFSET_BITS").

Kernel Console Log Level

The kernel console log level controls which kernel messages are shown on the console. There are two ways to change it: the "-c" option of klogd, or sysctl, which is the recommended way. The setting is usually placed in /etc/sysctl.conf, for example:

kernel.printk = 4 4 1 7

The four values are the current console log level, the default level for messages printed without an explicit level, the minimum console level that may be set, and the default console level. With a console level of 4, only messages whose level is below 4 (emerg, alert, crit and err) reach the console; everything else goes only to the log.

Installation notes

Reading the README and the man pages carefully will save you a lot of pain. All documentation is currently in the man pages.

Modify the Makefile to suit your system and then compile. If you do not take the first step seriously, you may end up with binaries that are wrong for your system.

FSSTND (the Linux File System Standard) requires that binaries and their configuration files live in different directories. This package follows the FSSTND convention by default; you can change the location of the configuration file by modifying the Makefile and the source code.

Both daemons are expected to run as root. See the man pages for more information about security.

The following is an excerpt from the beginning of the Makefile. These are the settings that may need to be changed during installation:

CC = gcc
SKFLAGS = $(RPM_OPT_FLAGS) -O3 -DSYSV -fomit-frame-pointer -Wall -fno-strength-reduce
# Enable large file support; which line to use depends on whether your system is 32-bit or 64-bit
# -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE
# -D_FILE_OFFSET_BITS=64 -D_LARGEFILE64_SOURCE
# $(shell getconf LFS_SKFLAGS)
LDFLAGS = -s

# Location of the install program
INSTALL = /usr/bin/install

# Installation directories
BINDIR = $(prefix)/usr/sbin
MANDIR = $(prefix)/usr/share/man

# One report says that on a pure ELF system libresolv.a must be linked explicitly.
# If linking syslogd fails, try uncommenting the following line.
# LIBS = /usr/lib/libresolv.a

# If linking fails on the Alpha platform, try uncommenting the following line.
# LIBS = ${LIBS} -linux

# Uncommenting the following line makes klogd delay its startup, which is useful
# when klogd and syslogd are started in parallel or very close together.
# KLOGD_START_DELAY = -DKLOGD_DELAY=5

# The following define makes the file locations comply with the FSSTND standard.
FSSTND = -DFSSTND

# The following defines specify the owner and permissions of the man pages.
MAN_USER = root
MAN_GROUP = root
MAN_PERMS = 644

# The following define specifies the name of the syslogd daemon's .pid file.
# The default name in the source (paths.h) is "syslog.pid", but many people
# think it should be "syslogd.pid". Specify your preferred name here.
SYSLOGD_PIDNAME = -DSYSLOGD_PIDNAME=\"syslogd.pid\"

syslog.conf

syslog.conf is the configuration file of the syslogd process; it is read when the program starts. The default location is /etc/syslog.conf. It specifies a series of logging rules, each in the following format:

facility.level action

Blank lines and lines starting with "#" are ignored. The "facility.level" part is also called the selector. Selector and action are separated by one or more spaces or tabs.
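A script that applies this rule format to the permission problem noted above (syslogd creates missing log files world-readable), as an added example that is not code from the original article or from sysklogd. It reads the file actions out of a syslog.conf and creates each target with a restrictive mode before the daemon is started. The configuration embedded below is constructed for the example; the facility names in it are the standard ones.

```shell
#!/bin/sh
# Added example, not code from the original article or from sysklogd: create
# the log files named in a syslog.conf before the daemon starts, with
# restrictive permissions, so that rules such as "auth.*" never write to a
# world-readable file.
#
# The rule format handled is "selector<whitespace>action", blank lines and
# lines beginning with "#" ignored. An action is a file when it begins with
# "/" or "-/"; the leading "-" only tells syslogd to skip fsync() after each
# write and is not part of the path. Remote hosts (@host), user lists, "*"
# and pipes are not files and are skipped.

# Constructed sample configuration used by the usage below.
SAMPLE_CONF='# constructed sample syslog.conf
*.info;mail.none;authpriv.none   -/var/log/messages
auth,authpriv.*                  /var/log/auth.log
mail.*                           -/var/log/maillog
*.emerg                          *
kern.warning                     @loghost
cron.*                           |/var/run/cron.fifo
'

# list_file_targets CONF
#   prints the path of every file action in CONF, one per line, with any
#   leading "-" (no-fsync marker) removed.
list_file_targets() {
    awk 'NF >= 2 && $1 !~ /^#/ {
             a = $NF
             sub(/^-/, "", a)
             if (a ~ "^/") print a
         }' "$1"
}

# precreate_log_files CONF ROOT MODE
#   creates every file target of CONF under ROOT (empty for a real system,
#   a scratch directory for testing) with permission MODE, never touching
#   files that already exist. Ownership (e.g. root:adm) is left to a chown by
#   the caller, which needs root. Returns non-zero if any file cannot be made.
precreate_log_files() {
    conf=$1; root=$2; mode=$3
    list_file_targets "$conf" | while IFS= read -r path; do
        target="$root$path"
        [ -e "$target" ] && continue
        mkdir -p "$(dirname "$target")" || exit 1
        # create the file already closed to others (umask 077), then apply the
        # requested mode: there is never a moment when it is world-readable
        ( umask 077 && : > "$target" ) || exit 1
        chmod "$mode" "$target" || exit 1
    done
}

# Usage against a scratch directory (no root needed):
#   tmp=$(mktemp -d)
#   printf '%s' "$SAMPLE_CONF" > "$tmp/syslog.conf"
#   precreate_log_files "$tmp/syslog.conf" "$tmp/root" 600
#   ls -l "$tmp/root/var/log"      # auth.log, maillog, messages, all -rw-------
```

On a real system the ROOT argument is empty, the script runs as root before syslogd is started, and a chown to the group that may read the logs follows the creation; the existing-file check means it can be run on every boot without disturbing files an administrator has already locked down.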
