Log files Cosc 4750
Logging policies
• Throw away all data immediately
• Reset log files at periodic intervals
• Rotate log files, keeping data for a fixed time
• Compress and archive logs to tape or other permanent media
Throwing away logs
• Not recommended
• Logs are needed for tuning/fixing the system
• Keeping no logs, or turning off logs
• linking log files to /dev/null
• the UNIX version of the trash can
Rotating log files
• Standard practice and the default for installs
• A log file is used for a specific time, or until it reaches a specific size.
• Then the log is renamed to logfile.1
• Usually between 2 and 4 rotates
• logfile, logfile.1, logfile.2, logfile.3, and logfile.4
• When a log file reaches its last "rotate" it is then removed/deleted
Archiving logs
• The logs (or rotated logs) are usually compressed at certain times
• probably with gzip or compress
• Then stored on tape or other permanent media, off-line
Log files
• Commonly found in /var/log or /var/adm (SGI)
• messages (SYSLOG or syslog)
• Main system log; much of the system's logging is found here
• secure: network connections and auth logs
• maillog: sendmail logs
• xferlog: the ftp log
• boot.log: output from the rc scripts
• dmesg: kernel and init boot output
• many others
syslog/messages
• syslogd is the logging daemon, configured with /etc/syslog.conf
• It can be configured to write logs to any number of files, as well as to duplicate log entries into several files
• By default it writes to SYSLOG/messages
syslog.conf
    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    *.info;mail.none;news.none;authpriv.none    /var/log/messages
    # The authpriv file has restricted access.
    authpriv.*                                  /var/log/secure
    # Log all the mail messages in one place.
    mail.*                                      /var/log/maillog
    # Everybody gets emergency messages, plus log them on another
    # machine
    *.emerg                                     *
Syslog severity levels
• emerg = panic situations
• alert = urgent
• crit = critical condition
• err = other error conditions
• warning = warning messages
• notice = might merit investigation
• info = informational messages
• debug = for debugging only
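To see how the selectors in the syslog.conf fragment above combine with the severity ordering, here is a small added example (not part of the lecture slides) that interprets that exact config and reports where a message with a given facility and severity is written. It implements the classic syslogd selector rules: a level matches itself and everything more severe, "none" drops a facility, and a later selector on the same line overrides an earlier one for that facility.

```python
# Added example: interpreter for classic syslog.conf selectors.
# Config text is the fragment from the slide; only the basic selector
# syntax (facility.level, '*', 'none', comma-separated facilities) is handled.

# Most severe first; a selector level matches that level and anything above it.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

SYSLOG_CONF = """\
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;news.none;authpriv.none   /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                 /var/log/secure
# Log all the mail messages in one place.
mail.*                                     /var/log/maillog
# Everybody gets emergency messages, plus log them on another machine
*.emerg                                    *
"""

def parse_conf(text):
    """Return [(selectors, action)], selectors being [(facility, level), ...]."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector_field, action = line.split(None, 1)
        selectors = []
        for sel in selector_field.split(";"):
            facilities, level = sel.split(".", 1)
            for fac in facilities.split(","):
                selectors.append((fac, level))
        rules.append((selectors, action.strip()))
    return rules

def selector_matches(selectors, facility, severity):
    """Evaluate one line's selectors left to right; later ones override earlier ones."""
    matched = False
    for fac, lvl in selectors:
        if fac != "*" and fac != facility:
            continue                       # selector is about another facility
        if lvl == "none":
            matched = False                # exclude this facility entirely
        elif lvl == "*":
            matched = True                 # every severity
        else:
            matched = SEVERITIES.index(severity) <= SEVERITIES.index(lvl)
    return matched

def destinations(rules, facility, severity):
    """Every action (file, or '*' = all logged-in users) that receives this message."""
    return [act for sels, act in rules if selector_matches(sels, facility, severity)]
```

Running `destinations(parse_conf(SYSLOG_CONF), "authpriv", "info")` shows that login-related messages land only in /var/log/secure, which is why that file, not messages, is the one to check for authentication events.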
Other software uses syslog
• ftpd, halt/reboot, inetd, login/rlogind
• named, passwd, popper (mail), sendmail
• cron, vmunix (kernel)
logrotate command
• uses configuration files to figure out when to rotate logs
• /etc/logrotate.conf is the generic config
• general info: when to rotate, whether to compress, etc.
• contains the /var/log/wtmp rotate info
• /etc/logrotate.d/ contains per-service files specifying the rotation actions for specific logs.
syslog rotate file
    /var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {
        sharedscripts
        postrotate
            /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
        endscript
    }
Viewing log files
• Most UNIX/Linux log files contain lots of information.
• Sometimes too much for people.
• Besides cat'ing the logs in /var/log:
• There is a logviewer (system-logviewer)
• redhat-logviewer on older Red Hat systems
• There are many "logviewers" created by the open-source community.
logwatch
• A program installed by default on Red Hat/Fedora systems.
• E-mails "important" log information to the root account daily.
• Configured in the /etc/log.d directory
• logwatch.conf holds the general configuration
• services/* contains configuration files for the log files of various services
• logfiles/* contains configs for non-service log files
• scripts/shared/*, scripts/services/*, and scripts/logfiles/* hold the various filters for service and non-service log files.
logSentry
• Similar to logwatch, but driven by security concerns, whereas logwatch is a summary of the logs.
• Filters out messages that are not security threats, then categorizes messages that could represent a threat and e-mails them.
• Active System Attack Alerts
• Security Violations
• Unusual system events.
Q & A