Syslog and Log Files
• From logfiles, you can find
  • important information
  • History
  • Errors/warnings
• Logging policies
  • Reset log files at periodic intervals
  • Rotate log file
  • Compress and archive
  • Throw away
Syslog and log files
Syslog and Log Files
• Where are the log files?
  • Random log names scattered across dirs/filesystems
  • Two common places:
    • /var/adm
    • /var/log
• To locate your log file:
  • Read the man page for the individual daemon
  • Read the system startup scripts
  • Check syslog's configuration file /etc/syslog.conf
Logs (see p. 208 for more)
Syslog
• Is a comprehensive logging system
• Manages the information generated by
  • the kernel
  • the system utilities
• Has two important functions
  • Liberate programmers
  • Put administrators in control of logging
• Very flexible
  • Sort messages by source and importance
  • Route the messages to
    • a log file
    • users' terminals
    • remote machines
  • Thus, centralizes the logging for a network
Example
• Colossus
  • /var/adm/messages
    • kern.notice – ufs quota
    • auth.error – sshd: potential probe of service
  • /var/adm/sulog
  • /var/log/syslog
  • /var/log/authlog
  • /var/log/dmesg
  • /etc/syslog.conf
• Wopr.csl.mtu.edu
  • /var/log/messages
    • Lots of sshd messages
  • /etc/syslog.conf
• Dafinn.cs.mtu.edu
  • Where is the httpd log file?
    • /etc/init.d/httpd
    • /etc/httpd/conf
      • ServerRoot
      • ErrorLog
    • Symbolic links
  • Where is the print log file?
    • /etc/init.d/cups
    • /etc/cups/cupsd.conf
    • /var/log/cups
Syslog
• Syslog consists of three parts
  • The logging daemon: syslogd
    • config file /etc/syslog.conf
  • Library routines: openlog et al.
  • User-level log submit command: logger
• syslogd
  • Is started at boot time
  • Writes the messages
    • Reads messages from the special file /dev/log (or others, depending on the system), then
    • Consults the configuration file, then
    • Dispatches each message to the appropriate destination
Syslog
• Restart syslogd to
  • make a config change take effect
  • truncate or rotate the log
  • Send a HUP signal:
      # kill -HUP `/bin/cat /var/run/syslog.pid`
• Configuring syslogd
  • /etc/syslog.conf controls syslogd's behavior
  • The basic format is
      selector <Tab> action
  • Selectors identify the source program and the message's severity level, with the format
      facility.level
  • facility and level must be chosen from the valid names listed on the next slide
Syslog
• Valid facility names:
    kern, user, mail, daemon, auth, lpr, cron, syslog, mark, local0-7, ftp, …
• Valid levels (descending severity):
    emerg, alert, crit, err, warning, notice, info, debug, none
Syslog
• Selectors can be combined
  • Separated by a semicolon ;
  • * represents all facilities except mark
• Actions:
  • filename
  • @hostname
  • @ipaddress
  • user1, user2, …
  • *
• Example:
    *.err;kern.debug;daemon.notice;mail.crit    /var/adm/messages
    kern.notice                                 /var/log/kern.notice
    *.alert;kern.err;daemon.err                 operator
    *.alert                                     root
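To make the selector rules concrete, here is an added Python example (not from the slides) that parses the slide's four sample lines, the local5 line from the logger slide, and one constructed line using none, then reports which actions would receive a message of a given facility and level.

```python
# Added example (not from the slides): simulate syslogd's selector matching.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "lpr", "cron", "syslog",
              "mark", "ftp"] + ["local%d" % i for i in range(8)]

# Constructed syslog.conf: the slide's four lines, the logger test line,
# and one extra line (allbutmail) showing how "none" excludes a facility.
SAMPLE_CONF = """\
*.err;kern.debug;daemon.notice;mail.crit\t/var/adm/messages
kern.notice\t/var/log/kern.notice
*.alert;kern.err;daemon.err\toperator
*.alert\troot
local5.warning\t/tmp/evi.log
*.info;mail.none\t/var/log/allbutmail
"""

def parse_conf(text):
    """Turn each 'selector<Tab>action' line into a per-facility threshold map."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selectors, action = line.split(None, 1)
        mask = {}
        for sel in selectors.split(";"):
            facs, level = sel.rsplit(".", 1)
            if level not in LEVELS + ["none"]:
                raise ValueError("unknown level: " + level)
            # "*" stands for every facility except mark; "a,b.level" names several
            names = [f for f in FACILITIES if f != "mark"] if facs == "*" else facs.split(",")
            for fac in names:
                if fac not in FACILITIES:
                    raise ValueError("unknown facility: " + fac)
                # later selectors override earlier ones; "none" drops the facility
                mask[fac] = None if level == "none" else LEVELS.index(level)
        rules.append((mask, action))
    return rules

def route(rules, facility, level):
    """Return the actions that receive a message logged as facility.level."""
    sev = LEVELS.index(level)
    dests = []
    for mask, action in rules:
        threshold = mask.get(facility)
        # a selector matches its own level and every more severe one
        if threshold is not None and sev <= threshold:
            dests.append(action)
    return dests

if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    for fac, lvl in [("kern", "notice"), ("mail", "crit"), ("local5", "warning")]:
        print("%s.%s -> %s" % (fac, lvl, route(rules, fac, lvl)))
```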
Syslog
• Central logging host
  • Keeps the logs in one place, easy to check
  • Needs a stable server
    • What if netloghost is down?
  • The time stamp does not reflect the time on the originating host
Using syslog from programs
• Functions
  • openlog
  • syslog
  • closelog
• C calls
    void openlog(const char *ident, int option, int facility);
    void syslog(int priority, const char *format, ...);
    void closelog(void);
• Perl calls
    use Sys::Syslog;
    openlog($ident, $logopt, $facility);
    syslog($priority, $message, ...);
    closelog();
Logger
• The logger command
  • Creates a log entry
  • Useful for debugging syslogd's configuration file
• Example:
  • After a new line was added to syslog.conf:
      local5.warning    /tmp/evi.log
  • Run
      $ logger -p local5.warning "test message"
  • Then check whether "test message" was written to /tmp/evi.log
Log analyzer
• Get the relevant info out of the lines
  • Write your own scripts
    • Check for certain patterns
    • Send email to you
• Commonly used log postprocessors
  • swatch
  • logcheck
• A couple of things to look for
  • Security-related messages
  • Disk full
  • Messages that are repeated many times