© David Morgan 2004-2011
syslog - centralized logging
David Morgan
A logging system
Conforming programs emit categorized messages
Messages are candidates for logging
syslog handles the logging
– performed by syslogd
– per /etc/syslog.conf
syslog architecture
[figure: message flow. Programs send messages to syslogd, which routes them per /etc/syslog.conf to a file, the console, a logged-in user, a fifo, or a remote log host]
Historical rationale - Then
Some programs logged messages to one file
Some programs logged to another
Some programs logged to STDERR
Historical rationale - Now
Programs themselves don’t log messages
They write them to syslog instead
syslog manages logging centrally
– decides which messages to log
– decides where to log them to
Programs emit messages... you read them
API calls to standard library functions
– openlog( ) - identifies this program and its “facility” at program start
– syslog( ) - provides a message, tagged with a “priority”
– closelog( ) - closes logging before program terminates
or “logger,” equivalent access from shell
Of direct concern only to programmers
Programs emit messages... examples
“Normally, dhcpd will log all output using the syslog(3) function with the log facility set to LOG_DAEMON.” - man page for dhcpd(8), dynamic host configuration protocol daemon
Messages from /var/log/messages
– Jul 24 13:19:25 brain kernel: eth1: NE2000 found at 0x300, using IRQ 3
– Aug 3 15:33:03 brain PAM_pwdb[25812]: (login) session opened for user david by (uid=0)
– Jul 31 20:23:31 brain ftpd[16423]: FTP LOGIN REFUSED (access denied) FROM cras1p66.navix.net [207.91.10.69], anonymous
– Jul 26 17:01:23 brain httpd: httpd shutdown succeeded
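The message lines above follow syslogd's traditional line layout: timestamp, host, program tag with an optional [pid], then the message. As an added example that is not from the slides, this Python script parses such lines into fields, counts messages per program, and picks out the refused FTP logins; the sample input is the four lines from the slide, re-joined onto single lines.

```python
import re
from collections import Counter

# Traditional syslogd line: "Mon DD HH:MM:SS host tag[pid]: message".
# The [pid] is optional; the kernel, for instance, writes "kernel:" with none.
LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)

def parse_line(line):
    """Split one /var/log/messages line into its fields; None if it is not syslog-shaped."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec

def tag_counts(lines):
    """How many messages each program (tag) emitted; unparseable lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[rec["tag"]] += 1
    return counts

def refused_ftp_logins(lines):
    """Return (host, message) pairs for ftpd lines that report a refused login."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["tag"] == "ftpd" and "LOGIN REFUSED" in rec["msg"]:
            hits.append((rec["host"], rec["msg"]))
    return hits

# Sample lines taken from the slide (the PAM line re-joined onto one line).
SAMPLE = [
    "Jul 24 13:19:25 brain kernel: eth1: NE2000 found at 0x300, using IRQ 3",
    "Aug 3 15:33:03 brain PAM_pwdb[25812]: (login) session opened for user david by (uid=0)",
    "Jul 31 20:23:31 brain ftpd[16423]: FTP LOGIN REFUSED (access denied) FROM cras1p66.navix.net [207.91.10.69], anonymous",
    "Jul 26 17:01:23 brain httpd: httpd shutdown succeeded",
]

if __name__ == "__main__":
    for rec in map(parse_line, SAMPLE):
        print(rec)
    print(tag_counts(SAMPLE), refused_ftp_logins(SAMPLE))
```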
/etc/syslog.conf
Entries, called rules, determine messages’ handling
Rule format:
<facility>.<priority>    <action>
SELECTOR                 ACTION
/etc/syslog.conf
<facility>.<priority>    <action>
Facilities: auth, authpriv, cron, daemon, kern, lpr, mail, news, syslog, user, uucp, local0 - local7, * (any)
Priorities, lowest to highest: debug, info, notice, warning, err, crit, alert, emerg; also * (any) and none
Actions: write to a file; write to a terminal, by tty device or by user; write to a remote syslog (via UDP to port 514)
/etc/syslog.conf rule example
mail.info    /var/adm/info
The disposition of any messages issued
- by programs whose facility is “mail,”
- as having priority “info” or higher
shall be to write those messages into the file /var/adm/info.
Standard /etc/syslog.conf
kern.*                              /dev/console
*.info;mail,news,authpriv.none      /var/log/messages
authpriv.*                          /var/log/secure
*.emerg                             *
uucp,news.crit                      /var/log/messages
What happens?
Each message is tested against every rule
For each rule
– does the message’s facility match the rule’s?
– does the message’s priority match or exceed the rule’s?
– if so, “log” the message as defined by rule’s action
Syntax wrinkles
*       all facilities or all priorities
=       makes priority restrictive/single
!       makes priority inverse/ignored
none    no priority
Multiple selectors, facilities
*.=info ; mail, news.none    <action>
“Log all messages of priority ‘info,’ but not if their facility is ‘mail’ or ‘news’ ”
- separate selectors with ;
- separate facilities with ,
- selectors overwrite their predecessors
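As an added example, not from the slides, the following Python implements the per-rule test described under “What happens?” together with the *, =, ! and none wrinkles and the ; and , separators above. It follows sysklogd’s semantics, which is an assumption beyond the slide’s wording: a later selector adds to, removes from (!), or resets (none) what earlier selectors set for a facility. It then routes sample messages through the standard /etc/syslog.conf shown earlier.

```python
# Priorities in ascending order (debug lowest, emerg highest), per syslog.conf(5).
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "news",
              "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]

def parse_selector(selector):
    """Expand one selector field into {facility: set of priorities it accepts}.
    ';' separates selectors, ',' separates facilities; a later selector modifies
    what earlier ones set, so 'mail,news.none' carves mail and news out of '*.info'."""
    mask = {f: set() for f in FACILITIES}
    for part in selector.replace(" ", "").split(";"):
        if not part:
            continue
        facs, _, spec = part.rpartition(".")
        targets = FACILITIES if facs == "*" else facs.split(",")
        ignore = spec.startswith("!")      # '!' removes instead of adds (assumed sysklogd rule)
        spec = spec.lstrip("!")
        single = spec.startswith("=")      # '=' means exactly this priority
        spec = spec.lstrip("=")
        if spec == "*":
            wanted = set(PRIORITIES)
        elif spec == "none":
            wanted = set()
        elif single:
            wanted = {spec}
        else:                              # plain name: this priority or higher
            wanted = set(PRIORITIES[PRIORITIES.index(spec):])
        for f in targets:
            mask.setdefault(f, set())
            if spec == "none":
                mask[f] = set()
            elif ignore:
                mask[f] = mask[f] - wanted
            else:
                mask[f] = mask[f] | wanted
    return mask

def route(rules, facility, priority):
    """Test a facility.priority message against every (selector, action) rule, as syslogd does."""
    return [action for selector, action in rules
            if priority in parse_selector(selector).get(facility, set())]

# The standard /etc/syslog.conf from the slide, as (selector, action) pairs.
STANDARD_CONF = [
    ("kern.*", "/dev/console"),
    ("*.info;mail,news,authpriv.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("*.emerg", "*"),
    ("uucp,news.crit", "/var/log/messages"),
]
```

Calling route(STANDARD_CONF, "news", "crit") shows why the last rule exists: the second rule's news.none drops news entirely, and only the uucp,news.crit rule brings serious news messages back into /var/log/messages.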
Action (logging) destinations
/var/log/messages    that file
/dev/tty6            that terminal
root,bclinton        terminals where those users are logged in
@loghost             syslog daemon on machine loghost
klogd - a syslogd client
[figure: the kernel’s messages pass through klogd, which hands them to syslogd; from there they are routed like any other program’s messages to a log file, the console, a user, a fifo, or a remote log host]
Important log files in /var/log
cron
dmesg        boot messages
lastlog      user logins
log.smb
maillog      mail traffic
messages     general purpose
news
secure       login attempts
sendmail
uucp
wtmp         current activity
xferlog      ftp transfers
Viewing log files dynamically
Logfile rotation and management
cron
– /etc/crontab, /etc/cron.daily
– /etc/cron.daily/logrotate
logrotate
– /etc/logrotate.conf, /etc/logrotate.d
Syslog shortcomings
syslog accepts messages over the network on an all-or-none basis (from every host or from none)
multi-hop forwards are sourced to the most recent hop, not the originating host
messages travel in cleartext
configuration is inflexible
Alternative replacements for syslog
two primary projects
– syslog-ng
– rsyslog
seek to add new capabilities and features
seek to seamlessly drop in
– retain default-config compatibility with stock syslog
Distributions adopting rsyslog
fedora 8
debian
ubuntu
Adoption rationale – fedora*
“why not syslog-ng?”
– code complexity
– performance issues
– incompatible format
– dual licensing model where adding features available in the other version might cause friction with upstream.
*per http://fedoraproject.org/wiki/Releases/FeatureRsyslog
Adoption rationale (vs syslog-ng) – ubuntu*
licensing and software features
truly reliable message delivery
compliance with IETF regarding reliable TCP transport
native support for traffic encryption
SNMP support
BSD-style hostname and program name blocks
on-disk message spooling
include config files
/etc/rsyslog.conf
$ModLoad imuxsock.so    # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so      # provides kernel logging support (previously done by rklogd)
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
*.emerg                                     *
uucp,news.crit                              /var/log/spooler
local7.*                                    /var/log/boot.log
rsyslog specific: the $ModLoad and $ActionFileDefaultTemplate directives
syntax-compatible with stock syslog: the selector/action rules
Multiple system trans-net logging model
/etc/rsyslog.conf for trans-net logging
...
# Provides UDP syslog reception
$ModLoad imudp.so
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp.so
$InputTCPServerRun 61514
...
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
*.* @@remote-host:514
...
The reception directives make this host receive from the network; the *.* @@remote-host:514 rule forwards every message to the remote host (@@ selects TCP rather than UDP).