
© David Morgan 2004-2011

syslog - centralized logging

David Morgan

A logging system

• Conforming programs emit categorized messages
• Messages are candidates for logging
• syslog handles the logging
– performed by syslogd
– per /etc/syslog.conf


syslog architecture

[Diagram: message flow. Programs send messages to syslogd; syslogd, directed by /etc/syslog.conf, delivers them to a file, the console, a fifo, a logged-in user, or a remote log host.]

Historical rationale - Then

• Some programs logged messages to one file
• Some programs logged to another
• Some programs logged to STDERR


Historical rationale - Now

• Programs themselves don’t log messages
• They write them to syslog instead
• syslog manages logging centrally
– decides which messages to log
– decides where to log them to

Programs emit messages... you read them

• API calls to standard library functions
– openlog( ) - identifies this program and its “facility” at program start
– syslog( ) - provides a message, tagged with a “priority”
– closelog( ) - closes logging before program terminates
• or “logger,” equivalent access from shell
• Of direct concern only to programmers


Programs emit messages... examples

• “Normally, dhcpd will log all output using the syslog(3) function with the log facility set to LOG_DAEMON.” - man page for dhcpd(8), dynamic host configuration protocol daemon

• Messages from /var/log/messages
– Jul 24 13:19:25 brain kernel: eth1: NE2000 found at 0x300, using IRQ 3
– Aug 3 15:33:03 brain PAM_pwdb[25812]: (login) session opened for user david by (uid=0)
– Jul 31 20:23:31 brain ftpd[16423]: FTP LOGIN REFUSED (access denied) FROM cras1p66.navix.net [207.91.10.69], anonymous
– Jul 26 17:01:23 brain httpd: httpd shutdown succeeded
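The four /var/log/messages lines above all have the same fixed shape (timestamp, host, program tag, optional [pid], message), so they can be parsed mechanically and then searched. The following Python script is an added example written for this page, not code from the slides: it parses lines of that shape and, as a small detection, counts refused FTP logins per source address. The sample lines are constructed from the slide's own entries; the regular expressions and function names are this example's own.

```python
import re
from collections import Counter

# Sample input constructed from the /var/log/messages entries quoted on the slide.
SAMPLE_LINES = [
    "Jul 24 13:19:25 brain kernel: eth1: NE2000 found at 0x300, using IRQ 3",
    "Aug 3 15:33:03 brain PAM_pwdb[25812]: (login) session opened for user david by (uid=0)",
    "Jul 31 20:23:31 brain ftpd[16423]: FTP LOGIN REFUSED (access denied) "
    "FROM cras1p66.navix.net [207.91.10.69], anonymous",
    "Jul 26 17:01:23 brain httpd: httpd shutdown succeeded",
]

# BSD syslog file line: "Mmm dd hh:mm:ss host tag[pid]: message"
# (the day may be padded with a space, and the [pid] part is optional).
LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)"
    r"(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)

# ftpd's refusal message as it appears on the slide: "... FROM <name> [<address>], <user>"
FTP_REFUSED_RE = re.compile(r"FTP LOGIN REFUSED .*FROM (\S+) \[([0-9.]+)\], (\S+)")


def parse_line(line):
    """Split one log line into its fields; return None for lines not in BSD format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    record = m.groupdict()
    record["pid"] = int(record["pid"]) if record["pid"] is not None else None
    return record


def parse_lines(lines):
    """Parse a sequence of lines, skipping malformed ones."""
    return [r for r in (parse_line(line) for line in lines) if r is not None]


def refused_ftp_logins(lines):
    """Count 'FTP LOGIN REFUSED' events per source address (a simple password-guessing indicator)."""
    counts = Counter()
    for record in parse_lines(lines):
        if record["tag"] != "ftpd":
            continue
        m = FTP_REFUSED_RE.search(record["message"])
        if m:
            counts[m.group(2)] += 1
    return dict(counts)


def messages_by_tag(lines):
    """Group messages by the emitting program (the tag), the first field an analyst sorts on."""
    grouped = {}
    for record in parse_lines(lines):
        grouped.setdefault(record["tag"], []).append(record["message"])
    return grouped


if __name__ == "__main__":
    for rec in parse_lines(SAMPLE_LINES):
        print(rec["host"], rec["tag"], rec["pid"], "->", rec["message"])
    print("refused FTP logins:", refused_ftp_logins(SAMPLE_LINES))
```

Run it as a script to see each line split into fields and the refusal count; feed `refused_ftp_logins` the lines of a real /var/log/messages to get the same tally per address.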

/etc/syslog.conf

Entries, called rules, determine messages’ handling. Rule format:

<facility>.<priority> <action>
      SELECTOR       ACTION


/etc/syslog.conf

<facility>.<priority> <action>

facility: auth, authpriv, cron, daemon, kern, lpr, mail, news, syslog, user, uucp, local0 - local7, or * (all)

priority, from lowest to highest: debug, info, notice, warning, err, crit, alert, emerg; also * (all) and none

action:
– write to a file
– write to a terminal, by tty device
– write to a terminal, by user
– write to a remote syslog (via UDP to port 514)

/etc/syslog.conf rule example

mail.info /var/adm/info

The disposition of any messages issued
- by programs whose facility is “mail,”
- as having priority “info” or higher
shall be to write those messages into the file /var/adm/info.


Standard /etc/syslog.conf

kern.*                            /dev/console
*.info;mail,news,authpriv.none    /var/log/messages
authpriv.*                        /var/log/secure
*.emerg                           *
uucp,news.crit                    /var/log/messages

What happens?

• Each message is tested against every rule
• For each rule
– does the message’s facility match the rule’s?
– does the message’s priority match or exceed the rule’s?
– if so, “log” the message as defined by rule’s action


Syntax wrinkles

• * all facilities or all priorities
• = makes priority restrictive/single
• ! makes priority inverse/ignored
• none no priority

Multiple selectors, facilities

*.=info ; mail, news.none <action>

“Log all messages of priority ‘info,’ but not if their facility is ‘mail’ or ‘news’ ”

- separate selectors with ;
- separate facilities with ,
- selectors overwrite their predecessors
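The matching rules from the last three slides (every message is tested against every rule; a rule fires when the facility matches and the message's priority is at least the rule's; *, =, ! and none modify the selector; ; separates selectors, , separates facilities, and later selectors overwrite earlier ones for the facilities they name) are easier to trust once you can run them. The following Python simulator is an added example written for this page, not code from syslogd: it reads rules in the /etc/syslog.conf format shown above and reports which actions a given (facility, priority) message would reach. Assumptions: the action is the last whitespace-separated word of a rule (stock configurations separate it with tabs), whitespace inside a selector is ignored, and ! follows the sysklogd convention of clearing the named priority together with the priorities above it.

```python
# Priority (severity) names in syslog(3) numeric order: emerg is 0 (most severe), debug is 7.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "news",
              "syslog", "user", "uucp"] + ["local%d" % i for i in range(8)]


class Rule:
    """One /etc/syslog.conf line: a selector list and the action it leads to."""

    def __init__(self, selector, action):
        self.selector = selector
        self.action = action
        # Per-facility set of accepted priority codes, built left to right so that a
        # later selector overwrites what an earlier one set for the same facility.
        self.masks = {f: set() for f in FACILITIES}
        for part in selector.split(";"):
            fac_part, dot, pri_part = part.rpartition(".")
            if not dot:
                raise ValueError("selector needs <facility>.<priority>: %r" % part)
            facilities = FACILITIES if fac_part == "*" else fac_part.split(",")
            ignore = pri_part.startswith("!")      # '!' : ignore this priority and higher
            if ignore:
                pri_part = pri_part[1:]
            single = pri_part.startswith("=")      # '=' : this single priority only
            if single:
                pri_part = pri_part[1:]
            for facility in facilities:
                if facility not in self.masks:
                    raise ValueError("unknown facility %r" % facility)
                if pri_part == "*":
                    self.masks[facility] = set() if ignore else set(range(len(PRIORITIES)))
                elif pri_part == "none":
                    self.masks[facility] = set()
                else:
                    code = PRIORITIES.index(pri_part)
                    # "this priority or higher" = this code and every smaller (more severe) code
                    codes = {code} if single else set(range(code + 1))
                    if ignore:
                        self.masks[facility] -= codes
                    else:
                        self.masks[facility] |= codes

    def matches(self, facility, priority):
        return PRIORITIES.index(priority) in self.masks[facility]


def parse_conf(text):
    """Turn syslog.conf text into Rule objects, skipping blank and comment lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.rsplit(None, 1)           # assumption: action is the last word
        rules.append(Rule("".join(selector.split()), action))  # drop spaces inside the selector
    return rules


def route(rules, facility, priority):
    """Actions a message reaches, in rule order; a destination named by two rules appears twice."""
    return [r.action for r in rules if r.matches(facility, priority)]


# The standard configuration from the slide, constructed here as test input.
STANDARD_CONF = """
kern.*                          /dev/console
*.info;mail,news,authpriv.none  /var/log/messages
authpriv.*                      /var/log/secure
*.emerg                         *
uucp,news.crit                  /var/log/messages
"""

if __name__ == "__main__":
    rules = parse_conf(STANDARD_CONF)
    for facility, priority in [("kern", "info"), ("mail", "err"), ("authpriv", "notice"),
                               ("news", "crit"), ("daemon", "debug"), ("kern", "emerg")]:
        print("%s.%s -> %s" % (facility, priority, route(rules, facility, priority)))
```

Two results worth noticing when you run it: a mail.err message reaches no file at all under the standard configuration (mail.none removed it from /var/log/messages and nothing else catches it), and a uucp.crit message is written to /var/log/messages twice, once per rule that names that file.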


Action (logging) destinations

• /var/log/messages - that file
• /dev/tty6 - that terminal
• root,bclinton - terminals where those users are logged in
• @loghost - syslog daemon on machine loghost

klogd - a syslogd client

[Diagram: kernel messages go to klogd, which passes them to syslogd as a client; syslogd then delivers them to the same destinations (log file, console, fifo, user, remote log host) as messages from programs.]


Important log files in /var/log

• cron
• dmesg - boot messages
• lastlog - user logins
• log.smb
• maillog - mail traffic
• messages - general purpose
• news
• secure - login attempts
• sendmail
• uucp
• wtmp - current activity
• xferlog - ftp transfers

Viewing log files dynamically


Logfile rotation and management

• cron
– /etc/crontab
• /etc/cron.daily
– /etc/cron.daily/logrotate
• logrotate
– /etc/logrotate.conf
• /etc/logrotate.d

Syslog shortcomings

• syslog accepts messages over the network on an all-or-none basis: from every host or from none
• multi-hop forwards are attributed to the most recent hop, not to the originating host
• messages are in cleartext
• configuration is inflexible


Alternative replacements for syslog

• two primary projects
– syslog-ng
– rsyslog
• rsyslog
– seeks to add new capabilities and features
– seeks to seamlessly drop in: retains default-config compatibility with stock syslog

Distributions adopting rsyslog

• fedora 8
• debian
• ubuntu


Adoption rationale - fedora*

• “why not syslog-ng?”
– code complexity
– performance issues
– incompatible format
– dual licensing model where adding features available in the other version might cause friction with upstream.

*per http://fedoraproject.org/wiki/Releases/FeatureRsyslog

Adoption rationale (vs syslog-ng) - ubuntu*

• licensing and software features
• truly reliable message delivery
• compliance with IETF regarding reliable TCP transport
• native support for traffic encryption
• SNMP support
• BSD-style hostname and program name blocks
• on-disk message spooling
• include config files

/etc/rsyslog.conf

$ModLoad imuxsock.so    # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so      # provides kernel logging support (previously done by rklogd)
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
*.emerg                                     *
uucp,news.crit                              /var/log/spooler
local7.*                                    /var/log/boot.log

The $ directives are rsyslog specific; the rules that follow are syntax-compatible with stock syslog.

Multiple systems: trans-net logging model

/etc/rsyslog.conf for trans-net logging

...
# Provides UDP syslog reception
$ModLoad imudp.so
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp.so
$InputTCPServerRun 61514
...
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
*.* @@remote-host:514
...

The reception directives make this host receive from the network; the *.* rule sends every message on to remote-host.
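What openlog()/syslog() and the logger command hand to syslogd, and what an @loghost action (UDP port 514, as the configuration slide notes; rsyslog's @@ prefix in the configuration above selects TCP instead) sends across the network, is a short text datagram: a <PRI> field encoding facility and priority as facility * 8 + severity, a timestamp, the sender's hostname, the program tag and the message. The following Python script is an added example for this page, not code from the slides or from any syslog implementation. It builds such a datagram, delivers it to a throwaway receiver on 127.0.0.1 that stands in for a remote syslogd, and parses it back; the receiver also records the peer address, because the hostname inside the message is whatever the sender wrote and, after a relay, names the last hop rather than the origin, and the whole payload travels in cleartext, which is exactly the pair of shortcomings listed above. The facility and severity codes are those of syslog(3)/RFC 3164; the hostname, tag and message values are constructed from the slide's sample lines.

```python
import socket
import time

# Facility and severity codes from syslog(3) / RFC 3164; PRI = facility * 8 + severity.
FACILITY_CODES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5, "lpr": 6,
    "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{"local%d" % i: 16 + i for i in range(8)},
}
SEVERITY_CODES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
                  "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {code: name for name, code in FACILITY_CODES.items()}
SEVERITY_NAMES = {code: name for name, code in SEVERITY_CODES.items()}


def encode_pri(facility, severity):
    """The <PRI> value that openlog()/syslog() put in front of every message."""
    return FACILITY_CODES[facility] * 8 + SEVERITY_CODES[severity]


def decode_pri(pri):
    facility, severity = divmod(pri, 8)
    return FACILITY_NAMES[facility], SEVERITY_NAMES[severity]


def parse_when(text):
    """Fixed timestamps for reproducible examples, e.g. '2001-08-03 15:33:03'."""
    return time.strptime(text, "%Y-%m-%d %H:%M:%S")


def build_datagram(facility, severity, hostname, tag, message, pid=None, when=None):
    """BSD syslog wire format: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG (plain text)."""
    when = time.localtime() if when is None else when
    # The day of month is space-padded to two characters, giving a fixed 15-byte timestamp.
    timestamp = "%s %2d %s" % (time.strftime("%b", when), when.tm_mday,
                               time.strftime("%H:%M:%S", when))
    ident = tag if pid is None else "%s[%d]" % (tag, pid)
    line = "<%d>%s %s %s: %s" % (encode_pri(facility, severity), timestamp,
                                 hostname, ident, message)
    return line.encode("ascii")


def parse_datagram(data, peer_address):
    """Receiver side: split the datagram into fields and keep the address it came from."""
    text = data.decode("ascii", errors="replace")
    if not text.startswith("<") or ">" not in text:
        raise ValueError("missing <PRI> field")
    pri_end = text.index(">")
    facility, severity = decode_pri(int(text[1:pri_end]))
    rest = text[pri_end + 1:]
    timestamp, body = rest[:15], rest[16:]
    hostname, tag_and_message = body.split(" ", 1)
    ident, message = tag_and_message.split(": ", 1)
    return {
        "facility": facility, "severity": severity, "timestamp": timestamp,
        "hostname": hostname,           # claimed by the sender, never verified
        "ident": ident, "message": message,
        "received_from": peer_address,  # the only origin information the receiver observed
    }


def loopback_exchange(datagram):
    """Send one datagram to a throwaway UDP receiver on 127.0.0.1 (stand-in for a remote syslogd)."""
    receiver = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        receiver.bind(("127.0.0.1", 0))  # port 0: any free port; a real syslogd listens on 514
        receiver.settimeout(2)
        sender.sendto(datagram, receiver.getsockname())
        data, peer = receiver.recvfrom(2048)
    finally:
        sender.close()
        receiver.close()
    return parse_datagram(data, peer[0])


# Constructed sample: the ftpd refusal from the slide, stamped with a fixed time and
# an assumed facility of daemon.
SAMPLE = build_datagram("daemon", "notice", "brain", "ftpd",
                        "FTP LOGIN REFUSED (access denied) FROM cras1p66.navix.net "
                        "[207.91.10.69], anonymous",
                        pid=16423, when=parse_when("2001-07-31 20:23:31"))

if __name__ == "__main__":
    print(SAMPLE.decode())
    print(loopback_exchange(SAMPLE))
```

Running the script prints the datagram exactly as it would appear on the wire, readable by anyone on the path, and then the receiver's view of it. A receiver that wants to attribute messages to hosts has only `received_from` to go on; with a relay in between, that address is the relay's, which is the multi-hop attribution problem the shortcomings slide describes.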
