2. Intrusion Detection I: Logging

To quote Mick Bauer:

Whatever else you do to secure a Linux system, it must have comprehensive, accurate, and carefully watched logs...they provide valuable early warning signs of system abuse. Third, after all else fails...system compromise..., logs can provide us with crucial forensic data.

Unix and Linux log messages come from all sorts of places: the kernel itself, running daemons and services, the authentication subsystem, the email service, the boot sequence... For the most part these messages are stored in files under

    /var/log/               # all unices?
    /var/adm/               # Solaris uses this too.

2.1. Syslog: klogd and syslogd

Almost every unix-like OS comes with Syslog. Sometimes this service is implemented by one daemon, syslogd; on Linux the service is implemented by two, syslogd and klogd — messages from the kernel are treated separately.

(Linux also separates out boot messages via the bootlogd service.)

2.1.1. Syslog Startup

Syslog is started at boot time in the usual way, by one or more init scripts:

    /etc/init.d/sysklogd    #
    /etc/init.d/klogd       # ...Linux

    /etc/init.d/syslog      # ...Solaris

2.1.2. Syslog Configuration

Syslog is configured by one file, /etc/syslog.conf. A simple example, based on the one that comes installed on a Debian box, is given below. Some documentation is provided by the comments within; for more see the manpage: syslog.conf(5). N.B. The whitespace between columns consists of TABS.

    # For more information see the syslog.conf(5) manpage.
    #
    # -- All logs, split two ways (syslog contains everything, except for
    #    authorisation-related messages which might contain passwords) :
    #
    auth,authpriv.*                        /var/log/auth.log
    *.*;auth,authpriv.none                -/var/log/syslog
    #
    # ...the "-" means don't sync, i.e., buffer output:  this is for busy
    #    log files, but can lead to missing or inconsistent messages.
    #
    # -- Log by facility (messages can be split by facility:  auth, authpriv,
    #    cron, daemon, kern, lpr, mail, mark, news, syslog, user, uucp and
    #    local{0-7}) :
    #
    cron.*                           /var/log/cron.log
    daemon.*                         -/var/log/daemon.log
    kern.*                           -/var/log/kern.log
    lpr.*                            -/var/log/lpr.log
    mail.*                           -/var/log/mail.log
    user.*                           -/var/log/user.log
    #
    # -- Log by priority (each message has a priority:  debug, info, notice,
    #    warning, err, crit, alert, emerg) : "debug", usually commented out,
    #    grabs all (*) messages of priority exactly (=) debug (except
    #    authorisation-related messages);  "messages" gets all low-priority
    #    messages (info, notice and warn, but not debug), except those from
    #    cron and daemon :
    #
    #*.=debug;\
    #        auth,authpriv.none      -/var/log/debug
    #
    *.=info;*.=notice;*.=warn;\
            auth,authpriv.none;\
            cron,daemon.none         -/var/log/messages
    #
    # -- Emergencies are sent to everybody logged in (all screens/ptys).
    #
    *.emerg                          *
    #
    # -- The above are pretty standard;  these are more sys-admin-personal:
    #    send messages to a virtual console (tty8 --- CTRL-ALT-F8 or ttysnoop);
    #    send messages to /dev/xconsole (the pipe used by the xconsole utility) :
    #
    daemon,mail.*;\
            news.=crit;news.=err;news.=notice;\
            *.=debug;*.=info;\
            *.=notice;*.=warn        /dev/tty8
    #
    daemon.*;mail.*;\
            news.crit;news.err;news.notice;\
            *.=debug;*.=info;\
            *.=notice;*.=warn        |/dev/xconsole
    #
    # -- Copy logs to a couple of remote servers:
    #
    *.info                           @130.88.200.230
    *.info                           @130.88.200.231

Logs should be copied to a remote server as per the last few lines of the syslog.conf file, above.

N.B. The whitespace between the fields in syslog.conf is made up of tabs, not spaces. After creating the entries it is necessary to restart the Syslog daemon.
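The selector rules described in the comments above (facility.priority meaning "this priority and anything more severe", "=" for exactly one priority, "none" to drop a facility, ";" to chain selectors) are easy to misread on a long file. The following is an added example, not code from the page or from the sysklogd project: a small Python model of those rules that answers the question "which actions does a message logged as facility.priority actually reach?". The function names (parse_conf, route, actions_receiving) are hypothetical, the embedded configuration is a constructed excerpt modelled on the Debian-style file above, and the remote address 192.0.2.10 is a documentation-range placeholder. The "!" exclusion syntax of syslog.conf(5) is not modelled.

```python
"""Work out which syslog.conf actions a (facility, priority) message reaches.

Hypothetical helper written for this page: it models the selector rules of
the classic sysklogd syslog.conf(5) -- "facility.priority" matches that
priority and every more severe one, "=priority" matches exactly one,
"none" drops the facility, "*" stands for every facility or priority, ";"
chains selectors and "," lists facilities.  The "!" exclusion syntax is not
modelled.
"""
import re
from typing import Dict, List, Set, Tuple

# syslog(3) levels in numeric order: lower index = more severe.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "mark",
              "news", "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]

Rule = Tuple[Dict[str, Set[str]], str]   # (per-facility priority mask, action)


def _canon(priority: str) -> str:
    return ALIASES.get(priority, priority)


def _logical_lines(text: str):
    """Yield config lines with comments removed and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("\\"):
            buf += line[:-1].strip()
            continue
        buf += line
        if buf:
            yield buf
        buf = ""
    if buf:
        yield buf


def parse_conf(text: str) -> List[Rule]:
    """Parse syslog.conf text into (mask, action) rules; selectors apply left to right."""
    rules: List[Rule] = []
    for line in _logical_lines(text):
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) != 2:
            raise ValueError(f"no action field in rule: {line!r}")
        selectors, action = parts
        mask: Dict[str, Set[str]] = {f: set() for f in FACILITIES}
        for sel in filter(None, selectors.split(";")):
            fac_part, pri_part = sel.rsplit(".", 1)
            facs = FACILITIES if fac_part == "*" else fac_part.split(",")
            exact = pri_part.startswith("=")
            pri = _canon(pri_part.lstrip("="))
            for fac in facs:
                if pri == "none":
                    mask[fac] = set()                        # clears earlier selectors
                elif pri == "*":
                    mask[fac] = set(PRIORITIES)
                elif exact:
                    mask[fac].add(pri)                       # exactly this priority
                else:
                    idx = PRIORITIES.index(pri)              # ValueError if unknown
                    mask[fac].update(PRIORITIES[: idx + 1])  # this one and more severe
        rules.append((mask, action))
    return rules


def route(rules: List[Rule], facility: str, priority: str) -> List[str]:
    """Actions that receive a message logged as facility.priority, in file order."""
    pri = _canon(priority)
    return [action for mask, action in rules if pri in mask[facility]]


def actions_receiving(rules: List[Rule], facility: str) -> List[str]:
    """Every action that gets at least one priority of `facility`: useful for
    checking where authorisation messages actually end up."""
    return [action for mask, action in rules if mask[facility]]


# Constructed excerpt modelled on the Debian-style file on this page; the
# remote address is a documentation-range placeholder, not a real log host.
SAMPLE_CONF = """\
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
*.=info;*.=notice;*.=warn;\\
        auth,authpriv.none;\\
        cron,daemon.none        -/var/log/messages
*.emerg                         *
daemon,mail.*;\\
        news.=crit;news.=err;news.=notice;\\
        *.=debug;*.=info;\\
        *.=notice;*.=warn       /dev/tty8
*.info                          @192.0.2.10
"""

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for fac, pri in [("auth", "info"), ("kern", "emerg"), ("cron", "info"), ("mail", "debug")]:
        print(f"{fac}.{pri:<7} -> {route(conf, fac, pri)}")
    print("actions seeing auth messages:", actions_receiving(conf, "auth"))
```

Running it shows something worth checking on a real file: the first two rules deliberately keep auth and authpriv out of /var/log/syslog and /var/log/messages because those messages might contain passwords, but the "sys-admin-personal" console rule's `*.=info` and `*.=notice` selectors, and the `*.info` remote-forwarding rule, pull them straight back in. actions_receiving(conf, "auth") lists every destination that sees at least one auth message, which is the quick way to confirm that an exclusion added early in the file has not been undone by a wildcard later on.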

