See this page as a slide show
CT320 Logging
Chapter 11: Logging
Original slides from Dr. James Walden at Northern Kentucky University.
Overview
- Linux daemons, kernel, utilities, and services
continually emit status information that is logged.
- Logfiles contain valuable clues about the state of the
system, including failures.
- The main source of data about the system is the
syslogd daemon.
- Most logfiles are plain text, so normal tools such
cat,
grep, head, and tail can parse them. vim & less
transparently read compressed files!
- The syslog contains events from multiple sources, as listed above.
- Some sites have a centralized logging server that aggregates
logs from multiple systems.
Finding logfiles
- Even within Linux, different distributions store
logfiles in different places in the filesystem.
- Most logfiles stored in one of the following directories:
/var/log
/var/log/syslog
/var/adm
- Most logfiles require root privileges to access, but
it is possible to make them world readable.
- Logfiles are notorious for consuming space and filling up disks.
Finding logfiles (cont’d)
| File | Program | Freq | Contents |
|---|
acpid | acpid | - | power related events |
boot.log | rc scripts | monthly | system startup scripts |
cron | cron | weekly | cron execution and errors |
cups | CUPS | weekly | printing related messages |
dmesg | kernel | - | kernel message buffer |
faillog | login | weekly | unsuccessful login attempts |
/etc/httpd | httpd | daily | Apache HTTP server logs |
lastlog | login | - | last login time per user |
mail | mailers | weekly | mail facility messages |
Finding logfiles (cont’d)
| File | Program | Freq | Contents |
|---|
messages | various | weekly | main system log |
samba/* | smbd | weekly | Samba file sharing |
secure | sshd | monthly | private authorization messages |
sulog | su | - | successes and failures |
syslog | various | weekly | main system logfile |
warn | various | weekly | warning and error messages |
syslog: system event logger
- Enforces a comprehensive logging policy and puts
administrators in control of logfiles.
- Allows sorting of messages by source and severity
and routing to various destinations.
- The architecture of
syslog has three parts:
syslogd: logging daemon and its config file /etc/syslog.conf
openlog: library routines that submit messages to syslogd
logger: user-level command to submit log entries from shell
- Can modify the config file to cause messages from
various systems to be saved in specific files:
- mail.info
/var/log/maillog
syslog: facility names
| Facility | Programs that use it |
|---|
| auth | authorization commands |
| cron | cron |
| daemon | system daemons |
| ftp | ftpd |
| kern | kernel |
| lpr | line printer spooling |
| mail | sendmail |
| syslog | syslogd |
| user | user processes |
syslog: severity levels
| Level | Meaning |
|---|
| emerg | panic situations |
| alert | urgent situations |
| crit | critical conditions |
| err | other error conditions |
| warning | warning messages |
| notice | might merit investigation |
| info | information messages |
| debug | for debugging only |
syslog: action field
| Action | Meaning |
|---|
| filename | append message to local file |
@hostname | forward to syslogd on hostname |
@ipaddress | forward to syslogd at ipaddress |
|fifoname | write to named pipe |
| user₁,user₂,… | write to screens of listed users |
* | write to screens of all users |
syslog: config examples
# emergencies: tell everyone who is logged in
*.emerg *
# warnings: store them in message log
*.warning /var/log/messages
# kernel: store them in local log
kern.info /var/log/kern.log
# send to network logger
auth.info @netloghost
logrotate
- Utility to manage log management policies;
standard on Linux distributions.
- Has a configuration file,
/etc/logrotate.conf that specifies
how to manage groups of logfiles:
- compress: compresses noncurrent logfiles (what program, options)
- daily, weekly, monthly: rotate logfiles on schedule
- missingok: does not complain if logfile does not exist
- size logsize: rotates if logfile size > logsize
/etc/logrotate.d/*
Logging Policies
- Questions that affect logging policies:
- How many systems and applications will be included?
- Type and size of storage infrastructure that is required?
- How long must the logging information be retained?
- What types of events are important to the organization?
- Many of these questions come down to security!
- Also need to consider resources available.
- Automation is critical to being successful.
- Most sites today are trending towards a central
approach to log collection and analysis.
