Chapter 11: Logging
Original slides from Dr. James Walden at Northern Kentucky University.
- Linux daemons, kernel, utilities, and services
continually emit status information that is logged.
- Logfiles contain valuable clues about the state of the
system, including failures.
- The main source of data about the system is the
- Most logfiles are plain text, so normal tools such as
tail can parse them.
transparently read compressed files!
- The syslog contains events from multiple sources, as listed above.
- Some sites have a centralized logging server that aggregates
logs from multiple systems.
- Even within Linux, different distributions store
logfiles in different places in the filesystem.
- Most logfiles are stored in one of the following directories:
- Most logfiles require root privileges to access, but
it is possible to make them world readable.
- Logfiles are notorious for consuming space and filling up disks.
Finding logfiles (cont’d)
| Program | Rotation | Contents |
|---|---|---|
| | - | power related events |
| rc scripts | monthly | system startup scripts |
| | weekly | cron execution and errors |
| CUPS | weekly | printing related messages |
| kernel | - | kernel message buffer |
| | weekly | unsuccessful login attempts |
| | daily | Apache HTTP server logs |
| | - | last login time per user |
| mailers | weekly | mail facility messages |
Finding logfiles (cont’d)
| Program | Rotation | Contents |
|---|---|---|
| various | weekly | main system log |
| | weekly | Samba file sharing |
| | monthly | private authorization messages |
| | - | successes and failures |
| various | weekly | main system logfile |
| various | weekly | warning and error messages |
syslog: system event logger
- Enforces a comprehensive logging policy and puts
administrators in control of logfiles.
- Allows sorting of messages by source and severity
and routing to various destinations.
- The architecture of syslog has three parts:
  - syslogd: logging daemon and its config file
  - openlog: library routines that submit messages to
  - logger: user-level command to submit log entries from shell
- Can modify the config file to cause messages from
various systems to be saved in specific files:
syslog: facility names
| Facility | Programs that use it |
|---|---|
| lpr | line printer spooling |
syslog: severity levels
| Level | Meaning |
|---|---|
| err | other error conditions |
| notice | might merit investigation |
| debug | for debugging only |
syslog: action field
| Action | Meaning |
|---|---|
| filename | append message to local file |
| | forward to syslogd on hostname |
| | forward to syslogd at ipaddress |
| | write to named pipe |
| user₁,user₂,… | write to screens of listed users |
| | write to screens of all users |
syslog: config examples
# emergencies: tell everyone who is logged in
# warnings: store them in message log
# kernel: store them in local log
# send to network logger
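The facility, severity and action tables above, and the four config-example comments, describe one mechanism: a selector `facility.level` matches messages at that level and every more urgent one, and the action field names where they go. The following Python model is an added example, not code from the slides or from any syslogd; the rules in `EXAMPLE_CONF` are constructed to match the four comments, and the file names `/var/log/messages`, `/var/log/kernel` and the host `loghost` are my own choices.

```python
# Added example (not from the slides): a small model of syslog message routing.
# A message carries a facility and a severity; a config line's selector
# "facility.level" matches that level and every more urgent one, and the
# action field names the destination. The rules below are constructed to
# match the four comments in the slide's config example.

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Standard facility codes (RFC 3164); local0..local7 occupy 16..23.
FACILITY_CODES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
                  "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
                  "authpriv": 10, "ftp": 11}
FACILITY_CODES.update({f"local{i}": 16 + i for i in range(8)})

# Constructed rule set mirroring the slide's comments (paths and host are made up).
EXAMPLE_CONF = """
# emergencies: tell everyone who is logged in
*.emerg         *
# warnings: store them in message log
*.warning       /var/log/messages
# kernel: store them in local log
kern.*          /var/log/kernel
# send to network logger
*.info          @loghost
"""


def encode_pri(facility, severity):
    """PRI value that precedes a syslog message on the wire: facility*8 + severity."""
    return FACILITY_CODES[facility] * 8 + SEVERITIES.index(severity)


def decode_pri(pri):
    """Inverse of encode_pri; returns (facility, severity)."""
    code, level = divmod(pri, 8)
    for name, value in FACILITY_CODES.items():
        if value == code:
            return name, SEVERITIES[level]
    raise ValueError(f"unknown facility code {code}")


def parse_rules(text):
    """Turn syslog.conf-style lines into (selectors, action) pairs.

    A selector is "facilities.level"; facilities may be "*" or a comma list,
    level may be "*" (all) or a severity name; selectors are joined with ";".
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)   # whitespace separates the two fields
        parts = []
        for sel in selector.split(";"):
            facs, level = sel.rsplit(".", 1)
            names = set(FACILITY_CODES) if facs == "*" else set(facs.split(","))
            unknown = names - set(FACILITY_CODES)
            if unknown or (level != "*" and level not in SEVERITIES):
                raise ValueError(f"bad selector {sel!r}")
            parts.append((names, level))
        rules.append((parts, action.strip()))
    return rules


def selector_matches(parts, facility, severity):
    """True if the facility is listed and the severity is at least as urgent as the threshold."""
    for names, level in parts:
        if facility not in names:
            continue
        if level == "*" or SEVERITIES.index(severity) <= SEVERITIES.index(level):
            return True
    return False


def route(rules, facility, severity):
    """Every action whose selector matches, in config-file order."""
    return [action for parts, action in rules if selector_matches(parts, facility, severity)]


def describe_action(action):
    """Map the action field's syntax onto the meanings in the action table."""
    if action == "*":
        return "write to screens of all users"
    if action.startswith("@"):
        return f"forward to syslogd on {action[1:]}"
    if action.startswith("|"):
        return "write to named pipe"
    if action.startswith("/"):
        return "append message to local file"
    return "write to screens of listed users"


if __name__ == "__main__":
    rules = parse_rules(EXAMPLE_CONF)
    for facility, severity in [("kern", "emerg"), ("mail", "err"), ("lpr", "info"), ("cron", "debug")]:
        print(f"{facility}.{severity} (PRI {encode_pri(facility, severity)}):")
        for target in route(rules, facility, severity):
            print(f"  {target:20} {describe_action(target)}")
```

Running it shows why a `kern.emerg` message lands in four places while `cron.debug` is dropped entirely: each matching line fires independently, and a severity threshold includes everything above it. Real syslog implementations add selector forms this model omits (`=level` for exactly one level, `!level` and `none` for exclusions), and rsyslog and syslog-ng each extend the syntax further, so check the daemon's own manual before relying on a rule.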
- Utility to manage log management policies; standard on Linux distributions.
- Has a configuration file, /etc/logrotate.conf, that specifies how to manage groups of logfiles:
- compress: compresses noncurrent logfiles (what program, options)
- daily, weekly, monthly: rotate logfiles on schedule
- missingok: does not complain if logfile does not exist
- size logsize: rotates if logfile size > logsize
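The directives above in a complete logrotate.conf-style fragment, added here as an illustration and not taken from the slides. The file names and retention counts are my own choices; `rotate`, `delaycompress` and `notifempty` are standard logrotate directives that the slide does not list.

```conf
# Global defaults: every stanza below inherits these unless it overrides them
weekly
rotate 4
compress
missingok

# Main system log: weekly rotation, four old copies kept, newest one left
# uncompressed for a cycle so a daemon still writing to it is not disturbed
/var/log/messages {
    weekly
    rotate 4
    compress
    delaycompress
    missingok
    notifempty
}

# Web server logs: rotate as soon as a file passes 100M, keep 14 old copies
/var/log/httpd/*log {
    size 100M
    rotate 14
    compress
    missingok
}
```

Two caveats a practitioner wants here: `size` replaces the time-based schedule rather than adding to it (the last criterion given in a stanza wins), so to rotate weekly *and* whenever a file grows past a limit, use `maxsize` instead; and the program and options used by `compress` are chosen with `compresscmd` and `compressoptions`, which is what the slide's parenthetical "what program, options" refers to. Without `rotate`, old logfiles are removed rather than kept, which is rarely what a security team wants for evidence retention.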
- Questions that affect logging policies:
- How many systems and applications will be included?
- What type and size of storage infrastructure is required?
- How long must the logging information be retained?
- What types of events are important to the organization?
- Many of these questions come down to security!
- Also need to consider resources available.
- Automation is critical to being successful.
- Most sites today are trending towards a central
approach to log collection and analysis.