Friday, December 9, 2016

syslogd : Configuring Log Files I

Configuring Log Files 

syslogd 


Logging on a Linux system that uses init is usually handled by the syslogd daemon. Instead of
each daemon maintaining its own individual log file, most of your Linux services are configured
to write log entries to /dev/log by default. This device file is maintained by the syslogd daemon.
When a service writes to this socket, the input is captured by syslogd.

The syslogd daemon then uses the entries in the /etc/syslog.conf file, shown in Figure 17-16, to determine where the information should go.



The syntax for the syslog.conf file is


facility.priority file 


A facility refers to a subsystem that provides a message. Each process on your Linux system that
uses syslog for logging is assigned to one of the following facilities:


authpriv 
  Facility used by all services associated with system security or authorization 

cron 
  Facility that accepts log messages from cron and at

daemon 
  Facility that can be used by daemons that do not have their own facility

kern 
  Facility used for all kernel log messages

lpr 
  Facility that handles messages from the printing system

mail 
  Facility for log messages from the mail MTA (such as postfix or sendmail)

news 
  Facility for log messages from the news daemon 

syslog 
  Facility for internal messages from the syslog daemon itself

user 
  Facility for user-related log messages (such as failed login attempts)

uucp 
  Facility for log messages from the uucp daemon

local0–local7 
  Facilities you can use to capture log messages from your own applications that you develop




In addition to facilities, the syslogd daemon also provides priorities that you can use to customize how logging occurs on your system. Prioritization is handled by the klogd daemon on most
distributions, which runs as a client of syslogd. You can use the following priorities with syslogd:

debug 
  All information
info 
  Informational messages
notice 
  Issues of concern, but not yet a problem
warn 
  Noncritical errors
err 
  Serious errors
crit, alert, or emerg
  Critical errors

For example, in [Figure 17-16, p 675] the syslog.conf file directs messages of all priority levels (*) from the cron facility to the /var/log/cron file. If desired, you could customize your syslog.conf file to split messages of different priority levels to different files.
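As an added example (not part of the original post or the exam guide it summarizes), here is a small Python resolver that applies facility.priority selectors to syslog.conf-style lines and reports every action a given message would reach. The configuration lines inside it are constructed. The selector semantics it implements are those of the classic sysklogd format, which the post does not spell out: a bare priority matches that level and every more severe one, =prio matches one level exactly, !prio excludes a level and above, none drops a facility, and sub-selectors separated by ; apply left to right with later ones overriding earlier ones for the same facility.

```python
"""Added example (not from the original post): resolve which syslog.conf
actions a message of a given facility and priority would reach.

Semantics are those of the classic syslog.conf format used by sysklogd.
"""

# Priorities from lowest to highest; 'warn' (the spelling the post uses) is
# an alias of the canonical name 'warning'.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
# 'auth' is a standard facility that the post's list omits.
FACILITIES = {"auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "news",
              "syslog", "user", "uucp", *(f"local{i}" for i in range(8))}

# Constructed sample, modelled on the cron line the post describes plus a
# remote log host; it is not copied from any real system.
SAMPLE_SYSLOG_CONF = """\
*.*                                        @192.168.1.10
cron.*                                     /var/log/cron
authpriv.*                                 /var/log/secure
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
mail.*                                     -/var/log/maillog
kern.crit                                  /dev/console
"""


def canonical(priority):
    """Map aliases to the canonical priority name, rejecting unknown names."""
    name = ALIASES.get(priority, priority)
    if name not in PRIORITIES:
        raise ValueError(f"unknown priority: {priority!r}")
    return name


def at_or_above(priority):
    """The set of priorities a bare priority selector matches."""
    return set(PRIORITIES[PRIORITIES.index(canonical(priority)):])


def parse_selector(selector):
    """Return {facility: set of priorities} that one selector field matches."""
    masks = {fac: set() for fac in FACILITIES}
    for part in selector.split(";"):
        facs, dot, prio = part.rpartition(".")
        if not dot:
            raise ValueError(f"malformed selector: {part!r}")
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            if fac not in masks:
                raise ValueError(f"unknown facility: {fac!r}")
            if prio == "none":                       # drop this facility entirely
                masks[fac] = set()
            elif prio == "*":                        # every priority
                masks[fac] = set(PRIORITIES)
            elif prio.startswith("!="):              # exclude exactly this level
                masks[fac] -= {canonical(prio[2:])}
            elif prio.startswith("!"):               # exclude this level and above
                masks[fac] -= at_or_above(prio[1:])
            elif prio.startswith("="):               # exactly this level
                masks[fac] = {canonical(prio[1:])}
            else:                                    # this level and above
                masks[fac] = at_or_above(prio)
    return masks


def parse_syslog_conf(text):
    """Parse selector/action lines into a list of (masks, action) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            raise ValueError(f"missing action in line: {raw!r}")
        selector, action = fields[0], fields[1].strip()
        if action.startswith("-"):   # leading '-' means "do not sync after each write"
            action = action[1:]
        rules.append((parse_selector(selector), action))
    return rules


def destinations(conf_text, facility, priority):
    """All actions, in file order, that a facility.priority message reaches."""
    if facility not in FACILITIES:
        raise ValueError(f"unknown facility: {facility!r}")
    prio = canonical(priority)
    return [action for masks, action in parse_syslog_conf(conf_text)
            if prio in masks[facility]]


if __name__ == "__main__":
    for fac, prio in [("cron", "info"), ("kern", "err"), ("kern", "alert"), ("mail", "debug")]:
        print(f"{fac}.{prio:<6} -> {destinations(SAMPLE_SYSLOG_CONF, fac, prio)}")
```

Running it shows, for instance, that a cron.info message reaches the remote host and /var/log/cron but not /var/log/messages, because the cron.none sub-selector on that line removes the facility again, and that kern.err reaches /var/log/messages but not /dev/console, since err is below the crit threshold on the last line.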

Your Linux distribution should also include a utility named logrotate. The logrotate utility is run daily, by default, by the cron daemon on your system. You can customize how your log files are rotated using the /etc/logrotate.conf file.


[Figure 17-17, p 674] /etc/logrotate.conf

This file contains default global parameters used by logrotate to determine how and when log files are rotated. However, these defaults can be overridden for specific daemons using the configuration files located in the /etc/logrotate.d/ directory.


For example, in [Figure 17-18, p 676] the /etc/logrotate.d/apache2 file is used to customize logging for the apache2 daemon.


In this figure, the /var/log/apache2/access_log file will be compressed. It can have a maximum
age of 365 days, after which it will be removed (maxage 365). Old versions of the file will be
archived using a date extension (dateext). The log file will go through 99 rotations before being
removed (rotate 99). If the file grows larger than 4096KB, it will be rotated (size=+4096k). The
file will not be rotated if it is empty (notifempty). No error message will be generated if the file
is missing (missingok). The file will be created with 644 permissions, will have the root user as
owner, and will be owned by the root group (create 644 root root). After a log file is rotated, the
/etc/init.d/apache2 reload command will be run (postrotate /etc/init.d/apache2 reload).
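Added example, not the figure from the book: a Python parser for a logrotate.d stanza built from the directives listed above, plus two helpers that show how those directives combine on a run. missingok and notifempty are decided before the size test, the size test only fires when the file is strictly larger than the threshold, and rotate and maxage together decide which archived copies are deleted. The stanza contents are constructed; size is written in the usual size 4096k spelling, and the size=4096k form is parsed as well.

```python
"""Added example (not from the original post): parse a logrotate.d stanza and
work out what logrotate would do with a log file under its directives.
"""
import re

# Constructed sample modelled on the directives the post lists for
# /etc/logrotate.d/apache2; the figure itself is not reproduced.
SAMPLE_STANZA = """\
/var/log/apache2/access_log {
    compress
    maxage 365
    dateext
    rotate 99
    size 4096k
    notifempty
    missingok
    create 644 root root
    postrotate
        /etc/init.d/apache2 reload
    endscript
}
"""

UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_size(text):
    """'4096k' -> 4194304 bytes; tolerates the '=' and '+' seen in some spellings."""
    m = re.fullmatch(r"=?\+?(\d+)([kKmMgG]?)", text.strip())
    if not m:
        raise ValueError(f"bad size: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2).lower()]


def parse_stanza(text):
    """Return (paths, directives, postrotate_lines) for one '{ ... }' stanza.
    Flag directives map to True, valued ones to their raw string value."""
    paths, directives, script = [], {}, []
    in_body = in_script = False
    for raw in text.splitlines():
        # '#' starts a comment outside postrotate blocks only
        line = raw.strip() if in_script else raw.split("#", 1)[0].strip()
        if not line:
            continue
        if in_script:
            if line == "endscript":
                in_script = False
            else:
                script.append(line)
        elif not in_body:
            if line.endswith("{"):
                in_body = True
                line = line[:-1]
            paths.extend(line.split())       # one or more log paths precede the brace
        elif line == "}":
            break
        elif line == "postrotate":
            in_script = True
        else:
            # 'key value', 'key', or 'key=value' spellings
            m = re.fullmatch(r"([A-Za-z]+)(?:\s*=\s*|\s+)?(.*)", line)
            key, value = m.group(1), m.group(2).strip()
            directives[key] = value or True
    return paths, directives, script


def rotation_decision(directives, exists, size_bytes):
    """What happens to one file on a logrotate run, given these directives."""
    if not exists:
        return "skip: missing" if "missingok" in directives else "error: file missing"
    if size_bytes == 0 and "notifempty" in directives:
        return "skip: empty"
    if "size" in directives and size_bytes <= parse_size(directives["size"]):
        return "skip: not larger than size threshold"
    return "rotate"


def archives_to_delete(directives, ages_days):
    """Rotated copies to remove: beyond the 'rotate' count, or older than 'maxage'."""
    keep = int(directives.get("rotate", 0))
    maxage = int(directives["maxage"]) if "maxage" in directives else None
    by_age = sorted(ages_days)               # newest (youngest) first
    doomed = set(by_age[keep:])
    if maxage is not None:
        doomed |= {age for age in by_age if age > maxage}
    return sorted(doomed)


if __name__ == "__main__":
    paths, directives, script = parse_stanza(SAMPLE_STANZA)
    print(paths, directives, script)
    for exists, size in [(False, 0), (True, 0), (True, 4194304), (True, 4194305)]:
        print(exists, size, rotation_decision(directives, exists, size))
```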



One of the cool features of the syslogd daemon is that it supports logging to a remote host.
Moving your log files from the local system to a different computer on the network can be a
very valuable administrative and security measure. For example, you could redirect all logging by
Linux systems on your network to a single log host. Then, if a user calls with a problem, you have 
instant access to their log files on the log host.



In addition, remote logging increases the security of your systems. Inexperienced intruders
tend to leave footprints all over in your log files. However, savvy intruders will try to erase their
tracks by altering the log files after accessing the system, making it very difficult to detect the
intrusion. If you redirect your logging, however, the intruder can’t cover their tracks nearly so
easily. To redirect logging, complete the following:



1. Open a terminal session and su - to root.

2. Open /etc/syslog.conf in a text editor.

3. Add the following line to the beginning of the file:

   *.* @IP_address_of_loghost

   For example, to redirect all messages to a log server host with an IP address of
   192.168.1.10, you would enter

   *.* @192.168.1.10

4. Save the file and exit your editor.

5. Restart the syslogd daemon.

6. To configure the log server host to receive log messages from the other systems, complete
   the following:

   a. In a text editor, open /etc/sysconfig/syslog.
   b. Locate the SYSLOGD_PARAMS directive.
   c. Set the value of the SYSLOGD_PARAMS directive to -r
   d. Save the changes and exit the file.
   e. Restart syslogd.
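The two file edits of the procedure above, written as idempotent text transforms in Python so they can be tried on copies of the files before /etc is touched. This is an added example, not part of the original post; the log host address and the sample file contents are constructed. One caveat a defender will want alongside it: the @host action forwards over UDP port 514 without authentication or encryption, and -r makes the receiving syslogd accept messages from any address, so restrict the listener with a host firewall to the known client systems and keep the log host on a trusted network segment.

```python
"""Added example (not from the original post): steps 3 and 6c of the
remote-logging procedure as idempotent text transforms.
"""
import ipaddress
import re


def add_remote_target(syslog_conf, loghost):
    """Insert '*.* @loghost' at the beginning of syslog.conf text (step 3).
    Returns the text unchanged if the line is already present."""
    ipaddress.ip_address(loghost)           # reject typos before they reach the daemon
    target = f"*.* @{loghost}"
    lines = syslog_conf.splitlines()
    if any(line.split() == target.split() for line in lines):
        return syslog_conf
    return "\n".join([target, *lines]) + "\n"


def set_sysconfig_param(sysconfig, name, value):
    """Set NAME="value" in /etc/sysconfig/syslog text, replacing an existing
    assignment or appending one (step 6c: name='SYSLOGD_PARAMS', value='-r').
    -r tells sysklogd to receive messages from the network."""
    pattern = re.compile(rf"^{re.escape(name)}=.*$", re.MULTILINE)
    assignment = f'{name}="{value}"'
    if pattern.search(sysconfig):
        return pattern.sub(lambda _m: assignment, sysconfig, count=1)
    if sysconfig and not sysconfig.endswith("\n"):
        sysconfig += "\n"
    return sysconfig + assignment + "\n"


if __name__ == "__main__":
    # Constructed sample contents standing in for the real files.
    client_conf = "cron.*      /var/log/cron\n*.info      /var/log/messages\n"
    server_sysconfig = 'SYSLOGD_PARAMS=""\nKLOGD_PARAMS=""\n'
    print(add_remote_target(client_conf, "192.168.1.10"))
    print(set_sysconfig_param(server_sysconfig, "SYSLOGD_PARAMS", "-r"))
```

After the transformed text has been written back to the real /etc/syslog.conf on each client and /etc/sysconfig/syslog on the log host, syslogd still has to be restarted on both ends, as steps 5 and 6e say.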



LX0-104 Exam Objectives (O)
