Chapter 11 Syslog and Log Files
Computer Center, CS, NCTU

Log files

• Execution information of each service
  - sshd log files
  - httpd log files
  - ftpd log files
• Purpose
  - For tracking problems after the fact
  - Like insurance

Logging Policies

• Common schemes
  - Throw away all log files
  - Rotate log files at periodic intervals
  - Archive log files

Rotation script (keeps three compressed generations; "signal" and "pid" stand for the signal that makes the daemon reopen its log and the daemon's process id):

    #!/bin/sh
    # Rotate "logfile", keeping three compressed generations.
    cd /var/log || exit 1          # the shell builtin; /usr/bin/cd would not change this script's directory
    /bin/mv logfile.2.gz logfile.3.gz
    /bin/mv logfile.1.gz logfile.2.gz
    /bin/mv logfile logfile.1
    /usr/bin/touch logfile
    /bin/kill -signal pid          # tell the daemon to reopen its (new, empty) log file
    /usr/bin/gzip logfile.1

Archiving from crontab (daily at 03:00; "%" is escaped because cron turns an unescaped "%" into a newline):

    # m h dom mon dow command
    0 3 * * * /usr/bin/tar czvf /backup/logfile.`/bin/date +\%Y\%m\%d`.tar.gz /var/log

Finding Log Files

• Ways and locations
  - Common directories: /var/log, /var/adm
  - Read software configuration files
    Ex: /usr/local/etc/apache22/httpd.conf
        TransferLog /home/www/logs/access.log
  - See /etc/syslog.conf

Under /var/log in FreeBSD (1)

• You can see that under /var/log … lots of logs

    chbsd [/var/log] -chwong- ls
    Xorg.0.log        cron.1.bz2        maillog.2.bz2     pf.today          setuid.today
    Xorg.0.log.old    cron.2.bz2        maillog.3.bz2     ppp.log           setuid.yesterday
    auth.log          cron.3.bz2        maillog.4.bz2     security          slip.log
    auth.log.0.bz2    cvsup-all.log     maillog.5.bz2     sendmail.st.0     userlog
    auth.log.1.bz2    debug.log         maillog.6.bz2     sendmail.st.10    wtmp.0
    auth.log.2.bz2    dmesg.today       maillog.7.bz2     sendmail.st.2     wtmp.1
    auth.log.3.bz2    dmesg.yesterday   messages.0.bz2    sendmail.st.3     wtmp.2
    auth.log.4.bz2    installworld.log  messages.1.bz2    sendmail.st.4     wtmp.3
    auth.log.5.bz2    lastlog           messages.2.bz2    sendmail.st.5     xferlog
    auth.log.6.bz2    lpd-errs          messages.3.bz2    sendmail.st.6
    auth.log.7.bz2    maillog           messages.4.bz2    sendmail.st.7
    cron              maillog.0.bz2     mount.today       sendmail.st.8
    cron.0.bz2        maillog.1.bz2     mount.yesterday   sendmail.st.9

Under /var/log in FreeBSD (2)

• Logs – because of syslogd

    chbsd [/var/log] -chwong- cat /etc/syslog.conf
    *.err;kern.warning;auth.notice;mail.crit                        /dev/console
    *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
    security.*                                                      /var/log/security
    auth.info;authpriv.info                                         /var/log/auth.log
    mail.info                                                       /var/log/maillog
    lpr.info                                                        /var/log/lpd-errs
    ftp.info                                                        /var/log/xferlog
    cron.*                                                          /var/log/cron
    *.=debug                                                        /var/log/debug.log
    *.emerg                                                         *

Under /var/log in FreeBSD (3)

• Logs are rotated – because of the newsyslog facility
  - In crontab

    chbsd [/etc] -chwong- grep newsyslog /etc/crontab
    0       *       *       *       *       root    newsyslog

  - newsyslog.conf

    chbsd [/etc] -chwong- cat /etc/newsyslog.conf
    # logfilename          [owner:group]    mode count size when  flags [/pid_file] [sig_num]
    /var/log/all.log                        600  7     *    @T00  J
    /var/log/amd.log                        644  7     100  *     J
    /var/log/auth.log                       600  7     100  *     JC
    /var/log/console.log                    600  5     100  *     J
    /var/log/cron                           600  3     100  *     JC
    /var/log/daily.log                      640  7     *    @T00  JN
    /var/log/debug.log                      600  7     100  *     JC
    /var/log/maillog                        640  7     *    @T00  JC
    /var/log/messages                       644  5     100  *     JC
    /var/log/monthly.log                    640  12    *    $M1D0 JN
    /var/log/security                       600  10    100  *     JC
    /var/log/sendmail.st                    640  10    *    168   B
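As an added example (not from the slides), the following Python models the decision newsyslog makes on each hourly cron run for one entry of the table above: rotate when the file exceeds the "size" column in KB, or when the "when" column matches the current hour. Only the "size" and "when" forms that appear in the table are handled ("*", "@T00", "$M1D0" and an hour count such as 168); flag semantics and the renaming itself are outside its scope.

```python
# Added example (not from the slides): decide, as newsyslog(8) does on each hourly
# cron run, whether an /etc/newsyslog.conf entry is due for rotation. Only the
# 'size' and 'when' forms on the slide are modelled: size '*' or a KB limit;
# when '*', '@Thh' (daily at hour hh), '$MdDh' (day d of the month at hour h)
# or N (every N hours).
from datetime import datetime, timedelta
import re


def parse_entry(line):
    """One newsyslog.conf line -> dict; the [owner:group] column is optional."""
    f = line.split()
    if ":" in f[1]:
        del f[1]
    size = None if f[3] == "*" else int(f[3])      # None: size never triggers
    return dict(path=f[0], mode=f[1], count=int(f[2]), size_kb=size,
                when=f[4], flags=f[5] if len(f) > 5 else "")


def due(entry, size_kb, now, last_rotated):
    """True if the file should be rotated at this run. Times are ISO 8601
    strings such as '2007-08-28T20:00'; size_kb is the file's current size."""
    now, last = datetime.fromisoformat(now), datetime.fromisoformat(last_rotated)
    if entry["size_kb"] is not None and size_kb > entry["size_kb"]:
        return True                                 # size trigger
    when = entry["when"]
    if when == "*":                                 # time never triggers
        return False
    if when.isdigit():                              # interval in hours
        return now - last >= timedelta(hours=int(when))
    m = re.fullmatch(r"@T(\d\d)", when)             # every day at hh:00
    if m:
        return now.hour == int(m.group(1))
    m = re.fullmatch(r"\$M(\d+)D(\d+)", when)       # day d of the month, hour h
    if m:
        return (now.day, now.hour) == (int(m.group(1)), int(m.group(2)))
    raise ValueError(f"unsupported 'when' field: {when}")


if __name__ == "__main__":
    # Constructed input: the slide's /var/log/messages and /var/log/maillog rows.
    messages = parse_entry("/var/log/messages  644  5   100  *     JC")
    maillog = parse_entry("/var/log/maillog   640  7   *    @T00  JC")
    print(due(messages, 101, "2007-08-28T20:00", "2007-08-27T20:00"))  # True
    print(due(maillog, 101, "2007-08-28T20:00", "2007-08-27T00:00"))   # False
```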

Vendor Specifics

• FreeBSD
  - newsyslog utility
  - /etc/newsyslog.conf
• Red Hat
  - logrotate utility
  - /etc/logrotate.conf, /etc/logrotate.d directory

    linux1 [/etc/logrotate.d] -chwong- cat aptitude
    /var/log/aptitude {
        rotate 6
        monthly
        compress
        missingok
        notifempty
    }

Files Not to Manage

• You can manage most log files yourself, except…
  - /var/log/lastlog (/var/adm/lastlog): record of each user's last login
  - /var/run/utmp (/etc/utmp): record of each user that is currently logged in

Syslog

Syslog – The system event logger (1)

• Two main functions
  - To free programmers from the tedium of writing log files
  - To put administrators in control of logging
• Three parts
  - syslogd, /etc/syslog.conf: the logging daemon and its configuration file
  - openlog(), syslog(), closelog(): library routines for using syslogd
  - logger: a user command that uses syslogd from the shell

Syslog – The system event logger (2)

• /var/run/log

    chbsd [/var/run] -chwong- ls -l /var/run/log
    srw-rw-rw-  1 root  wheel  0 Nov  4 11:45 /var/run/log

Configuring syslogd (1)

• Basic format
  - selector <Tab> action
    Selector: program.level
      Program: the program that sends the log message
      Level: the message severity level
    Action: tells what to do with the message
  - Ex:

    mail.info        /var/log/maillog

Configuring syslogd (2)

• selector
  - Syntax: facility.level
    Facility and level are predefined (see next page)
  - Combined selectors
    facility.level
    facility1,facility2.level
    facility1.level;facility2.level
    *.level
  - The level is the minimum importance a message must have to be logged
  - A message matching any selector on a line is subject to that line's action

Configuring syslogd (3)

Configuring syslogd (4)

• Action
  - filename: write the message to a local file
  - @hostname: forward the message to the syslogd on hostname
  - @ipaddress: forward the message to the host at that IP address
  - user1,user2: write the message to those users' screens if they are logged in
  - *: write the message to all logged-in users

Configuring syslogd (5)

• Ex: selectors used on the slide

    *.emerg
    *.err;kern,mark.debug;auth.notice;user.none
    *.info;kern,user,mark,auth.none
    *.alert;kern.crit;local0,local1,local2.info
    lpr.err

  and the actions they are paired with

    /dev/console
    /var/adm/console.log
    @loghost
    root

Configuring syslogd (6)

• Output of syslogd (entries from host chbsd, Aug 28 to Sep 3; timestamps omitted)

    chbsd newsyslog[37324]: logfile turned over due to size>100K
    chbsd sshd[37338]: error: PAM: authentication error for root from 204.16.125.3
    chbsd sshd[37376]: error: PAM: authentication error for root from 204.16.125.3
    chbsd sudo: chwong : TTY=ttyp4 ; PWD=/usr/home/chwong ; USER=root ; COMMAND=
    chbsd kernel: arp: 140.113.215.86 moved from 00:d0:b7:b2:5d:89 to 00:04:e2:10:
    chbsd kernel: arp: 140.113.215.86 moved from 00:04:e2:10:11:9c to 00:d0:b7:b2:
    chbsd kernel: arplookup 0.0.0.0 failed: host is not on local network
    chbsd sudo: chwong : TTY=ttyp4 ; PWD=/usr/ports ; USER=root ; COMMAND=/usr/b
    chbsd sudo: chwong : TTY=ttyp4 ; PWD=/usr/ports ; USER=root ; COMMAND=/usr/l
    chbsd kernel: arp: 140.113.215.86 moved from 00:d0:b7:b2:5d:89 to 00:04:e2:10:
    chbsd kernel: arp: 140.113.215.86 moved from 00:04:e2:10:11:9c to 00:d0:b7:b2:
    chbsd sudo: chwong : TTY=ttyp4 ; PWD=/usr/ports ; USER=root ; COMMAND=/usr/l

Software that uses syslog

FreeBSD Enhancement (1)

• Facility name
  - FreeBSD allows you to select messages based on the name of the program

    !named
    *.*              /var/log/named.log

• Severity level
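As an added example (not from the slides), the following Python models how FreeBSD syslogd evaluates /etc/syslog.conf for one message: the combined selector forms from "Configuring syslogd (2)", the "none" and "=level" cases from the /etc/syslog.conf shown earlier, and the "!program" block from this slide. The sample configuration is a constructed, abridged copy of that syslog.conf.

```python
# Added example (not from the slides): how FreeBSD syslogd chooses the actions for
# one message from /etc/syslog.conf, covering every selector form the slides show.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def level_num(name):
    return LEVELS.index(name)                   # 0 = most important

def parse_conf(text):
    # -> list of (program or None, [(facility, (kind, level)), ...], action)
    rules, program = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("!"):                # FreeBSD program block; '!*' ends it
            program = None if line[1:] == "*" else line[1:]
        elif line:
            selector, action = line.split(None, 1)   # whitespace before the action
            mask = []                           # selectors in order; last one wins
            for part in selector.split(";"):
                facs, lvl = part.rsplit(".", 1)
                if lvl == "none":               # exclude the facility on this line
                    rule = ("none", -1)
                else:                           # '=lvl' exact, otherwise a minimum
                    kind = "eq" if lvl.startswith("=") else "min"
                    rule = (kind, 7 if lvl == "*" else level_num(lvl.lstrip("=")))
                mask += [(fac, rule) for fac in facs.split(",")]
            rules.append((program, mask, action))
    return rules

def route(rules, facility, level, program=None):
    # Actions reached by a facility.level message sent by `program`.
    lvl, actions = level_num(level), []
    for prog, mask, action in rules:
        if prog is not None and prog != program:
            continue
        hits = [r for fac, r in mask if fac in (facility, "*")]
        kind, n = hits[-1] if hits else ("none", -1)
        if (kind == "min" and lvl <= n) or (kind == "eq" and lvl == n):
            actions.append(action)
    return actions

# Constructed: the slide's syslog.conf (abridged) plus its '!named' program block.
SAMPLE_CONF = """*.err;kern.warning;auth.notice;mail.crit                       /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err  /var/log/messages
auth.info;authpriv.info                                        /var/log/auth.log
mail.info                                                      /var/log/maillog
*.=debug                                                       /var/log/debug.log
*.emerg                                                        *
!named
*.*                                                            /var/log/named.log
"""
RULES = parse_conf(SAMPLE_CONF)
```

route(RULES, "authpriv", "notice") returns only /var/log/auth.log, because authpriv.none on the messages line overrides the *.notice before it; a daemon.info message reaches /var/log/named.log only when program="named".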

FreeBSD Enhancement (2)

• Restricting log messages from remote hosts
  - syslogd -a *.csie.nctu.edu.tw -a 140.113.209.0/24
  - rc.conf

    syslogd_enable="YES"
    syslogd_flags="-a 140.113.209.0/24:* -a 140.113.17.0/24:*"