Chapter 11 Syslog and Log Files
Computer Center, CS, NCTU
Log files
- Execution information of each service
  - sshd log files
  - httpd log files
  - ftpd log files
- Purpose
  - For tracking what happened after the fact
  - Like insurance: you pay to keep them and hope you never need them
Logging Policies
- Common schemes
  - Throw away all log files
  - Rotate log files at periodic intervals
  - Archive log files
- Rotation by hand (the slide's script; cd is a shell builtin, so it is not called through a path, and the daemon must be told to reopen its log before the old file is compressed, otherwise lines written in between are lost):

    #!/bin/sh
    cd /var/log || exit 1
    /bin/mv logfile.2.gz logfile.3.gz
    /bin/mv logfile.1.gz logfile.2.gz
    /bin/mv logfile logfile.1
    /usr/bin/touch logfile
    /bin/kill -signal pid        # e.g. -HUP and the PID of the daemon that writes logfile
    /usr/bin/gzip logfile.1

- Archiving from cron, every day at 03:00:

    0 3 * * * /usr/bin/tar czvf /backup/logfile.`/bin/date +%Y%m%d`.tar.gz /var/log
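The rotation scheme above, generalised to any number of generations, as an added example (not code from the slides or from newsyslog). It keeps the slide's ordering: shift the old copies, move the live file aside, create a fresh one, signal the writer, and only then compress. The pidfile argument and the demo() helper are assumptions for illustration; demo() works in a temporary directory it creates and removes.

```python
import gzip
import os
import shutil
import signal
import tempfile


def generations(path, keep, suffix):
    """The rotation set for `path`, live file first: path, path.1<suffix>, ..."""
    names = [path] + ["%s.%d%s" % (path, n, suffix) for n in range(1, keep + 1)]
    return [p for p in names if os.path.exists(p)]


def rotate_log(path, keep=3, compress=True, pidfile=None, sig=signal.SIGHUP):
    """The slide's rotation script for any number of generations.

    path.<keep> is dropped, path.N becomes path.N+1, the live file becomes
    path.1 and a fresh empty file with the same mode takes its place. If a
    pidfile is given (assumed layout: one decimal PID), the daemon named in
    it is signalled *before* path.1 is compressed, as on the slide: until it
    reopens its log it keeps writing to the old inode, and compressing a file
    that is still being written would lose those lines.
    Returns the generations that exist afterwards."""
    suffix = ".gz" if compress else ""
    oldest = "%s.%d%s" % (path, keep, suffix)
    if os.path.exists(oldest):
        os.remove(oldest)
    for n in range(keep - 1, 0, -1):          # highest first so nothing is clobbered
        src = "%s.%d%s" % (path, n, suffix)
        if os.path.exists(src):
            os.replace(src, "%s.%d%s" % (path, n + 1, suffix))
    if os.path.exists(path):
        mode = os.stat(path).st_mode & 0o777
        os.replace(path, path + ".1")
        # O_EXCL: fail rather than follow a symlink someone planted in the log dir
        os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode))
        if pidfile is not None:
            with open(pidfile) as f:
                os.kill(int(f.read().strip()), sig)
        if compress:
            with open(path + ".1", "rb") as src, gzip.open(path + ".1.gz", "wb") as dst:
                shutil.copyfileobj(src, dst)
            os.remove(path + ".1")
    return generations(path, keep, suffix)


def demo(keep=3):
    """Constructed run: write to and rotate a throw-away log four times.
    Returns (surviving file names, contents of the oldest kept generation)."""
    tmp = tempfile.mkdtemp()
    try:
        path = os.path.join(tmp, "logfile")
        for i in range(1, 5):
            with open(path, "a") as f:
                f.write("generation %d\n" % i)
            rotate_log(path, keep=keep)
        names = [os.path.basename(p) for p in generations(path, keep, ".gz")]
        with gzip.open("%s.%d.gz" % (path, keep), "rt") as f:
            oldest = f.read()
        return names, oldest
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(demo())
```

With keep=3 and four rotations, generation 1 has fallen off the end and logfile.3.gz holds generation 2; the live logfile is empty again, exactly the state the slide's touch leaves behind.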
Finding Log Files
- Ways and locations
  - Common directories: /var/log, /var/adm
  - Read software configuration files
    - Ex: /usr/local/etc/apache22/httpd.conf
      TransferLog /home/www/logs/access.log
  - See /etc/syslog.conf
Under /var/log in FreeBSD (1)
- You can see that under /var/log ... there are lots of logs

    chbsd [/var/log] -chwong- ls
    Xorg.0.log          cvsup-all.log       messages.0.bz2      sendmail.st.6
    Xorg.0.log.old      debug.log           messages.1.bz2      sendmail.st.7
    auth.log            dmesg.today         messages.2.bz2      sendmail.st.8
    auth.log.0.bz2      dmesg.yesterday     messages.3.bz2      sendmail.st.9
    auth.log.1.bz2      installworld.log    messages.4.bz2      setuid.today
    auth.log.2.bz2      lastlog             mount.today         setuid.yesterday
    auth.log.3.bz2      lpd-errs            mount.yesterday     slip.log
    auth.log.4.bz2      maillog             pf.today            userlog
    auth.log.5.bz2      maillog.0.bz2       ppp.log             wtmp.0
    auth.log.6.bz2      maillog.1.bz2       security            wtmp.1
    auth.log.7.bz2      maillog.2.bz2       sendmail.st.0       wtmp.2
    cron                maillog.3.bz2       sendmail.st.10      wtmp.3
    cron.0.bz2          maillog.4.bz2       sendmail.st.2       xferlog
    cron.1.bz2          maillog.5.bz2       sendmail.st.3
    cron.2.bz2          maillog.6.bz2       sendmail.st.4
    cron.3.bz2          maillog.7.bz2       sendmail.st.5
Under /var/log in FreeBSD (2)
- Most of these logs exist because of syslogd; its configuration decides which file each facility.level goes to

    chbsd [/var/log] -chwong- cat /etc/syslog.conf
    *.err;kern.warning;auth.notice;mail.crit                        /dev/console
    *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
    security.*                                                      /var/log/security
    auth.info;authpriv.info                                         /var/log/auth.log
    mail.info                                                       /var/log/maillog
    lpr.info                                                        /var/log/lpd-errs
    ftp.info                                                        /var/log/xferlog
    cron.*                                                          /var/log/cron
    *.=debug                                                        /var/log/debug.log
    *.emerg                                                         *
Under /var/log in FreeBSD (3)
- Logs are rotated by the newsyslog facility
  - Run every hour from crontab:

    chbsd [/etc] -chwong- grep newsyslog /etc/crontab
    0       *       *       *       *       root    newsyslog

  - /etc/newsyslog.conf: size is in kilobytes, "when" is an interval in hours or an @/$ timestamp (@T00 = daily at midnight, $M1D0 = first day of the month at 00:00, 168 = weekly), flags J = compress with bzip2, C = create the file if it is missing, N = do not signal any process, B = binary file (no "logfile turned over" message is written into it)

    chbsd [/etc] -chwong- cat /etc/newsyslog.conf
    # logfilename          [owner:group]    mode count size when  flags [/pid_file] [sig_num]
    /var/log/all.log                        600  7     *    @T00  J
    /var/log/amd.log                        644  7     100  *     J
    /var/log/auth.log                       600  7     100  *     JC
    /var/log/console.log                    600  5     100  *     J
    /var/log/cron                           600  3     100  *     JC
    /var/log/daily.log                      640  7     *    @T00  JN
    /var/log/debug.log                      600  7     100  *     JC
    /var/log/maillog                        640  7     *    @T00  JC
    /var/log/messages                       644  5     100  *     JC
    /var/log/monthly.log                    640  12    *    $M1D0 JN
    /var/log/security                       600  10    100  *     JC
    /var/log/sendmail.st                    640  10    *    168   B
Vendor Specifics
- FreeBSD
  - newsyslog utility
  - /etc/newsyslog.conf
- Red Hat (and most other Linux distributions)
  - logrotate utility
  - /etc/logrotate.conf, /etc/logrotate.d directory

    linux1 [/etc/logrotate.d] -chwong- cat aptitude
    /var/log/aptitude {
        rotate 6
        monthly
        compress
        missingok
        notifempty
    }
Files Not to Manage
- You can manage most log files yourself, except...
  - /var/log/lastlog (/var/adm/lastlog)
    - Record of each user's last login
  - /var/run/utmp (/etc/utmp)
    - Record of each user that is currently logged in
  - Both are binary databases, indexed by UID or terminal slot and rewritten in place by login and its relatives; rotating, truncating or compressing them breaks who, finger, the "last login" banner and anything else that reads them. Leave them to the system.
Syslog
Syslog - The system event logger (1)
- Two main functions
  - To release programmers from the tedium of writing log files
  - To put administrators in control of logging
- Three parts:
  - syslogd, /etc/syslog.conf
    - The logging daemon and its configuration file
  - openlog(), syslog(), closelog()
    - Library routines for sending messages to syslogd
  - logger
    - A user command for sending messages to syslogd from the shell
Syslog - The system event logger (2)
- Local programs reach syslogd through the UNIX domain socket /var/run/log (/dev/log on Linux)

    chbsd [/var/run] -chwong- ls -l /var/run/log
    srw-rw-rw-  1 root  wheel  0 Nov  4 11:45 /var/run/log

- The leading "s" marks a socket and the mode is world-writable, so any local process can log through it; classic syslogd takes the program name and PID in the message at face value, so local log entries prove only that something on the host wrote them
Configuring syslogd (1)
- Basic format
  - selector <Tab> action
    - Selector: facility.level
      - Facility: the kind of program that sent the message (kern, mail, auth, ...)
      - Level: the message severity level
    - Action: tells what to do with the message
  - Ex:
    - mail.info    /var/log/maillog
Configuring syslogd (2)
- selector
  - Syntax: facility.level
    - Facility and level are predefined (see next page)
  - Combined selectors
    - facility.level
    - facility1,facility2.level
    - facility1.level;facility2.level
    - *.level
  - Level indicates the minimum importance a message must have to be logged: the named level and everything more severe
  - A message matching any selector on a line is subject to the line's action; when several selectors on one line name the same facility, the last one wins, which is how "*.info;kern.none" sends everything except kernel messages
Configuring syslogd (3)
(The table on this slide was an image; the predefined names, from syslog(3), are:)
- Facilities: kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, authpriv, ftp, local0 through local7; FreeBSD adds ntp, security and console, and syslogd itself uses mark for its periodic timestamp lines
- Levels, most to least severe: emerg, alert, crit, err, warning, notice, info, debug
Configuring syslogd (4)
- Action
  - filename
    - Write the message to a local file (absolute path)
  - @hostname
    - Forward the message to the syslogd on hostname
  - @ipaddress
    - Forward the message to the host at that IP address
  - user1,user2
    - Write the message to the users' screens if they are logged in
  - *
    - Write the message to all users logged in
- Forwarding uses UDP port 514 with no authentication, encryption or delivery guarantee, so a loghost should be reached only over a trusted network and should restrict which senders it accepts (see the -a flag on the FreeBSD Enhancement slide)
Configuring syslogd (5)
- Ex: emergencies go to everyone, kernel, auth and general errors to the console and a local file, most informational traffic to a central loghost, printer errors to root

    *.emerg                                         *
    *.err;kern,mark.debug;auth.notice;user.none     /dev/console
    *.err;kern,mark.debug;auth.notice;user.none     /var/adm/console.log
    *.info;kern,user,mark,auth.none                 @loghost
    *.alert;kern.crit;local0,local1,local2.info     @loghost
    lpr.err                                         root
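The selector rules from the last few slides, as an added example that is not code from the slides or from any syslogd: a small evaluator that parses syslog.conf text and reports where a message of a given facility.level would be delivered. It implements the BSD rules (a bare level means that level and more severe, "=" means exactly that level, "none" excludes a facility, later selectors on a line override earlier ones, and every matching line fires) and, going beyond this slide, the FreeBSD "!program" blocks shown later in the deck. SAMPLE_CONF is constructed from the slides' examples; priority() computes the <PRI> code used when a message is forwarded.

```python
# Severities, most to least severe (index = numeric code), and the BSD facilities
# in numeric order. Index 15 is reserved in syslog.h; "mark" is syslogd's
# internal facility, parked there so local0 lands on code 16.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
               "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "mark"]
              + ["local%d" % i for i in range(8)])
ALIASES = {"error": "err", "warn": "warning", "panic": "emerg"}


def parse_selector(selector):
    """'kern,mark.debug' -> {facility: (kind, level_index)}.
    kind is 'min' (that level or more severe), 'eq' ('=level') or 'none'."""
    facs, dot, lvl = selector.rpartition(".")
    if not dot:
        raise ValueError("bad selector %r" % selector)
    if lvl == "none":
        rule = ("none", None)
    elif lvl == "*":
        rule = ("min", LEVELS.index("debug"))
    elif lvl.startswith("="):
        rule = ("eq", LEVELS.index(ALIASES.get(lvl[1:], lvl[1:])))
    else:
        rule = ("min", LEVELS.index(ALIASES.get(lvl, lvl)))
    # '*' covers every real facility; syslogd never includes mark in '*'.
    names = [f for f in FACILITIES if f != "mark"] if facs == "*" else facs.split(",")
    return {f: rule for f in names}


def parse_config(text):
    """syslog.conf text -> list of (program, rules, action).

    Within one line selectors apply left to right, so a later selector
    overrides an earlier one for the same facility ('*.info;kern.none').
    FreeBSD's '!prog' line restricts the lines that follow to messages
    tagged prog; '!*' lifts the restriction (syslog.conf(5))."""
    entries, program = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("!"):
            name = line[1:].strip()
            program = None if name == "*" else name
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            raise ValueError("missing action in %r" % raw)
        rules = {}
        for part in fields[0].split(";"):
            rules.update(parse_selector(part))
        entries.append((program, rules, fields[1].strip()))
    return entries


def actions_for(entries, facility, level, program=None):
    """Actions, in config order, that a facility.level message tagged with
    `program` is delivered to. Every matching line fires, not just the first."""
    lvl = LEVELS.index(level)
    hits = []
    for prog, rules, action in entries:
        if prog is not None and prog != program:
            continue
        kind, threshold = rules.get(facility, ("none", None))
        if (kind == "min" and lvl <= threshold) or (kind == "eq" and lvl == threshold):
            hits.append(action)
    return hits


def priority(facility, level):
    """The <PRI> value at the front of a forwarded message: facility * 8 + severity."""
    if facility == "mark":
        raise ValueError("mark is internal to syslogd and never sent")
    return FACILITIES.index(facility) * 8 + LEVELS.index(level)


# Constructed from the slides' examples: the loghost-client file on this slide
# plus the FreeBSD program-name block for named from the enhancement slide.
SAMPLE_CONF = """
*.emerg                                         *
*.err;kern,mark.debug;auth.notice;user.none     /dev/console
*.err;kern,mark.debug;auth.notice;user.none     /var/adm/console.log
*.info;kern,user,mark,auth.none                 @loghost
*.alert;kern.crit;local0,local1,local2.info     @loghost
lpr.err                                         root
!named
*.*                                             /var/log/named.log
!*
"""

ENTRIES = parse_config(SAMPLE_CONF)

if __name__ == "__main__":
    for fac, lvl, prog in [("mail", "info", None), ("kern", "debug", None),
                           ("lpr", "err", None), ("daemon", "info", "named")]:
        print("%s.%s from %s: pri=%d -> %s" % (fac, lvl, prog or "any program",
              priority(fac, lvl), actions_for(ENTRIES, fac, lvl, prog)))
```

Two things the evaluator makes visible that are easy to miss when reading the file: an lpr.err message is written four times (console, console.log, loghost and root's terminal), and user.err is dropped entirely because user.none on the console lines and the loghost line overrides the *.err and *.info catch-alls.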
Configuring syslogd (6)
- Output of syslogd (every line starts with a timestamp such as "Aug 28 20:01:45" and the host name chbsd, omitted here; long lines are cut off as on the slide)

    newsyslog[37324]: logfile turned over due to size>100K
    sshd[37338]: error: PAM: authentication error for root from 204.16.125.3
    sshd[37376]: error: PAM: authentication error for root from 204.16.125.3
    sudo: chwong : TTY=ttyp4 ; PWD=/usr/home/chwong ; USER=root ; COMMAND=
    kernel: arp: 140.113.215.86 moved from 00:d0:b7:b2:5d:89 to 00:04:e2:10:
    kernel: arp: 140.113.215.86 moved from 00:04:e2:10:11:9c to 00:d0:b7:b2:
    kernel: arplookup 0.0 failed: host is not on local network
    sudo: chwong : TTY=ttyp4 ; PWD=/usr/ports ; USER=root ; COMMAND=/usr/b
    sudo: chwong : TTY=ttyp4 ; PWD=/usr/ports ; USER=root ; COMMAND=/usr/l
    kernel: arp: 140.113.215.86 moved from 00:d0:b7:b2:5d:89 to 00:04:e2:10:
    kernel: arp: 140.113.215.86 moved from 00:04:e2:10:11:9c to 00:d0:b7:b2:
    sudo: chwong : TTY=ttyp4 ; PWD=/usr/ports ; USER=root ; COMMAND=/usr/l

- Note the repeated root login failures from a single address and one IP flipping between two MAC addresses: these are the patterns the logs exist to catch
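Reading the output above by eye works for a dozen lines; the point of keeping logs is to do it for millions. The following is an added example (not code from the slides) of detection logic over lines in this format: it parses the classic "Mmm dd hh:mm:ss host tag[pid]: message" layout, counts PAM failures for root per source address, lists sudo commands run as root, and flags an IP seen with more than one MAC, which is either a duplicate host or ARP spoofing. SAMPLE_LOG is constructed for the example: host name, PIDs, addresses and message texts follow the slide, while the timestamps and the parts the slide cuts off (the sudo commands, the interface name) are made up here.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the slide's syslogd output (see lead-in).
SAMPLE_LOG = """\
Aug 28 20:00:00 chbsd newsyslog[37324]: logfile turned over due to size>100K
Aug 28 20:01:45 chbsd sshd[37338]: error: PAM: authentication error for root from 204.16.125.3
Aug 28 20:01:47 chbsd sshd[37376]: error: PAM: authentication error for root from 204.16.125.3
Aug 28 20:07:15 chbsd sudo: chwong : TTY=ttyp4 ; PWD=/usr/home/chwong ; USER=root ; COMMAND=/usr/bin/su
Aug 30 09:47:49 chbsd kernel: arp: 140.113.215.86 moved from 00:d0:b7:b2:5d:89 to 00:04:e2:10:11:9c on fxp0
Aug 30 09:47:52 chbsd kernel: arp: 140.113.215.86 moved from 00:04:e2:10:11:9c to 00:d0:b7:b2:5d:89 on fxp0
Aug 30 22:02:00 chbsd kernel: arplookup 0.0.0.0 failed: host is not on local network
Sep  1 13:16:29 chbsd sudo: chwong : TTY=ttyp4 ; PWD=/usr/ports ; USER=root ; COMMAND=/usr/bin/make install
Sep  3 13:27:09 chbsd kernel: arp: 140.113.215.86 moved from 00:d0:b7:b2:5d:89 to 00:04:e2:10:11:9c on fxp0
Sep  3 13:27:14 chbsd kernel: arp: 140.113.215.86 moved from 00:04:e2:10:11:9c to 00:d0:b7:b2:5d:89 on fxp0
Sep  3 15:27:25 chbsd sudo: chwong : TTY=ttyp4 ; PWD=/usr/ports ; USER=root ; COMMAND=/usr/local/sbin/portupgrade -a
"""

# Classic BSD syslog line: "Mmm dd hh:mm:ss host tag[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
PAM_RE = re.compile(r"PAM: authentication error for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
ARP_RE = re.compile(r"^arp: (?P<ip>\d+\.\d+\.\d+\.\d+) moved from (?P<old>\S+) to (?P<new>\S+)")


def parse(text):
    """Yield one dict per well-formed line. Unparsable lines are skipped:
    real logs contain garbage and a detector must not die on it."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def failed_logins(records, user="root"):
    """PAM authentication failures for `user`, counted by source address."""
    hits = Counter()
    for r in records:
        if r["tag"] == "sshd":
            m = PAM_RE.search(r["msg"])
            if m and m.group("user") == user:
                hits[m.group("src")] += 1
    return hits


def sudo_commands(records):
    """(timestamp, invoking user, target user, command) for each sudo record."""
    out = []
    for r in records:
        if r["tag"] == "sudo":
            m = SUDO_RE.match(r["msg"])
            if m:
                out.append((r["ts"], m.group("user"), m.group("target"), m.group("cmd")))
    return out


def arp_flaps(records):
    """IP -> sorted MAC addresses it has been seen with, for IPs with more than one."""
    seen = defaultdict(set)
    for r in records:
        if r["tag"] == "kernel":
            m = ARP_RE.match(r["msg"])
            if m:
                seen[m.group("ip")].update([m.group("old"), m.group("new")])
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def review(text, max_failures=1):
    """One pass over the text; returns what an on-call engineer wants flagged."""
    records = list(parse(text))
    failures = failed_logins(records)
    return {
        "records": len(records),
        "brute_force_sources": sorted(src for src, n in failures.items() if n > max_failures),
        "root_login_failures": dict(failures),
        "arp_flaps": arp_flaps(records),
        "sudo_as_root": [(ts, user, cmd) for ts, user, target, cmd in sudo_commands(records)
                         if target == "root"],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(review(SAMPLE_LOG), indent=2))
```

The threshold is deliberately a parameter: two failures in two seconds from one address is worth a look on a box that only chwong should reach, but the same count is noise on a busy bastion host. Because matching keys on the syslog tag (sshd, sudo, kernel) rather than on free text, a line from a different program that happens to contain the words "authentication error" is not counted.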
Computer Center, CS, NCTU 19 Software that use syslog
FreeBSD Enhancement (1)
- Program name
  - FreeBSD allows you to select messages based on the name of the program that sent them: a line beginning with "!" starts a block that applies only to that program, and "!*" ends it (without the "!*", every line below would also be restricted to named)

    !named
    *.*                /var/log/named.log
    !*

- Severity level
  - Comparison flags on the level: "=" matches exactly that level (as in *.=debug in the default /etc/syslog.conf) and "!" negates the comparison; see syslog.conf(5)
FreeBSD Enhancement (2)
- Restricting log messages from remote hosts
  - syslogd -a *.csie.nctu.edu.tw -a 140.113.209.0/24
  - rc.conf

    syslogd_enable="YES"
    syslogd_flags="-a 140.113.209.0/24:* -a 140.113.17.0/24:*"

  - By default FreeBSD starts syslogd with -s (secure mode), which refuses all remote messages; -a opens the UDP listener to the given hosts or networks, and the ":*" suffix accepts messages from any source port instead of only 514
  - -a filters on the packet's source address only; UDP source addresses are trivially spoofed, so this cuts noise and flooding from the rest of the network but is not authentication of the sender