The /var/log directory contains a number of different log files. Many of these logs are generated by syslogd, which accepts log messages from programs and routes them to log files, the screen, and remote log monitors. The file /etc/syslog.conf configures message routing. This is the file as shipped in Fedora 7:
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                    /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                 /var/log/secure
# Log all the mail messages in one place.
mail.*                                     -/var/log/maillog
# Log cron stuff
cron.*                                     /var/log/cron
# Everybody gets emergency messages
*.emerg                                    *
# Save news errors of level crit and higher in a special file.
uucp,news.crit                             /var/log/spooler
# Save boot messages also to boot.log
local7.*                                   /var/log/boot.log
This file consists of comment lines, which start with #, and routing lines, which consist of a message specification and a destination. The message specification consists of one or more selectors, which specify a pattern of facilities and levels separated by a period.
The facility indicates the origin of the log entry. Possible values are authpriv, cron, daemon, ftp, kern, local0 through local7, lpr, mail, news, syslog, user, and uucp. The level is a priority value and may be (in order of increasing severity) debug, info, notice, warning, err, crit, alert, or emerg.
In selectors, a level written by itself selects messages of that level or higher, a level preceded by an equal sign selects messages of only that level, a prepended exclamation mark means "not", and an asterisk matches anything. The dummy level none is equivalent to !* and is used to prevent all matches with a particular facility. A semicolon is used to AND multiple selectors, and a comma is used to OR facilities or levels within a selector.
Interpreting the default syslog.conf file, we see that all messages of info level and higher except those from the mail, authpriv (authentication), and cron systems are placed into /var/log/messages. Messages from authpriv are placed in /var/log/secure (because they may reveal sensitive information and require more restrictive read permissions on the log file), messages from mail are placed in /var/log/maillog (the leading - indicates that the file's buffers are not flushed after each write), and messages from cron are placed in /var/log/cron. Emergency (and higher) messages are written to all open terminals (*), critical messages from uucp and news are additionally placed in /var/log/spooler, and boot messages (local7) are placed in /var/log/boot.log.
It's often useful to log your own sysadmin activity in /var/log/messages. Since these entries are interleaved with messages from system processes, it's easy to determine the sequence of events. You can create log entries from the command line or in a script by using the logger program; it is perhaps most convenient to define an alias to do this:
$ alias note="logger -p local4.notice"
$ note Edited httpd.conf to create a virtual host for fedorabook.com
You can execute the note alias followed by some text any time you want to create an entry in the log file.
It can be useful to collect messages from a group of machines (or virtual machines) into one log file. This centralizes your logs for easy examination, and it makes it harder for an intruder to hide their tracks by altering the log file (since they need to compromise the log server in addition to the primary attack target). To configure the log server to accept messages from remote machines, add -r to the SYSLOGD_OPTIONS line in /etc/sysconfig/syslog, open up UDP port 514 on the server's firewall, and restart syslog with the command service syslog restart.
To configure a client system to send messages to a log server, add a line to /etc/syslog.conf with a destination of @logserver, where logserver is the hostname of the system accepting log messages (make sure the hostname is resolvable by placing it in /etc/hosts). Here is an example, which logs all messages of priority notice and higher to the host logmaster:
*.notice @logmaster
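To make the selector rules above concrete, here is an added example (not code from the book or from syslogd itself) that evaluates selectors the way the text describes and reports where a given facility.level message ends up, including a forwarding destination such as @logmaster. The sample configuration is constructed from the routing lines shown earlier; the "logmaster" hostname is the one assumed in the text.

```python
# Added example (not the book's code): evaluates the syslog.conf selector syntax above.
FACILITIES = ["authpriv", "cron", "daemon", "ftp", "kern", "lpr", "mail", "news",
              "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]  # increasing severity

def selector_table(spec):
    """Map each facility to the set of levels matched by 'sel;sel;...'. Selectors are
    applied left to right, so a later 'mail.none' cancels an earlier '*.info' for mail."""
    table = {f: set() for f in FACILITIES}
    for sel in spec.split(";"):
        facs, level = sel.rsplit(".", 1)
        facs = FACILITIES if facs == "*" else facs.split(",")
        negate, level = level.startswith("!"), level.lstrip("!")   # '!' means "not"
        exact, level = level.startswith("="), level.lstrip("=")    # '=' means "only this level"
        if level in ("none", "*"):              # 'none' is equivalent to '!*'
            chosen = set(LEVELS)
            negate = negate or level == "none"
        elif exact:
            chosen = {level}
        else:                                   # bare level: that level or higher
            chosen = set(LEVELS[LEVELS.index(level):])
        for f in facs:
            table[f] = table[f] - chosen if negate else table[f] | chosen
    return table

def parse_conf(text):
    """Return [(table, destination)] for each routing line; comments and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            spec, dest = line.split(None, 1)
            rules.append((selector_table(spec), dest.strip()))
    return rules

def destinations(rules, facility, level):
    """Every destination (file, '*' for all terminals, '@host') that receives facility.level."""
    return [dest for table, dest in rules if level in table[facility]]

# Constructed sample: routing lines from the Fedora 7 file above plus one forwarding line.
SAMPLE_CONF = """
*.info;mail.none;authpriv.none;cron.none  /var/log/messages
authpriv.*                                /var/log/secure
mail.*                                    -/var/log/maillog
*.emerg                                   *
uucp,news.crit                            /var/log/spooler
*.notice                                  @logmaster
"""
RULES = parse_conf(SAMPLE_CONF)
```

For instance, destinations(RULES, "authpriv", "info") yields only /var/log/secure, while a mail.emerg message reaches the mail log, every terminal, and the log server.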
Many LAN devices such as routers and networked printers can also be configured to send messages to a log server.
Warning: It is possible to cause a denial-of-service condition (intentionally or accidentally) by flooding a log server with so many messages that the filesystem storing the logs overflows. It is a good idea to use a separate filesystem for /var/log/messages on a log server so that excessive log entries do not interfere with the normal operation of that system.
An enhanced version of syslog named syslog-ng is available in the Fedora repositories. Fedora 8 will introduce rsyslog, which supports encrypted and authenticated log message forwarding, message rewriting, filtering based on message content, and the use of MySQL as a message store (enabling advanced reporting using SQL queries).