Sunday, 7 April 2013

The intent of this document is to explain the use of syslog for operating systems and applications. System log (syslog) management is an important need in almost all enterprises. System administrators rely on syslogs as a critical source for troubleshooting performance problems on syslog-capable systems and devices across the network. The need for a complete syslog monitoring solution is often underestimated; efficient syslog analysis reduces system downtime, increases network performance, and helps tighten security policies in the enterprise.

syslogd Daemon 
  • The system daemon that receives and routes system log events coming from syslog() calls and logger commands
  • syslog uses the User Datagram Protocol (UDP); the UDP port assigned to syslog is 514.
/etc/syslog.conf 
  •  The configuration file that controls the logging and routing of system log events
  •  A configuration entry in the file consists of two fields separated by a tab: the selector (facility.level) and the action

FACILITY    Specifies which kinds of messages to log.
LEVEL       Specifies the severity or importance of the message.
ACTION      Specifies the destination of the logs.

Here are brief details of each FACILITY (11 codes):

Facility    Description
kern        Messages generated by the kernel.
user        Messages generated by user processes.
mail        The mail system.
daemon      System daemons, such as the in.ftpd and telnetd daemons.
auth        The authorization system, including the login and su commands.
syslog      Messages generated internally by the syslogd daemon.
lpr         The line printer spooling system, such as the lpr and lpc commands.
news        Files reserved for the USENET network news system.
uucp        (obsolete) The UNIX-to-UNIX copy (UUCP) system; it does not use the syslog function.
cron        The cron and at facilities, including crontab, at, and cron.
local0-7    Eight user-defined codes.

Here are brief details of each LEVEL (9 levels):

Level  Name      Description
0      emerg     Panic conditions that are normally broadcast to all users.
1      alert     Conditions that should be corrected immediately, such as a corrupted system database. Only the sysadmin of the particular server needs to be informed by mail or paged.
2      crit      Warnings about critical conditions, such as hard device errors.
3      err       Errors other than hard device errors.
4      warning   Warning messages that generally do not interfere with normal operation.
5      notice    Non-error conditions that might require special handling.
6      info      Purely informational messages (usually requiring no handling).
7      debug     Messages that are normally used only when debugging a program.
8      none      No messages are sent from the indicated facility to the selected file.
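
As an added example (not part of the original article), the following Python turns the facility and level tables above into the PRI number that a syslog message carries on the wire (PRI = facility × 8 + level, the standard BSD/RFC 3164 numbering, which assigns codes 0 to 9 and 16 to 23 to the facilities listed above) and decodes it back, as a receiver listening on UDP port 514 would. The level "none" is a syslog.conf keyword only and has no wire value, so it is left out; the sample datagram is constructed.

```python
# Added example (not from the original article): encode and decode the
# syslog PRI value that carries a message's facility and level.
# Facility and level numbers are the standard BSD/RFC 3164 codes; "none"
# is a syslog.conf-only keyword with no wire value, so it is omitted.

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
}
FACILITIES.update({f"local{i}": 16 + i for i in range(8)})

LEVELS = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}

FACILITY_NAMES = {code: name for name, code in FACILITIES.items()}
LEVEL_NAMES = {code: name for name, code in LEVELS.items()}


def encode_pri(facility, level):
    """PRI = facility * 8 + level, e.g. auth.alert -> 4 * 8 + 1 = 33."""
    return FACILITIES[facility] * 8 + LEVELS[level]


def decode_pri(pri):
    """Split a PRI value back into (facility, level) names."""
    if not 0 <= pri <= 191:            # 23 * 8 + 7 is the largest valid PRI
        raise ValueError(f"PRI out of range: {pri}")
    facility, level = divmod(pri, 8)
    # Facility codes the article does not list (10-15) are reported by number.
    return FACILITY_NAMES.get(facility, f"facility{facility}"), LEVEL_NAMES[level]


def parse_syslog_line(line):
    """Parse the '<PRI>' prefix of a BSD syslog datagram as sent over UDP/514."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing PRI prefix")
    end = line.index(">")
    pri = int(line[1:end])
    facility, level = decode_pri(pri)
    return {"pri": pri, "facility": facility, "level": level, "msg": line[end + 1:]}


if __name__ == "__main__":
    # Constructed sample datagram: an auth.alert message from a made-up host.
    sample = "<33>Apr  7 10:15:22 host1 su: 'su root' failed for user1 on /dev/pts/2"
    print(parse_syslog_line(sample))
```

Because the facility and level travel together in one byte-sized number, a collector that only stores the text after the angle brackets loses the information a selector such as auth.notice keys on; decoding PRI at ingestion is what lets the receiving side apply the same facility.level filtering that syslog.conf does locally.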


Here are brief details of each ACTION (5 actions):

Action                                          Description
Log to a file or a device                       Redirect the system events to the respective file, for example: *.debug /var/adm/messages
Send a message to a user                        Redirect the system events to particular users, for example: *.debug user1, user2
Send a message to all users                     Redirect the system events to all users, for example: *.debug *
Pipe the message to a program                   The program is specified after the Unix pipe symbol (|). You need to use syslog-ng to achieve this.
Send the message to the syslog on another host  Redirect the system events to the host, for example: *.debug @LOGHOST

With this explanation, the entries of a typical syslog.conf file (the full file is shown below) become easy to understand:

facilities.level        Action
*.alert    root        # This line directs ALL system alert logs to the root user.

facilities.level        Action
*.emerg     *           # This line directs ALL system emergency logs to all users.

facilities.level               Action
*.debug  /var/adm/messages  # This line directs ALL types of event logs to /var/adm/messages.

facilities.level                 Action
auth.info /var/log/authlog  # This line directs only authentication informational messages to /var/log/authlog.

facilities.level                  Action
daemon.notice /var/log/connlog  # This line directs only daemon notices to /var/log/connlog.

NOTE: You must use the tab character between the selector and the action fields. If you use spaces, the line will look the same in an editor, but syslogd will not read the configuration file correctly.
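
As an added example (not part of the original article), the following Python reads syslog.conf entries the way the note above describes: it rejects a line whose selector and action are separated by spaces instead of a tab (the defect the `cat -evt` listing below makes visible), and it resolves which actions a message of a given facility.level reaches. The selector semantics it applies are those of classic BSD/Solaris syslogd, which the article does not spell out and which are stated here as an assumption: a level selects that level and everything more severe, "none" switches a facility off, and a later selector on the same line overrides an earlier one for the same facility. The sample configuration is constructed, modelled on the file shown below.

```python
# Added example (not from the original article): a small reader for
# BSD/Solaris-style syslog.conf entries. It enforces the tab rule between
# selector and action and resolves where a facility.level message is sent.
# Selector semantics below are classic syslogd behaviour, assumed here since
# the article does not state them: a level means that level and anything more
# severe, "none" turns a facility off, later selectors override earlier ones.

# Most severe first; the position in this list is the priority number.
LEVEL_ORDER = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# The facilities listed in the article's table.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron"] + [f"local{i}" for i in range(8)]


def parse_selector(selector):
    """Turn 'fac1,fac2.level;fac3.level' into {facility: threshold_level}."""
    table = {}
    for part in selector.split(";"):
        facs, _, level = part.strip().rpartition(".")
        if level != "none" and level not in LEVEL_ORDER:
            raise ValueError(f"unknown level in selector: {part!r}")
        for fac in facs.split(","):
            targets = FACILITIES if fac == "*" else [fac]
            for name in targets:
                table[name] = level        # later selectors override earlier ones
    return table


def selector_matches(table, facility, level):
    """True if a facility.level message is selected by the parsed selector."""
    threshold = table.get(facility)
    if threshold is None or threshold == "none":
        return False
    return LEVEL_ORDER.index(level) <= LEVEL_ORDER.index(threshold)


def parse_syslog_conf(text):
    """Return ([(lineno, selector_table, action)], [(lineno, problem)])."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if "\t" not in line:
            # syslogd splits selector from action on a tab; a space-separated
            # line looks identical in an editor but is not read correctly.
            problems.append((lineno, "selector and action separated by spaces, not a tab"))
            continue
        selector, action = line.split("\t", 1)
        entries.append((lineno, parse_selector(selector.strip()), action.strip()))
    return entries, problems


def route(entries, facility, level):
    """List the actions (file, user list, '*', @host) a message is sent to, in file order."""
    return [action for _, table, action in entries
            if selector_matches(table, facility, level)]


# Constructed sample modelled on the Solaris syslog.conf shown in the article;
# the last line reproduces the space-separated mistake the note warns about.
SAMPLE_CONF = (
    "# constructed sample syslog.conf\n"
    "*.err;kern.notice;auth.notice\t/dev/sysmsg\n"
    "*.alert\t\t\t\troot\n"
    "*.emerg\t\t\t\t*\n"
    "*.debug\t\t\t\t/var/adm/messages\n"
    "auth.info\t\t\t/var/log/authlog\n"
    "daemon.notice\t\t\t/var/log/connlog\n"
    "*.debug      @syslog\n"
)


def check_sample():
    """Parse SAMPLE_CONF and report where an auth.alert message would go."""
    entries, problems = parse_syslog_conf(SAMPLE_CONF)
    return {
        "entries": len(entries),
        "bad_lines": [lineno for lineno, _ in problems],
        "auth.alert": route(entries, "auth", "alert"),
    }


if __name__ == "__main__":
    for lineno, problem in parse_syslog_conf(SAMPLE_CONF)[1]:
        print(f"line {lineno}: {problem}")
    print(check_sample())
```

Run against the sample, the checker reports the space-separated `*.debug @syslog` line as unreadable (so the intended forwarding to the log host silently never happens) and shows an auth.alert message landing in /dev/sysmsg, the root user's terminal, /var/adm/messages and /var/log/authlog, one hit per matching line. Running the same check on a real /etc/syslog.conf before restarting syslogd catches the tab-versus-space mistake without having to read the `cat -evt` output by eye.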

By executing the command below, we can tell TAB characters apart from SPACE characters:
# cat -evt /etc/syslog.conf
#ident^I"@(#)syslog.conf^I1.5^I98/12/14 SMI"^I/* SunOS 5.0 */$
#$
# Copyright (c) 1991-1998 by Sun Microsystems, Inc.$
# All rights reserved.$
#$
#$
# This "syslog.conf" file was installed by JASS.  This$
# file should be used to log information both locally as$
# well as to a centralized log server (or servers) so that$
# proactive log analysis can be done.$
$
*.err;kern.notice;auth.notice^I/dev/sysmsg$
*.alert^I^I^I^Iroot$
*.emerg^I^I^I^I*$
$
*.debug^I^I^I^I/var/adm/messages$
# *.debug^I^I^I@loghost1$
# *.debug^I^I^I@loghost2$
$
auth.info^I^I^I/var/log/authlog$
daemon.notice^I^I^I/var/log/connlog$
*.debug      @syslog$  .....> SPACE characters
^I      represents a TAB character
Blank   represents a SPACE character

I hope you now have a better understanding of syslog.

Thank you for reading this article, and please leave a comment if you enjoyed it.