One of the most typical weaknesses of an enterprise Unix/Linux server installation is the use of the default syslog configuration file. It does not make sense to run the default syslog.conf in any environment: many of the messages it routes are junk, and it should always be customized. That is rule number one for any system administrator who respects his time.
It is important to remember that for any severity level specified, messages are selected for that level and all more severe levels (the ones with a lower priority number). For example, kern.warning causes warning-, err-, crit-, alert-, and emerg-level messages from the kernel facility to be written to the specified log.
|
Wildcard notation can also be used in selectors. For example, *.err means messages at severity err (and more severe) from all facilities except the mark facility.
A syslog configuration consists of routing messages from various facilities (at various severity levels) to one or more of the following destinations:
Logfiles anywhere on the system
Another computer running syslog with its own syslog configuration
Active users on the system
The notation for a syslog.conf entry is selector <tab> action (note that the character between selector and action must be a tab and must not be one or more spaces). The action is a remote host (written @hostname), a pathname (a log file or a device such as /dev/console), a comma-separated list of user ids, or * for every logged-in user. The selector consists of one or more semicolon-separated facility-severity pairs of the form facility.level[;facility.level]; several facilities can share one level by listing them with commas (for example auth,authpriv.none), and the special level none drops a facility that an earlier, broader pair on the same line would otherwise have included.
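As an added example (not from this page or from any syslogd implementation), here is a small Python checker that applies the selector rules above: it parses facility.level pairs, honours the severity-inclusion and none semantics, rejects space-separated lines, warns when auth/authpriv messages would go to an @host action, and reports where a given message would be routed. The configuration lines inside it are constructed for the demonstration, in the style of the files quoted further down.

```python
# Added example (not from this page or any syslogd source): a checker for
# BSD/Sun-style syslog.conf lines applying the rules in the text: a level also
# matches everything more severe, '*' is all facilities but mark, 'none' drops one.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
RANK = {name: i for i, name in enumerate(LEVELS)}  # lower rank = more severe
FACILITIES = {"kern", "user", "mail", "daemon", "auth", "authpriv", "syslog",
              "lpr", "news", "uucp", "cron", "ftp", "security", "mark"}
FACILITIES |= {"local%d" % i for i in range(8)}

def parse_selector(selector):
    """Map facility -> least severe rank still logged (None = dropped).
    Pairs apply left to right, so in '*.err;user.none' the 'none' wins."""
    table = {}
    for pair in selector.split(";"):
        facs, dot, level = pair.strip().partition(".")
        if not dot or (level not in RANK and level != "none"):
            raise ValueError("bad pair %r (a comma where ';' was meant?)" % pair)
        for fac in facs.split(","):
            for t in (FACILITIES - {"mark"} if fac == "*" else {fac}):
                if t not in FACILITIES:
                    raise ValueError("unknown facility %r" % t)
                table[t] = None if level == "none" else RANK[level]
    return table

def parse_line(line):
    """Return (selector, action), or None for blank and comment lines."""
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    if "\t" not in line:  # the mistake every post on this page warns about
        raise ValueError("no tab between selector and action: %r" % line)
    selector, _, action = line.partition("\t")
    return selector.strip(), action.strip()

def lint(conf):
    """Errors per malformed line, plus a warning when auth/authpriv goes to an '@host'."""
    out = []
    for n, line in enumerate(conf.splitlines(), 1):
        try:
            parsed = parse_line(line)
            if parsed:
                table = parse_selector(parsed[0])
                leaked = sorted(f for f in ("auth", "authpriv") if table.get(f) is not None)
                if parsed[1].startswith("@") and leaked:
                    out.append("line %d: %s sent over the network" % (n, leaked))
        except ValueError as e:
            out.append("line %d: %s" % (n, e))
    return out

def route(conf, facility, level):
    """List the actions a message with this facility.level would reach."""
    actions = []
    for line in conf.splitlines():
        parsed = parse_line(line)
        if parsed:
            limit = parse_selector(parsed[0]).get(facility)
            if limit is not None and RANK[level] <= limit:
                actions.append(parsed[1])
    return actions

# Constructed sample in the style of the files quoted on this page. The lone
# 'auth,authpriv.none' line matches nothing by itself, so it does NOT keep auth
# messages out of /var/log/messages; the merged selector on the next line does.
SAMPLE = "\n".join([
    "*.err;kern.debug\t/dev/console",
    "*.notice\t/var/log/messages",
    "auth,authpriv.none\t/var/log/messages",
    "*.notice;auth,authpriv.none\t/var/log/messages.fixed",
    "auth,authpriv.debug\t/var/log/auth.log",
    "*.emerg;user.none\t*",
])
```

Running route(SAMPLE, "auth", "notice") shows the message still landing in /var/log/messages, which is exactly the mistake a separate none line makes; lint() on a copy of your own syslog.conf catches space-separated and comma-mangled lines before you HUP syslogd.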
Some ideas can be borrowed from the following examples:
#;
#; /etc/syslog.conf
#; Recommended syslog configuration.
#;
#; +----------------------------------------------------+
#; | Author: DePaul University Computer Security Team   |
#; | WWW:    <http://security.depaul.edu/>              |
#; | SMTP:   <[email protected]>                     |
#; +----------------------------------------------------+
#;
#; Copyright (c) 2003. DePaul University. All Rights Reserved.
#;
#;
#; Platform: Tested on the following platforms:
#;           OpenBSD 3.1, 3.2, 3.3, 3.4, 3.5
#;           FreeBSD 4.4, 4.5, 4.6
#;           Solaris 2.6, 2.7
#;
#; Notes: Syslog requires TAB delimitation between facility and
#;        destination. Log files MUST exist prior to the start of
#;        syslogd. This file will be reread by sending a SIGHUP to
#;        syslogd.
#;
#; Recommended file permissions:
#;
#;      0640 /var/log/messages
#;      0640 /var/log/daemon.log
#;      0640 /var/log/cron.log
#;      0600 /var/log/auth.log
#;      0600 /var/log/critical.log
#;
#; If you do not audit your logs, the time spent putting this
#; in place will be wasted. Audit logs regularly!!
#;
#; Revised: $Id: syslog.conf,v 1.2 2004/04/29 20:49:31 epancer Exp $
#;
#; Send general messages to the console.
*.err;kern.debug				/dev/console
auth.notice;authpriv.none			/dev/console
#; The "Readers Digest" version of critical system failures that
#; management staff, at least, should pay attention to.
*.err;*.crit;*.emerg				/var/log/critical.log
#; Next, we define where most daemons and applications log.
#; Do not log auth/authpriv messages here; rather log them to
#; a separate file for processing by security staff.
#; (The "auth,authpriv.none" pair must sit in the same selector list as
#; "*.notice": a "none" pair only suppresses facilities on its own line,
#; and on a line by itself it matches nothing at all.)
*.notice;auth,authpriv.none			/var/log/messages
auth,authpriv.debug				/var/log/auth.log
cron.info					/var/log/cron.log
news,kern,lpr,daemon,ftp,mail.info		/var/log/daemon.log
#; For more critical errors tell root. Keep user-land messages out of
#; the way.
*.err;user.none					root
#; In emergencies, wall the users. Note we restrict user-land messages
#; from being able to do this as it might annoy those logged in.
*.emerg;user.none				*
#; The definition of "loghost" should be placed in /etc/hosts to
#; prevent DNS spoofing. A sample entry of this follows.
#;
#; 10.197.213.1 loghost.depaul.edu loghost
#;
#; Send all informational messages, critical warnings and emergency
#; conditions to the remote log server EXCEPT for authpriv messages
#; that can be intercepted from the network.
#;
#; Uncomment out the following if you have a loghost defined and
#; wish to log to such a location. Note that messages sent over the
#; network MAY EXPOSE sensitive information or data. Beware.
#*.err;*.emerg;*.crit;auth,authpriv.debug	@loghost
#;
# vim: ts=8 sw=8 nowrap
#;
The configuration will be different for each site, but here is what Greg Earle recommends as the lines for the "news.*" related part. Remember that most syslogds require tabs, not spaces. Greg's canonical SunOS 4.1.x INN-related syslog.conf entries (which can be merged into your current configuration):

#
# INN stuff
#
## Send critical messages to everyone who is logged in and to the console.
news.crit					*
news.crit					/dev/console
## Log news messages to separate files.
## Note that each level includes all of the above it.
## =()<news.crit	@<_PATH_MOST_LOGS>@/news.crit>()=
news.crit					/var/log/news/news.crit
## =()<news.err	@<_PATH_MOST_LOGS>@/news.err>()=
news.err					/var/log/news/news.err
## =()<news.notice	@<_PATH_MOST_LOGS>@/news.notice>()=
news.notice					/var/log/news/news.notice

If you don't want /var/log/messages to be crowded by messages from news, add news.none to the line where /var/log/messages gets logged, so that the line reads (as an example):

*.err;kern.debug;auth.notice;mail.crit;news.none	/dev/console

(Note the semicolon before news.none: pairs in a selector are separated by semicolons, and with a comma there syslogd would try to read "crit,news.none" as a severity level and reject the line.)

On some systems you can add a flag to some entries in order to instruct syslog not to sync after each write. This might help raise throughput. Otherwise move the logs off busy file systems if that flag is not available.
# $FreeBSD$
#
#	Spaces ARE valid field separators in this file. However,
#	other *nix-like systems still insist on using tabs as field
#	separators. If you are sharing this file between systems, you
#	may want to use only tabs as field separators here.
#	Consult the syslog.conf(5) manual page.
*.err;kern.debug;auth.notice;mail.crit		/dev/console
*.notice;kern.debug;lpr.info;mail.crit;news.err	/var/log/messages
security.*					/var/log/security
mail.info					/var/log/maillog
lpr.info					/var/log/lpd-errs
cron.*						/var/log/cron
*.err						root
*.notice;news.err				root
*.alert						root
*.emerg						*
# uncomment this to log all writes to /dev/console to /var/log/console.log
# console.info					/var/log/console.log
# uncomment this to enable logging of all log messages to /var/log/all.log
#*.*						/var/log/all.log
# uncomment this to enable logging to a remote log host named loghost
#*.*						@loghost
# uncomment these if you're running inn
# news.crit					/var/log/news/news.crit
# news.err					/var/log/news/news.err
# news.notice					/var/log/news/news.notice
!startslip
*.*						/var/log/slip.log
!ppp
*.*						/var/log/ppp.log
This is an example of the /etc/syslog.conf file
NOTE: Do not use the space bar for /etc/syslog.conf, you must use tabs!
#ident	"@(#)syslog.conf	1.5	98/12/14 SMI"	/* SunOS 5.0 */
#
# Copyright (c) 1991-1998 by Sun Microsystems, Inc.
# All rights reserved.
#
# syslog configuration file.
#
# This file is processed by m4 so be careful to quote (`') names
# that match m4 reserved words.  Also, within ifdef's, arguments
# containing commas must be quoted.
#
*.err;kern.notice;auth.notice			/dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit	/var/adm/messages
### TCP Wrappers
local3.info					/var/adm/tcpdlog
*.alert;kern.err;daemon.err			operator
*.alert						root
*.emerg						*
### Syslog server
# (forwards every facility at info and above, auth included, to host marge)
*.info						@marge
# if a non-loghost machine chooses to have authentication messages
# sent to the loghost machine, un-comment out the following line:
#auth.notice			ifdef(`LOGHOST', /var/log/authlog, @loghost)
mail.debug			ifdef(`LOGHOST', /var/log/syslog, @loghost)
#
# non-loghost machines will use the following lines to cause "user"
# log messages to be logged locally.
#
ifdef(`LOGHOST', ,
user.err					/dev/sysmsg
user.err					/var/adm/messages
user.alert					`root, operator'
user.emerg					*
)
3.5 configure logging

vi /etc/syslog.conf (convert all spaces to tabs):

syslog,auth,local7,local5.debug;daemon.notice;local6.info;user.none	/dev/console
*.alert;auth.debug;kern.err;daemon.err;user.none			operator
kern.notice		/var/log/kern.messages
daemon.debug		/var/log/daemon.messages
user.debug		/var/log/user.messages
cron.emerg		/var/log/cron.messages
auth.info		/var/log/auth.messages
news.debug		/var/log/news.messages
mail.info		/var/log/mail.messages
uucp.notice		/var/log/uucp.messages
lpr.debug		/var/log/lpr.messages
local0.info		/var/log/local0.messages
local1.debug		/var/log/local1.messages
local2.debug		/var/log/local2.messages
local3.debug		/var/log/local3.messages
local4.debug		/var/log/local4.messages
local5.debug		/var/log/local5.messages
local6.debug		/var/log/local6.messages
local7.debug		/var/log/local7.messages
*.debug			@loghost2

(The last selector appears as a bare "debug" in the source; "*.debug" is assumed here, since a selector needs a facility part.)

Then:
- create the logfiles under /var/log (touch)
- kill -1 <syslog pid>
- touch /var/adm/loginlog
- chmod o-w /var/{log,adm}/* /var/log/sysidconfig.log
- To: <[email protected]>
- Subject: SUMMARY: configuring syslog
- From: mark_conroy at em.fcnbd.com
- Date: Mon, 19 Oct 1998 14:55:01 -0600
- Sender: [email protected]
To the group,

I wish to thank all of the people who have responded and have helped out. I really appreciate everyone's time. The following is what I have discovered:

- about a dozen people responded with "make sure you use tabs and not spaces". That one I did have correct.

My final /etc/syslog.conf configuration included:

cron.info	userid,userid
cron.info	/home/userid/cron.out
local0.debug	userid,userid
local0.debug	/home/userid/local0.out

Then kill syslogd with a HUP, to reread the conf file.

I used the logger utility (this was provided by Michael Kriss) that allowed me to test out these entries by issuing the following:

logger -p local0.debug "this is a test"
logger -p cron.info " this is a test"

I checked the above log files, and sure enough, these test entries were in there.

I had originally used the "LOG_CRON" and "LOG_LOCAL0" entries, but it was pointed out to me by Michael Hill that these are used by the user's program to send the messages to syslogd, where syslogd then takes it and checks the facility and level, and then forwards it to the file or user's console.

I am waiting for the user to test this with his program. The only other issue that was brought to my attention was by Chris Marble, and that was cron won't work, and that the man pages lied. I will have to address that when I come to it, but thanks Chris, for the info.

Mark Conroy
Modify the /etc/inetd.conf and /etc/syslog.conf files to activate the use of tcpd (tcp wrapper) and log its activity.
/etc/inetd.conf
For any TCP based connection, tcpd can be used to examine the incoming connection's address and decide whether to accept or reject it based on the hosts.allow and hosts.deny files. This only occurs if you configure inetd to actually use tcpd. On each TCP based entry in inetd.conf, you insert the wrapper as the daemon which inetd will invoke, and pass to the wrapper the name of the actual daemon and any options which you would pass to it. For example:
ftp stream tcp nowait root /etc/uva/tcp_wrapper/tcpd ftpd -u 022
This configures the wrapper to be invoked for an incoming ftp connection. After you set up the inetd.conf file, you must signal inetd (kill -HUP pid, where pid is inetd's process id) to reread its configuration and activate the changes you made.
/etc/syslog.conf
ITC's tcpd includes logging through syslogd, using one of the local info message categories. You should add an entry to /etc/syslog.conf which looks like this:
local1.info	/etc/uva/tcp_wrapper/log

The second parameter is where you want the log written. You can use /var/log on Solaris, /etc/uva/tcp_wrapper on any AIX, Irix, or Solaris system with the ITC tcpd implementation, or wherever you prefer to keep the log.
After editing the syslog.conf file, you must signal syslogd (kill -HUP pid, where pid is syslogd's process id).
______________________________ Reply Separator _________________________________
Subject: configuring syslog
Author: <[email protected]> at INTERNET
Date: 10/15/1998 10:57 AM

To the group,
I tried to go to the archives regarding my problem, but I am receiving an error
on the server. So I thought I would post my question.

I am trying to configure syslog.conf for two items:
1) The user wants to have any messages(informational and up) to be logged to a
file under tmp. I tried to set up syslog.conf, but it did not work, and I don't
feel that, after reviewing the man pages, that it is correct. I added to
/etc/syslog.conf:

LOG_CRON	userid,userid,/tmp/gaitir
2) the second item they wanted was to allow any user assigned to their group to
log to a file. Again I was thinking of the configuration:

LOG_LOCAL0	userid,userid,/tmp/allgaitir
Neither are working. I did kill syslogd with a HUP.
Any thoughts would be appreciated.
Thanks in advance.
Mark Conroy
syslog.conf (Sun Ray server variant)

#ident	"@(#)syslog.conf	1.5	98/12/14 SMI"	/* SunOS 5.0 */
#
# Copyright (c) 1991-1998 by Sun Microsystems, Inc.
# All rights reserved.
#
# syslog configuration file.
#
# This file is processed by m4 so be careful to quote (`') names
# that match m4 reserved words.  Also, within ifdef's, arguments
# containing commas must be quoted.
#
*.err;kern.debug;daemon.notice;mail.crit	/var/adm/messages
*.alert;kern.err;daemon.err			operator
*.alert						root
*.emerg						*
# if a non-loghost machine chooses to have authentication messages
# sent to the loghost machine, un-comment out the following line:
#auth.notice			ifdef(`LOGHOST', /var/log/authlog, @loghost)
mail.debug			ifdef(`LOGHOST', /var/log/syslog, @loghost)
#
# non-loghost machines will use the following lines to cause "user"
# log messages to be logged locally.
#
ifdef(`LOGHOST', ,
user.err					/dev/sysmsg
user.err					/var/adm/messages
user.alert					`root, operator'
user.emerg					*
)
# Sun Ray server (SUNWut) logs
user.info					/var/opt/SUNWut/log/messages
local1.info					/var/opt/SUNWut/log/admin_log
Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Last modified: July 28, 2019