See this page as a slide show

CT 320: Network and System Administration

Chapter 11: Logging

Original slides from Dr. James Walden at Northern Kentucky University.

Overview

• Linux daemons, kernel, utilities, and services continually emit status information that is logged.
• Logfiles contain valuable clues about the state of the system, including failures.
• The main source of data about the system is the syslogd daemon.
• Most logfiles are plain text, so normal tools such cat, grep, head, and tail can parse them. vim & less can transparently read compressed files!
• The syslog contains events from multiple sources, as listed above.
  • Some sites have a centralized logging server that aggregates logs from multiple systems.

Finding logfiles

• Even within Linux, different distributions store logfiles in different places in the filesystem.
• Most logfiles stored in one of the following directories:
  • /var/log
  • /var/log/syslog
  • /var/adm
• Most logfiles require root privileges to access, but it is possible to make them world readable.
• Logfiles are notorious for consuming space and filling up disks.

Finding logfiles (cont’d)

File	Program	Freq	Contents
acpid	acpid	-	power related events
boot.log	rc scripts	monthly	system startup scripts
cron	cron	weekly	cron execution and errors
cups	CUPS	weekly	printing related messages
dmesg	kernel	-	kernel message buffer
faillog	login	weekly	unsuccessful login attempts
/etc/httpd	httpd	daily	Apache HTTP server logs
lastlog	login	-	last login time per user
mail	mailers	weekly	mail facility messages

Finding logfiles (cont’d)

File	Program	Freq	Contents
messages	various	weekly	main system log
samba/*	smbd	weekly	Samba file sharing
secure	sshd	monthly	private authorization messages
sulog	su	-	successes and failures
syslog	various	weekly	main system logfile
warn	various	weekly	warning and error messages

syslog: system event logger

• Enforces a comprehensive logging policy and puts administrators in control of logfiles.
• Allows sorting of messages by source and severity and routing to various destinations.
• The architecture of syslog has three parts:
  • syslogd: logging daemon and its config file /etc/syslog.conf
  • openlog: library routines that submit messages to syslogd
  • logger: user-level command to submit log entries from shell
• Can modify the config file to cause messages from various systems to be saved in specific files:
  • mail.info /var/log/maillog

syslog: facility names

Facility	Programs that use it
auth	authorization commands
cron	cron
daemon	system daemons
ftp	ftpd
kern	kernel
lpr	line printer spooling
mail	sendmail
syslog	syslogd
user	user processes

syslog: severity levels

Level	Meaning
emerg	panic situations
alert	urgent situations
crit	critical conditions
err	other error conditions
warning	warning messages
notice	might merit investigation
info	information messages
debug	for debugging only

syslog: action field

Action	Meaning
filename	append message to local file
@hostname	forward to syslogd on hostname
@ipaddress	forward to syslogd at ipaddress
|fifoname	write to named pipe
user₁,user₂,…	write to screens of listed users
*	write to screens of all users

syslog: config examples

    # emergencies: tell everyone who is logged in
    *.emerg *
    # warnings: store them in message log
    *.warning /var/log/messages
    # kernel: store them in local log
    kern.info /var/log/kern.log
    # send to network logger
    auth.info @netloghost

logrotate

• Utility to manage log management policies; standard on Linux distributions.
• Has a configuration file, /etc/logrotate.conf that specifies how to manage groups of logfiles:
  • compress: compresses noncurrent logfiles (what program, options)
  • daily, weekly, monthly: rotate logfiles on schedule
  • missingok: does not complain if logfile does not exist
  • size logsize: rotates if logfile size > logsize
  • /etc/logrotate.d/*

Logging Policies

• Questions that affect logging policies:
  • How many systems and applications will be included?
  • Type and size of storage infrastructure that is required?
  • How long must the logging information be retained?
  • What types of events are important to the organization?
• Many of these questions come down to security!
• Also need to consider resources available.
• Automation is critical to being successful.
• Most sites today are trending towards a central approach to log collection and analysis.