syslog and log files
Ameera Jaradat
An integral part of any UNIX system is its logging facility. Most logging in Linux is provided by two programs: sysklogd, which provides logging services to programs and applications, and klogd, which provides logging for the Linux kernel. Klogd sends most messages on to syslogd but will occasionally print messages directly on the console (e.g. kernel panics). Syslogd handles the task of processing most messages and sending them to the appropriate file or device; this is configured in /etc/syslog.conf. By default, most logging to files takes place in /var/log/.
Rotating log files
A common way to keep logging information for a fixed period is "rotation": you keep backup files that are one day old, two days old, and so on. Each day a script or utility program renames the files to push older data toward the end of the chain.
Example rotation policy, for a log file called logfile:
    #!/bin/sh
    cd /var/log
    mv logfile.2 logfile.3
    mv logfile.1 logfile.2
    mv logfile logfile.1
    cat /dev/null > logfile
    chmod 600 logfile
With a chain of seven backups, every day logfile.7 is lost as logfile.6 is renamed over it.
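The same policy as an added Python example (not from the slides or the handbook), generalized to a chain of `keep` backups so the "oldest copy is lost" behaviour and the mode-600 fresh file can be checked in a temporary directory; the `rotate` and `demo` names and the per-day sample lines are constructed for this example.

```python
"""Daily rotation as in the slide's shell script, generalised to `keep` backups:
logfile -> logfile.1 -> ... -> logfile.<keep>, and logfile.<keep> is dropped each run."""
import os
import stat
import tempfile


def rotate(path, keep=7):
    """Shift each copy one slot down the chain, then start a fresh mode-0600 log.
    Returns the names of the chain's files that exist afterwards."""
    # Walk from the oldest slot down, like the slide's sequence of mv commands,
    # so that no file is renamed over one that has not moved yet.
    for n in range(keep, 0, -1):
        src = path if n == 1 else f"{path}.{n - 1}"
        if os.path.exists(src):
            os.replace(src, f"{path}.{n}")   # when n == keep, the old logfile.<keep> is lost
    # Equivalent of "cat /dev/null > logfile; chmod 600 logfile".
    os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600))
    os.chmod(path, 0o600)   # explicit, so the umask cannot widen the permissions
    base = os.path.basename(path)
    return sorted(f for f in os.listdir(os.path.dirname(path) or ".")
                  if f == base or f.startswith(base + "."))


def demo(keep=3):
    """Constructed run in a temporary directory: append one line per 'day', rotate
    after each, and report the chain, the oldest surviving content and logfile's mode."""
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "logfile")
        for day in range(1, keep + 2):         # one more day than the chain holds
            with open(log, "a") as f:
                f.write(f"day {day}\n")
            chain = rotate(log, keep)
        with open(f"{log}.{keep}") as f:
            oldest = f.read()                  # "day 1" has already fallen off the end
        return chain, oldest, stat.S_IMODE(os.stat(log).st_mode)
```

Renaming alone does not make syslogd switch files: it keeps the old inode open until it receives HUP, which is why the logrotate postrotate stanza later in these slides sends one.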
Linux log files
For the most part, Linux packages send their logging information to files in the /var/log directory. On some distributions logs are also stored in /var/adm.
Special log files:
- /var/log/wtmp contains a record of users' logins and logouts, plus entries that indicate when the system was rebooted or shut down. It should be rotated.
- /var/log/lastlog records only the time of the last login for each user. It is a binary file indexed by UID. It does not need to be rotated, because its size stays constant unless new users log in.
- The checksecurity utility runs every day (from /etc/cron.daily/standard) to enumerate the system's complement of setuid programs (setuid.changes, setuid.today, setuid.yesterday).
Managing your log files
One common problem is figuring out what to do with all of the log messages. If you do a lot of logging (particularly if everything is sent to a central server), you can fill up your filesystem faster than you think. The most obvious and direct solution is to remove them after a specific length of time or when they reach a particular size. As its name implies, the goal of the logrotate program is to "rotate" log files. This can be as simple as moving a log file to a different name and replacing the original with an empty file.
Logrotate: managing log files
A logrotate configuration file consists of a series of specifications for groups of log files to be managed.
    # Example log rotation policy
    errors sa-book@admin.com
    rotate 5
    weekly
    /var/log/messages {
        postrotate
            /bin/kill -HUP `cat /var/run/syslogd.pid`
        endscript
    }
    /var/log/samba/*.log {
        notifempty
        copytruncate
        sharedscripts
    }
syslog: the system event logger
syslog is a comprehensive logging system. It consists of three parts:
- syslogd, the logging daemon (along with its config file, /etc/syslog.conf)
- openlog (with syslog and closelog), library routines that submit messages to syslogd
- logger, a user-level command that submits log entries from the shell
syslog: the system event logger
syslogd is started at boot time and runs continuously. It reads messages from /dev/log, consults its configuration file, and dispatches each message to the appropriate destinations. klogd is responsible for retrieving messages from the kernel's internal log buffer and forwarding them to syslogd.
A hangup signal (HUP, signal 1) causes syslogd to close its log files, reread its configuration file, and start logging again. A TERM signal causes syslogd to exit. syslogd writes its process ID to the file /var/run/syslogd.pid.
Configuring syslogd
The configuration file /etc/syslog.conf controls syslogd's behavior. The basic format of a line is:
    selector <tab> action
For example:
    mail.info    /var/log/maillog
causes messages from the email system to be saved in the file /var/log/maillog. Within the selector, "mail" is the facility (message category) and "info" is the priority level; /var/log/maillog is the action.
Facilities
Facilities are simply categories. Supported facilities in Linux:
    Syslog facility   Associated subsystem
    authpriv          Login authentication
    cron              cron subsystem
    daemon            System server processes
    kern              Linux kernel
    lpr               Spooling subsystem
    mail              Mail subsystem
    news              News subsystem
    localN            Locally-defined syslog facilities (N runs from 0 to 7)
Priorities
Unlike facilities, which have no relationship to each other, priorities are hierarchical. Possible priorities in Linux are (in increasing order of urgency): debug, info, notice, warning, err, crit, alert and emerg. As with facilities, the wildcards * and none are accepted. A priority may be preceded by either or both of the modifiers = and !.
    Severity level   Keyword         Description
    0                emergencies     System unusable
    1                alerts          Immediate action required
    2                critical        Critical condition
    3                errors          Error conditions
    4                warnings        Warning conditions
    5                notifications   Normal but significant conditions
    6                informational   Informational messages
    7                debugging       Debugging messages
Example:
    *.info;mail.none;authpriv.none;cron.none    /var/log/messages
In this case, all messages of severity "info" and above are logged, but none from the mail, cron or authentication facilities/subsystems.
    Selector                    Meaning
    mail.info                   Select mail-related messages of info priority and higher
    mail.=info                  Select only messages at info priority
    mail.info;mail.!err         Select only priorities info, notice and warning
    mail.debug;mail.!=warning   Select all priorities except warning
Action
In practice, most log messages are written to files. If you list the full path to a filename as a line's action in syslog.conf, messages that match that line will be appended to that file. (If the file doesn't exist, syslog will create it.) You can send messages other places too. An action can be a file, a named pipe, a device file, a remote host or a user's screen.
    Action          Meaning
    filename        Writes the message to a file on the local machine
    @hostname       Forwards the message to syslogd on host hostname
    @ipaddress      Forwards the message to the host at IP address ipaddress
    |fifoname       Writes the message to the named pipe fifoname
    user1,user2,…   Writes the message to those users' screens
    *               Writes the message to all users who are logged in
Config file examples: a stand-alone machine on a small network
    # small network syslog.conf file
    # emergencies: tell everyone who is logged on
    *.emerg                                *
    # important messages
    *.warning;daemon,auth.info;user.none   /var/log/messages
    # printer errors
    lpr.debug                              /var/log/lpd-errs
Config file examples: a client machine on a larger network
    # emergencies: tell everyone who is logged on
    *.emerg;user.none                *
    # forward important messages to the central logger
    *.warning;lpr,local1.none        @netloghost
    daemon,auth.info                 @netloghost
    # send local stuff to the central logger too
    local2.info;local0,local7.debug  @netloghost
    # cardd logs through facility local1 - send to boulder
    local1.debug                     @boulder.colorado.edu
    # keep printer errors local
    lpr.debug                        /var/log/lpd-errs
    # sudo logs to local2 - keep a copy here too
    local2.info                      /var/log/sudo.log
    # keep kernel messages local
    kern.info                        /var/log/kern.log
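To make the selector rules of the preceding slides concrete, here is an added Python example (not from the slides or the handbook) that applies sysklogd's selector semantics to the client-machine config above and reports which actions a given facility/priority message reaches. The config text is embedded as constructed sample input; the `parse_line` and `destinations` names are this example's own, and the facility list adds auth and user, which the config examples use, to the slides' table.

```python
"""Which syslog.conf actions does a (facility, priority) message reach?
sysklogd selector rules: 'fac.pri' = pri and higher; '=pri' = only pri; '!pri' = drop
pri and higher; '!=pri' = drop only pri; 'none' = nothing; '*' = everything.
Selectors joined by ';' apply left to right, so a later 'none' overrides '*.info'."""
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "news", "user"]
FACILITIES += [f"local{n}" for n in range(8)]
# Constructed sample input: the "client machine on a larger network" policy from the slides.
CLIENT_CONF = """\
*.emerg;user.none                *
*.warning;lpr,local1.none        @netloghost
daemon,auth.info                 @netloghost
local2.info;local0,local7.debug  @netloghost
local1.debug                     @boulder.colorado.edu
lpr.debug                        /var/log/lpd-errs
local2.info                      /var/log/sudo.log
kern.info                        /var/log/kern.log
"""

def _level(name):
    return PRIORITIES.index(ALIASES.get(name, name))

def parse_line(line):
    """Return ({facility: allowed level numbers}, action), or None for blank/comment."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    selectors, action = line.rsplit(None, 1)
    allowed = {f: set() for f in FACILITIES}
    for sel in "".join(selectors.split()).split(";"):  # tolerate stray spaces
        facs, pri = sel.rsplit(".", 1)
        ignore, single = "!" in pri[:2], "=" in pri[:2]
        pri = pri.lstrip("!=")
        for f in (FACILITIES if facs == "*" else facs.split(",")):
            cur = allowed.setdefault(f, set())
            if pri == "none" or (pri == "*" and ignore):
                allowed[f] = set()
            elif pri == "*":
                allowed[f] = set(range(len(PRIORITIES)))
            else:
                hit = {_level(pri)} if single else set(range(_level(pri), len(PRIORITIES)))
                allowed[f] = cur - hit if ignore else cur | hit
    return allowed, action

def destinations(config, facility, priority):
    """Actions, in file order, that a message of this facility/priority is sent to."""
    lv = _level(priority)
    return [parsed[1] for line in config.splitlines()
            if (parsed := parse_line(line)) and lv in parsed[0].get(facility, set())]
```

For instance, an lpr err message reaches only /var/log/lpd-errs, because the later lpr,local1.none on the *.warning line cancels the forward to netloghost.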
Designing a logging scheme for your site
The syslog config file can be customized for each host. Choose a stable machine as your logging server, one that is well secured and does not have many logins. Some very large sites may want to add more levels to the logging hierarchy. Unfortunately, syslog retains the name of the originating host for only one hop: if host "client" sends some log entries to host "server", which sends them on to host "master", master will see the data coming from server, not from client.
Debugging syslog
The logger command is useful for submitting log entries from shell scripts. If you have just added the line
    local5.warning    /tmp/evi.log
to syslog.conf, verify that it is working by running
    % logger -p local5.warning "test message"
A line containing "test message" should then be written to /tmp/evi.log.
Using syslog from programs
The library routines openlog, syslog, and closelog allow programs to use the syslog system. The Perl interface is described here. To import the definitions of the library routines, include this line at the beginning of your Perl script:
    use Sys::Syslog;
The openlog routine initializes logging using the facility name:
    openlog(ident, logopt, facility);
    openlog("adminscript", "pid,cons", "local4");
Using syslog from programs
The syslog routine sends a message to syslogd, which logs it at the specified priority:
    syslog(priority, message, ...);
    syslog("info", "Delivery to %s failed after %d attempts", $user, $nAttempts);
The closelog routine closes the logging channel:
    closelog();
References:
"Linux Administration Handbook", E. Nemeth, G. Snyder, T. R. Hein, Ch. 11
Links:
http://www.linuxjournal.com/article.php?sid=5476
http://www.linux-mag.com/1999-11/guru_04.html