CENT 305 Information Systems Security Overview of System Logging syslog 1

System Logging (syslog) Services Central service for system logging provided by Linux/UNIX. ◦ The syslog service provides the system logging function. ◦ Many services log activities in their own logs, or use the system log. System logs, in /var/log/ directory track system-level events. ◦ Used for troubleshooting and auditing. ◦ Security measure: review logs! syslog is used by many services to log events. ◦ The new syslog program is now syslog-ng ◦ The related configuration files are:  /etc/sysconfig/syslog  /etc/syslog-ng/syslog-ng.conf ◦ The syslog service accepts messages from system services and logs them. 2

/etc/sysconfig/syslog File (man syslog.conf)‏ General parameters applicable to syslog-ng as well as the traditional syslog service. ◦ These parameters are evaluated by the startup script: /etc/init.d/syslog 3

syslog-ng.conf File (man 5 syslog-ng.conf)‏ 4 kinds of entries ◦ source definitions  defines sources for system log messages  default is internal() which gets messages from the syslog process  we won't focus on the sources ◦ filter definitions (need to know)  defines the rules for what actions should be logged ◦ destination definitions (need to know)  defines where to send the logged information  file, pipe, tcp host, udp host, etc. ◦ Log paths (need to know) Rules that link a message source, filter and destination Global options entry ◦ sets default options for all logs 4

Syslog Parameters Parameters common to both syslog and syslog-ng configuration are: ◦ Facilities (or categories) ◦ Priorities (or levels) 5

syslog Facilities (man syslog)‏ Facility ◦ the subsystem that provides the message. ◦ each program is assigned to a category or facility. ◦ Used in filter definitions 6

syslog Priorities Designates the urgency of message. listed below from lowest priority to highest. ◦ lower priority levels produce more log entries! Used in filter definitions 7

Sources (man 5 syslog-ng.conf)‏ Source driver definitions ◦ Collect messages using a given method ◦ Used to gather log messages from a particular “source” # 'src' is our main source definition. you can add more source driver definitions to it, or define # your own sources, i.e.: #source my_src {.... }; # source src { # # include internal syslog-ng messages # note: the internal() source is required! # internal(); # # the default log socket for local logging: # unix-dgram("/dev/log"); # # uncomment to process log messages from network: # #udp(ip(" ") port(514)); }; 8

Filter Definitions (man 5 syslog-ng.conf)‏ Boolean expressions that are applied to messages and evaluated as true or false. Example: filter f_iptables { facility(kern) and match("IN=" and match("OUT=") }; Syntax: filter name { boolean expression; }; Things you can test for: ◦ Facility - facility(facility name)‏ ◦ Priority or Level - level(level)‏ ◦ Match contents of message - match(regexp)‏ ◦ Another filter - filter(filtername)‏ 9

Destinations (man 5 syslog-ng.conf)‏ Destinations define where messages can be logged. Example: destination firewall { file( "/var/log/firewall" ); }; Syntax: destination destname { dest_definition; }; Destinations you can use include: ◦ Files - file (filename)‏ ◦ Pipes - pipe(filename)‏ ◦ Users, if logged in - usertty("username")‏ ◦ TCP hosts - tcp(tcp_hostname)‏ ◦ UDP hosts - udp(udp_hostname)‏ 10

Log Path Definitions (man 5 syslog-ng.conf)‏ Log Paths link a message source with a specified filter and a specified destination. Example: log { source(src); filter( f_iptables ); destination( firewall ); Syntax: log { source( src_name ); filter (filtername); dest(destname); }; 11

System Log File /var/log/messages ◦ Default system log ◦ Used by many services ◦ tail -f /var/log/messages Other daemons also store messages in other files in /var/log/ directory 12

Examples of System and Custom Log Files 13 Samba SMB server logs/var/log/samba CUPS print service errors/var/log/cups/error_log CUPS print service transactions/var/log/cups/access_log Web Server error log/var/log/httpd/error_log Web Server transaction log/var/log/httpd/access_log FTP server transaction log/var/log/xferlog System log file for sensitive information (e.g., authentication)‏ /var/log/secure Default system log file/var/log/messages PurposeLog File Name

logger Utility Allows administrators to generate log messages. ◦ Used for syslog debugging and testing ◦ Used for reporting conditions within shell scripts. Syntax:logger [-is] [-p pri] [-t tag] message Switches ◦ -iIncludes the PID with the message ◦ -sDuplicate the message to standard error ◦ -p priSpecify a facility.priority pair. Default is user.notice ◦ -t tagShort label to include with message, such as the name of application Example: logger -is -p syslog.notice -t SYSLOG syslog test 14