Ch11: Syslog and Logfiles Presented by: Apichana Thiantanawat 06/11/02.


What are log files? Useful information about a system: usage data (who, what, when, how), warnings and errors. Two kinds of logs: system logs and application logs.

Why logs? We can monitor a system. Misuse and abnormalities can be investigated from logs. Logs are the evidence when a system has been compromised.

Unix's Log Files Generated by many Unix system processes. Log files grow without bounds; eventually, you will run out of disk space. What to do? Manage log files.

Logging Policies Throw away log files Reset log files Rotate log files Archive log files

Throwing away log files Not recommended, since accounting and logged data are useful in detecting break-ins or other questionable activity, and hardware and software problems. Should keep them for some time (1 month), since you may not realize immediately that there is a problem.

Reset log files When log files get too big, reset the file to zero. Pro: you have data for troubleshooting. Con: you lose all history after deletion. What if you reset the log file, then find a problem? You have no data to look at. Average disk usage may be higher.

Rotating log files Keep backup log files for a fixed time (daily, weekly, etc.). Store each day's log in a separate file (logfile.1, logfile.2, ..., logfile.7). Use a script to rename the files to push older data toward the end of the chain; the oldest log is deleted. Compress older files using compress or another utility.

Rotating log files (cont.) Example script for 3 day rotation:
    #!/bin/sh
    cd /var/log
    mv logfile.2 logfile.3
    mv logfile.1 logfile.2
    mv logfile logfile.1
    cat /dev/null > logfile

Rotating log files (cont.) Caution !! Some daemons keep their log files open all the time, which causes: log data to disappear instead of going to the recreated log file; the older (original) log file to stay alive even after we delete it and create a new log with the same name. To install a new log file, such daemons must be signaled, or killed and restarted.

Rotating log files (cont.) An example script for both compression and signals (replace signal and pid with the daemon's reopen signal and its process id):
    #!/bin/sh
    cd /var/log
    mv logfile.2.gz logfile.3.gz
    mv logfile.1.gz logfile.2.gz
    mv logfile logfile.1
    cat /dev/null > logfile
    kill -signal pid
    gzip logfile.1
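The rotation-with-signal procedure from the last three slides as one reusable function. This is an added example, not code from the slides or the book; it assumes (hypothetically) that the daemon records its pid in a pidfile and reopens its log on SIGHUP, so check the daemon's manual for the real signal or restart it instead.

```shell
# Added example, not from the slides: rotate a log, keeping a fixed number
# of gzip'd generations, and signal the daemon that holds the file open.
# Assumptions (hypothetical): $pidfile holds the daemon's pid and the
# daemon reopens its log file on SIGHUP.
rotate_log() {
    dir=$1 name=$2 keep=$3 pidfile=$4
    # Shift older generations toward the end of the chain:
    # name.1.gz -> name.2.gz ... name.(keep-1).gz -> name.keep.gz.
    # Whatever was in name.keep.gz is overwritten: the oldest log is deleted.
    i=$keep
    while [ "$i" -gt 1 ]; do
        prev=$((i - 1))
        [ -f "$dir/$name.$prev.gz" ] && mv "$dir/$name.$prev.gz" "$dir/$name.$i.gz"
        i=$prev
    done
    [ -f "$dir/$name" ] || return 0          # nothing to rotate
    mv "$dir/$name" "$dir/$name.1"
    # Recreate the live file at once; it gets default ownership and mode,
    # so chown/chmod it here if the daemon runs unprivileged.
    : > "$dir/$name"
    # The daemon still has the old inode (now name.1) open, so its output
    # keeps going there until it is told to reopen the log.
    if [ -n "$pidfile" ] && [ -f "$pidfile" ]; then
        kill -HUP "$(cat "$pidfile")" || echo "rotate_log: could not signal daemon" >&2
        sleep 1                              # give the daemon time to reopen
    fi
    # Compress only after the signal, once nothing writes to name.1 any more.
    gzip -f "$dir/$name.1"
}
```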

Archiving log files Compress and archive files to backup media. All accounting data and log files may be archived, usually for audit purposes. First rotate to disk and then write to tape or other permanent media: faster access, and it reduces the frequency of tape backups. Can use normal backups or separate tapes. Note: logs may need to be kept for longer than backups.

Locations of log files Very inconsistent across vendors and daemons. Usually in /var/log, /var/adm, or /usr/adm. To locate a log file, read the system's startup scripts (/etc/rc*, /etc/rc.d/*, or /etc/init.d/*) to see if logging is on and what file is used; the locations of log files are usually given in /etc/syslog.conf.

An example of a log file acct, the system accounting file, keeps a record for every process: the username who ran the command, the name of the command, CPU time used, the completion timestamp of the process, and a flag indicating completion status. See table 11.1 p.208 for more examples of log files.

Files not to manage /var/adm/lastlog records each user's last login and is a sparse file, which will grow alarmingly if copied. Don't copy it! /etc/utmp keeps a record of the currently logged in users.

SYSLOG: a comprehensive logging system Used to manage the information generated by the kernel and the system utilities. Two important functions: it liberates programmers from the mechanics of writing log files, and it allows administrators to control logging effectively. SYSLOG allows messages to be sorted by their importance (severity) level, and messages to be routed to log files, users' terminals, or other machines.

SYSLOG (cont.) Syslog consists of three parts: syslogd and /etc/syslog.conf, the daemon that does the logging and its configuration file; openlog, syslog, and closelog, library routines that programmers use to send data to syslog; and logger, a user-level command for submitting log entries.

Startup and configuration of Syslog Started in the early stages of multi-user bootup. Runs as a daemon named syslogd. /etc/syslog.conf contains syslog's configuration and rules: facility names, severity levels, and actions. After modifying /etc/syslog.conf, you must send a hangup signal (HUP) to syslogd to make the changes take effect.

Syslog facilities Defined in syslog.conf. Facilities identify the program that is sending a log message:
    kern: messages generated by the kernel, not by user processes
    user: messages generated by user processes
    mail: the mail system
    local0-7: local machine use

Syslog severity levels Identified in syslog.conf. A selector's level indicates the minimum importance that a message must have in order to be logged.

Level     Approximate meaning
emerg     Panic situations
alert     Urgent situations
crit      Critical conditions
err       Other error conditions
warning   Warning messages
notice    Might merit investigation
info      Informational messages
debug     For debugging only

Syslog actions
    filename: write the message to a file on the local machine
    @hostname: send the message to the syslogd on hostname
    @ipaddress: send the message to the host at IP address ipaddress
    user1,user2,...: write the message to the users' screens if they are logged in
    *: write the message to all users logged in

Configuring syslogd Basic format: selector action. The selector identifies the facility and severity level as facility.level; the action says where matching messages go. For example: mail.info /var/log/maillog

Designing a logging scheme Small site: keep log files on each machine. Large network: use a central logging host; it keeps the information manageable, it should be a secure host, and the other hosts send most of their information to it.

Debugging syslog Use logger to test changes in syslogd's configuration file (syslog.conf). An example: add the rule local5.warning /tmp/evi.log, then run % logger -p local5.warning "test message"
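The facility, severity and action rules of the preceding slides, and the local5.warning test rule from this one, worked through as a small model of syslogd's selector matching. This is an added example, not code from the slides or from any syslog implementation; SYSLOG_CONF is a constructed sample, and its file paths and the host name loghost are assumptions.

```shell
# Added example, not from the slides: an awk model of how syslogd matches a
# message's facility and severity against the selectors in syslog.conf.
# SYSLOG_CONF is a constructed sample (paths and "loghost" are assumptions).
SYSLOG_CONF='# selector        action
mail.info         /var/log/maillog
*.err             /var/log/errors
kern.*            /var/log/kern.log
auth.notice       @loghost
local5.warning    /tmp/evi.log
*.emerg           *'

# Print every action that would receive a message of facility $1 at
# severity $2. Only the simple "facility.level action" form is handled
# (no "a,b.level" or "sel;sel" lists).
syslog_route() {
    printf '%s\n' "$SYSLOG_CONF" | awk -v fac="$1" -v lvl="$2" '
    BEGIN {
        # Rank the levels in the order of the slide table: 1 is most severe.
        n = split("emerg alert crit err warning notice info debug", L, " ")
        for (i = 1; i <= n; i++) rank[L[i]] = i
        if (!(lvl in rank)) exit 1          # unknown severity name
    }
    /^[ \t]*(#|$)/ { next }                 # comments and blank lines
    {
        split($1, sel, "[.]")               # facility.level
        if (sel[1] != "*" && sel[1] != fac) next
        # The level in a selector is a minimum: mail.info also receives
        # mail.err, because err is more severe (lower rank) than info.
        if (sel[2] != "*" && rank[lvl] > rank[sel[2]]) next
        print $2
    }'
}
```

On a real system the same check is done the way the slide describes: add the rule to /etc/syslog.conf, send syslogd a HUP, then submit a message with logger -p facility.level and look for it at the action's destination.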

Using syslog from programs The library routines openlog, syslog, and closelog allow programs to use the syslog system: openlog initializes logging, syslog sends a message to syslogd, and closelog closes the logging channel.

Condensing log files Looking through log files by hand, you're likely to miss important data. Solution: use tools such as swatch and logcheck to filter them. Promptly review security-related messages, messages about disks, and messages that are repeated many times.
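A small filter in the spirit of the swatch/logcheck approach on this slide: repeated messages are collapsed into one line with a count, and the security- and disk-related lines are pulled out for prompt review. This is an added example, not code from the slides or from either tool, and the log lines in SAMPLE_LOG are constructed.

```shell
# Added example, not from the slides. SAMPLE_LOG is a constructed excerpt
# in the usual "Mon dd hh:mm:ss host program[pid]: message" format.
SAMPLE_LOG='Nov 11 02:10:01 host sshd[2001]: Failed password for root from 10.0.0.5 port 4022 ssh2
Nov 11 02:10:03 host sshd[2002]: Failed password for root from 10.0.0.5 port 4023 ssh2
Nov 11 02:10:05 host sshd[2003]: Failed password for root from 10.0.0.5 port 4024 ssh2
Nov 11 02:11:00 host kernel: sd0: disk I/O error, block 8812
Nov 11 02:12:00 host cron[2100]: (root) CMD (/usr/bin/run-parts /etc/cron.hourly)
Nov 11 02:13:00 host su: evi to root on /dev/pts/1
Nov 11 02:14:00 host sendmail[2200]: stat=Sent'

# Collapse messages that differ only in timestamp, pid or client port, so
# that "repeated many times" shows up as one line with a count.
# Output: "<count> <message>", most frequent first.
condense_log() {
    sed -E -e 's/^[A-Z][a-z]{2} +[0-9]+ [0-9:]{8} //' \
           -e 's/\[[0-9]+\]//' \
           -e 's/ port [0-9]+//' |
    sort | uniq -c | sort -rn | sed -E 's/^ *//'
}

# Lines that deserve prompt review: authentication events and disk errors.
# Extend the pattern list for the daemons that matter on your hosts.
flag_lines() {
    grep -Ei 'failed password|su: |disk|I/O error'
}

# Stand-alone usage: condensed view, then the flagged raw lines.
printf '%s\n' "$SAMPLE_LOG" | condense_log
printf '%s\n' "$SAMPLE_LOG" | flag_lines
```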