Lesson 10

Date: 4/2/2014
Basics of Linux Security
Linux for Engineering and IT Applications


System logs

  • Deamon rsyslogd (syslogd on older systems) recieves info from running services about their status and stores it in log files. What they log and where is defined in config file /etc/rsyslog.d/50-default.conf (/etc/syslog.conf on older systems): 
    auth,authpriv.*	        /var/log/auth.log
*.*;auth,authpriv.none	-/var/log/syslog
#cron.*	                /var/log/cron.log
daemon.*               -/var/log/daemon.log
kern.*	              -/var/log/kern.log
lpr.*                 -/var/log/lpr.log
mail.*                -/var/log/mail.log
user.*                -/var/log/user.log

mail.info            -/var/log/mail.info
mail.warn            -/var/log/mail.warn
mail.err              /var/log/mail.err

news.crit             /var/log/news/news.crit
news.err              /var/log/news/news.err
news.notice          -/var/log/news/news.notice

daemon.*;mail.*;\
	news.err;\
	*.=debug;*.=info;\
	*.=notice;*.=warn  |/dev/xconsole

  • The first colomn specifies the facility and priority level.
    The facility is one of the following keywords:
    auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, syslog, user, uucp, local0 -- local7.
    The priority is one of the following keywords, in ascending order:
    debug, info, notice, warning, err, error, crit, alert, emerg.
  • The second colomn specifies where the logs are directed. The two colomns are separated by < TAB >
  • Every time when /etc/rsyslog.d/50-default.conf (or /etc/syslog.conf) is modified, syslog daemon should re-read the configuration: 
    killall -HUP rsyslogd
    or 
    killall -HUP syslogd
    Alternatively 
    service rsyslog reload


    • Take me to the Course Website