Lesson 10

Date: 4/2/2014
Basics of Linux Security
Linux for Engineering and IT Applications


System logs

  • Deamon rsyslogd (syslogd on older systems) recieves info from running services about their status and stores it in log files. What they log and where is defined in config file /etc/rsyslog.d/50-default.conf (/etc/syslog.conf on older systems):
    auth,authpriv.*	        /var/log/auth.log
    *.*;auth,authpriv.none	-/var/log/syslog
    #cron.*	                /var/log/cron.log
    daemon.*               -/var/log/daemon.log
    kern.*	              -/var/log/kern.log
    lpr.*                 -/var/log/lpr.log
    mail.*                -/var/log/mail.log
    user.*                -/var/log/user.log
    
    mail.info            -/var/log/mail.info
    mail.warn            -/var/log/mail.warn
    mail.err              /var/log/mail.err
    
    news.crit             /var/log/news/news.crit
    news.err              /var/log/news/news.err
    news.notice          -/var/log/news/news.notice
    
    daemon.*;mail.*;\
    	news.err;\
    	*.=debug;*.=info;\
    	*.=notice;*.=warn  |/dev/xconsole
    

  • The first colomn specifies the facility and priority level.
    The facility is one of the following keywords:
    auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, syslog, user, uucp, local0 -- local7.
    The priority is one of the following keywords, in ascending order:
    debug, info, notice, warning, err, error, crit, alert, emerg.
  • The second colomn specifies where the logs are directed. The two colomns are separated by < TAB >
  • Every time when /etc/rsyslog.d/50-default.conf (or /etc/syslog.conf) is modified, syslog daemon should re-read the configuration:
    killall -HUP rsyslogd 
    
    or
    killall -HUP syslogd 
    
    Alternatively
    service rsyslog reload
    



  • Take me to the Course Website