Syslog and Log Files
This contains links to information used in the lectures.
Logging Policies
- Throw away all data immediately
- Reset log files at periodic intervals
- Rotate log files - keep data for fixed time
- Compress and archive files to backup media
- Throw away all data immediately or delete files periodically
Not recommended since accounting (logged) information useful in
detection of
- break-ins or other questionable activity
- hardware and software problems
Should keep for some time (2 months) since you may not realize
immediately that there is a problem. Allowing log files to grow
until bothersome then deleting not a good practice, since you lose
all history after deletion.
- Rotate log files - keep data for fixed time
This is most common practice.
- Store each day's log on separate file
- Rotate files keeping (usually a week) of files for example
logfile.1, logfile.2,..., logfile.7 etc.
- Each day logfile.7 will be lost
- Perhaps compress older files - using compress or other
utility.
- Example script for 3 day rotation:
#!/bin/sh
cd /var/log
mv logfile.2 logfile.3
mv logfile.1 logfile.2
mv logfile logfile.1
cat /dev/null > logfile
- May need to run rotation script from cron as log files'
owner
- Log files may also be date specific (logfile.thurs or
logfile.mar7) - harder to implement in scripts
- Caution: some daemons keep log files open. If the script above
is used the data will disappear instead of going to the new log file.
This is because deleting a file with open file descriptor does not
cause the contents to be deleted until the file descriptor is closed.
Such daemons must be signaled or killed and restarted.
- Example with compression and signal:
#!/bin/sh
cd /var/log
mv logfile.2.Z logfile.3.Z
mv logfile.1.Z logfile.2.Z
mv logfile logfile.1
cat /dev/null > logfile
kill -signal pid
compress logfile.1
- Logging for all machines on a net can be done centrally on a
NFS mounted partition (/var/log/ for example). Note that if the
machine with this disk is down or unreachable this may cause problems.
- Compress and archive files to backup media
- All accounting data and log files may be archived - usually for audit
purposes
- Should really rotate to disk first - faster access, less frequent
backups
- Can use normal backup or separate tapes. Note: may need to keep
for longer than backups.
Location of Log Files
Very inconsistent over vendors and daemons. Note this can be a problem,
if one you are unaware of grows indefinitely.
The log files may be specified:
- as command line options
- in configuration files
- configured at compile time
- hardcoded in programs
To locate log files read startup scripts to see if logging is on and,
possibly, what file is used. In some cases there is a dedicated file,
in other cases syslog is used - the location of logging is
usually given in /etc/syslog.conf.
Some general points:
- Many log files are in /var/adm
- Log files have mode 644, but some sites reduce to 600
- Never give write permission except to owner
- sulog, authlog, sudo.log should have mode 600
- mqueue/syslog and pacct could also be restricted
Do NOT manage
Do not manage /usr/adm/lastlog or /etc/utmp.
/usr/adm/lastlog records user's last login
and is on sparse file format which will grow
alarmingly if copied.
utmp attempts to keep a record of logged in users.
Vendor Specific Locations
HP-UX 9.XX
On HP-UX 9.XX log files are in
/usr/adm.
The files nettl.LOG00 and nettl.LOG01 are network control and statistics
files.
The diag
directory contains files in binary format, the
secure directory the secure password files, and
acct
the fiscal accounting files/directories.
SunOS
On SunOS most log files are in
/var/adm.
The
secure directory the secure password files, and
acct
the fiscal accounting files/directories.
HP-UX 10.XX
On HP-UX 10.XX most log files are in
/var/adm.
SYSLOG - the system event logger
Syslog used by many vendor to log information generated by kernel and
system utilities. Syslog is intended to
- liberate programmers from mechanics of writing log files
- allow administrators to control logging more efectively
Syslog allows:
- messges to sorted by source and severity level
- messages to be routed to log files, users' terminals, other machines.
The ability to centralize logging is one of its most useful functions.
Syslog consists of:
- syslogd and /etc/syslog.conf - the daemon that does
logging and its configuration file
- openlog, syslog, closelog - library routines that programmers
use to send data to syslog
- logger - a user-level command for submitting log entries
syslogd is in /etc on HP-UX, /usr/etc on
SunOS and in /usr/sbin on some systems. logger is
in /usr/bin on HP-UX and /usr/ucb on SunOS.
The syslog routines are part of the standard C library.
syslogd
syslogd is started at boot time and runs continuously.
Programs write log entries using the library routines to
the special file /dev/log. In HP-UX,
syslogd collects messages from the UNIX domain socket /dev/log.un, an
Internet domain socket specified in /etc/services, and from the named
pipe /dev/log. By default, local programs calling syslog() send log
messages to the UNIX domain socket (see syslog(3C)). If UNIX domain
sockets are not configured on the system, they write to the named pipe
instead. If INET domain sockets are not configured, syslogd does not
receive messages forwarded from other hosts, nor does it forward
messages.
The syslogd command reads and logs messages into a set of files
described by the configuration file /etc/syslog.conf.
syslogd creates the file syslog.pid containing
a single line with its process ID. This can be used to kill or
reconfigure syslogd. It is in /var/run/ on HP-UX 10.XX,
/etc on HP-UX 9.XX and SunOS.
To kill syslogd, send it a terminate signal:
kill `cat /var/run/syslog.pid`
To make syslogd, re-read its configuration file, send it a HANGUP
signal:
kill -HUP `cat /var/run/syslog.pid`
Do not try to compress or rotate log files that syslog has open.
Some vendors supply a skeletal rotation script - another rotz
is on the CD.
Configuring syslogd
/etc/syslog.conf is a text file.
Each message is one line. A message can contain a priority code,
marked by a number in angle braces at the beginning of the line.
Priorities are defined in the header file .
Lines in the configuration file consist of a selector
to determine the message priorities to which the line applies and an
action. The action field is separated from the selector by one or
more tabs.
selector<TAB>action
For example:
mail.info /var/log/maillog
Note that separators must be <TAB>s not blanks. Note also that cutting
and pasting using X converts <TAB>s to blanks thus introducing
invisible errors which may be difficult to detect.
Selectors are semicolon separated lists of priority specifiers. Each
priority has a facility indicating the subsystem that generated the
message, a dot, and a level indicating the severity of the message.
Symbolic names can be used. An asterisk selects all facilities. All
messages of the specified level or higher (greater severity) are
selected. More than one facility can be selected, using commas to
separate them. For example:
*.emerg;mail,daemon.crit
selects all facilities at the emerg level and the mail and daemon
facilities at the crit level.
The
additional facility mark has a message at priority LOG_INFO sent to it
every 20 minutes (this can be changed with the -m flag).
This can be useful when trying to determine when a machine has crashed
at night.
The mark
facility is not enabled by a facility field containing an asterisk.
The level none can be used to disable a particular facility.
For example,
*.debug;mail.none
selects all messages except mail messages.
In general, selectors are ORed together. However selectors with
a level of none excludes the listed facilties regardless of
other selectors.
The known facilities and levels recognized by syslogd are those listed
in syslog(3C)
converted to lowercase without the leading LOG_.
The second part of each line describes where the message is to be
logged if this line is selected. There are four forms:
- A file name (beginning with a leading slash). The file is
opened in append mode. If the file does not exist, it is
created.
- A host name preceded by an @ character. Selected messages are
forwarded to the syslogd on the named host. The hostname
must be resolvable to an IP address using DNS or NIS.
- A comma-separated list of users. Selected messages are
written to those users' terminals if they are logged in.
- An asterisk. Selected messages are written to the terminals
of all logged-in users.
Blank lines and lines beginning with a # character are ignored.
For example, the configuration file:
kern,mark.debug /dev/console
mail.debug /var/adm/syslog/mail.log
*.info;mail.none /var/adm/syslog/syslog.log
*.alert /dev/console
*.alert root,eric,kridle
*.emerg *
*.emerg @admin
logs all kernel messages and 20 minute marks onto the system console,
all mail system messages to /var/adm/syslog/mail.log, and all messages
at info and above, except mail messages, to the file
/var/adm/syslog/syslog.log. Messages at alert and above are logged to
the console and to the users root, eric, and kridle if they are logged
in. emerg messages are written to all logged-in users' terminals, and
forwarded to the host admin.
Only a superuser can invoke syslogd.
Designing a Logging Scheme
- At small site log locally
- On large net log centrally
Hopefully makes logs unavailable to hackers. Can still be spoofed.
- Choose a stable machine for logging server.
Physically secure. Few logins. Use generic syslog.conf elsewhere.
- Log to system administrators screens, possibly using pseudo-login
with restricted shell.
Software that uses Syslog
See Table 12.5 in book.
Debugging syslog
Using syslog in programs
See book for examples.
Paul A. Farrell
Thu Mar 7 15:10:34 EST 1996