Softpanorama
(slightly skeptical) Open Source Software Educational Society

May the source be with you, but remember the KISS principle ;-)



Syslog Configuration Examples

A selector names a severity threshold: messages at that severity and at every more severe level match it. For example, lpr.warning selects warning-, err-, crit-, alert-, and emerg-level messages from the lpr facility; it does not select notice, info or debug messages.

A wildcard is allowed in the facility position. For example, *.err selects messages of severity err and above from every facility (except the mark facility, which the wildcard never matches).

syslog configuration consists of routing messages from various facilities (at various severity levels) to one or more destinations: a file or device named by pathname, the terminals of one or more logged-in users (or of everybody, with *), or a remote host written as @hostname.

The notation for a syslog.conf line is selector <tab> action (the character between selector and action must be a tab and must not be one or more spaces). Action is a pathname, a comma-separated list of user names, or @hostname. Selector consists of one or more semicolon-separated facility-severity pairs of the form facility.level[;facility.level], where facility can itself be a comma-separated list of facilities that share one level (kern,daemon.err). Here are examples of complete entries.

  1. All mail-facility messages at severity debug and above (that is, every mail message) are written to the file /var/log/mail.debug.log.

    mail.debug       /var/log/mail.debug.log
    
  2. Messages at severity crit and above from all facilities are written to the terminals of the users root and adm, if they are logged in.

    *.crit           root,adm
    
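The selector rules above, as an added worked example (not code from this page or from any syslogd): a small Python evaluator that parses tab-separated syslog.conf lines and reports which actions receive a message of a given facility.level. The configuration it runs against is constructed here. It implements the classic rules only: level-and-above matching, * for every facility except mark, comma-separated facility lists, .none exclusions, and rejection of space-separated lines; the FreeBSD-only = and ! level modifiers and !program sections are not modeled.

```python
# Evaluate classic syslog.conf selectors (BSD / Solaris style).
# Added example for this page; it is not code from any syslogd.  It models the
# selector rules described above and runs against a constructed configuration.

PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# syslog numbers priorities 0 (emerg) .. 7 (debug): "this level and above" means
# a numeric priority less than or equal to the configured one.
PRI = {name: n for n, name in enumerate(PRIORITIES)}
PRI.update({"panic": 0, "error": 3, "warn": 4})      # legacy spellings most syslogds accept

FACILITIES = {"kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "security", "mark"} | {f"local{i}" for i in range(8)}


def parse_rule(line):
    """Parse one syslog.conf line into (mask, action), or None for blanks/comments.

    mask maps facility -> most verbose level number selected for it; a facility
    given ".none" maps to None.  Later selectors on the same line override earlier
    ones for the same facility, which is how "*.err;kern.notice" works.
    """
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    if "\t" not in line:
        raise ValueError(f"selector and action must be separated by a tab: {line!r}")
    selectors, action = line.split("\t", 1)
    mask = {}
    for selector in filter(None, (s.strip() for s in selectors.split(";"))):
        fac_list, dot, level = selector.rpartition(".")
        if not dot or not fac_list or not level:
            raise ValueError(f"bad selector {selector!r}")
        if level == "*":                    # "*" as a level means everything, i.e. debug
            level = "debug"
        if level != "none" and level not in PRI:
            raise ValueError(f"unknown level {level!r} in {selector!r}")
        for fac in (f.strip() for f in fac_list.split(",")):
            targets = FACILITIES - {"mark"} if fac == "*" else {fac}   # "*" never includes mark
            if not targets <= FACILITIES:
                raise ValueError(f"unknown facility {fac!r} in {selector!r}")
            for f in targets:
                mask[f] = None if level == "none" else PRI[level]
    return mask, action.strip()


def route(conf_text, facility, level):
    """Return, in file order, the actions that receive a message of facility.level."""
    actions = []
    for line in conf_text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        mask, action = parsed
        limit = mask.get(facility)          # None: facility not selected, or .none
        if limit is not None and PRI[level] <= limit:
            actions.append(action)
    return actions


def rejects(line):
    """True if parse_rule refuses the line (bad separator, facility or level)."""
    try:
        parse_rule(line)
    except ValueError:
        return True
    return False


# Constructed sample configuration (tab-separated, as syslogd requires).
SAMPLE_CONF = (
    "# constructed sample\n"
    "*.err;kern.notice;auth.notice\t/dev/console\n"
    "*.notice;auth,authpriv.none\t/var/log/messages\n"
    "auth,authpriv.debug\t/var/log/auth.log\n"
    "mail.debug\t/var/log/mail.log\n"
    "*.crit\troot,adm\n"
    "*.emerg\t*\n"
)

# Common mistake: ".none" on its own line.  It only narrows the selector it
# belongs to, so this pair still sends auth.notice to /var/log/messages.
SEPARATE_NONE_CONF = (
    "*.notice\t/var/log/messages\n"
    "auth,authpriv.none\t/var/log/messages\n"
)

if __name__ == "__main__":
    for fac, lvl in (("lpr", "warning"), ("auth", "notice"), ("mail", "emerg"), ("mark", "info")):
        print(f"{fac}.{lvl:<8} -> {route(SAMPLE_CONF, fac, lvl)}")
    print("auth.notice with .none on a separate line ->", route(SEPARATE_NONE_CONF, "auth", "notice"))
    print("space-separated line rejected:", rejects("*.err /dev/console"))
```

The SEPARATE_NONE_CONF case is worth running: each line is matched on its own, so a .none placed on its own line excludes nothing; the exclusion has to be part of the same selector as the rule it narrows.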

syslog is configured in the /etc/syslog.conf file. A typical syslog.conf file (the Solaris default) follows, with a comment on each entry. First, several comment lines appear.

#ident "@(#)syslog.conf 1.4 96/10/11 SMI" /* SunOS 5.0 */
#
# Copyright (c) 1991-1993, by Sun Microsystems, Inc.
#
# syslog configuration file.
#
# This file is processed by m4 so be careful to quote (`') names
# that match m4 reserved words. Also, within ifdef's, arguments
# containing commas must be quoted.
#


The next line sends messages of severity err and above from all facilities (*), and messages of severity notice and above from the kern and auth facilities, to the device /dev/console.

*.err;kern.notice;auth.notice    /dev/console

The next line sends err-and-above messages from all facilities, debug-and-above (that is, all) messages from the kern facility, notice-and-above from daemon, and crit-and-above from mail to the file /var/adm/messages.

*.err;kern.debug;daemon.notice;mail.crit    /var/adm/messages

The next line sends alert-and-above messages from all facilities and err-and-above messages from the kern and daemon facilities to the terminal of the user operator, if logged in.

*.alert;kern.err;daemon.err  operator


The next line directs severity alert messages from all facilities to the user root.

*.alert  root

The next line directs severity emerg messages from all facilities to all logged-in users.

*.emerg  *
# if a non-loghost machine chooses to have authentication messages
# sent to the loghost machine, un-comment out the following line:
#auth.notice  ifdef(`LOGHOST', /var/log/authlog, @loghost)


The next line sends all mail-facility messages (debug and above) to the file /var/log/syslog if the local system is the loghost, and otherwise forwards them to the host named loghost, resolved through /etc/hosts, DNS, or NIS. Solaris syslogd runs syslog.conf through m4 and defines the macro LOGHOST when the host's own name resolves as loghost, so ifdef(`LOGHOST', A, B) expands to A on the loghost and to B everywhere else. An /etc/hosts entry that makes a machine the loghost looks like this:

#/etc/hosts
127.0.0.1 localhost
149.46.23.16 1pserver loghost

mail.debug  ifdef(`LOGHOST', /var/log/syslog, @loghost)
#

The next set of lines applies only when the local system is not the loghost: the ifdef expands to nothing on the loghost itself and to its third argument everywhere else (as the comment says, non-loghost machines use these lines). On a non-loghost machine they send user-facility messages at err and above to the console and to the file /var/adm/messages, alert and above to the users root and operator, and emerg to everyone logged in.

# non-loghost machines will use the following lines to cause "user"
# log messages to be logged locally.
#
ifdef(`LOGHOST', ,
user.err    /dev/console
user.err    /var/adm/messages
user.alert  `root, operator'
user.emerg  *
)
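The conditional above, as an added worked example (not Solaris code and not from this page): a Python expander for the one m4 macro these files use, ifdef(`NAME', yes, no), with m4's default ` and ' quotes. It assumes, as the Solaris file's own header states, that syslogd feeds syslog.conf through m4 and that LOGHOST is defined only on the loghost; the configuration it expands is constructed here in the shape of the block above. Running it with LOGHOST defined and undefined shows which lines survive in each case.

```python
# Expand the m4 ifdef(`NAME', yes, no) macro the way the m4 pass over a
# Solaris syslog.conf does.  Added example for this page, not Solaris code:
# Solaris syslogd feeds syslog.conf through m4 and defines LOGHOST when the
# host's own name resolves as "loghost".  This models only that one macro,
# with m4's default quotes ` and ' (a quoted `root, operator' stays one
# argument and loses its quotes in the output, as in m4).


def _split_args(text, pos):
    """Split macro arguments starting at pos (just after the opening "(").

    Honours `...' quoting and nested parentheses and, like m4, strips leading
    whitespace from each argument.  Returns (args, index after ")").
    """
    args, cur, qdepth, pdepth = [], [], 0, 0
    i = pos
    while i < len(text):
        c = text[i]
        if c == "`":                      # outermost quote is dropped, nested ones kept
            if qdepth:
                cur.append(c)
            qdepth += 1
        elif c == "'" and qdepth:
            qdepth -= 1
            if qdepth:
                cur.append(c)
        elif qdepth:                      # inside quotes: commas and parens are literal
            cur.append(c)
        elif c == "(":
            pdepth += 1
            cur.append(c)
        elif c == ")" and pdepth:
            pdepth -= 1
            cur.append(c)
        elif c == ")":
            args.append("".join(cur).lstrip())
            return args, i + 1
        elif c == ",":
            args.append("".join(cur).lstrip())
            cur = []
        else:
            cur.append(c)
        i += 1
    raise ValueError("unterminated ifdef(")


def expand_ifdef(text, defined):
    """Replace every ifdef(`NAME', yes, no) in text by yes if NAME is in
    defined, otherwise by no (a missing branch expands to nothing)."""
    out, i = [], 0
    while True:
        j = text.find("ifdef(", i)
        if j < 0:
            out.append(text[i:])
            return "".join(out)
        out.append(text[i:j])
        args, i = _split_args(text, j + len("ifdef("))
        name = args[0]
        yes = args[1] if len(args) > 1 else ""
        no = args[2] if len(args) > 2 else ""
        out.append(yes if name in defined else no)


# Constructed sample in the shape of the Solaris file above.
SOLARIS_CONF = (
    "*.err;kern.debug;daemon.notice;mail.crit\t/var/adm/messages\n"
    "mail.debug\tifdef(`LOGHOST', /var/log/syslog, @loghost)\n"
    "ifdef(`LOGHOST', ,\n"
    "user.err\t/var/adm/messages\n"
    "user.alert\t`root, operator'\n"
    "user.emerg\t*\n"
    ")\n"
)

if __name__ == "__main__":
    print("--- on the loghost (LOGHOST defined) ---")
    print(expand_ifdef(SOLARIS_CONF, {"LOGHOST"}))
    print("--- on any other host ---")
    print(expand_ifdef(SOLARIS_CONF, set()))
```

On the loghost the mail line becomes a local file and the whole user.* block vanishes; everywhere else mail goes to @loghost and the user.* lines appear, which is the behaviour the comments in the Solaris file describe.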

A pretty elaborate syslog configuration (DePaul University Computer Security Team)

#;
#; /etc/syslog.conf
#; Recommended syslog configuration.
#;
#; +----------------------------------------------------+
#; | Author:   DePaul University Computer Security Team |
#; |           WWW:  <http://security.depaul.edu/>      |
#; |           SMTP: <security@infosec.depaul.edu>      |
#; +----------------------------------------------------+
#;
#; Copyright (c) 2003. DePaul University. All Rights Reserved.
#;
#;
#; Platform: Tested on the following platforms:
#;              OpenBSD 3.1, 3.2, 3.3, 3.4, 3.5
#;              FreeBSD 4.4, 4.5, 4.6
#;              Solaris 2.6, 2.7
#;
#; Notes:    Syslog requires TAB delimitation between facility and
#;           destination. Log files MUST exist prior to the start of
#;           syslogd. This file will be reread by sending a SIGHUP to
#;           syslogd.
#;
#;           Recommended file permissions:
#;
#;              0640  	/var/log/messages
#;              0640 	/var/log/daemon.log
#;              0640 	/var/log/cron.log
#;              0600    /var/log/auth.log
#;              0600    /var/log/critical.log
#;
#;           If you do not audit your logs, the time spent putting this
#;           in place will be wasted. Audit logs regularly!!
#;
#; Revised:  $Id: syslog.conf,v 1.2 2004/04/29 20:49:31 epancer Exp $     
#;

#; Send general messages to the console.
*.err;kern.debug				/dev/console
auth.notice;authpriv.none			/dev/console

#; The "Readers Digest" version of critical system failures that
#; management staff, at least, should pay attention to.
*.err;*.crit;*.emerg				/var/log/critical.log

#; Next, we define where most daemons and applications log.
#; Do not log auth/authpriv messages here; rather log them to
#; a separate file for processing by security staff. Note that
#; ".none" only excludes a facility from the selector it is part
#; of, so it must sit on the same line as the "*.notice" it narrows;
#; on a line of its own it matches nothing and excludes nothing.
*.notice;auth,authpriv.none			/var/log/messages
auth,authpriv.debug				/var/log/auth.log

cron.info					/var/log/cron.log
news,kern,lpr,daemon,ftp,mail.info		/var/log/daemon.log

#; For more critical errors tell root. Keep user-land messages out of
#; the way.
*.err;user.none					root

#; In emergencies, wall the users. Note we restrict user-land messages
#; from being able to do this as it might annoy those logged in.
*.emerg;user.none				*

#; The definition of "loghost" should be placed in /etc/hosts to
#; prevent DNS spoofing. A sample entry of this follows.
#;
#; 10.197.213.1		loghost.depaul.edu	loghost
#;
#; Send errors, critical warnings and emergency conditions, plus
#; auth messages, to the remote log server EXCEPT for authpriv
#; messages that can be intercepted from the network.
#;
#; Uncomment the following if you have a loghost defined and
#; wish to log to such a location. Note that messages sent over the
#; network MAY EXPOSE sensitive information or data. Beware.
#*.err;auth.debug;authpriv.none			@loghost

#; 
# vim: ts=8 sw=8 nowrap
#; 

(7.17) What's a decent syslog.conf configuration

The configuration will be different for each site, but here is what
Greg Earle recommends as the lines for the "news.*" related part.
Remember that most syslogds require tabs, not spaces.

Greg's canonical SunOS 4.1.x INN-related syslog.conf entries (which can
be merged into your current configuration):

#
# INN stuff
#
##  Send critical messages to everyone who is logged in and to the console.
news.crit               *
news.crit               /dev/console

##  Log news messages to separate files.
##  Note that each level includes all of the above it.
## =()<news.crit        @<_PATH_MOST_LOGS>@/news.crit>()=
news.crit               /var/log/news/news.crit
## =()<news.err         @<_PATH_MOST_LOGS>@/news.err>()=
news.err                /var/log/news/news.err
## =()<news.notice      @<_PATH_MOST_LOGS>@/news.notice>()=
news.notice             /var/log/news/news.notice

If you don't want /var/log/messages to be crowded by messages from news,
add news.none to the selector of the line that logs to /var/log/messages.
It is a separate selector, so it is joined with a semicolon, not a comma
(a comma lists facilities that share one level, and "mail.crit,news.none"
is not a valid selector). Applied to a console line, as an example:

*.err;kern.debug;auth.notice;mail.crit;news.none       /dev/console

On some systems you can add a flag to an entry to instruct syslogd not to
sync the file after each write (a leading "-" on the file name in Linux
sysklogd). This can raise throughput, at the price of losing the last
messages written before a crash. Otherwise move the logs off busy file
systems if that flag is not available.

Configuration Files: syslog.conf (FreeBSD Handbook, 11.10.3.1)

syslog.conf is the configuration file for the syslogd(8) program. It indicates which types of syslog messages are logged to particular log files.

# $FreeBSD$
#
#       Spaces ARE valid field separators in this file. However,
#       other *nix-like systems still insist on using tabs as field
#       separators. If you are sharing this file between systems, you
#       may want to use only tabs as field separators here.
#       Consult the syslog.conf(5) manual page.
*.err;kern.debug;auth.notice;mail.crit          /dev/console
*.notice;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
security.*                                      /var/log/security
mail.info                                       /var/log/maillog
lpr.info                                        /var/log/lpd-errs
cron.*                                          /var/log/cron
*.err                                           root
*.notice;news.err                               root
*.alert                                         root
*.emerg                                         *
# uncomment this to log all writes to /dev/console to /var/log/console.log
# console.info                                   /var/log/console.log
# uncomment this to enable logging of all log messages to /var/log/all.log
#*.*                                            /var/log/all.log
# uncomment this to enable logging to a remote log host named loghost
#*.*                                            @loghost
# uncomment these if you're running inn
# news.crit                                     /var/log/news/news.crit
# news.err                                      /var/log/news/news.err
# news.notice                                   /var/log/news/news.notice
!startslip
*.*                                             /var/log/slip.log
!ppp
*.*                                             /var/log/ppp.log

Example: Solaris /etc/syslog.conf with TCP Wrappers logging and a remote syslog server

NOTE: Do not use the space bar to separate the fields of /etc/syslog.conf, you must use tabs!

#ident  "@(#)syslog.conf        1.5     98/12/14 SMI"   /* SunOS 5.0 */
#
# Copyright (c) 1991-1998 by Sun Microsystems, Inc.
# All rights reserved.
#
# syslog configuration file.
#
# This file is processed by m4 so be careful to quote (`') names
# that match m4 reserved words.  Also, within ifdef's, arguments
# containing commas must be quoted.
#
*.err;kern.notice;auth.notice                   /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit        /var/adm/messages

### TCP Wrappers
local3.info                                    /var/adm/tcpdlog

*.alert;kern.err;daemon.err                     operator
*.alert                                         root

*.emerg                                         *

### Syslog server
*.info                                          @marge

# if a non-loghost machine chooses to have authentication messages
# sent to the loghost machine, un-comment out the following line:
#auth.notice                    ifdef(`LOGHOST', /var/log/authlog, @loghost)

mail.debug                      ifdef(`LOGHOST', /var/log/syslog, @loghost)

#
# non-loghost machines will use the following lines to cause "user"
# log messages to be logged locally.
#
ifdef(`LOGHOST', ,
user.err                                        /dev/sysmsg
user.err                                        /var/adm/messages
user.alert                                      `root, operator'
user.emerg                                      *
)

Solaris Firewall, Example Installation & Configuration

3.5 configure logging
    vi /etc/syslog.conf (convert all spaces to tabs)
      syslog,auth,local7,local5.debug;daemon.notice;local6.info;user.none /dev/console
      *.alert;auth.debug;kern.err;daemon.err;user.none        operator
      kern.notice     /var/log/kern.messages
      daemon.debug    /var/log/daemon.messages
      user.debug      /var/log/user.messages
      cron.emerg      /var/log/cron.messages
      auth.info       /var/log/auth.messages
      news.debug      /var/log/news.messages
      mail.info       /var/log/mail.messages
      uucp.notice     /var/log/uucp.messages
      lpr.debug       /var/log/lpr.messages
      local0.info     /var/log/local0.messages
      local1.debug    /var/log/local1.messages
      local2.debug    /var/log/local2.messages
      local3.debug    /var/log/local3.messages
      local4.debug    /var/log/local4.messages
      local5.debug    /var/log/local5.messages
      local6.debug    /var/log/local6.messages
      local7.debug    /var/log/local7.messages
      *.debug         @loghost2
    create the logfiles under /var/log (touch); syslogd does not create them
    kill -1 <syslog pid>
    touch /var/adm/loginlog
    chown root:sys /var/adm/loginlog; chmod 600 /var/adm/loginlog
      (login records failed login attempts only if loginlog has exactly this owner, group and mode)
    chmod o-w /var/{log,adm}/* /var/log/sysidconfig.log
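The steps above (edit syslog.conf, create the log files, HUP syslogd, fix permissions) as an added worked example, not part of the firewall guide or of any syslogd: a Python audit that checks a syslog.conf and the log tree it points at before syslogd is signalled. It flags lines not separated by a tab, file destinations that do not exist (classic BSD and Solaris syslogd do not create them), log files that others can read or write, and @host destinations, since classic syslog forwarding is clear-text UDP. The configuration and the log files it audits are constructed in a temporary directory; their names and modes are made up for the demonstration.

```python
# Audit a classic syslog.conf before sending syslogd a SIGHUP.
# Added example for this page, not part of any syslogd or of the firewall
# guide above.  It checks what the notes on this page call out: selector and
# action separated by a tab, every file destination already existing (BSD and
# Solaris syslogd do not create missing log files), log files not readable or
# writable by others, and flags @host destinations because classic syslog
# forwarding is clear-text UDP.  Device nodes under /dev are left alone.

import os
import stat
import tempfile


def audit_syslog_conf(conf_text, root="/"):
    """Return (line number, finding) pairs for conf_text; file destinations are
    looked up under root so a copy of the tree can be audited offline."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if "\t" not in line:
            findings.append((lineno, "selector and action are not separated by a tab"))
            continue
        action = line.split("\t", 1)[1].strip()
        if action.startswith("@"):
            findings.append((lineno, f"{action}: messages go over the network in clear text"))
        elif action.startswith("/dev/"):
            continue                                  # device node, nothing to create
        elif action.startswith("/"):
            path = os.path.join(root, action.lstrip("/"))
            if not os.path.exists(path):
                findings.append((lineno, f"{action} does not exist; syslogd will not create it"))
            else:
                mode = os.stat(path).st_mode
                if stat.S_ISREG(mode) and mode & 0o007:
                    findings.append((lineno, f"{action} is accessible to others (mode {oct(mode & 0o777)})"))
        # anything else is a user list or "*": nothing to check on disk
    return findings


def demo():
    """Build a throw-away root with constructed log files and audit a
    constructed configuration against it."""
    root = tempfile.mkdtemp()
    logdir = os.path.join(root, "var", "log")
    os.makedirs(logdir)
    for name, mode in (("messages", 0o640), ("auth.log", 0o600), ("daemon.log", 0o644)):
        path = os.path.join(logdir, name)
        open(path, "w").close()
        os.chmod(path, mode)
    conf = (
        "*.err;kern.debug\t/dev/console\n"
        "*.notice;auth,authpriv.none\t/var/log/messages\n"
        "auth,authpriv.debug\t/var/log/auth.log\n"
        "daemon.info\t/var/log/daemon.log\n"      # world-readable
        "cron.info\t/var/log/cron.log\n"          # never created
        "*.emerg *\n"                             # spaces instead of a tab
        "*.err\t@loghost\n"                       # clear-text forwarding
    )
    return audit_syslog_conf(conf, root)


if __name__ == "__main__":
    for lineno, finding in demo():
        print(f"line {lineno}: {finding}")
```

Run against a real system, pass root="/" and the contents of /etc/syslog.conf; on FreeBSD, where spaces are legal separators, the tab finding is only a portability warning.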


Instructions for Configuring inetd.conf and syslog.conf for tcpd

Modify the /etc/inetd.conf and /etc/syslog.conf files to activate the use of tcpd (tcp wrapper) and log its activity.

/etc/inetd.conf

For any TCP based connection, tcpd can be used to examine the incoming connection's address and decide whether to accept or reject it based on the hosts.allow and hosts.deny files. This only occurs if you configure inetd to actually use tcpd. On each TCP based entry in inetd.conf, you insert the wrapper as the daemon which inetd will invoke, and pass to the wrapper the name of the actual daemon and any options which you would pass to it. For example:

ftp stream tcp nowait root /etc/uva/tcp_wrapper/tcpd ftpd -u 022

This configures the wrapper to be invoked for an incoming ftp connection.

After you set up the inetd.conf file, you must signal inetd (kill -HUP pid, where pid is inetd's process id) to reread its configuration and activate the changes you made.

/etc/syslog.conf

ITC's tcpd logs through syslogd, using one of the local facilities at level info. Add an entry to /etc/syslog.conf which looks like this (the two fields separated by a tab, and the log file created before syslogd is signalled, since syslogd will not create it):

local1.info	/etc/uva/tcp_wrapper/log

The second field is where you want the log written. You can use /var/log on Solaris, /etc/uva/tcp_wrapper on any AIX, Irix, or Solaris system with the ITC tcpd implementation, or wherever you prefer to keep the log. Keep the file readable by root only; a record of every connection attempt is exactly what an intruder wants to read or scrub.

After editing the syslog.conf file, you must signal syslogd (kill -HUP pid, where pid is syslogd's process id) so that it rereads the file.

1998 SUMMARY configuring syslog

From: mark_conroy@em.fcnbd.com
Date: Mon Oct 19 1998 - 15:55:01 CDT


To the group,

I wish to thank all of the people who have responded and have helped out. I
really appreciate everyone's time.

The following is what I have discovered:

        - about a dozen people responded with "make sure you use tabs and not
spaces". That one I did have correct.

        My final /etc/syslog.conf configuration included:

        cron.info               userid,userid
        cron.info               /home/userid/cron.out

        local0.debug            userid,userid
        local0.debug            /home/userid/local0.out

        Then kill syslogd with a HUP, to reread the conf file.

        I used the logger utility (this was provided by Michael Kriss) that
allowed me to test out these entries by issuing the following:

        logger -p local0.debug "this is a test"
        logger -p cron.info " this is a test"

I checked the above log files, and sure enough, these test entries were in
there.

        I had originally used the "LOG_CRON" and "LOG_LOCAL0" entries, but it was
pointed out to me by Michael Hill that these are used by the user's program to
send the messages to syslogd, where syslogd then takes it and checks the
facility and level, and then forwards it to the file or users' console.

I am waiting for the user to test this with his program. The only other issue
that was brought to my attention was by Chris Marble, and that was cron won't
work, and that the man pages lied. I will have to address that when I come to
it, but thanks Chris, for the info.

Mark Conroy

______________________________ Reply Separator _________________________________
Subject: configuring syslog
Author: <mark_conroy@em.fcnbd.com> at INTERNET
Date: 10/15/1998 10:57 AM

To the group,

I tried to go to the archives regarding my problem, but I am receiving an error
on the server. So I thought I would post my question.

I am trying to configure syslog.conf for two items:

1) The user wants to have any messages (informational and up) to be logged to a
file under tmp. I tried to set up syslog.conf, but it did not work, and I don't
feel, after reviewing the man pages, that it is correct. I added to
/etc/syslog.conf:

LOG_CRON userid,userid,/tmp/gaitir

2) The second item they wanted was to allow any user assigned to their group to
log to a file. Again I was thinking of the configuration:

LOG_LOCAL0 userid,userid,/tmp/allgaitir

Neither are working. I did kill syslogd with a HUP.

Any thoughts would be appreciated.

Thanks in advance.

Mark Conroy

logging and monitoring

  • configuration file: /etc/syslog.conf (not syslogd.conf).
  • goal: identify log messages that
    1. get stored
    2. get printed to people's sessions.
    3. spawn an external process of some kind, e.g., page an operator (classic syslogd cannot run a program itself; a watcher over the log file, or a pipe destination on the syslogds that offer one, has to do that).

#ident        "@(#)syslog.conf        1.5     98/12/14 SMI"   /* SunOS 5.0 */
#
# Copyright (c) 1991-1998 by Sun Microsystems, Inc.
# All rights reserved.
#
# syslog configuration file.
#
# This file is processed by m4 so be careful to quote (`') names
# that match m4 reserved words.  Also, within ifdef's, arguments
# containing commas must be quoted.
#
*.err;kern.debug;daemon.notice;mail.crit      /var/adm/messages

*.alert;kern.err;daemon.err                   operator
*.alert                                       root

*.emerg                                       *

# if a non-loghost machine chooses to have authentication messages
# sent to the loghost machine, un-comment out the following line:
#auth.notice                  ifdef(`LOGHOST', /var/log/authlog, @loghost)

mail.debug                    ifdef(`LOGHOST', /var/log/syslog, @loghost)

#
# non-loghost machines will use the following lines to cause "user"
# log messages to be logged locally.
#
ifdef(`LOGHOST', ,
user.err                                      /dev/sysmsg
user.err                                      /var/adm/messages
user.alert                                    `root, operator'
user.emerg                                    *
)
user.info             /var/opt/SUNWut/log/messages
local1.info           /var/opt/SUNWut/log/admin_log

  • /var/adm/messages (/var/log/messages): main system log.
  • /var/opt/SUNWut/log/messages: user-facility messages (the user.info line above) are stored here.

Copyright © 1996-2008 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. Submit comments This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License(OPL). Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Standard disclaimer: The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: February 28, 2008