Syslog Configuration Examples

Introduction

One of the most common weaknesses of a typical enterprise Unix/Linux server installation is the use of the default syslog configuration file. It makes no sense to run the default syslog.conf in any environment: much of what it logs is junk. It should always be customized. That's rule number one for any system administrator who respects his time.

It is important to remember that a severity level given in a selector matches that level and all more severe levels (the ones with lower numeric values). For example, kern.warning causes warning-, err-, crit-, alert-, and emerg-level messages from the kern facility to be written to the specified log.

Wildcard notation can also be used in selectors. For example, *.err means messages of severity err (and more severe) from all facilities, except the mark facility.

Syslog configuration consists of routing messages from the various facilities, at various severity levels, to one or more of the following destinations:

Each syslog.conf line has the form selector <tab> action; the character between selector and action must be a tab, not one or more spaces (FreeBSD's syslogd also accepts spaces, as its sample file notes, but a file shared with other systems should use tabs). The action is the destination: a log file or device pathname, a remote loghost written as @hostname, a comma-separated list of user names, or * for every logged-in user. The selector consists of one or more semicolon-separated facility-severity pairs of the form facility.level[;facility.level]; several facilities that share one level can be written as a comma-separated list, as in auth,authpriv.none.
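The selector semantics just described, as an added example that is not part of the original page: a small Python model of classic BSD/sysklogd syslog.conf matching (the function names and the sample rules are constructed here, adapted from the examples that follow). It also shows why a none exclusion has to sit in the same selector as the rule it narrows: every line is an independent rule.

```python
# Severities from most to least severe; a level matches itself and everything
# more severe.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}

def separator_ok(line):
    """Classic syslogds want a TAB between selector and action; spaces there
    are the mistake the examples below keep warning about."""
    return "\t" in line

def parse_line(line):
    """Return (rules, action) for one rule line, or None for blank lines,
    comments and program/host blocks ('!prog', '+host', '-host')."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#!+-":
        return None
    if not separator_ok(line):
        raise ValueError("selector and action must be TAB-separated: %r" % line)
    selector, action = line.split("\t", 1)
    rules = []  # (facility, level) pairs in the order they were written
    for sel in selector.split(";"):
        sel = sel.strip()
        if not sel:
            continue
        if "." not in sel:
            raise ValueError("selector without a level: %r" % sel)
        facilities, level = sel.rsplit(".", 1)
        level = ALIASES.get(level, level)
        if level not in LEVELS and level not in ("none", "*"):
            raise ValueError("unknown severity %r in %r" % (level, sel))
        for facility in facilities.split(","):  # e.g. "auth,authpriv.none"
            rules.append((facility.strip(), level))
    return rules, action.strip()

def matches(rules, facility, severity):
    """Evaluate ONE line's selectors left to right: the last selector naming
    a facility wins ('*.err;user.none' drops user); '*' never covers mark."""
    severity = ALIASES.get(severity, severity)
    decision = False
    for fac, level in rules:
        if fac == "*":
            if facility == "mark":
                continue
        elif fac != facility:
            continue
        if level == "none":
            decision = False
        elif level == "*":
            decision = True
        else:
            decision = LEVELS.index(severity) <= LEVELS.index(level)
    return decision

def route(conf, facility, severity):
    """Actions (files, users, @hosts, '*') a message would be delivered to.
    Each line is an independent rule; a 'none' on one line undoes nothing."""
    actions = []
    for line in conf.splitlines():
        parsed = parse_line(line)
        if parsed and matches(parsed[0], facility, severity):
            actions.append(parsed[1])
    return actions

# Constructed sample, adapted from the DePaul rules below (TAB-separated).
SAMPLE_CONF = "\n".join([
    "*.err;kern.debug\t/dev/console",
    "*.notice\t/var/log/messages",
    "auth,authpriv.none\t/var/log/messages",  # own line: excludes nothing
    "auth,authpriv.debug\t/var/log/auth.log",
    "*.err;user.none\troot",
    "*.emerg;user.none\t*",
])
# The exclusion only works when it is part of the same selector.
MERGED_RULE = "*.notice;auth,authpriv.none\t/var/log/messages"
```

With SAMPLE_CONF an authpriv.notice message still lands in /var/log/messages (the world-readable file) as well as auth.log; with MERGED_RULE it does not.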

Some ideas for creating your own syslog.conf file, in 8 elaborate examples

Some ideas can be borrowed from the following examples.

Example 1: A pretty elaborate syslog configuration from the DePaul University Computer Security Team

#;
#; /etc/syslog.conf
#; Recommended syslog configuration.
#;
#; +----------------------------------------------------+
#; | Author:   DePaul University Computer Security Team |
#; |           WWW:  <http://security.depaul.edu/>      |
#; |           SMTP: <security@infosec.depaul.edu>      |
#; +----------------------------------------------------+
#;
#; Copyright (c) 2003. DePaul University. All Rights Reserved.
#;
#;
#; Platform: Tested on the following platforms:
#;              OpenBSD 3.1, 3.2, 3.3, 3.4, 3.5
#;              FreeBSD 4.4, 4.5, 4.6
#;              Solaris 2.6, 2.7
#;
#; Notes:    Syslog requires TAB delimitation between facility and
#;           destination. Log files MUST exist prior to the start of
#;           syslogd. This file will be reread by sending a SIGHUP to
#;           syslogd.
#;
#;           Recommended file permissions:
#;
#;              0640  	/var/log/messages
#;              0640 	/var/log/daemon.log
#;              0640 	/var/log/cron.log
#;              0600    /var/log/auth.log
#;              0600    /var/log/critical.log
#;
#;           If you do not audit your logs, the time spent putting this
#;           in place will be wasted. Audit logs regularly!!
#;
#; Revised:  $Id: syslog.conf,v 1.2 2004/04/29 20:49:31 epancer Exp $     
#;

#; Send general messages to the console.
*.err;kern.debug				/dev/console
auth.notice;authpriv.none			/dev/console

#; The "Readers Digest" version of critical system failures that
#; management staff, at least, should pay attention to.
*.err;*.crit;*.emerg				/var/log/critical.log

#; Next, we define where most daemons and applications
#; Do not log auth/authpriv messages here; rather log them to
#; a separate file for processing by security staff. The
#; auth,authpriv.none exclusion must be in the same selector as
#; *.notice: on a line of its own it is a separate rule and takes
#; nothing away from the *.notice line.
*.notice;auth,authpriv.none			/var/log/messages
auth,authpriv.debug				/var/log/auth.log

cron.info					/var/log/cron.log
news,kern,lpr,daemon,ftp,mail.info		/var/log/daemon.log

#; For more critical errors tell root. Keep user-land messages out of
#; the way.
*.err;user.none					root

#; In emergencies, wall the users. Note we restrict user-land messages
#; from being able to do this as it might annoy those logged in.
*.emerg;user.none				*

#; The definition of "loghost" should be placed in /etc/hosts to
#; prevent DNS spoofing. A sample entry of this follows.
#;
#; 10.197.213.1		loghost.depaul.edu	loghost
#;
#; Send all error, critical and emergency conditions, plus the auth
#; log, to the remote log server, EXCEPT for authpriv messages,
#; which could be intercepted on the network.
#;
#; Uncomment the following if you have a loghost defined and
#; wish to log to such a location. Note that messages sent over the
#; network MAY EXPOSE sensitive information or data. Beware.
#*.err;*.emerg;*.crit;auth.debug;authpriv.none	@loghost

#; 
# vim: ts=8 sw=8 nowrap
#; 

Example 2: What's a decent syslog.conf configuration? Greg Earle's recommendations

The configuration will be different for each site, but here is what
Greg Earle recommends as the lines for the "news.*" related part.
Remember that most syslogds require tabs, not spaces.

Greg's canonical SunOS 4.1.x INN-related syslog.conf entries (which can
be merged into your current configuration):

#
# INN stuff
#
##  Send critical messages to everyone who is logged in and to the console.
news.crit               *
news.crit               /dev/console

##  Log news messages to separate files.
##  Note that each level includes all of the above it.
## =()<news.crit        @<_PATH_MOST_LOGS>@/news.crit>()=
news.crit               /var/log/news/news.crit
## =()<news.err         @<_PATH_MOST_LOGS>@/news.err>()=
news.err                /var/log/news/news.err
## =()<news.notice      @<_PATH_MOST_LOGS>@/news.notice>()=
news.notice             /var/log/news/news.notice

If you don't want /var/log/messages to be crowded by messages from news,
add news.none to the selector on the line where /var/log/messages gets
logged, so that the line reads (as an example):

*.err;kern.debug;auth.notice;mail.crit,news.none       /dev/console

On some systems you can add a flag to some entries (on Linux sysklogd, a
leading - in front of the file name) to instruct syslogd not to sync after
each write. This can help raise throughput. Otherwise, move the logs off
busy file systems if that flag is not available.

Example 3: Configuration file from the FreeBSD Handbook, section 11.10.3.1 (syslog.conf)

syslog.conf is the configuration file for the syslogd(8) program. It indicates which types of syslog messages are logged to particular log files.

# $FreeBSD$
#
#       Spaces ARE valid field separators in this file. However,
#       other *nix-like systems still insist on using tabs as field
#       separators. If you are sharing this file between systems, you
#       may want to use only tabs as field separators here.
#       Consult the syslog.conf(5) manual page.
*.err;kern.debug;auth.notice;mail.crit          /dev/console
*.notice;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
security.*                                      /var/log/security
mail.info                                       /var/log/maillog
lpr.info                                        /var/log/lpd-errs
cron.*                                          /var/log/cron
*.err                                           root
*.notice;news.err                               root
*.alert                                         root
*.emerg                                         *
# uncomment this to log all writes to /dev/console to /var/log/console.log
# console.info                                   /var/log/console.log
# uncomment this to enable logging of all log messages to /var/log/all.log
#*.*                                            /var/log/all.log
# uncomment this to enable logging to a remote log host named loghost
#*.*                                            @loghost
# uncomment these if you're running inn
# news.crit                                     /var/log/news/news.crit
# news.err                                      /var/log/news/news.err
# news.notice                                   /var/log/news/news.notice
!startslip
*.*                                             /var/log/slip.log
!ppp
*.*                                             /var/log/ppp.log

Example 4: Example from Sun Microsystems

This is an example of the /etc/syslog.conf file.

NOTE: Do not use the space bar in /etc/syslog.conf; you must use tabs!

#ident  "@(#)syslog.conf        1.5     98/12/14 SMI"   /* SunOS 5.0 */
#
# Copyright (c) 1991-1998 by Sun Microsystems, Inc.
# All rights reserved.
#
# syslog configuration file.
#
# This file is processed by m4 so be careful to quote (`') names
# that match m4 reserved words.  Also, within ifdef's, arguments
# containing commas must be quoted.
#
*.err;kern.notice;auth.notice                   /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit        /var/adm/messages

### TCP Wrappers
local3.info                                    /var/adm/tcpdlog

*.alert;kern.err;daemon.err                     operator
*.alert                                         root

*.emerg                                         *

### Syslog server
*.info                                          @marge

# if a non-loghost machine chooses to have authentication messages
# sent to the loghost machine, un-comment out the following line:
#auth.notice                    ifdef(`LOGHOST', /var/log/authlog, @loghost)

mail.debug                      ifdef(`LOGHOST', /var/log/syslog, @loghost)

#
# non-loghost machines will use the following lines to cause "user"
# log messages to be logged locally.
#
ifdef(`LOGHOST', ,
user.err                                        /dev/sysmsg
user.err                                        /var/adm/messages
user.alert                                      `root, operator'
user.emerg                                      *
)

Example 5: Solaris Firewall, Example Installation & Configuration

3.5 configure logging
    vi /etc/syslog.conf (convert all spaces to tabs)
      syslog,auth,local7,local5.debug;daemon.notice;local6.info;user.none /dev/console
      *.alert;auth.debug;kern.err;daemon.err;user.none        operator
      kern.notice     /var/log/kern.messages
      daemon.debug    /var/log/daemon.messages
      user.debug      /var/log/user.messages
      cron.emerg      /var/log/cron.messages
      auth.info       /var/log/auth.messages
      news.debug      /var/log/news.messages
      mail.info       /var/log/mail.messages
      uucp.notice     /var/log/uucp.messages
      lpr.debug       /var/log/lpr.messages
      local0.info     /var/log/local0.messages
      local1.debug    /var/log/local1.messages
      local2.debug    /var/log/local2.messages
      local3.debug    /var/log/local3.messages
      local4.debug    /var/log/local4.messages
      local5.debug    /var/log/local5.messages
      local6.debug    /var/log/local6.messages
      local7.debug    /var/log/local7.messages
      *.debug         @loghost2
    create the logfiles under /var/log (touch)
    kill -1 <syslog pid>
    touch /var/adm/loginlog 
    chmod o-w /var/{log,adm}/* /var/log/sysidconfig.log

Example 7: Instructions for Configuring inetd.conf and syslog.conf for tcpd (tcp wrapper)

Modify the /etc/inetd.conf and /etc/syslog.conf files to activate the use of tcpd (tcp wrapper) and log its activity.

/etc/inetd.conf

For any TCP based connection, tcpd can be used to examine the incoming connection's address and decide whether to accept or reject it based on the hosts.allow and hosts.deny files. This only occurs if you configure inetd to actually use tcpd. On each TCP based entry in inetd.conf, you insert the wrapper as the daemon which inetd will invoke, and pass to the wrapper the name of the actual daemon and any options which you would pass to it. For example:

ftp stream tcp nowait root /etc/uva/tcp_wrapper/tcpd ftpd -u 022

This configures the wrapper to be invoked for an incoming ftp connection.

After you set up the inetd.conf file, you must signal inetd (kill -HUP pid, where pid is inetd's process id) to reread its configuration and activate the changes you made.

/etc/syslog.conf

ITC's tcpd includes logging through syslogd, using one of the local info message categories. You should add an entry to /etc/syslog.conf which looks like this:

local1.info /etc/uva/tcp_wrapper/log 

The second parameter is where you want the log written. You can use /var/log on Solaris, /etc/uva/tcp_wrapper on any AIX, Irix, or Solaris system with the ITC tcpd implementation, or wherever you prefer to keep the log.

After editing the syslog.conf file, you must signal syslogd (kill -HUP pid, where pid is syslogd's process id).

Example 9: 1998 SUMMARY configuring syslog

From: mark_conroy@em.fcnbd.com
Date: Mon Oct 19 1998 - 15:55:01 CDT


To the group,

I wish to thank all of the people who have responded and have helped out. I
really appreciate everyone's time.

The following is what I have discovered:

- about a dozen people responded with "make sure you use tabs and not
spaces". That one I did have correct.

My final /etc/syslog.conf configuration included:

cron.info userid,userid
cron.info /home/userid/cron.out

local0.debug userid,userid
local0.debug /home/userid/local0.out

Then kill syslogd with a HUP, to reread the conf file

I used the logger utility (this was provided by Michael Kriss) that
allowed me to test out these entries by issuing the following:

logger -p local0.debug "this is a test"
logger -p cron.info " this is a test"

I checked the above log files, and sure enough, these test entries were in
there.

I had originally used the "LOG_CRON" and "LOG_LOCAL0" entries, but it was
pointed out to me by Michael Hill that these are used by the users program to
send the messages to syslogd, where syslogd then takes it and checks the
facility and level, and then forwards it to the file or users console.

I am waiting for the user to test this with his program. The only other issue
that was brought to my attention was by Chris Marble, and that was cron won't
work, and that the man pages lied. I will have to address that when I come to
it, but thanks Chris, for the info.

Mark Conroy

______________________________ Reply Separator _________________________________
Subject: configuring syslog
Author: <mark_conroy@em.fcnbd.com> at INTERNET
Date: 10/15/1998 10:57 AM

To the group,

I tried to go to the archives regarding my problem, but I am receiving an error
on the server. So I thought I would post my question.

I am trying to configure syslog.conf for two items:

1) The user wants to have any messages(informational and up) to be logged to a
file under tmp. I tried to set up syslog.conf, but it did not work, and I don't
feel that, after reviewing the man pages, that it is correct. I added to
/etc/syslog.conf:

LOG_CRON userid,userid,/tmp/gaitir

2) the second item they wanted was to allow any user assigned to their group to
log to a file. Again I was thinking of the configuration:

LOG_LOCAL0 userid,userid,/tmp/allgaitir

Neither are working. I did kill syslogd with a HUP.

Any thoughts would be appreciated.

Thanks in advance.

Mark Conroy

Example 10: logging and monitoring


Copyright © 1996-2014 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Site uses AdSense so you need to be aware of Google privacy policy. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to make a contribution, supporting hosting of this site with different providers to distribute and speed up access. Currently there are two functional mirrors: softpanorama.info (the fastest) and softpanorama.net.

Disclaimer:

The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: June 28, 2014