Kenneth: Created page with "==Syslog== Linux system logging. ===Settings=== [facility].[priority];[...] [log file] /etc/syslog.conf: *.info;mail.none;authpriv.none;cron.none -/var/log/messages The "-" indicates that the message should not be buffered. ===Facilities=== The facility is one of the following keywords: :auth, authpriv, cron, daemon, ftp, kern, lpr, mail, mark, news, security (same as auth), syslog, user, uucp, and local0 through local7. ===Priorities=== The pr..."

2025-01-01T22:46:41Z

Created page with "==Syslog== Linux system logging. ===Settings=== [facility].[priority];[...] [log file] /etc/syslog.conf: *.info;mail.none;authpriv.none;cron.none -/var/log/messages The "-" indicates that the message should not be buffered. ===Facilities=== The facility is one of the following keywords: :auth, authpriv, cron, daemon, ftp, kern, lpr, mail, mark, news, security (same as auth), syslog, user, uucp, and local0 through local7. ===Priorities=== The pr..."

New page

==Syslog==
Linux system logging.

===Settings===
[facility].[priority];[...] [log file]

/etc/syslog.conf:
*.info;mail.none;authpriv.none;cron.none -/var/log/messages

The "-" indicates that the message should not be buffered.

===Facilities===
The facility is one of the following keywords:
:auth, authpriv, cron, daemon, ftp, kern, lpr, mail, mark, news, security (same as auth), syslog, user, uucp, and local0 through local7.

===Priorities===
The priority is one of the following keywords, in ascending order:
:debug, info, notice, warning, warn (same as warning), err, error (same as err), crit, alert, emerg, panic (same as emerg).

===Force a log message===
Log a message:
logger <message>

===MARK===
The default interval between "-- MARK --" is 20 minutes.

To change /etc/sysconfig/syslog:
# -m 0 disables 'MARK' messages.
SYSLOGD_OPTIONS="-m 60"

-m interval
The syslogd logs a mark timestamp regularly. The default inter-
val between two -- MARK -- lines is 20 minutes. This can be
changed with this option. Setting the interval to zero turns it
off entirely.

NOTE: "syslogd doesn't bother to write a mark if something else causes it to write a log entry during the interval you specified" [http://aplawrence.com/Blog/B935.html]

=== Remote logging ===

On the receiving server /etc/sysconfig/syslog:
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
SYSLOGD_OPTIONS="-r -m 20"

Open firewall:
# /etc/services
syslog 514/udp

-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT

On client /etc/syslog.conf:
# partial remote logging:
*.info;mail.none;authpriv.none;cron.none -/var/log/messages
*.info;mail.none;authpriv.none;cron.none @10.161.101.70

# full remote logging:
*.* @10.10.10.3

Remote Syslog:
*http://www.snort.org/docs/faq/1Q05/node50.html
*http://www.chinalinuxpub.com/doc/www.siliconvalleyccie.com/linux-hn/logging.htm
*http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch05_:_Troubleshooting_Linux_with_syslog
*http://linux.die.net/man/5/syslog.conf
*http://librenix.com/?inode=2831

---

Send a remote syslog: [http://linux.byexamples.com/archives/412/syslog-sending-log-from-remote-servers-to-syslog-daemon/]
nc -w0 -u [SERVER] 514 <<< "logging from remote"

To assign your message a PRI, you need to specified PRI’s value in numeric. User.Info’s PRI value is: (1 << 3 ) + 6 = 8 + 6 = 14. ( refers back the numerical code of facility and severity )
nc -w0 -u 192.168.1.1 514 <<< "<14>User Info msg from remote"

If your rsyslogd are listening to TCP port, just ignore -w0 and -u:
nc 192.168.1.1 514 <<< "<14>User Info msg from remote through TCP."

== keywords ==

[[Category:Linux]]

Syslog - Revision history