Syslog
Linux system logging.
Settings
[facility].[priority];[...] [log file]
/etc/syslog.conf:
*.info;mail.none;authpriv.none;cron.none -/var/log/messages
The "-" indicates that the message should not be buffered.
Facilities
The facility is one of the following keywords:
- auth, authpriv, cron, daemon, ftp, kern, lpr, mail, mark, news, security (same as auth), syslog, user, uucp, and local0 through local7.
Priorities
The priority is one of the following keywords, in ascending order:
- debug, info, notice, warning, warn (same as warning), err, error (same as err), crit, alert, emerg, panic (same as emerg).
Force a log message
Log a message:
logger <message>
MARK
The default interval between "-- MARK --" is 20 minutes.
To change it, edit /etc/sysconfig/syslog:
# -m 0 disables 'MARK' messages.
SYSLOGD_OPTIONS="-m 60"
-m interval: The syslogd logs a mark timestamp regularly. The default interval between two -- MARK -- lines is 20 minutes. This can be changed with this option. Setting the interval to zero turns it off entirely.
NOTE: "syslogd doesn't bother to write a mark if something else causes it to write a log entry during the interval you specified" [1]
Remote logging
On the receiving server /etc/sysconfig/syslog:
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
SYSLOGD_OPTIONS="-r -m 20"
Open firewall:
# /etc/services
syslog 514/udp
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
On client /etc/syslog.conf:
# partial remote logging:
*.info;mail.none;authpriv.none;cron.none -/var/log/messages
*.info;mail.none;authpriv.none;cron.none @10.161.101.70
# full remote logging:
*.* @10.10.10.3
Remote Syslog:
- http://www.snort.org/docs/faq/1Q05/node50.html
- http://www.chinalinuxpub.com/doc/www.siliconvalleyccie.com/linux-hn/logging.htm
- http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch05_:_Troubleshooting_Linux_with_syslog
- http://linux.die.net/man/5/syslog.conf
- http://librenix.com/?inode=2831
---
Send a remote syslog message: [2]
nc -w0 -u [SERVER] 514 <<< "logging from remote"
To assign your message a PRI, you need to specify the PRI value numerically. The PRI of user.info is (1 << 3) + 6 = 8 + 6 = 14 (refer back to the numerical codes of facility and severity).
nc -w0 -u 192.168.1.1 514 <<< "<14>User Info msg from remote"
If your rsyslogd is listening on a TCP port, just drop -w0 and -u:
nc 192.168.1.1 514 <<< "<14>User Info msg from remote through TCP."
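As an added example (not part of the original page), the PRI arithmetic above in both directions: building the `<PRI>` prefix from the facility and severity keywords, and splitting a received line back into facility, severity and text, so a collector can check what a message claims to be instead of trusting its text. The numeric facility and severity codes are assumed from RFC 3164; "mark" has no standard code and is left out.

```python
# Added example (not from the original page): encode and decode the syslog
# PRI header, PRI = facility * 8 + severity, as in the "<14>" (user.info)
# message above. Numeric codes follow RFC 3164; "mark" is syslogd-internal
# and has no standard code, so it is omitted here.
import re

FACILITY_CODES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{n}": 16 + n for n in range(8)},
}
SEVERITY_CODES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
# Reverse tables for decoding, built before the aliases are added.
FACILITY_NAMES = {v: k for k, v in FACILITY_CODES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITY_CODES.items()}
# Aliases listed on this page.
FACILITY_CODES["security"] = FACILITY_CODES["auth"]
SEVERITY_CODES.update({"warn": 4, "error": 3, "panic": 0})

def pri(facility: str, severity: str) -> int:
    """user.info -> (1 << 3) + 6 = 14."""
    return (FACILITY_CODES[facility.lower()] << 3) | SEVERITY_CODES[severity.lower()]

def encode(facility: str, severity: str, text: str) -> str:
    """Build the datagram body sent with nc above, e.g. '<14>msg'."""
    return f"<{pri(facility, severity)}>{text}"

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

def decode(raw: str) -> dict:
    """Split a received line into facility, severity and text.
    RFC 3164 says a line with no valid PRI (like "logging from remote"
    above) is treated as PRI 13, user.notice; the raw text is kept."""
    m = _PRI_RE.match(raw)
    code = int(m.group(1)) if m else -1
    if m and 0 <= code <= 191:
        text = m.group(2)
    else:
        code, text = 13, raw
    return {
        "pri": code,
        "facility": FACILITY_NAMES.get(code >> 3, f"unknown({code >> 3})"),
        "severity": SEVERITY_NAMES[code & 7],
        "text": text,
    }
```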