Syslog

Linux system logging with the classic sysklogd syslogd and its /etc/syslog.conf (rsyslog accepts the same selector syntax).

Settings

[facility].[priority];[...]   [log file]

/etc/syslog.conf:

*.info;mail.none;authpriv.none;cron.none                -/var/log/messages

The leading "-" tells syslogd not to sync (fsync) the file after every write. Writes are buffered, which is faster but can lose the last few messages if the machine crashes; leave the "-" off for files where that matters, such as authentication logs.

Facilities

The facility is one of the following keywords:

auth, authpriv, cron, daemon, ftp, kern, lpr, mail, mark (internal; used for the -- MARK -- timestamps described below), news, security (same as auth), syslog, user, uucp, and local0 through local7.

Priorities

The priority is one of the following keywords, in ascending order of severity:

debug, info, notice, warning, warn (same as warning), err, error (same as err), crit, alert, emerg, panic (same as emerg).

A selector such as *.info matches that priority and every more severe one, so *.info logs everything except debug; the priority keyword none excludes a facility entirely.

Force a log message

Log a message by hand (logger defaults to user.notice; -p facility.priority overrides that):

logger <message>

MARK

The default interval between "-- MARK --" is 20 minutes.

To change it, edit /etc/sysconfig/syslog:

# -m 0 disables 'MARK' messages.
SYSLOGD_OPTIONS="-m 60"

From syslogd(8):

-m interval
   The syslogd logs a mark timestamp regularly. The default interval between two -- MARK -- lines is 20 minutes. This can be changed with this option. Setting the interval to zero turns it off entirely.

NOTE: "syslogd doesn't bother to write a mark if something else causes it to write a log entry during the interval you specified" [1]

Remote logging

On the receiving server /etc/sysconfig/syslog:

# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
SYSLOGD_OPTIONS="-r -m 20"

Open the firewall for syslog (UDP port 514):

# /etc/services
syslog		514/udp
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT

Plain UDP syslog is neither authenticated nor encrypted, and the source address is trivially spoofed. Restrict the rule to the clients that should log here (add -s <client-ip>) instead of accepting port 514 from anywhere, or an attacker who can reach the port can fill the logs with forged entries.

On client /etc/syslog.conf:

# partial remote logging:
*.info;mail.none;authpriv.none;cron.none                -/var/log/messages
*.info;mail.none;authpriv.none;cron.none                @10.161.101.70
# full remote logging:
*.*		@10.10.10.3

Remote syslog by hand

Send a message to a remote syslog server without going through syslogd: [2]

nc -w0 -u [SERVER] 514 <<< "logging from remote"

To give the message a PRI, prefix it with the numeric value in angle brackets: PRI = facility * 8 + severity, using the numeric codes of the facility and severity. For user.info that is (1 << 3) + 6 = 8 + 6 = 14 (user is facility 1, info is severity 6). Without a PRI the receiver files the message under the default facility and priority.

nc -w0 -u 192.168.1.1 514 <<< "<14>User Info msg from remote"

If your rsyslogd is listening on a TCP port, drop -w0 and -u:

nc 192.168.1.1 514 <<< "<14>User Info msg from remote through TCP."
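The following Python is an added worked example, not code from the original page: it encodes and decodes the PRI value computed above, evaluates a syslog.conf selector such as the "*.info;mail.none;authpriv.none;cron.none" line from the Settings section, and builds the same datagram the nc commands send. The facility and severity codes are the RFC 3164 values that sysklogd and rsyslog use; the server address 192.168.1.1 is taken from the page and is only an assumption for the commented-out send.

```python
import socket

# Facility and severity codes as defined in RFC 3164; sysklogd and rsyslog
# use the same numbering, so '<14>' on the wire means user.info everywhere.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
}
FACILITIES.update({f"local{i}": 16 + i for i in range(8)})
FACILITIES["security"] = FACILITIES["auth"]  # alias listed on the page

# Severities: 0 is the most severe. The page lists them in the opposite
# (ascending-importance) order, which is why debug has the highest code.
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
SEVERITIES.update(panic=0, error=3, warn=4)  # aliases listed on the page
ALIASES = {"security", "panic", "error", "warn"}


def pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity, e.g. user.info -> (1 << 3) + 6 = 14."""
    return (FACILITIES[facility] << 3) | SEVERITIES[severity]


def decode_pri(value: int) -> tuple[str, str]:
    """Invert pri(), returning canonical names: 14 -> ('user', 'info')."""
    fac_by_code = {v: k for k, v in FACILITIES.items() if k not in ALIASES}
    sev_by_code = {v: k for k, v in SEVERITIES.items() if k not in ALIASES}
    return fac_by_code[value >> 3], sev_by_code[value & 7]


def selector_matches(selector: str, facility: str, severity: str) -> bool:
    """Evaluate a syslog.conf selector such as '*.info;mail.none;authpriv.none;cron.none'.

    Each 'facility.priority' part matches that priority and everything more
    severe; '.none' drops a facility; '*' stands for all facilities or all
    priorities. Parts are applied left to right, later ones overriding
    earlier ones for the facilities they name. The '=' and '!' modifiers of
    sysklogd are not handled here.
    """
    fac_code, sev_code = FACILITIES[facility], SEVERITIES[severity]
    selected = False
    for part in selector.split(";"):
        facs, prio = part.rsplit(".", 1)
        if facs != "*" and fac_code not in {FACILITIES[f] for f in facs.split(",")}:
            continue  # this part says nothing about our facility
        if prio == "none":
            selected = False
        elif prio == "*":
            selected = True
        else:
            selected = sev_code <= SEVERITIES[prio]  # lower code = more severe
    return selected


def datagram(facility: str, severity: str, message: str) -> bytes:
    """The exact bytes that 'nc -w0 -u SERVER 514 <<< "<14>msg"' puts on the wire."""
    return f"<{pri(facility, severity)}>{message}".encode()


def send_udp(payload: bytes, server: str, port: int = 514) -> None:
    """Fire-and-forget send, equivalent to the nc invocation on the page.

    Nothing authenticates the sender: any host that can reach UDP/514 can
    inject a message with any PRI it likes, which is why the receiver's
    firewall rule should be limited to known client addresses.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(payload, (server, port))


if __name__ == "__main__":
    # Which of a few constructed messages the page's /var/log/messages rule would keep.
    rule = "*.info;mail.none;authpriv.none;cron.none"
    for fac, sev in [("user", "info"), ("user", "debug"), ("mail", "crit"), ("kern", "emerg")]:
        print(f"{fac}.{sev:<6} PRI={pri(fac, sev):3}  kept by '{rule}': {selector_matches(rule, fac, sev)}")
    print(datagram("user", "info", "User Info msg from remote"))
    # send_udp(datagram("user", "info", "hello"), "192.168.1.1")  # server address assumed, as on the page
```

Running the script shows that user.info is kept by the page's rule while user.debug (too low a priority) and mail.crit (excluded by mail.none) are not, and that the datagram for user.info starts with the same "<14>" the nc example uses. Uncomment the send_udp line to exercise a real receiver.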
