Understanding Logs in Linux
Whatever else you do to secure a Linux system, it must have comprehensive, accurate and carefully watched logs. Logs serve several purposes. First, they help us troubleshoot virtually every kind of system and application problem. Second, they provide valuable early warning signs of system abuse. Third, when all else fails (whether that means a system crash or a system compromise), logs provide us with crucial forensic data. Syslog accepts log data from the kernel by way of klogd (the kernel log daemon) and from any and all local processes. It is flexible as well, allowing you to determine what gets logged and where. A preconfigured syslog installation is part of the base operating system in virtually all variants of UNIX and Linux.
The syslog daemon receives a log message from the kernel or from a local process and acts on it based on the message's facility (type) and priority. The mapping from selectors to syslog actions is listed in
/etc/syslog.conf
Each line in this file specifies one or more facility/priority selectors followed by an action. A selector consists of a facility or facilities and a single priority.
For example, consider the following lines from that file:
mail.notice /var/log/mail
or
*.* /var/log/new
The first line means that the facility is mail and the priority is notice; messages of the mail facility at priority notice (and, because priorities are hierarchical, at any more urgent priority) are appended to the /var/log/mail file.
In the second line:
the * before the dot stands for the facilities (any facility),
the * after the dot stands for the priorities (any priority),
and the path on the right is the file into which the matching messages will be written.
Types of facilities:
Facilities are simply categories. Facilities supported in Linux include:
auth: used for many security events
authpriv: used for access-control-related messages
daemon: used for system processes and other daemons
kern: used for kernel messages
mark: timestamp messages generated by syslogd itself
user: the default facility when none is specified by an application or in a selector
local7: boot messages
*: wildcard standing for any and all facilities
Types of priorities:
Unlike facilities, which have no relationship to each other, priorities are hierarchical. Possible priorities in Linux, in increasing order of urgency, are:
debug
info
notice
warning
err
crit
alert
emerg
In practice, most log messages are written to files. If you list the full path of a file as a line's action in syslog.conf, messages that match that line's selector will be appended to that file. If the file doesn't exist, syslog will create it.
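To make the selector rules and the priority hierarchy concrete, here is a small matcher that applies syslog.conf selectors to a message's facility and priority. It is an added example written for this page, not code from the original post or from any syslog implementation. The sample configuration, the function names (parse_conf, selector_matches, actions_for) and the test messages are all constructed; the `none` and `=prio` selector forms it handles are standard syslog.conf syntax that the post itself does not cover.

```python
# Added example (not code from the original post): a matcher that applies
# syslog.conf selector rules the way the post describes them, including the
# rule that a plain priority means "this level and everything more urgent".
# The sample configuration and the messages below are constructed.

# Priorities in increasing order of urgency, as listed in the post.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]


def rank(priority):
    """Position of a priority in the urgency order (debug=0 ... emerg=7)."""
    return PRIORITIES.index(priority)


# Constructed sample /etc/syslog.conf.  'none' and '=prio' are standard
# syslog.conf forms the post does not cover: 'none' excludes a facility,
# '=prio' matches exactly one level instead of that level and above.
SAMPLE_CONF = """\
# constructed sample syslog.conf
mail.notice                     /var/log/mail
kern.*                          /var/log/iptables.log
*.*                             /var/log/new
*.info;auth,authpriv.none       /var/log/messages
daemon.=err                     /var/log/daemon-errors
"""


def parse_conf(text):
    """Return (selector, action) pairs; blank lines and comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)  # selector, whitespace, action
        rules.append((selector, action.strip()))
    return rules


def selector_matches(selector, facility, priority):
    """Decide whether one selector (e.g. 'mail.notice' or
    '*.info;auth,authpriv.none') applies to a message with the given
    facility and priority.  Semicolon-separated parts are applied in
    order, so a later 'none' can remove what an earlier part selected."""
    matched = False
    for part in selector.split(";"):
        facilities, _, prio = part.rpartition(".")
        names = facilities.split(",")
        if "*" not in names and facility not in names:
            continue  # this part says nothing about our facility
        if prio == "*":
            matched = True
        elif prio == "none":
            matched = False
        elif prio.startswith("="):
            matched = priority == prio[1:]
        else:
            # The hierarchical rule: the named level and everything more urgent.
            matched = rank(priority) >= rank(prio)
    return matched


def actions_for(rules, facility, priority):
    """All actions (here: log file paths) a message would be written to."""
    return [action for selector, action in rules
            if selector_matches(selector, facility, priority)]


if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    for fac, prio in [("mail", "notice"), ("mail", "info"), ("kern", "debug"),
                      ("auth", "crit"), ("daemon", "err"), ("daemon", "crit")]:
        print(f"{fac}.{prio:<7} -> {actions_for(rules, fac, prio)}")
```

Running it shows the point the post makes: a mail message at priority notice lands in /var/log/mail, the same message at priority info does not, and everything still reaches /var/log/new because `*.*` matches any facility at any priority.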
For example:
Open the configuration file using vim:
# vim /etc/syslog.conf
At the top of the file add:
kern.* /var/log/iptables.log
Save the file and exit.
Restart the syslog service:
# /etc/init.d/syslogd restart
Add an iptables LOG rule and watch the log file:
# iptables -A INPUT -j LOG --log-level 4
# tailf /var/log/iptables.log
Log level 4 is the kernel's warning priority, which the kern.* selector above captures along with every other kernel message.
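Because the selector is `kern.*`, the file receives every kernel message, not only the iptables LOG output, so anything that reads it has to pick the LOG entries out of the rest. The following reader does that over a few constructed lines in the format the netfilter LOG target writes (key=value pairs after the `kernel:` tag) and summarises which source addresses hit which destination ports, the "early warning" use of logs the post mentions. It is an added example, not code from the original post; the host name, addresses, log lines, function names (parse_iptables_line, summarize, noisy_sources) and the min_ports threshold are all constructed for illustration.

```python
import re
from collections import defaultdict

# Added example (not code from the original post): reading the kernel
# messages that 'kern.* /var/log/iptables.log' collects and pulling the
# iptables LOG entries out of them.  Host name, addresses (RFC 5737
# documentation ranges) and the log lines themselves are constructed.
SAMPLE_LOG = """\
Mar  3 10:15:01 web01 kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:01 web01 kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4712 DF PROTO=TCP SPT=41235 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:02 web01 kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4713 DF PROTO=TCP SPT=41236 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:02 web01 kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4714 DF PROTO=TCP SPT=41237 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:03 web01 kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4715 DF PROTO=TCP SPT=41238 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:40 web01 kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=9001 DF PROTO=TCP SPT=50210 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:16:30 web01 kernel: usb 1-1: new high-speed USB device number 3 using xhci_hcd
Mar  3 10:17:12 web01 kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=9002 DF PROTO=TCP SPT=50211 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:18:05 web01 kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=64 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=UDP SPT=51000 DPT=53 LEN=44
Mar  3 10:18:09 web01 kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.55 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
"""

# One KEY=value field; bare flags such as DF or SYN carry no '=' and are ignored.
FIELD = re.compile(r"(\w+)=(\S*)")


def parse_iptables_line(line):
    """Return the key=value fields of one netfilter LOG line as a dict, or
    None for kernel messages that are not LOG output (kern.* sends every
    kernel message to the file, not only these)."""
    _, sep, body = line.partition("kernel: ")
    if not sep or "SRC=" not in body or "DST=" not in body:
        return None
    fields = dict(FIELD.findall(body))
    for key in ("SPT", "DPT", "LEN", "TTL"):
        if key in fields:
            fields[key] = int(fields[key])
    return fields


def summarize(text):
    """Per source address: number of logged packets and the set of
    destination ports it touched (ICMP entries have no port)."""
    hits = defaultdict(lambda: {"packets": 0, "ports": set()})
    for line in text.splitlines():
        rec = parse_iptables_line(line)
        if rec is None:
            continue
        entry = hits[rec["SRC"]]
        entry["packets"] += 1
        if "DPT" in rec:
            entry["ports"].add(rec["DPT"])
    return dict(hits)


def noisy_sources(text, min_ports=4):
    """Sources that touched at least min_ports distinct destination ports.
    The threshold is a constructed triage value, not a standard."""
    return sorted(src for src, entry in summarize(text).items()
                  if len(entry["ports"]) >= min_ports)


if __name__ == "__main__":
    for src, entry in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:<14} packets={entry['packets']:<3} ports={sorted(entry['ports'])}")
    print("sources touching many ports:", noisy_sources(SAMPLE_LOG))
```

On a real host the same functions would be fed the file the post's rule creates (for example by iterating over `open("/var/log/iptables.log")` instead of `SAMPLE_LOG`); the `None` return path is what keeps unrelated kernel messages, such as the USB line above, out of the summary.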