Tags: Linux, logging, syslog.conf explained. Source: 抵岸科技
NAME
syslog.conf - syslogd(8) configuration file
DESCRIPTION
The syslog.conf file is the main configuration file for syslogd(8), which logs system messages on *nix systems. This file specifies rules for logging. For special features see the sysklogd(8) manpage.
Every rule consists of two fields, a selector field and an action field. These two fields are separated by one or more spaces or tabs. The selector field specifies a pattern of facilities and priorities belonging to the specified action.
Lines starting with a hash mark (‘‘#’’) and empty lines are ignored.
This release of syslogd is able to understand an extended syntax. One rule can be divided into several lines if the leading line is terminated with a backslash (‘‘\’’).
SELECTORS
The selector field itself again consists of two parts, a facility and a priority, separated by a period (‘‘.’’). Both parts are case insensitive and can also be specified as decimal numbers, but don’t do that, you have been warned. Both facilities and priorities are described in syslog(3). The names mentioned below correspond to the similar LOG_-values in /usr/include/syslog.h.
The facility is one of the following keywords: auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, security (same as auth), syslog, user, uucp and local0 through local7. The keyword security should not be used anymore and mark is only for internal use and therefore should not be used in applications. Anyway, you may want to specify and redirect these messages here. The facility specifies the subsystem that produced the message, i.e. all mail programs log with the mail facility (LOG_MAIL) if they log using syslog.
The priority is one of the following keywords, in ascending order: debug, info, notice, warning, warn (same as warning), err, error (same as err), crit, alert, emerg, panic (same as emerg). The keywords error, warn and panic are deprecated and should not be used anymore. The priority defines the severity of the message.
The behavior of the original BSD syslogd is that all messages of the specified priority and higher are logged according to the given action. This syslogd(8) behaves the same, but has some extensions.
In addition to the above mentioned names the syslogd(8) understands the following extensions: An asterisk (‘‘*’’) stands for all facilities or all priorities, depending on where it is used (before or after the period). The keyword none stands for no priority of the given facility.
You can specify multiple facilities with the same priority pattern in one statement using the comma (‘‘,’’) operator. You may specify as many facilities as you want. Remember that only the facility part from such a statement is taken; a priority part would be skipped.
Multiple selectors may be specified for a single action using the semicolon (‘‘;’’) separator. Remember that each selector in the selector field is capable of overwriting the preceding ones. Using this behavior you can exclude some priorities from the pattern.
This syslogd(8) has a syntax extension to the original BSD source that makes its use more intuitive. You may precede every priority with an equals sign (‘‘=’’) to specify only this single priority and not any of the above. You may also (both is valid, too) precede the priority with an exclamation mark (‘‘!’’) to ignore all those priorities, either exactly this one or this and any higher priority. If you use both extensions then the exclamation mark must occur before the equals sign; just use it intuitively.
ACTIONS
The action field of a rule describes the abstract term ‘‘logfile’’. A ‘‘logfile’’ need not be a real file, btw. The syslogd(8) provides the following actions.
Regular File
Typically messages are logged to real files. The file has to be specified with its full pathname, beginning with a slash (‘‘/’’).
You may prefix each entry with the minus (‘‘-’’) sign to omit syncing the file after every logging. Note that you might lose information if the system crashes right behind a write attempt. Nevertheless this might give you back some performance, especially if you run programs that use logging in a very verbose manner.
Named Pipes
This version of syslogd(8) has support for logging output to named pipes (fifos). A fifo or named pipe can be used as a destination for log messages by prepending a pipe symbol (‘‘|’’) to the name of the file. This is handy for debugging. Note that the fifo must be created with the mkfifo(1) command before syslogd(8) is started.
Terminal and Console
If the file you specified is a tty, special tty-handling is done, same with /dev/console.
Remote Machine
This syslogd(8) provides full remote logging, i.e. is able to send messages to a remote host running syslogd(8) and to receive messages from remote hosts. The remote host won’t forward the message again, it will just log them locally. To forward messages to another host, prepend the hostname with the at sign (‘‘@’’).
Using this feature you’re able to control all syslog messages on one host, if all other machines will log remotely to that. This reduces the administration needed.
List of Users
Usually critical messages are also directed to ‘‘root’’ on that machine. You can specify a list of users that shall get the message by simply writing the login. You may specify more than one user by separating them with commas (‘‘,’’). If they’re logged in they get the message. Don’t think a mail would be sent; that might be too late.
Everyone logged on
Emergency messages often go to all users currently online to notify them that something strange is happening with the system. To specify this wall(1)-feature use an asterisk (‘‘*’’).
EXAMPLES
Here are some examples, partially taken from a real existing site and configuration. Hopefully they rub out all questions about the configuration; if not, drop me (Joey) a line.
# Store critical stuff in critical
#
*.=crit;kern.none /var/adm/critical
This will store all messages with the priority crit in the file /var/adm/critical, except for any kernel message.
# Kernel messages are first, stored in the kernel
# file, critical messages and higher ones also go
# to another host and to the console
#
kern.* /var/adm/kernel
kern.crit @finlandia
kern.crit /dev/console
kern.info;kern.!err /var/adm/kernel-info
The first rule directs any message that has the kernel facility to the file /var/adm/kernel.
The second statement directs all kernel messages of the priority crit and higher to the remote host finlandia. This is useful, because if the host crashes and the disks get irreparable errors you might not be able to read the stored messages. If they’re on a remote host, too, you still can try to find out the reason for the crash.
The third rule directs these messages to the actual console, so the person who works on the machine will get them, too.
The fourth line tells the syslogd to save all kernel messages that come with priorities from info up to warning in the file /var/adm/kernel-info. Everything from err and higher is excluded.
# The tcp wrapper logs with mail.info, we display
# all the connections on tty12
#
mail.=info /dev/tty12
This directs all messages that use mail.info (in source LOG_MAIL | LOG_INFO) to /dev/tty12, the 12th console. For example the tcpwrapper tcpd(8) uses this as its default.
# Store all mail concerning stuff in a file
#
mail.*;mail.!=info /var/adm/mail
This pattern matches all messages that come with the mail facility, except for the info priority. These will be stored in the file /var/adm/mail.
# Log all mail.info and news.info messages to info
#
mail,news.=info /var/adm/info
This will extract all messages that come either with mail.info or with news.info and store them in the file /var/adm/info.
# Log info and notice messages to messages file
#
*.=info;*.=notice;\
        mail.none /var/log/messages
This lets the syslogd log all messages that come with either the info or the notice priority into the file /var/log/messages, except for all messages that use the mail facility.
# Log info messages to messages file
#
*.=info;\
        mail,news.none /var/log/messages
This statement causes the syslogd to log all messages that come with the info priority to the file /var/log/messages. But any message coming either with the mail or the news facility will not be stored.
# Emergency messages will be displayed using wall
#
*.=emerg *
This rule tells the syslogd to write all emergency messages to all currently logged in users. This is the wall action.
# Messages of the priority alert will be directed
# to the operator
#
*.alert root,joey
This rule directs all messages with a priority of alert or higher to the terminals of the operator, i.e. of the users ‘‘root’’ and ‘‘joey’’ if they’re logged in.
*.* @finlandia
This rule would redirect all messages to a remote host called finlandia. This is useful especially in a cluster of machines where all syslog messages will be stored on only one machine.
CONFIGURATION FILE SYNTAX DIFFERENCES
Syslogd uses a slightly different syntax for its configuration file than the original BSD sources. Originally all messages of a specific priority and above were forwarded to the log file. The modifiers ‘‘=’’, ‘‘!’’ and ‘‘-’’ were added to make the syslogd more flexible and to use it in a more intuitive manner.
The original BSD syslogd doesn’t understand spaces as separators between the selector and the action field.
FILES
/etc/syslog.conf
Configuration file for syslogd
BUGS
The effects of multiple selectors are sometimes not intuitive. For example ‘‘mail.crit,*.err’’ will select ‘‘mail’’ facility messages at the level of ‘‘err’’ or higher, not at the level of ‘‘crit’’ or higher.
SEE ALSO
sysklogd(8), klogd(8), logger(1), syslog(2), syslog(3)
AUTHORS
The syslogd is taken from BSD sources, Greg Wettstein ([email protected]) performed the port to Linux, Martin Schulze ([email protected]) made some bugfixes and added some new features.
# Send messages of level info or higher from every facility to /var/log/messages,
# except those from the mail and authpriv facilities.
# Here * is a wildcard matching any facility; none means log no level of that facility.
*.info;mail.none;authpriv.none /var/log/messages
# Record every level from the authpriv facility in /var/log/secure; these are
# mainly authentication- and privilege-related messages.
authpriv.* /var/log/secure
# Record every level from the mail facility in /var/log/maillog; these are
# mainly e-mail related messages.
mail.* /var/log/maillog
# Record every level from the cron facility in /var/log/cron; these concern
# the tasks the system runs on a schedule.
cron.* /var/log/cron
# Send emerg-level messages from any facility to every user logged on to the system.
*.emerg *
# Record crit-level (and higher) messages from the uucp and news facilities in /var/log/spooler.
uucp,news.crit /var/log/spooler
# Record messages related to system boot in /var/log/boot.log.
local7.* /var/log/boot.log
Log files are organized according to the rules in the /etc/syslog.conf configuration file. The content of /etc/syslog.conf is shown below:
[root@localhost ~]# cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
The basic syntax of a syslog.conf line is:
[message type] [action]
Note: the separator between them must be a Tab character!
The message type is made up of a message source and an urgency level, joined by a period. For example, in the listing above, news.crit means a critical condition from news: news is the message source and crit stands for the critical level. The wildcard * stands for every message source.
Explanation:
The first rule, *.info, sends all messages at level info and above (notice, warning, err, crit, alert and emerg) to the corresponding log file.
Log levels (ranked by importance). There are eight; from most to least important they are:
emerg (emergency), alert, crit (critical), err (error), warning, notice, info, debug
Message sources, briefly:
auth     the authentication system, e.g. login or su, i.e. anything that asks for a user name and password
cron     messages emitted when the system runs scheduled tasks
daemon   syslog output of certain system daemons, e.g. logs produced by in.ftpd
kern     kernel messages
lpr      printer messages
mail     messages from the mail-handling daemons
mark     the timestamp program that emits messages at regular intervals
news     messages from the news (Usenet) daemons
user     messages from local user applications
uucp     messages from the uucp subsystem
local0~local7  reserved
*        stands for every possible message source
Actions
The action option determines what is done with a log message: it can be stored on disk, forwarded to another machine or displayed on the administrator's terminal.
Actions at a glance:
filename       write to a file; note that the path must be absolute.
@hostname      forward to the syslogd program on another host.
@IP-address    the same, but the host is identified by its IP address.
/dev/console   display on the local machine's screen.
*              send to the terminals of all users.
| program      forward to a program through a pipe.
For example:
kern.emerg /dev/console (as soon as a kernel emergency occurs, display the message on the console)
Note:
If you want to change syslogd's log files, you must first kill the syslogd process and start it again after the changes are made. Attackers who get into a system usually modify the system logs right away, so as the administrator you should dedicate one machine to handling log messages and have all other machines forward their logs to it automatically. A log entry is then moved off the host as soon as it is produced, so the attacker's actions are recorded correctly.
Logging to a remote host.
That remote host is the syslog server this article configures.
2. Practical steps for configuring a syslog server
Example: 10.0.0.1 is the syslog server, 10.0.0.2 is the client.
Steps: 1. Server configuration
vi /etc/sysconfig/syslog
SYSLOGD_OPTIONS="-r -m 0"  ## -r means accept remote log messages (-m 0 turns off the periodic mark messages)
Restart the syslog service: /etc/rc.d/init.d/syslog restart
2. Client configuration
vi /etc/syslog.conf
Add @10.0.0.1 as the destination of the messages.
For example: *.info;mail.none;authpriv.none;cron.none @10.0.0.1
Save, exit and restart the service:
/etc/rc.d/init.d/syslog restart
(Tip: look at the tail of a log directly with tail /var/log/messages or tail /var/log/boot; you will see the syslog restart there.)
Note: the log service uses port 514/udp; the syslog server must have this port open.
The syslog server cannot filter by source address, so keeping external hosts from writing junk into the log server has to be solved in the network topology: restrict access to port 514 from outside at the gateway.
If there are many servers the logs will grow large, so plan for log analysis.
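The selector semantics from the SELECTORS and BUGS sections, and the client forwarding rule from step 2 above, can be checked with the following evaluator before a rule is deployed. This is an added example, not code from the sysklogd project; it assumes, as sysklogd's parser does, that a plain selector adds priorities for its facilities, ‘‘!’’ removes them and ‘‘none’’ clears the facility, and it reads the rule strings used on this page.

```python
# Added example, not sysklogd's own code: evaluates a syslog.conf selector field
# as the SELECTORS, EXAMPLES and BUGS sections describe it. Assumed, following
# sysklogd: a plain selector adds priorities, '!' removes them, 'none' clears them.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "mark",
              "news", "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]
ALIASES = {"security": "auth", "warn": "warning", "error": "err", "panic": "emerg"}


def _priority_set(spec):
    """Priorities named by 'info' (info and higher), '=info' (only info), '*' or 'none'."""
    exact = spec.startswith("=")
    name = ALIASES.get(spec.lstrip("="), spec.lstrip("="))
    if name == "none":
        return set()
    if name == "*":
        return set(PRIORITIES)
    level = PRIORITIES.index(name)  # ValueError on an unknown priority keyword
    return {name} if exact else set(PRIORITIES[level:])


def selector_table(selector):
    """Map every facility to the set of priorities this selector field logs."""
    table = {f: set() for f in FACILITIES}
    for sel in filter(None, selector.lower().split(";")):
        facs, prio = sel.rsplit(".", 1)
        negate, spec = prio.startswith("!"), prio.lstrip("!")
        chosen = _priority_set(spec)
        # In a 'fac1,fac2.prio' list only the facility part of each item counts;
        # a priority written inside the list (the BUGS case) is ignored.
        names = [ALIASES.get(f.split(".")[0], f.split(".")[0]) for f in facs.split(",")]
        for fac in (FACILITIES if "*" in names else names):
            if negate:
                table[fac] -= chosen
            elif spec == "none":
                table[fac] = set()
            else:
                table[fac] |= chosen
    return table


def rule_matches(rule, facility, priority):
    """True if the rule's selector field logs a message of (facility, priority)."""
    return priority in selector_table(rule.split(None, 1)[0])[facility]


def action_kind(rule):
    """Classify the action field as the ACTIONS section lists them."""
    action = rule.split(None, 1)[1].strip()
    kinds = {"*": "wall", "@": "remote", "|": "fifo", "-": "file-nosync", "/": "file"}
    return kinds.get(action[0], "users")
```

For instance, selector_table("mail.crit,*.err")["mail"] yields err and higher, reproducing the surprise noted under BUGS, and rule_matches on the step 2 forwarding rule shows that authpriv messages never leave the client.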