Syslog

Troubleshooting Linux using syslog.conf

Posted in Linux , Technical by admin on January 11th, 2008

Different Linux packages have their own configuration files for network configuration and troubleshooting, which can make Linux system administration daunting. However, most Linux applications use the syslog utility to handle their error and status messages, and the resulting files are stored under /var/log. This makes troubleshooting easier on every distribution, whether Fedora, Red Hat or Ubuntu. It is worth knowing that not all applications display their errors and status messages on the screen. A Linux log server holds the syslog files, and the logrotate utility makes computer network troubleshooting as manageable as it is on Windows.
The error messages in syslog can be very helpful in finding malfunctions when combined with product manuals and web searches. Both syslog and logrotate are relatively easy to configure, but troubleshooting every Linux application whose information ends up in the syslog file takes some skill. The syslog utility tracks and handles all error messages, which is critical on a Linux syslog server.
An error message carries two pieces of information: first, the facility that generated it (an application such as mail or cron), which is easy to identify, and second, the severity of the message. The eight severity levels that can appear in the syslog file are listed below. The syslog configuration file, /etc/syslog.conf, is configured by combining these facilities and severities.
Table: Syslog severity levels
Severity Level   Keyword         Description
0                emergencies     System not usable
1                alerts          Action required immediately
2                critical        Critical condition
3                errors          Error conditions
4                warnings        Warning conditions
5                notifications   Significant and normal conditions
6                informational   Messages with information
7                debugging       Debugging messages

The /etc/syslog.conf File

Each type of message is routed by the syslog configuration file /etc/syslog.conf, which has two columns: the first column is the selector (facility and severity) and the second is the destination the matching messages are written to. On Red Hat and Fedora, /etc/syslog.conf is configured to store all messages in /var/log/messages with a line like
*.info;mail.none;authpriv.none;cron.none /var/log/messages
With this line all messages of severity info and above are logged, except those from the mail, authpriv and cron facilities. Logging can be made more verbose by changing the severity to debug while keeping /var/log/messages as the destination. Here is an example
*.debug /var/log/messages

With the following configuration, all debug-level messages except those from the auth, authpriv, news and mail facilities are logged to the file /var/log/debug. A long selector can be spread over several lines by ending each continued line with a backslash (\). Here is an example
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
The /var/log/messages file can be configured to store only info, notice and warning messages, excluding the news, mail, auth and authpriv facilities, like this
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
mail,news.none -/var/log/messages

Certain types of message are sent to the screens of all logged-in users. The file name in the second column is then replaced with an asterisk, like
*.emerg *

Some applications keep their own log files and directories, independent of syslog.conf. Here are examples of these files and directories; you can use them for syslog analysis and error handling.
Files:
/var/log/maillog : Mail information
/var/log/httpd/access_log : Apache web server page access logs

Directories:
/var/log
/var/log/samba : Samba messages
/var/log/mrtg : MRTG messages
/var/log/httpd : Apache webserver messages
Restart syslog with this command.

[root@linux-server tmp]# service syslog restart

To restart syslog in Ubuntu:

root@u-linux-server:~# /etc/init.d/sysklogd restart

 

==================================================

 

Log files are controlled by two monitoring daemons, the system logger syslogd and the kernel logger klogd; the default behaviour of both daemons is configured in the /etc/syslog.conf file.
Log files are organized as described in the /etc/syslog.conf configuration file. Below are the contents of /etc/syslog.conf:
[root@localhost ~]# cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log


The basic syntax of a syslog.conf line is:
[message type]     [action]
Note: the separator between the two columns must be a Tab character!
The message type consists of a "message source" (facility) and an "urgency level" (priority), joined by a dot. For example, in the listing above news.crit denotes critical conditions coming from news: news is the message source and crit stands for the critical level. The wildcard * can stand for any message source.
Notes:
The first rule, *.info, sends all messages of level info and above (notice, warning, err, crit, alert, emerg) to the corresponding log file.
Log message categories (classified by importance). Log messages fall into eight classes, listed here from most to least important:
emerg (emergency)
alert
crit (critical)
err (error)
warning
notice
info (information)
debug (debugging)
-------------------------------------------------------
A brief list of message sources:
auth: the authentication system, e.g. login and su, i.e. anything that asks for a user name and password
cron: messages emitted when the system runs scheduled tasks
daemon: syslog from certain system daemons, e.g. the log produced by in.ftpd
kern: kernel messages
lpr: printer messages
mail: messages from the mail-handling daemons
mark: the timestamp facility that emits a message at fixed intervals
news: messages from the newsgroup daemons
user: messages from local user applications
uucp: messages from the uucp subsystem
local0~local7: reserved for the system
*: all possible message sources
----------------------------------------------------------
Action
The "action" field decides what is done with a log message. It can be stored on disk, forwarded to another machine, or displayed on the administrator's terminal.
Overview of actions:
filename: write to a file; note that the path must be absolute.
@hostname: forward to the syslogd program on another host.
@IP address: same as above, but the host is identified by its IP address.
/dev/console: send to the screen of the local machine.
*: send to the terminals of all logged-in users.
|program: forward to a program through a pipe.
For example:
kern.emerg /dev/console (as soon as a kernel emergency occurs, the message is shown on the console)
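The selector rules explained above (and in the English syslog.conf section earlier on this page) are easy to get wrong: *.info takes info and everything more severe, =info takes exactly info, none cancels a facility already matched by an earlier selector, and a backslash continues the line. The following Python matcher is an added example, not code from either article and not the real sysklogd parser: it is a simplified model of those rules, run against a constructed configuration in the Red Hat style, and answers which actions a message of a given facility and priority is delivered to.

```python
"""Matcher for classic sysklogd syslog.conf selectors.

Added example, not code from the original article. It models the selector
rules described above (facility.priority, =priority, none, comma-separated
facilities, semicolon-separated selectors that override earlier ones, the *
wildcard, and backslash line continuation) and answers "which actions does a
message of facility F at priority P end up in?" for a constructed
configuration. It is a simplified model of sysklogd, not the real parser.
"""

# Severity names in numeric order: index 0 = emerg (most severe), 7 = debug.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Deprecated synonyms accepted by syslog.conf.
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}


def prio_index(name):
    """Numeric severity of a priority keyword; raises ValueError if unknown."""
    return PRIORITIES.index(ALIASES.get(name, name))


def join_continuations(text):
    """Join lines that end in a backslash, as sysklogd does before parsing."""
    lines, buf = [], ""
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1]
        else:
            lines.append(buf + raw)
            buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_config(text):
    """Return (selector, action) pairs, skipping blank lines and comments."""
    rules = []
    for line in join_continuations(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)  # tab or spaces separate the two columns
        rules.append((selector, action.strip()))
    return rules


def selector_matches(selector, facility, priority):
    """True if a selector such as '*.info;mail.none' accepts (facility, priority).

    Parts are evaluated left to right, so a later 'facility.none' cancels an
    earlier '*.info', exactly as in the Red Hat default line.
    """
    msg_prio = prio_index(priority)
    matched = False
    for part in selector.split(";"):
        if not part:
            continue
        facs, _, prio = part.rpartition(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        if prio == "none":
            matched = False
        elif prio == "*":
            matched = True
        elif prio.startswith("="):
            matched = msg_prio == prio_index(prio[1:])
        else:
            # 'info' means info or more severe, i.e. a numerically smaller or equal level
            matched = msg_prio <= prio_index(prio)
    return matched


def route(config_text, facility, priority):
    """List the actions (files, '*', '@host', ...) a message is delivered to."""
    return [action for selector, action in parse_config(config_text)
            if selector_matches(selector, facility, priority)]


# Constructed sample configuration in the Red Hat style shown in the article.
SAMPLE_CONF = (
    "# Log anything (except mail) of level info or higher.\n"
    "*.info;mail.none;authpriv.none;cron.none\t/var/log/messages\n"
    "authpriv.*\t/var/log/secure\n"
    "mail.*\t-/var/log/maillog\n"
    "*.emerg\t*\n"
    "*.=debug;\\\n"
    "auth,authpriv.none;\\\n"
    "news.none;mail.none\t-/var/log/debug\n"
)

if __name__ == "__main__":
    for fac, prio in [("kern", "info"), ("mail", "info"), ("authpriv", "notice"),
                      ("kern", "emerg"), ("daemon", "debug"), ("auth", "debug")]:
        print(f"{fac}.{prio:<8} -> {route(SAMPLE_CONF, fac, prio)}")
```

Running it shows, for instance, that a kern.emerg message lands both in /var/log/messages and on every terminal (*), while an auth.debug message goes nowhere because auth,authpriv.none cancels the *.=debug match on the same line.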
Notes:
If you want to change the files syslogd writes to, you must first kill the syslogd process and start syslogd again after the edit. After breaking into a system an attacker usually modifies the system logs right away, so as an administrator you should dedicate one machine to handling log messages and have the other machines forward their logs to it automatically; log messages are then moved off the host as soon as they are generated, and the attacker's actions are recorded correctly.
Logging to a remote host.
The remote host mentioned here is the syslog server we configure in this article.
----------------------------------------------------------------
2. Syslog server configuration: practical steps
Example: 10.0.0.1 is the syslog server, 10.0.0.2 is the client.
Steps:
1. Server-side configuration
vi /etc/sysconfig/syslog
SYSLOGD_OPTIONS="-r -m 0"   ## -r means accept logs from remote hosts
Restart the syslog service: /etc/rc.d/init.d/syslog restart
2. Client-side configuration
vi /etc/syslog.conf
Add @10.0.0.1 as the message destination, for example:
*.info;mail.none;authpriv.none;cron.none @10.0.0.1
Save, exit and restart the service:
/etc/rc.d/init.d/syslog restart
(Tip: look at the tail of the log directly with tail /var/log/messages or tail /var/log/boot, and you can see that syslog restarted.)
--------------------------------------------------------------------
Note: the log service uses port 514/udp, and the syslog server should open this port.
The syslog server side cannot filter by source address, so to keep outside networks from writing junk into the log server the problem has to be solved in the network topology, by restricting access to port 514 from the outside at the gateway.
If there are many servers, the resulting logs will be large, so plan proper log analysis.
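What actually travels to 10.0.0.1 when the client rule above fires is a UDP datagram to port 514 that starts with a <PRI> field, where PRI = facility * 8 + severity in the BSD syslog numbering. The following Python code is an added example, not code from the article: it builds and decodes such datagrams, and includes a toy loopback collector with the source-address check that the article says stock syslogd lacks (and therefore has to be enforced at the gateway). Everything it sends and receives is constructed test data, and it uses an ephemeral loopback port rather than the privileged 514/udp.

```python
"""BSD syslog datagram encoding and a source-address check for a collector.

Added example, not from the original article. The client line
'*.info;... @10.0.0.1' makes syslogd send each message as a UDP datagram to
port 514 whose first field is <PRI>, with PRI = facility * 8 + severity
(the BSD syslog numbering, RFC 3164). The functions below build and decode
such datagrams and show the source check that the article says stock
syslogd cannot do. Addresses and messages are constructed test data.
"""
import socket

# Facility numbers 0..23 in BSD syslog order (12..15 are NTP, audit, alert, clock).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def encode_pri(facility, severity):
    """PRI value for a facility/severity pair, e.g. user.notice -> 13."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def build_datagram(facility, severity, timestamp, hostname, tag, message):
    """Assemble '<PRI>TIMESTAMP HOSTNAME TAG: MESSAGE' as bytes."""
    pri = encode_pri(facility, severity)
    return f"<{pri}>{timestamp} {hostname} {tag}: {message}".encode()


def decode_pri(datagram):
    """Split a datagram into (facility, severity, rest); reject malformed headers."""
    text = datagram.decode("utf-8", errors="replace")
    end = text.find(">")
    if not text.startswith("<") or end < 2 or end > 4 or not text[1:end].isdigit():
        raise ValueError("malformed <PRI> header")
    pri = int(text[1:end])
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("PRI out of range")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], text[end + 1:]


def accept_source(src_ip, allowed_sources):
    """Collector policy: keep only datagrams from known log clients."""
    return src_ip in allowed_sources


def run_collector(datagrams, allowed_sources):
    """Send the datagrams over loopback UDP and apply accept_source on receipt.

    Binds an ephemeral port on 127.0.0.1 instead of 514/udp so it runs
    unprivileged; returns (decoded accepted records, rejected count).
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))
    server.settimeout(2.0)
    port = server.getsockname()[1]
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for d in datagrams:
            client.sendto(d, ("127.0.0.1", port))
        accepted, rejected = [], 0
        for _ in datagrams:
            data, (src, _) = server.recvfrom(2048)
            if accept_source(src, allowed_sources):
                accepted.append(decode_pri(data))
            else:
                rejected += 1
        return accepted, rejected
    finally:
        client.close()
        server.close()


if __name__ == "__main__":
    # Constructed messages as a client at 10.0.0.2 might forward them.
    sample = [build_datagram("auth", "notice", "Jan 11 10:00:01", "client2",
                             "sshd[123]", "session opened for user root"),
              build_datagram("kern", "emerg", "Jan 11 10:00:02", "client2",
                             "kernel", "Oops: fatal exception")]
    print(run_collector(sample, {"127.0.0.1"}))  # loopback allowed: both accepted
    print(run_collector(sample, {"10.0.0.2"}))   # only 10.0.0.2 allowed: both rejected
```

The source check is deliberately separate from the decoder: on a real collector it would be applied before any parsing, so that junk from unknown hosts never reaches the parser or the disk.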


================================================

iptables log management tips in Fedora Core 6

2008-08-23 PChome.net Type: repost Source: 赛迪网 Editor: 江海明

The iptables manual describes the LOG target, which exists specifically to record information about packets. Since such packets may be illegitimate, the information is useful for debugging. LOG records details of the packet, such as most of the IP header and other interesting fields. This is done through the kernel's logging facility, usually syslogd. The recorded information can be read with dmesg, by looking directly at syslogd's log file, or with some other program. LOG is a great help when debugging rules: you can see where a packet went, which rules handled it, which rules handle which packets, and so on. Below we show how to manage iptables logs through the kernel's logging facility.

1. Configure syslogd's configuration file /etc/syslog.conf

By default syslogd writes log messages to /var/log/messages. Below we describe how to create a separate iptables log file, /var/log/iptables. Edit syslogd's configuration file /etc/syslog.conf to tell syslogd which logging level iptables uses. Details of the logging levels can be found in syslog.conf; in general there are the following levels, in order: debug, info, notice, warning, warn, err, error, crit, alert, emerg, panic. Here error and err, warn and warning, and panic and emerg are synonyms, meaning they behave identically. Note that these three synonyms are deprecated (because the amount of information is too large). The message level indicates how serious the problem reflected by the logged information is.

All iptables LOG messages can be recorded through the kernel's logging facility.

First add the following to syslog.conf:

# Iptables logging
kern.debug /var/log/iptables

Then make the iptables LOG rules use level debug (for example: iptables -I INPUT 1 -j LOG --log-prefix '[IPTABLES DROP LOGS]:' --log-level debug), and all the messages will be stored in /var/log/iptables.

Finally restart the syslog service or reboot the computer.

I use FC6, where the service syslog restart command conveniently restarts the syslog service.
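One thing to keep in mind with the kern.debug rule above: it routes every kernel message at debug level or above into /var/log/iptables, not only the iptables ones, so anything reading that file should key on the --log-prefix string from the rule. The following Python parser is an added example, not code from the article: it extracts the LOG fields (IN, OUT, SRC, DST, PROTO, SPT, DPT and the bare flags such as DF and SYN, which are the names the LOG target writes), ignores other kernel lines, and summarizes which sources were dropped on which destination ports, which is the kind of analysis the article has in mind. The log lines are constructed sample data using documentation (TEST-NET) addresses.

```python
"""Parse iptables LOG lines out of a syslog file and summarize them.

Added example, not from the original article. With kern.debug routed to
/var/log/iptables, the file receives every kernel message at debug level or
above, not only iptables ones, so the parser keys on the --log-prefix string
from the rule ('[IPTABLES DROP LOGS]:') and ignores other kernel lines. The
log lines below are constructed sample data using TEST-NET addresses.
"""
import re
from collections import defaultdict

LOG_PREFIX = "[IPTABLES DROP LOGS]:"

# "Aug 23 10:15:01 fc6 kernel: [IPTABLES DROP LOGS]:IN=eth0 OUT= SRC=..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    + re.escape(LOG_PREFIX) + r"\s*(?P<fields>.*)$"
)

# Constructed sample log: three probes from 192.0.2.10, one UDP packet from
# 192.0.2.20, and one unrelated kernel line that must be ignored.
SAMPLE_LOG = """\
Aug 23 10:15:01 fc6 kernel: [IPTABLES DROP LOGS]:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 23 10:15:02 fc6 kernel: [IPTABLES DROP LOGS]:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=64 ID=12346 DF PROTO=TCP SPT=43211 DPT=23 SYN URGP=0
Aug 23 10:15:02 fc6 kernel: eth0: link is up at 100 Mbps, full duplex
Aug 23 10:15:03 fc6 kernel: [IPTABLES DROP LOGS]:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=64 ID=12347 DF PROTO=TCP SPT=43212 DPT=80 SYN URGP=0
Aug 23 10:15:09 fc6 kernel: [IPTABLES DROP LOGS]:IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.5 LEN=40 TTL=128 ID=7 PROTO=UDP SPT=5353 DPT=53 LEN=20
"""


def parse_line(line):
    """Return a dict of the LOG fields for one iptables line, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    record = {"ts": m.group("ts"), "host": m.group("host"), "flags": []}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        if sep:
            # KEY=VALUE; an empty value (OUT=) stays "". A repeated key such as the
            # second LEN on UDP lines keeps the last (transport-layer) value.
            record[key] = value
        else:
            record["flags"].append(key)  # bare tokens such as DF, SYN
    return record


def parse_log(text):
    """All iptables records from a log file body, in order."""
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def ports_by_source(records):
    """Map each SRC address to the sorted destination ports it was logged hitting."""
    seen = defaultdict(set)
    for r in records:
        if "SRC" in r and "DPT" in r:
            seen[r["SRC"]].add(int(r["DPT"]))
    return {src: sorted(ports) for src, ports in seen.items()}


def noisy_sources(records, min_ports=3):
    """Sources dropped on at least min_ports distinct ports: worth a closer look."""
    return sorted(src for src, ports in ports_by_source(records).items()
                  if len(ports) >= min_ports)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} iptables records")
    print(ports_by_source(recs))
    print("review:", noisy_sources(recs))
```

The min_ports threshold is a starting point rather than a rule; on a busy host you would tune it against a baseline of what the firewall normally drops.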

2. Rotating iptables logs

All log files grow quickly over time and with the number of accesses, so they must be cleaned up regularly to avoid wasting disk space. FC6 has a dedicated log rotation program, logrotate, which automatically compresses, backs up and deletes logs; the system adds logrotate to the daily scheduled tasks by default, so the administrator does not have to handle this by hand.

First check that logrotate's configuration file /etc/logrotate.conf reads as follows:

# see "man logrotate" for details
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
#compress
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 1
}
# system-specific logs may be also be configured here.

Then add the iptables log file /var/log/iptables to syslog's rotation configuration file /etc/logrotate.d/syslog; the full contents are:

/var/log/iptables /var/log/messages 
/var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}

Finally, arrange for logrotate to run once a day by checking that /etc/cron.daily/logrotate reads:

#!/bin/sh
/usr/sbin/logrotate /etc/logrotate.conf
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
/usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
exit 0

With this we have created a separate rotated log for iptables, which makes it easier to analyse information about network attacks.

