• VMware

    Learn about VMware virtualization for its products like vsphere ESX and ESXi, vCenter Server, VMware View, VMware P2V and many more

  • Linux

    Step by step configuration tutorials for many of the Linux services like DNS, DHCP, FTP, Samba4 etc including many tips and tricks in Red Hat Linux.

  • Database

    Learn installation and configuration of databases like Oracle, My SQL, Postgresql, etc including many other related tutorials in Linux.

  • Life always offers you a second chance ... Its called tomorrow !!!

    Sunday, January 26, 2014

    Tutorial for SYSLOG with Examples in Red Hat Linux

    Syslog is one of the most important standards used in Linux as it is the key file which helps you determine the different level of logs which are getting generated and stored every second while you are working on your Linux box. Syslog can be taken as "System Log".

    The main configuration file for syslog is

    For RHEL 5 and older
    /etc/syslog.conf
    For RHEL 6
    /etc/rsyslog.conf

    Benefits of syslog

    • Helps analyze the root cause for any trouble or problem caused
    • Reduce overall downtime helping to troubleshoot issues faster with all the logs
    • Improves incident management by active detection of issues
    • Self-determination of incidents along with auto resolution
    • Simplified architecture with different level of severity like error,info,warning etc


    The syslog.conf file is the main configuration file for the syslogd which logs system messages on *nix Systems.  This file specifies rules for logging. Every rule consists of two fields, a selector field and an action field.  These two fields are separated by one or more spaces or tabs.  The selector field specifies a pattern of facilities and priorities belonging to the specified action.

    Selectors

    The selector field itself again consists of two parts, a facility and a priority, separated by a period (''.'').  Both parts are case insensitive.

    For example
    Kern.none, mail.info etc

    Here
    Kern = Facility
    None = severity or priority

    Facility

    The facility is one of the following keywords: auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, security (same as auth), syslog, user, uucp and local0 through local7.  The keyword security should not be used anymore and mark is only for internal use and therefore should not be used in applications.

    Anyway, you may want to specify and redirect these messages here.  The facility specifies the subsystem that produced the message, i.e. all mail programs log with the mail facility (LOG_MAIL) if they log using syslog.

    Facility Number

    Keyword
    Facility
    Description
    0
    kern
    kernel messages
    1
    user
    user level messages
    2
    mail
    mail system
    3
    daemon
    system daemons
    4
    auth
    security/authorization messages
    5
    syslog
    messages generated internally by syslogd
    6
    lpr
    line printer subsystem
    7
    news
    network news subsystem
    8
    uucp
    UUCP subsystem
    9
    clock daemon

    10
    authpriv
    security/authorization messages
    11
    ftp
    FTP daemon
    12
    -
    NTP susbsystem
    13
    -
    log audit
    14
    -
    log alert
    15
    cron
    clock daemon
    16
    local0
    local use 0 (local0)
    17
    local1
    local use 1 (local1)
    18
    local2
    local use 2 (local2)
    19
    local3
    local use 3 (local3)
    20
    local4
    local use 4 (local4)
    21
    local5
    local use 5 (local5)
    22
    local6
    local use 6 (local6)
    23
    local7
    local use 7 (local7)

    Severity Levels

    The priority is one of the following keywords, in ascending order: debug, info, notice, warning, warn (same as warning), err, error (same as err), crit, alert, emerg, panic (same as emerg).  The keywords error, warn and panic are deprecated and should not be used anymore. The priority defines the severity of the message
    Integer
    Facility
    0
    Emergency: System is unusable
    1
    Alert: Action must be taken immediately
    2
    Critical: critical conditions
    3
    Error: Error conditions
    4
    Warning: Warning conditions
    5
    Notice: Normal but significant conditions
    6
    Informational: Informational messages
    7
    Debug: Debug level messages

    You can specify multiple facilities with the same priority pattern in one statement using the comma ('','') operator.  You may specify as much facilities as you want. Multiple selectors may be specified for a single action using the semicolon ('';'') separator.  Remember that each selector in the selector field is capable to overwrite the preceding ones.  Using this behavior you can exclude some priorities from the pattern.

    Examples

    Log all the critical events on your Linux machine in a separate log file inside /var/log with a name of critical.log
    Append this line inside /etc/syslog.conf
    *.=crit            /var/log/critical.log

    Log all the kernel related messages in separate log file inside /var/log/firewall.log
    Add a new line
    Kern.*       /var/log/firewall.log

    Add a new entry at the end of the below line
    # Log anything (except mail) of level info or higher.
    # don’t log private authentication messages!
    # don’t log kernel related events and messages
    *.info;mail.none;authpriv.none;cron.none;kern.none                /var/log/messages

    Redirect all the error logs to a remote user root and Deepak on their terminals
    # Messages of the priority alert will be directed
    # to the operator
    #
    *.err                      root,deepak

    Log all the firewall warning level messages inside /var/log/firewall-warning.log
    Kern.warn                                           /var/log/firewall-warning.log

    Support for Remote Logging

    These modifications provide network support to the syslogd facility.  Network support means that messages can be forwarded from one node running syslogd to another node running syslogd where they will be actually logged to a disk file.

    The strategy is to have syslogd listen on a unix domain socket for locally generated log messages.  This behavior will allow syslogd to inter-operate with the syslog found in the standard C library.  At the same time syslogd listens on the standard syslog port for messages forwarded from other hosts.  To have this work  correctly the /etc/services file must have the following entry:
    Syslog 514/udp
    If this entry is missing syslogd neither can receive remote messages nor send them, because the UDP port can’t be opened.  Instead syslogd will die immediately, blowing out an error message.

    For example,
    to forward ALL messages to a remote host uses the following syslog.conf entry:
                       # Sample syslogd configuration files to
                       # Messages to a remote host forward all.
                       
    *.*            @hostname

    To forward all kernel messages to a remote host the configuration file would be as follows:
                       # Sample configuration files to forward all kernels
                       # messages to a remote host.

                     
     kern.*         @hostname


    References
    Linux man page for syslogd
    syslog wiki

    Follow the below links for more tutorials

    Tutorial for Monitoring Tools SAR and KSAR with examples in Linux
    15 tips to enhance security of your Linux machine
    What is a Kernel in Linux?
    How does a DNS query works when you type a URL on your browser?
    How to create password less ssh connection for multiple non-root users
    How to create user without useradd command in Linux
    How to unlink/delete a symbolic in Linux
    How to give normal user root privileges using sudo in Linux/Unix
    How to do Ethernet/NIC bonding/teaming in Red Hat Linux
    How to install/uninstall/upgrade rpm package with/without dependencies
    How to extract files to different directory using tar in Unix/Linux
    How to preserve Symbolic links with tar command in Unix/Linux
    How to give permission to user to run some commands in Linux
    Why is Linux more secure than windows and any other OS
    What is the difference between "su" and "su -" in Linux?

    0 comments:

    Post a Comment