syslog - centralized logging

Transcription

1 syslog - centralized logging David Morgan A logging system Conforming programs emit categorized messages Messages are candidates for logging syslog handles the logging performed by syslogd per /etc/syslog.conf 1

2 syslog architecture programs message flow /etc/syslog.conf syslogd remote log console fifo user host file Historical rationale - Then Some programs logged messages to one file Some programs logged to another Some programs logged to STDERR Some wrote to a pipe 2

3 Historical rationale - Now Programs themselves don t log messages They write them to syslog instead syslog manages logging centrally decides which messages to log decides where to log them to Programs emit messages you read them API calls to standard library functions openlog( ) - identifies this program and its facility at program start syslog( ) - provides a message, tagged with a priority closelog( ) - closes logging before program terminates or logger, equivalent access from shell Of direct concern only to programmers Others write config files and read log file results 3

4 Programs emit messages examples Normally, dhcpd will log all output using the syslog (3) function with the log facility set to LOG_DAEMON. man page for dhcpd (8) dynamic host configuration protocol daemon Messages from /var/log/messages Jul 24 13:19:25 brain kernel: eth1: NE2000 found at 0x300, using IRQ 3 Aug 3 15:33:03 brain PAM_pwdb[25812]: (login) session opened for user david by (uid=0) Jul 31 20:23:31 brain ftpd[16423]: FTP LOGIN REFUSED (access denied) FROM cras1p66.navix.net [ ], anonymous Jul 26 17:01:23 brain httpd: httpd shutdown succeeded /etc/syslog.conf Entries, called rules, determine messages handling Rule format: SELECTOR ACTION <facility>.<priority> <action> 4

5 /etc/syslog.conf <facility>.<priority> <action> auth authpriv cron daemon kern lpr mail news syslog user uucp local0 - local7 debug info notice warning err crit alert emerg * none higher priority write to a file write to a terminal by tty device by user write to a remote syslog (via UDP to port 514) * /etc/syslog.conf rule example mail.info /var/adm/info The disposition of any messages issued - by programs whose facility is mail, - as having priority info or higher shall be to write those messages into the file /var/adm/info. 5

6 Standard /etc/syslog.conf kern.* *.info;mail,news,authpriv.none authpriv.* /dev/console /var/log/messages /var/log/secure *.emerg * uucp,news.crit /var/log/messages What happens? Each message is tested against every rule For each rule does the message s facility match the rule s? does the message s priority match or exceed the rule s? if so, log the message as defined by rule s action 6

7 Syntax wrinkles * =! none all facilities or all priorities makes priority restrictive/single makes priority inverse/ignored no priority Multiple selectors, facilities - separate selectors with ; - separate facilities with, - selectors overwrite their predecessors S E L E C T O R S *.=info ; mail, news.none <action> F A C I L I T I E S Log all messages of priority info, but not if their facility is mail or news 7

8 Action (logging) destinations /var/log/messages /dev/tty6 that file that terminal terminals where those users are logged in syslog daemon on machine loghost klogd - a syslogd client programs kernel klogd syslogd log file remote log console fifo user host file 8

9 Important log files in /var/ var/log cron dmesg boot messages lastlog user logins log.smb maillog mail traffic messages genl purpose news secure login attempts sendmail uucp wtmp current activity xferlog ftp transfers Viewing log files dynamically tail -f <name of log file> 9

10 Logfile rotation and management cron /etc/crontab /etc/cron.daily /etc/cron.daily/logrotate logrotate /etc/logrotate.conf /etc/logrotate.d Syslog shortcomings syslog accepts over network from all-or-none multi-hop forwards sourced to most recent hop messages are in cleartext configuration is inflexible uses connectionless UDP 10

11 Alternative replacements for syslog two primary projects syslog-ng rsyslog rsyslog seek to add new capabilities and features seek to seamlessly drop in retain default-config compatility with stock syslog Distributions adopting rsyslog fedora 8 debian ubuntu SUSE uses syslog-ng 11

12 Adoption rationale fedora* why not syslog-ng? code complexity performance issues incompatible format dual licensing model where adding features available in the other version might cause friction with upstream. * per Adoption rationale (vs licensing and software features truly reliable message delivery vs syslog-ng ng) ubuntu* compliance with IETF regarding reliable TCP transport native support for traffic encryption SNMP support BSD-style hostname and program name blocks on-disk message spooling include config files native support for alerts * per 12

13 /etc/rsyslog.conf $ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command) $ModLoad imklog.so # provides kernel logging support (previously done by rklogd) $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat *.info;mail.none;authpriv.none;cron.none /var/log/messages authpriv.* /var/log/secure mail.* -/var/log/maillog cron.* /var/log/cron *.emerg * uucp,news.crit /var/log/spooler local7.* /var/log/boot.log rsyslog specific syntax-compatible with stock syslog Multiple system trans-net net logging model 13

14 /etc/rsyslog.conf for trans-net net logging # Provides UDP syslog reception $ModLoad imudp.so $UDPServerRun 514 # Provides TCP syslog reception $ModLoad imtcp.so $InputTCPServerRun # remote host is: name/ip:port, e.g :514, port optional Makes host receive from network Makes host emit to network 14