Lesson 11

Date: 4/14/2010
Basics of Linux Security
Linux for Engineering and IT Applications


System logs

  • Daemon syslogd receives information from running services about their status and stores it in log files; klogd receives messages from the kernel. What they log, and where, is defined in the config file /etc/syslog.conf:
    auth,authpriv.*         /var/log/auth.log
    *.*;auth,authpriv.none  -/var/log/syslog
    #cron.*                 /var/log/cron.log
    daemon.*                -/var/log/daemon.log
    kern.*                  -/var/log/kern.log
    lpr.*                   -/var/log/lpr.log
    mail.*                  -/var/log/mail.log
    user.*                  -/var/log/user.log

    mail.info               -/var/log/mail.info
    mail.warn               -/var/log/mail.warn
    mail.err                /var/log/mail.err

    news.crit               /var/log/news/news.crit
    news.err                /var/log/news/news.err
    news.notice             -/var/log/news/news.notice

    daemon.*;mail.*;\
        news.err;\
        *.=debug;*.=info;\
        *.=notice;*.=warn   |/dev/xconsole
    

  • The first column specifies the facility and the priority level.
    The facility is one of the following keywords:
    auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, syslog, user, uucp, local0 -- local7.
    The priority is one of the following keywords, in ascending order:
    debug, info, notice, warning, err, error, crit, alert, emerg.
  • The second column specifies where the logs are directed. The two columns are separated by < TAB >.
  • Whenever /etc/syslog.conf is modified, syslogd and klogd must re-read the configuration:
    killall -HUP syslogd 
    killall -HUP klogd 
    
    or
    /etc/init.d/syslogd reload
    /etc/init.d/klogd force-reload 
    
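The selector rules from the bullets above (facility list, priority order, "=" for a single priority, "none", "*", ";" and "," joining), worked through in code. This is an added example, not part of the lecture notes; SAMPLE_CONF is a constructed fragment mirroring the /etc/syslog.conf listing above, and the matching follows the way sysklogd accumulates the parts of one selector line.

```python
# Added example (not from the lecture notes): which targets does a message reach under
# a syslog.conf fragment? Selector parts on one line accumulate, as sysklogd does it.
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "mark",
              "news", "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err"}  # older spellings syslogd still accepts
norm = lambda prio: ALIASES.get(prio, prio)
# Constructed fragment mirroring the lecture's /etc/syslog.conf (tabs separate the columns).
SAMPLE_CONF = """\
auth,authpriv.*\t/var/log/auth.log
*.*;auth,authpriv.none\t-/var/log/syslog
mail.err\t/var/log/mail.err
daemon.*;mail.*;\\
\tnews.err;\\
\t*.=debug;*.=info;\\
\t*.=notice;*.=warn\t|/dev/xconsole
"""

def parse_conf(text):
    """Return [(selector, target)]: join backslash continuations, drop blanks and comments."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""  # syslogd strips each physical line first
        if line.endswith("\\"):                     # continuation: joined with the next line
            pending = line[:-1]
        elif line and not line.startswith("#"):
            selector, target = line.split(None, 1)
            rules.append((selector, target.lstrip("-")))  # leading '-' only means "no fsync"
    return rules

def selector_mask(selector):
    """Per-facility set of selected priorities, accumulated across the ';'-joined parts."""
    mask = {}
    for part in selector.split(";"):
        facs, _, prio = part.rpartition(".")
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            chosen = mask.setdefault(fac, set())
            if prio == "none":          # '*.*;auth,authpriv.none' keeps auth out of syslog
                chosen.clear()
            elif prio == "*":
                chosen.update(PRIORITIES)
            elif prio.startswith("="):  # exactly this priority
                chosen.add(norm(prio[1:]))
            else:                       # this priority and everything more severe
                chosen.update(PRIORITIES[PRIORITIES.index(norm(prio)):])
    return mask

def targets_for(facility, priority, conf=SAMPLE_CONF):
    return [t for sel, t in parse_conf(conf)
            if norm(priority) in selector_mask(sel).get(facility, ())]
```

For example, an auth.info message lands in /var/log/auth.log and on /dev/xconsole but, because of the "none" part, not in /var/log/syslog.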


