Today we discuss the system logging tools available in Linux.
-syslog - an integrated system for log management.
-usually a log entry is a single line of text.
-the same file has entries from multiple sources.
-eg: two consecutive lines might be from totally different events.
-usual location of logs - /var/adm (older Unix systems) or /var/log (Linux).
-usual owner of logs is root. most log files are readable only by root or a dedicated group such as adm; a world-readable log leaks usernames, hostnames and service details to any local user.
-/var/log/wtmp contains login/logout records in binary format. /var/run/utmp holds the current sessions and /var/log/lastlog the most recent login of each user, also in binary.
-to read them, simply type 'last' (wtmp), 'who' (utmp) or 'lastlog' (lastlog) without any parameters. note that wtmp is appended only by programs that choose to write it, so an attacker with root can edit or truncate it; it is evidence, not an audit trail.
-syslog consists of three parts:
. syslogd - the syslog daemon, configured by /etc/syslog.conf
. openlog/syslog/closelog - the C library routines (syslog(3)) that submit messages to syslogd
. logger - user-level command that submits log entries from the shell
-syslogd is started at boot time and runs continuously. it cannot be managed by inetd, since it is a persistent daemon and not a per-connection service.
-programs send their messages to the Unix domain socket /dev/log.
-syslogd reads /dev/log and routes the messages to the appropriate log files. anything that can write to /dev/log can submit a message with any facility and priority, and the classic daemon does not verify the sender, so the program name and content in a local log entry are only as trustworthy as the local users.
-a hangup signal (HUP, signal 1) causes syslogd to close its log files and reinitialize: sysklogd re-reads /etc/syslog.conf, rsyslog only reopens the files. log rotation tools send it after renaming a file.
-a TERM signal causes syslogd to exit.
-the syslogd pid is stored in /var/run/syslogd.pid, which is where those signals are usually aimed.
-the syslog config file /etc/syslog.conf has the format:
. facility.priority <tab> action [the classic sysklogd requires a tab between the selector and the action; spaces cause errors. rsyslog accepts either.]
-eg: mail.info <tab> /var/log/maillog
mail.emerg <tab> /var/log/messages
. a selector matches the given priority and every higher one, so mail.info catches mail messages at info, notice, warning, err, crit, alert and emerg; with the two lines above an emerg mail message is written to both files.
-the priorities from highest to lowest: emerg, alert, crit, err, warning, notice, info, debug. highest level is 'emerg', lowest level is 'debug'.
-syslog allows remote logging, ie sending log entries to a remote logging server (an action of the form @hostname sends them over UDP port 514).
-note: a host that floods syslogd with messages, whether deliberately or because a broken service keeps repeating the same error, can fill the disk or starve the daemon, ie a denial of service.
linux (sysklogd) reduces this risk by not accepting syslog messages from remote machines unless started with the '-r' flag; '-h' additionally allows forwarding of received remote messages to other hosts. both are off by default.
-if the remote logging server is down, the log entries are irretrievably lost: classic syslog over UDP is fire-and-forget, with no acknowledgement, no queue, and no authentication or encryption of what is sent, so entries can also be spoofed or read on the wire.
-alternatives to syslog that address these gaps (TCP or TLS transport, disk-assisted queues, message signing): syslog-ng, rsyslog, SDSC Secure Syslog, etc.
-challenges in kernel logging:
. creating a permanent record of the boot process without depending on any file system (none is mounted yet).
. being independent of any user-space process or daemon and their logging (syslogd is not running yet).
-the kernel solves this with an in-memory ring buffer that printk() writes into; dmesg dumps that buffer, so it even contains messages generated before init begins.
-because the buffer has a fixed size, the oldest entries are overwritten once it fills; many distributions therefore copy its contents to /var/log/dmesg once the file system is up.
-the kernel's ongoing logging is handled by a daemon called klogd on systems that use sysklogd (rsyslog reads the kernel buffer itself). dmesg is a one-shot dump of the buffer; klogd is the continuous reader.
-klogd reads the kernel buffer (via /proc/kmsg) and passes the messages to syslogd, which stores them in /var/log/messages or /var/log/syslog depending on the distribution's syslog.conf.
-boot messages are also printed on the console, as long as their level is below the kernel's console log level.
-if they are an annoyance, then after booting they can be subdued by lowering that level like this:
# dmesg -n 2
. the argument is the console log level: only messages more urgent than it reach the console. -n 1 leaves only emerg (panic) messages, -n 2 keeps emerg and alert, -n 8 shows everything down to debug (level 7). the kernel buffer and klogd/syslog still receive every message regardless of this setting.
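As an added worked example, not code from the original notes: the following Python models two things described above, how syslogd applies the facility.priority selectors of /etc/syslog.conf to a message (including the '*', 'none', '=' and '!' forms of the sysklogd syntax) and the kernel console log level that 'dmesg -n' adjusts. The config text and the kernel records are constructed for the example; the tab rule of the classic daemon is relaxed to any whitespace, as rsyslog does, and later selectors in a rule override earlier ones for the same facility, which is what lets '*.info;mail.none' keep mail out of /var/log/messages.

```python
# Added example, not part of the original notes: a small model of (1) how
# syslogd applies the facility.priority selectors of /etc/syslog.conf to a
# message and (2) the kernel console log level that `dmesg -n` adjusts.
# The config text and the log records below are constructed for the example.

# syslog priorities from <syslog.h>, most urgent first: emerg=0 ... debug=7.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_NUM = {name: num for num, name in enumerate(PRIORITIES)}
PRI_NUM.update({"panic": 0, "error": 3, "warn": 4})  # legacy spellings syslogd accepts
ALL_PRIS = frozenset(range(8))


def _at_least(level):
    """Priorities selected by a bare level: that level and every more urgent one."""
    if level == "*":
        return set(ALL_PRIS)
    return {n for n in ALL_PRIS if n <= PRI_NUM[level]}


def parse_syslog_conf(text):
    """Parse syslog.conf text into a list of (selectors, action).

    Each selector is (facility, op, level) with op one of "" (level and
    higher), "=" (exactly that level), "!" (exclude level and higher),
    "!=" (exclude exactly that level) or "none". The classic syslogd
    insists on a TAB between selector and action; like rsyslog, this
    parser accepts any whitespace.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        selector_field, action = line.split(None, 1)
        selectors = []
        for sel in selector_field.split(";"):
            facilities, level = sel.rsplit(".", 1)
            op = ""
            for prefix in ("!=", "!", "="):
                if level.startswith(prefix):
                    op, level = prefix, level[len(prefix):]
                    break
            if level == "none":
                op = "none"
            for fac in facilities.split(","):
                selectors.append((fac.strip(), op, level))
        rules.append((selectors, action))
    return rules


def rule_matches(selectors, facility, level):
    """Apply one rule's selectors left to right for a single message.

    A later selector for the same facility overrides an earlier one, which
    is what lets `*.info;mail.none` keep mail out of /var/log/messages.
    """
    allowed = set()
    for fac, op, lvl in selectors:
        if fac not in ("*", facility):
            continue
        if op == "none":
            allowed.clear()
        elif op == "":
            allowed = _at_least(lvl)
        elif op == "=":
            allowed.add(PRI_NUM[lvl])
        elif op == "!":
            allowed -= _at_least(lvl)
        elif op == "!=":
            allowed.discard(PRI_NUM[lvl])
    return PRI_NUM[level] in allowed


def route_message(rules, facility, level):
    """Return the actions (files, @host, '*' for all logged-in users) a message goes to."""
    return [action for selectors, action in rules if rule_matches(selectors, facility, level)]


def kmsg_level(record):
    """Decode the <N> prefix on /dev/kmsg, klogd and `dmesg` records.

    N is facility * 8 + level; kernel messages use facility 0 (kern), so
    N & 7 is the priority level.
    """
    return int(record[1:record.index(">")]) & 7


def console_shows(level, console_loglevel):
    """The kernel prints a record on the console only when its level is
    numerically below console_loglevel; `dmesg -n 2` sets that to 2, so only
    emerg (0) and alert (1) still reach the console."""
    return level < console_loglevel


# Constructed sample config in the style of the notes above.
SAMPLE_CONF = """
mail.info           /var/log/maillog
mail.emerg          /var/log/messages
*.info;mail.none    /var/log/messages
kern.*              /var/log/kern.log
*.emerg             *
"""

if __name__ == "__main__":
    rules = parse_syslog_conf(SAMPLE_CONF)
    for fac, lvl in [("mail", "emerg"), ("mail", "notice"), ("cron", "debug"), ("kern", "warning")]:
        print(f"{fac}.{lvl:8} -> {route_message(rules, fac, lvl)}")
    rec = "<6>[    0.000000] Linux version (constructed record)"
    print("kernel level", kmsg_level(rec), "on console after dmesg -n 2:", console_shows(kmsg_level(rec), 2))
```

Running it shows why the two example lines in the notes send an emerg mail message to both /var/log/maillog and /var/log/messages, why a cron debug message matches nothing under this config, and why a level-6 (info) kernel record no longer reaches the console once the console log level is 2.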