1: Introduction to syslog.conf

The standard Unix logging system is configured in essentially the same way on every type of Unix. Apart from a few differing keywords, the syslog.conf format is the same from system to system. Syslog provides a configurable, unified logging program that accepts log requests from anywhere in the system at any time and then, according to the settings in /etc/syslog.conf, writes the log information to the corresponding file, mails it to a specific user, or sends it directly to the console as a message. It is worth noting that, to prevent intruders from modifying or deleting the information recorded in messages, you can log to a printer or use other methods to thwart the intruder's attempts.

2: Format of syslog.conf

Please refer to man 5 syslog.conf. Here is a brief introduction to syslog.conf. A configuration record in the /etc/syslog.conf file consists of two parts, the "selector" and the "action", which are separated by a tab character (using spaces is invalid). The selector is composed of one or more fields in the format "type.level", and the fields are separated from each other by semicolons.
As shown in the following line:

    type.level[;type.level] `TAB` action

2.1 Type

The "type" in a selector field indicates the source of the information, which can be:

    auth - the authentication system, that is, programs that ask for a username and password
    cron - information sent when the system scheduler (cron) executes scheduled tasks
    daemon - messages from system daemons, such as the log generated by in.ftpd
    kern - kernel syslog information
    lpr - printer syslog information
    mail - mail system syslog information
    mark - a timestamp program that sends messages at regular intervals
    news - syslog information of the news system
    user - syslog information of local user applications
    uucp - uucp subsystem syslog information
    local0..7 - local types of syslog information, which can be defined by the user
    * - represents all of the above types

2.2 Level

The "level" in a selector field represents the importance of the information and can be:

    emerg - Emergency; the system is in a panic state. Normally this should be broadcast to all users.
    alert - A condition that must be corrected immediately, for example a crashed system database.
    crit - A critical condition, for example a hardware failure.
    err - Other errors.
    warning - Warnings.
    notice - A report of a non-error condition that should nevertheless be handled specially.
    info - Informational messages.
    debug - Information produced when debugging a program.
    none - Usually used when debugging a program; it indicates that information generated by types given the level none does not need to be sent. For example, *.debug;mail.none means that all information except mail will be sent during debugging.

2.3 Actions

The "action" field indicates the destination to which the information is sent. It can be:

    /filename - A log file, named by its absolute path. This file must be created in advance.
    @host - A remote host; the @ symbol can be followed by an IP address or a domain name. By default, the alias loghost has been assigned to the local host in the /etc/hosts file.
    user1,user2 - Specified users.
      If a specified user is logged in, they will receive the message.
    * - All users. All logged-in users will receive the message.

3: Specific Examples

Let's look at an example from the /etc/syslog.conf file:

    …
    *.err;kern.debug;daemon.notice;mail.crit [TAB] /var/adm/messages
    …

The "action" in this line is the /var/adm/messages file we are often concerned with, and the sources of the information written to it, the "selector", are:

    *.err - all general error messages;
    kern.debug - debug information generated by the kernel;
    daemon.notice - daemon notice information;
    mail.crit - critical warning messages from the mail system.

4: syslog.conf content

The log files are managed by the system log daemon syslogd and the kernel log daemon klogd, whose default behavior is configured in the /etc/syslog.conf file. The log files are organized as described in that configuration file. The following is the content of the /etc/syslog.conf file:

    [root@localhost ~]# cat /etc/syslog.conf
    # Log all kernel messages to the console.
    # Logging much else clutters up the screen.
    #kern.*	/dev/console

    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    *.info;mail.none;authpriv.none;cron.none	/var/log/messages

    # The authpriv file has restricted access.
    authpriv.*	/var/log/secure

    # Log all the mail messages in one place.
    mail.*	-/var/log/maillog

    # Log cron stuff
    cron.*	/var/log/cron

    # Everybody gets emergency messages
    *.emerg	*

    # Save news errors of level crit and higher in a special file.
    uucp,news.crit	/var/log/spooler

    # Save boot messages also to boot.log
    local7.*	/var/log/boot.log

5: Version

The syslog mechanism is a logging method often used in Unix-like systems. It can record many kinds of log information produced while the system is running, classified by a combination of type and level, for example logs of kernel operation and logs of program output.
When developing for embedded systems, writing important runtime information from a program into the log is very helpful for debugging and error diagnosis. Important information includes key variables while the program is running, function results, error records, and so on. On embedded systems, debugging and diagnosis are extremely inconvenient because of limited system resources and cross-development. Using the syslog mechanism can greatly simplify these tasks.

Not all embedded systems can use syslog. First, the system must use a Unix-like operating system, the most common being Linux. Second, to support remote logging, the system must support network communication. Fortunately, most embedded systems today are based on Linux and support networking. The specific implementation is discussed below.

When compiling busybox, select the syslog applet and add busybox to the Linux file system. After the embedded system starts, you can configure the syslog client. The configuration of the syslog service process syslogd differs depending on the busybox version. Early versions of syslogd ignored the configuration items in the syslog.conf file and were configured directly with command-line parameters. Newer versions of syslogd support configuration through the syslog.conf file. You can view the help information with syslogd -h to determine what the current syslogd version supports.

When syslog.conf configuration is not supported, use command-line parameters directly and enter the following command to start syslogd:

    syslogd -n -m 0 -L -R 192.190.1.88

The -n option makes the process run in the foreground. The -m option specifies the interval between periodic mark messages. The -L option means that logging is also performed locally while remote logging is in use; without this option, only remote logging is performed. The -R option enables remote logging, which sends syslog logs to the target server. Here it is assumed that the IP address of the target server is 192.190.1.88.
If you do not specify a port, UDP port 514 is used by default, so make sure that this port on the server is not occupied by another program. After startup, all log information will be sent to the server's UDP port 514.

When syslog.conf configuration is supported, you only need to modify the configuration file. Add the following statement to the file:

    *.* @192.190.1.88

This configuration means that all syslog logs will be sent to the server 192.190.1.88, using the default UDP port. Because the syslog.conf configuration is relatively flexible, you can set it to filter out unnecessary information, specify a port, and so on. Please refer to the relevant directives in syslog.conf and study them on your own. Then start syslogd to perform remote logging.
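
Added example (not part of the original article): a small Python evaluator for the selector syntax from section 2, run against a constructed sample based on the section 4 listing, to show which destinations a given type.level reaches. The function names are hypothetical, and the rule that a later field overrides an earlier one for the same type is an assumption of this example.

```python
# Added example: evaluate syslog.conf selectors (section 2) against a message.
# Levels from section 2.2, most severe first.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample based on the listing in section 4; fields are tab-separated.
SAMPLE_CONF = "\n".join([
    "# Don't log private authentication messages!",
    "*.info;mail.none;authpriv.none;cron.none\t/var/log/messages",
    "authpriv.*\t/var/log/secure",
    "mail.*\t-/var/log/maillog",
    "cron.*\t/var/log/cron",
    "*.emerg\t*",
    "uucp,news.crit\t/var/log/spooler",
    "local7.*\t/var/log/boot.log",
])

def parse_rule(line):
    """Return ([(types, level), ...], action), or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    selector, action = line.split("\t", 1)  # tab-separated, as section 2 requires
    fields = []
    for field in selector.split(";"):
        types, level = field.rsplit(".", 1)
        if level not in LEVELS + ["*", "none"]:
            raise ValueError("unknown level: " + level)
        fields.append((types.split(","), level))
    return fields, action.strip()

def selects(fields, msg_type, msg_level):
    """Apply fields left to right; a later field overrides an earlier one
    for the types it names (assumption of this example)."""
    selected = False
    for types, level in fields:
        if "*" in types or msg_type in types:
            # type.level selects that level and anything more severe; none excludes
            selected = level != "none" and (
                level == "*" or LEVELS.index(msg_level) <= LEVELS.index(level))
    return selected

def destinations(conf_text, msg_type, msg_level):
    """List the actions that receive a message of msg_type.msg_level."""
    rules = filter(None, map(parse_rule, conf_text.splitlines()))
    return [action for fields, action in rules
            if selects(fields, msg_type, msg_level)]

if __name__ == "__main__":
    print(destinations(SAMPLE_CONF, "authpriv", "info"))
    print(destinations(SAMPLE_CONF + "\n*.*\t@192.190.1.88", "authpriv", "info"))
```

With the sample rules, authpriv messages reach only /var/log/secure; once the catch-all *.* @192.190.1.88 line is appended, the same messages are also forwarded to the remote host.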