1.111.3 Configure and use system log files to meet administrative and security needs Weight 3

Outline

1.111.3 Configure and use system log files to meet administrative and security needs Weight 3 Nick Urbanik Context Objectives

1.111.3 Configure and use system log files to meet administrative and security needs Weight 3
Linux Professional Institute Certification — 102

Nick Urbanik Context Objectives Configuring Syslog Rotating Log Files with logrotate Examining Log Files License Of This Document

Nick Urbanik <nicku@nicku.org>
This document Licensed under GPL—see section 6

Context Objectives Configuring Syslog syslog facility syslog levels syslog actions syslog.conf example

Rotating Log Files with logrotate Configuring logrotate Examining Log Files Log Messages How to search for particular events License Of This Document

Configuring Syslog Rotating Log Files with logrotate Examining Log Files License Of This Document

2005 November

Topic 111 Administrative Tasks [21]
Where we are up to

1.111.3 Configure and use system log files to meet administrative and security needs Weight 3 Nick Urbanik Context Objectives

Description of Objective
1.111.3 Configure and use system log files to meet administrative and security needs [3]

1.111.3 Configure and use system log files to meet administrative and security needs Weight 3 Nick Urbanik Context Objectives

1.111.1 Manage users and group accounts and related system files [4] 1.111.2 Tune the user environment and system environment variables [3] 1.111.3 Configure and use system log files to meet administrative and security needs [3] 1.111.4 Automate system administration tasks by scheduling jobs to run in the future [4] 1.111.5 Maintain an effective data backup strategy [3] 1.111.6 Maintain system time [4]

Configuring Syslog Rotating Log Files with logrotate Examining Log Files License Of This Document

Candidate should be able to configure system logs. This objective includes managing the type and level of information logged, manually scanning log files for notable activity, monitoring log files, arranging for automatic rotation and archiving of logs and tracking down problems noted in logs.

Configuring Syslog Rotating Log Files with logrotate Examining Log Files License Of This Document

Key files, terms, and utilities include:
1.111.3 Configure and use system log files to meet administrative and security needs [3]

1.111.3 Configure and use system log files to meet administrative and security needs Weight 3 Nick Urbanik Context Objectives Configuring Syslog

/etc/syslog.conf

1.111.3 Configure and use system log files to meet administrative and security needs Weight 3 Nick Urbanik Context Objectives Configuring Syslog
syslog facility syslog levels syslog actions

/etc/syslog.conf — configuration file for syslogd /var/log/* — where the log files are found logrotate — the program that “rotates” log files tail -f — the best way to watch log files as things happen

Rotating Log Files with logrotate Examining Log Files License Of This Document

syslog.conf example

Each line in /etc/syslog.conf contains comments that start with a ‘#’ or rules of the form: facility . level action

Rotating Log Files with logrotate Examining Log Files License Of This Document

syslog facility
shows where the log message comes from:

1.111.3 Configure and use system log files to meet administrative and security needs Weight 3 Nick Urbanik Context Objectives Configuring Syslog
syslog facility syslog levels syslog actions syslog.conf example

security threshhold beyond which messages are logged

1.111.3 Configure and use system log files to meet administrative and security needs Weight 3 Nick Urbanik Context Objectives

authpriv — security/authorization messages (private) cron — clock daemon (cron and at) daemon — system daemons without separate facility value ftp — ftp daemon kern — kernel messages local0. . . local7 — reserved for local use lpr — line printer subsystem mail — mail subsystem news — USENET news subsystem syslog — messages generated internally by syslogd user — generic user-level message uucp — UUCP subsystem See $ man 3 syslog ←

in decreasing importance: emerg — system is unusable alert — action must be taken immediately crit — critical conditions err — error conditions warning — warning conditions notice — normal, but significant, condition info — informational message debug — debug-level message

Configuring Syslog
syslog facility syslog levels syslog actions syslog.conf example

Rotating Log Files with logrotate Examining Log Files License Of This Document

Rotating Log Files with logrotate Examining Log Files License Of This Document

syslog actions

1.111.3 Configure and use system log files to meet administrative and security needs Weight 3 Nick Urbanik Context Objectives Configuring Syslog
syslog facility

syslog.conf example
# Log all kernel messages to the console. # Logging much else clutters up the screen. #kern.*

1.111.3 Configure and use system log files to meet administrative and security needs Weight 3 Nick Urbanik Context

/dev/console

Objectives Configuring Syslog

Can be: filename (with full pathname), or a hostname preceded with ‘@’, or a comma-separated list of users, or an asterisk ‘*’ meaning all logged in users

syslog levels syslog actions syslog.conf example

# Log anything (except mail) of level info or higher. # Don’t log private authentication messages! *.info;mail.none;news.none;authpriv.none;cron.none /var/log/messages # The authpriv file has restricted access. authpriv.* # Log all the mail messages in one place. mail.* # Log cron stuff cron.* # Everybody gets emergency messages *.emerg /var/log/secure

syslog facility syslog levels syslog actions syslog.conf example

Rotating Log Files with logrotate Examining Log Files License Of This Document

Rotating Log Files with logrotate Examining Log Files

/var/log/maillog

License Of This Document

/var/log/cron

*

# Save news errors of level crit and higher in a special file. uucp,news.crit /var/log/spooler

syslog.conf example — 2
# Save boot messages also to boot.log local7.*

1.111.3 Configure and use system log files to meet administrative and security needs Weight 3 Nick Urbanik Context Objectives

Rotating Log Files with logrotate

1.111.3 Configure and use system log files to meet administrative and security needs Weight 3 Nick Urbanik Context Objectives Configuring Syslog

/var/log/boot.log

# Note: the rawhide openldap /etc/init.d/ldap script starts slapd with Configuring Syslog # the -l daemon option, which was confusing. syslog facility # I added the option -l local5 to the (newly created) syslog levels syslog actions # /etc/sysconfig/ldap syslog.conf example local5.* -/var/log/slapd # local4.* # Now I’ve set log-facility local1; in dhcpd.conf local1.* # # INN # news.=crit news.=err news.notice daemon,kern.* /var/log/squid
Rotating Log Files with logrotate Examining Log Files

Log files grow rapidly Can grow to extreme sizes without rotation log rotation renames files and redirects logging to the new file: messages → messages.1 → messages.2 → messages.3 → messages.4 → delete Run logrotate from cron

Rotating Log Files with logrotate
Configuring logrotate

Examining Log Files License Of This Document

/var/log/dhcp-log

License Of This Document

/var/log/news/news.crit /var/log/news/news.err /var/log/news/news.notice /var/log/debug

logrotate configuration
Main configuration file is /etc/logrotate.conf . . . but most configuration belongs to the software packages, which put a file into directory /etc/logrotate.d/
$ cat /etc/logrotate.d/ldap ← # Nick 17 Aug 2003: copied from my /etc/logrotate.conf on ictlab: /var/log/slapd weekly create 0664 ldap ldap rotate 20 #postrotate # /etc/rc.d/init.d/ldap condrestart #endscript notifempty $ cat /etc/logrotate.d/syslog ← /var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron /var/log/debug sharedscripts weekly rotate 60 postrotate /bin/kill -HUP ‘cat /var/run/syslogd.pid 2> /dev/null‘ 2> /dev/null || true endscript

1.111.3 Configure and use system log files to meet administrative and security needs Weight 3 Nick Urbanik Context Objectives Configuring Syslog Rotating Log Files with logrotate
Configuring logrotate

Examining Log Files

1.111.3 Configure and use system log files to meet administrative and security needs Weight 3 Nick Urbanik Context Objectives Configuring Syslog

Examining Log Files License Of This Document

Many log files are readable by none but root: Simplest: $ sudo tail -f /var/log/messages ← $ sudo less /var/log/messages ←
within less, press F

Rotating Log Files with logrotate Examining Log Files
Log Messages How to search for particular events

License Of This Document

Using either method, new additions to the log file are shown

Log Messages
Each syslog message contains these fields:

1.111.3 Configure and use system log files to meet administrative and security needs Weight 3 Nick Urbanik Context Objectives Configuring Syslog Rotating Log Files with logrotate Examining Log Files
Log Messages How to search for particular events

Searching for particular events

1.111.3 Configure and use system log files to meet administrative and security needs Weight 3 Nick Urbanik Context Objectives Configuring Syslog Rotating Log Files with logrotate Examining Log Files

date and time — in local time on my machine hostname — of the machine that generated the message program or user — that generated the message, e.g., kernel, named, postfix, dhcpd, . . . message text

Can grep for messages relating to a particular program:
$ sudo grep dhcpd /var/log/messages ← Nov 14 06:30:13 nicku dhcpd: DHCPDISCOVER from 00:04:e2:2e:c3:d6 via eth0 Nov 14 06:30:13 nicku dhcpd: DHCPOFFER on 192.168.0.8 to 00:04:e2:2e:c3:d6 via eth0

Log Messages How to search for particular events

License Of This Document

License Of This Document

Topics Covered
Context Objectives Configuring Syslog syslog facility syslog levels syslog actions syslog.conf example Rotating Log Files with logrotate Configuring logrotate Examining Log Files Log Messages How to search for particular events License Of This Document

1.111.3 Configure and use system log files to meet administrative and security needs Weight 3 Nick Urbanik Context Objectives Configuring Syslog Rotating Log Files with logrotate Examining Log Files
Log Messages How to search for particular events

License Of This Document

1.111.3 Configure and use system log files to meet administrative and security needs Weight 3 Nick Urbanik Context Objectives Configuring Syslog

License Of This Document

Copyright c 2005 Nick Urbanik <nicku@nicku.org> You can redistribute modified or unmodified copies of this document provided that this copyright notice and this permission notice are preserved on all copies under the terms of the GNU General Public License as published by the Free Software Foundation—either version 2 of the License or (at your option) any later version.

Rotating Log Files with logrotate Examining Log Files License Of This Document