Shulou (Shulou.com) report, SLTechnology News & Howtos > Development, updated 2025-01-29
This article focuses on how to use syslog under Linux. The content is clearly laid out, well suited to beginners and worth reading; interested readers can follow along with the editor. I hope you gain something from it!
Syslog application
1) Overview
Syslog is the default logging daemon of Linux systems, and its default configuration file is /etc/syslog.conf. Programs, daemons and the kernel supply log messages to the system, so any program that wants to generate log output can call the syslog interface to produce it.
Almost all network devices can transmit log messages to a remote server over the syslog protocol using the User Datagram Protocol (UDP). The remote log server must run syslogd listening on UDP port 514; it handles incoming messages according to its syslog.conf configuration, receives the log messages of the sending systems, and writes the specified events to particular files for back-end database management and response. This means that any event can be logged on one or more servers, so that a back-end database can analyse events from remote devices offline.
Typically, syslog accepts messages from a variety of system facilities, each of which carries a severity level. The /etc/syslog.conf file tells syslogd how to report messages based on facility and severity.
2) /etc/syslog.conf
The /etc/syslog.conf file uses the following format:
facility.level    action
facility.level forms the selector and is split into two fields separated by a dot (.); the action is separated from facility.level by a TAB. The first field is the facility (a service) and the second is the priority. The selector is really a classification of message types, which makes it easy to send different kinds of messages to different places. More than one selector is allowed on the same configuration line, but they must be separated by semicolons (;). The action field is very flexible; in particular, a named pipe can be given so that syslogd's output is post-processed by another program.
Field analysis:
Facility specifies the syslog subsystem that generated the message; the main ones are:
kern: kernel messages, passed first through klogd
user: user processes
mail: mail
daemon: background processes
authpriv: authorization messages
syslog: syslog itself
lpr: printing messages
news: newsgroup messages
uucp: messages generated by uucp
cron: scheduler and task messages
mark: syslog-internal facility used to generate timestamps
local0 to local7: for use with custom programs, for example using local5 for ssh
*: wildcard representing all facilities except mark
Level specifies the syslog priority. The levels are as follows (all possible priorities, listed in order of severity, most severe first):
emerg or panic: the system is unusable (most urgent message)
alert: a condition that must be corrected immediately (emergency message)
crit: a critical condition that prevents a tool or subsystem from working (important message)
err: an error condition that hinders a tool or part of a subsystem (error message)
warning: warning (warning message)
notice: a normal but significant condition (ordinary but important message)
info: informational message (notification message)
debug: messages carrying only debugging information, nothing else about the function's condition or problems (debug level, the most verbose)
none: no importance; usually used to exclude a facility (no log messages are recorded)
*: all levels except none
Action (typical destinations; the standard log files are):
1. /var/log/lastlog: records the time of each user's last login, so when a user logs in, the time of his or her previous login is shown. Pay attention to this time: if it is not when you last logged in, your account may have been compromised. This file can be read with the /usr/bin/lastlog command.
2. /var/run/utmp: records the time each user logged into the system; the who, users, finger and similar commands read this file.
3. /var/log/wtmp: records each user's login and logout times; the last command reads this file. It also records shutdown and reboot actions.
4. /var/log/secure: login messages for the system
5. /var/log/maillog: records messages from sendmail, pop and related programs.
6. /var/log/cron: records crontab-related messages and timer information
7. /var/log/dmesg: displayed by /bin/dmesg; these are the screen messages from boot time.
8. /var/log/xferlog: records which addresses fetched which files via ftp.
9. /var/log/messages: most system messages are recorded here, including logins, password checks, failed logins, ftp, su and so on.
Levels defined for applications:
0: LOG_EMERG, emergency
1: LOG_ALERT, high-priority failure, such as a database crash
2: LOG_CRIT, serious error, such as a hardware failure
3: LOG_ERR, error
4: LOG_WARNING, warning
5: LOG_NOTICE, special condition that deserves attention
6: LOG_INFO, general information
7: LOG_DEBUG, debugging information
Levels defined in the kernel (set with the printk function):
0: KERN_EMERG, the system is unusable
1: KERN_ALERT, action must be taken immediately
2: KERN_CRIT, critical condition
3: KERN_ERR, error condition
4: KERN_WARNING, warning condition
5: KERN_NOTICE, normal but significant condition
6: KERN_INFO, informational
7: KERN_DEBUG, debug-level message
Example:
# '*' is a wildcard for any facility; 'none' means no priority of that facility is recorded.
*.info;mail.none;news.none;authpriv.none;cron.none    /var/log/messages
# Record authpriv messages of any level in /var/log/secure; these mainly concern authentication and privilege use.
authpriv.*    /var/log/secure
# Record mail facility messages of any level in /var/log/maillog (e-mail related).
mail.*    -/var/log/maillog
# Record cron facility messages of any level in /var/log/cron (tasks run on the system on a schedule).
cron.*    /var/log/cron
# Send emerg-level messages from any facility to all logged-in users.
*.emerg    *
# Record crit-level messages of the uucp and news facilities in /var/log/spooler.
uucp,news.crit    /var/log/spooler
# Record messages related to system startup in /var/log/boot.log.
local7.*    /var/log/boot.log
"mail.*" selects all mail messages, and "mail.!info" excludes those with info priority:
mail.*;mail.!info    /var/log/mail
The following rule writes messages with facility mail and severity err or higher to /var/log/mail.err; messages below err are ignored:
mail.err    /var/log/mail.err
Facility and level can use wildcards, and several can be specified, separated by commas:
auth,authpriv.*    /var/log/auth.log
Several facility.level combinations can be joined with semicolons. A minus sign in front of the file name means the log is not written to the file immediately but buffered and flushed under certain conditions; this improves performance but can lose data on a crash:
*.*;auth,authpriv.none    -/var/log/syslog
Syslog messages can be sent via UDP to port 514 of a syslog server:
*.err    @192.168.0.1
When an error occurs, write it to the console:
*.err    /dev/console
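To check which destinations a given message reaches under a set of rules like those above, here is an added example (not code from the page or from sysklogd) that evaluates sysklogd-style selectors: '*' and comma lists of facilities, 'level' meaning that level and more severe, '=level' for exactly one level, '!' to drop priorities, and 'none'. The CONFIG string is constructed from the rules shown above.

```python
"""Evaluate sysklogd-style syslog.conf selectors (added example, not from the page)."""
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + ["local%d" % i for i in range(8)]
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_rule(line):
    """Return ({facility: set of matching priority numbers}, action) for one line."""
    selectors, action = re.split(r"\s+", line.strip(), maxsplit=1)
    mask = {f: set() for f in FACILITIES}
    for sel in selectors.split(";"):               # selectors apply left to right
        facs, pri = sel.rsplit(".", 1)
        facs = FACILITIES if facs == "*" else facs.split(",")
        ignore = pri.startswith("!")               # '!' removes priorities
        single = pri.lstrip("!").startswith("=")   # '=' means exactly this priority
        name = pri.lstrip("!=")
        if name in ("none", "*"):
            wanted = set(range(8))
            ignore = ignore != (name == "none")    # 'none' clears, '*' sets all
        else:
            n = PRIORITIES.index(name)
            wanted = {n} if single else set(range(n + 1))  # level and more severe
        for f in facs:
            mask[f] = mask[f] - wanted if ignore else mask[f] | wanted
    return mask, action

def actions_for(config, facility, priority):
    """List the actions (files, @host, '*' for all users) that receive the message."""
    n = PRIORITIES.index(priority)
    hits = []
    for line in config.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            mask, action = parse_rule(line)
            if n in mask[facility]:
                hits.append(action)
    return hits

# Constructed config made of the rules shown above on this page
CONFIG = """\
*.info;mail.none;news.none;authpriv.none;cron.none    /var/log/messages
authpriv.*    /var/log/secure
mail.*    -/var/log/maillog
*.emerg    *
uucp,news.crit    /var/log/spooler
*.err    @192.168.0.1
mail.*;mail.!info    /var/log/mail
"""
```

Calling actions_for(CONFIG, "mail", "err") shows the effect of mail.none in the first rule: the message goes only to -/var/log/maillog and the remote server.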
Linux log management:
Kernel messages -> klogd -> syslogd -> /var/log/messages and other files
Other messages -> syslogd -> /var/log/messages and other files
Syslog configuration file -> /etc/syslog.conf
3) Calling the syslogd daemon
The syslog daemon is started by the /etc/rc.d/init.d/syslog script at run level 2, with no options by default. Two options, -r and -h, are useful.
If you are going to run a log server, you must start syslogd with -r. By default syslogd does not accept messages from remote systems; with -r it listens for UDP packets arriving on port 514.
If you also want the log server to forward log messages, use the -h flag. By default syslogd ignores /etc/syslog.conf entries that would make it forward messages received from one remote system to another.
4) The klogd daemon
The klogd daemon collects and records Linux kernel messages. Normally syslogd records everything klogd produces; if you start klogd with -f filename, however, klogd writes all messages to filename instead of passing them to syslogd. When another file is specified in this way, klogd writes messages of every level or priority to it. klogd has no configuration file comparable to /etc/syslog.conf. The advantage of using klogd this way rather than going through syslogd is that a large number of errors can be found, and if someone tampers with the kernel, klogd can be used to track down the error.
5) configure a central log server
1. Edit the /etc/sysconfig/syslog file.
Add the "-r" option to the "SYSLOGD_OPTIONS" line so that log messages from other hosts are accepted. If you do not want the central log server to resolve the FQDN of the other machines (because they lack DNS entries, or for other reasons), also add the "-x" option. You may also want to change the default interval of the timestamp (-- MARK --) messages to a more useful value such as 240, which writes a timestamp line to the log file every 240 minutes (6 times a day). The "-- MARK --" entries in the log file show that the syslog daemon on the central log server is still alive and not idle. The configuration line written according to the above should look like this:
SYSLOGD_OPTIONS="-r -x -m 240"
2. Restart the syslog daemon.
The change does not take effect until the syslog daemon is restarted. To restart only the syslog daemon rather than the whole system, execute one of the following two commands:
/etc/rc.d/init.d/syslog stop; /etc/rc.d/init.d/syslog start
/etc/rc.d/init.d/syslog restart
3. If an iptables firewall or TCP Wrappers is running on this machine, make sure it allows traffic on port 514 through; the syslog daemon uses UDP port 514.
4. Configure client machines for the central log server
Getting the client to send log messages to a central log server is not difficult. Edit /etc/syslog.conf on the client and point the action part of the relevant configuration line at the central log server with an "@" character, as shown below:
Another way is to define a host named "loghost" in DNS and make the corresponding change in the client's syslog configuration file (the advantage of this approach is that when the central log server is replaced by another machine, the syslog configuration file on each client no longer has to be modified).
Next, restart the syslog daemon on the client for the change to take effect. Clients should continue logging locally while sending messages to the central log server, if only so that the central log server does not have to be consulted when debugging the client, and to help debugging when something goes wrong with the central log server itself.
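As an added example for the server side of the procedure above (not code from the page or from sysklogd), here is a minimal collector that listens on UDP 514 like syslogd -r, decodes the <PRI> header that clients prepend to each datagram (PRI = facility * 8 + severity, the standard encoding; the facility codes assumed here are the standard ones, the page itself lists only the severities), and records the sender by IP address without a reverse DNS lookup, like -x. The sample datagram is constructed.

```python
"""Receive syslog datagrams on UDP 514 and decode the <PRI> header (added example)."""
import re
import socket

# Standard facility codes assumed here; the page lists severities 0-7 only.
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
                  5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
                  10: "authpriv", 11: "ftp", **{16 + i: "local%d" % i for i in range(8)}}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

def decode(datagram):
    """Return (facility, severity, message) or None if the PRI header is malformed.
    PRI = facility * 8 + severity, so facility = PRI >> 3 and severity = PRI & 7."""
    m = PRI_RE.match(datagram.decode("utf-8", "replace"))
    if not m or int(m.group(1)) > 191:            # 23 * 8 + 7 is the largest valid PRI
        return None
    pri = int(m.group(1))
    facility = FACILITY_NAMES.get(pri >> 3, "facility%d" % (pri >> 3))
    return facility, SEVERITY_NAMES[pri & 7], m.group(2).rstrip("\n")

def serve(bind="0.0.0.0", port=514, limit=None):
    """Print decoded datagrams as they arrive; binding port 514 requires root.
    Like syslogd -x, the sender is recorded by IP address with no reverse lookup."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    seen = 0
    while limit is None or seen < limit:
        data, (host, _) = sock.recvfrom(65535)
        seen += 1
        parsed = decode(data)
        if parsed is None:                        # keep evidence of bad input, but do not crash
            print("%s: dropped malformed datagram %r" % (host, data[:40]))
            continue
        facility, severity, msg = parsed
        print("%s %s.%s %s" % (host, facility, severity, msg))

# Constructed sample: what a client rule '*.err @server' would send for a mail.err event
SAMPLE = b"<19>Feb 24 13:24:34 localhost MyMsgMARK[16467]: test message"

if __name__ == "__main__":
    print(decode(SAMPLE))
```

Run serve() as root on the log server to watch live traffic; decode() alone can be used offline on captured datagrams.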
6) Functions related to syslog:
openlog, syslog and closelog form the set of syslog writing interfaces.
The sample program is as follows: syslog.c
// syslog.c
#include <syslog.h>

int main(int argc, char **argv)
{
    /* ident "MyMsgMARK" is prepended to each line; LOG_PID adds the process id and
       LOG_CONS falls back to the console if syslogd cannot be reached; facility 0
       leaves the default facility in place */
    openlog("MyMsgMARK", LOG_CONS | LOG_PID, 0);
    syslog(LOG_EMERG,
           "This is a syslog test message generated by program '%s'",
           argv[0]);
    closelog();
    return 0;
}
Compile and run:
[root@localhost liuxltest]# gcc -o syslog syslog.c
[root@localhost liuxltest]# ./syslog
[root@localhost liuxltest]#
Message from syslogd@ at Tue Feb 24 13:24:34 2009...
localhost MyMsgMARK[16467]: This is a syslog test message generated by program './syslog'
At the same time, the message can also be seen in /var/log/messages:
Feb 24 13:24:34 localhost MyMsgMARK[16467]: This is a syslog test message generated by program './syslog'
Function description:
The prototype of the openlog function is:
void openlog(const char *ident, int option, int facility);
This function opens a connection to the system logger; afterwards, the syslog or vsyslog function can be used to add messages to the system log.
Parameter description:
ident: a tag; the string ident is prepended to every log line to identify it, usually the name of the current program.
option: the bitwise OR of zero or more of LOG_CONS, LOG_NDELAY, LOG_NOWAIT, LOG_ODELAY,
LOG_PERROR and LOG_PID; see man openlog for each value:
LOG_CONS
Write directly to system console if there is an error while sending to system logger.
LOG_NDELAY
Open the connection immediately (normally, the connection is opened when the first message is logged).
LOG_PERROR
(Not in SUSv3.) Print to stderr as well.
LOG_PID
Include PID with each message.
facility: the type of program doing the logging.
The prototype of the closelog function is:
void closelog(void);
This function closes the connection opened by openlog.
The prototype of the syslog function is:
void syslog(int priority, const char *format, ...);
This function sends a log message to the syslogd system daemon for recording.
Parameter description:
priority: the urgency level of the message
format: the format of the message, followed by the arguments corresponding to the format, exactly as with the printf function.
Application:
If a program wants to use the syslog facility, it only needs to call openlog to connect to syslogd when it starts, and can then write log entries with syslog at any time.
In addition, syslog-ng is a newer tool that serves as an alternative to syslog; it has strong network capabilities and makes it easy to collect the logs of several machines on a central log server.