Configure linux syslog Log Server

2025-01-28 Update From: SLTechnology News&Howtos


Currently, Linux still uses syslogd as its log daemon, and the older sysklogd suite is still the log server package shipped by mainstream distributions. As the earlier log example showed, a sensible configuration saves a great deal of trouble and makes it much easier to monitor the state of the system from its logs, so understanding and tuning the syslog configuration is particularly important for system administrators.

I. Configuration files

Take Red Flag DC Server 5.0 as an example; its default log server is the sysklogd suite:

# rpm -qa | grep sysklogd

sysklogd-1.4.1-26_EL

There are two main configuration files:

/etc/sysconfig/syslog

This file defines the parameters passed to syslogd when the syslog service starts.

/etc/syslog.conf

This is the main configuration file of the syslog service; it routes log messages according to the rules defined in it.

II. Setting up the main configuration file

/etc/syslog.conf defines rules in the following format:

facility.level action

that is, "device.priority action".

The facility.level field is also called the selector (selection condition); the selector and the action are separated by a space or a tab.

A line beginning with # is a comment, and blank lines are skipped automatically.

1. Facility

The facility identifies the source of a log message. The keywords that can be used are:

auth - authentication activity, as reported by pam_pwdb.

authpriv - authentication activity that includes privileged information such as user names.

cron - messages from the scheduled-task services cron and at.

daemon - messages from system daemons such as inetd.

kern - kernel messages, which pass through klogd first.

lpr - messages from the printing service.

mail - messages from the mail system.

mark - used internally by syslog to generate timestamp messages.

news - messages from the news server.

syslog - messages generated by syslog itself.

user - messages generated by user programs.

uucp - messages generated by uucp.

local0-local7 - for use with custom programs.

* - wildcard matching all facilities except mark.

Apart from mark, which is for internal use, security is an old keyword equivalent to auth and is no longer recommended.

2. Level

The level defines the urgency of a message. In descending order of severity they are:

emerg - the system is unusable; equivalent to panic.

alert - a condition that must be corrected immediately.

crit - a critical condition that prevents certain tools or subsystems from functioning.

err - an error condition that prevents some functions of a tool or subsystem from working; equivalent to error.

warning - a warning message; equivalent to warn.

notice - a normal but significant condition.

info - an informational message.

debug - debugging output with detailed information about a program's internal state or a problem.

none - no priority level; usually used to exclude a facility from a rule.

* - all levels except none.

panic, error and warn are old identifiers and are no longer recommended.

When defining levels, two points need attention:

1) The priority is decided by the application when it is written; a message's priority cannot be changed unless the source code is modified and recompiled.

2) A lower priority includes all higher ones: directing an application's info messages to a log also covers its notice, warning, err, crit, alert and emerg messages (unless the = modifier is used).

3. Selector

Joining facility and level with a period "." forms a selector (selection condition).

Several selectors can be given at once, separated by semicolons ";". Three modifiers are also supported:

* - all log messages

= - equals: only messages of exactly this priority

! - not equal: all messages except this priority

4. Action

Log messages matched by the preceding selector can be given one of the following actions:

file - the absolute path of a log file. By default each message is written straight to the disk file. Putting a minus sign "-" before the path buffers messages in memory first and writes them to disk once a certain amount has accumulated, which improves performance, but if the machine fails in the meantime the buffered log data is lost. It is therefore recommended only for high-volume, non-essential logs such as mail.

terminal or printer - a serial or parallel device, such as /dev/ttyS2.

@host - a remote log server.

username - write the message to the terminal of the named user on the local machine; the user must be logged in.

named pipe - the absolute path of a FIFO created beforehand with the mkfifo command.

Note that logs cannot be piped to a script for processing with "| /var/xxx.sh".

5. Examples

For example:

*.info;mail.none;news.none;authpriv.none;cron.none /var/log/messages

# write all messages of level info and above, except those from mail, news, authpriv and cron, to the messages file.

mail,news.=info -/var/adm/info

# write only info-level messages from mail and news to the info file, nothing else; buffer them in memory first and write them out once enough have accumulated.

mail.*;mail.!=info /var/adm/mail

# write all mail messages except info-level ones to the mail file.

mail.=info /dev/tty12

# send info-level mail messages only to the terminal device tty12.

*.alert root,joey

# if the users root and joey are logged in, notify them of all alert messages.

*.* @finlandia

# send all messages to the host finlandia (its IP address is resolved through /etc/hosts or DNS).

Note: every message is passed through all of the rules; matching does not stop at the first one.

That is, if a mail.=info message passes through the rules defined above, /var/adm/info, /var/adm/mail, /dev/tty12 and even the host finlandia will all receive the same message. This looks redundant, but the advantage is that it preserves the complete information and lets it be analysed in different places.
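As an added example (not code from the original article), the following Python model parses rules in the syslog.conf format described above and lists every action a given message reaches: selectors are applied left to right per facility, the =, ! and none modifiers are honoured, and every rule is evaluated rather than only the first match. The article's example rules are embedded as a constructed sample, with the third rule taken as mail.*;mail.!=info; note that because that selector excludes info from /var/adm/mail, a mail.info message does not actually reach that file.

```python
import re
# Severities, most to least urgent, as syslog.conf(5) lists them; old names map to current ones.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning", "security": "auth"}
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "mark",
              "news", "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]

def _norm(name):
    name = name.strip().lower()
    return ALIASES.get(name, name)

def parse_rule(line):
    """One rule -> (per-facility set of matching levels, action); None for comments/blanks."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    selectors, action = re.split(r"\s+", line, maxsplit=1)
    # Selectors split by ';' are applied left to right to a per-facility mask, which is
    # why 'mail.none' after '*.info' switches the mail facility off again.
    mask = {f: set() for f in FACILITIES}
    for sel in selectors.split(";"):
        facs, lvl = sel.rsplit(".", 1)
        negate, exact = lvl.startswith("!"), "=" in lvl
        lvl = _norm(lvl.lstrip("!="))
        # A level means itself plus everything more urgent unless '=' was given;
        # '*' is every level and 'none' subtracts every level from the facility.
        wanted = (set(LEVELS) if lvl in ("*", "none")
                  else {lvl} if exact else set(LEVELS[: LEVELS.index(lvl) + 1]))
        negate = negate or lvl == "none"
        # '*' as the facility covers every facility except the internal mark facility
        targets = ([f for f in FACILITIES if f != "mark"] if facs.strip() == "*"
                   else [_norm(f) for f in facs.split(",")])
        for f in targets:
            mask[f] = mask[f] - wanted if negate else mask[f] | wanted
    return mask, action

def route(conf_text, facility, level):
    """All actions a (facility, level) message reaches: every rule is tried, not just the first."""
    rules = [r for r in (parse_rule(l) for l in conf_text.splitlines()) if r]
    return [act for mask, act in rules if _norm(level) in mask.get(_norm(facility), set())]

# Constructed sample: the article's example rules, third line restored as mail.*;mail.!=info
SAMPLE_CONF = """
*.info;mail.none;news.none;authpriv.none;cron.none  /var/log/messages
mail,news.=info     -/var/adm/info
mail.*;mail.!=info  /var/adm/mail
mail.=info          /dev/tty12
*.alert             root,joey
*.*                 @finlandia
"""
```

Calling route(SAMPLE_CONF, "mail", "info") returns the three destinations for that message, and route(SAMPLE_CONF, "user", "notice") shows where the logger test in section 6 ends up.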

6. Testing

Sometimes the actual effect of the rules above differs from what the definition was expected to produce. The logger program can then help with testing:

# logger -p user.notice 'Hello World!'

The log shows:

Nov 12 13:40:04 dc5test root: Hello World!

The columns mean the following:

First column: the time the log entry was generated

Second column: the name of the host that generated the entry

Third column: the name of the application or user that generated the entry

Fourth column: the log message

7. Customizing the log level

As mentioned earlier, an application's log level is decided by the application itself. Some applications can be configured to set their own facility and level.

For example, /etc/ssh/sshd_config contains:

# SyslogFacility AUTH

SyslogFacility AUTHPRIV

# LogLevel INFO

This makes sshd log at the authpriv.info level. Together with the syslog.conf rule:

authpriv.* /var/log/secure

sshd's log is written to the /var/log/secure file.

If we change it to:

SyslogFacility local0

and add the matching rule to syslog.conf:

local0.* /var/log/sshd.log

then, after saving and restarting the sshd and syslog services, all logs from the sshd service are placed in the separate file sshd.log.

III. Setting service parameters

By default the syslogd process does not accept messages from other hosts. By modifying its startup parameters, logs from many machines can be centralized on one server.

Edit the /etc/sysconfig/syslog file:

-r: accept log messages from remote hosts; syslogd then listens on UDP port 514.

-x: do not resolve the FQDN of the remote log sender, which avoids trouble caused by incomplete DNS.

-m: set the interval, in minutes, of syslog's internal mark messages (0 turns them off). For example, 240 writes a "-- MARK --" line every 240 minutes.

-h: by default syslogd does not forward messages received from remote hosts to other hosts. With this option the forwarding switch is turned on, and all received messages are relayed according to the @host actions defined in syslog.conf.

More detailed help is available through man syslogd. The actual configuration line is:

SYSLOGD_OPTIONS="-r -x -m 0"

After saving, restart the service:

# service syslog restart

At this point a client can send its log messages to the server by defining an action of @host or @IP in its own syslog.conf.

(When building a centralized log server, be sure to also run the NTP time service so that log timestamps are reliable and unnecessary trouble is avoided.)

In addition, the /etc/sysconfig/syslog configuration file defines the startup parameters of the klogd service:

KLOGD_OPTIONS="-x"

For more help, please refer to man 8 klogd or man klogd.

