Lesson 13

Date: 7/3/2017
Application security and Intrusion detection
Linux System Administration

System logs

  • Deamon rsyslogd (syslogd on older systems) recieves info from running services about their status and stores it in log files. What they log and where is defined in config file /etc/rsyslog.d/50-default.conf (/etc/rsyslog.conf on CentOS):
    auth,authpriv.*	        /var/log/auth.log
    *.*;auth,authpriv.none	-/var/log/syslog
    #cron.*	                /var/log/cron.log
    daemon.*               -/var/log/daemon.log
    kern.*	              -/var/log/kern.log
    lpr.*                 -/var/log/lpr.log
    mail.*                -/var/log/mail.log
    user.*                -/var/log/user.log
    mail.info            -/var/log/mail.info
    mail.warn            -/var/log/mail.warn
    mail.err              /var/log/mail.err
    news.crit             /var/log/news/news.crit
    news.err              /var/log/news/news.err
    news.notice          -/var/log/news/news.notice
    	*.=notice;*.=warn  |/dev/xconsole

  • The first colomn specifies the facility and priority level.
    The facility is one of the following keywords:
    auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, syslog, user, uucp, local0 -- local7.
    The priority is one of the following keywords, in ascending order:
    debug, info, notice, warning, err, error, crit, alert, emerg.
  • The second colomn specifies where the logs are directed. The two colomns are separated by < TAB >
  • Every time when /etc/rsyslog.d/50-default.conf (or /etc/rsyslog.conf) is modified, rsyslogd daemon should re-read the configuration:
    systemctl restart rsyslog

  • Take me to the Course Website