CENT 305 Information Systems Security Overview of System Logging syslog 1.

Date post: 03-Jan-2016
Upload: donald-poole

Transcript
Page 1

CENT 305 Information Systems Security

Overview of System Logging

syslog

Page 2

System Logging (syslog) Services

Central service for system logging provided by Linux/UNIX.
◦ The syslog service provides the system logging function.
◦ Many services log activities in their own logs, or use the system log.

System logs, in the /var/log/ directory, track system-level events.
◦ Used for troubleshooting and auditing.
◦ Security measure: review logs!

syslog is used by many services to log events.
◦ The new syslog program is now syslog-ng.
◦ The related configuration files are:
    /etc/sysconfig/syslog
    /etc/syslog-ng/syslog-ng.conf
◦ The syslog service accepts messages from system services and logs them.

Page 3

/etc/sysconfig/syslog File (man syslog.conf)

General parameters applicable to syslog-ng as well as the traditional syslog service.
◦ These parameters are evaluated by the startup script: /etc/init.d/syslog

Page 4: CENT 305 Information Systems Security Overview of System Logging syslog 1.

syslog-ng.conf File syslog-ng.conf File ((man 5 syslog-ng.confman 5 syslog-ng.conf))4 kinds of entries

◦ source definitions defines sources for system log messages default is internal() which gets messages from the

syslog process we won't focus on the sources

◦ filter definitions (need to know) defines the rules for what actions should be

logged◦ destination definitions (need to know)

defines where to send the logged information file, pipe, tcp host, udp host, etc.

◦ Log paths (need to know)• Rules that link a message source, filter and destination

Global options entry◦ sets default options for all logs 4

Page 5

Syslog Parameters

Parameters common to both syslog and syslog-ng configuration are:
◦ Facilities (or categories)
◦ Priorities (or levels)

Page 6

syslog Facilities (man syslog)

Facility
◦ the subsystem that provides the message.
◦ each program is assigned to a category or facility.
◦ Used in filter definitions

Page 7

syslog Priorities

Designates the urgency of the message. Listed below from lowest priority to highest.
◦ lower priority levels produce more log entries!
◦ Used in filter definitions

Page 8

Sources (man 5 syslog-ng.conf)

Source driver definitions
◦ Collect messages using a given method
◦ Used to gather log messages from a particular "source"

    # 'src' is our main source definition. you can add more source driver
    # definitions to it, or define your own sources, i.e.:
    #source my_src { .... };
    #
    source src {
        #
        # include internal syslog-ng messages
        # note: the internal() source is required!
        #
        internal();
        #
        # the default log socket for local logging:
        #
        unix-dgram("/dev/log");
        #
        # uncomment to process log messages from network:
        #
        #udp(ip("0.0.0.0") port(514));
    };

Page 9

Filter Definitions (man 5 syslog-ng.conf)

Boolean expressions that are applied to messages and evaluated as true or false.

Example:
    filter f_iptables { facility(kern) and match("IN=") and match("OUT="); };

Syntax:
    filter name { boolean expression; };

Things you can test for:
◦ Facility - facility(facility name)
◦ Priority or Level - level(level)
◦ Match contents of message - match(regexp)
◦ Another filter - filter(filtername)

Page 10

Destinations (man 5 syslog-ng.conf)

Destinations define where messages can be logged.

Example:
    destination firewall { file("/var/log/firewall"); };

Syntax:
    destination destname { dest_definition; };

Destinations you can use include:
◦ Files - file(filename)
◦ Pipes - pipe(filename)
◦ Users, if logged in - usertty("username")
◦ TCP hosts - tcp(tcp_hostname)
◦ UDP hosts - udp(udp_hostname)

Page 11

Log Path Definitions (man 5 syslog-ng.conf)

Log Paths link a message source with a specified filter and a specified destination.

Example:
    log { source(src); filter(f_iptables); destination(firewall); };

Syntax:
    log { source(src_name); filter(filtername); destination(destname); };
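To make the filter, destination and log-path entries of the last three slides concrete, here is an added Python model of how a log path ties them together. It is example code written for this page, not anything from the slides or from syslog-ng itself: filters are predicates built from facility(), level(), match() and filter(), destination names stand in for the files a destination { file(...) } would write, and route() plays the daemon's role. Only f_iptables and the firewall destination come from the slides; the other filter names, the log paths and the message records are constructed for the example. The two level() filters also show the point from the priorities slide: a lower threshold (info..emerg) admits more entries than a higher one (warning..emerg).

```python
import re

# Severity names in syslog order, most verbose first, so that syslog-ng's
# level(low..high) range can be checked by list index.  Selecting a lower
# level (e.g. info..emerg) admits a superset of a higher one (warning..emerg).
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Filter building blocks, modelled on the tests listed on the filter slide.
# Each returns a predicate over a message dict shaped like
# {"facility": "kern", "level": "warning", "msg": "..."}.
def facility(*names):
    return lambda m: m["facility"] in names

def level(spec):
    """level(name) or level(low..high), mirroring syslog-ng's range syntax."""
    lo, _, hi = spec.partition("..")
    low, high = LEVELS.index(lo), LEVELS.index(hi or lo)
    return lambda m: low <= LEVELS.index(m["level"]) <= high

def match(pattern):
    rx = re.compile(pattern)          # match(regexp) searches the message text
    return lambda m: rx.search(m["msg"]) is not None

def filter_ref(table, name):
    # filter(filtername): reuse another named filter, looked up when evaluated
    return lambda m: table[name](m)

def f_and(*preds):
    return lambda m: all(p(m) for p in preds)

def f_not(pred):
    return lambda m: not pred(m)

def route(messages, filters, log_paths):
    """Apply every log path (filter name, destination) to every message and
    return {destination: [message text, ...]}: what each file would receive."""
    out = {dest: [] for _, dest in log_paths}
    for m in messages:
        for fname, dest in log_paths:
            if filters[fname](m):
                out[dest].append(m["msg"])
    return out

# Constructed sample messages for the demonstration (not real log data).
SAMPLE = [
    {"facility": "kern", "level": "warning",
     "msg": "IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP DPT=22"},
    {"facility": "kern", "level": "info",
     "msg": "usb 1-1: new high-speed USB device number 3"},
    {"facility": "authpriv", "level": "notice",
     "msg": "sshd[2201]: Accepted publickey for alice from 192.0.2.50"},
    {"facility": "cron", "level": "debug",
     "msg": "(root) CMD (run-parts /etc/cron.hourly)"},
]

FILTERS = {}
# The slide's example: kernel messages carrying both IN= and OUT= (iptables).
FILTERS["f_iptables"] = f_and(facility("kern"), match("IN="), match("OUT="))
# Everything else from the kernel, expressed with filter() to reuse f_iptables.
FILTERS["f_kern_other"] = f_and(facility("kern"), f_not(filter_ref(FILTERS, "f_iptables")))
FILTERS["f_auth"] = facility("auth", "authpriv")
FILTERS["f_warn_up"] = level("warning..emerg")   # high threshold: few entries
FILTERS["f_info_up"] = level("info..emerg")      # lower threshold: more entries

# Log paths: (filter name, destination), the slide's "log { ... };" entries.
# The destination names are the files a destination { file(...) } would write.
LOG_PATHS = [
    ("f_iptables",   "/var/log/firewall"),
    ("f_kern_other", "/var/log/kernel"),
    ("f_auth",       "/var/log/secure"),
    ("f_warn_up",    "/var/log/warnings"),
    ("f_info_up",    "/var/log/messages"),
]

def demo():
    return route(SAMPLE, FILTERS, LOG_PATHS)

if __name__ == "__main__":
    for dest, lines in demo().items():
        print(f"{dest}: {len(lines)} message(s)")
        for line in lines:
            print("    " + line)
```

Running the block shows the iptables line landing in /var/log/firewall, the USB line in /var/log/kernel, the sshd line in /var/log/secure, one entry in /var/log/warnings but three in /var/log/messages; only the cron debug line is dropped by every path, which is what "lower priority levels produce more log entries" means in practice.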

Page 12

System Log File

/var/log/messages
◦ Default system log
◦ Used by many services
◦ tail -f /var/log/messages

Other daemons also store messages in other files in the /var/log/ directory.

Page 13

Examples of System and Custom Log Files

Purpose                                                            Log File Name
Default system log file                                            /var/log/messages
System log file for sensitive information (e.g., authentication)   /var/log/secure
FTP server transaction log                                         /var/log/xferlog
Web Server transaction log                                         /var/log/httpd/access_log
Web Server error log                                               /var/log/httpd/error_log
CUPS print service transactions                                    /var/log/cups/access_log
CUPS print service errors                                          /var/log/cups/error_log
Samba SMB server logs                                              /var/log/samba

Page 14

logger Utility

Allows administrators to generate log messages.
◦ Used for syslog debugging and testing
◦ Used for reporting conditions within shell scripts.

Syntax: logger [-is] [-p pri] [-t tag] message

Switches
◦ -i      Includes the PID with the message
◦ -s      Duplicate the message to standard error
◦ -p pri  Specify a facility.priority pair. Default is user.notice
◦ -t tag  Short label to include with the message, such as the name of the application

Example: logger -is -p syslog.notice -t SYSLOG syslog test
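The facility and priority parameters (slides 5 to 7) and the logger command on this slide meet in the PRI field that begins every syslog line: PRI = facility * 8 + severity, using the numeric codes from RFC 3164. As an added Python example (written for this page, not part of the slides or of logger itself), the block below encodes and decodes PRI, parses a logger-style facility.priority argument, builds the line that `logger -is -p syslog.notice -t SYSLOG syslog test` would hand to the daemon, and parses a received line back into named fields. The hostname, PID and timestamp are constructed placeholders; the other parsed sample is the example line from RFC 3164, section 5.4.

```python
import re
from datetime import datetime

# Facility and severity codes from RFC 3164 (the same numbering as <syslog.h>).
# A message's PRI field combines them as PRI = facility * 8 + severity.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
FACILITY_BY_CODE = {code: name for name, code in FACILITIES.items()}
# List index is the numeric severity: 0 (emerg) is most urgent, 7 (debug) least.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

def parse_pri_pair(pair, default="user.notice"):
    """Turn a logger-style facility.priority argument into numeric codes.
    A bare priority keeps the default facility, as logger(1) does."""
    if "." in pair:
        fac, sev = pair.split(".", 1)
    else:
        fac, sev = default.split(".", 1)[0], pair
    return FACILITIES[fac], SEVERITIES.index(sev)

def encode_pri(facility_code, severity_code):
    return facility_code * 8 + severity_code

def decode_pri(pri):
    # Integer division and remainder recover the two fields from the combined value.
    fac = FACILITY_BY_CODE.get(pri // 8, f"unknown({pri // 8})")
    return fac, SEVERITIES[pri % 8]

def build_message(text, pri="user.notice", tag="logger", pid=None, host="host", when=None):
    """Compose the RFC 3164 line equivalent to `logger -p PRI -t TAG [-i] TEXT`.
    The -i switch is modelled by passing pid, which is appended to the tag as tag[pid]."""
    fac, sev = parse_pri_pair(pri)
    when = when or datetime(2016, 1, 3, 12, 0, 0)   # fixed placeholder time for repeatable output
    stamp = f"{MONTHS[when.month - 1]} {when.day:2d} {when:%H:%M:%S}"  # day is space-padded
    tag_part = f"{tag}[{pid}]" if pid is not None else tag
    return f"<{encode_pri(fac, sev)}>{stamp} {host} {tag_part}: {text}"

# <PRI>, TIMESTAMP, HOSTNAME, TAG[PID]: MSG  (RFC 3164 layout)
LINE_RE = re.compile(
    r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\[\s]+)(?:\[(\d+)\])?: (.*)$"
)

def parse_message(line):
    """Split a raw syslog line into fields and name its facility and severity."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 syslog line: {line!r}")
    pri, stamp, host, tag, pid, text = m.groups()
    facility, severity = decode_pri(int(pri))
    return {"facility": facility, "severity": severity, "timestamp": stamp,
            "host": host, "tag": tag, "pid": int(pid) if pid else None, "msg": text}

if __name__ == "__main__":
    # The slide's command: logger -is -p syslog.notice -t SYSLOG syslog test
    line = build_message("syslog test", pri="syslog.notice", tag="SYSLOG", pid=4242)
    print(line)   # <45>Jan  3 12:00:00 host SYSLOG[4242]: syslog test
    print(parse_message(line))
    # The example message given in RFC 3164, section 5.4
    print(parse_message("<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"))
```

syslog.notice encodes to 45 (5 * 8 + 5), and the RFC example's 34 decodes to auth.crit; when reviewing /var/log/secure or a collector's raw feed, decoding PRI this way is how to tell which subsystem and urgency a line was sent with, independent of whatever text the program put in the message body.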

