Syslog Description, Handling and Scripts


Logging Differences Among Some Systems

The latest version of each system is assumed unless otherwise specified.

FreeBSD

Syntax Excerpt:

*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
security.*               /var/log/security
auth.info;authpriv.info  /var/log/auth.log
cron.*                   /var/log/cron
  • There is no syslog log file on FreeBSD
  • There is no kern.log log file on FreeBSD
  • daemon.log is disabled by default


Ubuntu

Syntax Excerpt:

auth,authpriv.*         /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.*                 /var/log/cron.log
#daemon.*              -/var/log/daemon.log
kern.*                 -/var/log/kern.log
  • Ubuntu (since natty 11.04, 2011) no longer uses /var/log/messages, and stores messages from every facility (*.*) in /var/log/syslog
  • daemon.log is disabled by default
  • cron.log is disabled by default
  • any other facility log you may enable is actually an extract of /var/log/syslog


Debian

I couldn’t find the default configuration for facilities, but one can bet they are the same as for its derivative Ubuntu.


Sun Solaris 11

Example configuration:

*.notice             /var/log/notice
mail.info            /var/log/notice
*.crit               /var/log/critical
kern,mark.debug      /dev/console
kern.err             @server
*.emerg              *
*.alert              root,operator
*.alert;auth.warning /var/log/auth
  • Solaris uses different system logs named /var/adm/messages.*
  • It has to be noted that emergency messages are logged everywhere, even on the console
  • auth.log is named auth
  • messages log is found in /var/adm/messages
  • syslog log is found in /dev/sysmsg
  • There is no kern.log log file on Solaris
  • cron does not log anything unless you activate and configure it.


IBM AIX 5.1 – 7.1

Important difference: until AIX version 6.1, by default, an AIX system does no syslogging at all. For some reason, a default AIX install places no entries in /etc/syslog.conf, so syslogd has no configuration whatsoever. Therefore, any syslogd configuration you come across on such a system is hand-written locally.

Starting with IBM AIX version 6.1, AIX has at least 3 logging facilities and 1 auditing facility. Logging facilities are:

  • syslog
  • errlog
  • alog

Syslogd is not enabled by default. Another daemon, errdemon, handles the error logs.

  • When syslogd is enabled, there are no rules. You can either follow RFC-5424 or implement your own company policy rules.
  • If using RFC-5424, system logs are handled by syslogd and the configuration file is the classic /etc/syslog.conf
  • This may have changed since AIX version 7.2, I am not up to date and IBM is also evolving.

The set of rules below is a real-world example from a governmental company, written entirely from scratch and used on versions 5.1 to 6.1:

user.debug     /var/log/user.log
*.warning      /var/log/messages rotate size 50000k time 1w files 2 compress
syslog.notice -/dev/null

# The authpriv file has restricted access.
authpriv.debug /var/log/secure
auth.debug     /var/log/auth.log
auth.info      /var/log/auth.log rotate size 50000k time 1w files 20 compress

# Kernel logging
kern.debug     /var/log/kernel/info
kern.warn      /var/log/kernel/warnings
kern.err       /var/log/kernel/errors

# Everybody gets emergency messages
*.emerg *
  • On production servers, notice messages are discarded (syslog.notice is sent to /dev/null)
  • kern.log actually goes to /var/log/kernel/*
  • messages log actually contains only warning and above level messages
  • crond has its own log under /var/adm/cron/log
  • error logs are handled by another daemon: errdemon, and go to /var/adm/ras/errlog
  • Syslog log files must exist before syslogd will write to them.
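To make the selector semantics behind these excerpts concrete, here is an added example (my own code, not taken from the post or from any system's syslogd sources): a small Python interpreter for the BSD-style `facility.priority  target` syntax, loaded with the FreeBSD, Ubuntu, Solaris and AIX excerpts above, that answers which targets a given message reaches on each system. It assumes classic syslogd semantics only (a selector matches its priority and everything more severe, later selectors on a line override earlier ones, every matching line fires, a leading `-` and trailing AIX rotate options are dropped); rsyslog property filters and other extensions are out of scope.

```python
"""Resolve where a syslog message lands under a classic BSD-style syslog.conf.

Semantics implemented (classic syslogd, assumed here, not taken from any vendor):
  * a selector matches the named priority and everything more severe;
  * `facility.none` removes that facility from an earlier selector on the
    same line (later selectors on a line override earlier ones);
  * `*` as facility or priority means "all";
  * every matching line fires; syslogd does not stop at the first hit;
  * a leading `-` (asynchronous write) is stripped from the target;
  * anything after the target (AIX `rotate ...` options) is dropped;
  * `#` comments and blank lines are skipped.
"""
from __future__ import annotations

PRIORITIES = {"emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
              "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7}

Selector = tuple[list[str], str]   # (facilities, priority)
Rule = tuple[list[Selector], str]  # (selectors, target)


def parse_conf(text: str) -> list[Rule]:
    """Parse syslog.conf text into (selectors, target) rules."""
    rules: list[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            raise ValueError(f"rule without target: {raw!r}")
        # parts[2:] would be AIX rotate options; they do not affect routing
        selector_text, target = parts[0], parts[1].lstrip("-")
        selectors: list[Selector] = []
        for sel in selector_text.split(";"):
            facs, dot, pri = sel.rpartition(".")
            pri = pri.lower()
            if not dot or (pri not in PRIORITIES and pri not in ("*", "none")):
                raise ValueError(f"bad selector {sel!r} in {raw!r}")
            selectors.append(([f.strip() for f in facs.split(",")], pri))
        rules.append((selectors, target))
    return rules


def route(rules: list[Rule], facility: str, priority: str) -> list[str]:
    """Targets, in file order, that receive a message of facility.priority."""
    level = PRIORITIES[priority]
    targets: list[str] = []
    for selectors, target in rules:
        matched = False
        for facilities, pri in selectors:
            if "*" not in facilities and facility not in facilities:
                continue
            if pri == "none":
                matched = False                      # explicit exclusion
            elif pri == "*":
                matched = True
            else:
                matched = level <= PRIORITIES[pri]   # lower number = more severe
        if matched:
            targets.append(target)
    return targets


# Excerpts quoted from the sections above (AIX and Solaris trimmed to a subset).
FREEBSD = """\
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
security.*               /var/log/security
auth.info;authpriv.info  /var/log/auth.log
cron.*                   /var/log/cron
"""
UBUNTU = """\
auth,authpriv.*         /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.*                 /var/log/cron.log
#daemon.*              -/var/log/daemon.log
kern.*                 -/var/log/kern.log
"""
SOLARIS = """\
*.notice             /var/log/notice
*.crit               /var/log/critical
kern,mark.debug      /dev/console
kern.err             @server
*.emerg              *
"""
AIX = """\
*.warning      /var/log/messages rotate size 50000k time 1w files 2 compress
syslog.notice -/dev/null
auth.info      /var/log/auth.log rotate size 50000k time 1w files 20 compress
*.emerg *
"""

if __name__ == "__main__":
    for name, conf in (("FreeBSD", FREEBSD), ("Ubuntu", UBUNTU),
                       ("Solaris", SOLARIS), ("AIX", AIX)):
        rules = parse_conf(conf)
        for fac, pri in (("auth", "info"), ("kern", "err"), ("daemon", "notice")):
            print(f"{name:8} {fac}.{pri:<7} -> {route(rules, fac, pri) or '(dropped)'}")
```

Running it shows the points made in the text: on FreeBSD auth.info lands only in auth.log (it is below the notice threshold of the messages line), on Ubuntu auth messages are kept out of /var/log/syslog by the `.none` selector, on Solaris kern.err fans out to three targets including the remote `@server`, and under the AIX rule set a daemon.notice message reaches no file at all.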


Conclusion

As you can see, there are many differences between Linux flavors, and among UNIX System V descendants. IBM AIX is the best example, since the syslogd daemon was not even mentioned until version 6.1 (2004). On top of that, system administrators use their own rules, or their company's policy rules, which sometimes diverge from best practice. And which best practice are we talking about? Even the RFCs carry no official seal, nor do they advise which message should go to which log.

Therefore, the description of the commonly seen logs in the following sections is entirely relative to the OS chosen, and will depend on which messages you actually find in those logs.