Logging Differences Among Some Systems
The latest version of each system is assumed unless otherwise specified.
FreeBSD
- source: https://www.freebsd.org/doc/handbook/configtuning-syslog.html
- system logs handled by syslogd
- configuration file:
/etc/syslog.conf
Syntax Excerpt:
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
security.* /var/log/security
auth.info;authpriv.info /var/log/auth.log
cron.* /var/log/cron
- There is no syslog log file on FreeBSD
- There is no kern.log log file on FreeBSD
- daemon.log is disabled by default
Ubuntu
- source: https://www.freebsd.org/doc/handbook/configtuning-syslog.html
- system logs handled by Rsyslogd
- configuration file:
/etc/rsyslog.conf
+/etc/rsyslog.d/*.conf
Syntax Excerpt:
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
#daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
- Ubuntu (since Natty 11.04, 2011) no longer uses /var/log/messages, and stores messages from every facility (*.*) in /var/log/syslog
- daemon.log is disabled by default
- cron.log is disabled by default
- any other facility log you may enable is actually an extract of
/var/log/syslog
Debian
- source: https://www.debian.org/doc/manuals/debian-handbook/sect.syslog.en.html
- source: https://www.rsyslog.com/doc/v8-stable/configuration/index.html
- system logs handled by Rsyslogd
- configuration file:
/etc/rsyslog.conf
+/etc/rsyslog.d/*
I couldn’t find the default facility configuration, but one can bet it is the same as for its derivative Ubuntu.
Sun Solaris 11
- source: https://docs.oracle.com/cd/E23824_01/html/821-1462/syslogd-1m.html
- source: https://docs.oracle.com/cd/E23824_01/html/821-1473/syslog.conf-4.html
- source: http://unixadminschool.com/blog/2013/12/configuring-solaris-syslogd-for-centralized-log-setup/
- system logs are handled by syslogd only since late releases of version 10, and the configuration has to be written by hand.
- configuration file:
/etc/syslog.conf
Example configuration:
*.notice /var/log/notice
mail.info /var/log/notice
*.crit /var/log/critical
kern,mark.debug /dev/console
kern.err @server
*.emerg *
*.alert root,operator
*.alert;auth.warning /var/log/auth
- Solaris uses different system logs named
/var/adm/messages.*
- Note that emergency messages are logged everywhere, including the console
- auth.log is named auth
- messages log is found in
/var/adm/messages
- syslog log is found in
/dev/sysmsg
- There is no kern.log log file on Solaris
- crond does not log anything unless you activate and configure it.
IBM AIX 5.1 – 7.1
- source: https://www.ibm.com/support/knowledgecenter/ssw_aix_72/com.ibm.aix.basetrf2/syslog.htm
- source: AIX 5L Version 5.3 System Management Guide: Operating System and Devices(2005): https://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss?CTY=US&FNC=SRX&PBL=SC23-4910-02
- source: https://www.unix.com/man-pages.php?query=syslog.conf&apropos=0&section=4&os=opensolaris
- source: https://ramses.smeyers.be/varia/aix/syslog/
Important difference: until AIX version 6.1, an AIX system does no syslog logging by default. For some reason, the default AIX install places no entries in /etc/syslog.conf, and thus syslogd has no configuration at all. Therefore, any syslogd configuration you may come across is privately hand-made.
Starting with IBM AIX version 6.1, AIX has at least 3 logging facilities and 1 auditing facility. Logging facilities are:
- syslog
- errlog
- alog
syslogd is not enabled by default. Another daemon, errdemon, handles error logs.
- When syslogd is enabled, there are no rules. You can either follow RFC 5424 or implement your own company policy rules.
- If following RFC 5424, system logs are handled by syslogd and the configuration file is the classic
/etc/syslog.conf
- This may have changed since AIX version 7.2; I am not up to date, and IBM is also evolving.
The set of rules below is a real-world example from a governmental company, written entirely from scratch and used on versions 5.1 to 6.1:
user.debug /var/log/user.log
*.warning /var/log/messages rotate size 50000k time 1w files 2 compress
syslog.notice -/dev/null
# The authpriv file has restricted access.
authpriv.debug /var/log/secure
auth.debug /var/log/auth.log
auth.info /var/log/auth.log rotate size 50000k time 1w files 20 compress
# Kernel logging
kern.debug /var/log/kernel/info
kern.warn /var/log/kernel/warnings
kern.err /var/log/kernel/errors
# Everybody gets emergency messages
*.emerg *
- On production servers, syslog.notice messages are dumped to /dev/null
- kern.log actually goes to
/var/log/kernel/*
- messages log actually contains only warning and above level messages
- crond has its own log under
/var/adm/cron/log
- error logs are handled by another daemon: errdemon, and go to
/var/adm/ras/errlog
- Syslog log files must exist before syslogd will write to them.
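To make the differences above concrete, here is an added example (not code from any of the cited handbooks or vendors) that parses the four syslog.conf excerpts quoted on this page with classic BSD selector semantics and answers "where does kern.err, auth.info or cron.info actually land on each system?". It also lists, for the AIX rule set, which configured log files still have to be created before syslogd will write to them. The excerpts are the page's own, with whitespace normalised; the list of files assumed to already exist on the AIX box is constructed for the demonstration.

```python
"""Resolve facility.priority against the syslog.conf excerpts quoted above.

Added example, not code from any of the cited handbooks. The excerpts are
copied from the page (whitespace normalised); the set of files assumed to
exist on the AIX box is constructed for the demonstration.
"""
import re

# Classic syslog priorities, lowest to highest; a selector such as
# kern.warning matches warning *and every priority above it*.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

FREEBSD = """\
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
security.* /var/log/security
auth.info;authpriv.info /var/log/auth.log
cron.* /var/log/cron
"""
UBUNTU = """\
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
#daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
"""
SOLARIS = """\
*.notice /var/log/notice
mail.info /var/log/notice
*.crit /var/log/critical
kern,mark.debug /dev/console
kern.err @server
*.emerg *
*.alert root,operator
*.alert;auth.warning /var/log/auth
"""
AIX = """\
user.debug /var/log/user.log
*.warning /var/log/messages rotate size 50000k time 1w files 2 compress
syslog.notice -/dev/null
authpriv.debug /var/log/secure
auth.debug /var/log/auth.log
auth.info /var/log/auth.log rotate size 50000k time 1w files 20 compress
kern.debug /var/log/kernel/info
kern.warn /var/log/kernel/warnings
kern.err /var/log/kernel/errors
*.emerg *
"""


def prio_index(name):
    """Rank of a priority name; '*' means debug and up, i.e. everything."""
    name = ALIASES.get(name.lower(), name.lower())
    return 0 if name == "*" else PRIORITIES.index(name)


def parse_conf(text):
    """Return [(selectors, action)], selectors = [(facility, rank or None)].
    None records facility.none, i.e. an explicit exclusion."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#cron.*' is a commented-out rule
        if not line:
            continue
        selector, action = re.split(r"\s+", line, maxsplit=1)
        action = action.split()[0]           # drop AIX 'rotate size ...' options
        if action.startswith("-/"):          # legacy "omit sync" flag; not part
            action = action[1:]              # of the path
        selectors = []
        for part in selector.split(";"):
            facilities, prio = part.rsplit(".", 1)
            rank = None if prio.lower() == "none" else prio_index(prio)
            selectors.extend((f, rank) for f in facilities.split(","))
        rules.append((selectors, action))
    return rules


def destinations(rules, facility, priority):
    """BSD semantics: within one rule, the *last* selector naming the facility
    (directly or via '*') sets its threshold, and 'none' clears it.
    Returns one action per matching rule, in configuration order."""
    rank = prio_index(priority)
    hits = []
    for selectors, action in rules:
        threshold = None
        for fac, level in selectors:
            if fac in ("*", facility):
                threshold = level
        if threshold is not None and rank >= threshold:
            hits.append(action)
    return hits


def file_targets(rules):
    """Plain log files written by the rules; devices, '@host' forwarding and
    user lists such as '*' or 'root,operator' are skipped."""
    return sorted({a for _, a in rules
                   if a.startswith("/") and not a.startswith("/dev/")})


def missing_targets(rules, existing):
    """AIX syslogd only writes to files that already exist: list the
    configured files that still have to be created."""
    return [p for p in file_targets(rules) if p not in existing]


if __name__ == "__main__":
    for name, conf in [("FreeBSD", FREEBSD), ("Ubuntu", UBUNTU),
                       ("Solaris", SOLARIS), ("AIX", AIX)]:
        rules = parse_conf(conf)
        for fac, pri in [("kern", "err"), ("auth", "info"), ("cron", "info")]:
            print(f"{name:8} {fac}.{pri:5} -> {destinations(rules, fac, pri) or 'nowhere'}")
    # Constructed: files assumed present on a fresh AIX box.
    present = {"/var/log/messages", "/var/log/auth.log"}
    print("AIX files to create:", missing_targets(parse_conf(AIX), present))
```

Running it shows the page's points as data: cron.info reaches a dedicated file only on FreeBSD, goes to /var/log/syslog on Ubuntu, and lands nowhere on Solaris and AIX; kern.err has no kern.log on FreeBSD or Solaris but is fanned out to three files under /var/log/kernel/ on AIX; and on AIX the last rule duplicates auth.info into /var/log/auth.log twice, one entry per matching rule, which is the kind of hand-made quirk the text warns about.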
Conclusion
As you can see, there are a lot of differences between Linux flavors, and among UNIX System V children. IBM AIX is the best example, as they didn’t even mention the syslogd daemon until version 6.1 (2004). Not only that, but system administrators also use their own rules, or the company policy rules, which sometimes diverge from the best practices in the matter. Furthermore, which best practice are we talking about? Even the RFC system has no official seal, nor does it advise about which message should go in which log.
Therefore, the description of the commonly seen logs in the next sections is purely subjective to the OS chosen, and will depend on which messages you can find in those logs.