Interpretation of syslogd and syslog.conf files under Linux

  • 2021-06-28 09:57:08
  • OfStack

1: Introduction to syslog.conf

Across the different Unix variants the standard Unix log system is configured with the same syslog.conf format, apart from a few differing keywords. syslog accepts log requests from all parts of the system at any time through a configurable, unified system logging procedure and then, according to the settings in /etc/syslog.conf, writes the log information to the appropriate file, mails it to a specific user, or sends it directly to the console as messages. It is worth noting that, to stop an intruder from modifying or deleting the records in messages, the attempt can be thwarted by sending the records to a printer or by other means.

2: Format of syslog.conf

You can refer to man 5 syslog.conf. Here is a brief introduction to syslog.conf.

A configuration record in the /etc/syslog.conf file consists of two parts, a selector (the options) and an action, separated by a TAB character (spaces are not accepted). The selector is made up of one or more reserved fields of the form Type.Level, separated by semicolons, as shown in the following line:

Type.Level[;Type.Level] [TAB] Action

2.1 Type

The "type" in a reserved field represents the source that generated the message and can be:

auth: the authentication system, i.e. programs that ask for a user name and password

cron: messages emitted by the system timer when it executes scheduled tasks

daemon: system daemons, for example the log produced by in.ftpd

kern: messages from the kernel

lpr: messages from the printer subsystem

mail: messages from the mail system

mark: the timer program that emits a marker message at regular intervals

news: messages from the news system

user: messages from local user applications

uucp: messages from the uucp subsystem

local0..7: locally defined message types that the user can assign freely

*: all of the above sources

2.2 Level

The "level" in a reserved field represents the importance of the message and can be:

emerg: emergency or panic condition, usually broadcast to all users;

alert: a condition that must be corrected immediately, for example a corrupted system database;

crit: a critical condition, for example a hardware failure;

err: other errors;

warning: warning messages;

notice: a non-error condition that nevertheless needs special handling;

info: informational messages;

debug: debugging messages;

none: commonly used while debugging programs to indicate that messages from the given type should not be sent at all. For example, *.debug;mail.none sends every message except those from the mail system.

2.3 Action

The Action field indicates the destination of the message and can be:

/filename: a log file, given as an absolute path. The file must exist beforehand;

@host: a remote host. The @ symbol may be followed by either an IP address or a domain name; by default the alias loghost refers to the local machine in the /etc/hosts file;

user1,user2: named users. If the specified users are logged in, they receive the message;

*: all users. Every logged-in user receives the message.

3: Specific examples

Let's look at an example line from the /etc/syslog.conf file:

...

*.err;kern.debug;daemon.notice;mail.crit [TAB] /var/adm/messages

...

The "action" in this line is the file we are usually interested in, /var/adm/messages. The "selector" lists the sources whose messages are written to it:

*.err: general error messages from all sources;

kern.debug: debugging messages generated by the kernel;

daemon.notice: notice-level messages from daemons;

mail.crit: critical warnings from the mail system.

4: syslog.conf Content

The log files are controlled by the system log monitor syslogd and the kernel log monitor klogd; the default behaviour of both is configured in the /etc/syslog.conf file.

The log files are organized as described in the /etc/syslog.conf configuration file. The following is the content of the /etc/syslog.conf file:

[root@localhost ~]# cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
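To check how the selector rules of sections 2 and 3 apply to the file above, here is an added example (not part of the original article) that resolves which actions a given type.level message reaches. It implements the rules the article describes: a level matches itself and every more severe level, `*` matches everything, comma-separated types share one level, and a later `type.none` in the same selector cancels an earlier match. SAMPLE_CONF is a constructed copy of the listing above with comments removed.

```python
"""Resolve the destinations of a syslog message under a syslog.conf file."""
from typing import List, Tuple

# Severity order from section 2.2: lower index = more severe.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed copy of the /etc/syslog.conf shown above, comments dropped.
SAMPLE_CONF = """\
*.info;mail.none;authpriv.none;cron.none\t/var/log/messages
authpriv.*\t/var/log/secure
mail.*\t-/var/log/maillog
cron.*\t/var/log/cron
*.emerg\t*
uucp,news.crit\t/var/log/spooler
local7.*\t/var/log/boot.log
"""


def parse_conf(text: str) -> List[Tuple[str, str]]:
    """Return (selector, action) pairs for every non-comment, non-empty line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)  # TAB separates the two parts
        rules.append((selector, action))
    return rules


def selector_matches(selector: str, facility: str, level: str) -> bool:
    """Evaluate 'type.level[;type.level]' for one message (type = facility).
    Fields are applied in order, so 'mail.none' after '*.info' removes mail."""
    matched = False
    for field in selector.split(";"):
        types, lvl = field.rsplit(".", 1)
        if not (types == "*" or facility in types.split(",")):
            continue
        if lvl == "none":
            matched = False  # explicit exclusion for this facility
        elif lvl == "*" or LEVELS.index(level) <= LEVELS.index(lvl):
            matched = True   # this level or anything more severe
    return matched


def destinations(conf: str, facility: str, level: str) -> List[str]:
    """Every action a facility.level message would be delivered to."""
    return [act for sel, act in parse_conf(conf) if selector_matches(sel, facility, level)]


if __name__ == "__main__":
    for fac, lvl in [("mail", "info"), ("authpriv", "notice"), ("kern", "emerg")]:
        print(f"{fac}.{lvl} -> {destinations(SAMPLE_CONF, fac, lvl)}")
```

Only the syntax described in this article is handled; the `=` and `!` level modifiers of newer Linux syslogd implementations are not parsed.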

5: Version

The syslog mechanism is the usual logging method on Unix-like systems. It records all kinds of log information produced while the system runs, organised by level, for example the kernel's informational messages or the output of running programs. When developing embedded systems it is very helpful to write important information about the running program to the log for debugging and error diagnosis: important variables, results of function calls, error records, and so on. On embedded systems, limited resources and cross-development make debugging and diagnostics inconvenient, and the syslog mechanism greatly simplifies these tasks.

Not every embedded system can use syslog. First, the system must run a Unix-like operating system, usually Linux. Second, to support remote logging, the system must support network communication. Fortunately, most embedded systems are based on Linux and have network support. The specific implementation is discussed below.

When compiling busybox, select the syslog application and add busybox to the Linux file system. Once the embedded system has started, you can configure the syslog client. Depending on the busybox version, the syslog service process syslogd is configured differently. Earlier versions of syslogd ignored the entries in syslog.conf and were configured directly through command-line parameters; newer versions support configuration through the syslog.conf file. Check the help output of syslogd to determine which kind you have.

When the syslog.conf configuration is not supported, start syslogd directly with command-line parameters by entering the following command:

syslogd -n -m 0 -L -R 192.190.1.88

The -n option runs the process in the foreground.

The -m option specifies the interval at which mark messages are written; 0 turns them off.

The -L option logs locally as well as remotely. Without it, only remote logging is performed.

-R enables remote logging, sending syslog messages to the target server, here assumed to have the IP address 192.190.1.88. If no port is given, UDP port 514 is used by default, so make sure that port is free on the server.

After startup, all log information is sent to UDP port 514 on the server.

When the syslog.conf configuration is supported, you only need to modify the configuration file. Add the following line to it:

*.* @192.190.1.88

The above configuration sends all syslog messages to the server 192.190.1.88 on the default UDP port. Because syslog.conf is quite flexible, you can also filter out unneeded messages, specify a port, and so on; refer to the syslog.conf documentation for the details. Then start syslogd to log remotely.
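What `-R 192.190.1.88` or `*.* @192.190.1.88` actually puts on the wire is one UDP datagram per message in the BSD syslog format, with the type and level from sections 2.1 and 2.2 packed into a leading `<PRI>` number. The following added example (not busybox code) builds such a datagram and decodes one on the collector side; the numeric facility and severity codes are the standard ones from RFC 3164, and the host name, tag and timestamp are constructed sample values.

```python
"""Encode and decode BSD syslog (RFC 3164) datagrams as sent to UDP port 514."""
import re
import socket
from typing import Dict

# Standard numeric codes for the types (facilities) and levels (severities).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              **{f"local{i}": 16 + i for i in range(8)}}
LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4, "notice": 5,
          "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
LEVEL_NAMES = {v: k for k, v in LEVELS.items()}

# <PRI>Mmm dd hh:mm:ss host rest-of-message
_MSG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)


def encode_pri(facility: str, level: str) -> int:
    """PRI = facility * 8 + severity; it is the first field of every datagram."""
    return FACILITIES[facility] * 8 + LEVELS[level]


def build_datagram(facility: str, level: str, timestamp: str,
                   host: str, tag: str, text: str) -> bytes:
    return f"<{encode_pri(facility, level)}>{timestamp} {host} {tag}: {text}".encode()


def parse_datagram(data: bytes) -> Dict[str, str]:
    """Split a received datagram into the fields a collector indexes.
    Malformed input raises ValueError instead of being guessed at."""
    m = _MSG_RE.match(data.decode("utf-8", errors="replace"))
    if not m:
        raise ValueError("not a BSD syslog datagram")
    pri = int(m.group(1))
    if pri > 191:  # local7.debug = 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI {pri} out of range")
    return {"facility": FACILITY_NAMES.get(pri >> 3, f"unknown({pri >> 3})"),
            "level": LEVEL_NAMES[pri & 7], "timestamp": m.group(2),
            "host": m.group(3), "message": m.group(4)}


def send_datagram(data: bytes, server: str, port: int = 514) -> None:
    """Same transport syslogd uses for '@host': one unacknowledged UDP packet."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(data, (server, port))


if __name__ == "__main__":
    # Constructed sample, as an embedded busybox client might emit it.
    d = build_datagram("local0", "notice", "Jun 28 09:57:08", "embedded", "app[42]", "boot complete")
    print(d, parse_datagram(d))
```

Because the transport is plain UDP, nothing confirms delivery: a collector that decodes the PRI as above and alerts on gaps in expected facilities is the only way to notice that messages from the device have stopped arriving.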