BSD DevCenter
oreilly.comSafari Books Online.Conferences.

advertisement


Big Scary Daemons

System Logging

05/17/2001

The syslog system is one of the most delightful things about Unix. Unlike some operating systems that force you to use the limited range of logs that they condescend to provide, Unix allows you to log almost anything, at almost any level of detail. While system logging hooks are provided for the most common Unix resources, administrators can choose a logging configuration that meets their needs. My networks usually have a single logging host that handles not only the FreeBSD boxes, but Cisco routers, switches, and any other syslog-speaking systems.

The system logger is actually fairly straightforward. Programs send log entries to the system logging daemon, syslogd. Syslogd compares each submission to the entries in /etc/syslog.conf. When it finds a matching entry, it processes the log entry in the manner described.

/etc/syslog.conf has two columns. The first is the system providing the information to be logged. The second is the action to be taken when a log message matches. The most confusing part is understanding exactly how to specify a logging information source.

The standard method of specifying a logging source is by facility and level. A facility is a log entry source, or a program that sends messages to syslogd. These facilities are described below.


auth

Anything having to do with user authorization, such as login and su.

authpriv

This is identical to auth, except it logs to a file that only selected users can read.

console

Messages that are normally printed to the system console can be captured by using the console facility.

cron

Messages from the system scheduler.

daemon

This is a catch-all for all system daemons that don't have other explicit handlers.

ftp

You can configure your FTP daemon to log its transfers. See /etc/inetd.conf.

kern

This is for messages from the kernel.

lpr

Messages from the printing system

mail

Messages from the mail system

mark

This isn't an actual log from a system; instead, the mark facility puts a notification in your log every 20 minutes. This is useful combined with some other log.

news

Messages from the Internet News daemons.

ntp

Messages from Network Time Protocol

security

Messages from various security systems, such as ipf(8) and ipfw(8).

syslog

Yes, the log service can log to itself. Just don't log when you log logs from the log system, or you'll make yourself dizzy.

user

The catch-all messages facility. If you don't specify a logging facility for user programs, they'll use this.

uucp

Logs from the Unix-to-Unix Copy Protocol. This is a piece of Unix history you'll probably never encounter.

local0 through local7

These are reserved for administrator use. Many programs have an option to set a logging facility; choose one of these if at all possible.

Most systems don't log everything their programs send to syslog; rather, they discard trivial messages and only record the important stuff. One man's trivial is another's vital data. This is where the level comes in.

Pages: 1, 2

Next Pagearrow





Sponsored by: