1 / 9

CIS 238 Syslog

CIS 238 Syslog. System logging and monitoring. Syslog. (r)syslog is a utility for tracking and logging all manner of system messages from the merely informational to the extremely critical. Sysogs stored in

Download Presentation

CIS 238 Syslog

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. CIS 238Syslog System logging and monitoring

  2. Syslog • (r)syslog is a utility for tracking and logging all manner of system messages from the merely informational to the extremely critical. Sysogs stored in • In LINUX, system logs are stored in /var/log. System messages are recorded in /var/log/messages. Other OS’es may use different files in different directories (e.g. /var/adm). • Each system message sent to the syslog server has two descriptive labels associated with it that makes the message easier to handle. - The first describes the function (facility) of the application that generated it. For example, applications such as mail and cron generate messages with easily identifiable facilities named mail and cron. - The second describes the degree of severity of the message.

  3. Syslog • Severity: Level: Keyword: Description • 0 emergencies System unusable • 1 alerts Immediate action required • 2 critical Critical condition • 3 errors Error conditions • 4 warnings Warning conditions • 5 notifications Normal but significant conditions • 6 informational Informational messages • 7 debugging Debugging messages

  4. Syslog • The files to which syslog writes each type of message received is set in the /etc/rsyslog.conf configuration file. In older versions of Fedora, this file was named /etc/syslog.conf. • This file consists of two columns. The first lists the facilities and severities of messages to expect and the second lists the files to which they should be logged. By default, RedHat/Fedora's /etc/rsyslog.conf file is configured to put most of the messages in the file /var/log/messages. • Example: *.info;mail.none;authpriv.none;cron.none /var/log/messages • Note other services may record messages in other files (e.g. sendmail) • Syslog is also a network service. A common implementation is to forward system info to a common syslog server. • Logs compressed, ,stored and optionally e-mailed by the logrotate function. Definitions stored in /etc/logrotate.conf and /etc/logrotate.d

  5. Logrotate • Log management for LINUX and UNIX • Basic config file is /etc/logrotate.conf • Individual package package config files in/etc/logrotate.d usually configured during package installation • Each config file specifies logfile list, rotate interval, rotation count, log size, compression options, postrotate command to perform a function after the log has been copied.

  6. Logrotate automation • UNIX systems require use of a specific CRON job • LINUX automatically includes logrotate in ANACRON. • ANACRON is an automatic CRON list created for system functions such as logtotate or tripwire. It is an extension of CRON. • See /etc files anacron, cron.daily, cron.weekly, cron.monthly. Also /var/spool/anacron

  7. Logwatch • Default freeware log monitoring tool • Runs in Perl • Numerous other “pay for play” tools: • Logrobot • Nagios • Logstash • Graybar

  8. Logwatch files • System specific config: /etc/logwatch • Default config: /usr/share/logwatch/default.conf/ • Distro specific config: /usr/share/logwatch/distro.conf/ • Directories: conf /*.conf, conf/logfiles, conf/services scripts/services • Always copy default, distro files to local /etc/logwatch for modification • Priority sequence: - /etc/logwatch - /usr/share/logwatch/distro.conf - /usr/share/logwatch/default.conf

  9. Security today • Governement regulations: • HIPAA • PCI-DSS • SOX • No clear text applications – FTP, TELNET, NFS, RCP, RCMD, HTTP • Restricted access, minimum to do the job • Most legacy 3rd party apps are now commercial products: - ssh - Nagios - Tripwire - PGP Some have freeware equivalents, but fewer over time.

More Related