Linux Syslog – Configuring a Logging Server

Syslog is an IETF standard (RFC 3164 documents the original BSD format, RFC 5424 the current protocol), and it is the most common method used for computer message logging. It is the foundation for most network management systems and security auditing applications. Syslog's major strength is its support for just about every computing and network device, from low-end printers to high-end routers and firewalls. Each device pushes its debugging information, error notifications and system alerts to a central collector; syslog does not poll, the devices send. The collector stores the messages from every device on the network in a local repository for use by a network management system, giving the administrator a network-wide view from a single station.


Syslog Protocol

Syslog's architecture is based upon the concept of messages and facility codes. Each message is labelled with a facility code that identifies the type of application or subsystem that sent it, and with a severity code. The model is client/server: the clients (logging hosts) send messages to the syslog server over UDP or TCP, conventionally on port 514 (RFC 5425 specifies TLS on port 6514). The original BSD format limits a message to 1024 bytes; RFC 5424 allows longer messages, but many receivers still truncate anything beyond a few kilobytes.

Syslog Facility

A message is labelled with an indicator of which type of software generated it. These are simple categories that syslog defines so that it can route and handle each type of message differently. They are identified by keywords: auth, authpriv, cron, daemon, ftp, lpr, kern, mail, news, syslog, user, uucp, and local0 ... local7.

Each facility has a numeric code, for example kern = 0, cron = 9, authpriv = 10 and local0 ... local7 = 16 ... 23. The codes are fixed by the RFC, but the names attached to some of them (notably 12 to 15) are not consistent across operating systems or syslog implementations, so check the table of the implementation you are configuring.

Syslog Severity Levels

The message severity levels are standard (RFC 5424). There are eight of them, numbered from 0, emergency, the most severe, down to 7, debug, the least severe: the lower the number, the more urgent the message.

Code  Severity       Description
0     Emergency      System is unusable.
1     Alert          Action must be taken immediately.
2     Critical       Critical conditions.
3     Error          Error conditions.
4     Warning        Warning conditions.
5     Notice         Normal but significant condition.
6     Informational  Informational messages.
7     Debug          Debug-level messages.


Message Format

A syslog message takes the form: <PRI> HEADER MSG

Length: up to 1024 bytes in the original BSD format (RFC 3164); RFC 5424 removes that fixed limit.

PRI stands for priority. It is written as a decimal number between angle brackets, for example <34>, and packs two values into one number: the facility (5 bits, values 0 to 23) and the severity (3 bits, values 0 to 7).

The priority value is calculated as (value of the facility x 8) + severity level, so valid values run from 0 to 191.

Example: a kernel message has facility 0, so 0 x 8 + severity level 1 (alert) gives a priority of <1>. An auth (facility 4) message at severity 2 (critical) gives 4 x 8 + 2 = <34>.

Header

The header contains a timestamp, which is the time the message was generated (in the BSD format this is the sender's local time, with no year and no time zone). It also holds the hostname or IP address of the host that generated the message. Neither field is authenticated: a sender can write any hostname it likes into the header, so on a log server the address the message arrived from, not the header, is what identifies the source.

Message

Tag: the name of the process that generated the message

Content: the message body
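The format above, worked through as an added example (this is not code from the original article): a POSIX shell script that computes and decodes PRI values and splits a BSD-style message into its fields. The facility names used for codes 12 to 15 follow rsyslog's table and are an assumption, since the names for those codes vary by implementation; the sample line is constructed, modelled on the example message in RFC 3164.

```shell
#!/bin/sh
# Added example: encode and decode the PRI field, then split a BSD-style
# (RFC 3164) syslog line into PRI, timestamp, host, tag and content.
# Assumes the classic "<PRI>Mmm dd hh:mm:ss HOST TAG: CONTENT" layout
# described above; RFC 5424 messages carry a different header.

# Facility keywords in numeric order (0..23). Codes 12-15 use rsyslog's
# names; as the article notes, those differ between implementations.
FACILITIES="kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp security console solaris-cron local0 local1 local2 local3 local4 local5 local6 local7"
# Severity keywords in numeric order (0..7).
SEVERITIES="emerg alert crit err warning notice info debug"

# nth INDEX "LIST" -> the INDEX-th (0-based) word of LIST
nth() {
    i=$1
    set -- $2
    shift "$i"
    printf '%s\n' "$1"
}

# pri FACILITY SEVERITY -> PRI = facility * 8 + severity (0..191)
pri() {
    if [ "$1" -lt 0 ] || [ "$1" -gt 23 ] || [ "$2" -lt 0 ] || [ "$2" -gt 7 ]; then
        echo "pri: facility must be 0..23 and severity 0..7" >&2
        return 1
    fi
    echo $(( $1 * 8 + $2 ))
}

# The reverse: facility is the quotient, severity the remainder.
facility_of() { echo $(( $1 / 8 )); }
severity_of() { echo $(( $1 % 8 )); }

# parse_syslog "<PRI>Mmm dd hh:mm:ss HOST TAG: CONTENT"
# Prints one key=value line per field; fails on a missing or invalid PRI.
parse_syslog() {
    msg=$1
    case $msg in
        \<[0-9]*\>*) ;;
        *) echo "parse_syslog: no PRI field" >&2; return 1 ;;
    esac
    p=${msg#<}; p=${p%%>*}                     # digits between the brackets
    case $p in
        *[!0-9]*) echo "parse_syslog: non-numeric PRI" >&2; return 1 ;;
    esac
    if [ "$p" -gt 191 ]; then
        echo "parse_syslog: PRI $p out of range" >&2; return 1
    fi
    rest=${msg#<*>}
    ts=$(printf '%s' "$rest" | cut -c1-15)     # timestamp is always 15 chars
    rest=${rest#???????????????}; rest=${rest# }
    host=${rest%% *}                           # HOSTNAME ends at the next space
    rest=${rest#* }
    tag=${rest%%:*}                            # TAG ends at the first colon
    content=${rest#*:}; content=${content# }
    f=$(facility_of "$p"); s=$(severity_of "$p")
    printf 'pri=%s\nfacility=%s\nseverity=%s\ntimestamp=%s\nhost=%s\ntag=%s\ncontent=%s\n' \
        "$p" "$(nth "$f" "$FACILITIES")" "$(nth "$s" "$SEVERITIES")" \
        "$ts" "$host" "$tag" "$content"
}

# Constructed sample line, modelled on the example in RFC 3164:
# facility 4 (auth) * 8 + severity 2 (crit) = PRI 34.
SAMPLE="<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"
parse_syslog "$SAMPLE"
```

The range checks matter on a collector: a PRI above 191 or a missing PRI is either a broken sender or someone probing the parser, and a receiver that silently accepts such lines will mis-route them into the wrong log file.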

The next section deals with command line configuration.


 

Configuring Syslog on Linux

Configuring logging on a Linux system is very important: logs allow administrators to troubleshoot issues at both the application and network layers, and without them (alerts, errors and notifications) they would be working blind.

Syslog is configured in /etc/syslog.conf for the classic syslogd, or in /etc/rsyslog.conf (plus drop-in files under /etc/rsyslog.d/ on most distributions) for rsyslog. This is where the logging levels and destinations are set: each rule is a selector of the form facility.severity followed by an action, usually a file. A leading - before a file name tells the classic syslogd not to sync the file after every write (rsyslog accepts and ignores it, since it does not sync by default). Here is an example syslog.conf file:

# Sample syslog.conf file that sorts messages by
# mail, kernel, cron and "other"
# send mail, cron, and kernel/firewall msgs to
# their respective log files

mail.*                    -/var/log/mail
kern.*                    -/var/log/kernel_n_firewall
cron.*                    -/var/log/cron

# save the rest in one file
*.*;mail.none;authpriv.none;cron.none    /var/log/messages

Configuring the Linux Server to Receive Messages from Remote Systems

In order to set up the Linux server to receive and log messages from other systems, the server needs to be configured to accept messages from the network, and the clients need to be configured to send them. The server is configured first, because by default it does not accept remote messages at all.

Configure the Server

The classic syslogd (sysklogd) on Red Hat-style systems reads /etc/syslog.conf to discover where it should store its logs, and /etc/sysconfig/syslog, shown below, for its command-line options, which determine its operational mode, including whether it listens on the network at all. rsyslog does not use this options file: it enables network reception by loading its imudp or imtcp input module in /etc/rsyslog.conf or a drop-in under /etc/rsyslog.d/. In either case the listener accepts messages from any host that can reach UDP or TCP port 514, so restrict that port to the known clients with the host firewall.

# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages received with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-m 0 -r"

# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-2"

After configuring, restart the syslogd and klogd daemons (or rsyslogd) for the changes to take effect.

Configuring the Client

The client configuration consists of pointing the logging service at the Linux logging server. This entails adding a rule to rsyslog.conf (or syslog.conf) whose action is the new logging server rather than a file: @server_name sends over UDP, and in rsyslog @@server_name sends over TCP. The steps are:

  1. Discover the Linux Syslog Servers IP address and fully qualified domain name
  2. Configure the local /etc/rsyslog.conf to send messages to the server

For example;

# Sample syslog.conf file that sorts messages by
# mail, kernel, cron and "other"
# send mail, cron, and kernel/firewall msgs to
# their respective log files

mail.*                    -/var/log/mail
kern.*                    -/var/log/kernel_n_firewall
cron.*                    -/var/log/cron

# save the rest in one file
*.info;mail.none;cron.none    /var/log/messages

# and forward everything to the central server as well
# (@ = UDP; use @@server_IP for TCP with rsyslog; add :port to override 514)
*.*                           @server_IP


Alternatively, an alias could be set up in the hosts file for the Syslog server.

The server and client are now configured and ready (after restarting syslogd or rsyslogd on each host) to send and accept syslog messages. To test the configuration, generate a message on the client, for example with the logger command or by stopping and starting a service, and check that it arrives on the server. It will be found under /var/log/ in whichever file the server's rules route that facility to.
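The server and client steps above, carried through as an added example for rsyslog (this is not configuration from the original article): a shell script that writes a server drop-in which listens on TCP and UDP 514 and keeps one file per sending host, and a client drop-in which forwards everything over TCP with a disk-backed queue. The server address 192.0.2.10, the drop-in file names, the output directory passed as the first argument, and the use of rsyslog's RainerScript syntax (rsyslog 8 or later) are assumptions.

```shell
#!/bin/sh
# Added example: render rsyslog configuration for a central log server
# and for a client that forwards to it. Assumptions (not from the article):
#   - the server's address is 192.0.2.10 (override with SERVER_IP=...);
#   - both hosts run rsyslog 8 or later (RainerScript syntax).
# Files are written under the directory given as $1, so they can be
# reviewed in a scratch directory and then copied to /etc/rsyslog.d/.

SERVER_IP=${SERVER_IP:-192.0.2.10}

# Server side. Remote messages go to their own ruleset so they never
# mix with the local rules, and each sending host gets its own file so
# one noisy or hostile client cannot bury the others. secpath-replace
# strips "/" from the (unauthenticated) hostname so a sender cannot
# steer its file outside /var/log/remote/.
render_server_conf() {
    cat > "$1/10-remote-server.conf" <<EOF
module(load="imtcp")
module(load="imudp")
input(type="imtcp" port="514" address="$SERVER_IP" ruleset="remote")
input(type="imudp" port="514" address="$SERVER_IP" ruleset="remote")

template(name="PerHost" type="string"
         string="/var/log/remote/%HOSTNAME:::secpath-replace%.log")

ruleset(name="remote") {
    action(type="omfile" dynaFile="PerHost" fileCreateMode="0640")
}
EOF
}

# Client side. Local rules stay as they are; this adds forwarding over
# TCP (the legacy form would be "*.* @@$SERVER_IP:514"). The disk-assisted
# queue buffers messages while the server is unreachable instead of
# dropping them, and the action retries forever rather than giving up.
render_client_conf() {
    cat > "$1/20-forward.conf" <<EOF
*.* action(type="omfwd" target="$SERVER_IP" port="514" protocol="tcp"
           queue.type="LinkedList" queue.filename="fwd_collector"
           queue.saveOnShutdown="on" action.resumeRetryCount="-1")
EOF
}

# Syntax-check a rendered file with rsyslogd's own checker when it is
# installed; rendering does not need the daemon, so skip otherwise.
check_conf() {
    if ! command -v rsyslogd >/dev/null 2>&1; then
        echo "rsyslogd not installed; skipping syntax check of $1" >&2
        return 0
    fi
    rsyslogd -N1 -f "$1"
}

# Render into the requested directory (or a temporary one) and check.
outdir=${1:-$(mktemp -d)}
render_server_conf "$outdir"
render_client_conf "$outdir"
check_conf "$outdir/10-remote-server.conf"
check_conf "$outdir/20-forward.conf"
echo "rsyslog drop-ins written to $outdir"
```

Copy the two files to /etc/rsyslog.d/ on the respective hosts, restart rsyslog on both, then on the client run logger -p auth.notice -t syslogtest "remote logging check" and look for that line in /var/log/remote/<client-hostname>.log on the server. Plain TCP 514 carries the logs unencrypted and unauthenticated; on networks you do not fully control, rsyslog can wrap the same omfwd/imtcp pair in TLS on port 6514, and the firewall on the server should still limit 514 to the client addresses.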
