Syslog is the (built-in) solution for logging messages generated by AIX. The AIX kernel, various daemons and applications are able to send their log output to syslogd (syslog daemon). Syslogd will create /etc/syslog.pid file during its start-up, which contains the process id of sylogd. Based on the main configuration file: /etc/syslog.conf, syslogd will filter and distribute the incoming messages to different logfiles.
/etc/syslog.conf contains the facilities, severities, the assigned action and optionally the rotation parameters:
-----------------------------------------------------
Facility:
Facility is a category of a message. Basically it is a filter for a specific category from all the incoming messages. Using a facility we can select a type of message and do something with it.
Available facilities:
kern Messages generated by the kernel.
user Messages generated by user processes.
mail Mesages generated by the mail system.
daemon Messages generated by system daemons, such as ftpd and the telnetd daemons.
auth Messages generated by the authorization system, including the sshd, login and su commands.
syslog Messages generated internally by the syslogd daemon.
lpr Messages genrated by the line printer, such as the lpr and lpc commands.
news Files reserved for the USENET network news system.
uucp (obsolete) The UNIX-to-UNIX copy (UUCP) system does not use the syslog function.
local0-7 these local facilities (e.g. local0 or local1) can be used for user defined message handling
* all facilities
-----------------------------------------------------
Severity:
It specifies the importance or priority of a message. Keep in mind, that when selecting a level, it automatically includes all the levels above of that severity.
(For example choosing "err" will handle at the same time "crit", "alert" and "emerg" messages as well.)
Available severities (in order from top to down):
emerg Panic conditions that are normally broadcast to all users
alert Conditions that should be corrected immediately, such as a corrupted system database.
crit Warnings about critical conditions, such as hardware failures.
err any kind of errors (below critical level)
warning Warning messages, that generally does not interfere with normal operation.
notice Non-error conditions that might require special handling
info Purely informational messages (usually does not require any handling)
debug Messages that are used when debugging a program
none Messages are not sent from the indicated facility to the selected file
-----------------------------------------------------
Action:
It says what should be done with the message, like put it in a file or send it to a user's terminal
Available actions:
file Output sent to the file specified
@host The @ sign denotes that messages must be forwarded to a host The name should be defined in /etc/hosts and represent a remote logserver.
user[,user] The user(s) receive messages if they are logged in.
* All logged in users will receive messages when they are logged in.
-----------------------------------------------------
Rotation (optional):
The rotation field identifies how rotation is used. If the action field is a file, then rotation can be based on size or time, or both. One can also compress and/or archive the rotated files.
size specifies that rotation is based on size, and it is followed by a number and either a k (kilobytes) or m(megabytes).
time specifies that rotation is based on time, followed by a number and either a h(hour) or d(day) or w(week) or m(month) or y(year).
files specifies the total number of rotated files, followed by a number. If not specified, then there is no limit of rotated files.
compress specifies that the saved rotated files will be compressed.
archive specifies that the saved rotated files will be copied to a directory. It is followed by the directory name.
----------------------------------------------------------------------
Sources of log messages
Syslog can receive messages in three ways:
- Through the syslog() function (most languages provide)
- Through named sockets such as /dev/log (which is enabled by default on most platforms)
- Via UDP on port 514 (if syslogd is running with the -r option.)
So, one important feature of SYSLOG is the ability send messages via UDP on port 514 and then aggregate messages sent from multiple servers on a special server.
Note that there is no authentication or authorization implemented in the standard syslog protocol, and It is recommended that the source port also be 514 to indicate that the message is from the syslog process of the sender,
----------------------------------------------------------------------
Some examples for syslog.conf:
lpr.err /var/log/lpd-errs <--all messages with severity err and above from the line printer are appended to lpd-errs file
*.err;kern.debug;auth.notice /dev/console <--all error messages, kern.debug, and auth.notice messages are sent to the console
(Note that kern.debug means all messages of priority debug and above.)
daemon,auth.notice /var/log/messages <--notice messages from either daemon or the auth. system are appended to /var/log/messages
(Note that this is the second line that mentions auth.notice messages.)
(As a result, auth.notice messages will be sent to both the console and the messages file.)
auth.* root,secadmin <--all messages from the authorization system to be sent to the users root and secadmin.
(Note, that if the users are not logged in, the messages will be lost.)
auth.* @LOGHOST <---all auth. messages are sent to the syslog daemon on the remote computer
(Note that it is recommended that LOGHOST server is defined in /etc/hosts file).
mail.debug /var/log/mail rotate size 100k files 4 <-- 4 files, 100kB each
user.debug /var/log/user rotate files 12 time 1m <-- 12 files, monthly rotate
kern.debug /var/log/kern rotate files 12 time 1m compress <-- 12 files, monthly rotate, compress
----------------------------------------------------------------------
lssrc -ls syslogd <---shows syslogd specifics
(after modifying syslogd.conf: refresh -s syslogd)
----------------------------------------------------------------------
Local (local0-local7)
local0-local7 are unused facilities that syslog provides, which can be defined/customized by any user. If a developer creates an application and wants to log that to syslog, or if you want to redirect the output of anything to syslog (for example, Apache logs), you can choose to send it to the local# facilities. Then, in /etc/syslog.conf that local# has to be added, so it will log to a file (or it will send it to a remote server).
Changing sshd logging from auth to local7:
1. in sshd_config file change:
SyslogFacility AUTH to Syslogfacility local7
2. in /etc/syslog.conf add local7 to log to a file:
local7.* /var/log/sshd.log
3. restart syslogd and sshd:
after that ssh daemon will use /var/log/sshd.log file via local7 facility
----------------------------------------------------------------------
Enabling Oracle audit log (by a local facility)
1. in Oracle these parameters have been set:
SQL> show parameter AUDIT_FILE_DEST
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest string /oracle/audit
SQL> show parameter AUDIT_SYSLOG_LEVEL
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_syslog_level string LOCAL1.WARNING
2. in /etc/syslog.conf this has been added:
local1.warn /oracle/audit/audit.log
3. restart syslogd
----------------------------------------------------------------------
8 comments:
daemon,auth.notice /var/log/messages ---- Is it enough to get the messages log in /var/log
How to send all logs to remote host? It is working in Linux using rsyslog, how to configure the same in AIX?
Hi, this is written above:
"@host The @ sign denotes that messages must be forwarded to a host The name should be defined in /etc/hosts and represent a remote logserver"
Is there any way by which we can ignore some message strings from logging into system log files?
Probably you can play with severity settings to remove unnecessary messages.
How to recived only authentication log in aix.
Example authpriv.* @server name In Linux ?
Can you specify a port other than 514 in the syslog.conf? If not, then what is the process for sending logs to a remote system that listens on port 8514?
Thanks!
i am getting unnecessary messages in syslog as user:notice but my configuration is *.info;auth.none /var/adm/syslog rotate time 1w files 4. how to ignore those messages
Post a Comment