Syslog is the built-in solution for logging messages generated by AIX. The AIX kernel, various daemons and applications can send their log output to syslogd (the syslog daemon). Syslogd creates the /etc/syslog.pid file during its start-up, which contains the process id of syslogd. Based on the main configuration file, /etc/syslog.conf, syslogd filters the incoming messages and distributes them to different logfiles.
/etc/syslog.conf contains the facilities, severities, the assigned action and optionally the rotation parameters:
-----------------------------------------------------
Facility:
A facility is the category of a message. In syslog.conf it works as a filter that picks one category out of all the incoming messages: by naming a facility we select a type of message and decide what to do with it.
Available facilities:
kern Messages generated by the kernel.
user Messages generated by user processes.
mail Messages generated by the mail system.
daemon Messages generated by system daemons, such as the ftpd and telnetd daemons.
auth Messages generated by the authorization system, including the sshd, login and su commands.
syslog Messages generated internally by the syslogd daemon.
lpr Messages generated by the line printer system, such as the lpr and lpc commands.
news Files reserved for the USENET network news system.
uucp (obsolete) The UNIX-to-UNIX copy (UUCP) system does not use the syslog function.
local0-7 These local facilities (e.g. local0 or local1) can be used for user-defined message handling.
* All facilities.
-----------------------------------------------------
Severity:
It specifies the importance or priority of a message. Keep in mind that selecting a level automatically includes all the levels above that severity.
(For example, choosing "err" also handles "crit", "alert" and "emerg" messages.)
Available severities (from most to least severe):
emerg Panic conditions that are normally broadcast to all users.
alert Conditions that should be corrected immediately, such as a corrupted system database.
crit Warnings about critical conditions, such as hardware failures.
err Any kind of error below the critical level.
warning Warning messages that generally do not interfere with normal operation.
notice Non-error conditions that might require special handling.
info Purely informational messages (usually do not require any handling).
debug Messages used when debugging a program.
none No messages from the indicated facility are sent to the selected file.
-----------------------------------------------------
Action:
It says what should be done with the message, such as appending it to a file or sending it to a user's terminal.
Available actions:
file Output is appended to the specified file.
@host The @ sign denotes that messages are forwarded to a host. The name should be defined in /etc/hosts and represent a remote logserver.
user[,user] The listed user(s) receive the messages if they are logged in.
* All logged-in users receive the messages.
-----------------------------------------------------
Rotation (optional):
The rotation field identifies how rotation is used. If the action field is a file, then rotation can be based on size or time, or both. The rotated files can also be compressed and/or archived.
size Rotation is based on size; followed by a number and either k (kilobytes) or m (megabytes).
time Rotation is based on time; followed by a number and either h (hour), d (day), w (week), m (month) or y (year).
files The total number of rotated files kept, followed by a number. If not specified, there is no limit on the number of rotated files.
compress The saved rotated files are compressed.
archive The saved rotated files are copied to a directory. It is followed by the directory name.
----------------------------------------------------------------------
Sources of log messages
Syslog can receive messages in three ways:
- Through the syslog() function (which most languages provide)
- Through named sockets such as /dev/log (enabled by default on most platforms)
- Via UDP on port 514 (if syslogd is running with the -r option)
So one important feature of syslog is the ability to send messages via UDP on port 514 and aggregate the messages of multiple servers on a dedicated log server.
Note that the standard syslog protocol implements no authentication or authorization. It is recommended that the source port also be 514, to indicate that the message comes from the syslog process of the sender.
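What actually travels over UDP 514, as an added example (my code, not AIX's syslogd): the classic BSD syslog datagram format of RFC 3164 packs facility and severity into the leading <PRI> number, and nothing in the datagram is authenticated, so a receiver can at best note whether the source port was 514. The host name, tag and message text are constructed sample values.

```python
import re

# Severity order (index = RFC 3164 severity code) and facility codes for this page's facilities.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY_CODES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
                  5: "syslog", 6: "lpr", 7: "news", 8: "uucp"}
FACILITY_CODES.update({16 + i: "local%d" % i for i in range(8)})
FACILITY_NUMBERS = {name: code for code, name in FACILITY_CODES.items()}

def encode_datagram(facility, severity, hostname, tag, message, timestamp="Oct 11 22:14:15"):
    """Build the BSD syslog UDP payload '<PRI>TIMESTAMP HOSTNAME TAG: MESSAGE'."""
    pri = FACILITY_NUMBERS[facility] * 8 + SEVERITIES.index(severity)  # PRI packs both fields
    return ("<%d>%s %s %s: %s" % (pri, timestamp, hostname, tag, message)).encode("ascii")

DATAGRAM_RE = re.compile(r"<(\d{1,3})>(\S+ +\d+ \d\d:\d\d:\d\d) (\S+) ([^:\s]+): (.*)", re.S)

def decode_datagram(data, src_port):
    """Decode a received datagram. Every field, the hostname included, is plain text chosen
    by the sender; the only sender-side hint this page mentions is a source port of 514."""
    m = DATAGRAM_RE.match(data.decode("ascii", "replace"))
    if not m or int(m.group(1)) > 191:
        raise ValueError("not a well-formed BSD syslog datagram")
    pri = int(m.group(1))
    return {
        "facility": FACILITY_CODES.get(pri // 8, "unknown(%d)" % (pri // 8)),
        "severity": SEVERITIES[pri % 8],
        "timestamp": m.group(2), "hostname": m.group(3), "tag": m.group(4), "message": m.group(5),
        "source_port_is_514": src_port == 514,
    }

if __name__ == "__main__":
    # Constructed sample: what sshd logging at auth.notice would send (PRI 37 = 4 * 8 + 5).
    wire = encode_datagram("auth", "notice", "aixhost", "sshd[1234]", "Accepted publickey for alice")
    print(wire)
    print(decode_datagram(wire, 514))
```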
----------------------------------------------------------------------
Some examples for syslog.conf:
lpr.err /var/log/lpd-errs <-- all messages with severity err and above from the line printer system are appended to the lpd-errs file
*.err;kern.debug;auth.notice /dev/console <-- all error messages, kern.debug and auth.notice messages are sent to the console
(Note that kern.debug means all messages of priority debug and above.)
daemon,auth.notice /var/log/messages <-- notice messages from either the daemon or the auth system are appended to /var/log/messages
(Note that this is the second line that mentions auth.notice messages.)
(As a result, auth.notice messages are sent to both the console and the messages file.)
auth.* root,secadmin <-- all messages from the authorization system are sent to the users root and secadmin
(Note that if the users are not logged in, the messages are lost.)
auth.* @LOGHOST <-- all auth messages are sent to the syslog daemon on the remote computer
(Note that it is recommended that the LOGHOST server is defined in the /etc/hosts file.)
mail.debug /var/log/mail rotate size 100k files 4 <-- 4 files, 100kB each
user.debug /var/log/user rotate files 12 time 1m <-- 12 files, monthly rotate
kern.debug /var/log/kern rotate files 12 time 1m compress <-- 12 files, monthly rotate, compress
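To see how the selector rules above combine, here is an added example (my code, not AIX's syslogd): it parses syslog.conf lines like the ones on this page and reports which actions a message of a given facility and severity reaches. It assumes the BSD syslogd rule that, within one line, the last selector naming a facility (or *) wins, which is how *.info;auth.none excludes auth and how *.err;kern.debug widens kern; the local1.warn line is a constructed counterpart of the Oracle audit setup further down.

```python
# Severity order as listed on this page, most severe first.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed syslog.conf made of this page's example lines plus a '*.info;auth.none' case.
SAMPLE_CONF = """\
lpr.err                       /var/log/lpd-errs
*.err;kern.debug;auth.notice  /dev/console
daemon,auth.notice            /var/log/messages
auth.*                        root,secadmin
auth.*                        @LOGHOST
mail.debug                    /var/log/mail rotate size 100k files 4
local1.warn                   /oracle/audit/audit.log
*.info;auth.none              /var/adm/syslog rotate time 1w files 4
"""

def parse_conf(text):
    """Return [(selectors, action)]; selectors is a list of (facility, level) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        selector_field, action = line.split(None, 2)[:2]  # drop the optional 'rotate ...' field
        selectors = []
        for sel in selector_field.split(";"):
            facilities, level = sel.rsplit(".", 1)
            selectors.extend((fac, level) for fac in facilities.split(","))
        rules.append((selectors, action))
    return rules

def selected_level(selectors, facility):
    """Within one line the last selector naming the facility (or '*') wins (BSD syslogd rule)."""
    level = None
    for fac, lvl in selectors:
        if fac in ("*", facility):
            level = {"*": "debug", "warn": "warning"}.get(lvl, lvl)  # 'fac.*' = every severity
    return level

def route(facility, severity, conf_text=SAMPLE_CONF):
    """Actions that receive a message of this facility and severity ('none' excludes it)."""
    actions = []
    for selectors, action in parse_conf(conf_text):
        level = selected_level(selectors, facility)
        if level not in (None, "none") and SEVERITIES.index(severity) <= SEVERITIES.index(level):
            actions.append(action)
    return actions

if __name__ == "__main__":
    for fac, sev in [("auth", "notice"), ("user", "notice"), ("kern", "debug"), ("auth", "info")]:
        print("%s.%s -> %s" % (fac, sev, route(fac, sev)))
```

Running it shows that an auth.notice message lands in four places while a user.notice message still reaches /var/adm/syslog, because auth.none only suppresses the auth facility.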
----------------------------------------------------------------------
lssrc -ls syslogd <-- shows syslogd specifics
(after modifying /etc/syslog.conf: refresh -s syslogd)
----------------------------------------------------------------------
Local (local0-local7)
local0-local7 are unused facilities that syslog provides, which can be defined/customized by any user. If a developer creates an application and wants it to log to syslog, or if you want to redirect the output of anything to syslog (for example, Apache logs), you can send it to one of the local# facilities. That local# facility then has to be added to /etc/syslog.conf, so that its messages are logged to a file (or sent to a remote server).
Changing sshd logging from auth to local7:
1. In the sshd_config file change:
SyslogFacility AUTH to SyslogFacility local7
2. In /etc/syslog.conf add a local7 line to log to a file:
local7.* /var/log/sshd.log
3. Restart syslogd and sshd.
After that the ssh daemon will log to the /var/log/sshd.log file via the local7 facility.
----------------------------------------------------------------------
Enabling the Oracle audit log (via a local facility)
1. In Oracle these parameters have been set:
SQL> show parameter AUDIT_FILE_DEST
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest string /oracle/audit
SQL> show parameter AUDIT_SYSLOG_LEVEL
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_syslog_level string LOCAL1.WARNING
2. In /etc/syslog.conf this has been added:
local1.warn /oracle/audit/audit.log
3. Restart syslogd.
----------------------------------------------------------------------
daemon,auth.notice /var/log/messages ---- Is it enough to get the messages log in /var/log?

How to send all logs to a remote host? It is working in Linux using rsyslog, how to configure the same in AIX?

Hi, this is written above:
"@host The @ sign denotes that messages must be forwarded to a host The name should be defined in /etc/hosts and represent a remote logserver"

Can you specify a port other than 514 in the syslog.conf? If not, then what is the process for sending logs to a remote system that listens on port 8514?

Thanks!

Is there any way by which we can ignore some message strings from logging into system log files?

Probably you can play with severity settings to remove unnecessary messages.

How to receive only the authentication log in AIX?
Example: authpriv.* @server name in Linux?

I am getting unnecessary messages in syslog as user:notice but my configuration is *.info;auth.none /var/adm/syslog rotate time 1w files 4. How to ignore those messages?