Linux version | Apple System Log |
syslogd
[-d]
[-f config_file]
[-h]
system logging and kernel message trapping,
Use of internet and unix domain sockets enables local and remote logging.
If an error occurs during parsing of the config file the whole line is ignored.
-d |
SIGHUP |
facility.
level destination
Prefix the destination filename with -
to omit sync'ing the file after every write to it.(reduces I/O load).
Example:
Cause ALL messages using the daemon
facility
(debug is the lowest priority, so all higher levels match) to go into /var/log/daemons
and don't sync I/O system:
daemon.debug -/var/log/daemons
* |
Examples:
Direct debug messages from all sources
*.=debug /var/log/debug
All messages of the facility mail except those with the priority info
mail.*;mail.!=info /var/log/mailAll messages from news.info (including) to news.crit (excluding)
news.info;news.!crit /var/log/news
mail.none or mail.!* or mail.!debugto skip all messages with a mail facility.
-r
; Default: ignore network.
Sending and receiving syslogd /etc/services
must contain syslog 514/udp
otherwise syslogd will die.
To forward messages to another host :
use @syslogdhostname
in syslog.conf
for destination.
For example, to forward ALL messages to a remote host
*.* @syslogdhostnam
If the remote hostname cannot be resolved at startup, Syslogd will try to resolve the name ten times and then complain. and ????
syslog-loops (bad) : forwarding messages to a syslogd that forwards them back.
In a network provide a central log server to have all the logs kept on one machine.
If the network consists of different domains logging will include fully qualfied names.
-s
stripdomain off several domains other than the one the server is located in and only log simple hostnames.
-l
define single hosts as local machines.
The UDP socket used to forward messages to remote hosts or to receive messages from them is only opened when it is needed.
|
to the name of the file.
the fifo must be created with the mkfifo command before syslogd is started.
# Sample configuration to route kernel debugging # messages ONLY to /var/log/debug which is a named pipe. kern.=debug |/var/log/debug
syslogd
and klogd
can be run from init
or started as part of the /etc/rc.*
sequence. -n
(don't switch to background.)
SECURITY THREATS
There is the potential for the syslogd daemon to be used as a conduit for a denial of service attack.
A rogue program(mer) could flood the syslogd daemon with syslog messages resulting in the log files consuming all the remaining space on
the filesystem.
Activating logging over the inet domain sockets will expose a system to risks outside of programs or individuals
on the local machine.
There are a number of methods of protecting a machine:
ext2
filesystem which can be configured to limit
a percentage of a filesystem to usage by root only, requiring syslogd to be run as a non-root process.
-d
verbose display of activity is output to stdout. When the configuration file is read a tabular report is output:
number
sequence number representing the position in the internal data structure./etc/syslog.conf.
pattern
facility
(only the left most are used. )action
when a message is received that matches the pattern.
arguments
additional arguments to the actions
/etc/syslog.conf
syslog.conf(5) /dev/log
, socket used by local syslog /var/run/syslogd.pid
, file containing the process id of syslogd.
etc/services
)syslog 514/udp syslog-conn 601/udp # Reliable Syslog Service syslog-conn 601/tcp # Reliable Syslog Service
If an error occurs in one line the whole rule is ignored. (Don't forget the #
to preceed comments (NOT ALL VERSIONS)
Syslogd doesn't change the permissions of logfiles.
created files are world readable.
Use savelog(8)
to rotate logfiles.
It is a security hole if everybody is able to message from the auth.*
facility.
SEE ALSO
syslogBDS really Mac OSX ; darwin
syslog-ngBalaBit Ltd version
syslog.conf klogd(8),
logger, syslog(2), syslog(3), services(5), savelog(8)
From smacker OS X 10.5.7 6/18/09
# Emergency (0) note counter-intuitive Emergency has a level less than Debug.
# Alert # Critical # Error # Warning # Notice # Info # Debug
*.err /dev/console
kern.*;auth.notice;authpriv,remoteauth,install.none;mail.crit /dev/console
# DONT Send messages to the serial port.
#*.err;kern.*;auth.notice;authpriv,remoteauth.none;mail.crit /dev/tty.serial
*.notice /var/log/system.log
mail.crit /var/log/system.log
kern.debug /var/log/system.log
authpriv,remoteauth,ftp /var/log/system.log
install.none /var/log/system.log
# authpriv log file should be restricted access
auth.info;authpriv.* /var/log/secure.log
remoteauth.crit /var/log/secure.log
lpr.info /var/log/lpr.log
mail.* /var/log/mail.log
ftp.* /var/log/ftp.log
install.* /var/log/install.log
install.* @127.0.0.1:32376
local0.* /var/log/appfirewall.log
local1.* /var/log/ipfw.log
*.emerg *
*.alert /var/log/01-alert.log
*.crit /var/log/02-crit.log
##see above *.err /var/log/03-err.log
*.warn /var/log/04-warn.log
##see above *.notice /var/log/05-notice.log
*.notice /var/log/05-notice.log
*.info /var/log/06-info.log
*.debug /var/log/07-debug.log
sudo.* /var/log/sudo.log
#++++++++++++++++++++++++++++++++++++++++++++++
: rsyslogd
Collaborators: Syslogd is taken from BSD sources, Greg Wettstein (greg@wind.enjellic.com) performed the port to Linux,