Difference between revisions of "Linux Syslog"

From Embedded Lab Vienna for IoT & Security
Jump to navigation Jump to search
 
(11 intermediate revisions by one other user not shown)
Line 17: Line 17:
The Syslog Standard uses facilities and severities to categorize messages. Facilities are used to indicate what type of program or what part of the system the message originated from, e.g.
The Syslog Standard uses facilities and severities to categorize messages. Facilities are used to indicate what type of program or what part of the system the message originated from, e.g.
* Facility: messages that are labeled with a kernel facility originate from the Linux kernel.
* Facility: messages that are labeled with a kernel facility originate from the Linux kernel.
* Severities on the other hand are used to categorize messages based on their urgency. The severities are emergency, alert, critical, error, warning, notice and info.
* Severities on the other hand are used to categorize messages based on their urgency. The severities are emergency, alert, critical, error, warning, notice informational and debug.


{| class="wikitable"  
{| class="wikitable"  
Line 63: Line 63:
| 7
| 7
| network news (nntp)
| network news (nntp)
|
| 7
| debug
| debug
|-
|-
Line 93: Line 93:
| local use 0-7 (local0-local7)
| local use 0-7 (local0-local7)
|}
|}




Line 148: Line 149:


[[Category:Documentation]]
[[Category:Documentation]]
[[Category:Basic]]

Latest revision as of 18:38, 12 March 2024

Summary

Linux uses the syslog standard for message logging, this allows programms and applications to generate messages that can be captured, processed and stored by the system logger. It eliminates the need for each and every application having to come up with and implement a logging mechanism on their own and also means that logging can be configured and controlled in a centralized location. Syslog file is one of the importants log files. It contains almost all messages. This file is therefore well suited for the analysis of many problems.

Requirements

A syslog server accepts syslog messages and processes, those messages based on a set of configurable rules.

Traditionally the syslogd daemon filled this role but many Linux distributions now ship with alternatives such as:

  • rsyslog (rocket-fast system for log processing)
  • syslog-ng (ng stands for next-generation)

How it works

The Syslog Standard uses facilities and severities to categorize messages. Facilities are used to indicate what type of program or what part of the system the message originated from, e.g.

  • Facility: messages that are labeled with a kernel facility originate from the Linux kernel.
  • Severities on the other hand are used to categorize messages based on their urgency. The severities are emergency, alert, critical, error, warning, notice informational and debug.
Code Facilities Code Severities
0 kernel 0 emergency
1 user 1 alert
2 mail 2 critical
3 auth 3 error
4 syslog 4 warning
5 cron 5 notice
6 line printer (lpr) 6 informational
7 network news (nntp) 7 debug
8 unix-toUnix Copy (UUCP)
9 clock
10 security/authorization
11 FTP
12 NTP
13 log audit
14 log alert
15 clock daemon (formerly cron in RFC 3164)
16 local use 0-7 (local0-local7)


A syslog service uses configurable logging rules to determine what to do with the given message, these rules use combinations of facilities and severities. In most cases messages are simply written to a file in the /var/log directory somewhere but you can do advanced things such as send the messages over the network to a central location. If you want to generate your own log messages for example when you’re writing shell scripts use the logger command-line utility. To automatically prune files and keep your disks from filling up with old messages use the logrotate utility.

The following example shows the entries in /var/log/syslog after starting a Ubuntu 20.04 system further below the entries that occur when connecting a USB stick:

Jan  4 06:10:20 bitsf kernel: [    0.000000] Linux version 5.8.0-53-generic (buildd@lcy01-amd64-012) (gcc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #60~20.04.1-Ubuntu SMP Thu May 6 09:52:46 UTC 2021 (Ubuntu 5.8.0-53.60~20.04.1-generic 5.8.18)
Jan  4 06:10:20 bitsf kernel: [    0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-5.8.0-53-generic root=UUID=5c80c0a8-2833-4cc9-be7f-6ca343989eb6 ro quiet splash
Jan  4 06:10:20 bitsf kernel: [    0.000000] KERNEL supported cpus:
Jan  4 06:10:20 bitsf kernel: [    0.000000]   Intel GenuineIntel
Jan  4 06:10:20 bitsf kernel: [    0.000000]   AMD AuthenticAMD
Jan  4 06:10:20 bitsf kernel: [    0.000000]   Hygon HygonGenuine
Jan  4 06:10:20 bitsf kernel: [    0.000000]   Centaur CentaurHauls
Jan  4 06:10:20 bitsf kernel: [    0.000000]   zhaoxin   Shanghai
Jan  4 06:10:20 bitsf kernel: [    0.000000] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'
Jan  4 06:10:20 bitsf kernel: [    0.000000] x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers'
Jan  4 06:10:20 bitsf kernel: [    0.000000] x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers'
Jan  4 06:10:20 bitsf kernel: [    0.000000] x86/fpu: xstate_offset[2]:  576, xstate_sizes[2]:  256
Jan  4 06:10:20 bitsf kernel: [    0.000000] x86/fpu: Enabled xstate features 0x7, context size is 832 bytes, using 'compacted' format.
[...]
Jan  4 06:20:01 bitsf kernel: [  585.917268] usb 1-1: new high-speed USB device number 2 using ehci-pci
Jan  4 06:20:01 bitsf kernel: [  586.214302] usb 1-1: New USB device found, idVendor=0781, idProduct=5581, bcdDevice= 1.00
Jan  4 06:20:01 bitsf kernel: [  586.214306] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Jan  4 06:20:01 bitsf kernel: [  586.214309] usb 1-1: Product: Ultra
Jan  4 06:20:01 bitsf kernel: [  586.214310] usb 1-1: Manufacturer: SanDisk
Jan  4 06:20:01 bitsf kernel: [  586.214312] usb 1-1: SerialNumber: 4C530001140828116221
Jan  4 06:20:01 bitsf mtp-probe: checking bus 1, device 2: "/sys/devices/pci0000:00/0000:00:11.0/0000:02:03.0/usb1/1-1"
Jan  4 06:20:01 bitsf mtp-probe: bus: 1, device: 2 was not an MTP device
Jan  4 06:20:01 bitsf kernel: [  586.247843] usb-storage 1-1:1.0: USB Mass Storage device detected
Jan  4 06:20:01 bitsf kernel: [  586.249017] scsi host33: usb-storage 1-1:1.0
Jan  4 06:20:01 bitsf kernel: [  586.249296] usbcore: registered new interface driver usb-storage
Jan  4 06:20:01 bitsf kernel: [  586.255991] usbcore: registered new interface driver uas
Jan  4 06:20:01 bitsf mtp-probe: checking bus 1, device 2: "/sys/devices/pci0000:00/0000:00:11.0/0000:02:03.0/usb1/1-1"
Jan  4 06:20:01 bitsf mtp-probe: bus: 1, device: 2 was not an MTP device
Jan  4 06:20:01 bitsf dbus-daemon[735]: [system] Activating via systemd: service name='net.reactivated.Fprint' unit='fprintd.service' requested by ':1.81' (uid=1000 pid=1742>
Jan  4 06:20:01 bitsf systemd[1]: Starting Fingerprint Authentication Daemon...
Jan  4 06:20:01 bitsf dbus-daemon[735]: [system] Successfully activated service 'net.reactivated.Fprint'
Jan  4 06:20:01 bitsf systemd[1]: Started Fingerprint Authentication Daemon.
Jan  4 06:20:02 bitsf kernel: [  587.271261] scsi 33:0:0:0: Direct-Access     SanDisk  Ultra            1.00 PQ: 0 ANSI: 6
Jan  4 06:20:02 bitsf kernel: [  587.272204] sd 33:0:0:0: Attached scsi generic sg2 type 0
Jan  4 06:20:02 bitsf kernel: [  587.278328] sd 33:0:0:0: [sdb] 120127488 512-byte logical blocks: (61.5 GB/57.3 GiB)
Jan  4 06:20:02 bitsf kernel: [  587.286835] sd 33:0:0:0: [sdb] Write Protect is off
Jan  4 06:20:02 bitsf kernel: [  587.286839] sd 33:0:0:0: [sdb] Mode Sense: 43 00 00 00
Jan  4 06:20:02 bitsf kernel: [  587.294171] sd 33:0:0:0: [sdb] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
Jan  4 06:20:02 bitsf kernel: [  587.356378]  sdb: sdb1
Jan  4 06:20:02 bitsf kernel: [  587.387213] sd 33:0:0:0: [sdb] Attached SCSI removable disk

References