Syslog Better Logging Tutorial

Submitted by RogueCoder on Thu, 2010-05-06 15:13. :: Linux | Security

Syslog is an excellent tool for system monitoring and is almost always included in your distribution. However, the default setup is poor: it logs all kinds of useless messages in odd places. Below is a configuration that should suit most systems. I've commented out the debug lines because they fill your logs too quickly; uncomment them only while you are troubleshooting.

Syslog rules have two fields separated by whitespace (very old syslogd versions insist on a tab): a selector and an action, i.e. facility.priority /path/to/log. Facility can be anything in the left column below; priority can be anything in the right column, which is listed in order of increasing severity. The one rule that trips most people up: a selector matches the named priority and every more severe one, so mail.err already catches crit, alert and emerg, and mail.info already catches everything from info upward. Write facility.=priority to match exactly one priority, facility.!priority to exclude that priority and everything above it, facility.none to exclude a facility entirely, and * as a wildcard in either field. Several selectors in one rule are separated by semicolons and applied left to right.

Facility          Priority (lowest to highest severity)
auth              debug
authpriv          info
daemon            notice
cron              warning
ftp               err
lpr               crit
kern              alert
mail              emerg
news
syslog
user
uucp
local0-local7

These are the spellings syslog.conf expects (warn, error and panic are accepted as deprecated aliases for warning, err and emerg). Because of the "and above" rule, the three-way selectors in the configuration below, such as mail.err;mail.crit;mail.emerg, are equivalent to the single selector mail.err, and the alert priority they never name is still logged; likewise a message of priority crit also lands in the .warning and .info files for its facility. That overlap is harmless, but know about it before you size your disks.

If you are wondering where to put the rules below, the file is normally /etc/syslog.conf (rsyslog reads /etc/rsyslog.conf, which still accepts this format). On Red Hat style systems /etc/sysconfig/syslog only holds the daemon's start-up options, not rules. Refer to your distro documentation for the location if you need to. Also note that classic syslogd creates the log files but not the directories, so create /log and its subdirectories before restarting, and keep them readable by root only: the auth and authpriv files in particular contain usernames and login activity.

Once you are done making changes, you must restart the syslog daemon so that it re-reads the configuration. You can restart with

/etc/init.d/syslogd restart

on most systems; other init script names include:

/etc/init.d/syslog restart
/etc/init.d/sysklogd restart
/etc/init.d/rsyslog restart

Sending the running daemon a SIGHUP (kill -HUP $(cat /var/run/syslogd.pid) for sysklogd) also makes it close its files and reread the configuration. Afterwards, check that a rule actually fires: with the configuration below, logger -p user.warning "syslog test" should append a line to /log/user/user.warning.

I've included extra lines to demonstrate the use of the local0-local7 facilities. These are free for your use, except that on some distributions local7 is used for boot messages.

#############################################
# Easier logging
#############################################
### General Logging
#*.info;*.notice                                        /log/all.info
#*.warning                                              /log/all.warning
#*.debug                                                /log/all.debug
*.err;*.crit;*.emerg                                    /log/all.err
### Email Logging
# Enabling the next rule will make REALLY HUGE log files
#mail.info;mail.notice                                  /log/maillog/maillog.info
mail.warning                                            /log/maillog/maillog.warning
#mail.debug                                             /log/maillog/maillog.debug
mail.err;mail.crit;mail.emerg                           /log/maillog/maillog.err
### FTP Logging
ftp.info;ftp.notice                                     /log/ftplog/ftplog.info
ftp.warning                                             /log/ftplog/ftplog.warning
#ftp.debug                                              /log/ftplog/ftplog.debug
ftp.err;ftp.crit;ftp.emerg                              /log/ftplog/ftplog.err
### Cron Logging
cron.info;cron.notice                                   /log/cron/cron.info
cron.warning                                            /log/cron/cron.warning
#cron.debug                                             /log/cron/cron.debug
cron.err;cron.crit;cron.emerg                           /log/cron/cron.err
### Authpriv Logging
authpriv.info;authpriv.notice                           /log/secure/secure.info
authpriv.warning                                        /log/secure/secure.warning
#authpriv.debug                                         /log/secure/secure.debug
authpriv.err;authpriv.crit;authpriv.emerg               /log/secure/secure.err
### Authentication Logging
auth.info;auth.notice                                   /log/auth/auth.info
auth.warning                                            /log/auth/auth.warning
#auth.debug                                             /log/auth/auth.debug
auth.err;auth.crit;auth.emerg                           /log/auth/auth.err
### Kernel Logging
kern.info;kern.notice                                   /log/kernel/kernel.info
kern.warning                                            /log/kernel/kernel.warning
#kern.debug                                             /log/kernel/kernel.debug
kern.err;kern.crit;kern.emerg                           /log/kernel/kernel.err
### Boot Logging
local7.info;local7.notice                               /log/boot/boot.info
local7.warning                                          /log/boot/boot.warning
#local7.debug                                           /log/boot/boot.debug
local7.err;local7.crit;local7.emerg                     /log/boot/boot.err
### User Logging
user.info;user.notice                                   /log/user/user.info
user.warning                                            /log/user/user.warning
#user.debug                                             /log/user/user.debug
user.err;user.crit;user.emerg                           /log/user/user.err
### Daemon Logging
daemon.info;daemon.notice                               /log/daemon/daemon.info
daemon.warning                                          /log/daemon/daemon.warning
#daemon.debug                                           /log/daemon/daemon.debug
daemon.err;daemon.crit;daemon.emerg                     /log/daemon/daemon.err
### Apache logging using local0
#local0.info;local0.notice                               /log/httpd/httpd.info
#local0.warning                                          /log/httpd/httpd.warning
#local0.debug                                            /log/httpd/httpd.debug
#local0.err;local0.crit;local0.emerg                     /log/httpd/httpd.err
### Clamav logging using local1
#local1.info;local1.notice                               /log/clamav/clamav.info
#local1.warning                                          /log/clamav/clamav.warning
#local1.debug                                            /log/clamav/clamav.debug
#local1.err;local1.crit;local1.emerg                     /log/clamav/clamav.err
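To see how the selector rules described above apply to a configuration in the style of the one above, here is an added example (my own code, not part of the original tutorial or of any syslog implementation) that evaluates selectors the way sysklogd and rsyslog's legacy format do: priority-and-above matching, "=" for a single priority, "!" for exclusion, "none" and "*". The configuration text and the messages it evaluates are constructed for the demonstration; the files /log/maillog/only-info, /log/maillog/below-err and /log/everything-but-mail-auth are hypothetical names chosen to show forms the tutorial's configuration does not use.

```python
"""Evaluate syslog.conf selectors the way sysklogd / rsyslog (legacy format) do.

Added example, not code from the original tutorial.  Semantics follow
syslog.conf(5): "facility.priority" matches that priority and every more
severe one, "=" pins a single priority, "!" excludes, "none" drops a
facility, "*" is a wildcard.  SAMPLE_CONF below is constructed.
"""
import re

# Priorities in increasing severity; the list index is what we mask on.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}  # deprecated spellings
FACILITIES = ["auth", "authpriv", "cron", "daemon", "ftp", "kern", "lpr", "mail",
              "news", "syslog", "user", "uucp"] + ["local%d" % i for i in range(8)]

# Constructed sample configuration in the tutorial's style (hypothetical paths).
SAMPLE_CONF = """\
# catch-all for serious trouble
*.err;*.crit;*.emerg                 /log/all.err
mail.info;mail.notice                /log/maillog/maillog.info
mail.warning                         /log/maillog/maillog.warning
mail.err;mail.crit;mail.emerg        /log/maillog/maillog.err
# forms the tutorial does not use, but syslogd understands:
mail.=info                           /log/maillog/only-info
mail.info;mail.!err                  /log/maillog/below-err
*.info;mail.none;authpriv.none       /log/everything-but-mail-auth
"""


def _prio(name):
    """Map a priority keyword (or alias) to its index in PRIORITIES."""
    return PRIORITIES.index(ALIASES.get(name, name))


def parse_rules(conf_text):
    """Parse syslog.conf text into [(mask, action)].

    mask maps every facility to the set of priority indices the rule logs.
    Selectors are applied left to right, each adding to or clearing bits,
    which is exactly how sysklogd builds its per-rule priority masks."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # comments only at line start
            continue
        selector_field, action = re.split(r"\s+", line, maxsplit=1)
        mask = {f: set() for f in FACILITIES}
        for selector in selector_field.split(";"):
            facs, _, prio = selector.rpartition(".")
            targets = FACILITIES if facs == "*" else facs.split(",")
            negate = prio.startswith("!")
            prio = prio.lstrip("!")
            single = prio.startswith("=")
            prio = prio.lstrip("=")
            if prio in ("none", "*"):
                wanted = set(range(len(PRIORITIES)))
            elif single:
                wanted = {_prio(prio)}
            else:                                  # priority and everything above
                wanted = set(range(_prio(prio), len(PRIORITIES)))
            for f in targets:
                if prio == "none" or negate:
                    mask[f] -= wanted
                else:
                    mask[f] |= wanted
        rules.append((mask, action))
    return rules


def actions_for(rules, facility, priority):
    """Return the actions (log files) a message of facility.priority hits, in file order."""
    p = _prio(priority)
    return [action for mask, action in rules if p in mask[facility]]


def logged_priorities(rules, action, facility):
    """Which priorities of `facility` end up in `action`? Exposes selector overlap."""
    got = set()
    for mask, act in rules:
        if act == action:
            got |= mask[facility]
    return [PRIORITIES[i] for i in sorted(got)]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONF)
    for fac, pri in [("mail", "crit"), ("mail", "alert"), ("mail", "info"),
                     ("cron", "info"), ("authpriv", "crit")]:
        print("%s.%s -> %s" % (fac, pri, actions_for(rules, fac, pri)))
    # mail.info;mail.notice is the same as plain mail.info: info and everything above
    print("maillog.info receives:", logged_priorities(rules, "/log/maillog/maillog.info", "mail"))
    print("below-err receives:   ", logged_priorities(rules, "/log/maillog/below-err", "mail"))
```

Running it shows a mail.crit message landing in four files (all.err plus the .info, .warning and .err mail logs), a mail.alert message going to the same four even though no selector names alert, and the hypothetical mail.!err rule being the only way to get a file that stops at warning.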

Submitted by thehulk (registered user) on Tue, 2010-05-11 01:49.
Great article! Great website! I do wish that you had explained your reasons for choosing the rules that you chose.