Computer & Network Forensics
Xinwen Fu
Linux Logging Mechanisms
Outline
Log files
CS@UML
Logging policies
Depends on:
Not recommended
#! /bin/sh
cd /var/log
# shift the older generations up by one (the old logfile.3 is dropped)
mv logfile.2 logfile.3
mv logfile.1 logfile.2
# move the live log aside and start a new, empty one
mv logfile logfile.1
cat /dev/null > logfile
Some daemons keep their log files open all the time, so this
script can't be used with them: the rename keeps the same inode,
so the daemon keeps writing into logfile.1 while the new, empty
logfile stays empty. To install a new log file, you must either
signal the daemon, or kill and restart it.
In Unix-like operating systems, /dev/null or the null device is
a special file that discards all data written to it, and provides
no data to any process that reads from it. In Unix
programmer jargon, it may also be called the bit bucket or
black hole.
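The following Python script is an added example, not code from the slides. It reproduces the problem just described with a writer that keeps its log open like a daemon: after the mv-style rotation the writer's descriptor still points at the renamed inode, so its next line lands in logfile.1. It also shows the copy-and-truncate alternative, which keeps the inode the daemon holds open as the live log and therefore needs no signal (at the cost of possibly losing a line written between the copy and the truncate). It assumes a POSIX filesystem and uses a temporary directory instead of /var/log.

```python
"""Added example (not from the slides): why mv-based rotation loses writes
from a daemon that keeps its log open, and the copy-and-truncate alternative."""
import os
import shutil
import tempfile


def shift_generations(log_dir):
    """Shared step of both schemes: logfile.2 -> logfile.3, logfile.1 -> logfile.2."""
    for n in (2, 1):
        src = os.path.join(log_dir, f"logfile.{n}")
        if os.path.exists(src):
            os.replace(src, os.path.join(log_dir, f"logfile.{n + 1}"))


def rotate_by_rename(log_dir):
    """The slides' scheme: move the live log aside, create an empty one.
    The old inode travels along with the rename."""
    shift_generations(log_dir)
    logfile = os.path.join(log_dir, "logfile")
    os.replace(logfile, os.path.join(log_dir, "logfile.1"))
    open(logfile, "w").close()  # equivalent of: cat /dev/null > logfile


def rotate_by_copytruncate(log_dir):
    """Alternative: copy the contents out, then truncate the original in place.
    The inode the daemon holds open stays the live log, so no signal is needed.
    A line written between the copy and the truncate is lost; that is the
    known trade-off of this approach."""
    shift_generations(log_dir)
    logfile = os.path.join(log_dir, "logfile")
    shutil.copyfile(logfile, os.path.join(log_dir, "logfile.1"))
    os.truncate(logfile, 0)


def simulate(rotate):
    """Hold the log open like a long-running daemon, rotate, write again, and
    report where the post-rotation line ended up.  Returns the line counts of
    logfile and logfile.1 and whether the daemon's descriptor still refers to
    the file currently named 'logfile'."""
    log_dir = tempfile.mkdtemp()
    logfile = os.path.join(log_dir, "logfile")
    with open(logfile, "w") as f:
        f.write("before rotation\n")
    # Daemon-style writer: descriptor opened once with O_APPEND and kept open.
    fd = os.open(logfile, os.O_WRONLY | os.O_APPEND)
    try:
        rotate(log_dir)
        os.write(fd, b"after rotation\n")
        still_current = os.fstat(fd).st_ino == os.stat(logfile).st_ino
    finally:
        os.close(fd)

    def count(name):
        with open(os.path.join(log_dir, name)) as f:
            return sum(1 for _ in f)

    result = {"logfile": count("logfile"),
              "logfile.1": count("logfile.1"),
              "fd_still_current": still_current}
    shutil.rmtree(log_dir)
    return result


if __name__ == "__main__":
    print("rename:      ", simulate(rotate_by_rename))
    print("copytruncate:", simulate(rotate_by_copytruncate))
```

Run it as a script: with rename rotation the new logfile has 0 lines and logfile.1 has 2, with copy-and-truncate the live log keeps receiving the daemon's output.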
/var/log/*
/var/cron/log
/usr/adm
/var/adm
Outline
Log files
Syslog: the system event logger
What is syslog
A comprehensive logging system, used to manage information
generated by the kernel and system utilities.
Allows messages to be sorted by their source and importance,
and routed to a variety of destinations.
logger
syslog-aware programs
Using the syslog library routines, programs write log entries to a
special file, /dev/log; kernel messages arrive through /dev/klog.
syslogd reads both, consults /etc/syslog.conf, and dispatches each
message to log files, users' terminals, or other machines.
Most system logging daemons listen on one or more Unix sockets,
the most typical being /dev/log; /dev/klog is the kernel log socket.
http://www.calpoly.edu/cgi-bin/man-cgi?syslogd
Configuring syslogd
The configuration file /etc/syslog.conf controls syslogd's behavior.
It is a text file with a simple format; blank lines and lines
beginning with # are ignored (comments).
A selector identifies which messages a configuration line applies to.
Syntax: facility.level
Facility names and severity levels must be chosen from a list of
defined values.
LEVEL           APPROXIMATE MEANING
emerg (panic)   Panic situation
alert           Urgent situation
crit            Critical condition
err             Other error conditions
warning         Warning messages
notice          Unusual things that may need investigation
info            Informational messages
debug           For debugging
(Levels are listed from most severe to least severe.)
Multiple facilities can be combined with commas,
e.g., daemon,auth,mail.info
Each configuration line is a selector followed by an action.
Multiple selectors can be combined with ;
e.g., daemon.level1;mail.level2    action
Facility and level can contain:
* - meaning all
none - meaning nothing
ACTION             MEANING
filename           Append the message to a file on the local machine
@hostname          Forward the message to the syslogd on hostname
@ipaddress         Forward the message to the syslogd at ipaddress
user1, user2, ...  Write the message to the listed users' screens if they are logged in
*                  Write the message to all users currently logged in
Example actions from the sample configuration:
/var/adm/messages
/var/adm/lpd-errs
@netloghost
@ialab.cs.uml.edu
/var/adm/sudolog
Syslogd
A hangup signal (HUP, signal 1) causes syslogd to close its log
files, reread its configuration file, and start logging again.
If you modify the syslog.conf file, you must HUP syslogd to make
your changes take effect.
FACILITY      LEVELS         DESCRIPTION
auth          err-info       NFS automounter
auth          notice         Display and set date
daemon        err-debug      ftp daemon
daemon        alert-info     Routing daemon
daemon        err            Internet info server
auth          crit           Shutdown programs
auth          crit-info      Login programs
lpr           err-info       BSD line printer daemon

PROGRAM       FACILITY       LEVELS          DESCRIPTION
                             err-info        Name server (DNS)
                             err             Password setting programs
sendmail      mail           debug-alert     Mail transport system
rwho          daemon         err-notice      remote who daemon
su            auth           crit, notice    substitute UID program
sudo          local2         notice, alert   Limited su program
syslogd       syslog, mark   err-info        internal errors, timestamps
For example: /var/log/test.log
Remote logging
syslogd -r
Configuration line: authpriv.*;auth.*    @10.0.0.192
Question: where are those events written?
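The following Python interpreter for the syslog.conf selector syntax is an added example, not code from the slides or from any syslogd. It implements the rules from the preceding slides (facility.level selects that level and everything more severe, commas join facilities, ; joins selectors, * and none) and applies them to a constructed configuration built from the actions shown on the slides, including the remote-logging line above, to show which actions an auth.notice event such as a login reaches. The facility names and level aliases are the standard syslog ones; the configuration text and the sample messages are constructed for this example.

```python
"""Added example (not from the slides): a small interpreter for syslog.conf
selectors that reports which actions a message would be dispatched to."""

LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRIORITY = {name: i for i, name in enumerate(LEVELS)}   # 0 = most severe
PRIORITY["panic"] = PRIORITY["emerg"]                    # traditional aliases
PRIORITY["error"] = PRIORITY["err"]
PRIORITY["warn"] = PRIORITY["warning"]
FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
               "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)])


def parse_selectors(selector_field):
    """Turn 'daemon,auth.info;mail.none' into {facility: max_priority_or_None}.
    A level selects that severity and everything more severe (lower number);
    'none' drops the facility; later selectors override earlier ones."""
    chosen = {}
    for selector in selector_field.split(";"):
        facilities, _, level = selector.rpartition(".")
        if not facilities:
            raise ValueError(f"bad selector {selector!r}")
        level = level.strip()
        if level == "*":
            limit = PRIORITY["debug"]
        elif level == "none":
            limit = None
        else:
            limit = PRIORITY[level]
        if facilities.strip() == "*":
            names = FACILITIES
        else:
            names = [f.strip() for f in facilities.split(",")]
        for name in names:
            if name not in FACILITIES:
                raise ValueError(f"unknown facility {name!r}")
            chosen[name] = limit
    return chosen


def parse_config(text):
    """Return [(selector_map, action)] for each non-blank, non-comment line.
    Selector and action are separated by whitespace (tabs in classic files)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector_field, action = line.split(None, 1)
        rules.append((parse_selectors(selector_field), action.strip()))
    return rules


def dispatch(rules, facility, level):
    """List the actions (files, @hosts, user lists, '*') a message with the
    given facility and level is delivered to, in configuration order."""
    prio = PRIORITY[level]
    actions = []
    for chosen, action in rules:
        limit = chosen.get(facility)          # None: facility not selected
        if limit is not None and prio <= limit:
            actions.append(action)
    return actions


# Constructed sample configuration using the actions shown on the slides.
SAMPLE_CONF = """
# constructed sample, not a real host's configuration
*.err;auth.none          /var/adm/messages
lpr.debug                /var/adm/lpd-errs
local2.notice            /var/adm/sudolog
authpriv.*;auth.*        @10.0.0.192
*.emerg                  *
"""

RULES = parse_config(SAMPLE_CONF)

if __name__ == "__main__":
    for fac, lvl in [("auth", "notice"), ("lpr", "info"),
                     ("daemon", "err"), ("local2", "alert"), ("kern", "emerg")]:
        print(f"{fac}.{lvl:8} -> {dispatch(RULES, fac, lvl)}")
```

With this configuration an auth.notice event is written nowhere locally (auth.none removes it from /var/adm/messages) and is forwarded only to the syslogd on 10.0.0.192; what happens to it there is decided by that host's own syslog.conf.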
Process Accounting
touch /var/log/pacct
/sbin/accton /var/log/pacct
lastcomm -f /var/log/pacct
ac -p -d
sa /var/log/pacct
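The following Python decoder is an added example, not code from the slides or from the acct tools. It parses records of the kind accton writes and lastcomm reads, and pulls out the fields an investigator looks at (command name, flags, uid, pid/ppid, start time, CPU ticks). The record layout used is the Linux struct acct_v3 (64 bytes, little-endian, comp_t counters with a 13-bit mantissa and 3-bit base-8 exponent) and the flag letters are the ones lastcomm prints; both are assumptions of this example, and BSD or Solaris pacct layouts differ. The sample file is constructed in-line, not captured from a real system.

```python
"""Added example (not from the slides): decode process accounting records
(Linux acct_v3 layout, an assumption of this example) the way lastcomm does."""
import struct
import time

# flag, version, tty, exitcode, uid, gid, pid, ppid, btime, etime,
# utime, stime, mem, io, rw, minflt, majflt, swaps, comm[16]
ACCT_V3 = "<ccHIIIIIIfHHHHHHHH16s"
assert struct.calcsize(ACCT_V3) == 64
# lastcomm letters: F = forked but no exec, S = used superuser privileges,
# D = dumped core, X = killed by a signal
FLAGS = {0x01: "F", 0x02: "S", 0x08: "D", 0x10: "X"}


def decode_comp(c):
    """comp_t: 13-bit mantissa scaled by 8 ** (3-bit exponent)."""
    return (c & 0x1FFF) << (3 * ((c >> 13) & 0x7))


def encode_comp(value):
    """Inverse of decode_comp, lossy like the kernel's encoding; used here
    only to build constructed records."""
    exp = 0
    while value > 0x1FFF:
        value >>= 3
        exp += 1
    return (exp << 13) | value


def parse_pacct(data):
    """Yield one dict per 64-byte record; a trailing partial record is ignored."""
    for off in range(0, len(data) - len(data) % 64, 64):
        f = struct.unpack_from(ACCT_V3, data, off)
        flag = f[0][0]
        yield {
            "comm": f[18].split(b"\0", 1)[0].decode("ascii", "replace"),
            "flags": "".join(letter for bit, letter in FLAGS.items() if flag & bit),
            "exitcode": f[3], "uid": f[4], "gid": f[5],
            "pid": f[6], "ppid": f[7], "btime": f[8], "elapsed": f[9],
            "utime_ticks": decode_comp(f[10]), "stime_ticks": decode_comp(f[11]),
        }


def su_events(records):
    """Records that ran with superuser privileges (ASU flag): the entries an
    investigator usually filters lastcomm output for."""
    return [(r["comm"], r["uid"], r["pid"]) for r in records if "S" in r["flags"]]


def make_record(comm, flag, uid, pid, ppid, btime, utime_ticks):
    """Build a constructed acct_v3 record (gid = uid, 1.5 s elapsed, 2 sys ticks)."""
    return struct.pack(ACCT_V3, bytes([flag]), b"\x03", 0, 0, uid, uid, pid, ppid,
                       btime, 1.5, encode_comp(utime_ticks), encode_comp(2),
                       0, 0, 0, 0, 0, 0, comm.ljust(16, "\0").encode())


# Constructed sample accounting file: an ordinary ls, then su and the root
# shell it spawned.  Not captured from a real system.
SAMPLE_PACCT = b"".join([
    make_record("ls", 0x00, 1000, 4242, 4200, 1700000000, 3),
    make_record("su", 0x02, 1000, 4243, 4200, 1700000010, 12),
    make_record("sh", 0x02 | 0x01, 0, 4244, 4243, 1700000011, 9000),
])

if __name__ == "__main__":
    recs = list(parse_pacct(SAMPLE_PACCT))
    for r in recs:
        started = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(r["btime"]))
        print(f"{r['comm']:16} {r['flags']:3} uid={r['uid']:<5} pid={r['pid']:<6} "
              f"ppid={r['ppid']:<6} {started} utime={r['utime_ticks']}")
    print("ran with superuser privileges:", su_events(recs))
```

Because the flag and uid come from the kernel rather than from the program, the S flag on a record with a non-root uid is what makes su and sudo activity visible in pacct even when the shell history has been cleaned.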
close( );
Summary
man logrotate
man syslogd
Notes
#! /bin/sh
cd /var/log
# shift the compressed older generations up by one (the old logfile.3.Z is dropped)
mv logfile.2.Z logfile.3.Z
mv logfile.1.Z logfile.2.Z
# move the live log aside and start a new, empty one
mv logfile logfile.1
cat /dev/null > logfile
# tell the daemon to reopen its log so new writes go to the new file
kill -signal pid
# compress the rotated copy only after the daemon has stopped writing to it
compress logfile.1
signal - appropriate signal for the program writing the log file
pid - process id