Syslog

From Halfface
Jump to navigation Jump to search

syslog

Messages refer to a facility (auth, authpriv, daemon, cron, ftp, lpr, kern, mail, news, syslog, user, uucp, local0, ... , local7 ) and are assigned a severity (Emergency, Alert, Critical, Error, Warning, Notice, Info or Debug) by the sender of the message.

Configuration allows directing messages to various local devices (console), files (/var/log/) or remote syslog daemons. Care must be taken when updating the configuration as omitting or misdirecting message facilities or severities can cause important messages to be ignored by syslog or overlooked by the administrator.

Facility Levels

Facility Number Facility Description
0 kernel messages
1 user-level messages
2 mail system
3 system daemons
4 security/authorization messages
5 messages generated internally by syslogd
6 line printer subsystem
7 network news subsystem
8 UUCP subsystem
9 clock daemon
10 security/authorization messages
11 FTP daemon
12 NTP subsystem
13 log audit
14 log alert
15 clock daemon
16 local use 0 (local0)
17 local use 1 (local1)
18 local use 2 (local2)
19 local use 3 (local3)
20 local use 4 (local4)
21 local use 5 (local5)
22 local use 6 (local6)
23 local use 7 (local7)

Severity levels

Code Severity Description General Description
0 Emergency System is unusable. A "panic" condition usually affecting multiple apps/servers/sites. At this level it would usually notify all tech staff on call.
1 Alert Action must be taken immediately. Should be corrected immediately, therefore notify staff who can fix the problem. An example would be the loss of a backup ISP connection.
2 Critical Critical conditions. Should be corrected immediately, but indicates failure in a primary system, an example is a loss of primary ISP connection.
3 Error Error conditions. Non-urgent failures, these should be relayed to developers or admins; each item must be resolved within a given time.
4 Warning Warning conditions. Warning messages, not an error, but indication that an error will occur if action is not taken, e.g. file system 85% full - each item must be resolved within a given time.
5 Notice Normal but significant condition. Events that are unusual but not error conditions - might be summarized in an email to developers or admins to spot potential problems - no immediate action required.
6 Informational Informational messages. Normal operational messages - may be harvested for reporting, measuring throughput, etc. - no action required.
7 Debug Debug-level messages. Info useful to developers for debugging the application, not useful during operations.

Send syslog message to remote host

nc -w0 -u 10.151.101.110 514 <<< "<14>User Info msg from remote machine. abjorklund"

tcpdump and syslog

To calculate the priority value the following formula is used : Priority = Facility * 8 + Level

#!/bin/bash
SYSLOG_PACKAGE=${1}
FACILITY=$(echo ${SYSLOG_PACKAGE} / 8 | bc)
SEVERITY_LEVEL=$(echo ${SYSLOG_PACKAGE} - ${FACILITY} \* 8 | bc)
echo Facility: ${FACILITY}
echo Severity level: ${SEVERITY_LEVEL}
[root@logserver ~]# tcpdump -Xni eth0 port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
20:08:05.306002 IP 10.1.1.10.55595 > 10.1.1.1.514: length: 288
      0x0000:  4500 013c 177d 0000 4011 4b06 0a01 0164  E..<.}..@.K....d
      0x0010:  0a01 01c9 d92b a2a2 0128 5f4b 3c31 3431  .....+...(_K<141
      0x0020:  3e6e 7335 6774 3a20 4e65 7453 6372 6565  >ns5gt:.NetScree
      0x0030:  6e20 6465 7669 6365 5f69 643d 6e73 3567  n.device_id=ns5g
      0x0040:  7420 205b 526f 6f74 5d73 7973 7465 6d2d  t..[Root]system-
      0x0050:  6e6f

tcp/udp

@  forward via udp
@@ forward via tcp

logging to individual file

/etc/rsyslog.d/tcp_udp.conf

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
# bind ruleset to tcp listener
$InputTCPServerBindRuleset remote
$InputTCPServerRun 514
$InputUDPServerBindRuleset remote
$UDPServerRun 514
$template RemoteHost,"/var/log/%HOSTNAME%-%$DAY%.log"
# Remote Logging
$RuleSet remote
*.* ?RemoteHost

Open firewall.

-A INPUT -p tcp -m state --state NEW -m tcp --dport 514 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 514 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 514 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 514 -j ACCEPT