Syslog: Difference between revisions
Revision as of 08:35, 4 December 2018
syslog
Messages refer to a facility (auth, authpriv, daemon, cron, ftp, lpr, kern, mail, news, syslog, user, uucp, local0, ..., local7) and are assigned a severity (Emergency, Alert, Critical, Error, Warning, Notice, Info or Debug) by the sender of the message.
Configuration allows directing messages to various local devices (console), files (/var/log/) or remote syslog daemons. Care must be taken when updating the configuration as omitting or misdirecting message facilities or severities can cause important messages to be ignored by syslog or overlooked by the administrator.
Facility Levels
Facility Number | Facility Description |
---|---|
0 | kernel messages |
1 | user-level messages |
2 | mail system |
3 | system daemons |
4 | security/authorization messages |
5 | messages generated internally by syslogd |
6 | line printer subsystem |
7 | network news subsystem |
8 | UUCP subsystem |
9 | clock daemon |
10 | security/authorization messages |
11 | FTP daemon |
12 | NTP subsystem |
13 | log audit |
14 | log alert |
15 | clock daemon |
16 | local use 0 (local0) |
17 | local use 1 (local1) |
18 | local use 2 (local2) |
19 | local use 3 (local3) |
20 | local use 4 (local4) |
21 | local use 5 (local5) |
22 | local use 6 (local6) |
23 | local use 7 (local7) |
Severity levels
Code | Severity | Description | General Description |
---|---|---|---|
0 | Emergency | System is unusable. | A "panic" condition usually affecting multiple apps/servers/sites. At this level it would usually notify all tech staff on call. |
1 | Alert | Action must be taken immediately. | Should be corrected immediately, therefore notify staff who can fix the problem. An example would be the loss of a backup ISP connection. |
2 | Critical | Critical conditions. | Should be corrected immediately, but indicates failure in a primary system, an example is a loss of primary ISP connection. |
3 | Error | Error conditions. | Non-urgent failures, these should be relayed to developers or admins; each item must be resolved within a given time. |
4 | Warning | Warning conditions. | Warning messages, not an error, but indication that an error will occur if action is not taken, e.g. file system 85% full - each item must be resolved within a given time. |
5 | Notice | Normal but significant condition. | Events that are unusual but not error conditions - might be summarized in an email to developers or admins to spot potential problems - no immediate action required. |
6 | Informational | Informational messages. | Normal operational messages - may be harvested for reporting, measuring throughput, etc. - no action required. |
7 | Debug | Debug-level messages. | Info useful to developers for debugging the application, not useful during operations. |
Send syslog message to remote host
nc -w0 -u 10.151.101.110 514 <<< "<14>User Info msg from remote machine. abjorklund"
tcpdump and syslog
The priority value (PRI) that prefixes each message is calculated as: Priority = Facility * 8 + Level

The following script inverts that formula, splitting a PRI value back into its facility number and severity level:

#!/bin/bash
# Usage: ./pri.sh <priority>   e.g. ./pri.sh 141 -> Facility: 17, Severity level: 5
SYSLOG_PACKAGE=${1}
# Integer division by 8 gives the facility number
FACILITY=$(echo ${SYSLOG_PACKAGE} / 8 | bc)
# The remainder is the severity level
SEVERITY_LEVEL=$(echo ${SYSLOG_PACKAGE} - ${FACILITY} \* 8 | bc)
echo Facility: ${FACILITY}
echo Severity level: ${SEVERITY_LEVEL}
[root@logserver ~]# tcpdump -Xni eth0 port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
20:08:05.306002 IP 10.1.1.10.55595 > 10.1.1.1.514: length: 288
0x0000: 4500 013c 177d 0000 4011 4b06 0a01 0164 E..<.}..@.K....d
0x0010: 0a01 01c9 d92b a2a2 0128 5f4b 3c31 3431 .....+...(_K<141
0x0020: 3e6e 7335 6774 3a20 4e65 7453 6372 6565 >ns5gt:.NetScree
0x0030: 6e20 6465 7669 6365 5f69 643d 6e73 3567 n.device_id=ns5g
0x0040: 7420 205b 526f 6f74 5d73 7973 7465 6d2d t..[Root]system-
0x0050: 6e6f
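Decoding the PRI field in code, as an added example that is not part of the original page: the Python below (used instead of the page's bash so the result can be checked against the captured bytes) inverts the Priority formula and applies it both to the nc message from this page and to the UDP payload copied from the tcpdump rows above, which begins at offset 0x1c after the 20-byte IP and 8-byte UDP headers. Facility names are the keywords from the intro; facilities 12-15 have no keyword on this page, so the table's descriptions are used for them.

```python
import re

# Facility names: the keywords listed in the intro above; facilities 12-15
# have no keyword on this page, so the table's descriptions are used there.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "NTP subsystem", "log audit",
    "log alert", "clock daemon", "local0", "local1", "local2", "local3",
    "local4", "local5", "local6", "local7",
]
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
MAX_PRI = len(FACILITIES) * 8 - 1  # 23 * 8 + 7 = 191

_PRI_RE = re.compile(rb"^<(\d{1,3})>")


def split_priority(pri):
    """Invert Priority = Facility * 8 + Level into (facility, level)."""
    if not 0 <= pri <= MAX_PRI:
        raise ValueError(f"PRI {pri} outside 0..{MAX_PRI}")
    return pri // 8, pri % 8


def parse_syslog(raw):
    """Return (facility_name, severity_name, text) for one raw datagram.

    A datagram without a well-formed <PRI> is rejected rather than filed
    under a guessed facility, so a misconfigured sender is noticed.
    """
    m = _PRI_RE.match(raw)
    if not m:
        raise ValueError("no <PRI> prefix")
    facility, level = split_priority(int(m.group(1)))
    return FACILITIES[facility], SEVERITIES[level], raw[m.end():].decode("ascii", "replace")


# Constructed inputs: the nc example from this page, and the UDP payload
# copied from the tcpdump hex rows above (payload begins at offset 0x1c).
NC_MESSAGE = b"<14>User Info msg from remote machine. abjorklund"
CAPTURED_PAYLOAD = bytes.fromhex(
    "3c31 3431"                                # 0x001c: "<141"
    "3e6e 7335 6774 3a20 4e65 7453 6372 6565"  # 0x0020: ">ns5gt: NetScree"
    "6e20 6465 7669 6365 5f69 643d 6e73 3567"  # 0x0030: "n device_id=ns5g"
    "7420 205b 526f 6f74 5d73 7973 7465 6d2d"  # 0x0040: "t  [Root]system-"
    "6e6f"                                     # 0x0050: "no" (capture cut at 96 bytes)
)

if __name__ == "__main__":
    print(parse_syslog(NC_MESSAGE), parse_syslog(CAPTURED_PAYLOAD))
```

The captured message decodes to facility 17 (local1) at severity 5 (Notice), matching what the bash script prints for 141.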
tcp/udp
In the forwarding configuration, the prefix on the remote host selects the transport:
@ forward via udp
@@ forward via tcp