oreilly.comSafari Books Online.Conferences.


Tools of the Trade: Part 3
Pages: 1, 2, 3

Comment on this articleWe're looking for tips and pointers on effective use of syslog and snort.
Post your comments

Previously in this series:

Tools of the Trade: Part 1 -- In this first of a three-part series, Carl Constantine covers tools and techniques that system administrators can use to protect their networks, including discussion of nmap, Ethereal, and how to set up honey pots.

Tools of the Trade: Part 2 -- In the second part of this ongoing series, Carl Constantine shows you how to use tcpdump and Tripwire to protect your Linux server.


The syslog.conf file is used by both syslogd and klogd. It consists of three parts. The first is the log file type (called a facility) you want to keep, the level (or priority) at which you wish to log events, and an action to take -- basically where you want the log to go. Both the facility and priority are case sensitive so be careful what you type. The log type, or facility, can be one of the following:

  • auth
  • auth-priv
  • cron
  • daemon
  • kern
  • lpr
  • mail
  • news
  • syslog
  • user
  • uucp
  • local0 to local7

There are a couple others but they should not be used. The priority for the log level can be one of the following:

  • debug
  • info
  • notice
  • warning
  • err
  • crit
  • alert
  • emerg

Again there are a couple others, but they should no longer be used. syslog also supports the use of wildcards in the configuration file. So for example, you can log all mail logs regardless of the priority or all priorities regardless of the log type. Let's look at a small section:

#  /etc/syslog.conf	Configuration file for syslogd.

# First some standard logfiles.  Log by facility.

auth,authpriv.*              /var/log/auth.log
*.*;auth,authpriv.none       /var/log/syslog
#cron.*                      /var/log/cron.log
daemon.*                     /var/log/daemon.log
kern.*                       /var/log/kern.log
lpr.*                        /var/log/lpr.log
mail.*                       /var/log/mail.log
user.*                       /var/log/user.log
uucp.*                       /var/log/uucp.log

In this example, I'm logging authorizations to /var/log/auth.log, and mail logs to /var/log/mail.log, but I'm not logging cron messages as that line is commented out. As an added bonus, I'm logging everything (*.*) to /var/log/syslog.

Well, this is all very nice, but all the logs are located on the local system. If a black hat gets into your system, deleting the logs behind him will be the last thing he does as he heads out the door. To help prevent this, you can log to a remote host by using "@hostname" in the action section of the log. For example:

#  /etc/syslog.conf	Configuration file for syslogd.

# First some standard logfiles.  Log by facility.

auth,authpriv.*           @logger
kern.*                    @logger
lpr.*                     @logger
mail.*                    @logger

Here, I'm logging all authorization, kernel, printing, and mail logs to a remote machine called logger. Logger must be defined in /etc/hosts. You can use this to send logs from several machines to a single machine on your network.

Having a central log host may not be enough to stop a determined cracker. You might want to take added protection by having hard copy printouts of your log files or sending email to your logs to various IDs. You can do this using cron or a utility such as logrotate. I highly recommend logrotate.

There is much more that you can do with syslog. You can restrict logging to certain logs for example. Here's a full syslog.conf file for your perusal. Check it against the man page for syslog.conf and see if you can figure out all it's doing.

#  /etc/syslog.conf	Configuration file for syslogd.

# First some standard logfiles.  Log by facility.

auth,authpriv.*           @logger
*.*;auth,authpriv.none    @logger
#cron.*                   /var/log/cron.log
daemon.*                  -/var/log/daemon.log
kern.*                    @logger
lpr.*                     -/var/log/lpr.log
mail.*                    /var/log/mail.log
user.*                    root, joeuser
uucp.*                    -/var/log/uucp.log

# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#           -/var/log/
mail.warn           -/var/log/mail.warn
mail.err            /var/log/mail.err

# Logging for INN news system
news.crit           /var/log/news/news.crit
news.err            /var/log/news/news.err
news.notice         -/var/log/news/news.notice

# Some `catch-all' logfiles.
  news.none;mail.none   -/var/log/debug
  mail,news.none        @logger

# Emergencies are sent to everybody logged in.
*.emerg				*

# I like to have messages displayed on the console, 
# but only on a virtual console I usually leave idle.
#  news.=crit;news.=err;news.=notice;\
#  *.=debug;*.=info;\
#  *.=notice;*.=warn	/dev/tty8

# The named pipe /dev/xconsole is for the `xconsole' 
# utility.  To use it, you must invoke `xconsole' 
# with the `-file' option:
#    $ xconsole -file /dev/xconsole [...]
# NOTE: adjust the list below, or you'll go crazy if 
# you have a reasonably busy site..
  *.=notice;*.=warn	|/dev/xconsole

Before I leave syslog, remember that many other tools such as Tripwire and snort can use the syslog facility. I recommend you check out how to implement logs in the tools you choose to use on your network.

Pages: 1, 2, 3

Next Pagearrow

Linux Online Certification

Linux/Unix System Administration Certificate Series
Linux/Unix System Administration Certificate Series — This course series targets both beginning and intermediate Linux/Unix users who want to acquire advanced system administration skills, and to back those skills up with a Certificate from the University of Illinois Office of Continuing Education.

Enroll today!

Linux Resources
  • Linux Online
  • The Linux FAQ
  • Linux Kernel Archives
  • Kernel Traffic

  • Sponsored by: