Quick notes
-----------
* Good idea to send logs to a central, secure log collection server
* Better if the server is on another, private network
* The second NIC used for this would be *unnumbered* and in *promiscuous* mode
* Port used is **514/UDP**
* Syslog is a frequent target for attackers; PAM, for example, makes heavy use of syslog.
* Relay loghosts can also be used. If there are many 'hops', the final loghost does not know the original source IP.
* This is fixed by using something like `syslog-ng`
Anatomy of `/etc/syslog.conf`
-----------------------------
Two parts: a *selector* (`facility.priority`) and an *action*.

### Selector: Facility

* auth (security events get logged with this)
* authpriv (user access messages use this)
* cron (atd and crond daemons)
* daemon (other daemon programs without a facility of their own)
* kern (kernel messages)
* lpr (printing subsystem)
* mail (mail system)
* mark (used by syslogd to produce timestamps in log files)
* news (news system)
* syslog (internal syslog messages)
* user (for user programs)
* uucp (UUCP subsystem)
* local0 – local7 (any use; RH uses local7 for boot messages)
* `*` (all facilities)

### Selector: Priority (importance, descending)

* emerg (system unavailable)
* alert (immediate action required)
* crit (critical condition)
* err (error)
* warning (what it says)
* notice (normal but significant)
* info (normal)
* debug (debugging info)

### Action

* /complete/path/of/some/file
* /dev/console
* -/complete/path/of/some/file (Don't flush the file after each message; better performance but risks loss of some log info.)
* username1[,username2 ...]
* `*` (all logged-in users)
* @remotehost.org
* |/path/to/named/pipe (To send output to a command you must create a named pipe, say /var/lib/cmd.pipe, with the mkfifo command. Then start the command with cmd
### Notes & Examples
* *Cannot* create new facilities. Need to use `local0` through `local7`.
* Syslog assumes that the program sending it logs knows how to do so.
* See [the PDF](Media:Logging,_Log_File_Rotation,_and_Syslog_Tutorial.pdf "wikilink") for examples of selectors
Logger
------
I use this to quickly test/view a facility or priority

    logger [-p facility.priority] [-t tag] message

* The default selector is `user.info`
* The default tag is `logger`.
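To make the selector/action semantics from the table concrete, here is an added example (not from the page or the tutorial it cites) that models how classic sysklogd decides which actions receive a message: a selector matches its facility at the named priority *or any more severe one*, `,` joins facilities, `;` joins selectors with the last applicable one winning, and `*` means any. The config text is constructed, and the `none` priority (exclude a facility) is assumed to behave as in sysklogd; the `user.info` check mirrors what a bare `logger message` would produce.

```python
# Priorities in descending importance, as in the page's table.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample config: security events go unbuffered to a local file
# and to a central loghost; everything else at info or higher goes to
# /var/log/messages buffered ('-' prefix); kernel crit+ also hits the console.
SAMPLE_CONF = """
# selector                 action
auth,authpriv.*            /var/log/secure
auth,authpriv.*            @loghost.example.org
*.info;auth,authpriv.none  -/var/log/messages
kern.crit                  /dev/console
"""


def parse_conf(text):
    """Return (selector, action) pairs; '#' comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        selector, action = line.split(None, 1)  # whitespace separates the two parts
        rules.append((selector, action.strip()))
    return rules


def selector_matches(selector, facility, priority):
    """True if a ';'-joined selector accepts a message of facility.priority."""
    matched = False
    for part in selector.split(";"):
        facs, prio = part.rsplit(".", 1)
        if facs != "*" and facility not in facs.split(","):
            continue  # this part says nothing about our facility
        if prio == "none":
            matched = False  # 'none' drops the facility entirely (assumed sysklogd rule)
        elif prio == "*":
            matched = True
        else:
            # Lower index = more severe; match at this priority or more severe.
            matched = PRIORITIES.index(priority) <= PRIORITIES.index(prio)
    return matched  # the last applicable part decides


def actions_for(rules, facility, priority):
    """Every action that receives a facility.priority message under these rules."""
    return [action for sel, action in rules if selector_matches(sel, facility, priority)]
```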
Sources
-------
* [Logging, Log File Rotation, and Syslog Tutorial](Media:Logging,_Log_File_Rotation,_and_Syslog_Tutorial.pdf "wikilink")
* [System Logging Explained in Linux](http://linuxhelp.blogspot.com/2005/09/system-logging-explained-in-linux.html)
* [Unix/Linux System Administration - Syslog Module](http://fog.ccsf.cc.ca.us/~gboyd/cs260a/online/syslog/introduction.html)