Syslog Revision as of Sunday, 20 December 2015 at 19:56 UTC
Quick notes
- Good idea to send logs to a central, secure log collection server
- Better if the server is on another, private network
- Second NIC used would be unnumbered and in promiscuous mode
- Port used is 514/UDP
- Frequent target for hackers; PAM, for example, uses a lot
of syslog.
- Relay loghosts can also be used. If there are many ‘hops’, the final
loghost does not know the source IP- This is fixed by using something like
syslog-ng
- This is fixed by using something like
Anatomy of /etc/syslog.conf
Two parts: A selector and an action.
Selector |------------ |
Facility |
Priority |
Action |------------ |
|
|
|
---|
Notes & Examples
- Cannot create new facilities. Need to use
local{0,7}
- Syslog assumes that the program sending it logs knows how to do so.
- See the
PDF
for examples of selectors
Logger
I use this to quickly test/view a facility or priority
 logger [-p facility.priority] [-t tag] message
- The default selector is
user.info
- The default tag is
logger
.