
CHAPTER 4 : SYSTEM LOGGING

Puan Shahnita Binti Shaharin


Autor: 26.04.13

INTRODUCTION TO SYSTEM LOGS

Linux keeps detailed records of events within the system, known as log files, which are created by many programs. System administrators refer to log files to determine the status of the system, watch for intruders, and look for data about a particular program or event.


INTRODUCTION TO SYSTEM LOGS

Commonly logged events and their log files


Event                          Path and filename of the log
Main system messages           /var/log/messages
Web server transfer            /var/log/httpd/access_log
FTP server transfer            /var/log/xferlog
E-mail server information      /var/log/maillog
Automatic script execution     /var/log/cron

The messages log file (/var/log/messages) contains messages from the Linux kernel and from most of the programs in Linux.


PURPOSE OF LINUX LOG FILES

Events occur in the background while the user is logged in. Daemons are special-purpose background processes designed to watch for network activity, run other programs, and monitor user actions.

The status information collected by a daemon is written to log files, not displayed on the screen.


THE message FILE


The main system log is stored in /var/log/messages. A message is a description of what is happening within a program: it may report information, a warning, or a serious error indicating that a program is about to crash.

Each line makes up an individual log message, and each message uses a standard format consisting of 4 parts:

The date and time when the event was logged (the timestamp)
The hostname (or computer name) of the system on which the event occurred
The name of the program generating the log message (often followed by its process ID in square brackets)
The message text itself (which may be more than one line)



THE message FILE - example

Apr 25 03:46:20 shahnita kernel: [24377.282128] usb 3-2.1: Product: BCM2045
Apr 25 03:46:20 shahnita kernel: [24377.282131] usb 3-2.1: Manufacturer: Broadcom Corp
Apr 25 03:46:20 shahnita bluetoothd[866]: HCI dev 0 registered
Apr 25 03:46:20 shahnita bluetoothd[866]: Listening for HCI events on hci0
Apr 25 03:46:20 shahnita NetworkManager[904]: <info> (eth0): preparing device.
Apr 25 03:46:20 shahnita NetworkManager[904]: <info> (eth0): deactivating device (reason 'managed') [2]
Apr 25 03:46:20 shahnita kernel: [24377.305516] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
Apr 25 03:46:20 shahnita kernel: [24377.365134] usb 3-2.2: new full-speed USB device number 12 using uhci_hcd
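As an added example (not part of the slides), here is a small Python parser for the four-part message layout shown above: it splits each line into timestamp, hostname, program (with its optional [pid]) and message text, folds indented continuation lines into the previous message, and keeps lines that do not fit the format rather than silently dropping them. The sample text is constructed: the first lines are modelled on the slide's example, while the indented continuation line and the sshd line (with the documentation address 203.0.113.7 and a made-up PID) are invented to show the "watch for intruders" use.

```python
import re
from collections import Counter

# Constructed sample in the four-part layout (timestamp, hostname,
# program[pid], message). The first lines are modelled on the slide's
# example; the indented continuation line and the sshd line are invented.
SAMPLE_LOG = """\
Apr 25 03:46:20 shahnita kernel: [24377.282128] usb 3-2.1: Product: BCM2045
Apr 25 03:46:20 shahnita bluetoothd[866]: HCI dev 0 registered
Apr 25 03:46:20 shahnita NetworkManager[904]: <info> (eth0): deactivating device
    (reason 'managed') [2]
Apr 25 03:46:20 shahnita kernel: [24377.305516] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
Apr 25 03:46:21 shahnita sshd[1201]: Failed password for root from 203.0.113.7 port 52114 ssh2
"""

# timestamp (the day is space-padded before the 10th), hostname, program
# name with an optional [pid], then the message text
LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) "
    r"(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)


def parse_log(text):
    """Split messages-file text into one dict per log message."""
    records = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"]) if rec["pid"] else None
            rec["malformed"] = False
            records.append(rec)
        elif records and raw[0].isspace():
            # message text that spilled onto another line belongs to the
            # previous message, not to a new event
            records[-1]["message"] += " " + raw.strip()
        else:
            # keep lines that do not fit the format instead of dropping
            # them: garbage or gaps in a log are themselves worth noticing
            records.append({"timestamp": None, "hostname": None, "program": None,
                            "pid": None, "message": raw, "malformed": True})
    return records


def count_by_program(records):
    """How many messages each program wrote, e.g. to spot a noisy daemon."""
    return Counter(r["program"] for r in records if not r["malformed"])


def find(records, pattern):
    """Messages whose text matches a regular expression."""
    rx = re.compile(pattern)
    return [r for r in records if rx.search(r["message"])]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(count_by_program(recs))
    for r in find(recs, r"Failed password"):
        print(r["timestamp"], r["hostname"], r["program"], r["pid"], r["message"])
```

Two caveats a practitioner should keep in mind when reading this format: the timestamp carries no year and no time zone, and the hostname and program name are supplied by whatever wrote the message, so a local process can put any program name it likes in front of its text. Correlate by PID and by other sources before trusting a single line.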


syslogd and klogd DAEMONS


Every program uses a set of common functions stored in system libraries that are shared by many programs, so the system can use resources more efficiently. A function is a set of computer programming code that completes a certain task for any program that uses it. syslog is one of the functions in the shared libraries: any program can call it, passing it a message. The syslog function does not write the log file itself; it hands the message to a background program called syslogd (the system logging daemon), whose purpose is to watch for messages submitted by programs and write them to the /var/log/messages file.

syslogd and klogd DAEMONS

klogd (kernel logging daemon)

Purpose: logs messages submitted by the Linux kernel to the /var/log/messages file (it reads the kernel's messages and passes them to syslogd under the kern facility).

How syslogd and klogd accept messages for the log files


VIEWING BOOT MESSAGES

When you turn on the computer system, the kernel boots and initializes the computer hardware. The kernel then starts the init program, which starts the system logging daemons syslogd and klogd.

klogd is not yet available while the kernel initializes the computer hardware.

The kernel writes messages to the screen during system startup (before klogd is active); these messages are also stored in the kernel ring buffer.


VIEWING BOOT MESSAGES

Kernel ring buffer: a small area of memory that holds internal kernel messages.

If the kernel ring buffer becomes full, the first message (the oldest message) is discarded. This ensures the most recent messages can always be found in the buffer.

The dmesg utility shows the content of the kernel ring buffer, to view it on the screen.

Traditionally it can be executed by any user, not only root. On current kernels, however, the kernel.dmesg_restrict sysctl (set to 1 by many distributions) limits reading the ring buffer to root or a process with CAP_SYSLOG, and an unprivileged dmesg then fails with "Operation not permitted".

$ dmesg | less

Use less to browse the output with Page Up and Page Down.


VIEWING BOOT MESSAGES


$ dmesg | less
...
[26098.147206] usbcore: registered new interface driver cdc_ether
[26099.089615] scsi 6:0:0:0: CD-ROM CWID USB SCSI CD-ROM 2.31 PQ: 0 ANSI: 2
[26099.090353] scsi 6:0:0:1: Direct-Access ZTE MMC Storage 2.31 PQ: 0 ANSI: 2
[26099.094970] sr1: scsi-1 drive
[26099.095313] sr 6:0:0:0: Attached scsi CD-ROM sr1
[26099.098347] sr 6:0:0:0: Attached scsi generic sg2 type 5
[26099.100789] sd 6:0:0:1: Attached scsi generic sg3 type 0
[26099.103161] sd 6:0:0:1: [sdb] Attached SCSI removable disk
[26964.815890] composite sync not supported


VIEWING BOOT MESSAGES

dmesg contains much detailed information about how Linux recognized and initialized the hardware of the system.

Linux systems store the dmesg output right after the system has started (traditionally in /var/log/dmesg) in case of hardware problems with Linux. The original boot messages are thus preserved even if other messages are written to the kernel ring buffer later on.


CONFIGURING THE message LOG FILE

"var"log"message contain many types of messages from many different programs 9oth syslogd and klogd are configured using syslog.conf configuration file stored in "etc directory Syslog.conf determines where each type of message from different programs will be logged


FORMAT OF syslog.conf

Example:
*.info;mail.none;authpriv.none     /var/log/messages

Lines beginning with a hash mark (#) are comments and are ignored.
Format of each line in the syslog.conf file (the selector and the action are separated by whitespace):

facility.priority;facility.priority     action
\_______________/ \_______________/     \____/
     selector     optional additional   action
                      selector

FORMAT OF syslog.conf

Each line in syslog.conf contains 2 parts:

Selector: a set of code words that select which events are being logged
Action: a filename or a username

Filename: determines which file the messages of an event will be written to
Username: determines which user's screen the message appears on (an action can also be @hostname, which forwards the message to the syslogd on a remote computer instead of to a local file)

The selector part is composed of 2 parts:

Facility: a code word that specifies which type of program is being selected
Priority: a code word that specifies the type of message being selected for logging


FORMAT OF syslog.conf

Example .

daemon.info     /var/log/messages

Left part: the selector daemon.info

Facility: daemon. Priority: info. Messages from any daemon program with priority info or higher are selected by these code words.

Right part: the action /var/log/messages

This action is a filename: messages selected by the daemon.info selector will be written to the /var/log/messages file.


Facility

When a program wants to write a message to /var/log/messages:

The program issues a programming call to the syslog function
The program indicates its program type or category (the facility)
The syslogd daemon uses the facility to determine where to write the message, based on the syslog.conf configuration file.


Facility
Facility name           Description
auth                    Messages from user authentication utilities such as login
authpriv                Special-purpose (private) user authentication messages
cron                    Messages from the cron program (used to control automated, scheduled tasks)
daemon                  Messages from all standard daemons or servers
kern                    Kernel messages (through klogd)
lpr                     Printer server messages
mail                    Mail server messages (from the Mail Transfer Agent)
news                    News server messages
syslog                  Messages about the system logging process itself
user                    Messages from programs started by end users
uucp                    Messages from the uucp program (rarely used)
local0 through local7   Eight special-purpose categories that a Linux vendor or programmer can define for specific needs not covered by the other categories

Code words used to specify facilities in syslog.conf

Priorities

Programs in Linux generate different types of messages, e.g.:

Informational messages (how the program is using resources)
Messages indicating a potential problem
Messages indicating a serious or critical problem

Each program can generate messages with different priorities, depending on the seriousness of the event.


Priorities
Priority name   Description
debug           Debugging messages used by programmers or those testing how a program works
info            Informational messages about what a program is doing
notice          Information about noteworthy events occurring as a program executes
warning         Warnings about potential problems with a program
err             Notices about errors occurring within a program
crit            Critical error messages that will likely cause a program to shut down
alert           Error messages that will cause a program to shut down and may also affect other programs
emerg           Messages about events serious enough to potentially crash the system

The priorities are listed from least to most serious; a selector's priority selects messages of that priority and of all higher ones.
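To tie the syslog.conf format, the facility table and the priority table together, here is an added Python example (not from the slides) that parses a syslog.conf fragment and decides which actions a message with a given facility and priority will reach, using the sysklogd rule that each selector sets a minimum priority for its facilities, a later selector for the same facility overrides an earlier one, and `none` switches a facility off. It also computes the PRI number (facility * 8 + severity, RFC 3164) that accompanies a message on the wire. The configuration is constructed: the first two lines are the slide's examples, while /var/log/secure, the `*` broadcast line and the loghost forwarding line are common additions assumed for the example. The `ftp` facility and the `warn`, `error` and `panic` aliases come from sysklogd, not from the slides.

```python
# Priority code words ordered from least to most serious; the numeric
# severity codes syslog uses on the wire run the other way (emerg=0..debug=7).
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
PRIORITY_ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
SEVERITY_CODE = {name: 7 - rank for rank, name in enumerate(PRIORITIES)}

# Facility codes (RFC 3164 numbering). authpriv is the syslog.conf spelling of
# the slide's auth-priv; ftp is a standard facility the slide does not list.
FACILITY_CODE = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
}
FACILITY_CODE.update({f"local{n}": 16 + n for n in range(8)})

# Constructed configuration: the two selector lines from the slides plus
# three assumed ones (a private auth log, emergency broadcast to every
# logged-in terminal, kernel messages forwarded to a host named loghost).
SAMPLE_CONF = """\
# Log anything at info or higher, but keep mail and private auth out of it
*.info;mail.none;authpriv.none          /var/log/messages
daemon.info                             /var/log/messages
authpriv.*                              /var/log/secure
*.emerg                                 *
kern.*                                  @loghost
"""


def pri_value(facility, priority):
    """PRI number sent with a syslog message: facility * 8 + severity."""
    return FACILITY_CODE[facility] * 8 + SEVERITY_CODE[priority]


def decode_pri(pri):
    """Inverse of pri_value: split a PRI number back into its code words."""
    fac = {v: k for k, v in FACILITY_CODE.items()}[pri // 8]
    sev = {v: k for k, v in SEVERITY_CODE.items()}[pri % 8]
    return fac, sev


def parse_conf(text):
    """Return [(selectors, action)] from syslog.conf text.

    selectors is a list of (facility, priority) pairs in file order, where
    facility may be '*' and priority may be '*' or 'none'.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # comments and blank lines are ignored
            continue
        selector_part, action = line.split(None, 1)
        selectors = []
        for sel in selector_part.split(";"):
            facilities, priority = sel.rsplit(".", 1)
            priority = PRIORITY_ALIASES.get(priority, priority)
            if priority not in PRIORITIES and priority not in ("*", "none"):
                raise ValueError(f"unknown priority in selector {sel!r}")
            for fac in facilities.split(","):          # mail,news.none is allowed
                if fac != "*" and fac not in FACILITY_CODE:
                    raise ValueError(f"unknown facility in selector {sel!r}")
                selectors.append((fac, priority))
        rules.append((selectors, action.strip()))
    return rules


def selects(selectors, facility, priority):
    """Apply one rule's selectors to a message, sysklogd style.

    Each selector sets the minimum priority for its facilities; a later
    selector for the same facility overrides an earlier one, and 'none'
    switches the facility off for this rule. That is why
    '*.info;mail.none' logs everything at info or above except mail.
    """
    threshold = {}
    for fac, pri in selectors:
        targets = FACILITY_CODE if fac == "*" else [fac]
        for t in targets:
            if pri == "none":
                threshold[t] = None
            elif pri == "*":
                threshold[t] = 0
            else:
                threshold[t] = PRIORITIES.index(pri)
    minimum = threshold.get(facility)
    return minimum is not None and PRIORITIES.index(priority) >= minimum


def actions_for(rules, facility, priority):
    """Every action whose rule selects a (facility, priority) message."""
    return [action for selectors, action in rules if selects(selectors, facility, priority)]


if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    for fac, pri in [("daemon", "info"), ("daemon", "debug"), ("authpriv", "notice"),
                     ("mail", "crit"), ("kern", "debug"), ("kern", "err")]:
        print(f"{fac}.{pri} (PRI {pri_value(fac, pri)}) ->", actions_for(rules, fac, pri))
```

Running it shows two things worth knowing before editing a real syslog.conf: the redundant daemon.info line makes every daemon message at info or above land in /var/log/messages twice, and the `@loghost` action forwards over plain UDP port 514 with no authentication, so anything on that network path can read the messages or inject forged ones into the collector.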
