Syslog
From Teknologisk videncenter
Syslog is a method for delivering log information from a sender to a receiver, typically across an IP network. The term syslog is used for the protocol that transfers the messages, for the applications that send or receive them, and for the log messages themselves.
- The syslog protocol and message format are described in RFC 3164 (The BSD syslog Protocol, informational). RFC 5424 has since obsoleted it with a structured message format, but RFC 3164 style messages are still what most devices emit.
- RFC 3195 defines reliable delivery of syslog over TCP using BEEP. The classic transport is UDP port 514, which is unreliable and unauthenticated: messages can be lost, spoofed or injected by anyone who can reach the collector.
- The IETF draft Signed Syslog Messages (expired October 1, 2009, later published as RFC 5848) standardizes signing of syslog messages so that a receiver can verify their origin and integrity and detect missing or reordered messages.
- Wikipedia syslog
Facility values
Code | Name | RFC 3164 facility | FreeBSD facility |
---|---|---|---|
0 | kern | Kernel messages | Kernel messages |
1 | user | User-level messages | User-level messages |
2 | mail | Mail system | Mail system |
3 | daemon | System daemons | System Daemons |
4 | auth | Security and Authorisation | Security and Authorisation |
5 | syslog | Messages generated by syslogd | Messages generated by syslogd |
6 | lpr | Line Printer subsystem | Line Printer subsystem |
7 | news | Network News subsystem | Network News subsystem |
8 | uucp | UUCP subsystem | UUCP subsystem |
9 | cron | Clock daemon | Clock daemon |
10 | authpriv | Security and Authorisation | Security and Authorisation |
11 | ftp | FTP daemon | FTP daemon |
12 | ntp | Network Time Protocol | Network Time Protocol |
13 | - | Log audit | - |
14 | - | Log alert | - |
15 | - | Clock daemon | Kernel messages |
16 | local0 | Local use 0 | Local use 0 |
17 | local1 | Local use 1 | Local use 1 |
18 | local2 | Local use 2 | Local use 2 |
19 | local3 | Local use 3 | Local use 3 |
20 | local4 | Local use 4 | Local use 4 |
21 | local5 | Local use 5 | Local use 5 |
22 | local6 | Local use 6 | Local use 6 |
23 | local7 | Local use 7 | Local use 7 |
Severity values
Each message starts with a PRI field, PRI = facility * 8 + severity, so `<34>` is facility 4 (auth) and severity 2 (crit). The values below are the severities; the names are the keywords used in syslog.conf, and `none`, `error` and `warn` are configuration keywords rather than values that appear on the wire.
Code | Name | Meaning |
---|---|---|
0 | emerg | Emergency: system is unusable |
1 | alert | Action must be taken immediately |
2 | crit | Critical conditions |
3 | err | Error conditions (syslog.conf also accepts `error`) |
4 | warning | Warning conditions (syslog.conf also accepts `warn`) |
5 | notice | Normal but significant condition |
6 | info | Informational messages |
7 | debug | Debug-level messages |
- | none | syslog.conf keyword: log no messages from that facility |
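The facility and severity tables above are combined into the single PRI number at the start of every message. The following Python is an added example, not code from the original page, that decodes and encodes PRI and parses the PRI part of a raw line. The keyword names are the syslog.h names from the tables; the labels used for facilities 13, 14 and 15, which have no syslog.h keyword, are assumptions. The sample message is the one from RFC 3164 section 5.4.

```python
"""Decode and encode the syslog PRI value.

Every RFC 3164 message starts with "<PRI>" where PRI = facility * 8 + severity,
so both tables above are read back out of one number with divmod(pri, 8).
"""
import re

FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp",
    13: "logaudit", 14: "logalert", 15: "clock",   # assumed labels, no syslog.h keyword
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}

# Index is the severity code 0..7.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 4.1.1: one to three digits, no leading zero except "<0>", maximum 191.
_PRI_RE = re.compile(r"^<(0|[1-9][0-9]{0,2})>(.*)$", re.DOTALL)


def decode_pri(pri):
    """Split a PRI number into (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI must be 0..191, got %d" % pri)
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]


def encode_pri(facility_name, severity_name):
    """Build the PRI number for a facility/severity keyword pair."""
    facility = next(code for code, name in FACILITIES.items() if name == facility_name)
    return facility * 8 + SEVERITIES.index(severity_name)


def parse_message(raw):
    """Parse the PRI part of a raw syslog line.

    A line without a valid PRI is not dropped: RFC 3164 section 4.3.3 tells a
    relay to treat it as PRI 13 (user.notice), so a malformed or spoofed PRI
    silently lands in the user facility. The result records that with
    pri_valid=False so a collector can flag it instead of trusting it.
    """
    match = _PRI_RE.match(raw)
    pri = int(match.group(1)) if match else None
    if pri is None or pri > 191:
        return {"pri": 13, "facility": "user", "severity": "notice",
                "pri_valid": False, "content": raw}
    facility, severity = decode_pri(pri)
    return {"pri": pri, "facility": facility, "severity": severity,
            "pri_valid": True, "content": match.group(2)}


if __name__ == "__main__":
    # Example message from RFC 3164 section 5.4: <34> is auth (4*8) + crit (2).
    msg = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"
    print(parse_message(msg))
    print(parse_message("<999>bogus PRI, treated as user.notice"))
```

The fallback in `parse_message` matters for detection: anything that reaches the collector with a broken PRI is classified as `user.notice`, so a rule that only watches `auth` and `authpriv` never sees it. Keep the `pri_valid` flag and alert on it.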
Linux
With systemd, journald stores syslog-style messages and `journalctl` can follow them for a single syslog identifier. In the example below messages from the `sshd` identifier are written to stdout as they arrive (`-f` follow, `-b` current boot only, `-p info` severity info and more severe, `-n1` start with the last line, `-t sshd` only this identifier, `-o cat` print just the message text):

```
root@h5:/etc/sshguard# journalctl -afb -p info -n1 -t sshd -o cat
Connection reset by 198.235.24.119 port 58836 [preauth]
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=root
Failed password for root from 127.0.0.1 port 45768 ssh2
Failed password for root from 127.0.0.1 port 45768 ssh2
Failed password for root from 127.0.0.1 port 45768 ssh2
Connection closed by authenticating user root 127.0.0.1 port 45768 [preauth]
^C
```
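The message text that `journalctl -t sshd -o cat` prints is exactly what a brute-force detector consumes. The following Python is an added example, not code from the original page or from sshguard, that groups `Failed password` lines by source host and raises an alert when a host reaches a threshold. The sample lines are constructed, modelled on the output shown above; the threshold of 3 is an arbitrary choice for the example.

```python
"""Detect SSH password brute-force attempts in sshd log lines.

Works on the message text produced by ``journalctl -t sshd -o cat`` (no
timestamp, no hostname) and on a live stream of it.
"""
import re
import sys
from collections import Counter

# Constructed sample in the shape of the journalctl output above (not captured from a real host).
SAMPLE_LINES = [
    "Connection reset by 198.235.24.119 port 58836 [preauth]",
    "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=root",
    "Failed password for root from 127.0.0.1 port 45768 ssh2",
    "Failed password for root from 127.0.0.1 port 45768 ssh2",
    "Failed password for root from 127.0.0.1 port 45768 ssh2",
    "Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2",
    "Connection closed by authenticating user root 127.0.0.1 port 45768 [preauth]",
    "Accepted publickey for deploy from 192.0.2.10 port 40001 ssh2: ED25519 SHA256:constructed",
]

# OpenSSH logs "Failed password for [invalid user ]USER from HOST port N ssh2".
_FAILED_RE = re.compile(
    r"^Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<host>\S+) port \d+ ssh2$"
)


def parse_failed(line):
    """Return (user, source host, invalid_user) for a failed-password line, else None."""
    match = _FAILED_RE.match(line)
    if not match:
        return None
    return match.group("user"), match.group("host"), match.group("invalid") is not None


class BruteForceDetector:
    """Streaming detector: feed() returns an alert string the moment a host hits the threshold."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.counts = Counter()

    def feed(self, line):
        parsed = parse_failed(line)
        if parsed is None:
            return None
        user, host, invalid = parsed
        self.counts[host] += 1
        if self.counts[host] == self.threshold:   # alert once, exactly at the threshold
            return "%s: %d failed password attempts (last user %s%s)" % (
                host, self.threshold, user, ", invalid user" if invalid else "")
        return None


def failures_by_source(lines):
    """Count failed password attempts per source host over a batch of lines."""
    det = BruteForceDetector(threshold=0)   # threshold 0 never matches, so no alerts
    for line in lines:
        det.feed(line.rstrip("\n"))
    return dict(det.counts)


def brute_force_sources(lines, threshold=3):
    """Source hosts with at least `threshold` failed password attempts, sorted."""
    return sorted(h for h, c in failures_by_source(lines).items() if c >= threshold)


if __name__ == "__main__":
    # Live use: journalctl -fb -t sshd -o cat | python3 ssh_bruteforce.py
    det = BruteForceDetector()
    for line in sys.stdin:
        alert = det.feed(line.rstrip("\n"))
        if alert:
            print(alert, flush=True)
```

The detector keys on the source host rather than the user name because a password-spraying attacker rotates users; a per-user threshold would never fire. Counts are never reset here, so for a long-running pipe you would age them out per time window.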
Links
Security
- Signed Syslog Messages (IETF draft, expired October 1, 2009; later published as RFC 5848)
- RFC 3227 - Guidelines for Evidence Collection and Archiving