Kernel Logging   «Prev  Next»

Lesson 5Configuring the system log
ObjectiveConfigure the System Log.

Configuring System Log

To configure the Linux system logging facility, use the /etc/syslog.conf file. This file enables you to specify how log messages will be handled when they arrive, such as what file or host will log them. Every line in this file is called a rule. Rules map selectors to actions, which allows the Linux system logging facility to route messages of certain types to different locations. For example, you might want to route debugging messages and critical messages to different locations.
A facility[1] and severity[2] combine to form a selector. Linux predefines valid facilities and severities, which applications use to log entries to the system logger. To make a selector, place the facility name followed by a period in front of the severity. For example, an email program might use the mail.warn selector if it is unable to download your email.

Sending log messages to Different Locations

The system logger checks a log message's selector against selectors defined in /etc/syslog.conf. If the selector is configured in /etc/syslog.conf, the system logger performs the associated action.
You can specify actions that
  1. log the message to a file
  2. broadcast the message to all logged-in users
  3. write the message to the system console
  4. transmit the message to remote logging daemons across the network

By default, emergency messages (those with a severity of emerg) are broadcast to all users, and most other messages are written to the standard system logfile /var/log/messages.

1) Configure System 1 2) Configure System 2 3) Configure System 3
Program 1 Program 2 Program 2
Click the link below to see how to configure the /etc/syslog.conf file to log a selector to a particular logfile.
Configuring System Log

Alphanumeric Pager

If you would like to be notified immediately of emergency messages, you can configure Linux to send them to your alphanumeric pager.
For firewall machines, you should send all logs to an internal machine for safekeeping. If a cracker breaks in and deletes your logs, you will have a copy on another machine. To erase those, the cracker would have to break into that machine as well, which takes time.
For example, to send a copy of every logged message to the machine, include the following entry in /etc/syslog.conf:

The asterisks (*) are wildcards and indicate that anything matches. The "at" sign (@) signals that the following name ( is a remote host on which to log messages.
More information on configuring system logging is available in the syslog.conf man page.

Restarting System Logger

Once you have made configuration changes, restart the system logging facility with
/etc/rc.d/init.d/syslog restart
The next lesson explains how to maintain logs.

Configuring System Log

Before moving on to the next lesson, click the link below to read about configuring a system log.
Configuring System Log

[1] Facility: Facilities are simply programs that can be configured to send notices to the system log. Common facilities include user, kern, mail, daemon, auth, lpr, news, uucp, and cron.
[2] Severity: The severity level indicates the importance of a given message. The severity levels listed from most importance to least important are: emerg, alert, crit, err, warning, notice, info, debug, and none.