COMPUTER AND NETWORK
SYSTEM ADMINISTRATION
Summer 1996 - Lesson 25
Syslog Daemon
A. log files
1. hard to find them all
> especially in Solaris
2. this is good for security but bad for log
maintenance
> you may want to change standard locations
> create scripts for truncation
3. rotation - see /usr/lib/newsyslog
#! /bin/sh
#
# @(#)newsyslog.sh 1.3 89/06/22 SMI
#
# rotate /var/adm/messages: keep three old generations (.0 is the newest),
# then start a fresh, empty current file with the expected mode
LOG=messages
cd /var/adm
test -f $LOG.2 && mv $LOG.2 $LOG.3
test -f $LOG.1 && mv $LOG.1 $LOG.2
test -f $LOG.0 && mv $LOG.0 $LOG.1
mv $LOG $LOG.0
cp /dev/null $LOG
chmod 644 $LOG
#
# same for /var/log/syslog, but only if the directory exists and the
# file has something in it
LOGDIR=/var/log
LOG=syslog
if test -d $LOGDIR
then
    cd $LOGDIR
    if test -s $LOG
    then
        test -f $LOG.2 && mv $LOG.2 $LOG.3
        test -f $LOG.1 && mv $LOG.1 $LOG.2
        test -f $LOG.0 && mv $LOG.0 $LOG.1
        mv $LOG $LOG.0
        cp /dev/null $LOG
        chmod 666 $LOG
        sleep 40
    fi
fi
#
# syslogd still has the renamed file open; HUP makes it close and
# reopen its outputs so new messages go to the fresh file
kill -HUP `cat /etc/syslog.pid`
> some daemons keep their log files open
> note that the syslog daemon must be sent a signal
> note modes, owner, group
B. syslogd daemon
1. consists of:
- the daemon and its config file
- library routines used to send messages
- a user-level command used to send log entries
2. syslogd
- listens for remote logging requests on port 514/udp
- listens for local messages by watching the UNIX domain
socket /dev/log
srw-rw-rw- 1 root staff 0 Mar 30 10:58 log
and the kernel log device /dev/klog
crw------- 1 root staff 16, 0 Oct 31 1991 /dev/klog
- starts at boot time and runs until shutdown
3. config file
- /etc/syslog.conf
- if config file is changed then send HUP signal to
the syslog daemon to get it to reread the config
file
- this is a file that separates fields with TABs
- format is "selector TAB action"
- selectors are chosen from a list of facilities and
severity levels
- a facility is the supposed source (see Table 12.2 - p. 208)
- the severity levels are the supposed importance of
the message (see Table 12.3)
- the actions are limited to logging, writing to console,
and forwarding
- a look at the syslog.conf file:
*.err;kern.debug;user.none,mail.notice /dev/console
*.err;kern.debug;daemon,auth.notice;mail.crit;user.none /var/adm/messages
lpr.debug /var/adm/lpd-errs
*.alert;kern.err;daemon.err;user.none operator
*.alert;user.none root
*.emerg;user.none *
auth.notice ifdef(`LOGHOST', /var/log/authlog, @loghost)
mail.debug ifdef(`LOGHOST', /var/log/syslog, @loghost)
4. debugging
- run syslogd -d to see the internal syslog daemon table
- columns are facilities, numbers are priority levels,
rows are actions
mu# syslogd -d
off & running....
init
cfline(*.err;kern.debug;user.none,mail.notice /dev/console)
cfline(*.err;kern.debug;daemon,auth.notice;mail.crit;user.none /var/adm/messages)
cfline(lpr.debug /var/adm/lpd-errs)
cfline(*.alert;kern.err;daemon.err;user.none operator)
cfline(*.alert;user.none root)
cfline(*.emerg;user.none *)
cfline(auth.notice @loghost)
cfline(mail.debug @loghost)
cfline(user.err /dev/console)
cfline(user.err /var/adm/messages)
cfline(user.alert root, operator)
cfline(user.emerg *)
7 X 5 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 X CONSOLE: /dev/console
7 X 2 5 5 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 X FILE: /var/adm/messages
X X X X X X 7 X X X X X X X X X X X X X X X X X X FILE: /var/adm/lpd-errs
3 X 1 3 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 X USERS: operator,
1 X 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 X USERS: root,
0 X 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 X WALL:
X X X X 5 X X X X X X X X X X X X X X X X X X X X FORW: loghost
X X 7 X X X X X X X X X X X X X X X X X X X X X X FORW: loghost
X 3 X X X X X X X X X X X X X X X X X X X X X X X CONSOLE: /dev/console
X 3 X X X X X X X X X X X X X X X X X X X X X X X FILE: /var/adm/messages
X 1 X X X X X X X X X X X X X X X X X X X X X X X USERS: root, operator,
X 0 X X X X X X X X X X X X X X X X X X X X X X X WALL:
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 UNUSED:
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 UNUSED:
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 UNUSED:
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 UNUSED:
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 UNUSED:
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 UNUSED:
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 UNUSED:
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 UNUSED:
logmsg: pri 56, flags 8, from mu, msg syslogd: restart
syslogd: restarted
readfds = 0x38
- it looks like column 2 is for facility 'user'
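As an added example (not from the lecture and not taken from any syslogd source), the following C code re-implements the selector parsing that produces the per-facility table shown by syslogd -d, so the syslog.conf lines above can be checked against the matrix: ';' or ',' after a level starts a new selector, facilities listed before a '.' share the level, ".none" gives the X, and "*" never fills the last column. The facility numbering is the BSD <syslog.h> one and is an assumption about the lecture's system; the function names are made up for this example.

```c
#include <string.h>

#define NFAC  24   /* LOG_NFACILITIES; index is the BSD facility code: kern=0 user=1 mail=2 daemon=3 auth=4 lpr=6 */
#define NOPRI (-1) /* "none": printed as X by syslogd -d */

/* facility and level names by code (assumed BSD <syslog.h> order; codes 10-15 unused here) */
static const char *const facnames[NFAC] = {
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
    "", "", "", "", "", "", "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7" };
static const char *const prinames[8] = { "emerg", "alert", "crit", "err", "warning", "notice", "info", "debug" };

static int lookup(const char *name, const char *const *tab, int n) {
    for (int i = 0; i < n; i++) if (*tab[i] && strcmp(name, tab[i]) == 0) return i;
    return -1;
}

/* Fill the per-facility priority mask syslogd keeps for one action; returns 0, or -1 on
 * an unknown name.  The mask has NFAC+1 entries because "*" fills only the first NFAC,
 * which is why every row of the -d dump ends in X. */
int parse_selector(const char *sel, int pmask[NFAC + 1]) {
    char buf[256], *tok = buf, *end, *dot;
    int pend[128], npend = 0, more;             /* facilities still waiting for a level */
    for (int i = 0; i <= NFAC; i++) pmask[i] = NOPRI;
    strncpy(buf, sel, sizeof buf - 1); buf[sizeof buf - 1] = '\0';
    do {
        end = tok + strcspn(tok, ";,");         /* a token ends at ';' or ',' */
        more = *end != '\0';
        *end = '\0';
        if ((dot = strchr(tok, '.'))) *dot++ = '\0';            /* dot now names the level */
        if (strcmp(tok, "*") == 0) pend[npend++] = -1;          /* -1 = every facility */
        else if ((pend[npend++] = lookup(tok, facnames, NFAC)) < 0) return -1;
        if (dot) {                                              /* apply level to pending */
            int pri = NOPRI;
            if (strcmp(dot, "none") != 0 && (pri = lookup(dot, prinames, 8)) < 0) return -1;
            for (int j = 0; j < npend; j++)
                for (int i = 0; i < NFAC; i++)
                    if (pend[j] < 0 || pend[j] == i) pmask[i] = pri;
            npend = 0;
        }
        tok = end + 1;
    } while (more);
    return npend == 0 ? 0 : -1;                 /* a facility with no level is an error */
}

/* mask entry for one facility (-2 on a bad selector), and whether a message at severity
 * pri would be delivered: lower numbers are more severe, so anything <= the entry passes */
int selector_entry(const char *sel, int fac) {
    int pmask[NFAC + 1]; return parse_selector(sel, pmask) == 0 ? pmask[fac] : -2;
}
int selector_allows(const char *sel, int fac, int pri) {
    int e = selector_entry(sel, fac); return e >= 0 && pri <= e;
}
```

Feeding the first two syslog.conf selectors through selector_entry reproduces the first two rows of the matrix column by column (7 for kern, X for user, 5 or 2 for mail, then 3s).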
5. use of syslog for security
- need the source code of the operating system
- necessary parameter options are in
- examples from the login program on our workstations (to which logins
from outside are not allowed)
- log every denied remote login:
    /* ut_host containing a '.' (a fully qualified name or an address,
       not a local short name) means the login comes from outside: log
       it to the auth facility, then refuse it.  Needs <syslog.h>,
       <string.h> and the utmp entry already filled in. */
    if ( strstr(utmp.ut_host,".") ) {
        openlog("login", LOG_ODELAY, LOG_AUTH);
        syslog(LOG_NOTICE,
               "REMOTE TELNET ATTEMPT FROM %s HAS BEEN DENIED",
               utmp.ut_host);
        printf("Remote access denied. ");
        exit(1);
    }
- grep /var/adm/messages on nu for DENIED
Apr 5 17:06:13 vpo login: REMOTE LOGIN ATTEMPT FROM count.cis.famu.e by harmon,harmon HAS BEEN DENIED
Apr 5 18:09:37 eta login: REMOTE LOGIN ATTEMPT FROM jamil.cis.famu.e by black,bblack HAS BEEN DENIED
- log all remote queries (successful or not) to xi
    /* localcheck() returns 0 when the remote site fails the CS query.
       Both outcomes are logged at LOG_NOTICE; only the failure ends the
       session.  "%.*s" with NMAX bounds the name because ut_name need
       not be NUL terminated. */
    if (localcheck()==0) {
        syslog(LOG_NOTICE,
               "REMOTE SITE FAILED CS QUERY AT %s BY %.*s",
               hname, NMAX, utmp.ut_name);
        exit(1);
    }
    else {
        syslog(LOG_NOTICE,
               "REMOTE SITE PASSED CS QUERY AT %s BY %.*s",
               hname, NMAX, utmp.ut_name);
    }
- grep /var/adm/messages on nu for QUERY
Apr 10 08:25:04 xi telnet: REMOTE SITE PASSED CS QUERY AT sun1.dms.state.fl.us BY deal
Apr 10 09:18:48 xi telnet: REMOTE SITE PASSED CS QUERY AT serel7.cis.famu.edu BY bakers
Apr 10 09:27:55 xi login: REMOTE SITE PASSED CS QUERY AT nexus.polaris.net BY decker
Apr 10 10:51:34 xi login: REMOTE SITE FAILED CS QUERY AT 168.223.20.134 BY ehlmann
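An added example (not part of the lecture notes): instead of grepping by hand, this C scanner pulls the remote host and the user out of the DENIED and CS QUERY lines logged by the two code fragments above and counts each kind, so a daily tally of refused logins and failed queries can be produced. The sample lines are constructed in the style of the page's messages; the hosts, users, times and function names are made up.

```c
#include <stdio.h>
#include <string.h>

enum { EV_OTHER, EV_DENIED, EV_QUERY_FAILED, EV_QUERY_PASSED };

/* constructed sample /var/adm/messages lines in the shape of the lecture's
 * (hosts, users and times are made up; line 2 is the TELNET wording) */
static const char *const SAMPLE[] = {
    "Apr  5 17:06:13 vpo login: REMOTE LOGIN ATTEMPT FROM host1.example.edu by harmon,harmon HAS BEEN DENIED",
    "Apr  5 18:09:37 eta login: REMOTE TELNET ATTEMPT FROM host2.example.net HAS BEEN DENIED",
    "Apr 10 08:25:04 xi telnet: REMOTE SITE PASSED CS QUERY AT sun1.example.org BY deal",
    "Apr 10 10:51:34 xi login: REMOTE SITE FAILED CS QUERY AT 192.0.2.134 BY ehlmann",
    "Apr 10 10:52:00 xi syslogd: restart",
};
static const int NSAMPLE = sizeof SAMPLE / sizeof SAMPLE[0];

/* Classify one line and pull out the remote host and, when logged, the user.
 * Handles both message forms on the page: "... ATTEMPT FROM <host> [by <user>]
 * HAS BEEN DENIED" and "REMOTE SITE PASSED|FAILED CS QUERY AT <host> BY <user>". */
int classify(const char *line, char host[128], char user[64]) {
    const char *h, *u;
    host[0] = user[0] = '\0';
    if ((h = strstr(line, "ATTEMPT FROM ")) && strstr(h, " HAS BEEN DENIED")) {
        (void)sscanf(h + 13, "%127s", host);                   /* word after FROM */
        if ((u = strstr(h, " by "))) (void)sscanf(u + 4, "%63s", user);
        return EV_DENIED;
    }
    if ((h = strstr(line, " CS QUERY AT ")) && (u = strstr(h, " BY "))) {
        (void)sscanf(h + 13, "%127s", host);
        (void)sscanf(u + 4, "%63s", user);
        return strstr(line, "FAILED CS QUERY") ? EV_QUERY_FAILED : EV_QUERY_PASSED;
    }
    return EV_OTHER;
}

/* how many lines of one kind (e.g. refused remote logins) the log holds */
int count_events(const char *const lines[], int n, int kind) {
    char host[128], user[64];
    int c = 0;
    for (int i = 0; i < n; i++)
        if (classify(lines[i], host, user) == kind) c++;
    return c;
}

/* host (which == 0) or user (which == 1) of one line, in a static buffer */
const char *event_field(const char *line, int which) {
    static char host[128], user[64];
    classify(line, host, user);
    return which ? user : host;
}
```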