Many services under CentOS use a standard logging system called syslog. You are probably familiar with
the log files located in /var/log; many of these are written by syslog. Each service that uses syslog
must nominate a facility to indicate the type of service it is. There are not enough facilities for each
service to have its own unique value, so several services may share one. For example, sendmail
and dovecot both use the mail facility because they both process email. There are also a number of
generic facilities, named local0 through local7. Under CentOS, some of these are already allocated, but you
are free to alter them if required. Table 10-4 shows the available facilities.
Table 10-4. syslog Facilities

Facility | Usage
authpriv | Used for security and sensitive authorization messages
cron     | Used by the cron and at services
daemon   | Used by generic services that do not have a dedicated facility
ftp      | Used by any FTP service
kern     | Used by messages generated by the kernel
lpr      | Used by the printing subsystem
mail     | Used by mail services
news     | Used by the USENET news service
syslog   | Used by the syslog service
user     | Generic user-generated messages
uucp     | Used by the UUCP subsystem
local0   | Available for local customization
local1   | Available for local customization
local2   | Available for local customization
local3   | Available for local customization
local4   | Used by clustering software
local5   | Used by SpamAssassin, an open source mail filter
local6   | Available for local customization
local7   | Used for boot time messages
Each message sent to syslog is also tagged with a priority. The priority indicates the importance of
the message, from debug information through emergency messages. The available priorities are shown in
Table 10-5. The priority of a message is chosen by the author of the service. Although each priority
has a description, there are no hard and fast rules for selecting one, so relying heavily on priorities
should be avoided. Generally, all priorities of Information and above are of interest and are logged.
Table 10-5. syslog Priorities

Priority    | Description                                             | Example
Debug       | Unimportant unless you are debugging a specific problem | A hexadecimal dump of a packet.
Information | General information message                             | A service has accepted a connection.
Notice      | Normal significant condition                            | The kernel has detected an unknown piece of hardware.
Warning     | Warning condition                                       | An operation has failed but will be retried.
Error       | Error condition                                         | A service has crashed.
Critical    | Critical condition                                      | File system corruption has been detected.
Alert       | Condition requiring immediate action                    | A RAID disk failure has been detected.
Emergency   | System unusable                                         | The system is overheating.
When a message is saved to the log file, it is recorded together with a timestamp and the name of the host
that generated it. Listing 10-18 shows some sample log entries from /var/log/messages and
/var/log/secure. Note that the logged line does not indicate the priority or the facility that was used when
the message was sent.
Listing 10-18. Sample Log Messages
Mar 20 17:12:26 acer shutdown[4215]: shutting down for system reboot
Mar 20 17:14:30 acer kernel: Using APIC driver default
Mar 20 17:14:30 acer kernel: pnp: 00:09: ioport range 0x400-0x4bf could not be reserved
Mar 20 17:14:30 acer kernel: r8169: eth0: link up
Mar 20 17:14:43 acer dhclient: DHCPREQUEST on eth0 to 192.168.2.1 port 67
Mar 21 20:09:10 acer login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Mar 21 20:51:58 acer sshd[14837]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
Mar 21 20:52:09 acer groupadd[14854]: new group: name=ecryptfs, GID=105
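The following is an added example, not code from the book: a small POSIX shell function that splits lines in the format shown above (fixed 15-character timestamp, host, then "program[pid]: message") into their fields, plus a helper that pulls out the lines written by one program. The function names are my own; the sample lines are copied from Listing 10-18.

```shell
#!/bin/sh
# Added example (not from the book): split classic syslog lines, as written by
# syslogd to /var/log/messages, into their fields. The sample lines below are
# copied from Listing 10-18.

# Print one FIELD (timestamp, host, program, pid or message) of LINE.
syslog_field() {
    line=$1 field=$2
    # syslogd writes a fixed 15-character "Mon dd hh:mm:ss" timestamp, a space,
    # the host name, a space, then "program[pid]: message" or "program: message".
    timestamp=$(printf '%s\n' "$line" | cut -c1-15)
    rest=$(printf '%s\n' "$line" | cut -c17-)
    host=${rest%% *}
    rest=${rest#* }
    tag=${rest%%:*}                 # e.g. "sshd[14837]" or "kernel"
    message=${rest#*: }
    program=${tag%%\[*}
    pid=
    case $tag in
        *\[*\]) pid=${tag##*\[}; pid=${pid%\]} ;;
    esac
    case $field in
        timestamp) printf '%s\n' "$timestamp" ;;
        host)      printf '%s\n' "$host" ;;
        program)   printf '%s\n' "$program" ;;
        pid)       printf '%s\n' "$pid" ;;
        message)   printf '%s\n' "$message" ;;
        *)         return 1 ;;
    esac
}

# Print "timestamp host message" for every line in FILE whose program is PROG;
# an empty PROG matches all programs. Facility and priority cannot be recovered
# here, because syslogd does not write them to the file.
lines_from_program() {
    file=$1 prog=$2
    while IFS= read -r l; do
        p=$(syslog_field "$l" program)
        if [ -z "$prog" ] || [ "$p" = "$prog" ]; then
            printf '%s %s %s\n' "$(syslog_field "$l" timestamp)" \
                "$(syslog_field "$l" host)" "$(syslog_field "$l" message)"
        fi
    done < "$file"
}

# Demonstration on a constructed file holding lines from Listing 10-18.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Mar 20 17:12:26 acer shutdown[4215]: shutting down for system reboot
Mar 20 17:14:30 acer kernel: Using APIC driver default
Mar 21 20:09:10 acer login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Mar 21 20:51:58 acer sshd[14837]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
Mar 21 20:52:09 acer groupadd[14854]: new group: name=ecryptfs, GID=105
EOF
echo "sshd lines:"
lines_from_program "$sample" sshd
echo "all lines:"
lines_from_program "$sample" ""
rm -f "$sample"
```

Because the priority and facility are absent from the file, a filter like this can only select on program name, host or message text; if you need to select on priority after the fact, the forwarding rules in syslog.conf are the place to separate messages.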
Configuring the Server to Receive Logs
It is possible to send syslog messages over the network to a central log processing server. To enable the
reception of log messages on the server you must edit the configuration file /etc/sysconfig/syslog and
add the -r option to SYSLOGD_OPTIONS, as shown in Listing 10-19.
Listing 10-19. /etc/sysconfig/syslog Edited to Allow Remote Logging
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages received with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-m 0 -r"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
# once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"
#
SYSLOG_UMASK=077
# set this to a umask value to use for all log files as in umask(1).
# By default, all permissions are removed for "group" and "other".
You must then restart the syslog service with the command service syslog restart. Check the file
/var/log/messages for the message syslogd 1.4.1: restart (remote reception). If you do not see that
message, check that you have edited the file and restarted the service correctly.
If you have already enabled your firewall, then you must add an entry to allow the syslog messages
to be received. If you have used system-config-securitylevel, then you can add the port syslog with
protocol UDP. If you have customized your firewall rules, then you will need to add a rule similar to this:
-A RH-Firewall-1-INPUT -i eth0 -s 192.168.3.0/24 \
-p udp -m udp --dport 514 -j ACCEPT
■ Tip: syslog uses the UDP protocol, which is connectionless. This type of protocol is more susceptible to
spoofing of the source IP address. If you have multiple interfaces, you should specify the interface on which
you expect to receive the traffic, and restrict the source addresses to the network your clients are on.
After making the configuration changes, remember to activate your new firewall configuration with
the command service iptables start. You should now be ready to configure the clients.
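As an added example that is not part of the book, the shell functions below carry out the server-side steps just described in a form you can try against a copy of the files: one adds -r to SYSLOGD_OPTIONS (and does nothing if it is already there), one checks a log file for the "restart (remote reception)" line, and one prints the iptables rule limited to an interface and a source subnet as the tip recommends. The chain name RH-Firewall-1-INPUT and the 192.168.3.0/24 subnet come from the listing above; the function names, the file paths passed in, and the assumption that SYSLOGD_OPTIONS is written on one double-quoted line (as the stock file ships) are mine.

```shell
#!/bin/sh
# Added example (not from the book): enable remote reception in a copy of
# /etc/sysconfig/syslog, verify the restart message, and build the matching
# iptables rule. File paths are passed in so the functions can be exercised
# against temporary copies; on a real server point them at the live files.

# Print the value currently assigned to SYSLOGD_OPTIONS in CFG.
syslogd_options() {
    sed -n 's/^SYSLOGD_OPTIONS="\(.*\)"$/\1/p' "$1"
}

# Add -r to SYSLOGD_OPTIONS in CFG if it is not already there. Idempotent, so
# running it twice does not produce "-r -r".
enable_remote_reception() {
    cfg=$1
    current=$(syslogd_options "$cfg")
    case " $current " in
        *" -r "*) return 0 ;;      # already enabled, nothing to do
    esac
    new=${current:+$current }-r    # "-m 0" becomes "-m 0 -r", "" becomes "-r"
    sed "s/^SYSLOGD_OPTIONS=\".*\"\$/SYSLOGD_OPTIONS=\"$new\"/" "$cfg" > "$cfg.tmp" \
        && mv "$cfg.tmp" "$cfg"
}

# Return 0 if LOG contains the "restart (remote reception)" line that syslogd
# writes after being restarted with -r. Any version string is accepted.
remote_reception_logged() {
    grep -q 'syslogd [0-9.]*: restart (remote reception)' "$1"
}

# Print an iptables rule that accepts syslog (UDP 514) only on IFACE and only
# from SUBNET, so spoofed datagrams arriving elsewhere are dropped.
syslog_firewall_rule() {
    iface=$1 subnet=$2
    printf '%s\n' "-A RH-Firewall-1-INPUT -i $iface -s $subnet -p udp -m udp --dport 514 -j ACCEPT"
}

# Demonstration on a constructed copy of the stock file, which ships without
# -r (remote reception off).
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# Options to syslogd
SYSLOGD_OPTIONS="-m 0"
KLOGD_OPTIONS="-x"
EOF
enable_remote_reception "$demo_cfg"
enable_remote_reception "$demo_cfg"      # second run must not add -r twice
echo "SYSLOGD_OPTIONS is now: $(syslogd_options "$demo_cfg")"
syslog_firewall_rule eth0 192.168.3.0/24
rm -f "$demo_cfg"
# On the live server the sequence is: enable_remote_reception /etc/sysconfig/syslog,
# service syslog restart, remote_reception_logged /var/log/messages to confirm,
# add the printed rule to /etc/sysconfig/iptables, then service iptables start.
```

The source-subnet restriction is the only defence the rule gives you against forged UDP datagrams, so keep it as narrow as the clients allow; a rule that accepts port 514 from anywhere lets any host on the network write into your central logs.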
Configuring the Client to Send Logs
Configuring the client requires a simple edit to the /etc/syslog.conf configuration file. All that is
required is to add this line to the file:
*.info @servername
Once the file has been edited you must reload the syslog daemon with the command service
syslog reload.
You can test the remote logging with the logger command: echo "Test" | logger. This will cause
the message Test to be written to the local /var/log/messages log file and sent over the network to the
log server, where it will also be written to the /var/log/messages log file.
The configuration entry *.info will tell the syslog service to send messages from all facilities with a
priority of info or higher to the specified log server. You can, of course, alter this to send whichever log
entries you want, but sending all messages in this way is simple and still allows the remote log server to
separate the logs if required. If you have multiple log servers you can add multiple entries, one for each
server. Listing 10-20 shows how you can send mail logs to one server called maillogs and all other
messages to a server called logs.
Listing 10-20. Example syslog.conf Entries
mail.* @maillogs.example.com
*.info;mail.none @logs.example.com
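The selector rules above (a priority means that priority or higher, "*" matches everything, "none" drops a facility, and a later selector for the same facility overrides an earlier one) are easy to get wrong when a line grows past two entries. The following added example, which is not code from the book, evaluates a syslog.conf forwarding line for a given facility and priority so you can check where a message would go before reloading the daemon. It handles only the plain forms shown in this chapter (not sysklogd's "=" and "!" modifiers); the function names are mine and the configuration it reads is a constructed copy of Listing 10-20.

```shell
#!/bin/sh
# Added example (not from the book): evaluate classic syslog.conf selectors
# such as "*.info;mail.none" to see which messages a line would forward.
# Only "facility.priority", "*", "none" and comma-separated facility lists are
# handled; sysklogd's "=" and "!" modifiers are not.

# Numeric rank of a priority name, lowest (debug) to highest (emerg).
# Prints -1 for an unknown name.
priority_rank() {
    case $1 in
        debug)        printf '%s\n' 0 ;;
        info)         printf '%s\n' 1 ;;
        notice)       printf '%s\n' 2 ;;
        warning|warn) printf '%s\n' 3 ;;
        err|error)    printf '%s\n' 4 ;;
        crit)         printf '%s\n' 5 ;;
        alert)        printf '%s\n' 6 ;;
        emerg|panic)  printf '%s\n' 7 ;;
        *)            printf '%s\n' -1 ;;
    esac
}

# Return 0 if a message tagged FACILITY/PRIORITY is selected by SELECTOR,
# 1 if not, 2 if a priority name is unknown. Selectors are processed left to
# right and a later one naming the same facility overrides an earlier one,
# which is how "mail.none" cancels "*.info" for mail messages.
selector_matches() {
    selector=$1 facility=$2 priority=$3
    want=$(priority_rank "$priority")
    [ "$want" -ge 0 ] || return 2
    result=1
    old_ifs=$IFS
    IFS=';'
    set -f                      # stop "*" from expanding to file names
    for part in $selector; do
        IFS=$old_ifs
        facs=${part%.*}         # "mail,news" or "*"
        prio=${part##*.}        # "info", "none" or "*"
        case ",$facs," in
            *",$facility,"*|*",*,"*) ;;   # this selector names our facility
            *) continue ;;
        esac
        if [ "$prio" = none ]; then
            result=1
        elif [ "$prio" = '*' ]; then
            result=0
        else
            floor=$(priority_rank "$prio")
            if [ "$floor" -lt 0 ]; then result=2; break; fi
            if [ "$want" -ge "$floor" ]; then result=0; else result=1; fi
        fi
    done
    set +f
    IFS=$old_ifs
    return $result
}

# Print the remote hosts (one per line) that the forwarding entries in CONF
# would send a FACILITY/PRIORITY message to. Non-forwarding lines are skipped.
forwarding_targets() {
    conf=$1 fac=$2 pri=$3
    while read -r sel target; do
        case $sel in ''|'#'*) continue ;; esac
        case $target in @*) ;; *) continue ;; esac
        if selector_matches "$sel" "$fac" "$pri"; then
            printf '%s\n' "${target#@}"
        fi
    done < "$conf"
}

# Demonstration on a constructed copy of Listing 10-20.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
mail.* @maillogs.example.com
*.info;mail.none @logs.example.com
EOF
for msg in mail.err daemon.info daemon.debug kern.emerg; do
    echo "$msg -> $(forwarding_targets "$demo_conf" "${msg%.*}" "${msg#*.}" | tr '\n' ' ')"
done
rm -f "$demo_conf"
```

Because the log server cannot see the facility or priority once the line is on disk, this is the point at which to decide what leaves the client; a mail.debug message is forwarded by the first line (mail.*) even though the second line would not have sent it.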
■ Tip: You can use the logger command from your own scripts to send messages to the log server. See its man
page for more details.