
Post on 03-Jan-2016








CENT 305 Information Systems Security

Overview of System Logging



System Logging (syslog) Services

Central service for system logging provided by Linux/UNIX.
◦ The syslog service provides the system logging function.
◦ Many services log activities in their own logs, or use the system log.

System logs, in the /var/log/ directory, track system-level events.
◦ Used for troubleshooting and auditing.
◦ Security measure: review logs!

syslog is used by many services to log events.
◦ The new syslog program is now syslog-ng.
◦ The related configuration files are:
  /etc/sysconfig/syslog
  /etc/syslog-ng/syslog-ng.conf
◦ The syslog service accepts messages from system services and logs them.


/etc/sysconfig/syslog File (man syslog.conf)

General parameters applicable to syslog-ng as well as the traditional syslog service.
◦ These parameters are evaluated by the startup script: /etc/init.d/syslog


syslog-ng.conf File (man 5 syslog-ng.conf)

4 kinds of entries:
◦ Source definitions
  • defines sources for system log messages
  • default is internal(), which gets messages from the syslog process
  • we won't focus on the sources
◦ Filter definitions (need to know)
  • defines the rules for what actions should be logged
◦ Destination definitions (need to know)
  • defines where to send the logged information: file, pipe, tcp host, udp host, etc.
◦ Log paths (need to know)
  • Rules that link a message source, filter and destination

Global options entry
◦ sets default options for all logs

Syslog Parameters

Parameters common to both syslog and syslog-ng configuration are:
◦ Facilities (or categories)
◦ Priorities (or levels)


syslog Facilities (man syslog)

Facility
◦ the subsystem that provides the message.
◦ each program is assigned to a category or facility.
◦ Used in filter definitions


syslog Priorities

Designates the urgency of a message. Listed below from lowest priority to highest.
◦ lower priority levels produce more log entries!
◦ Used in filter definitions


Sources (man 5 syslog-ng.conf)

Source driver definitions
◦ Collect messages using a given method
◦ Used to gather log messages from a particular “source”

# 'src' is our main source definition. you can add more source driver definitions to it, or define
# your own sources, i.e.:
#source my_src { .... };
#
source src {
    #
    # include internal syslog-ng messages
    # note: the internal() source is required!
    #
    internal();

    #
    # the default log socket for local logging:
    #
    unix-dgram("/dev/log");

    #
    # uncomment to process log messages from network:
    #
    #udp(ip("") port(514));
};

Filter Definitions (man 5 syslog-ng.conf)

Boolean expressions that are applied to messages and evaluated as true or false.

Example:
    filter f_iptables { facility(kern) and match("IN=") and match("OUT="); };

Syntax:
    filter name { boolean expression; };

Things you can test for:
◦ Facility - facility(facility name)
◦ Priority or Level - level(level)
◦ Match contents of message - match(regexp)
◦ Another filter - filter(filtername)


Destinations (man 5 syslog-ng.conf)

Destinations define where messages can be logged.

Example:
    destination firewall { file("/var/log/firewall"); };

Syntax:
    destination destname { dest_definition; };

Destinations you can use include:
◦ Files - file(filename)
◦ Pipes - pipe(filename)
◦ Users, if logged in - usertty("username")
◦ TCP hosts - tcp(tcp_hostname)
◦ UDP hosts - udp(udp_hostname)

Log Path Definitions (man 5 syslog-ng.conf)

Log Paths link a message source with a specified filter and a specified destination.

Example:
    log { source(src); filter(f_iptables); destination(firewall); };

Syntax:
    log { source(src_name); filter(filtername); destination(destname); };
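An added example that is not part of the course slides: a syslog-ng.conf fragment that ties the filter, destination and log path entries together for a defensive purpose, routing authentication failures to a dedicated local file and to a remote log host. The filter and destination names and the host loghost.example.net are chosen here; program() and the level range go beyond the slides' list of tests; the source src is the default one shown earlier.

```conf
# Added example, not from the course slides. Assumes the default source "src".

# filter: auth/authpriv messages of level warning or more urgent, plus any
# sshd message reporting a failed password (program() is a syslog-ng test
# not listed on the slides)
filter f_auth { facility(auth, authpriv); };
filter f_auth_fail {
    (filter(f_auth) and level(warning..emerg))
    or (program("sshd") and match("Failed password"));
};

# destinations: a root-only local file, and a remote log host over TCP so
# the record survives if the local file is tampered with
destination d_authlog { file("/var/log/auth-failures" perm(0600)); };
destination d_remote  { tcp("loghost.example.net" port(514)); };

# log paths: the same filtered messages go to both destinations
log { source(src); filter(f_auth_fail); destination(d_authlog); };
log { source(src); filter(f_auth_fail); destination(d_remote); };
```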


System Log File

/var/log/messages
◦ Default system log
◦ Used by many services
◦ tail -f /var/log/messages

Other daemons also store messages in other files in the /var/log/ directory.


Examples of System and Custom Log Files

Log File Name              Purpose
/var/log/messages          Default system log file
                           System log file for sensitive information (e.g., authentication)
/var/log/xferlog           FTP server transaction log
/var/log/httpd/access_log  Web Server transaction log
/var/log/httpd/error_log   Web Server error log
/var/log/cups/access_log   CUPS print service transactions
/var/log/cups/error_log    CUPS print service errors
/var/log/samba             Samba SMB server logs

logger Utility

Allows administrators to generate log messages.
◦ Used for syslog debugging and testing
◦ Used for reporting conditions within shell scripts.

Syntax: logger [-is] [-p pri] [-t tag] message

Switches
◦ -i      Includes the PID with the message
◦ -s      Duplicate the message to standard error
◦ -p pri  Specify a facility.priority pair. Default is user.notice
◦ -t tag  Short label to include with message, such as the name of the application

Example: logger -is -p syslog.notice -t SYSLOG syslog test
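An added example, not from the course slides: a POSIX shell script that uses logger to report a condition from a script (the second use named above) and that computes the numeric PRI value a facility.priority pair such as -p syslog.notice becomes on the wire (facility * 8 + severity, which goes beyond the slides). The tag backup.sh and the function names are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the course slides). Assumes logger(1) is installed.

# facility name -> standard syslog facility code
facility_num() {
    case "$1" in
        kern) echo 0 ;;  user) echo 1 ;;  mail) echo 2 ;;  daemon) echo 3 ;;
        auth) echo 4 ;;  syslog) echo 5 ;;  lpr) echo 6 ;;  news) echo 7 ;;
        uucp) echo 8 ;;  cron) echo 9 ;;  authpriv) echo 10 ;;  ftp) echo 11 ;;
        local[0-7]) echo $((16 + ${1#local})) ;;
        *) return 1 ;;
    esac
}

# priority (severity) name -> code; emerg (0) is most urgent, debug (7) least
severity_num() {
    case "$1" in
        emerg|panic) echo 0 ;;  alert) echo 1 ;;  crit) echo 2 ;;  err|error) echo 3 ;;
        warning|warn) echo 4 ;;  notice) echo 5 ;;  info) echo 6 ;;  debug) echo 7 ;;
        *) return 1 ;;
    esac
}

# "facility.priority" pair as given to logger -p -> PRI number written as <PRI>
# at the start of the raw syslog message; fails on an unknown name
pri_value() {
    fac=$(facility_num "${1%.*}") || return 1
    sev=$(severity_num "${1#*.}") || return 1
    echo $((fac * 8 + sev))
}

# Report a condition from a script via syslog, as the slides describe:
# usage: report facility.priority message...   (tag backup.sh is our choice)
report() {
    pri="$1"; shift
    logger -i -p "$pri" -t backup.sh "$*"
}

# The slide's "logger -p syslog.notice" is sent with PRI 45; a script would
# call e.g.:  report daemon.err "nightly backup failed: disk full"
echo "PRI for syslog.notice: $(pri_value syslog.notice)"
```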
