SA - Chapter10 - Linux Syslog and Log Files

The document outlines logging policies for system administration, emphasizing the importance of managing log files effectively to retain evidence of security issues and system performance. It discusses various strategies such as rotating, archiving, and compressing log files, as well as utilizing tools like Logrotate and Syslog for efficient log management. Additionally, it highlights the role of systemd in logging and the need for monitoring utilities to extract critical information from logs.

System Administration

Logging Policies

Thái Minh Tuấn - minhtuan@ctu.edu.vn


Slides are adapted from:
[1] Slides prepared by Prof. Brian D. Davison (http://www.cse.lehigh.edu/~brian/)
[2] The Practice of System and Network Administration, 3rd Ed., by Limoncelli, Hogan, and Chalup (Addison Wesley, 2017)
[3] Practical Linux System Administration: A Guide to Installation, Configuration, and Management, by Kenneth Hess (O'Reilly Media, 2023)
Logging policies
● Log files grow and grow
● What do you do with log files? Some options:
○ Throw away all data immediately
○ Reset log files periodically
○ Rotate log files, keeping data for a fixed time
○ Compress and archive files to tape or other media

Throwing away log files
● Not recommended!
● Need evidence of security problems
● Alert for hardware and software problems
● Ideally, keep for a month
○ may take that long to notice a problem!
● Resetting when disk is full isn't good either

Rotating log files
● Keep a fixed set of previous log files
○ Rotate current file into set on a regular basis (daily, weekly, etc.)
○ Example (keeps three previous generations; a daemon that writes logfile must be told to reopen it):
#!/bin/sh
# Rotate /var/log/logfile, keeping three previous generations.
set -e
cd /var/log
# Shift the older generations up one slot; logfile.3 is overwritten and lost.
# The [ -f ] tests keep the first run from failing before .1 and .2 exist.
[ -f logfile.2 ] && mv logfile.2 logfile.3
[ -f logfile.1 ] && mv logfile.1 logfile.2
[ -f logfile ]   && mv logfile logfile.1
# Recreate the live file with restrictive permissions before the writer reopens it.
touch logfile
chmod 600 logfile

● Extensions: gzip the older generations, and signal the daemon (typically SIGHUP) after the rename so it reopens logfile; otherwise it keeps writing to logfile.1 through its still-open file descriptor

Archiving log files
● May need to archive all accounting data and log files for policy, potential
audits, etc.
● First rotate on disk
○ fast access to recent data
● Then write to tape or other media
● Log files should be part of the backup sequence
○ Attackers routinely delete or edit them to cover their tracks; an off-host copy (backup tape or a central log server) is the one they cannot reach

Linux log files
● Most log files are recorded in /var/log
○ /var/adm may also contain some (distro dependent)
● Most programs send entries to the syslog daemon
○ /etc/rsyslog.conf (plus /etc/rsyslog.d/*.conf) decides which facility and priority go to which file, usually under /var/log
● Sample log files:
○ messages – main system log file (Debian/Ubuntu use /var/log/syslog)
○ maillog – record of sendmail activity (mail.log on Debian)
○ boot.log – output of system startup scripts

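As an added example (not from the slides), the classic selector lines in /etc/rsyslog.conf that produce the files named above. Each line is "facility.priority  action"; a message is delivered to every line whose selector matches it, and a priority selects that level and everything more severe. The forwarding line and the host name loghost.example.com are assumptions for illustration.

```conf
# /etc/rsyslog.conf fragment (added example; classic "facility.priority  action" syntax)
# Facilities: auth, authpriv, cron, daemon, kern, mail, user, local0-local7, ...
# Priorities, least to most severe: debug, info, notice, warning, err, crit, alert, emerg

# Kernel messages to their own file.
kern.*                                  /var/log/kern.log

# Authentication messages: keep them out of the general log and in a root-only file.
authpriv.*                              /var/log/secure

# Everything at info or above, except mail and authpriv, to the main log.
*.info;mail.none;authpriv.none          /var/log/messages

# Mail is voluminous; the leading "-" disables the fsync after every write.
mail.*                                  -/var/log/maillog

# Emergencies are also written to every logged-in user's terminal.
*.emerg                                 :omusrmsg:*

# Ship a copy of everything to a central log host (host name assumed).
# "@@" sends over TCP, a single "@" over UDP. Plain TCP is still cleartext:
# configure the gtls/ossl network stream driver (or a VPN) before crossing
# an untrusted network, and pin the receiver's certificate.
*.*                                     @@loghost.example.com:514
```

Check a configuration before reloading with `rsyslogd -N1`; the exit status and messages tell you whether the selectors parsed.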
Other log files
● /var/log/wtmp
○ Record of users' logins and logouts (and of reboots)
○ Binary format – read it with last
○ Grows with activity, so it is still truncated and rotated
● /var/log/lastlog
○ Time, terminal and origin of each user's most recent login (what login prints as "Last login: ...")
○ Binary, one fixed-size record per UID in a sparse file indexed by UID; its size depends on the highest UID, not on activity – no need to rotate
● /var/log/dmesg
○ Dump of the kernel message buffer at the end of boot
● /var/log/secure (/var/log/auth.log on Debian)
○ Authentication logs for both successful and failed logins, and for authentication-related processes (sshd, su, sudo, PAM)

Linux Logging with Systemd Journal
● Systemd is a system and service manager for Linux
● Whenever a service starts, stops, crashes, or changes its configuration,
systemd generates log entries; the stdout/stderr of managed services is captured as well
○ Collected and stored by systemd-journald, a system service that also receives syslog(3) and kernel messages
● Journald configuration: /etc/systemd/journald.conf, with drop-in overrides in /etc/systemd/journald.conf.d/*.conf
● Journald log files: /var/log/journal (persistent, survives reboots)
○ With the default Storage=auto the journal is persistent only if that directory exists; on CentOS 9 create it (mkdir /var/log/journal), then restart the systemd-journald service
○ Volatile journals: /run/log/journal (tmpfs, lost at reboot)
● journalctl command queries and manipulates the journal data collected
by the journald daemon
○ $ journalctl -n 10                                            # print the last 10 entries
○ $ journalctl --since "2015-01-10" --until "2015-01-11 03:00"  # entries in a time window
○ $ journalctl -u nginx.service --since today                   # one unit's entries
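Added example (not from the slides) of a journald drop-in that makes the journal persistent and caps its disk use, so the journal cannot fill /var; the file name 10-persistent.conf and the size values are assumptions. With Storage=persistent journald creates /var/log/journal itself, which replaces the manual mkdir step needed under the default Storage=auto.

```ini
# /etc/systemd/journald.conf.d/10-persistent.conf  (added example; file name assumed)
[Journal]
# Keep the journal under /var/log/journal across reboots instead of only in /run.
# "persistent" creates the directory if needed; "auto" uses it only if it already exists.
Storage=persistent
# Bound disk usage and retention (values assumed; size them for your /var).
SystemMaxUse=1G
SystemKeepFree=2G
MaxRetentionSec=1month
# Also hand every entry to the local syslog daemon, so rsyslog's file and
# forwarding rules still apply to journal-only services.
ForwardToSyslog=yes
```

Apply with `systemctl restart systemd-journald` (or `journalctl --flush` to move the volatile journal into /var), then check `journalctl --disk-usage` and `journalctl --verify` to confirm where the files live and that they are intact.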
Logrotate and Syslog
● Logrotate
○ Excellent utility to manage log files
○ Specifies groups of log files to be managed
● Syslog
○ Comprehensive logging system
■ Frees programmers from needing to write their own
■ Allows sysadmins to control logging
○ Flexible
■ Can sort by source or severity level
■ Output to variety of destinations – files, terminals, other machines
○ Can centralize logging to a well-controlled machine

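The same policy as the hand-written rotation script on the Rotating log files slide, expressed as a logrotate rule (added example, not from the slides). logrotate runs from cron or a systemd timer and applies every rule under /etc/logrotate.d; the log name /var/log/logfile, and the assumption that rsyslog is the writer that must be told to reopen it, are placeholders.

```conf
# /etc/logrotate.d/logfile  (added example; log name and writing daemon assumed)
/var/log/logfile {
    # Rotate once a week and keep four old generations; the oldest is deleted.
    weekly
    rotate 4
    # gzip rotated files, but not the newest one: the daemon may still be
    # writing to it until postrotate has run.
    compress
    delaycompress
    # Do not fail if the file is missing, and skip the rotation when it is empty.
    missingok
    notifempty
    # Recreate the live file with restrictive permissions (the script's chmod 600).
    create 0600 root root
    # Run postrotate once for the whole group rather than once per file.
    sharedscripts
    postrotate
        # Make rsyslog reopen its output files; without this it keeps writing
        # to the renamed file through its still-open descriptor.
        /usr/bin/systemctl kill -s HUP rsyslog.service 2>/dev/null || true
    endscript
}
```

Dry-run a rule with `logrotate -d /etc/logrotate.d/logfile` (debug mode makes no changes and prints what would happen) and force a rotation with `logrotate -f` when testing; keep comments on their own lines, as older logrotate versions reject text after a directive.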
Condensing log files
● Syslog (as well as any other monitoring and logging facility) generates lots
of log files
● Need utilities to scan log files and find important entries
○ security-related entries
○ messages about disks full
○ messages repeated many times
● It is imperative to monitor systems and generate logs
○ For warnings, job performance, trends, etc.
● Logs cannot be permitted to impact proper system operation
○ A full /var/log must not stop services or the logger itself: cap sizes, rotate, and watch free space

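A small condensing utility of the kind the slide calls for, as an added example that is not part of the original slides: it collapses consecutive repeats the way syslogd's "last message repeated N times" does, counts failed SSH logins per source address, and surfaces the entries that always deserve a look (disk full, password guesses against root, sudo use). The log lines are constructed for the demonstration; the message patterns follow the OpenSSH, sudo and rsyslog formats but are assumptions about what your systems emit, and the alert category names are hypothetical.

```python
"""Condense a syslog-style log into what a sysadmin needs to see.

Added example, not from the slides. It collapses repeats like syslogd's
"last message repeated N times", counts failed SSH logins per source, and
surfaces entries that always deserve attention. The log lines are constructed;
the message patterns follow OpenSSH, sudo and rsyslog formats (assumptions).
"""
import re
from collections import Counter

# Constructed sample in the traditional syslog file layout:
# "Mon DD HH:MM:SS host program[pid]: message".
SAMPLE_LOG = """\
Mar  3 10:01:02 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Mar  3 10:01:03 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Mar  3 10:01:05 web1 sshd[2213]: Failed password for root from 203.0.113.7 port 51020 ssh2
Mar  3 10:01:06 web1 sshd[2214]: Failed password for alice from 198.51.100.9 port 40022 ssh2
Mar  3 10:01:09 web1 sshd[2215]: Accepted publickey for alice from 198.51.100.9 port 40024 ssh2
Mar  3 10:02:01 web1 cron[300]: (root) CMD (/usr/bin/backup)
Mar  3 10:02:01 web1 cron[301]: (root) CMD (/usr/bin/backup)
Mar  3 10:02:01 web1 cron[302]: (root) CMD (/usr/bin/backup)
Mar  3 10:03:10 web1 rsyslogd: write to /var/log/messages failed: No space left on device
Mar  3 10:03:11 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)
# Entries to surface regardless of volume. Category names are hypothetical.
ALERT_PATTERNS = [
    ("disk_full", re.compile(r"No space left on device")),
    ("root_password_attempt", re.compile(r"Failed password for root from")),
    ("sudo_command", re.compile(r"^\S+ : .*COMMAND=")),
]


def parse(text):
    """Split text into entries. Lines that do not fit the layout are kept with
    prog=None rather than dropped, so odd lines are never silently lost."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["msg"] = entry["msg"].strip()
        else:
            entry = {"ts": None, "host": None, "prog": None, "pid": None, "msg": line}
        entries.append(entry)
    return entries


def collapse_repeats(entries):
    """Merge consecutive entries with the same program and message text (pid is
    ignored, so a burst from parallel workers collapses too).
    Returns (prog, msg, count) tuples in original order."""
    out = []
    for e in entries:
        if out and out[-1][0] == e["prog"] and out[-1][1] == e["msg"]:
            prog, msg, n = out[-1]
            out[-1] = (prog, msg, n + 1)
        else:
            out.append((e["prog"], e["msg"], 1))
    return out


def failed_logins_by_ip(entries):
    """Count sshd 'Failed password' messages per source address."""
    counts = Counter()
    for e in entries:
        if e["prog"] == "sshd":
            m = FAILED_RE.search(e["msg"])
            if m:
                counts[m.group("ip")] += 1
    return dict(counts)


def brute_force_sources(entries, threshold=3):
    """Addresses with at least `threshold` failed logins, sorted for stable output."""
    return sorted(ip for ip, n in failed_logins_by_ip(entries).items() if n >= threshold)


def alerts(entries):
    """Entries matching ALERT_PATTERNS, as (category, prog, msg) in log order."""
    found = []
    for e in entries:
        for name, pat in ALERT_PATTERNS:
            if pat.search(e["msg"]):
                found.append((name, e["prog"], e["msg"]))
    return found


if __name__ == "__main__":
    entries = parse(SAMPLE_LOG)
    for prog, msg, n in collapse_repeats(entries):
        print(f"{prog}: {msg}" + (f"  (repeated {n} times)" if n > 1 else ""))
    print("failed logins by source:", failed_logins_by_ip(entries))
    print("likely brute force from:", brute_force_sources(entries))
    for name, prog, msg in alerts(entries):
        print(f"ALERT [{name}] {prog}: {msg}")
```

Run it against a real file with `parse(open("/var/log/secure").read())`; the point of keeping unparsed lines as `prog=None` is that a line the regex does not recognise still reaches the report instead of vanishing, which is the failure mode to avoid in a tool meant to catch security events.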
