CENT 305 Information Systems Security
Overview of System Logging
syslog
System Logging (syslog) Services
Central service for system logging provided by Linux/UNIX.
◦ The syslog service provides the system logging function.
◦ Many services log activities in their own logs, or use the system log.
System logs, in the /var/log/ directory, track system-level events.
◦ Used for troubleshooting and auditing.
◦ Security measure: review logs!
syslog is used by many services to log events.
◦ The new syslog program is now syslog-ng.
◦ The related configuration files are:
    /etc/sysconfig/syslog
    /etc/syslog-ng/syslog-ng.conf
◦ The syslog service accepts messages from system services and logs them.
/etc/sysconfig/syslog File (man syslog.conf)
General parameters applicable to syslog-ng as well as the traditional syslog service.
◦ These parameters are evaluated by the startup script: /etc/init.d/syslog
syslog-ng.conf File (man 5 syslog-ng.conf)
4 kinds of entries:
◦ source definitions
    defines sources for system log messages; the default is internal(), which gets messages from the syslog process; we won't focus on the sources
◦ filter definitions (need to know)
    defines the rules for what actions should be logged
◦ destination definitions (need to know)
    defines where to send the logged information: file, pipe, tcp host, udp host, etc.
◦ log paths (need to know)
    rules that link a message source, filter and destination
Global options entry
◦ sets default options for all logs
Syslog Parameters
Parameters common to both syslog and syslog-ng configuration are:
◦ Facilities (or categories)
◦ Priorities (or levels)
syslog Facilities (man syslog)
Facility
◦ the subsystem that provides the message.
◦ each program is assigned to a category or facility.
◦ Used in filter definitions
syslog Priorities
Designates the urgency of a message. Listed below from lowest priority to highest.
◦ lower priority levels produce more log entries!
◦ Used in filter definitions
Sources (man 5 syslog-ng.conf)
Source driver definitions
◦ Collect messages using a given method
◦ Used to gather log messages from a particular "source"

    # 'src' is our main source definition. you can add more source driver
    # definitions to it, or define your own sources, i.e.:
    #source my_src { .... };
    #
    source src {
        #
        # include internal syslog-ng messages
        # note: the internal() source is required!
        #
        internal();
        #
        # the default log socket for local logging:
        #
        unix-dgram("/dev/log");
        #
        # uncomment to process log messages from network:
        #
        #udp(ip("0.0.0.0") port(514));
    };
Filter Definitions (man 5 syslog-ng.conf)
Boolean expressions that are applied to messages and evaluated as true or false.
Example:
    filter f_iptables { facility(kern) and match("IN=") and match("OUT="); };
Syntax:
    filter name { boolean expression; };
Things you can test for:
◦ Facility - facility(facility name)
◦ Priority or Level - level(level)
◦ Match contents of message - match(regexp)
◦ Another filter - filter(filtername)
Destinations (man 5 syslog-ng.conf)
Destinations define where messages can be logged.
Example:
    destination firewall { file("/var/log/firewall"); };
Syntax:
    destination destname { dest_definition; };
Destinations you can use include:
◦ Files - file(filename)
◦ Pipes - pipe(filename)
◦ Users, if logged in - usertty("username")
◦ TCP hosts - tcp(tcp_hostname)
◦ UDP hosts - udp(udp_hostname)
Log Path Definitions (man 5 syslog-ng.conf)
Log Paths link a message source with a specified filter and a specified destination.
Example:
    log { source(src); filter(f_iptables); destination(firewall); };
Syntax:
    log { source(src_name); filter(filtername); destination(destname); };
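Putting the four entry kinds together, the following complete syslog-ng.conf is an added illustration, not a file from the slides or from the syslog-ng project: it routes kernel firewall lines to /var/log/firewall, authentication messages to /var/log/secure, and warning-or-higher messages to a central log host. The host name loghost.example.invalid, the syslog-ng 3.x @version line and the value("MESSAGE") form of match() are assumptions.

```conf
# Added example: complete /etc/syslog-ng/syslog-ng.conf (syslog-ng 3.x syntax assumed;
# set @version: to the installed version). Not the slides' or the project's own file.
@version: 3.5

options {
    chain_hostnames(off);   # keep the original sender's name, do not append relay names
    keep_hostname(yes);
    create_dirs(yes);
};

# Source: syslog-ng's own messages plus the local /dev/log socket (no network listener).
source src {
    internal();
    unix-dgram("/dev/log");
};

# Filters: the facility, level and message-content tests from the slides.
filter f_iptables { facility(kern) and match("IN=" value("MESSAGE")) and match("OUT=" value("MESSAGE")); };
filter f_auth     { facility(auth, authpriv); };
filter f_urgent   { level(warning..emerg); };

# Destinations: files are created root-owned with restrictive permissions so that
# unprivileged users cannot read authentication or firewall details.
destination firewall { file("/var/log/firewall" owner("root") group("root") perm(0600)); };
destination secure   { file("/var/log/secure"   owner("root") group("root") perm(0600)); };
destination messages { file("/var/log/messages" owner("root") group("root") perm(0640)); };
# Remote copy over TCP (udp() is also available but may silently drop messages).
# loghost.example.invalid is a placeholder for the central log host.
destination loghost  { tcp("loghost.example.invalid" port(514)); };

# Log paths: link source, filter and destination. flags(final) stops further matching,
# so firewall and auth lines do not also flood /var/log/messages.
log { source(src); filter(f_iptables); destination(firewall); flags(final); };
log { source(src); filter(f_auth);     destination(secure);   flags(final); };
log { source(src); filter(f_urgent);   destination(loghost); };
log { source(src); destination(messages); };
```

Check the file with `syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf` before restarting the service, then exercise each path with the logger utility (for example `logger -p auth.notice -t TEST "auth test"` should appear in /var/log/secure only).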
System Log File
/var/log/messages
◦ Default system log
◦ Used by many services
◦ tail -f /var/log/messages
Other daemons also store messages in other files in the /var/log/ directory.
Examples of System and Custom Log Files

Purpose                                                            Log File Name
Default system log file                                            /var/log/messages
System log file for sensitive information (e.g., authentication)   /var/log/secure
FTP server transaction log                                         /var/log/xferlog
Web Server transaction log                                         /var/log/httpd/access_log
Web Server error log                                               /var/log/httpd/error_log
CUPS print service transactions                                    /var/log/cups/access_log
CUPS print service errors                                          /var/log/cups/error_log
Samba SMB server logs                                              /var/log/samba
logger Utility
Allows administrators to generate log messages.
◦ Used for syslog debugging and testing
◦ Used for reporting conditions within shell scripts.
Syntax:
    logger [-is] [-p pri] [-t tag] message
Switches
◦ -i      Includes the PID with the message
◦ -s      Duplicate the message to standard error
◦ -p pri  Specify a facility.priority pair. Default is user.notice
◦ -t tag  Short label to include with the message, such as the name of the application
Example:
    logger -is -p syslog.notice -t SYSLOG syslog test