Lab #15: syslog
Date: April 7, 2008

In this lab, we'll be working with syslog, the standard UNIX logging framework. Syslog is also available for Windows and is used widely as a remote logging protocol by network switches and routers.

  1. Syslog Basics
    1. Verify that syslog is running. If it is not running, start it.
      ps auxw|grep syslog
      
    2. Read the syslog configuration file. Where do messages about failed logins go? What is the general log file that receives most syslog messages?
      less /etc/syslog.conf
      
    3. Use the logger command to send a sample syslog message using the local0 facility, which is one of the eight local-use facilities (local0 through local7) left free for site-defined use. This command is useful when you want to test syslog or log from a shell script.
      logger -p local0.alert -t TEST "Test from $USER"
      
    4. Verify that your message was logged.
      tail /var/log/messages
      
    5. Back up the syslog configuration file before changing it.
      cp -p /etc/syslog.conf /etc/syslog.conf.dist
      
    6. Configure syslog so that messages from the local5 facility, at any priority, go to /var/log/local5.
      vim /etc/syslog.conf
      
    7. Restart syslog so that the configuration change takes effect.
      service syslog restart
      
    8. Verify that your configuration change is correct.
      logger -p local5.info -t TEST "Test from $USER"
      tail /var/log/local5
      
    9. Configure syslog so that only local5 messages of emerg priority go to /var/log/local5.
      vim /etc/syslog.conf
      
    10. Restart syslog so that the configuration change takes effect.
      service syslog restart
      
    11. Verify that your configuration change is correct.
      logger -p local5.info -t TEST "Test from $USER"
      tail /var/log/local5
      
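  To see exactly what the selector lines from steps 6 and 9 select, here is an added example (not part of the lab handout and not syslogd's own code): a plain-shell model of how sysklogd reads the selector column of /etc/syslog.conf, run against constructed config text so it works offline. It covers the common selector forms: facility.level (that level and anything more severe), facility.=level (exactly that level), facility.none and "*". The config lines are the stock RHEL 5 ones plus the lab's local5 line; the model ignores the "!" negation forms.

```shell
#!/bin/sh
# Added example (not from the lab handout): a plain-shell model of sysklogd's
# selector matching, run against constructed /etc/syslog.conf text.

# Numeric priority levels as syslog(3) defines them; emerg (0) is the most severe.
prio_num() {
    case "$1" in
        emerg|panic)  echo 0 ;;
        alert)        echo 1 ;;
        crit)         echo 2 ;;
        err|error)    echo 3 ;;
        warning|warn) echo 4 ;;
        notice)       echo 5 ;;
        info)         echo 6 ;;
        debug)        echo 7 ;;
        *)            return 1 ;;
    esac
}

# Does the selector column $1 (e.g. "*.info;mail.none;authpriv.none") select a
# message of facility $2 at priority $3?  Selectors are applied left to right; a
# later one naming the same facility (or "*") overrides an earlier one, which is
# how "mail.none" takes mail out of "*.info".
line_matches() {
    lm_fac="$2" lm_pri="$3"
    msg_n=$(prio_num "$lm_pri") || return 1
    result=1
    rest="$1;"
    while [ -n "$rest" ]; do
        lm_sel=${rest%%;*}; rest=${rest#*;}
        fac_part=${lm_sel%%.*}; pri_part=${lm_sel#*.}
        # Facility part: one name, a comma-separated list, or "*" (every facility).
        case ",$fac_part," in
            *",$lm_fac,"*|*",*,"*) ;;
            *) continue ;;
        esac
        case "$pri_part" in
            none) result=1 ;;
            '*')  result=0 ;;
            '='*) n=$(prio_num "${pri_part#=}") || return 1
                  [ "$msg_n" -eq "$n" ] && result=0 || result=1 ;;
            *)    n=$(prio_num "$pri_part") || return 1
                  [ "$msg_n" -le "$n" ] && result=0 || result=1 ;;
        esac
    done
    return $result
}

# Print, space-separated, the action column of every config line on stdin that
# selects a facility $1 / priority $2 message.
destinations() {
    d_fac="$1" d_pri="$2" out=""
    while read -r selector action; do
        case "$selector" in ''|'#'*) continue ;; esac
        if line_matches "$selector" "$d_fac" "$d_pri"; then out="$out $action"; fi
    done
    printf '%s\n' "${out# }"
}

# Constructed config text: the stock RHEL 5 rules that matter here, plus the
# step 6 line.  Whitespace between the two columns is arbitrary.
CONF_ALL='*.info;mail.none;authpriv.none;cron.none  /var/log/messages
authpriv.*                                /var/log/secure
*.emerg                                   *
local5.*                                  /var/log/local5'

# Same, with the step 9 change: only emerg-priority local5 messages reach the file.
CONF_EMERG='*.info;mail.none;authpriv.none;cron.none  /var/log/messages
authpriv.*                                /var/log/secure
*.emerg                                   *
local5.=emerg                             /var/log/local5'

for p in info alert emerg; do
    printf 'local5.%-5s  step 6 config: [%s]   step 9 config: [%s]\n' "$p" \
        "$(printf '%s\n' "$CONF_ALL" | destinations local5 "$p")" \
        "$(printf '%s\n' "$CONF_EMERG" | destinations local5 "$p")"
done
```

  Note that a local5.info message still lands in /var/log/messages under both configurations, because "*.info" selects it; the local5 line only adds a second destination. Since emerg is the top priority, "local5.emerg" and "local5.=emerg" select the same thing, but for any other level the "=" matters: "local5.alert" also takes emerg, "local5.=alert" does not.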
  2. Log Rotation
    1. Find the cron file that runs logrotate to rotate the log files every night.
      locate logrotate
      
    2. Run logrotate in debug mode to determine which log files are currently being rotated.
      logrotate -d /etc/logrotate.conf >/tmp/logrotate.out 2>&1
      
    3. Add your new local5 file to the rotation list. Use the information gathered from running logrotate in debug mode to determine which system file you need to modify. Reading the man page will help you modify the file correctly.
      man logrotate
      
    4. Verify that your change is correct by running logrotate in debugging mode again. The difference between the output of the two runs of logrotate should mention your local5 file.
      logrotate -d /etc/logrotate.conf >/tmp/logrotate.new 2>&1
      diff /tmp/logrotate.out /tmp/logrotate.new
      
    5. Run logrotate with verbose output to manually force a log rotation. We don't want to wait until the daily cron jobs run.
      logrotate -v /etc/logrotate.conf
      
    6. Check to see if your log file has been rotated.
      ls /var/log
      
    7. Since your log file wasn't rotated, modify your logrotate command to rotate it now. The man page may prove helpful again.
      man logrotate
      
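  Two things the rotation steps turn on, as an added example (not part of the lab handout and not logrotate's own code): the stanza that puts /var/log/local5 under rotation, and a demonstration of why that stanza has to signal syslogd. The debug run in step 2 shows which file the stock syslog logs are rotated from (on RHEL 5 it is /etc/logrotate.d/syslog, which already carries this postrotate block), so adding /var/log/local5 to that file's first line is the smaller change; a separate stanza is equivalent. The PID file path is RHEL 5's and is an assumption for other systems.

```shell
#!/bin/sh
# Added example (not from the lab handout): a logrotate stanza for the new file,
# and a one-process model of why a rotated log must be reopened by the daemon.

# Write a stanza for /var/log/local5 to the file named in $1.  On RHEL 5 such
# files live in /etc/logrotate.d/, which /etc/logrotate.conf includes.
# /var/run/syslogd.pid is the RHEL 5 PID file path (assumption elsewhere).
write_local5_stanza() {
    cat > "$1" <<'EOF'
/var/log/local5 {
    missingok
    notifempty
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
EOF
}

# Force a rotation now regardless of the state file (what step 7 needs); -s keeps
# an experiment's state out of the system's /var/lib/logrotate.status.
force_rotate() {
    logrotate -f -v -s "$2" "$1"
}

# Why postrotate matters: a daemon opens its log once and keeps writing to that
# descriptor.  Renaming the file (which is what logrotate does) does not move the
# descriptor, so writes keep landing in the rotated file until the daemon reopens
# by name, which is what syslogd does on SIGHUP.  Modelled with fd 3 in one process.
rotation_demo() {
    d=$(mktemp -d) || return 1
    log="$d/local5"
    exec 3>>"$log"                 # daemon starts and opens the log
    echo "1:started" >&3
    mv "$log" "$log.1"             # logrotate renames it
    echo "2:after-mv" >&3          # still goes to the old inode, now named local5.1
    exec 3>>"$log"                 # the HUP handler: reopen by name, a new file
    echo "3:after-reopen" >&3
    exec 3>&-
    printf 'local5.1: %s | local5: %s\n' "$(paste -sd, "$log.1")" "$(paste -sd, "$log")"
    rm -rf "$d"
}

tmp=$(mktemp -d)
write_local5_stanza "$tmp/local5.conf"
cat "$tmp/local5.conf"
rotation_demo
rm -rf "$tmp"
```

  Without the HUP, syslogd would keep writing into local5.1 (and eventually into a compressed or deleted file) while the new /var/log/local5 stayed empty. On the step 7 question: logrotate stamps a file it has never seen before with today's date in its state file and treats it as not due, so a plain "logrotate -v" run leaves it alone; "-f" forces the rotation.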
  3. Remote Logging
    1. Configure syslog to permit remote logging.
      vim /etc/sysconfig/syslog
      
    2. Restart syslog so that the configuration change takes effect.
      service syslog restart
      
    3. Look up the protocol and port used by syslog.
      grep syslog /etc/services
      
    4. Modify the firewall configuration to enable remote access to syslog.
      cp -p /etc/sysconfig/iptables /etc/sysconfig/iptables.old
      vim /etc/sysconfig/iptables
      service iptables restart
      
    5. On your virtual machine, reconfigure syslog to log to your physical machine.
      cp -p /etc/syslog.conf /etc/syslog.conf.dist
      vim /etc/syslog.conf
      
    6. Restart syslog on the virtual machine.
      service syslog restart
      
    7. Start Wireshark and begin a capture so you can observe syslog packets moving across the network.
      
      
    8. On the virtual machine, send a test message to syslog.
      logger -p local0.alert -t TEST "Test from virtual machine user $USER"
      
    9. Observe the message as it travels across the network. Is syslog a secure protocol? Why or why not?
      
      
    10. Verify that the message appears on your physical machine, the syslog server. Record how this message differs from a similar test you did in the first part of the lab.
      tail /var/log/messages
      
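  What the capture in step 9 shows, as an added example (not part of the lab handout and not syslogd's code): the datagram sysklogd forwards for the step 8 logger command, the PRI arithmetic needed to read its first field in Wireshark, and the line the server then writes for step 10. The timestamp, message text and host names are constructed placeholders; facility numbers 12 to 15 have no portable names and are labelled res12 to res15. The send_udp function relies on bash's /dev/udp and is not run here.

```shell
#!/bin/sh
# Added example (not from the lab handout): the syslog datagram on the wire and
# the PRI field arithmetic, with constructed sample data.

FACILITIES="kern user mail daemon auth syslog lpr news uucp cron authpriv ftp res12 res13 res14 res15 local0 local1 local2 local3 local4 local5 local6 local7"
SEVERITIES="emerg alert crit err warning notice info debug"

# 0-based position of word $1 in the space-separated list $2; fails if absent.
index_of() {
    i=0
    for w in $2; do
        if [ "$w" = "$1" ]; then echo "$i"; return 0; fi
        i=$((i + 1))
    done
    return 1
}

# Word at 0-based position $1 in list $2.
word_at() {
    i=0
    for w in $2; do
        if [ "$i" -eq "$1" ]; then echo "$w"; return 0; fi
        i=$((i + 1))
    done
    return 1
}

# PRI is the number in angle brackets: facility * 8 + severity (RFC 3164).
pri_encode() {
    f=$(index_of "$1" "$FACILITIES") || return 1
    s=$(index_of "$2" "$SEVERITIES") || return 1
    echo $((f * 8 + s))
}

# Inverse: 129 -> local0.alert.  Valid PRIs are 0..191.
pri_decode() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 191 ] || return 1
    printf '%s.%s\n' "$(word_at $(($1 / 8)) "$FACILITIES")" "$(word_at $(($1 % 8)) "$SEVERITIES")"
}

# The datagram sysklogd forwards for "logger -p local0.alert -t TEST msg":
# <PRI>timestamp tag: message, with no hostname field of its own.
build_datagram() {
    p=$(pri_encode "$1" "$2") || return 1
    printf '<%s>%s %s: %s\n' "$p" "$5" "$3" "$4"
}

# Split a received datagram into "facility.severity|rest"; rejects malformed input.
parse_datagram() {
    case "$1" in '<'[0-9]*'>'*) ;; *) return 1 ;; esac
    n=${1#<}; n=${n%%>*}
    fs=$(pri_decode "$n") || return 1
    printf '%s|%s\n' "$fs" "${1#*>}"
}

# The line the server appends to /var/log/messages: timestamp and text from the
# datagram, hostname column filled from the sender's address (resolved to a name
# when the server can).  This is what differs from the local test in part 1.
server_line() {
    rest="${2#*>}"
    ts=$(printf '%.15s' "$rest")          # "Mmm dd hh:mm:ss" is always 15 characters
    printf '%s %s %s\n' "$ts" "$1" "${rest#"$ts" }"
}

# Send a datagram to a server (bash only: /dev/udp is a bash feature; not run here).
# Nothing on the receiving side authenticates the sender, so any host that can reach
# UDP/514 can inject a line with whatever facility, severity and tag it chooses.
send_udp() {
    printf '%s' "$2" > "/dev/udp/$1/514"
}

# Constructed sample: the step 8 message as forwarded, then as the server sees it.
stamp="Apr  7 12:34:56"
dgram=$(build_datagram local0 alert TEST "Test from virtual machine user student" "$stamp")
printf 'on the wire (UDP/514, plaintext): %s\n' "$dgram"
printf 'decoded:                           %s\n' "$(parse_datagram "$dgram")"
printf 'server writes:                     %s\n' "$(server_line vm01 "$dgram")"
```

  On the sysklogd of this lab the virtual machine's side is a syslog.conf line whose action is "@" followed by the server's name or address (for example "local0.* @physical-host"), and the server's side is the "-r" option in SYSLOGD_OPTIONS in /etc/sysconfig/syslog plus a firewall rule accepting UDP destination port 514 from the virtual machine. Everything in the datagram is readable in the capture, it is carried over UDP with no delivery guarantee, and the server does not authenticate the source; those three points are the answer step 9 is looking for.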
 

©2008 James Walden, Ph.D.