
syslog logging


syslog


Introduction

2011-02-05: Decided to take the time to summarize my knowledge and document the usage of these tools, complemented with additional resources from the Internet.



syslogd Daemon, rsyslogd, ...


Enable Use by Remote Systems

Exemplified using Mac OS X 10.6 (BSD-based):

$ cd /etc
$ sudo cp -p syslog.conf syslog.conf.before-2010-12-28   # backup
$ sudo emacs syslog.conf                              # edit, add local10.* below ###
*.notice;authpriv,remoteauth,ftp,install,internal.none    /var/log/system.log
kern.*                                                    /var/log/kernel.log

# Send messages normally sent to the console also to the serial port.
# To stop messages from being sent out the serial port, comment out this line.
#*.err;kern.*;auth.notice;authpriv,remoteauth.none;mail.crit    /dev/tty.serial

# The authpriv log file should be restricted access; these
# messages shouldn't go to terminals or publically-readable
# files.
auth.info;authpriv.*;remoteauth.crit                      /var/log/secure.log

lpr.info                                                  /var/log/lpr.log
mail.*                                                    /var/log/mail.log
ftp.*                                                     /var/log/ftp.log
install.*                                                 /var/log/install.log
install.*                                                 @127.0.0.1:32376
local0.*                                                  /var/log/appfirewall.log
local1.*                                                  /var/log/ipfw.log
local10.*                                                 /var/log/gw254.log

*.emerg                                                   *
$ cd /System/Library/LaunchDaemons/
$ sudo cp -p com.apple.syslogd.plist ~/Desktop/       # backup
$ sudo plutil -convert xml1 com.apple.syslogd.plist   # convert bin to text, as applicable
$ sudo emacs com.apple.syslogd.plist                  # edit; add NetworkListener code (below)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>EnableTransactions</key>
    <true/>
    <key>HopefullyExitsLast</key>
    <true/>
    <key>Label</key>
    <string>com.apple.syslogd</string>
    <key>MachServices</key>
    <dict>
        <key>com.apple.system.logger</key>
        <true/>
    </dict>
    <key>OnDemand</key>
    <false/>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/syslogd</string>
    </array>
    <key>Sockets</key>
    <dict>
        <key>AppleSystemLogger</key>
        <dict>
            <key>SockPathMode</key>
            <integer>438</integer>
            <key>SockPathName</key>
            <string>/var/run/asl_input</string>
        </dict>
        <key>BSDSystemLogger</key>
        <dict>
            <key>SockPathMode</key>
            <integer>438</integer>
            <key>SockPathName</key>
            <string>/var/run/syslog</string>
            <key>SockType</key>
            <string>dgram</string>
        </dict>
        <!-- added: accept syslog datagrams from the network (UDP port 514, service "syslog") -->
        <key>NetworkListener</key>
        <dict>
            <key>SockServiceName</key>
            <string>syslog</string>
            <key>SockType</key>
            <string>dgram</string>
        </dict>
    </dict>
</dict>
</plist>

$ sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist # stop running syslogd
$ sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist   # start again


$ ps ax|grep syslog
14 ?? Ss 0:01.38 /usr/sbin/syslogd
32500 s004 R+ 0:00.00 grep syslog



syslog Utility, logger Utility

The more common utility is the logger(1) command (on *NIX systems in general, including Mac OS X). Mac OS X also has a more powerful command, syslog(1).


                 logger(1)               syslog(1)
Local entry      logger [opts] message   syslog -s [opts] message
To host X        n/a                     syslog -s -r X [opts] message


Levels (Priorities)

Priority   Level Name         Level#                   Comments
                              (syslog -l <name | #>)
Highest    Emergency, Panic   0
           Alert              1
           Critical           2
           Error              3
           Warning            4
           Notice             5
           Info               6
Lowest     Debug              7                        Default if -l is omitted to the syslog command

Tests 2011-02-05:

$ syslog -s test              # NOTHING shows in the syslog log (Debug (7), as no -l was specified)
$ syslog -s -l 1 "test 1"     # DOES show
$ syslog -s -l 6 "test 6"     # NOTHING
$ syslog -s -l 5 "test 5"     # DOES show; so the current config (without any reconfiguration yet) logs up to Notice

$ syslog -s -r 171.13.15.4 -l 3 test   # won't work unless use by remote systems is enabled on the target (above)
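To tie the level tests above to the `*.notice` selector line in the syslog.conf shown earlier, here is an added Python example (not code from this page): it encodes and decodes the PRI value a syslogd receives on UDP/514, builds a BSD-format (RFC 3164) datagram like the one `syslog -s -r HOST` sends, and evaluates a syslog.conf selector field the way BSD syslogd does, which is why "test 5" shows and "test 6" does not. SAMPLE_TS, the host name and the facility table are assumptions for illustration.

```python
from datetime import datetime

# Severity keywords in the order of the levels table above (0 = Emergency .. 7 = Debug).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Standard facility codes: user = 1 (what a plain `syslog -s` uses), local0..local7 = 16..23.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11}
FACILITIES.update({f"local{i}": 16 + i for i in range(8)})
SYSTEM_LOG_SELECTOR = "*.notice;authpriv,remoteauth,ftp,install,internal.none"  # first line of the syslog.conf above

# Constructed timestamp so the sample datagram is reproducible.
SAMPLE_TS = datetime(2011, 2, 5, 12, 3, 4)

def encode_pri(facility: str, severity: int) -> int:
    """PRI = facility * 8 + severity; it is the number inside the leading <...> of a message."""
    if not 0 <= severity <= 7:
        raise ValueError("severity must be 0..7")
    return FACILITIES[facility] * 8 + severity

def decode_pri(pri: int) -> tuple:
    """Split a received PRI back into (facility code, severity)."""
    return pri // 8, pri % 8

def build_message(facility: str, severity: int, tag: str, text: str,
                  ts: datetime = SAMPLE_TS, host: str = "localhost") -> bytes:
    """BSD syslog datagram as sent to UDP/514: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG."""
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"  # day is space-padded, e.g. "Feb  5"
    return f"<{encode_pri(facility, severity)}>{stamp} {host} {tag}: {text}".encode()

def line_accepts(selectors: str, facility: str, severity: int) -> bool:
    """Evaluate one syslog.conf selector field for one message. Each ';'-separated part
    sets the threshold for the facilities it names (that level and anything more
    severe, i.e. a lower number); a later part overrides an earlier one."""
    threshold = None  # None means "not selected at all"
    for part in selectors.split(";"):
        fac_part, lvl_part = part.rsplit(".", 1)
        if fac_part != "*" and facility not in fac_part.split(","):
            continue
        if lvl_part == "none":
            threshold = None
        elif lvl_part == "*":
            threshold = 7
        else:
            threshold = SEVERITIES.index(lvl_part)
    return threshold is not None and severity <= threshold

if __name__ == "__main__":
    for lvl in (1, 5, 6, 7):  # the four `syslog -s -l` tests from the page
        print(lvl, build_message("user", lvl, "test", f"test {lvl}"),
              line_accepts(SYSTEM_LOG_SELECTOR, "user", lvl))
```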



Port 514 - syslog (UDP), rsh (TCP)

From iss.net/security_center/advice/Exploits/Ports/514/default.htm (retrieved 2011-02-05):

(UDP) Receives incoming 'syslog' messages and logs them to a database. The 'syslogd' is one of the more important daemons running on a UNIX host. A common hacker technique is to flood messages at the syslog daemon in hopes to fill up its queue. Client ports are both above and below port 1023.

(TCP) rsh (remote shell) sends a command to a shell on the remote machine and receives the stderr and stdout from it.


Date        Notes
2011-02-06  First public version
