Review Syslog Files
Overview of Syslog Facilities
Code | Facility | Facility description |
---|---|---|
0 | kern | Kernel messages |
1 | user | User-level messages |
2 | mail | Mail system messages |
3 | daemon | System daemon messages |
4 | auth | Authentication and security messages |
5 | syslog | Internal syslog messages |
6 | lpr | Printer messages |
7 | news | Network news messages |
8 | uucp | UUCP protocol messages |
9 | cron | Clock daemon messages |
10 | authpriv | Non-system authorization messages |
11 | ftp | FTP protocol messages |
16-23 | local0 to local7 | Custom local messages |
Overview of Syslog Priorities
Code | Priority | Priority description |
---|---|---|
0 | emerg | System is unusable |
1 | alert | Action must be taken immediately |
2 | crit | Critical condition |
3 | err | Non-critical error condition |
4 | warning | Warning condition |
5 | notice | Normal but significant event |
6 | info | Informational event |
7 | debug | Debugging-level message |
The configuration file is usually at /etc/rsyslog.conf. Extra configurations are stored in the drop-in directory at /etc/rsyslog.d/.
Example: make ssh use its own log. By default ssh uses the authpriv facility; making it use its own log requires 3 steps.
1: Modify sshd.conf: add a new conf file at /etc/sshd_config.d/99-logging.conf and put SyslogFacility local6 in it
SyslogFacility local6
By default it is in sshd.conf and set to SyslogFacility Auth
2: Add an extra conf file to rsyslog, stored in /etc/rsyslog.d/99-sshd.conf
local6.*
3: Restart both sshd and rsyslog. To test rsyslog you can use logger:
<code>
logger -p local6.info "testing testing"
</code>
This will generate a log entry in the sshd.log
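Why the logger test in step 3 reaches the new log, as an added example that is not part of the original notes: it computes the PRI value from the two tables above and evaluates rsyslog-style selectors against it. The rule set and the target paths (including /var/log/sshd.log) are assumptions constructed for illustration, and only a subset of selector syntax is handled.

```python
# Added example: syslog PRI arithmetic and rsyslog-style selector matching.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11}
FACILITIES.update({f"local{i}": 16 + i for i in range(8)})
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def encode_pri(facility, priority):
    """PRI value carried by a message: facility code * 8 + priority code."""
    return FACILITIES[facility] * 8 + PRIORITIES.index(priority)

def decode_pri(pri):
    """Split a PRI value back into (facility name, priority name)."""
    names = {code: name for name, code in FACILITIES.items()}
    return names[pri // 8], PRIORITIES[pri % 8]

def selector_matches(selector, facility, priority):
    """Evaluate a selector such as '*.info;authpriv.none' for one message.

    Subset only: 'fac[,fac].pri', '*' and 'none' (no '=' or '!' modifiers).
    Parts apply left to right; a later part overrides an earlier one for
    the facilities it names.
    """
    sev = PRIORITIES.index(priority)
    matched = False
    for part in selector.split(";"):
        facs, _, level = part.strip().partition(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        if level == "none":
            matched = False
        elif level == "*":
            matched = True
        else:
            # A named priority selects that level and everything more severe.
            matched = sev <= PRIORITIES.index(level)
    return matched

def routes(rules, facility, priority):
    """Targets of every rule whose selector matches the message."""
    return [target for sel, target in rules if selector_matches(sel, facility, priority)]

# Constructed rules: the first two resemble a stock RHEL rsyslog.conf; the
# third is the step 2 drop-in with an assumed target path.
RULES = [
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("local6.*", "/var/log/sshd.log"),
]
```

Under these assumed rules, `routes(RULES, "local6", "info")` returns both /var/log/messages and /var/log/sshd.log and no longer /var/log/secure, so anything that watches the authpriv log for ssh logins needs to follow the new file. Appending `local6.none` to the first selector keeps the sshd messages in the dedicated file only.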