Unix systems record all kinds of system activity in logs. Logs are
particularly useful to the system administrator for discovering
intruders, tracking down problems, and improving the efficiency of the
system. Syslogd, the system log daemon, monitors system activity
looking for loggable events. When syslogd discovers an event that
should be logged, it writes it to the correct log file. Some messages,
such as kernel messages, are immediately printed to the screen, while
others are mailed to root. Syslogd quietly places routine messages in
the appropriate log file, where they wait for the system administrator to
open the file and read them.
Syslogd's behavior is determined by the syslog configuration file
/etc/syslog.conf. /etc/syslog.conf lists the
kinds of events which should be logged, and the file where each event
should be placed. There are two parts to the selector of an
/etc/syslog.conf entry: the facility, which identifies
the subsystem that generated the event (kernel, mail, authpriv and so on),
and the severity, which sets the level at which events from that facility
are logged; events of that severity or higher are sent to the named file.
A sample syslog.conf file is shown below:
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                    /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none             /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                 /var/log/secure

# Log all the mail messages in one place.
mail.*                                     /var/log/maillog

# Everybody gets emergency messages, plus log them on another
# machine.
*.emerg                                    *

# Save uucp and news errors of level crit and higher in a
# special file.
uucp,news.crit                             /var/log/spooler

# Save boot messages also to boot.log
local7.*                                   /var/log/boot.log
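As an added example (not code from the original page), the following Python script models how syslogd evaluates the selectors above, so you can check where a message of a given facility and severity would land, for instance that authpriv messages reach only /var/log/secure and never /var/log/messages. The embedded configuration is a constructed copy of the sample file, and the script assumes that the last selector on a line naming a facility takes precedence, which is what makes the `*.info;mail.none` idiom work.

```python
# Severities from lowest to highest; "level or higher" means index >= index(level).
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Constructed sample: the active lines of the syslog.conf shown on this page.
SAMPLE_CONF = """\
# Log anything (except mail) of level info or higher.
*.info;mail.none;authpriv.none   /var/log/messages
authpriv.*                       /var/log/secure
mail.*                           /var/log/maillog
*.emerg                          *
uucp,news.crit                   /var/log/spooler
local7.*                         /var/log/boot.log
"""


def parse_conf(text):
    """Return a list of (selectors, action); each selector is (facilities, level)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector_field, action = line.split(None, 1)
        selectors = []
        for sel in selector_field.split(";"):
            facilities, level = sel.rsplit(".", 1)   # "uucp,news.crit" -> ["uucp","news"], "crit"
            selectors.append((facilities.split(","), level))
        rules.append((selectors, action))
    return rules


def matches(selectors, facility, priority):
    """Assumption: the last selector on the line that names the facility decides."""
    decision = False
    for facilities, level in selectors:
        if facility in facilities or "*" in facilities:
            if level == "none":
                decision = False          # e.g. mail.none suppresses mail on this line
            elif level == "*":
                decision = True
            else:
                decision = PRIORITIES.index(priority) >= PRIORITIES.index(level)
    return decision


def route(rules, facility, priority):
    """Return the actions (files, '*', etc.) that receive a facility.priority message."""
    return [action for selectors, action in rules if matches(selectors, facility, priority)]


RULES = parse_conf(SAMPLE_CONF)
```

Running `route(RULES, "authpriv", "info")` shows the authentication message going only to the restricted /var/log/secure, while `route(RULES, "kern", "emerg")` shows the kernel emergency both logged and broadcast to all users.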