UNIX System Administration Handbook - Evi Nemeth [136]
# CS Department syslog.conf file for non-master machines
# Emergencies: tell everyone who is logged on
*.emerg;user.none *
# Forward important messages to the central logger
*.warning;lpr,local1.none @netloghost
daemon,auth.info @netloghost
# Send local stuff to the central logger too
local2.info;local0,local7.debug @netloghost
# cardd logs through facility local1 -- send to boulder
local1.debug @boulder.colorado.edu
# Keep printer errors local
lpr.debug /var/adm/lpd-errs
# sudo logs to local2 - keep a copy here
local2.info /var/adm/sudolog
# Keep kernel messages local
kern.info /var/adm/kern.log
This configuration does not keep much log information locally. It’s worth mentioning that if netloghost is down or unreachable, log messages will be irretrievably lost. You may want to keep some additional local duplicates of important messages to guard against this possibility.
At a site with lots of local software installed, lots of messages can be logged inappropriately to facility user, level emerg. In this example, user/emerg has been specifically excluded with the user.none clause in the first line.
The second and third lines forward all important messages to the central logging host; messages from the printing system and the campus-wide card access system are explicitly excluded. The fourth line forwards local logging information to netloghost as well. The fifth line forwards card access logging information to the campus-wide logging host, boulder. The last two entries keep local copies of printer errors and sudo log messages.
See page 41 for more information about sudo.
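To check what the non-master configuration above actually does with a given message, here is a small evaluator for classic syslog.conf selectors. It is an added example, not code from the book or from any syslogd: it implements the usual BSD selector rules (a level selects that level and everything more severe, `none` excludes a facility, later clauses on a line override earlier ones for the same facility) and, as a simplification, treats `mark` like any other facility, which some syslogds leave out of `*`. The `remote_only` check flags messages this host forwards without keeping a local copy, which is exactly the loss scenario the text warns about when netloghost is unreachable.

```python
"""Evaluate classic BSD syslog.conf selectors against the non-master config above.

Added example: not code from the book.  Assumes the common syslogd semantics
(a level selects that level and everything more severe; 'none' excludes a
facility; later clauses on a line override earlier ones for the same facility).
"""

# Severity levels in <syslog.h> order: 0 = most severe.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LEVEL_NUM = {name: n for n, name in enumerate(LEVELS)}
LEVEL_NUM.update(panic=0, error=3, warn=4)  # old spellings still seen in syslog.conf

# Simplification: 'mark' is treated like any other facility here; some syslogds
# leave it out of '*'.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "mark"] + [f"local{n}" for n in range(8)]

# The non-master syslog.conf from the page, minus its comments.
NON_MASTER_CONF = """\
*.emerg;user.none *
*.warning;lpr,local1.none @netloghost
daemon,auth.info @netloghost
local2.info;local0,local7.debug @netloghost
local1.debug @boulder.colorado.edu
lpr.debug /var/adm/lpd-errs
local2.info /var/adm/sudolog
kern.info /var/adm/kern.log
"""


def parse_rule(line):
    """Return (thresholds, action) for one rule, or None for a blank/comment line.

    thresholds maps facility -> least-severe level number that still matches,
    or None when the facility is excluded with '.none'.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    selector, action = line.split(None, 1)  # tab or spaces separate selector and action
    thresholds = {}
    for clause in selector.split(";"):
        facs, level = clause.rsplit(".", 1)
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            thresholds[fac] = None if level == "none" else LEVEL_NUM[level]
    return thresholds, action


def parse_conf(text):
    """Parse a whole syslog.conf into a list of (thresholds, action) rules."""
    return [r for r in map(parse_rule, text.splitlines()) if r is not None]


def route(rules, facility, level):
    """List the actions, in file order, that receive a facility.level message."""
    sev = LEVEL_NUM[level]
    matches = []
    for thresholds, action in rules:
        threshold = thresholds.get(facility)
        if threshold is not None and sev <= threshold:
            matches.append(action)
    return matches


def remote_only(rules, facility, level):
    """True if the message is forwarded (@host) but no local file or console gets it.

    If the remote logger is down, such a message is lost with no local trace.
    """
    actions = route(rules, facility, level)
    return bool(actions) and all(a.startswith("@") for a in actions)


if __name__ == "__main__":
    rules = parse_conf(NON_MASTER_CONF)
    for fac, lvl in [("user", "emerg"), ("kern", "emerg"), ("lpr", "err"),
                     ("local2", "info"), ("auth", "notice"), ("daemon", "debug")]:
        flag = "  (no local copy!)" if remote_only(rules, fac, lvl) else ""
        print(f"{fac}.{lvl:<8} -> {route(rules, fac, lvl) or 'dropped'}{flag}")
```

Running it shows the points the text makes: user.emerg still reaches netloghost but is no longer broadcast to logged-in users, lpr errors stay in /var/adm/lpd-errs, and sudo's local2.info goes both to netloghost and to the local sudolog. It also shows that auth.notice, for example, exists only on netloghost; if that matters at your site, add a local file action for it.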
Central logging host
This example is for netloghost, the central, secure logging host for a moderate-sized network of 400 to 500 hosts.
# CS Department syslog.conf file, master logging host
# Emergencies to the console and log file, with timing marks
*.emerg /dev/console
*.err;kern,mark.debug;auth.notice /dev/console
*.err;kern,mark.debug;user.none /var/adm/console.log
auth.notice /var/adm/console.log
# Send non-emergency messages to the usual log files
*.err;user.none;kern.debug /var/adm/messages
daemon,auth.notice;mail.crit /var/adm/messages
lpr.debug /var/adm/lpd-errs
mail.debug /var/adm/mail.log
# Local authorization stuff like sudo and npasswd
local2.debug /var/adm/sudo.log
local2.alert /var/adm/sudo-errs.log
auth.info /var/adm/auth.log
# Other local stuff
local0.info /var/adm/netblazer.log
local4.notice /var/adm/da.log
local6.debug /var/adm/annex-isn.log
local7.debug /var/adm/tcp.log
# User stuff (the default if no facility is specified)
user.info /var/adm/user.log
Logging data arriving from local programs and from syslogds on the network is written to files. In some cases, the output from each facility is put into its own file.
The central logging host generates the time stamp for each message as it writes the message out. The timestamps do not reflect the time on the originating host. If you have machines in several time zones or your system clocks are not synchronized, the timestamps can be somewhat misleading.
Sample syslog output
Below is a snippet from one of the log files on the master syslog host at the University of Colorado’s computer science department. About 200 hosts log to this machine.
Dec 18 15:12:42 av18.cs.colorado.edu sbatchd[495]: sbatchd/main: ls_info() failed: LIM is down; try later; trying ...
Dec 18 15:14:28 proxy-1.cs.colorado.edu pop-proxy[27283]: Connection from 128.138.198.84
Dec 18 15:14:30 mroe.cs.colorado.edu pingem[271]: maltese-office.cs.colorado.edu has not answered 42 times
Dec 18 15:15:05 schwarz.cs.colorado.edu vmunix: Multiple softerrors: Seen 100 Corrected Softerrors from SIMM J0201
Dec 18 15:15:05 schwarz.cs.colorado.edu vmunix: AFSR = 0x4c21, AFAR0 = 0x87ffdd30, AFAR1 = 0xb8f8a0
Dec 18 15:15:48 proxy-1.cs.colorado.edu pop-proxy[27285]: Connection from 12.2.209.183
Dec 18 15:15:50 av18.cs.colorado.edu last message repeated 100 times
This example contains
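The excerpt above is in the classic syslogd line format, and it shows two things a central-host log reader has to cope with: the timestamp carries neither year nor time zone (it is the central host's clock, as noted earlier), and a "last message repeated N times" line stands in for N suppressed copies. The following parser is an added example, not code from the book; the sample lines are the page's own excerpt with the wrapped lines re-joined, and the caller supplies the year because the format has none. The repeat line is produced by the syslogd that saw the duplicates, so on a central host it is credited to the most recent message from the same originating host.

```python
"""Parse classic syslogd output lines like the excerpt above.

Added example, not from the book.  Sample lines are copied from the page's
excerpt (wrapped lines re-joined); the year is supplied by the caller because
the BSD timestamp carries neither year nor time zone.
"""
import re
from datetime import datetime

# "Mon DD HH:MM:SS host program[pid]: message" as written by syslogd.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

# The summary line a syslogd emits instead of N identical copies.
REPEAT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"last message repeated (?P<n>\d+) times$")

# The page's excerpt, one message per line.
SAMPLE = """\
Dec 18 15:12:42 av18.cs.colorado.edu sbatchd[495]: sbatchd/main: ls_info() failed: LIM is down; try later; trying ...
Dec 18 15:14:28 proxy-1.cs.colorado.edu pop-proxy[27283]: Connection from 128.138.198.84
Dec 18 15:14:30 mroe.cs.colorado.edu pingem[271]: maltese-office.cs.colorado.edu has not answered 42 times
Dec 18 15:15:05 schwarz.cs.colorado.edu vmunix: Multiple softerrors: Seen 100 Corrected Softerrors from SIMM J0201
Dec 18 15:15:05 schwarz.cs.colorado.edu vmunix: AFSR = 0x4c21, AFAR0 = 0x87ffdd30, AFAR1 = 0xb8f8a0
Dec 18 15:15:48 proxy-1.cs.colorado.edu pop-proxy[27285]: Connection from 12.2.209.183
Dec 18 15:15:50 av18.cs.colorado.edu last message repeated 100 times
"""


def parse_log(text, year):
    """Return (records, unmatched): one record per distinct message, with the
    'count' field folding in 'last message repeated N times' lines.

    The repeat line is produced by the syslogd that saw the duplicates, so it
    is credited to the most recent record from the same originating host.
    """
    records, unmatched = [], []
    for line in text.splitlines():
        m = REPEAT_RE.match(line)
        if m:
            for rec in reversed(records):
                if rec["host"] == m["host"]:
                    rec["count"] += int(m["n"])
                    break
            else:                       # no earlier line from that host in this window
                unmatched.append(line)
            continue
        m = LINE_RE.match(line)
        if m is None:
            unmatched.append(line)      # keep odd lines rather than dropping them silently
            continue
        records.append({
            # Central host's clock; the format has no year or zone, so the
            # caller's year is an assumption, not data from the line.
            "time": datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y"),
            "host": m["host"],
            "prog": m["prog"],
            "pid": int(m["pid"]) if m["pid"] else None,
            "msg": m["msg"],
            "count": 1,
        })
    return records, unmatched


def messages_per_host(records):
    """Total message count per originating host, repeats included."""
    totals = {}
    for rec in records:
        totals[rec["host"]] = totals.get(rec["host"], 0) + rec["count"]
    return totals


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE, 1999)   # 1999 is an assumed year for the demo
    for rec in recs:
        print(f"{rec['time']:%b %d %H:%M:%S} {rec['host']:<26} {rec['prog']:<10} x{rec['count']}")
    print("per host:", messages_per_host(recs))
    print("unparsed:", bad)
```

Folding the repeat into the sbatchd record turns six visible lines into a truthful count: av18 produced 101 copies of the LIM-is-down complaint in three minutes, which is the kind of figure a rate-based alert on the central host should see. Keeping unparsed lines instead of discarding them matters on a collector fed by a few hundred hosts, since a line that does not fit the format is itself worth a look.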