System administrators must analyze numerous
types of log entries not only from multitudes of sub-systems within each system
but also from multitudes of systems in order to detect system intrusions. For
example, an FTP server will write
an entry for every connection it gets, the kernel
will generate entries for failures of hardware (such as in a disk drive), and a
DNS server might regularly report
usage statistics. Some of these log entries might require the immediate
attention of a system administrator or of someone with expertise in the
subsystem that produced them. Other entries simply need to be recorded for future reference. To
deal with these matters, most UNIX
systems have a log subsystem called Syslog, implemented as a daemon program named "syslogd." This
program listens for messages on a local socket called /dev/log.
By classifying the information in each entry and matching it against the
contents of its config file (typically /etc/syslog.conf), Syslogd routes the
information to one or more actions, such as "print to the system console," "mail to a specific user,"
"append an entry to a logfile,"
"forward to another daemon or host," or "discard." Syslogd can also listen for
messages on the Syslog UDP port (514) in addition to the local socket; because UDP
syslog carries no authentication, a daemon that accepts remote messages will
record whatever any host on the network chooses to send it.
Though Syslogd can handle information from the operating system, the kernel
does not write to /dev/log. Instead, another daemon (named klogd) reads messages from the
kernel's log buffer and forwards them to Syslogd.
Syslogd requires each process that submits a message to supply two pieces of
classification information with it: a "facility" and a "priority." The two are
carried together as a single facility/priority number (the facility code multiplied
by 8, plus the priority code), which the sending process places at the front of the message.
Facility identifies the source, such as the kernel, the mail subsystem, or an
FTP server. Priority indicates the importance of the contents, such as debug,
informational, warning, or critical. Except for the fact that priorities have a
defined order, the real meaning of these is determined by the system administrator.
Note that both values are asserted by the sender: any local process that can write
to /dev/log can label its messages with whatever facility it likes, so the facility
cannot by itself be trusted to attribute an entry to a particular subsystem.
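The classification and routing described above, as an added example that is not code from the page or from any syslog implementation: it encodes and decodes the facility/priority number, builds the "<PRI>tag: text" datagram a process writes to /dev/log, parses a small syslog.conf fragment, and reports which actions each entry would be routed to. The numeric codes are the standard values from <syslog.h>; the function names, the config fragment, and the log entries are constructed for this example. A datagram with no valid <PRI> header is given the user.notice default, as syslogd does.

```python
"""Toy model of syslogd classification and syslog.conf routing (added example)."""

# Standard facility and priority codes from <syslog.h>; codes 12-15 are omitted.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
PRIORITIES = {  # lower number = more important
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
PRIORITY_NAMES = {v: k for k, v in PRIORITIES.items()}


def encode_pri(facility, priority):
    """The single facility/priority number: facility code * 8 + priority code."""
    return FACILITIES[facility] * 8 + PRIORITIES[priority]


def decode_pri(pri):
    """Split a facility/priority number into (facility name, priority name)."""
    facility, priority = divmod(pri, 8)
    return FACILITY_NAMES[facility], PRIORITY_NAMES[priority]


def build_message(facility, priority, tag, text):
    """The datagram a process writes to /dev/log or UDP 514: "<PRI>tag: text"."""
    return f"<{encode_pri(facility, priority)}>{tag}: {text}".encode()


def parse_message(raw):
    """Return (facility, priority, body); a missing or bad <PRI> means user.notice."""
    text = raw.decode(errors="replace")
    if text.startswith("<") and ">" in text[1:5]:
        end = text.index(">")
        number = text[1:end]
        if number.isdigit() and int(number) <= 191 and int(number) // 8 in FACILITY_NAMES:
            facility, priority = decode_pri(int(number))
            return facility, priority, text[end + 1:]
    return "user", "notice", text


def parse_config(conf):
    """Parse "selector[;selector] action" lines into (action, table) pairs, where
    table maps each facility code to the set of priority codes that rule accepts."""
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        selectors, action = line.split(None, 1)
        table = {code: set() for code in FACILITIES.values()}
        for selector in selectors.split(";"):
            fac_part, pri_part = selector.rsplit(".", 1)
            facs = list(FACILITIES.values()) if fac_part == "*" else [
                FACILITIES[f] for f in fac_part.split(",")]
            if pri_part == "none":                     # drop this facility
                allowed = set()
            elif pri_part == "*":
                allowed = set(PRIORITIES.values())
            elif pri_part.startswith("="):             # exactly this priority
                allowed = {PRIORITIES[pri_part[1:]]}
            else:                                      # this priority and more important ones
                allowed = {p for p in PRIORITIES.values() if p <= PRIORITIES[pri_part]}
            for fac in facs:   # a later selector on the same line overrides an earlier one
                table[fac] = set(allowed)
        rules.append((action.strip(), table))
    return rules


def route(raw, rules):
    """Actions syslogd would take for one datagram, in config-file order."""
    facility, priority, _ = parse_message(raw)
    fac, pri = FACILITIES[facility], PRIORITIES[priority]
    return [action for action, table in rules if pri in table[fac]]


SAMPLE_CONF = """   # constructed syslog.conf fragment
*.emerg                     *
kern.*                      /dev/console
mail.crit                   /var/log/mail.crit
ftp.=info                   /var/log/xferlog
*.info;mail.none;ftp.none   /var/log/messages
auth,authpriv.warning       @loghost
"""

SAMPLE_MESSAGES = {  # constructed entries from the kinds of sources the text names
    "ftp_connect": build_message("ftp", "info", "ftpd", "connection from 192.0.2.10"),
    "disk_error": build_message("kern", "crit", "kernel", "sda: I/O error, sector 4096"),
    "mail_emerg": build_message("mail", "emerg", "postfix", "queue file system full"),
    "auth_warning": build_message("auth", "warning", "sshd", "failed password for root"),
    "no_pri": b"stray text without a PRI header",
}


def demo():
    """Route every sample entry through the sample config; returns {name: actions}."""
    rules = parse_config(SAMPLE_CONF)
    return {name: route(raw, rules) for name, raw in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, actions in demo().items():
        print(f"{name:13s} -> {actions}")
```

The selector handling follows sysklogd: "mail.crit" accepts crit and everything more important, "ftp.=info" accepts only info, and "mail.none" later on the same line removes mail from a wildcard selector, which is why the FTP connection entry reaches only the transfer log and the mail emergency reaches both the console broadcast and the mail log.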
See Also: Administrator; Daemon; Domain Name System (DNS); /etc/syslog.conf; FTP (File
Transfer Protocol); Kernel; Logfile; Socket; UNIX; User Datagram Protocol (UDP).
Further Reading: GNU Organization. Overview of Syslog. [Online, 2004.] GNU Organization Website.