Log Subsystem - technical definition

System administrators must analyze numerous types of log entries not only from multitudes of sub-systems within each system but also from multitudes of systems in order to detect system intrusions. For example, an FTP server will write an entry for every connection it gets, the kernel will generate entries for failures of hardware (such as in a disk drive), and a DNS server might regularly report usage statistics. Some of these log entries might require the immediate attention of a system administrator or of someone having expertise in a particular type. Still other entries simply need to be recorded for future reference. To deal with these important matters, most UNIX systems have a log sub-system facility called Syslog, implemented as a daemon program named “Syslogd.” This program listens for messages on a socket called /dev/log.

By classifying information in the entries and in the contents of the config file (typically /etc/syslog.conf), Syslogd routes the information—such as “print to the system console,” “mail to a specific user,” “create entry in a logfile,” “forward to another daemon,” or “discard.” Syslogd can also listen for information on the Syslog UDP port and on the local socket. Though Syslogd can operate on information from the operating system, the kernel does not write to /dev/log. Instead, another daemon (named Klogd) receives information from the kernel and forwards it to Syslogd.

Syslogd must receive a two-part classfication piece of information from each process consisting of “facility” and “priority.” A facility/priority number is one indicating both the facility and the priority. Facility ascertains the source—such as the kernel, the mail subsystem, or an FTP server. Priority ascertains the importance of the contents—such as debug, informational, warning, or critical. Except for the fact that priorities have a defined order, the real meaning of these is determined by the system administrator.

See Also: Administrator; Daemon; Domain Name System (DNS); /etc/syslog.conf; FTP (File Transfer Protocol); Kernel; Logfile; Socket; UNIX; User Datagram Protocol (UDP).