命令行大全

sysklogd

嚯嚯 发表于 2020-10-22 10:10浏览次数:

在Linux操作系统上,sysklogd是一组Linux系统日志记录实用程序。

查看英文版

目录:

1 sysklogd 运行系统环境

2 sysklogd 描述

3 sysklogd 语法

4 配置文件语法

5 远程日志记录支持

6 调试

7 安全注意事项

sysklogd 运行系统环境

Linux

sysklogd 描述

Sysklogd提供了两个系统实用程序,它们为系统日志记录和内核消息捕获提供支持。Internet和Unix域套接字的支持使该实用程序包能够支持本地和远程日志记录。

系统日志记录由从BSD派生的syslogd版本提供。为内核日志的支持由提供klogd的实用程序,其允许在任何一个独立的方式或作为要进行内核日志客户端的syslogd的。

syslogd提供了许多现代程序使用的一种日志记录。每个记录的消息至少包含一个时间和一个主机名字段,通常包含一个程序名称字段,但是它取决于记录程序。

启动时会读取主配置文件/etc/syslog.conf或带有-f选项的备用文件。以井号(“ ”)开头的任何行和空行都将被忽略。如果在解析行期间发生错误,则将忽略整行。

Sysklogd provides two system utilities which provide support for system logging and kernel message trapping. Support of both Internet and unix domain sockets enables this utility package to support both local and remote logging.

System logging is provided by a version of syslogd derived from BSD. Support for kernel logging is provided by the klogd utility that allows kernel logging to be conducted in either a standalone fashion or as a client of syslogd.

syslogd provides a kind of logging that many modern programs use. Every logged message contains at least a time and a hostname field, and normally a program name field, but it depends on the logging program.

The main configuration file /etc/syslog.conf or an alternative file, given with the -f option, is read at startup. Any lines that begin with the hash mark ("#") and empty lines are ignored. If an error occurs during parsing a line, the whole line is ignored.

查看英文版

查看中文版

sysklogd 语法

>syslogd [ -a socket ] [ -d ] [ -f config-file ] [ -h ] [ -l hostlist ] 
        [ -m interval ] [ -n ] [ -p socket ] [-r ] [ -s domainlist ] 
        [ -u user ] [ -v ]

选项

-a socket 使用此参数,您可以指定syslogd必须侦听的其他套接字。 如果要在chroot()环境中运行某些守护程序,则需要这样做。 您最多可以使用19个其他插槽。 如果您的环境需要更多,则必须在syslogd.c源文件中增加符号MAXFUNIX
-d 打开调试模式。 使用此守护程序将不会继续进行派生以将其自身设置在后台,而是与之相反,它将驻留在前台并在当前tty上写入许多调试信息。
-f config-file 指定替代配置文件,而不是默认的/etc/syslog.conf
-h 默认情况下,syslogd不会转发从远程主机接收的消息。在命令行上指定此开关将导致日志守护程序将其接收到的任何远程消息转发到已定义的转发主机。这可能会导致syslog循环以相当快的速度填满硬盘,因此需要谨慎使用。
-l hostlist 指定仅使用简单主机名而不是fqdn记录的主机名。 可以使用冒号(“:”)分隔符指定多个主机。
-m nterval syslogd定期记录标记时间戳记。 两行“-MARK-”之间的默认间隔为20分钟。 可以使用此选项进行更改。 将间隔设置为零会完全关闭它。 根据生成的其他日志消息,这些行可能不会连续写入。
-n 避免自动背景。 这是特别需要的,如果syslogd是由init启动并控制的。
-p socket 您可以指定替代的UNIX域套接字,而不是/ dev / log
-r 此选项将使设施使用具有系统日志服务的 Internet 域套接字从网络接收消息。默认值是不接收来自网络的任何消息。此选项在sysklogd包的版本 1.3 中引入。

请注意,默认行为与旧版本的行为方式相反,因此您可能需要启用此功能。

-s domainlist 指定在日志记录前应删除的域名。使用冒号 (": ")分隔符可以指定多个域。请注意,不能指定任何子域,但只能指定整个域。例如,如果指定了 -s north.de,并且主机日志记录解析为 satu.info-drom.north.de将不剪切任何域,则必须指定两个域,如:-s North.de:info-drom.north.de
-u user 默认情况下,syslogd守护进程以完全root权限运行。如果指定此选项,守护程序将在启动日志记录之前放弃对给定用户(以及该用户的主要组)的权限。这大大降低了syslogd中可利用的安全漏洞的潜在影响。

syslogd在启动时仍将以root用户身份打开所有日志文件。 但是,在收到SIGHUP信号(这会导致守护程序重新启动)之后,日志文件将以非特权用户的身份重新打开,如果该日志文件只能由root用户写入,则该用户将失败。 如果需要使用信号重新启动守护程序,则必须调整日志文件的权限,以使其可以由指定用户(或其主要组)写入。
-v 打印版本并推出

信号

Syslogd对一组信号做出反应。 您可以使用以下命令轻松地向syslogd发送信号:

kill -SIGNAL `cat /var/run/syslogd.pid`

其中,SIGNAL是以下信号之一:

SIGHUP 这使syslogd执行重新初始化。关闭所有打开的文件,将重新读取配置文件(默认为/etc/syslog.conf),并再次启动syslog工具。
SIGTERM 消毁syslogd
SIGINT, SIGQUIT 如果启用了调试,这些都将被忽略,否则syslogd将消亡。
SIGUSR1 打开/关闭调试。 仅当使用-d debug选项启动syslogd时,才能使用此选项。
SIGCHLD 等待子进程(如果已生成)。
>syslogd [ -a socket ] [ -d ] [ -f config-file ] [ -h ] [ -l hostlist ] 
        [ -m interval ] [ -n ] [ -p socket ] [-r ] [ -s domainlist ] 
        [ -u user ] [ -v ]

Options

-a socket Using this argument you can specify additional sockets from that syslogd has to listen to. This is needed if you're going to let some daemon run within a chroot() environment. You can use up to 19 additional sockets. If your environment needs even more, you have to increase the symbol MAXFUNIX within the syslogd.c source file.
-d Turns on debug mode. Using this the daemon will not proceed a fork to set itself in the background, but opposite to that stay in the foreground and write much debug information on the current tty.
-f config-file Specify an alternative configuration file instead of /etc/syslog.conf, which is the default.
-h By default syslogd will not forward messages it receives from remote hosts. Specifying this switch on the command line will cause the log daemon to forward any remote messages it receives to forwarding hosts which have been defined. This can cause syslog loops that fill up hard disks quite fast and thus needs to be used with caution.
-l hostlist Specify a hostname that should be logged only with its simple hostname and not the fqdn. Multiple hosts may be specified using the colon (":") separator.
-m interval The syslogd logs a mark timestamp regularly. The default interval between two "-- MARK --" lines is 20 minutes. This can be changed with this option. Setting the interval to zero turns it off entirely. Depending on other log messages generated these lines may not be written consecutively.
-n Avoid auto-backgrounding. This is needed especially if the syslogd is started and controlled by init.
-p socket You can specify an alternative unix domain socket instead of /dev/log.
-r This option will enable the facility to receive message from the network using an Internet domain socket with the syslog service. The default is to not receive any messages from the network.

This option is introduced in version 1.3 of the sysklogd package. Please note that the default behavior is the opposite of how older versions behave, so you might have to turn this on.
-s domainlist Specify a domain name that should be stripped off before logging. Multiple domains may be specified using the colon (":") separator. Please be advised that no sub-domains may be specified but only entire domains. For example, if -s north.de is specified and the host logging resolves to satu.info-drom.north.de no domain would be cut, you will have to specify two domains like: -s north.de:info-drom.north.de.
-u user The syslogd daemon runs with full root privileges by default. If you specify this option, the daemon will drop its privileges to the given user (and the primary group of this user) before starting up logging. This greatly reduces the potential impact of exploitable security holes in syslogd.

syslogd will still open all log files as root at startup. However, after receiving a SIGHUP signal (which causes the daemon to restart) the log files will be reopened as the non-privileged user which fails if the log files are only writeable by root. If you need to restart the daemon using the signal, then you have to adapt the permissions of your log files to be writeable by the specified user (or its primary group).
-v Print version and exit.

Signals

Syslogd reacts to a set of signals. You may easily send a signal to syslogd using the following:

kill -SIGNAL `cat /var/run/syslogd.pid`

where SIGNAL is one of the following signals:

SIGHUP This lets syslogd perform a re-initialization. All open files are closed, the configuration file (default is /etc/syslog.conf) will be reread and the syslog facility is started again.
SIGTERM Kills syslogd.
SIGINTSIGQUIT If debugging is enabled these are ignored, otherwise syslogd will die.
SIGUSR1 Switch debugging on/off. This option can only be used if syslogd is started with the -d debug option.
SIGCHLD Wait for child processes (if some were spawned).

查看英文版

查看中文版

配置文件语法

Syslogd的配置文件使用语法与原始 BSD 源略有不同。最初,特定优先级及以上的所有消息都转发到日志文件。

例如,以下行导致使用守护程序设施(调试是最低优先级,因此所有更高的内容也将匹配)的守护进程的所有输出进入 /usr/adm/daemons:

# Sample syslog.conf 
daemon.debug 		/usr/adm/daemons

根据新方案,此行为保持不变。区别在于添加四个新指定符,星号(*)通配符,等号(=),感叹号(!), 和减号(-)。

*指定将指定设施的所有消息都定向到目的地。 请注意,此行为通过指定调试的优先级而退化。 用户已经表明,星号表示法更加直观。

=通配符用于将日志记录限制为指定的优先级类别。 例如,这允许仅将调试消息路由到特定的日志记录源。

例如,syslog.conf中的以下行会将调试消息从所有源定向到/ usr / adm / debug文件。

# Sample syslog.conf 
*.=debug 		/usr/adm/debug

!用于排除指定优先级的日志记录。这会影响所有(!)指定优先级的可能性

例如,以下行将记录设施邮件的所有邮件,但具有优先级信息的邮件除外,这些邮件将记录到 /usr/adm/mail文件中。从"news.info(包括)到 news.crit(不包括)的所有消息将被记录到 /usr/adm/news文件中。

# Sample syslog.conf 
mail.*;mail.!=info 	/usr/adm/mail 
news.info;news.!crit 	/usr/adm/news

您可以直观地使用它作为异常指定符。上述解释是倒置的。这样做,你可以使用

mail.none

mail.!*

mail.!debug

跳过邮件功能附带的每条消息。

如果您要在每次写入文件后都忽略同步文件,则只能在文件名前添加“-”前缀。

Syslogd uses a slightly different syntax for its configuration file than the original BSD sources. Originally all messages of a specific priority and above were forwarded to the log file.

For example, the following line caused ALL output from daemons using the daemon facilities (debug is the lowest priority, so everything higher will also match) to go into /usr/adm/daemons:

# Sample syslog.conf 
daemon.debug 		/usr/adm/daemons

Under the new scheme this behavior remains the same. The difference is the addition of four new specifiers, the asterisk (*) wildcard, the equal sign (=), the exclamation mark (!), and the minus sign (-).

The * specifies that all messages for the specified facility are to be directed to the destination. Note that this behavior is degenerate with specifying a priority level of debug. Users have indicated that the asterisk notation is more intuitive.

The = wildcard is used to restrict logging to the specified priority class. This allows, for example, routing only debug messages to a particular logging source.

For example, the following line in syslog.conf would direct debug messages from all sources to the /usr/adm/debug file.

# Sample syslog.conf 
*.=debug 		/usr/adm/debug

The ! is used to exclude logging of the specified priorities. This affects all (!) possibilities of specifying priorities.

For example, the following lines would log all messages of the facility mail except those with the priority info to the /usr/adm/mail file. And all messages from news.info (including) to news.crit (excluding) would be logged to the /usr/adm/news file.

# Sample syslog.conf 
mail.*;mail.!=info 	/usr/adm/mail 
news.info;news.!crit 	/usr/adm/news

You may use it intuitively as an exception specifier. The above mentioned interpretation is inverted. Doing that you may use

mail.none

or

mail.!*

or

mail.!debug

to skip every message that comes with a mail facility.

The "-" may only be used to prefix a file name if you want to omit sync'ing the file after every write to it.

查看英文版

查看中文版

远程日志记录支持

若要启用远程日志记录,请在命令行上指定-r选项。默认行为是syslogd不会侦听网络。

策略是让syslogd 侦听本地生成的日志消息的unix 域套接字。此行为将允许syslogd与标准 C 库中的系统日志进行互操作。同时,syslogd在标准系统日志端口上侦听来自其他主机的消息。要正确处理此工作,services文件(通常在/etc中找到)必须具有以下条目:

syslog 514/udp

如果缺少此条目 syslogd既不能接收远程消息,也不能发送它们,因为无法打开 UDP 端口。相反,syslogd将立即死亡,并打印一条错误消息。

若要使消息转发到另一个主机,请将syslog.conf文件中的正常文件行替换为要向其发送消息的主机的名称,该主机将预发消息以@开头 。

例如,要将所有消息转发到远程主机,请使用以下syslog.conf条目:

# Sample syslogd configuration file to 
# messages to a remote host forward all. 
*.* 		@hostname

要将所有内核消息转发到远程主机,配置文件将如下所示:

# Sample configuration file to forward all kernel 
# messages to a remote host. 
kern.* 		@hostname

如果在启动时无法解析远程主机名,因为名称服务器可能无法访问(可能在syslogd之后启动),syslogd将重试解析名称十次,然后进行投诉。避免这种情况的另一个可能性是将主机名放在/etc/hosts

为了避免这种情况,不再将从远程主机接收的消息发送到另一个(或相同的)远程主机。如果您遇到需要此行为的设置,请使用-h 命令行开关。但是,需要谨慎处理此选项,因为syslogd循环可以相当快地填满硬盘。

如果远程主机与主机位于同一域中,则 syslogd正在运行,则将只记录简单的主机名,而不是整个 fqdn。

在本地网络中,您可以提供一个中央日志服务器,以便将所有重要信息保存在一台计算机上。如果网络由不同的域组成,您不必抱怨记录完全限定的名称,而不是简单的主机名。您可能需要使用此服务器的带域功能 -s。您可以告诉syslogd删除服务器位于的域以外的多个域,并且只记录简单的主机名。

使用-l选项还可以将单个主机定义为本地计算机。这还会导致只记录其简单的主机名,而不是 fqdns。

用于将消息转发到远程主机或接收来自远程主机的消息的 UDP 套接字仅在需要时打开。在 1.3-23 之前的版本中,它每次都被打开,但未分别打开以进行读取或转发。

To enable remote logging, specify the -r option on the command line. The default behavior is that syslogd won't listen to the network.

The strategy is to have syslogd listen on a unix domain socket for locally generated log messages. This behavior will allow syslogd to interoperate with the syslog found in the standard C library. At the same time syslogd listens on the standard syslog port for messages forwarded from other hosts. To have this work correctly the services files (typically found in /etc) must have the following entry:

syslog 514/udp

If this entry is missing syslogd neither can receive remote messages nor send them, because the UDP port can't be opened. Instead syslogd will die immediately, and print an error message.

To cause messages to be forwarded to another host replace the normal file line in the syslog.conf file with the name of the host to which the messages is to be sent prepended with an @.

For example, to forward ALL messages to a remote host use the following syslog.conf entry:

# Sample syslogd configuration file to 
# messages to a remote host forward all. 
*.* 		@hostname

To forward all kernel messages to a remote host the configuration file would be as follows:

# Sample configuration file to forward all kernel 
# messages to a remote host. 
kern.* 		@hostname

If the remote hostname cannot be resolved at startup, because the name server might not be accessible (it may be started after syslogdsyslogd will retry to resolve the name ten times and then complain. Another possibility to avoid this is to place the hostname in /etc/hosts.

To avoid this, no messages received from a remote host are sent out to another (or the same) remote host anymore. If you experience are setup in which you need this behavior, please use the -h command line switch. However, this option needs to be handled with caution since a syslog loop can fill up hard disks quite fast.

If the remote host is located in the same domain as the host, syslogd is running on, only the simple hostname will be logged instead of the whole fqdn.

In a local network you may provide a central log server to have all the important information kept on one machine. If the network consists of different domains you don't have to complain about logging fully qualified names instead of simple hostnames. You may want to use the strip-domain feature -s of this server. You can tell the syslogd to strip off several domains other than the one the server is located in and only log simple hostnames.

Using the -l option there's also a possibility to define single hosts as local machines. This, too, results in logging only their simple hostnames and not the fqdns.

The UDP socket used to forward messages to remote hosts or to receive messages from them is only opened when it is needed. In releases prior to 1.3-23 it was opened every time but not opened for reading or forwarding respectively.

查看英文版

查看中文版

调试

当使用-d选项打开调试时,syslogd将非常详细,因为它将编写它所做大部分操作。每当重新读取和重新分析配置文件时,您都会看到一个与内部数据结构对应的表格。此表格由四个字段组成:

number 此字段包含以零开始的序列号。此数字表示内部数据结构(数组)中的位置。如果一个数字被抛出,则/etc/syslog.conf 中的相应行中可能有错误。
pattern 此字段正好表示内部结构。每个列代表一个syslog设施。如您所见,仍然有一些设施可供先前使用,仅剩下最左边的设施被使用。 列中的每个字段代表优先级。
action 此字段描述每当收到与模式匹配的消息时发生的特定操作。
arguments 此字段显示最后一个字段中操作的其他参数。对于文件日志记录,这是日志文件的文件名;对于文件日志记录,这是日志文件的文件名。对于用户日志记录,这是用户列表;对于远程日志记录,这是要记录到的计算机的主机名;对于控制台日志,这是用过的控制台;对于 tty - logging, 这是指定的 tty 。

When debugging is turned on using -d option, syslogd will be very verbose by writing much of what it does to stdout. Whenever the configuration file is reread and re-parsed you'll see a tabular, corresponding to the internal data structure. This tabular consists of four fields:

number This field contains a serial number starting by zero. This number represents the position in the internal data structure (the array). If one number is left out then there might be an error in the corresponding line in /etc/syslog.conf.
pattern This field is represents the internal structure exactly. Every column stands for a syslog facility. As you can see, there are still some facilities left free for former use, only the left most are used. Every field in a column represents the priorities.
action This field describes the particular action that takes place whenever a message is received that matches the pattern.
arguments This field shows additional arguments to the actions in the last field. For file-logging this is the file name for the logfile; for user-logging this is a list of users; for remote logging this is the hostname of the machine to log to; for console-logging this is the used console; for tty-logging this is the specified tty.

查看英文版

查看中文版

安全注意事项

syslogd守护程序有可能被用作拒绝服务攻击的管道。流氓程序(或程序员)很容易用syslog消息淹没syslogd守护程序,导致日志文件占用了文件系统上的所有剩余空间。当然,在 inet 域套接字上激活日志记录会使系统面临本地计算机上的程序或个人之外的风险。

保护机器的方法有很多:

  • 实施内核防火墙以限制哪些主机或网络有权访问 514/UDP 套接字。  
  • 日志记录可以定向到隔离或非根文件系统,如果填充,不会损害它们。、
  • ext2文件系统可用于仅按 root 配置以限制文件系统的一定百分比。请注意,这将要求syslogd作为非根进程运行,并防止使用远程日志记录,因为syslogd将无法绑定到 514/UDP 套接字。  
  • 禁用inet域套接字将把风险限制在本地计算机上。

Security Notes

There is the potential for the syslogd daemon to be used as a conduit for a denial of service attack. A rogue program (or programmer) could very easily flood the syslogd daemon with syslog messages resulting in the log files consuming all the remaining space on the filesystem. Activating logging over the inet domain sockets will of course expose a system to risks outside of programs or individuals on the local machine.

There are a number of methods of protecting a machine:

  • Implement kernel firewalling to limit which hosts or networks have access to the 514/UDP socket. 
  •  Logging can be directed to an isolated or non-root filesystem which, if filled, will not impair themachine. 
  •  The ext2 filesystem can be used which can be configured to limit a certain percentage of a filesystem to usage by root only. Note that this will require syslogd to be run as a non-root process, and prevent usage of remote logging since syslogd will be unable to bind to the 514/UDP socket. 
  •  Disabling inet domain sockets will limit risk to the local machine.

查看英文版

查看中文版