The /etc/syslog.conf file
The /etc/syslog.conf file configures the level of information that the storage system records. It specifies the subsystem from which the message originated, the severity of the message, and where the message is sent.
The /etc/syslog.conf file consists of lines with two tab-separated (not space-separated) fields of the following form: facility.level action
The facility parameter specifies the subsystem from which the message originated. The following table describes the facility parameter keywords.
| Keyword | Description |
|---|---|
| auth | Messages from the authentication system, such as login |
| cron | Messages from the internal cron facility |
| daemon | Messages from storage system daemons, such as rshd |
| kern | Messages from the storage system kernel |
| * | Messages from all facilities |
The level parameter describes the severity of the message. The following table describes the level parameter keywords arranged in order from most to least severe.
| Level | Description |
|---|---|
| emerg | Panic condition that causes a disruption of normal service |
| alert | Condition that you should correct immediately, such as a failed disk |
| crit | Critical conditions, such as disk errors |
| err | Errors, such as those caused by a bad configuration file |
| warning | Conditions that might become errors if not corrected |
| notice | Conditions that are not errors, but might require special handling |
| info | Information, such as the hourly uptime message |
| debug | Used for diagnostic purposes |
| * | All levels of errors |
The action parameter specifies where to send messages. Messages for the specified level or higher are sent to the message destination. The following table describes the possible actions and gives examples of each action.
| Action | Example |
|---|---|
| Send messages to a file specified by a path. | /etc/messages |
| Send messages to a host name preceded by an @ sign. | @adminhost |
| Send messages to the console. | /dev/console or * |
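As an added example (not code from this page or from the storage system's own software), the following Python parses rules in this format, rejects space-separated fields and unknown keywords, and resolves which actions a message of a given facility and level reaches. The keyword tables come from the page; the sample configuration is constructed, and treating lines that begin with # as comments is an assumption.

```python
# Added example (not from the page): parse syslog.conf rules of the form
# facility.level<TAB>action and decide where a message is routed. Keyword
# tables come from the page; the sample configuration is constructed.
FACILITIES = {"auth", "cron", "daemon", "kern", "*"}
# Severity keywords, most to least severe, as in the level table above.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_rule(line, lineno=0):
    """Return (facility, level, action), or None for a blank or '#' comment line.
    Raises ValueError for space-separated fields or unknown keywords."""
    line = line.rstrip("\n")
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    if "\t" not in line:
        raise ValueError(f"line {lineno}: fields must be tab-separated, not spaces")
    selector, action = line.split("\t", 1)
    facility, sep, level = selector.partition(".")
    if not sep or facility not in FACILITIES:
        raise ValueError(f"line {lineno}: bad selector {selector!r}")
    if level != "*" and level not in LEVELS:
        raise ValueError(f"line {lineno}: unknown level {level!r}")
    return facility, level, action.strip()

def load_conf(text):
    """Parse a whole file into a list of rules; errors name the offending line."""
    parsed = [parse_rule(text_line, n) for n, text_line in enumerate(text.splitlines(), 1)]
    return [rule for rule in parsed if rule is not None]

def conf_error(text):
    """Validation helper: the first error message, or None if the file parses."""
    try:
        load_conf(text)
    except ValueError as exc:
        return str(exc)
    return None

def destinations(rules, facility, level):
    """Actions that receive a message: the facility must match (or be '*') and
    the message must be at the rule's level or more severe ('*' = any level)."""
    return [action for rule_fac, rule_lvl, action in rules
            if rule_fac in ("*", facility)
            and (rule_lvl == "*" or LEVELS.index(level) <= LEVELS.index(rule_lvl))]

# Constructed sample configuration; the destinations are those from the action table.
SAMPLE_CONF = "\n".join([
    "# everything at info or more severe goes to the local log file",
    "*.info\t/etc/messages",
    "kern.crit\t@adminhost",
    "auth.err\t/dev/console",
])
```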
Syslog stands for System Logging Protocol and is a standard protocol used to send system log or event messages to a specific server, called a syslog server. It is primarily used to collect various device logs from several different machines in a central location for monitoring and review.
The protocol is enabled on most network equipment such as routers, switches, firewalls, and even some printers and scanners. In addition, syslog is available on Unix- and Linux-based systems and many web servers, including Apache. Syslog is not installed by default on Windows systems, which use their own Windows Event Log; those events can be forwarded over the syslog protocol using third-party utilities or other configurations.
Syslog is defined in RFC 5424, The Syslog Protocol, which obsoleted the previous RFC 3164.
Syslog components
On any given device, various events are generated by the system in response to changing conditions. These events are typically logged locally, where they can be reviewed and analyzed by an administrator. However, monitoring numerous logs across an equally large number of routers, switches, and systems would be time consuming and impractical. Syslog helps solve this problem by forwarding those events to a centralized server.
Syslog transmission
Traditionally, syslog uses UDP on port 514 but can be configured to use any port. In addition, some devices use TCP port 1468 to send syslog data in order to get confirmed message delivery.
Syslog packet transmission is asynchronous. What causes a syslog message to be generated is configured within the router, switch, or server itself. Unlike other monitoring protocols, such as SNMP, there is no mechanism to poll the syslog data. In some implementations, SNMP may be used to set or modify syslog parameters remotely.
Posted from: https://www.paessler.com/it-explained/syslog