relationship between the changes that you have made and any messages that start or stop appearing in the log as a result.

By default, logger uses the facility user and the priority notice. You can override these with the -p option, and you can replace the username that is normally inserted as the message tag by supplying an alternate tag with the -t option:

$ logger -p local1.crit -t cooling Stopped water pump

This results in the following message being logged:

Jun 1 09:54:49 darkday cooling: Stopped water pump

An alias can be used to simplify logging from the command line:

$ alias note='logger -p local4.notice '
$ note Ran yum update

If the message contains shell metacharacters, surround it with quotation marks.

By adding a custom rule to /etc/syslog.conf, the messages sent to the local1 facility can be placed in their own file (in addition to being logged in /var/log/messages):

local1.* /var/log/cooling

The SELinux security context of any new logfile must be set to the same context as /var/log/messages, or syslogd will not be permitted to write to it:

# touch /var/log/cooling
# ls -Z /var/log/messages /var/log/cooling
-rw-r--r-- root root user_u:object_r:var_log_t /var/log/cooling
-rw------- root root system_u:object_r:var_log_t /var/log/messages
# chcon system_u:object_r:var_log_t /var/log/cooling
# chmod 0600 /var/log/cooling # Optional!
# ls -Z /var/log/messages /var/log/cooling
-rw------- root root system_u:object_r:var_log_t /var/log/cooling
-rw------- root root system_u:object_r:var_log_t /var/log/messages

8.7.1.3. Keeping an eye on logs

The -f option to tail provides a convenient way to watch lines as they are appended to a file, which makes it ideal for logfiles:

# tail -f /var/log/messages
Jun 1 08:47:14 darkday kernel: hub 1-0:1.0: over-current change on port 1
Jun 1 08:47:14 darkday kernel: hub 1-0:1.0: port 2 disabled by hub (EMI?), re-enabling...
Jun 1 08:47:14 darkday kernel: hub 1-0:1.0: over-current change on port 2
Jun 1 08:47:14 darkday kernel: usb 1-2: USB disconnect, address 4
Jun 1 08:47:14 darkday kernel: usb 1-2: new low speed USB device using uhci_hcd and address 5
Jun 1 08:47:14 darkday kernel: usb 1-2: configuration #1 chosen from 1 choice
Jun 1 08:47:14 darkday kernel: input: Logitech USB-PS/2 Optical Mouse as /class/input/input4
Jun 1 08:47:14 darkday kernel: input: USB HID v1.10 Mouse [Logitech USB-PS/2 Optical Mouse] on usb-0000:00:1f.2-2
Jun 1 09:54:49 darkday cooling: Water temperature exceeds 70C
Jun 1 09:54:49 darkday cooling: Water temperature exceeds 85C
...(Additional lines are displayed as they are added to the logfile)...

/var/log/messages is normally readable only by root. Although making it readable by other users may reveal a small amount of information about your system (reducing security), it can also reduce the amount of time spent in superuser mode (which, in turn, increases security). To make the messages file accessible to everyone:

# chmod a+r /var/log/messages

This tail command displays the last 10 lines of the file and then shows each additional line within a second of its being appended to the file. It can be left running in a terminal window in the corner of the screen while you perform system administration tasks.

8.7.1.4. Configuring remote logging

The syslog service was designed to facilitate remote logging. This is very useful in two circumstances:

• In the event of a successful system intrusion, an attacker will often edit or delete logfiles to erase any record of his presence. If messages are also logged to a remote server, it becomes much more difficult to erase the trail, because the attacker must then successfully compromise the machine recording the log in addition to the system originally compromised.

• In a network, it is convenient to gather logs in one place for centralized analysis. This lets you stay on top of the state of many systems from one location.

To configure a syslog network server, edit that host's /etc/sysconfig/syslog file, which initially looks like this:

# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS='-m 0'

# Options to klogd
# -2 prints all kernel oops messages twice: once for klogd to decode, and
# once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
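The following Python example is added here and is not part of the book; it shows what a selector such as the earlier `logger -p local1.crit -t cooling` turns into on the wire when syslogd forwards messages to a remote server started with -r, and how a collector parses such a datagram back into facility, priority, host, tag and message. The facility and severity tables are the standard syslog codes; the hostname and timestamps used in the tests are constructed.

```python
import re
import socket

# Facility and severity codes behind logger's FACILITY.PRIORITY selectors
# (the standard syslog values from RFC 3164 and <syslog.h>).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}

def encode_pri(selector="user.notice"):
    """PRI number for a 'facility.priority' selector: facility * 8 + severity."""
    facility, severity = selector.split(".")
    return FACILITIES[facility] * 8 + SEVERITIES[severity]

def decode_pri(pri):
    """Inverse of encode_pri: the selector a syslog.conf rule would match."""
    facility = {v: k for k, v in FACILITIES.items()}[pri // 8]
    severity = {v: k for k, v in SEVERITIES.items()}[pri % 8]
    return f"{facility}.{severity}"

def format_packet(selector, tag, message, timestamp, hostname):
    """RFC 3164 datagram as forwarded for 'logger -p SELECTOR -t TAG MESSAGE'."""
    return f"<{encode_pri(selector)}>{timestamp} {hostname} {tag}: {message}"

# One RFC 3164 line: <PRI>TIMESTAMP HOST TAG[PID]: MSG (the PID part is optional).
PACKET_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

def parse_packet(packet):
    """Split a received datagram into the fields a collector files it by."""
    m = PACKET_RE.match(packet)
    if not m:
        raise ValueError(f"not an RFC 3164 message: {packet!r}")
    fields = m.groupdict()
    fields["selector"] = decode_pri(int(fields.pop("pri")))
    return fields

def send_packet(packet, server, port=514):
    """Send one datagram to a syslogd started with -r (it listens on UDP 514)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(packet.encode(), (server, port))
```

Note that the message travels as plain UDP with no authentication, which is why the receiving host should accept port 514 only from the machines it expects to log.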
