Syslog is a protocol used for logging. It usually uses UDP 514, but it can also be configured to use TCP. Choose the logging severity deliberately: if you set the severity to "Debug", your host will send every message at severity levels 0 through 7.
If you have a large number of machines all sending data at once, it can create an unnecessary bottleneck on the syslog server. It is best to fine-tune this upstream, at the device itself.
Cisco
logging host IPAddress
To exclude annoying Cisco messages from being sent to your server:
logging discriminator NAME mnemonics drops SYSLOGMSG
logging host IPAddress discriminator NAME
To test your syslog configuration from a Linux host with logger(1) (the first form goes through the local syslog daemon, the second sends directly to the remote server):
logger -p authpriv.notice test
logger -n IPAddress hello
A facility code is used to specify the type of program that is logging the message. Messages with different facilities may be handled differently. The mapping between facility code and keyword is not uniform in different operating systems and syslog implementations.
Which are the most critical Linux logs to monitor?
• /var/log/syslog or /var/log/messages—stores all activity data across the Linux system.
• /var/log/auth.log or /var/log/secure—stores authentication logs
• /var/log/boot.log—messages logged during startup
• /var/log/maillog or /var/log/mail.log—events related to email servers
• /var/log/kern—Kernel logs
• /var/log/dmesg—device driver logs
• /var/log/faillog—failed login attempts
• /var/log/cron—events related to cron jobs or the cron daemon
• /var/log/yum.log—events related to installation of yum packages
• /var/log/httpd/—HTTP errors and access logs containing all HTTP requests
• /var/log/mysqld.log or /var/log/mysql.log—MySQL log files
Examples
authpriv.* @IPAddr:514
*.crit @IPAddr:514
authpriv.*;*.crit @IPAddr:514
Note
- *.crit @IPAddr:514 matches severity crit and the more severe levels (alert, emerg) as well, not just crit
- authpriv produces a lot of messages; it can be filtered by an upstream syslog server and then forwarded to the main syslog server or SIEM
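To see what the selectors in the Examples and Note above actually forward, here is an added example (not code from these notes) that models facility.severity selectors and the <PRI> value the packet carries; the rule strings, facility table and "IPAddr" placeholder are assumptions, and the semantics follow sysklogd/rsyslog legacy rules.

```python
# Added example, not from the notes above: a model of the facility.severity
# selectors in syslog.conf / rsyslog legacy rules. Numbering follows RFC 5424;
# semantics follow sysklogd/rsyslog: a severity keyword matches that level and
# every MORE severe one (numerically lower), selectors in a rule are unioned,
# "none" drops a facility named earlier, "=sev" is exactly one level ("!" is not modelled).

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {name: code for code, name in enumerate(
    ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
     "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "cron2"]
    + ["local%d" % i for i in range(8)])}

def pri(facility, severity):
    """<PRI> value in the packet header: facility * 8 + severity (authpriv.notice -> 85)."""
    return FACILITIES[facility] * 8 + SEVERITIES.index(severity)

def parse_rule(rule):
    """Split 'authpriv.*;*.crit @IPAddr:514' into [(facilities, severity)] and the action."""
    selector_text, action = rule.split(None, 1)
    selectors = []
    for sel in selector_text.split(";"):
        facs, sev = sel.rsplit(".", 1)
        selectors.append((facs.split(","), sev))
    return selectors, action

def matches(rule, facility, severity):
    """True if a message with this facility/severity reaches the rule's action."""
    level = SEVERITIES.index(severity)
    selected = False
    for facs, sev in parse_rule(rule)[0]:
        if "*" not in facs and facility not in facs:
            continue                      # selector does not name this facility
        if sev == "none":
            selected = False              # exclusion resets what earlier selectors added
        elif sev == "*":
            selected = True
        elif sev.startswith("="):
            selected = selected or level == SEVERITIES.index(sev[1:])
        else:                             # keyword: this level and everything more severe
            selected = selected or level <= SEVERITIES.index(sev)
    return selected

def forwarded_levels(rule, facility):
    """Severity keywords the rule forwards for one facility ("*.crit" -> emerg, alert, crit)."""
    return [s for s in SEVERITIES if matches(rule, facility, s)]
```

Running forwarded_levels("*.debug @IPAddr:514", "kern") returns all eight levels, which is the "0 through 7" behaviour described at the top of these notes.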