syslog 日志
syslog日志是系统日志的一种,可以存放在本地也可以发送到syslog日志服务器,
但是syslog日志由于的格式不统一,在日常工作中审计syslog日志是一种很麻烦的
事情。不过在2001出现了一份关于syslog标准的协议(建议)。
生成发送日志的叫做:Device
转发的叫做:Relay(可以作为Device或Coolector)
接收的叫做:Collector
传输标准使用UDP,消息大小小于1024个字节,端口使用514
PS:只是建议。
syslog日志可以分为三部分:
4.1 syslog Message Parts The full format of a syslog message seen on the wire has three discernable parts. The first part is called the PRI, the second part is the HEADER, and the third part is the MSG. The total length of the packet MUST be 1024 bytes or less. There is no minimum length of the syslog message although sending a syslog packet with no contents is worthless and SHOULD NOT be transmitted.
标准格式:<23>Oct 9 23:33:20 192.168.0.1 ssh[1787]: Accepted publickey for root from.
PRF部分
Numerical Facility Code 0 kernel messages 内核信息; 1 user-level messages 用户进程信息; 2 mail system 电子邮件相关信息; 3 system daemons 后台进程相关信息; 4 security/authorization messages (note 1)
5 messages generated internally by syslogd 系统日志信息
6 line printer subsystem 打印服务相关信息。
7 network news subsystem 新闻组服务器信息
8 UUCP subsystemuucp 生成的信息
9 clock daemon (note 2) 时钟守护进程
10 security/authorization messages (note 1) 安全授权信息
11 FTP daemon
12 NTP subsystem 子进程
13 log audit (note 1) 日志审核
14 log alert (note 1)日志警报
15 clock daemon (note 2)
16 local use 0 (local0)本地用户信息
17 local use 1 (local1)本地用户信息
18 local use 2 (local2)本地用户信息
19 local use 3 (local3)本地用户信息
20 local use 4 (local4)本地用户信息
21 local use 5 (local5)本地用户信息
22 local use 6 (local6)本地用户信息
23 local use 7 (local7)本地用户信息
Table 1. syslog Message Facilities Note 1 - Various operating systems have been found to utilize Facilities 4, 10, 13 and 14 for security/authorization, audit, and alert messages which seem to be similar. Note 2 - Various operating systems have been found to utilize both Facilities 9 and 15 for clock (cron/at) messages. Each message Priority also has a decimal Severity level indicator. These are described in the following table along with their numerical values. Numerical Severity Code 0 Emergency: system is unusable 紧急状态:系统无法使用 1 Alert: action must be taken immediately 警报:必须立即采取行动 2 Critical: critical conditions 临界:临界条件 3 Error: error conditions 错误:错误条件 4 Warning: warning conditions 警告:警告条件 5 Notice: normal but significant condition 通知:正常但重要的条件 6 Informational: informational messages 信息:信息消息 7 Debug: debug-level messages 调试:调试级别消息
Table 2. syslog Message Severities
HEADER部分(可选)
包括时间和HOST(主机或IP)
时间
格式为:MM dd hh:mm:ss
用数字表示
其中月MM为英文缩写:Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec
有些长期日志可能会增加年字段。
HOST
主机或IP,无域名。
MSG部分
包括TAG:Content
TAG(可选):表示进程名及其进程号;格式:p[343]或p-343
Content:表示应用程序的自定义信息。
这是对syslog日志格式的简单了解,为以后的日志审计提供基础