
The Log and Pony Show - Linux Logging and Instrumentation

  • brencronin
  • Apr 14, 2023
  • 1 min read

Updated: Jul 29, 2023

The default logging mechanism on Linux systems is syslog. Syslog was developed in the 1980s by Eric Allman, who also wrote sendmail; he created syslog as a mechanism to log issues related to sendmail operations. By default syslog stores log messages in plain-text log files. Common Linux log file locations are:

  • /var/log/messages
  • /var/log/auth.log
  • /var/log/secure
  • /var/log/<XYZ Application log>

An extended implementation of syslog called rsyslog (r for remote) allows syslog messages to be forwarded to an external logging system.


Syslog Fields


The standard syslog message has five key fields.


<34>1 2019-06-05T22:14:15.003Z server1 sshd - - pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2

  • PRI
  • Time/Date
  • Source Host
  • Source Process
  • Message

To determine the syslog PRI, syslog combines two concepts, "facility" and "severity", in a simple formula. Facility is a number 0-23, and Severity is a number 0-7 (0=Emergency, 1=Alert, 2=Critical, 3=Error, 4=Warning, 5=Notice, 6=Informational, 7=Debug).

PRI = Facility * 8 + Severity

Facility = PRI / 8 rounded down to a whole number

Severity = PRI mod 8 (the remainder of that division)

In the example above, <34> gives Facility 4 (auth/security) and Severity 2 (Critical).


rsyslog.conf

# Write every message from the auth and authpriv facilities, at any severity, to the local file.
auth,authpriv.*      /var/log/auth.log

# Forward only authpriv messages at exactly warning severity to a remote collector (@ = UDP).
authpriv.=warning    @<syslog server IP address>
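As an added example (not code from the original post), the following Python applies the PRI formula above to split a line like the sample into facility, severity and the five listed fields, and then evaluates the two rsyslog.conf selectors against it; the facility and severity keyword tables and the relaxed handling of the RFC 5424 structured-data element are my assumptions.

```python
import re

# Severity names as the post lists them; facility codes per RFC 3164/5424 (4 = auth, 10 = authpriv).
SEVERITY = ["Emergency", "Alert", "Critical", "Error",
            "Warning", "Notice", "Informational", "Debug"]
SEV_KEYWORD = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]  # rsyslog selector names
FACILITY = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
            6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
            12: "ntp", 13: "audit", 14: "alert", 15: "clock",
            **{16 + i: f"local{i}" for i in range(8)}}

def split_pri(pri):
    """PRI = Facility * 8 + Severity, so Facility = PRI // 8 and Severity = PRI % 8."""
    if not 0 <= pri <= 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8

HEADER = re.compile(r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) "
                    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$")

def parse_syslog(line):
    """Split an RFC 5424-style line into the five fields the post lists."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 header")
    facility, severity = split_pri(int(m["pri"]))
    rest = m["rest"]
    # Strict RFC 5424 carries a STRUCTURED-DATA element ("-" when empty) before the
    # free-text message; the post's sample omits it, so accept both shapes (assumption).
    msg = rest[2:] if rest.startswith("- ") else rest
    return {"pri": int(m["pri"]), "facility": FACILITY[facility],
            "severity": SEVERITY[severity], "timestamp": m["ts"],
            "host": m["host"], "process": m["proc"], "message": msg}

def selector_matches(selector, facility, severity):
    """Evaluate a classic rsyslog selector such as "auth,authpriv.*" or "authpriv.=warning"."""
    facs, _, sev = selector.rpartition(".")
    names = [f.strip() for f in facs.split(",")]
    if "*" not in names and FACILITY.get(facility) not in names:
        return False
    if sev == "*":
        return True
    if sev.startswith("="):  # "=warning": exactly this severity
        return SEV_KEYWORD.index(sev[1:]) == severity
    return severity <= SEV_KEYWORD.index(sev)  # "err": this severity or more urgent

# Constructed sample: the post's example line. PRI 34 = facility 4 (auth) * 8 + severity 2.
SAMPLE = ("<34>1 2019-06-05T22:14:15.003Z server1 sshd - - pam_unix(sshd:auth): "
          "authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2")
```

Running parse_syslog(SAMPLE) yields facility auth and severity Critical, and selector_matches shows that the first rsyslog.conf selector accepts the sample while the second does not, because its facility is auth rather than authpriv.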



Message field issues: the message data is free text rather than structured XML or JSON, and there is no unique log ID per event type.


ref diagram


auditd


Items auditd can log:

  • File access
  • System calls
  • Program execution
  • File changes
  • Security events
  • Network access

audit.rules file


MITRE ATT&CK audit.rules file


Log only what you intend to look at.



Command line argument logging





