brencronin

The Log and Pony Show - Linux Logging and Instrumentation

Updated: Jul 29, 2023

The default logging mechanism on Linux systems is syslog. Syslog was developed in the 1980s by Eric Allman, who also developed sendmail; he wrote syslog as a mechanism to log issues related to sendmail operations. By default syslog stores log messages in plain log files. Common Linux log file locations are:

  • /var/log/messages

  • /var/log/auth.log

  • /var/log/secure

  • /var/log/<XYZ Application log>


A form of syslog called rsyslog (r for remote) allows syslog messages to be forwarded to an external logging system.


Syslog Fields


The standard syslog message has five key fields.


<34>1 2019-06-05T22:14:15.003Z server1 sshd - - pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2

  • PRI

  • Time/Date

  • Source Host

  • Source Process

  • Message

To determine the syslog PRI, syslog combines two values, the "facility" and the "severity", in a simple formula: PRI = Facility × 8 + Severity. Facility is a number 0-23, and Severity is a number 0-7 (0=Emergency, 1=Alert, 2=Critical, 3=Error, 4=Warning, 5=Notice, 6=Informational, 7=Debug). The two values are recovered from a PRI by reversing the formula:

Facility = PRI / 8 rounded down to a whole number

Severity = PRI mod 8 (the remainder)

In the sample message above, PRI 34 gives facility 4 (auth) and severity 2 (Critical).
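As an added example (not code from the original post), the following Python parses an RFC 5424 message into the five fields listed above and decodes the PRI with the formula just given. The facility names are taken from RFC 5424; the second sample line in the usage section is constructed here to show a message that carries structured data, which the post's sample does not.

```python
import re

# Severity codes 0-7, as listed in the post.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

# Facility codes 0-23; names follow RFC 5424 section 6.2.1 (assumption: the
# short names used here are the conventional ones, not quoted from the post).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID,
# then structured data ("-" when absent) and the free-text message.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+)(?: (?P<rest>.*))?$"
)
# Structured data is either "-" or one or more "[...]" elements.
SD_RE = re.compile(r"^(?:-|(?:\[[^\]]*\])+)(?: |$)")


def encode_pri(facility, severity):
    """PRI = Facility * 8 + Severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def decode_pri(pri):
    """Reverse encode_pri: facility = PRI // 8 (rounded down), severity = PRI % 8."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return {"pri": pri,
            "facility": facility, "facility_name": FACILITIES[facility],
            "severity": severity, "severity_name": SEVERITIES[severity]}


def parse_syslog(line):
    """Split one RFC 5424 line into PRI, time/date, source host, source process and message."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 5424 message: {line!r}")
    rest = m.group("rest") or ""
    sd = SD_RE.match(rest)
    if sd:
        structured = sd.group(0).rstrip()
        message = rest[sd.end():]
    else:
        # Tolerate messages (like the post's sample) that omit the "-" for
        # absent structured data and go straight to the message text.
        structured = None
        message = rest
    fields = decode_pri(int(m.group("pri")))
    fields.update({
        "timestamp": m.group("timestamp"),
        "host": m.group("hostname"),
        "process": m.group("appname"),
        "procid": m.group("procid"),
        "msgid": m.group("msgid"),
        "structured_data": structured,
        "message": message,
    })
    return fields


if __name__ == "__main__":
    # The post's sample, followed by a constructed line with structured data.
    samples = [
        '<34>1 2019-06-05T22:14:15.003Z server1 sshd - - pam_unix(sshd:auth): '
        'authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2',
        '<165>1 2023-07-29T10:00:00Z host2 myapp 4711 ID47 [origin ip="10.0.0.5"] service started',
    ]
    for s in samples:
        f = parse_syslog(s)
        print(f"{f['facility_name']}.{f['severity_name'].lower()} "
              f"host={f['host']} proc={f['process']} msg={f['message']!r}")
```

Running the block prints the facility.severity pair for each sample, which is exactly the selector form (for example auth.critical) that the rsyslog.conf lines below filter on.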


rsyslog.conf

Each line is a selector (facility.severity) followed by an action. The first line below writes every auth and authpriv message to the local file; the second forwards only authpriv messages at exactly warning severity (the = modifier) to a remote syslog server. A single @ forwards over UDP, which is unreliable and unauthenticated; @@ forwards over TCP.

auth,authpriv.* /var/log/auth.log

authpriv.=warning @<syslog server IP address>



Message field issues: the message data is free text, not structured in XML or JSON format, and there is no unique log ID per event type.


ref diagram


auditd


Items auditd can log:

  • File Access

  • System calls

  • Program execution

  • File changes

  • Security events

  • Network access

audit.rules file


MITRE ATT&CK audit.rules file


Log only what you intend to look at.



Command line argument logging
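As an added example (not code from the original post), the following Python reconstructs the command line from auditd EXECVE records, which is how command line arguments reach the audit log once an execve rule is in place. The audit records are constructed samples, not real system output; they assume the standard auditd behaviour of hex-encoding arguments that contain spaces or special characters and of splitting long arguments into aN[0], aN[1] chunks.

```python
import re
from collections import defaultdict

# Constructed sample (not real system output): one SYSCALL/EXECVE pair per
# audit event serial, as produced by an execve rule such as
#   -a always,exit -F arch=b64 -S execve -k exec
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1690000000.123:456): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="exec"
type=EXECVE msg=audit(1690000000.123:456): argc=3 a0="cat" a1="-n" a2=2F746D702F6D792066696C65
type=SYSCALL msg=audit(1690000000.500:457): arch=c000003e syscall=59 success=yes exit=0 ppid=1234 pid=1300 auid=1000 uid=0 gid=0 euid=0 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1690000000.500:457): argc=3 a0="bash" a1="-c" a2_len=20 a2[0]="echo hello wor" a2[1]="ld; id"
"""

HEADER_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): ?(?P<body>.*)$')
# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'([\w\[\]]+)=("(?:[^"\\]|\\.)*"|\S*)')
# Argument keys: a0, a1, ... or chunked a2[0], a2[1], ...
ARG_RE = re.compile(r'^a(\d+)(?:\[(\d+)\])?$')


def unquote(raw):
    return raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw


def decode_arg(raw):
    """auditd quotes plain arguments and hex-encodes ones with spaces or specials."""
    if raw.startswith('"'):
        return unquote(raw)
    if raw and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_record(line):
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    return {"type": m.group("type"), "time": float(m.group("ts")),
            "serial": int(m.group("serial")),
            "fields": dict(FIELD_RE.findall(m.group("body")))}


def reconstruct_argv(fields):
    """Rebuild argv from an EXECVE record, joining chunked arguments in order."""
    argc = int(fields["argc"])
    chunks = defaultdict(dict)
    for key, raw in fields.items():
        m = ARG_RE.match(key)
        if not m:
            continue
        idx, part = int(m.group(1)), m.group(2)
        chunks[idx][int(part) if part is not None else 0] = decode_arg(raw)
    argv = []
    for i in range(argc):
        if i not in chunks:
            raise ValueError(f"argument a{i} missing from EXECVE record")
        argv.append("".join(chunks[i][p] for p in sorted(chunks[i])))
    return argv


def events_from_log(text):
    """Group records by serial and join each EXECVE with its SYSCALL context."""
    by_serial = defaultdict(dict)
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            by_serial[rec["serial"]][rec["type"]] = rec
    events = []
    for serial, recs in sorted(by_serial.items()):
        if "EXECVE" not in recs:
            continue
        sysf = recs.get("SYSCALL", {}).get("fields", {})
        events.append({"serial": serial,
                       "argv": reconstruct_argv(recs["EXECVE"]["fields"]),
                       "auid": sysf.get("auid"), "euid": sysf.get("euid"),
                       "exe": unquote(sysf.get("exe", "")),
                       "key": unquote(sysf.get("key", ""))})
    return events


def ran_as_root_by_user(event):
    """True when a logged-in user (auid set) ended up executing with euid 0."""
    return event["euid"] == "0" and event["auid"] not in (None, "0", "4294967295")


if __name__ == "__main__":
    for ev in events_from_log(SAMPLE_LOG):
        flag = " [root via user session]" if ran_as_root_by_user(ev) else ""
        print(f"{ev['serial']} auid={ev['auid']} euid={ev['euid']} {ev['argv']}{flag}")
```

The auid (audit UID, the original login identity) survives su and sudo, which is why it is paired with euid here: it answers the question of which human ran the command, not just which account it ran under.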









