syslog

From Wikipedia, the free encyclopedia
Jump to: navigation, search

Syslog is a standard for computer message logging. It permits separation of the software that generates messages from the system that stores them and the software that reports and analyzes them.

Syslog can be used for computer system management and security auditing as well as generalized informational, analysis, and debugging messages. It is supported by a wide variety of devices (like printers and routers) and receivers across multiple platforms. Because of this, syslog can be used to integrate log data from many different types of systems into a central repository.

Messages are labeled with a facility code (one of: auth, authpriv, daemon, cron, ftp, lpr, kern, mail, news, syslog, user, uucp, local0 ... local7) indicating the type of software that generated the messages, and are assigned a severity (one of: Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug).

Implementations are available for many operating systems. Specific configuration may permit directing messages to various devices (console), files (/var/log/) or remote syslog servers. Most implementations also provide a command line utility, often called logger, that can send messages to the syslog. Some implementations permit the filtering and display of syslog messages.

Syslog is now standardized by the IETF in RFC 5424.

History[edit]

Syslog was developed in the 1980s by Eric Allman as part of the Sendmail project, and was initially used solely for Sendmail. It proved so valuable that other applications began using it as well. Syslog has since become the standard logging solution on Unix and Unix-like systems; there have also been a variety of syslog implementations on other operating systems and is commonly found in network devices such as routers.

Syslog functioned as a de facto standard, without any authoritative published specification, and many implementations existed, some of which were incompatible. The Internet Engineering Task Force documented the status quo in RFC 3164. It was made obsolete by subsequent additions in RFC 5424.[1]

At different points in time, various companies have attempted patent claims on syslog.[2][3] This had little effect on the use and standardization of the protocol.

Outlook[edit]

Various groups are working on draft standards detailing the use of syslog for more than just network and security event logging, such as its proposed application within the health care environment.

Regulations, such as SOX, PCI DSS, HIPAA, and many others are requiring organizations to implement comprehensive security measures, which often include collecting and analyzing logs from many different sources. Syslog has proven to be an effective format to consolidate logs, as there are many open source and proprietary tools for reporting and analysis. Converters exist from Windows Event Log as well as other log formats to syslog.

An emerging area of managed security services is the collection and analysis of syslog records for organizations. Companies calling themselves Managed Security Service Providers attempt to apply analytics techniques (and sometimes artificial intelligence algorithms) to detect patterns and alert customers of problems.

Facility levels[edit]

A facility level is used to specify what type of program is logging the message. This lets the configuration file specify that messages from different facilities will be handled differently.[4] The list of facilities available:[5] (defined by RFC 3164)

Facility NumberKeywordFacility Description
0kernkernel messages
1useruser-level messages
2mailmail system
3daemonsystem daemons
4authsecurity/authorization messages
5syslogmessages generated internally by syslogd
6lprline printer subsystem
7newsnetwork news subsystem
8uucpUUCP subsystem
9clock daemon
10authprivsecurity/authorization messages
11ftpFTP daemon
12-NTP subsystem
13-log audit
14-log alert
15cronclock daemon
16local0local use 0 (local0)
17local1local use 1 (local1)
18local2local use 2 (local2)
19local3local use 3 (local3)
20local4local use 4 (local4)
21local5local use 5 (local5)
22local6local use 6 (local6)
23local7local use 7 (local7)

The mapping between Facility Number and Keyword is not uniform over different operating systems and different syslog implementations.[6]
For cron either 9 or 15 or both may be used.
The confusion is even greater regarding auth/authpriv. 4 and 10 are most common but 13 and 14 may also be used.

Severity levels[edit]

RFC 5424 defines eight severity levels:

CodeSeverityKeywordDescriptionGeneral Description
0Emergencyemerg (panic)System is unusable.A "panic" condition usually affecting multiple apps/servers/sites. At this level it would usually notify all tech staff on call.
1AlertalertAction must be taken immediately.Should be corrected immediately, therefore notify staff who can fix the problem. An example would be the loss of a primary ISP connection.
2CriticalcritCritical conditions.Should be corrected immediately, but indicates failure in a secondary system, an example is a loss of a backup ISP connection.
3Errorerr (error)Error conditions.Non-urgent failures, these should be relayed to developers or admins; each item must be resolved within a given time.
4Warningwarning (warn)Warning conditions.Warning messages, not an error, but indication that an error will occur if action is not taken, e.g. file system 85% full - each item must be resolved within a given time.
5NoticenoticeNormal but significant condition.Events that are unusual but not error conditions - might be summarized in an email to developers or admins to spot potential problems - no immediate action required.
6InformationalinfoInformational messages.Normal operational messages - may be harvested for reporting, measuring throughput, etc. - no action required.
7DebugdebugDebug-level messages.Info useful to developers for debugging the application, not useful during operations.

A common mnemonic used to remember the syslog levels from bottom to top is: "Do I Notice When Evenings Come Around Early".

Format of a Syslog packet[edit]

The full format of a Syslog message seen on the wire has three distinct parts:

<PRI> HEADER MSG

The total length of the packet cannot exceed 1,024 bytes, and there is no minimum length

Priority[edit]

The PRI part is a number that is enclosed in angle brackets. This represents both the Facility and Severity of the message. This number is an eight bit number. The first 3 least significant bits represent the Severity of the message (with 3 bits you can represent 8 different Severities) and the other 5 bits represent the Facility of the message. You can use the Facility and the Severity values to apply certain filters on the events in the Syslog Daemon. Note that Syslog Daemon cannot generate these Priority and Facility values. They are generated by the applications on which the event is generated. Following are the codes for Severity and Facility. Please note that the codes written below are the recommended codes that the applications should generate in the specified situations. You cannot, however, be 100 % sure if it really is the correct code sent by the application. For example: An application can generate a numerical code for severity as 0 (Emergency) when it should have generated 4 (Warning) instead. Syslog Daemon can not do anything about it!! It will simply receive the message as it is.

Calculating Priority Value[edit]

The Priority value is calculated by first multiplying the Facility number by 8 and then adding the numerical value of the Severity. For example, a kernel message (Facility=0) with a Severity of Emergency (Severity=0) would have a Priority value of 0. Also, a "local use 4" message (Facility=20) with a Severity of Notice (Severity=5) would have a Priority value of 165. In the PRI part of a Syslog message, these values would be placed between the angle brackets as <0> and <165> respectively.

Header[edit]

The HEADER part contains the following things:

  • Timestamp -- The Time stamp is the date and time at which the message was generated. Be warned, that this timestamp is picked up from the system time and if the system time is not correct, you might get a packet with totally incorrect time stamp
  • Hostname or IP address of the device.

Message[edit]

The MSG part will fill the remainder of the Syslog packet. This will usually contain some additional information of the process that generated the message, and then the text of the message. The MSG part has two fields:

  • TAG field
  • CONTENT field

The value in the TAG field will be the name of the program or process that generated the message. The CONTENT contains the details of the message.

Limitations[edit]

Since Syslog protocol is UDP based, it is unreliable. It does not guarantee you the delivery of the messages. They may either be dropped through network congestion, or they may be maliciously intercepted and discarded. The Syslog protocol does not ensure ordered delivery of packets.

Since each process, application and operating system was written independently, there is little uniformity to the content of syslog messages. For this reason, no assumption is made upon the formatting or contents of the messages. The protocol is simply designed to transport these messages.

The receiver of a Syslog packet may not be able to authenticate that the message was indeed sent from the reported sender. A misconfigured machine may send syslog messages to a Syslog daemon representing itself as another machine. The administrative staff may become confused because the status of the supposed sender of the messages may not be accurately reflected in the received messages. Another problem associated with authentication is that an attacker may start sending fake messages indicating a problem on some machine. This may get the attention of the system administrators who will spend their time investigating the alleged problem. During this time, the attacker may be able to compromise a different machine, or a different process on the same machine. An attacker may record a set of messages that indicate normal activity of a machine. At a later time, that attacker may remove that machine from the network and replay the syslog messages to the daemon.

Protocol[edit]

Syslog is a client/server protocol:[7] a logging application transmits a maximum 1024-byte text message to the syslog receiver. The receiver is commonly called syslogd, syslog daemon or syslog server. Syslog messages may be sent via the User Datagram Protocol (UDP) or the Transmission Control Protocol (TCP).[8] The data is sent in cleartext; although not part of the syslog protocol itself, an SSL wrapper may be used to provide for a layer of encryption through SSL/TLS. Syslog uses the port number 514.

Internet standards[edit]

The Syslog protocol is defined by Request for Comments (RFC) documents published by the Internet Engineering Task Force (Internet standards). The following is a list of RFCs that define the Syslog protocol:[9]

See also[edit]

References[edit]

External links[edit]


+ Recent posts