
syslog

syslogd -n -O -

# -s 同时 log 到 stderr
# -t TAG 默认为用户名
# -p PRIO 数字或 FACILITY.LEVEL
logger Log Works

sudo killall -HUP syslogd

conf

  • /etc/syslog.conf
  • selector
    • facility.level
    • 数字
    • err/warn 任意一个
    • * 任意
    • = 精确匹配该级别
    • ! 排除
    • none 不存储
  • action
    • 常规文件 - /var/log/xxx.log
    • 管道文件 - |filename
    • 远程转发 - @hostname（传统 syslogd 经 UDP 明文发送，无认证与加密）
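
| facility     | code  | n  | for         |
| ------------ | ----- | -- | ----------- |
| kern         | 0<<3  | 0  |             |
| user         | 1<<3  | 1  |             |
| mail         | 2<<3  | 2  |             |
| daemon       | 3<<3  | 3  |             |
| auth         | 4<<3  | 4  |             |
| syslog       | 5<<3  | 5  |             |
| lpr          | 6<<3  | 6  |             |
| news         | 7<<3  | 7  |             |
| uucp         | 8<<3  | 8  |             |
| cron         | 9<<3  | 9  |             |
| authpriv     | 10<<3 | 10 |             |
| ftp          | 11<<3 | 11 |             |
| ntp          | 12<<3 | 12 |             |
| security     | 13<<3 | 13 | audit, auth |
| console      | 14<<3 | 14 | alert       |
| solaris-cron | 15<<3 | 15 | scheduling  |
| local0       | 16<<3 |    |             |
| local1       | 17<<3 |    |             |
| local2       | 18<<3 |    |             |
| local3       | 19<<3 |    |             |
| local4       | 20<<3 |    |             |
| local5       | 21<<3 |    |             |
| local6       | 22<<3 |    |             |
| local7       | 23<<3 |    |             |

| level   | n | note  |
| ------- | - | ----- |
| emerg   | 0 | panic |
| alert   | 1 |       |
| crit    | 2 |       |
| err     | 3 | error |
| warning | 4 | warn  |
| notice  | 5 |       |
| info    | 6 |       |
| debug   | 7 |       |
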
# selector                                  action
local2.* /var/log/haproxy.log

kern,user.* /var/log/messages
kern.!err /var/log/critical
*.*;auth,authpriv.none /var/log/noauth
kern,user.*;kern.!=notice;*.err;syslog.none /var/log/OMG
*.* /dev/null
  • API
    • openlog
    • syslog
    • setlogmask
    • closelog

klogd

  • kernel log -> syslog
service klogd start
kern.*  /var/log/kern.log
*.* /var/log/messages

FAQ

sshd[27530]: Connection closed by authenticating user root 1.1.1.1 port 39256 [preauth]
sshd[19855]: Connection closed by invalid user ubuntu 1.1.1.1 port 48706 [preauth]
sshd[19855]: Invalid user ubuntu from 1.1.1.1 port 48706
crond[23340]: USER root pid 17499 cmd run-parts /etc/periodic/15min

authpriv.notice

sudo: admin : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/bash

auth.info

sshd[35516]: Accepted publickey for admin from 10.37.0.19 port 1563 ssh2: RSA SHA256:XXX
sshd[65609]: banner exchange: Connection from 10.37.0.15 port 42808: invalid format

auth.err

sshd[12372]: error: kex_exchange_identification: banner line contains invalid characters