利用Linux syslog写日记
2012-10-10 17:49
281 查看
这两天,因为项目的需要研究了一把如何利用Linux syslog写日记,这里简单整理一下。本人使用的系统是RHEL 5.5。
System Logging
Linux日记系统由系统日志监控程序syslogd和内核日志监控程序klogd组成。从它们的命名可以看到,这两个监控程序都是守护程序(daemon),且都注册成了系统服务。换句话说,我们可以在目录/etc/init.d/下找到它们对应的执行程序,并通过service命令对它们进行启动,关闭,重启等操作。/etc/syslog.conf文件是Linux日记系统的配置文件。下面是本人/etc/syslog.conf文件内容:
[c-sharp]
view plaincopyprint?
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
其中openlog和closelog都是可选的。不过,通过调用openlog,我们可以指定ident参数。这样,ident将被加到每条日记记录中。ident一般设成程序的名字,如在下面例子中的"testsyslog":
[cpp:firstline[1]]
view plaincopyprint?
#include <syslog.h>
int main(int argc, char *argv[])
{
openlog("testsyslog", LOG_CONS | LOG_PID, 0);
syslog(LOG_USER | LOG_INFO, "syslog test message generated in program %s /n", argv[0]);
closelog();
return 0;
}
格式基本是:timestamp hostname ident[pid]:log message。其中ident就是我们调用openlog是指定的"testsyslog",而之所以会打印出[27214]是openlog的option参数中指定了LOG_PID。下面我们详细讨论openlog函数中的option,facility和syslog函数中的priority参数。
根据/usr/include/sys/syslog.h文件,我们可以看到syslog支持的option如下:
[c-sharp]
view plaincopyprint?
/*
* Option flags for openlog.
*
* LOG_ODELAY no longer does anything.
* LOG_NDELAY is the inverse of what it used to be.
*/
#define LOG_PID 0x01 /* log the pid with each message */
#define LOG_CONS 0x02 /* log on the console if errors in sending */
#define LOG_ODELAY 0x04 /* delay open until first syslog() (default) */
#define LOG_NDELAY 0x08 /* don't delay open */
#define LOG_NOWAIT 0x10 /* don't wait for console forks: DEPRECATED */
#define LOG_PERROR 0x20 /* log to stderr as well */
facility的ID(上面对应的数值)与名字的对应关系如下:
[c-sharp]
view plaincopyprint?
{ "auth", LOG_AUTH },
{ "authpriv", LOG_AUTHPRIV },
{ "cron", LOG_CRON },
{ "daemon", LOG_DAEMON },
{ "ftp", LOG_FTP },
{ "kern", LOG_KERN },
{ "lpr", LOG_LPR },
{ "mail", LOG_MAIL },
{ "mark", INTERNAL_MARK }, /* INTERNAL */
{ "news", LOG_NEWS },
{ "security", LOG_AUTH }, /* DEPRECATED */
{ "syslog", LOG_SYSLOG },
{ "user", LOG_USER },
{ "uucp", LOG_UUCP },
priority的ID(上面对应的数值)与名字的对应关系如下:
[c-sharp]
view plaincopyprint?
{ "alert", LOG_ALERT },
{ "crit", LOG_CRIT },
{ "debug", LOG_DEBUG },
{ "emerg", LOG_EMERG },
{ "err", LOG_ERR },
{ "error", LOG_ERR }, /* DEPRECATED */
{ "info", LOG_INFO },
{ "none", INTERNAL_NOPRI }, /* INTERNAL */
{ "notice", LOG_NOTICE },
{ "panic", LOG_EMERG }, /* DEPRECATED */
{ "warn", LOG_WARNING }, /* DEPRECATED */
{ "warning", LOG_WARNING },
要是添加的新规则生效,第二步我们需要重启syslogd和klogd:service syslog restart
为了测试新规则是否生效,我们可以将testsyslog修改如下:
[cpp:firstline[1]]
view plaincopyprint?
#include <syslog.h>
int main(int argc, char *argv[])
{
openlog("testsyslog", LOG_CONS | LOG_PID, 0);
syslog(LOG_USER | LOG_DEBUG, "syslog test message generated in program %s /n", argv[0]);
closelog();
return 0;
}
#include <syslog.h>
int main(int argc, char *argv[])
{
openlog("testsyslog", LOG_CONS | LOG_PID, 0);
syslog(LOG_USER | LOG_DEBUG, "syslog test message generated in program %s /n", argv[0]);
closelog();
return 0;
}
编译生成执行文件后,每运行一次,/var/log/debug文件都会增加一条新的记录。
System Logging
Linux日记系统由系统日志监控程序syslogd和内核日志监控程序klogd组成。从它们的命名可以看到,这两个监控程序都是守护程序(daemon),且都注册成了系统服务。换句话说,我们可以在目录/etc/init.d/下找到它们对应的执行程序,并通过service命令对它们进行启动,关闭,重启等操作。/etc/syslog.conf文件是Linux日记系统的配置文件。下面是本人/etc/syslog.conf文件内容:
[c-sharp]
view plaincopyprint?
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
] [cpp:collapse:firstline[1]] + expand sourceview plaincopyprint? #include <syslog.h> void openlog(char *ident, int option, int facility); void syslog(int priority, char *format, ...); void closelog(); #include <syslog.h> void openlog(char *ident, int option, int facility); void syslog(int priority, char *format, ...); void closelog();
其中openlog和closelog都是可选的。不过,通过调用openlog,我们可以指定ident参数。这样,ident将被加到每条日记记录中。ident一般设成程序的名字,如在下面例子中的"testsyslog":
[cpp:firstline[1]]
view plaincopyprint?
#include <syslog.h>
int main(int argc, char *argv[])
{
openlog("testsyslog", LOG_CONS | LOG_PID, 0);
syslog(LOG_USER | LOG_INFO, "syslog test message generated in program %s /n", argv[0]);
closelog();
return 0;
}
[cpp] view plaincopyprint? Apr 23 17:15:15 lirong-920181 testsyslog[27214]: syslog test message generated in program ./a.out Apr 23 17:15:15 lirong-920181 testsyslog[27214]: syslog test message generated in program ./a.out
格式基本是:timestamp hostname ident[pid]:log message。其中ident就是我们调用openlog是指定的"testsyslog",而之所以会打印出[27214]是openlog的option参数中指定了LOG_PID。下面我们详细讨论openlog函数中的option,facility和syslog函数中的priority参数。
根据/usr/include/sys/syslog.h文件,我们可以看到syslog支持的option如下:
[c-sharp]
view plaincopyprint?
/*
* Option flags for openlog.
*
* LOG_ODELAY no longer does anything.
* LOG_NDELAY is the inverse of what it used to be.
*/
#define LOG_PID 0x01 /* log the pid with each message */
#define LOG_CONS 0x02 /* log on the console if errors in sending */
#define LOG_ODELAY 0x04 /* delay open until first syslog() (default) */
#define LOG_NDELAY 0x08 /* don't delay open */
#define LOG_NOWAIT 0x10 /* don't wait for console forks: DEPRECATED */
#define LOG_PERROR 0x20 /* log to stderr as well */
[c-sharp] view plaincopyprint? /* facility codes */ #define LOG_KERN (0<<3) /* kernel messages */ #define LOG_USER (1<<3) /* random user-level messages */ #define LOG_MAIL (2<<3) /* mail system */ #define LOG_DAEMON (3<<3) /* system daemons */ #define LOG_AUTH (4<<3) /* security/authorization messages */ #define LOG_SYSLOG (5<<3) /* messages generated internally by syslogd */ #define LOG_LPR (6<<3) /* line printer subsystem */ #define LOG_NEWS (7<<3) /* network news subsystem */ #define LOG_UUCP (8<<3) /* UUCP subsystem */ #define LOG_CRON (9<<3) /* clock daemon */ #define LOG_AUTHPRIV (10<<3) /* security/authorization messages (private) */ #define LOG_FTP (11<<3) /* ftp daemon */ /* facility codes */ #define LOG_KERN (0<<3) /* kernel messages */ #define LOG_USER (1<<3) /* random user-level messages */ #define LOG_MAIL (2<<3) /* mail system */ #define LOG_DAEMON (3<<3) /* system daemons */ #define LOG_AUTH (4<<3) /* security/authorization messages */ #define LOG_SYSLOG (5<<3) /* messages generated internally by syslogd */ #define LOG_LPR (6<<3) /* line printer subsystem */ #define LOG_NEWS (7<<3) /* network news subsystem */ #define LOG_UUCP (8<<3) /* UUCP subsystem */ #define LOG_CRON (9<<3) /* clock daemon */ #define LOG_AUTHPRIV (10<<3) /* security/authorization messages (private) */ #define LOG_FTP (11<<3) /* ftp daemon */
facility的ID(上面对应的数值)与名字的对应关系如下:
[c-sharp]
view plaincopyprint?
{ "auth", LOG_AUTH },
{ "authpriv", LOG_AUTHPRIV },
{ "cron", LOG_CRON },
{ "daemon", LOG_DAEMON },
{ "ftp", LOG_FTP },
{ "kern", LOG_KERN },
{ "lpr", LOG_LPR },
{ "mail", LOG_MAIL },
{ "mark", INTERNAL_MARK }, /* INTERNAL */
{ "news", LOG_NEWS },
{ "security", LOG_AUTH }, /* DEPRECATED */
{ "syslog", LOG_SYSLOG },
{ "user", LOG_USER },
{ "uucp", LOG_UUCP },
[c-sharp] view plaincopyprint? #define LOG_EMERG 0 /* system is unusable */ #define LOG_ALERT 1 /* action must be taken immediately */ #define LOG_CRIT 2 /* critical conditions */ #define LOG_ERR 3 /* error conditions */ #define LOG_WARNING 4 /* warning conditions */ #define LOG_NOTICE 5 /* normal but significant condition */ #define LOG_INFO 6 /* informational */ #define LOG_DEBUG 7 /* debug-level messages */ #define LOG_EMERG 0 /* system is unusable */ #define LOG_ALERT 1 /* action must be taken immediately */ #define LOG_CRIT 2 /* critical conditions */ #define LOG_ERR 3 /* error conditions */ #define LOG_WARNING 4 /* warning conditions */ #define LOG_NOTICE 5 /* normal but significant condition */ #define LOG_INFO 6 /* informational */ #define LOG_DEBUG 7 /* debug-level messages */
priority的ID(上面对应的数值)与名字的对应关系如下:
[c-sharp]
view plaincopyprint?
{ "alert", LOG_ALERT },
{ "crit", LOG_CRIT },
{ "debug", LOG_DEBUG },
{ "emerg", LOG_EMERG },
{ "err", LOG_ERR },
{ "error", LOG_ERR }, /* DEPRECATED */
{ "info", LOG_INFO },
{ "none", INTERNAL_NOPRI }, /* INTERNAL */
{ "notice", LOG_NOTICE },
{ "panic", LOG_EMERG }, /* DEPRECATED */
{ "warn", LOG_WARNING }, /* DEPRECATED */
{ "warning", LOG_WARNING },
[c-sharp] view plaincopyprint? user.debug /var/log/debug user.debug /var/log/debug
要是添加的新规则生效,第二步我们需要重启syslogd和klogd:service syslog restart
为了测试新规则是否生效,我们可以将testsyslog修改如下:
[cpp:firstline[1]]
view plaincopyprint?
#include <syslog.h>
int main(int argc, char *argv[])
{
openlog("testsyslog", LOG_CONS | LOG_PID, 0);
syslog(LOG_USER | LOG_DEBUG, "syslog test message generated in program %s /n", argv[0]);
closelog();
return 0;
}
#include <syslog.h>
int main(int argc, char *argv[])
{
openlog("testsyslog", LOG_CONS | LOG_PID, 0);
syslog(LOG_USER | LOG_DEBUG, "syslog test message generated in program %s /n", argv[0]);
closelog();
return 0;
}
编译生成执行文件后,每运行一次,/var/log/debug文件都会增加一条新的记录。
相关文章推荐
- 利用Linux syslog写日记
- 利用Linux syslog写日记
- 利用securecrt在linux与windows之间传输文件
- 如何使用 syslog-ng 从远程 Linux 机器上收集日志
- Nginx 利用Linux 的PAM 机制整合各种登录
- 利用Linux命令在终端打开文件的方法
- 利用 libvirt 和 Linux 审计子系统跟踪 KVM 客户机
- 利用Screen实现Linux程序后台运行
- Linux日志管理高级进阶:实例详解syslog 推荐
- [原创] 利用busybox, extlinux 在工控机CompactFlash(CF卡)上构建Linux系统(上)
- [Linux C]利用libxml2解析xml文件
- linux利用screen命令管理远程会话
- 如何利用多核CPU来加速你的Linux命令 — awk, sed, bzip2, grep, wc等
- linux 利用export 更新系统环境变量
- linux下利用PF_PACKET协议族捕包方法
- 利用ddd和qemu调试arm-linux
- 渗透日记-利用SQLMAP伪静态注入
- 利用Linux防火墙隔离本地欺骗地址的方法详解
- 利用capability特征加强Linux系统安全
- Linux下利用backtrace追踪函数调用堆栈以及定位段错误