Linux Basics for Hackers
The rsyslog Configuration File
Like nearly every application in Linux, rsyslog is managed and configured by a plaintext configuration file located, as is generally the case in Linux, in the /etc directory. In the case of rsyslog, the configuration file is located at /etc/rsyslog.conf. Open that file with any text editor, and we'll explore what's inside (here, I use Leafpad):

kali >leafpad /etc/rsyslog.conf

You should see something like Listing 11-1.

#/etc/rsyslog.conf Configuration file for rsyslog.
#
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html

#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
module(load="imklog")   # provides kernel logging support
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")

###########################
#### GLOBAL DIRECTIVES ####
###########################
--snip--

Listing 11-1: A snapshot of the rsyslog.conf file

As you can see, the rsyslog.conf file comes well documented with numerous comments explaining its use. Much of this information will not be useful to you at this moment, but if you navigate down to below line 55, you'll find the Rules section. This is where you can set the rules for what your Linux system will automatically log for you.

The rsyslog Logging Rules

The rsyslog rules determine what kind of information is logged, what programs have their messages logged, and where that log is stored. As a hacker, this allows you to find out what is being logged and where those logs are written so you can delete or obscure them. Scroll to about line 55 and you should see something like Listing 11-2.

###############
#### RULES ####
###############
#
# First some standard log files. Log by facility.
#
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
#cron.*                         /var/log/cron.log
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err

Listing 11-2: Finding the logging rules in rsyslog.conf

Each line is a separate logging rule that says what messages are logged and where they're logged to. The basic format for these rules is as follows:

facility.priority action

The facility keyword references the program, such as kernel or lpr, whose messages are being logged. The priority keyword determines what kind of messages to log for that program. The action keyword, on the far right, references the location where the log will be sent.

Let's look at each section more closely, beginning with the facility keyword, which refers to whatever software is generating the log, whether that's the kernel, the mail system, or the user. The following is a list of valid codes that can be used in place of the facility keyword in our configuration file rules:
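As an added example (not from the book), the following Python works out which log files a message with a given facility and priority reaches under the classic facility.priority action rules of Listing 11-2, including the *, none and ; forms and the - prefix on the action. The rule text is constructed here in the style of the listing, and rsyslog's = and ! priority modifiers are not handled.

```python
# Added example (not from the book): work out which log files a message
# reaches under rsyslog's classic "facility.priority action" rules.
# Rules below are constructed in the style of Listing 11-2; '=' and '!' are not handled.

# Standard syslog severity order, lowest to highest.
LEVEL = {n: i for i, n in enumerate("debug info notice warning err crit alert emerg".split())}

SAMPLE_RULES = """
auth,authpriv.*         /var/log/auth.log
*.*;auth,authpriv.none  -/var/log/syslog
#cron.*                 /var/log/cron.log
kern.*                  -/var/log/kern.log
mail.*                  -/var/log/mail.log
mail.info               -/var/log/mail.info
mail.err                /var/log/mail.err
"""


def parse_rules(text):
    """Yield (selectors, action) per active rule; selectors is a list of
    (facilities, priority) and the async '-' prefix is stripped from the action."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out rules are inactive
        selector_part, action = line.split(None, 1)
        selectors = []
        for sel in selector_part.split(";"):
            facs, _, prio = sel.rpartition(".")
            selectors.append((facs.split(","), prio))
        yield selectors, action.lstrip("-")


def rule_matches(selectors, facility, priority):
    """Evaluate selectors left to right; a later selector overrides earlier ones for
    the facilities it names. Plain priority = that level or higher; '*' = all; 'none' = drop."""
    matched = False
    for facs, prio in selectors:
        if "*" not in facs and facility not in facs:
            continue
        if prio == "none":
            matched = False
        elif prio == "*":
            matched = True
        else:
            matched = LEVEL[priority] >= LEVEL[prio]
    return matched


def destinations(rules_text, facility, priority):
    """Return the log files that receive a facility.priority message."""
    return [action for selectors, action in parse_rules(rules_text)
            if rule_matches(selectors, facility, priority)]
```

Because auth and authpriv are excluded from /var/log/syslog by the none selector, a defender checking for tampering should compare /var/log/auth.log against any remote copy rather than expecting those events in syslog.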