The Logging System
module(load="imuxsock") # provides support for local system logging
module(load="imklog")   # provides kernel logging support
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")

###########################
#### GLOBAL DIRECTIVES ####
###########################
--snip--

Listing 11-1: A snapshot of the rsyslog.conf file
As you can see, the rsyslog.conf file comes well documented with numerous comments explaining its use. Much of this information will not be useful to you at this moment, but if you navigate down to below line 55, you'll find the Rules section. This is where you can set the rules for what your Linux system will automatically log for you.
The rsyslog Logging Rules
The rsyslog rules determine what kind of information is logged, what programs have their messages logged, and where that log is stored. As a hacker, this allows you to find out what is being logged and where those logs are written so you can delete or obscure them. Scroll to about line 55 and you should see something like Listing 11-2.
###############
#### RULES ####
###############
#
# First some standard log files. Log by facility.
#
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
#cron.*                         /var/log/cron.log
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err

Listing 11-2: Finding the logging rules in rsyslog.conf
Each line is a separate logging rule that says what messages are logged and where they're logged to. The basic format for these rules is as follows:

facility.priority action

The facility keyword references the program, such as mail, kernel, or lpr, whose messages are being logged. The priority keyword determines what kind of messages to log for that program. The action keyword, on the far right, references the location where the log will be sent. Let's look at each section more closely, beginning with the facility keyword, which refers to whatever software is generating the log, whether that's the kernel, the mail system, or the user.
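The facility.priority action format above is simple enough to parse mechanically, which is useful when auditing a system: you can answer "which files receive messages from this facility?" without reading the configuration by eye. The following is an added example, not code from the book or from the rsyslog project. It parses rule lines in the shape shown in Listing 11-2 (the sample rules below are copied from that listing), honours the `.none` exclusion used in the syslog rule, records which rules are commented out, and notes the leading `-` on an action, which tells rsyslog to write that file without syncing after each message. All function and variable names are this example's own.

```python
"""Parse rsyslog rule lines of the form: facility.priority action.

Added example, not the book's or rsyslog's own code. It reports, for each
facility, the enabled files that receive its messages, and which files are
written without a sync after each message (action prefixed with "-").
"""
import re

# Sample rules, constructed to match Listing 11-2 (one plain comment line
# is included to show that comments are skipped, not parsed as rules).
SAMPLE_RULES = """\
# First some standard log files. Log by facility.
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
#cron.*                         /var/log/cron.log
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log
mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err
"""

# A rule is exactly two tokens: a selector containing a "." and an action.
RULE_RE = re.compile(r"^(?P<selector>[^\s#]+\.[^\s#]+)\s+(?P<action>\S+)$")


def parse_selector(selector):
    """Split 'auth,authpriv.*;mail.none' into [(facilities, priority), ...]."""
    parts = []
    for piece in selector.split(";"):
        facilities, _, priority = piece.rpartition(".")
        parts.append((facilities.split(","), priority))
    return parts


def parse_rules(text):
    """Return one dict per rule line, including commented-out rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        disabled = line.startswith("#")          # "#cron.* ..." is a disabled rule
        body = line.lstrip("#").strip()
        m = RULE_RE.match(body)
        if not m:
            continue                             # ordinary comment, not a rule
        action = m.group("action")
        rules.append({
            "selectors": parse_selector(m.group("selector")),
            "action": action.lstrip("-"),
            "async": action.startswith("-"),     # "-" means no sync per message
            "disabled": disabled,
        })
    return rules


def destinations_for(rules, facility):
    """Enabled files that receive messages from `facility` (priority ignored).

    Within one rule, selectors are evaluated left to right, so a later
    'facility.none' cancels an earlier '*.*' match for that facility.
    """
    files = []
    for rule in rules:
        if rule["disabled"]:
            continue
        matched = False
        for facilities, priority in rule["selectors"]:
            if facility in facilities or "*" in facilities:
                matched = priority != "none"
        if matched:
            files.append(rule["action"])
    return files


def sync_status(rules):
    """Map each enabled destination file to 'sync' or 'async'."""
    return {r["action"]: ("async" if r["async"] else "sync")
            for r in rules if not r["disabled"]}


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for fac in ("auth", "mail", "cron", "kern"):
        print(f"{fac:5s} -> {destinations_for(parsed, fac)}")
    for path, status in sync_status(parsed).items():
        print(f"{status:5s} {path}")
```

Two points a defender takes from the output: auth and authpriv messages land only in /var/log/auth.log (the `.none` exclusion keeps them out of /var/log/syslog), so that file deserves the tightest permissions and forwarding; and every file written with a leading `-` is buffered, so the last lines before a crash or abrupt shutdown may never reach disk, which is why auth.log and mail.err are written synchronously in the listing.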
The following is a list of valid codes that can be used in place of the facility keyword in our configuration file rules: