Learning Kali Linux






Log Management
For the most part, if you are doing security testing, you may never really need to look
at the logs on your system. However, over a lot of years, I have found logs to be
utterly invaluable. As solid a distribution as Kali is, there is always the possibility that
something will go wrong and you will need to investigate. Even when everything is
going well, you may still want to see what an application is logging. Because of that,
you need to understand the logging system in Linux. To do that, you need to know
what you are using. Unix has long used syslog as the system logger, though it began its
life as a logging facility for the sendmail mail server.

Over the years, syslog has had many implementations. Kali Linux comes with the rsyslog
implementation installed by default. It is a fairly straightforward implementation,
and it's easy to determine the locations for the files you will need to look in for log
information. In general, all logs go to /var/log. However, there are specific files you
will need to look in for log entries in different categories of information. On Kali, you
would check the /etc/rsyslog.conf file. In addition to a lot of other configuration settings,
you will see the entries shown in Example 1-10.

Example 1-10. Log configuration for rsyslog

auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
#cron.*                         /var/log/cron.log
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log

What you see on the left side is a combination of facility and severity level. The word
before the dot is the facility. The facility is based on the different subsystems that are
logging using syslog. You may note that syslog goes back a long way, so there are still
facilities identified for subsystems and services that you are unlikely to see much of
these days. In Table 1-1, you will see the list of facilities as defined for use in syslog.
The Description column indicates what the facility is used for in case the facility itself
doesn't give that information to you.
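
As an added illustration (not code from the book), the following Python example parses the selector lines from Example 1-10 and reports which log files a message with a given facility and severity would be written to. The function names and the embedded rule text are constructed for this example, and it handles only the selector forms shown above (`*`, `none`, and plain severity names), not rsyslog's `=` or `!` modifiers.

```python
# Constructed sample: the rules from Example 1-10, as in /etc/rsyslog.conf.
RULES = """\
auth,authpriv.*          /var/log/auth.log
*.*;auth,authpriv.none   -/var/log/syslog
#cron.*                  /var/log/cron.log
daemon.*                 -/var/log/daemon.log
kern.*                   -/var/log/kern.log
lpr.*                    -/var/log/lpr.log
mail.*                   -/var/log/mail.log
user.*                   -/var/log/user.log
"""

# Severity names from least to most severe.
SEVERITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]


def parse_rules(text):
    """Return a list of (selectors, path, synced) for each active file rule."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # skip blanks and commented-out rules
            continue
        selector, action = line.split(None, 1)
        synced = not action.startswith("-")    # leading "-": no sync after each write
        selectors = []
        for part in selector.split(";"):
            facilities, _, priority = part.rpartition(".")
            selectors.append((facilities.split(","), priority))
        rules.append((selectors, action.lstrip("-"), synced))
    return rules


def destinations(rules, facility, severity):
    """Return the log files that receive a message of this facility and severity."""
    level = SEVERITIES.index(severity)
    paths = []
    for selectors, path, _synced in rules:
        matched = False
        for facilities, priority in selectors:
            if "*" not in facilities and facility not in facilities:
                continue
            # A later selector for the same facility overrides an earlier one.
            matched = priority != "none" and (
                priority == "*" or level >= SEVERITIES.index(priority))
        if matched:
            paths.append(path)
    return paths
```

With these rules, an auth message goes only to /var/log/auth.log because `auth,authpriv.none` excludes it from /var/log/syslog, while a cron message lands only in /var/log/syslog because the cron rule is commented out.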
