Updated March 17, 2023
Introduction to Linux System Logging
The following article provides an outline of Linux system logging. Every operating system lets us track the activities performed on it, and the ability to store those activities as logs is very useful when investigating what happened on the system. Because the operating system sits at the core of any server, it can keep track of how users are leveraging it by recording their activities in the form of a log. Like all operating systems, Linux provides a mechanism to store logs. On servers that host applications, the Linux OS stores all the logs generated whenever a user tries to access the web pages hosted on the server.
Facilities of Linux System Logging
Before looking at the logging method in Linux, we have to understand what exactly we mean by logging in Linux. Logging can be defined as the approach of recording all the activities performed with the operating system. The Linux operating system provides some special facilities that are used to store logs on the system. Logging usually captures a timestamp together with a short description of the activity. The logs are the main component needed to support any investigation. Since logging activities takes up space, the scope of logging has to be kept limited and specific.
Syslog facilities are special keywords used to store logs on the operating system in a particular manner. There are situations where system administrators are expected to have the log data stored in a particular way to serve a business purpose; in that case, they leverage the Syslog facilities to have the data stored the way they want. Linux provides several facilities, and each of them has a unique function.
Below is the list of facilities that are used very often in the Linux operating system and are popular as Syslog facilities.
Auth is one of the most important Syslog facilities; it is used to record activities concerned with usernames and passwords. While storing logs, there are certain places where we need to store data related to the username and the password; in such cases, the auth facility is used to serve that purpose.
The authpriv facility stands for author privilege. It functions like the auth facility, with the one difference that it stores the log in a file that can be read only by users who have the privilege to read it. It also stores information related to usernames and passwords. All the logs are stored in a particular file that is accessible only to specific users.
The console facility logs information linked with the console, which is crucial because it plays a vital role in investigations. All messages sent to the console are recorded using this facility. It works like a sniffer that captures the messages sent to the console and stores them in the form of a log.
The role of the ftp facility is to ensure that all messages concerned with the FTP daemon are logged on the system. When a user works with FTP, the daemon usually leaves behind log messages that can be captured and stored using this facility. One can leverage this Syslog facility to store every event that results from working with FTP.
The kern facility is used to keep track of all kernel-generated messages. The kernel works as the soul of the operating system, and these messages tell us what happens at the kernel level. Keeping track of kernel-level messages is important for troubleshooting issues.
The mail facility is used for logging all messages produced by the mail system. The main reason for keeping these log files is to study the email-related data captured there, that is, the kind of mail that has been sent or received.
The ntp facility is used to store data related to the network time protocol. Whenever the system triggers any message related to the network time protocol, it is the ntp facility that captures and stores the message in the form of a log.
The news facility works as the message logger for the network news protocol. The network news protocol raises certain events with specific data associated with them, and the news facility helps store that data.
Lpr stands for the line printing system. The role of this facility is to store all messages related to the line printing system. It captures the data and stores it in the log file, just as all the other facilities store their logs.
Mark may be considered a facility that generates a timestamp and stores it in the log file. In this facility, a pseudo-event is leveraged to generate the timestamp.
The user facility captures messages related to ordinary user processes. All the normal activities that users perform are captured by virtue of this facility.
The cron facility is one of the very important facilities; it is used to store the messages generated by the cron job scheduler when a user interacts with the cron system.
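To make the facility keywords above concrete, the following added example (not part of the original article) decodes the numeric priority that prefixes a syslog message into its facility and severity names, then routes each message with selector rules in the style of a syslog.conf entry such as authpriv.* going to a separate, restricted file. The log lines, file paths and routing table are constructed for the example.

```python
import re
from dataclasses import dataclass

# Facility codes as defined in RFC 3164 / RFC 5424 (facility = PRI // 8).
# "mark" is a pseudo-event generated by syslogd itself and has no wire code.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
              10: "authpriv", 11: "ftp", 12: "ntp", 13: "security",
              14: "console", 15: "solaris-cron"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})
# Severity codes (severity = PRI % 8); lower index means more urgent.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

@dataclass
class SyslogMessage:
    facility: str
    severity: str
    body: str

def decode_pri(pri: int) -> tuple[str, str]:
    """Split a PRI value into (facility, severity); valid range is 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def parse_line(line: str) -> SyslogMessage:
    """Parse one BSD-style syslog line that starts with a <PRI> header."""
    m = PRI_RE.match(line)
    if m is None:
        raise ValueError("missing <PRI> header")
    facility, severity = decode_pri(int(m.group(1)))
    return SyslogMessage(facility, severity, m.group(2))

# Constructed routing table mirroring selectors like "authpriv.* /var/log/secure":
# (facility, minimum severity, destination). A selector matches the named
# severity and anything more urgent, exactly as syslog.conf does.
ROUTES = [("authpriv", "debug", "/var/log/secure"),
          ("kern", "warning", "/var/log/kern.log"),
          ("cron", "debug", "/var/log/cron")]

def route(msg: SyslogMessage) -> list[str]:
    """Return the destination files whose selector matches this message."""
    return [path for fac, min_sev, path in ROUTES
            if msg.facility == fac
            and SEVERITIES.index(msg.severity) <= SEVERITIES.index(min_sev)]
```

Running parse_line on a constructed line such as `<86>Mar 17 10:00:01 host sshd[1234]: Accepted password for alice` yields facility authpriv and severity info, and route sends it only to the restricted /var/log/secure file.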
Conclusion – Linux System Logging
The Syslog facilities are keywords in Linux that come with predefined functionality. These keywords are used to store data in a specific manner that serves the needs of the business. The logs stored in the log files are used for several purposes, but the main reason for storing them is to understand user behaviour, which in turn supports investigations.