Solved: Syslog Defaults

darraghos · ‎2015-10-13

I'm looking at configuring the syslogd on my 8.2 7-mode filers. Having a read here https://library.netapp.com/ecmdocs/ECMP1196890/html/man8/na_syslogd.8.html it states that

"If /etc/syslog.conf does not exist the syslogd daemon will output all log messages of priority info or higher to the console and to the file /etc/messages"

This does not appear to be wholey accurate though. By default it seems that audit messages generated by the local7 facility will also be logged but to /etc/logs/audit file also. Is this correct? Also, are these defaults overridden by the syslogd.comf file. For example, by default we are logging *.info to /etc/messages. If I add a line to the .confg file of

kern.crit /etc/messages

Does this override the default and enable logging of only kernel message at critical level to the messages log?

YIshikawa · ‎2015-10-13

Local auditlog logging is not handled by syslog. auditlog is recorded even when syslog.conf has no corresponding entry. Whereas, you can configure remote logging of auditlog by adding special facility in syslog.conf.

https://kb.netapp.com/support/index?page=content&actp=LIST&id=1010374

"kern.crit /etc/messages" just suppress logging for messages log. To suppress console message, add "kern.crit /dev/console".

View solution in original post

YIshikawa · ‎2015-10-13

Local auditlog logging is not handled by syslog. auditlog is recorded even when syslog.conf has no corresponding entry. Whereas, you can configure remote logging of auditlog by adding special facility in syslog.conf.

https://kb.netapp.com/support/index?page=content&actp=LIST&id=1010374

"kern.crit /etc/messages" just suppress logging for messages log. To suppress console message, add "kern.crit /dev/console".

darraghos · ‎2015-10-14

🙂 Thanks for that. So it's a different daemon that handles the audit logging but it reads some config from the syslog.conf file. A little confusing but makes sense based on the tests I have been performing. In terms of the message loggin to console/file though, is the following correct:

if there is an entry relating to message loggin to messages log/console it will override the default of *.info

YIshikawa · ‎2015-10-14

> if there is an entry relating to message loggin to messages log/console it will override the default of *.info

Well, it is a bit dirrerent.
If you create custom syslog.conf file, syslogd works like that on other UNIX/Linux OS.
No line of /dev/console destination in syslog.conf, log output of console is completely disabled. Or, if /dev/console output is defined with other facility, syslog follows as it is.

darraghos · ‎2016-05-25

I had to revisit this recently. It seems ( to me) that the following lines achieve the same namely sending the auditlog messages to a remote syslog server:

local7.* @ipaddress
cmdsaudit.auditlog @ipaddress

The only difference I can think of is this statement from here: https://kb.netapp.com/support/index?page=content&actp=LIST&id=1010374

"Note:
Audit log messages are more verbose than syslog messages. A typical syslog entry is a single line. A typical audit log entry is as follows:
date [method of access] :START:command incoming hostname
date [method of access] :IN:command "input" command being sent to filer
date [method of access] :OUT: output from command (may be multiple lines)
date [method of access] :END:command"

Is that the only difference between these configs?