
The mail.debug entry was not defined properly and has been corrected.

After correcting it to point to /var/log/syslog, the logs are being updated in the syslog file.

Syslog Configuration and /etc/syslog.conf

One of the most neglected areas of Unix is handling system events. Daily checks for system messages are crucial for the security and health of a computer system. System logs contain much "noise": messages which have no importance and, on the contrary, important events which should not be lost in the load of messages. With current tools it is difficult to select which messages we are interested in.

A message is sent to different destinations based on the assigned facility/priority pair. There are 12+8 (12 real and 8 local) predefined facilities (mail, news, auth etc.), and 8 different priorities (ranging from alert to debug).
The BSD syslog protocol is defined in RFC 3164, "The BSD Syslog Protocol". A good summary of the RFC can be found in "Introduction to Syslog Protocol" (MonitorWare).

Syslog uses target UDP port 514. The RFC recommends that the source port also be set to 514:

    syslog uses the user datagram protocol (UDP) [1] as its underlying transport layer mechanism. The UDP port that has been assigned to syslog is 514. It is RECOMMENDED that the source port also be 514 to indicate that the message is from the syslog process of the sender, but there have been cases seen where valid syslog messages have come from a sender with a source port other than 514. If the sender uses a source port other than 514 then it is RECOMMENDED and has been considered to be good form that subsequent messages are from a single consistent port.
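As an added example (not code from the article or from the RFC), here is a small Python decoder for the BSD syslog datagram that arrives on UDP 514: it splits PRI into the facility/severity pair (PRI = facility * 8 + severity), falls back to <13> for a datagram without a usable PRI as RFC 3164 requires of relays, and records whether the sender used the recommended source port 514. The sample datagram is the one from the RFC; the facility numbers follow the RFC's table, with the usual Unix names for codes 10 and 11.

```python
import re
import socket
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})  # numeric codes from RFC 3164
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI = re.compile(r"^<(\d{1,3})>")
# HEADER = TIMESTAMP ("Mmm dd hh:mm:ss", day space-padded) and HOSTNAME; the rest is MSG
HEADER = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)
TAG = re.compile(r"^[A-Za-z0-9]{1,32}")  # MSG starts with a TAG of up to 32 alphanumerics

def split_pri(pri):
    """PRI = facility * 8 + severity; only 0..191 is valid (facilities 0..23)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range")
    return divmod(pri, 8)

def parse_message(data):
    """Decode one BSD syslog datagram into its facility/severity pair and header parts."""
    text = data.decode("ascii", errors="replace")
    m = PRI.match(text)
    pri_missing = m is None or int(m.group(1)) > 191
    if pri_missing:
        pri, rest = 13, text  # RFC 3164 sec. 4.3.3: no usable PRI -> treat it as <13> (user.notice)
    else:
        pri, rest = int(m.group(1)), text[m.end():]
    facility, severity = split_pri(pri)
    out = {"facility": FACILITIES.get(facility, str(facility)),
           "severity": SEVERITIES[severity], "pri_missing": pri_missing}
    h = HEADER.match(rest)
    if h:
        out.update(timestamp=h.group(1), host=h.group(2), msg=h.group(3))
    else:  # no well-formed header: timestamp and host are unknown, everything left is MSG
        out.update(timestamp=None, host=None, msg=rest)
    t = TAG.match(out["msg"])
    out["tag"] = t.group(0) if t else None
    return out

def receive_one(port=514, bind="127.0.0.1"):
    """Bind the syslog UDP port (root is needed for 514), decode one datagram and record
    whether the sender used the RFC-recommended source port 514. Not called here."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind, port))
        data, (src, sport) = s.recvfrom(2048)
        return dict(parse_message(data), src=src, src_port_is_514=(sport == 514))

# Sample datagram taken from RFC 3164 section 5.4: PRI 34 = auth (4) * 8 + crit (2)
SAMPLE = b"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"
```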
In its pure form it is an outdated, insecure (if used with a central logging host, as it actually should be used in any modern enterprise environment) and rather primitive logging mechanism that lacks the flexibility of dynamically extending the message classification scheme. A better scheme was proposed in 2004 (syslog1), but a tremendous amount of inertia prevents any changes.

The fixed classification scheme with just a dozen entries is a major problem with the protocol. Message severity classification also can be improved/simplified (IBM has a better classification on mainframes), but even in its present form it is an OK solution.
There are two slightly better, more modern implementations of the traditional syslog daemon called syslog-ng and Kiwi Syslog. Syslog-ng is a better implementation if you wish to integrate Tivoli log preprocessing. It is also portable between different platforms. I do not know why Sun did not replace the traditional syslog with syslog-ng in Solaris 10 (after all, they discarded their pretty usable own firewall in favor of IP Filter). It probably should consider this move.
The standard Solaris syslog system consists of the following components:

- syslogd: the system daemon used to receive and route system log events from syslog() calls and logger commands.
- /etc/syslog.conf: the configuration file used to control the logging and routing of system log events.
- logger: a UNIX command used to add single-line entries to the system log. See also logger.
- syslog(): an application program interface (API) referenced by several standard system utilities and available to anyone writing software in the C programming language, C++, Java and many scripting languages (Perl is one example).
- logadm: system log rotation utility (Solaris 9 and later).

The key file that influences syslog behavior is the /etc/syslog.conf file. It contains two columns called the selector and the action.

- selector field: a semicolon-separated list of priority specifications in the following format: facility.level;facility.level.
- action field: defines where to forward the message. This field can have one of the following four types of entries:
  1. file: output is sent to the file specified.
  2. @host: the @ sign denotes that messages must be forwarded to a host. The name should be defined in /etc/hosts and represent a remote log server.
  3. user[,user]: the user(s) (can be a comma-delimited list) receive messages if they are logged in.
  4. *: all logged-in users will receive messages when they are logged in.

As is typical for Sun, the file has a dinosaur (pre-1970s style) syntax: it does not permit using spaces as a separator, so tabs must be used as the separator between the two columns of syslog.conf. Now let's discuss those two columns in some detail.

The selector field is a semicolon-separated list of priority specifications in the following format: facility.level; facility.level.

The facility field can contain only 16 codes:

- kern: messages generated by the kernel.
- user: messages generated by user processes. This is the default priority for messages from programs or facilities not listed in this file.
- mail: the mail system.
- daemon: system daemons, such as the in.ftpd and the telnetd daemons.
- auth: the authorization system, including the login, su, and ttymon commands.
- syslog: messages generated internally by the syslogd daemon.
- lpr: the line printer spooling system, such as the lpr and lpc commands.
- news: files reserved for the USENET network news system.
- uucp: the UNIX-to-UNIX copy (UUCP) system does not use the syslog function.
- cron: the cron and at facilities, including crontab, at, and cron.
- local0-7: fields reserved for local use.
The level selector specifies the severity or importance of the message. Each level includes all the levels above it (of a higher severity). To remember the sequence for the certification exam you can use an appropriately constructed phrase like "Every alerted car driver escapes warning notice":

- emerg (0): panic conditions that are normally broadcast to all users.
- alert (1): conditions that should be corrected immediately, such as a corrupted system database. Only the sysadmin of a particular server needs to be informed by mail or paged.
- crit (2): warnings about critical conditions, such as hard device errors.
- err (3): errors other than hard device errors.
- warning (4): warning messages.
- notice (5): non-error conditions that might require special handling.
- info (6): purely informational messages (usually do not require any handling).
- debug (7): messages that are normally used only when debugging a program.
- none (8): messages are not sent from the indicated facility to the selected file.

After making any changes to the syslog.conf file, you need to ask the daemon to reread the configuration file with a kill -HUP command, for example pkill -HUP syslogd. This is an operation that is often forgotten. It might make sense to implement a "system configuration" attribute that automatically executes a command after a file with such an attribute is closed if it was opened for writing (Unix has had a "command execution string" for scripts forever, for example #!/usr/bin/perl, so it could be used for configuration files too). In the absence of such a facility, which would be a real paradise for absent-minded people like me, you probably will be better off creating a special script, like visyslog, that contains just two commands, vi and pkill, to ensure that you do not forget this operation (I often do and then face the consequences).
The default Solaris syslog configuration (/etc/syslog.conf) is far from optimal (any selector in /etc/syslog.conf means "this level and higher"; for example, mail.crit includes mail.emerg):

*.err;kern.notice;auth.notice	/dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit	/var/adm/messages
*.alert;kern.err;daemon.err	operator
*.alert	root
*.emerg	*

# if a non-loghost machine chooses to have authentication messages
# sent to the loghost machine, un-comment out the following line:
#auth.notice	ifdef(`LOGHOST', /var/log/authlog, @loghost)
mail.debug	ifdef(`LOGHOST', /var/log/syslog, @loghost)
#
# non-loghost machines will use the following lines to cause "user"
# log messages to be logged locally.
#
ifdef(`LOGHOST', ,
user.err	/dev/sysmsg
user.err	/var/adm/messages
user.alert	root, operator
user.emerg	*
)

For one thing, AUTH messages don't get logged to any logfile. This is important if you want to know when people are trying to break into your system, so such messages should be emailed at least to operator (maybe to operator and root) and written to /var/adm/authlog:

*.emerg	*
kern.notice;*.alert	root,operator
*.err;kern.notice;auth.notice	/dev/sysmsg
*.notice	/var/adm/messages
auth.notice	/var/adm/authlog
auth.notice	/var/log/messages

Each line of the file contains two parts:

- A selector that specifies which kinds of messages to log (e.g., all error messages or all debugging messages from the kernel).
- An action field that says what should be done with the message (e.g., put it in a file or send the message to a user's terminal).

You must use the tab character between the selector and the action field. If you use a space, it will look the same, but syslog will not work.

Message selectors have two parts: a facility and a priority. kern.debug, for example, selects all debug messages (the priority) generated by the kernel (the facility). It also selects all priorities that are greater than debug. An asterisk in place of either the facility or the priority indicates "all." (That is, *.debug means all debug messages, while kern.* means all messages generated by the kernel.) You can also use commas to specify multiple facilities. Two or more selectors can be grouped together by using a semicolon. (See the earlier examples.)

The action field specifies one of five actions (some versions of syslog support additional actions, such as logging to a proprietary error management system):

1. Log to a file or a device. In this case, the action field consists of a filename (or device name), which must start with a forward slash (e.g., /var/adm/lpderrs or /dev/console). Beware: logging to /dev/console creates the possibility of a denial of service attack. If you are logging to the console, an attacker can flood your console with log messages, rendering it unusable. If your system supports virtual consoles, as with Linux, you can usually safely log to one of the virtual consoles, and leave the others uncluttered.

2. Send a message to a user. In this case, the action field consists of a username (e.g., root). You can specify multiple usernames by separating them with commas (e.g., root,nosmis). The message is written to each terminal where these users are shown to be logged in, according to the utmp file.

3. Send a message to all users. In this case, the action field consists of an asterisk (*).

4. Pipe the message to a program. In this case, the program is specified after the Unix pipe symbol (|). Note that the current Solaris version of syslog does not support logging to programs. You need to use syslog-ng to achieve that.

5. Send the message to the syslog on another host. In this case, the action field consists of a hostname preceded by an at sign (e.g., @prep.ai.mit.edu).
With the preceding explanation, understanding the typical syslog.conf configuration file shown earlier becomes easy:

*.err;kern.debug;auth.notice	/dev/console
    This line causes all error messages, all kernel debug messages, and all notice messages generated by the authorization system to be printed on the system console. If your system console is a printing terminal, this process will generate a permanent hard copy that you can file and use for later reference. (Note that kern.debug means all messages of priority debug and above.)

daemon,auth.notice	/var/log/messages
    This line causes all notice messages from either the system daemons or the authorization system to be appended to the file /var/log/messages. Note that this is the second line that mentions auth.notice messages. As a result, auth.notice messages will be sent to both the console and the messages file.

lpr.*	/var/log/lpderrs
    This line causes all messages from the line printer system to be appended to the /var/log/lpderrs file.

auth.*	root,nosmis
    This line causes all messages from the authorization system to be sent to the users root and nosmis. Note, however, that if the users are not logged in, the messages will be lost.

auth.*	@prep.ai.mit.edu
    This line causes all authorization messages to be sent to the syslog daemon on the computer prep.ai.mit.edu. If you have a cluster of many different machines, you may wish to have them all perform their logging on a central (and presumably secure) computer.

*.emerg	*
    This line causes all emergency messages to be displayed on every user's terminal.

*.alert	|dectalker
    This line causes all alert messages to be sent to a program called dectalker, which might broadcast the message over a public address system.

mark.*	/dev/console
    This line causes the time to be printed on the system console every 20 minutes. This is useful if you have other information being printed on the console, and you want a running clock on the printout.
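To make the selector and action rules above concrete, here is an added Python model of how syslogd routes a message (example code, not from the article or from Solaris): it parses tab-separated syslog.conf lines, applies the "this level and higher", none, comma and semicolon rules, classifies the five action kinds, and rejects a line whose columns are separated by spaces rather than a tab. The sample configuration is constructed from the default Solaris lines shown earlier plus a loghost entry.

```python
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ACTION_KINDS = {"/": "file", "@": "remote host", "|": "program"}  # '|' is not supported by Solaris syslogd
def parse_conf(text):
    """Return (selector, action) pairs; reject columns separated by spaces instead of a tab."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if "\t" not in line:
            raise ValueError(f"line {lineno}: selector and action must be separated by a tab")
        selector, action = line.split("\t", 1)
        rules.append((selector.strip(), action.strip()))
    return rules
def selector_matches(selector, facility, level):
    """facility.level selects that level and higher; facility.none excludes the facility;
    a later spec for the same facility overrides an earlier one (as in syslogd)."""
    chosen = False
    for spec in selector.split(";"):
        facs, _, lvl = spec.strip().partition(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        if lvl == "none":
            chosen = False
        elif lvl == "*":
            chosen = True
        else:  # lower index in LEVELS = more severe, so "higher" means index <= selector's
            chosen = LEVELS.index(level) <= LEVELS.index(lvl)
    return chosen
def describe_action(action):
    """Classify the action column: file/device, @host, |program, '*' or a user list."""
    kind = ACTION_KINDS.get(action[:1])
    if kind:
        return (kind, action if kind == "file" else action[1:].strip())
    if action == "*":
        return ("all logged-in users", "*")
    return ("users", [u.strip() for u in action.split(",")])
def route(conf, facility, level):
    """All actions a message of facility.level is delivered to, in file order."""
    return [describe_action(a) for s, a in parse_conf(conf) if selector_matches(s, facility, level)]

# Constructed sample (tab-separated): the default Solaris lines plus a loghost entry
SAMPLE_CONF = "\n".join([
    "*.err;kern.notice;auth.notice\t/dev/sysmsg",
    "*.err;kern.debug;daemon.notice;mail.crit\t/var/adm/messages",
    "*.alert;kern.err;daemon.err\toperator",
    "*.alert\troot",
    "*.emerg\t*",
    "auth.*\t@loghost",
])
```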
