Syslog

From Wikipedia, the free encyclopedia

Original author(s): Eric Allman
Initial release: 1980s
Operating system: Unix-like
Type: System logging

In computing, syslog /ˈsɪslɒɡ/ is a standard for message logging. It allows separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them. Each message is labeled with a facility code, indicating the type of system generating the message, and is assigned a severity level.

Computer system designers may use syslog for system management and security auditing as well as general informational, analysis, and debugging messages. A wide variety of devices, such as printers, routers, and message receivers across many platforms use the syslog standard. This permits the consolidation of logging data from different types of systems in a central repository. Implementations of syslog exist for many operating systems.

When operating over a network, syslog uses a client-server architecture where a syslog server listens for and logs messages coming from clients.

History

Syslog was developed in the 1980s by Eric Allman as part of the Sendmail project.[1] It was readily adopted by other applications and has since become the standard logging solution on Unix-like systems.[2] A variety of implementations also exist on other operating systems and it is commonly found in network devices, such as routers.[3]

Syslog originally functioned as a de facto standard, without any authoritative published specification, and many implementations existed, some of which were incompatible. The Internet Engineering Task Force documented the status quo in RFC 3164 in August 2001. It was standardized by RFC 5424 in March 2009.[4]

Various companies have attempted to claim patents for specific aspects of syslog implementations.[5][6] This has had little effect on the use and standardization of the protocol.

Message components

The originator of a syslog message supplies the facility code and the severity level. Before passing the entry to the syslog receiver, the syslog software adds header information such as the originator's process ID, a timestamp, and the hostname or IP address of the device.

Facility

A facility code is used to specify the type of system that is logging the message. Messages with different facilities may be handled differently.[7] The list of facilities available is described by the standard:[4], p. 9

Facility code   Keyword         Description
0               kern            Kernel messages
1               user            User-level messages
2               mail            Mail system
3               daemon          System daemons
4               auth            Security/authentication messages
5               syslog          Messages generated internally by syslogd
6               lpr             Line printer subsystem
7               news            Network news subsystem
8               uucp            UUCP subsystem
9               cron            Cron subsystem
10              authpriv        Security/authentication messages
11              ftp             FTP daemon
12              ntp             NTP subsystem
13              security        Log audit
14              console         Log alert
15              solaris-cron    Scheduling daemon
16–23           local0–local7   Locally used facilities

The mapping between facility code and keyword is not uniform in different operating systems and syslog implementations.[8]

Severity level

The list of severities is also described by the standard:[4], p. 10

Value  Severity       Keyword  Deprecated keywords  Description                        Condition
0      Emergency      emerg    panic[9]             System is unusable                 A panic condition.[10]
1      Alert          alert                         Action must be taken immediately   A condition that should be corrected immediately, such as a corrupted system database.[10]
2      Critical       crit                          Critical conditions                Hard device errors.[10]
3      Error          err      error[9]             Error conditions
4      Warning        warning  warn[9]              Warning conditions
5      Notice         notice                        Normal but significant conditions  Conditions that are not error conditions, but that may require special handling.[10]
6      Informational  info                          Informational messages             Confirmation that the program is working as expected.
7      Debug          debug                         Debug-level messages               Messages that contain information normally of use only when debugging a program.[10]

The meaning of severity levels other than Emergency and Debug is relative to the application. For example, if the purpose of the system is to process transactions that update customer account balance information, an error in the final step should be assigned Alert level, while an error in an attempt to display the customer's ZIP code may be assigned Error or even Warning level.

The server process that displays or filters messages usually treats a requested severity as a threshold and includes every numerically lower (more severe) level as well. That is, if messages are separated by severity, a Warning level entry is also included when filtering for Notice, Info and Debug messages.[11]
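The facility and severity tables above combine into the PRI value that opens every syslog message, and the threshold behaviour just described is what a syslog.conf selector such as auth.warning implements. The following is an added example, not code from the article or from any syslog implementation, that encodes and decodes PRI and applies such a selector; the keyword tables and the deprecated aliases panic, error and warn are the ones listed above.

```python
# Added example, not code from the article or from any syslog
# implementation: compute the PRI value that prefixes every syslog
# message and apply a syslog.conf-style selector, which treats a
# severity as a threshold that also matches every more severe
# (numerically lower) level. Keyword tables follow the article;
# aliases are the deprecated keywords from syslog.conf(5).

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "ntp": 12, "security": 13, "console": 14, "solaris-cron": 15,
    **{f"local{n}": 16 + n for n in range(8)},
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
SEVERITY_ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}


def severity_value(severity):
    """Accept a numeric level or a keyword, including deprecated aliases."""
    if isinstance(severity, int):
        value = severity
    else:
        value = SEVERITIES[SEVERITY_ALIASES.get(severity, severity)]
    if not 0 <= value <= 7:
        raise ValueError("severity must be in 0..7")
    return value


def facility_value(facility):
    """Accept a numeric facility code or one of the keywords above."""
    value = facility if isinstance(facility, int) else FACILITIES[facility]
    if not 0 <= value <= 23:
        raise ValueError("facility must be in 0..23")
    return value


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity, so PRI ranges over 0..191."""
    return facility_value(facility) * 8 + severity_value(severity)


def decode_pri(pri):
    """Inverse of encode_pri: returns (facility_keyword, severity_keyword)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI must be in 0..191")
    return FACILITY_NAMES[pri >> 3], SEVERITY_NAMES[pri & 7]


def matches_selector(pri, selector):
    """True if a message with this PRI is selected by a syslog.conf selector
    such as "auth.warning" or "*.err": the facility must match (or be "*")
    and the message must be at least as severe as the named level."""
    fac, sev = selector.split(".", 1)
    if fac != "*" and facility_value(fac) != pri >> 3:
        return False
    return (pri & 7) <= severity_value(sev)
```

A message tagged auth.warning has PRI 36; it matches `*.notice` and `auth.debug` (thresholds less severe than warning) but not `auth.err`, which is the inclusion rule the paragraph above describes.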

Message

In RFC 3164, the message component (known as MSG) was specified as having these fields: TAG, which should be the name of the program or process that generated the message, and CONTENT which contains the details of the message.

Described in RFC 5424,[4] "MSG is what was called CONTENT in RFC 3164. The TAG is now part of the header, but not as a single field. The TAG has been split into APP-NAME, PROCID, and MSGID. This does not totally resemble the usage of TAG, but provides the same functionality for most of the cases." Popular syslog tools such as Rsyslog conform to this new standard.

The content field should be encoded in a UTF-8 character set and octet values in the traditional ASCII control character range should be avoided.[12][4]
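An added example, not code from the article or from Rsyslog or any other syslog implementation: a parser for both message layouts described in this section (RFC 3164 with its TAG and CONTENT, and RFC 5424 with APP-NAME, PROCID, MSGID and STRUCTURED-DATA) that also strips the optional UTF-8 byte order mark and reports whether MSG contains the ASCII control characters the standard says to avoid. The sample messages are constructed for the example; hostnames, application names and contents are not from any real system. The RFC 3164 branch expects the common TAG[PID]: CONTENT layout and rejects tagless messages.

```python
import re
from dataclasses import dataclass

# Added example, not code from the article or from any syslog daemon:
# parse RFC 3164 ("BSD") and RFC 5424 messages and flag ASCII control
# characters in MSG. A newline or ESC passed through unfiltered lets an
# attacker forge extra log lines or push terminal escapes at whoever tails
# the file, which is why RFC 5424 says such octets should be avoided.

RE_5424_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) (?P<timestamp>\S+) "
    r"(?P<hostname>\S+) (?P<app_name>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
)
# SD-ELEMENT = "[" SD-ID *(SP PARAM-NAME "=" DQUOTE PARAM-VALUE DQUOTE) "]"
RE_SD_ELEMENT = re.compile(
    r'\[(?P<id>[^ =\]"]+)(?P<params>(?: [^ =\]"]+="(?:[^"\\]|\\.)*")*)\]'
)
RE_SD_PARAM = re.compile(r'([^ =\]"]+)="((?:[^"\\]|\\.)*)"')
# Common RFC 3164 shape: <PRI>Mmm dd hh:mm:ss HOST TAG[PID]: CONTENT
RE_3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) (?P<tag>[^:\[ ]+)(?:\[(?P<procid>\d+)\])?: ?(?P<msg>.*)$",
    re.DOTALL,
)
RE_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


@dataclass
class SyslogMessage:
    rfc: int
    facility: int
    severity: int
    timestamp: str
    hostname: str
    app_name: str
    procid: str
    msgid: str
    structured_data: dict
    msg: str
    has_control_chars: bool


def _unescape(value):
    # Inside PARAM-VALUE, '"', '\' and ']' are written with a leading backslash.
    return re.sub(r'\\([\\"\]])', r"\1", value)


def _parse_structured_data(text):
    """Parse STRUCTURED-DATA at the start of text; return (dict, remainder)."""
    if text.startswith("-"):
        return {}, text[1:]
    sd, pos = {}, 0
    while pos < len(text) and text[pos] == "[":
        m = RE_SD_ELEMENT.match(text, pos)
        if m is None:
            raise ValueError("malformed SD-ELEMENT")
        sd[m.group("id")] = {k: _unescape(v)
                             for k, v in RE_SD_PARAM.findall(m.group("params"))}
        pos = m.end()
    if not sd:
        raise ValueError("STRUCTURED-DATA must be '-' or one or more SD-ELEMENTs")
    return sd, text[pos:]


def parse_syslog(line):
    """Parse one RFC 5424 or RFC 3164 message; raise ValueError otherwise."""
    m = RE_5424_HEADER.match(line)
    if m is not None:
        sd, rest = _parse_structured_data(line[m.end():])
        if rest and not rest.startswith(" "):
            raise ValueError("expected SP between STRUCTURED-DATA and MSG")
        msg = rest[1:]
        if msg.startswith("\ufeff"):        # optional BOM marks a UTF-8 MSG
            msg = msg[1:]
        fields = dict(rfc=5424, timestamp=m.group("timestamp"),
                      hostname=m.group("hostname"), app_name=m.group("app_name"),
                      procid=m.group("procid"), msgid=m.group("msgid"),
                      structured_data=sd)
    else:
        m = RE_3164.match(line)
        if m is None:
            raise ValueError("not a recognised syslog message")
        msg = m.group("msg")
        fields = dict(rfc=3164, timestamp=m.group("timestamp"),
                      hostname=m.group("hostname"), app_name=m.group("tag"),
                      procid=m.group("procid") or "-", msgid="-",
                      structured_data={})
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError("PRI out of range")
    return SyslogMessage(facility=pri >> 3, severity=pri & 7, msg=msg,
                         has_control_chars=RE_CONTROL.search(msg) is not None,
                         **fields)


# Constructed sample messages (not captured from any real system).
SAMPLE_5424 = ("<34>1 2024-05-01T10:00:00.003Z host1.example.net su - ID47 - "
               "\ufeff'su root' failed for alice on /dev/pts/8")
SAMPLE_5424_SD = ('<165>1 2024-05-01T10:00:01Z host1.example.net evntslog - ID47 '
                  '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"]'
                  '[origin@32473 path="C:\\\\Temp\\\\x.exe" note="a \\"quoted\\" \\] value"]'
                  ' An application event log entry')
SAMPLE_3164 = "<38>Feb  5 17:32:18 10.0.0.99 sshd[1234]: Accepted publickey for alice"
SAMPLE_INJECTION = ("<38>Feb  5 17:32:18 host1 webapp[311]: login failed for user=bob\n"
                    "Feb  5 17:32:19 host1 sshd[1]: Accepted password for root")
```

SAMPLE_INJECTION is one message whose MSG contains a newline; parsed as a whole it is a single auth.info entry with `has_control_chars` set, but written to a file as-is it would read as two lines, the second a forged sshd success. A collector should escape or drop such bytes before writing rather than trust the originator.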

Logger

Generated log messages may be directed to various destinations including console, files, remote syslog servers, or relays. Most implementations provide a command line utility, often called logger, as well as a software library, to send messages to the log.[13]

To display and monitor the collected logs one needs to use a client application or access the log file directly on the system. The basic command line tools are tail and grep. The log servers can be configured to send the logs over the network (in addition to the local files). Some implementations include reporting programs for filtering and displaying of syslog messages.

Network protocol

When operating over a network, syslog uses a client-server architecture where the server listens on a well-known or registered port for messages from clients. Historically the most common transport layer protocol for network logging has been User Datagram Protocol (UDP), with the server listening on port 514.[14] Because UDP lacks congestion control, Transmission Control Protocol (TCP) is also used: RFC 6587 describes plain TCP, and RFC 5425 maps syslog onto TLS over TCP, with port 6514 registered for it. RFC 5424 requires implementations to support the TLS transport and recommends it for general use.[15][16] Plain UDP and TCP provide neither confidentiality nor sender authentication, so a collector cannot distinguish a spoofed datagram from a genuine one; TLS with certificate authentication (RFC 5425) and signed messages (RFC 5848) are the standardized remedies.
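An added example, not from the article or from any syslog daemon, of the transports this section names: it formats an RFC 5424 message, sends it as one UDP datagram (RFC 5426) and then as octet-counted frames over a TCP connection (RFC 6587), using loopback sockets on ephemeral ports so it runs offline. A real collector would listen on UDP/514 or TCP/514, and the TLS transport (RFC 5425, port 6514) would wrap the TCP socket with Python's ssl module, which is not shown. Hostnames and message text are constructed.

```python
import socket
import datetime

# Added example, not code from the article or from any syslog daemon: build
# an RFC 5424 message and carry it over plain UDP (RFC 5426) and over TCP
# with RFC 6587 octet-counting framing, on loopback sockets with ephemeral
# ports (a collector would bind 514; TLS on 6514 would wrap the TCP socket).
# Hostnames and message text are constructed.

UTF8_BOM = b"\xef\xbb\xbf"


def format_rfc5424(facility, severity, hostname, app_name, msg,
                   procid="-", msgid="-", structured_data="-", timestamp=None):
    """Return one RFC 5424 message as bytes: ASCII header, UTF-8 MSG with BOM."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23, severity 0..7")
    # Header fields are SP-delimited, so a space inside one would shift every
    # later field; refuse rather than let caller-supplied values corrupt it.
    for name, value in (("hostname", hostname), ("app_name", app_name),
                        ("procid", procid), ("msgid", msgid)):
        if not value or " " in value or not value.isascii():
            raise ValueError(f"{name} must be non-empty ASCII without spaces")
    if timestamp is None:
        timestamp = (datetime.datetime.now(datetime.timezone.utc)
                     .strftime("%Y-%m-%dT%H:%M:%S.%fZ"))
    pri = facility * 8 + severity
    header = f"<{pri}>1 {timestamp} {hostname} {app_name} {procid} {msgid} {structured_data}"
    if msg == "":
        return header.encode("ascii")          # MSG is optional
    return header.encode("ascii") + b" " + UTF8_BOM + msg.encode("utf-8")


def frame_octet_counting(message):
    """RFC 6587 octet counting: MSG-LEN SP SYSLOG-MSG. Unlike newline-delimited
    framing, a newline inside MSG cannot split one message into two."""
    return f"{len(message)} ".encode("ascii") + message


def read_octet_counted(sock):
    """Read one octet-counted frame from a stream socket; None at clean EOF."""
    prefix = b""
    while True:
        byte = sock.recv(1)
        if not byte:
            if prefix:
                raise ConnectionError("connection closed inside MSG-LEN")
            return None
        if byte == b" ":
            break
        if not byte.isdigit() or len(prefix) >= 10:
            raise ValueError("bad MSG-LEN prefix")
        prefix += byte
    if not prefix:
        raise ValueError("empty MSG-LEN")
    length, data = int(prefix), b""
    while len(data) < length:
        chunk = sock.recv(length - len(data))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        data += chunk
    return data


def udp_roundtrip(message):
    """Send one datagram to a loopback receiver and return what it received;
    each datagram carries exactly one message, so UDP needs no framing."""
    receiver = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        receiver.bind(("127.0.0.1", 0))      # port 0 = ephemeral; collectors use 514
        receiver.settimeout(2)
        sender.sendto(message, receiver.getsockname())
        data, _source = receiver.recvfrom(65535)
        return data
    finally:
        sender.close()
        receiver.close()


def tcp_roundtrip(messages):
    """Send several framed messages on one TCP connection and read them back."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    client = socket.create_connection(listener.getsockname(), timeout=2)
    server, _peer = listener.accept()
    server.settimeout(2)
    try:
        client.sendall(b"".join(frame_octet_counting(m) for m in messages))
        client.shutdown(socket.SHUT_WR)
        received = []
        while (frame := read_octet_counted(server)) is not None:
            received.append(frame)
        return received
    finally:
        client.close()
        server.close()
        listener.close()
```

The second message in the test below carries a newline in MSG; with octet counting it arrives as one message, whereas the newline-delimited framing that many TCP collectors also accept would split it in two. The `format_rfc5424` check on header fields is the practitioner's guard against an attacker-controlled application or host name that contains a space shifting the remaining header fields.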

Limitations

Since each process, application, and operating system was written independently, there is little uniformity to the payload of the log message. For this reason, no assumption is made about its formatting or contents. A syslog message is formatted (RFC 5424 gives the Augmented Backus–Naur form (ABNF) definition), but its MSG field is not.

The network protocol is simplex communication, with no means of acknowledging the delivery to the originator.

Outlook

Various groups are working on draft standards detailing the use of syslog for more than just network and security event logging, such as its proposed application within the healthcare environment.[17]

Regulations, such as the Sarbanes–Oxley Act, PCI DSS, HIPAA, and many others, require organizations to implement comprehensive security measures, which often include collecting and analyzing logs from many different sources. The syslog format has proven effective in consolidating logs, as there are many open-source and proprietary tools for reporting and analysis of these logs. Utilities exist for conversion from Windows Event Log and other log formats to syslog.

Managed Security Service Providers attempt to apply analytical techniques and artificial intelligence algorithms to detect patterns and alert customers to problems.[18]

Internet standard documents

The Syslog protocol is defined by Request for Comments (RFC) documents published by the Internet Engineering Task Force (Internet standards). The following is a list of RFCs that define the syslog protocol:[19]

  • The BSD syslog Protocol. RFC 3164. (obsoleted by The Syslog Protocol. RFC 5424.)
  • Reliable Delivery for syslog. RFC 3195.
  • The Syslog Protocol. RFC 5424.
  • TLS Transport Mapping for Syslog. RFC 5425.
  • Transmission of Syslog Messages over UDP. RFC 5426.
  • Textual Conventions for Syslog Management. RFC 5427.
  • Signed Syslog Messages. RFC 5848.
  • Datagram Transport Layer Security (DTLS) Transport Mapping for Syslog. RFC 6012.
  • Transmission of Syslog Messages over TCP. RFC 6587.


References

  1. "Eric Allman". Internet Hall of Fame. Retrieved 2017-10-30.
  2. "3 great engineering roles to apply for this week". VentureBeat. 2021-08-06. Retrieved 2021-08-16.
  3. "Efficient and Robust Syslog Parsing for Network Devices in Datacenter Networks".
  4. Gerhards, Rainer. The Syslog Protocol. doi:10.17487/RFC5424. RFC 5424.
  5. "LXer: Patent jeopardizes IETF syslog standard".
  6. "IETF IPR disclosure on HUAWEI's patent claims".
  7. "Syslog Facility". Retrieved 2012-11-22.
  8. "The Ins and Outs of System Logging Using Syslog". SANS Institute.
  9. "syslog.conf(5) - Linux man page". Retrieved 2017-03-29.
  10. "closelog, openlog, setlogmask, syslog - control system log". Retrieved 2017-03-29.
  11. "Severity Levels for Syslog Messages". Retrieved 2021-08-16.
  12. "Transmission of Syslog Messages over TCP". Retrieved 2021-08-16.
  13. "logger Command". Retrieved 2021-08-16.