# The logging system

## The rsyslog Logging Daemon

Linux logs through a daemon called `syslogd`, with some variation between distributions; Debian uses `rsyslog`, which is what I use, so that is what this page covers.

We can locate the files related to it with `locate`:

```bash
$ locate rsyslog
/etc/rsyslog.conf
/etc/rsyslog.d
/etc/default/rsyslog
/etc/init.d/rsyslog
/etc/logcheck/ignore.d.server/rsyslog
/etc/logrotate.d/rsyslog
```

### rsyslog.conf

There is a lot going on in this file, and we focus on line 55 and below. If you can't find the rules there, you should see the following include directive instead, which means the rules are stored in other files:

```bash
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
```

#### The RULES

These are the rules. They determine what kind of information is logged, which programs have their messages logged, and where that log is stored:

```bash
auth,authpriv.*			/var/log/auth.log
*.*;auth,authpriv.none		-/var/log/syslog
#cron.*				/var/log/cron.log
#daemon.*			-/var/log/daemon.log
kern.*				-/var/log/kern.log
#lpr.*				-/var/log/lpr.log
mail.*				-/var/log/mail.log
#user.*				-/var/log/user.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
#mail.info			-/var/log/mail.info
#mail.warn			-/var/log/mail.warn
mail.err			/var/log/mail.err
```

The rule will look like this:

```bash
facility.priority      action
```

The facility (roughly, the originating program) meanings:

`auth, authpriv` Security/authorization messages

`cron` Clock daemons

`daemon` Other daemons

`kern` Kernel messages

`lpr` Printing system

`mail` Mail system

`user` Generic user level messages

If the **priority** is set to `*` (wildcard), all **priorities** are logged (a named priority matches that level and everything more severe); likewise, if the **facility** is set to `*`, all **facilities** are logged at the priority that has been set.

The list of all valid priorities

<table data-full-width="true"><thead><tr><th width="159.25">Keyword(s)</th><th width="151.5">Numerical Value</th><th>Description</th></tr></thead><tbody><tr><td><strong><code>debug</code></strong></td><td>7</td><td>Detailed information for debugging applications. Typically turned off in production.</td></tr><tr><td><strong><code>info</code></strong></td><td>6</td><td>Informational messages. Normal operational data, like a service starting or stopping.</td></tr><tr><td><strong><code>notice</code></strong></td><td>5</td><td>Normal but significant conditions. Events that are not errors but may warrant attention.</td></tr><tr><td><strong><code>warning</code></strong> / <strong><code>warn</code></strong></td><td>4</td><td>Warning conditions. Potential issues that do not (yet) cause an error but could if not addressed.</td></tr><tr><td><strong><code>err</code></strong> / <strong><code>error</code></strong></td><td>3</td><td>Error conditions. Non-urgent failures that typically don't halt the system or a major service.</td></tr><tr><td><strong><code>crit</code></strong></td><td>2</td><td>Critical conditions. Urgent failures, such as a corrupt database or loss of a primary network link.</td></tr><tr><td><strong><code>alert</code></strong></td><td>1</td><td>Action must be taken immediately. A condition that requires an administrator's immediate intervention.</td></tr><tr><td><strong><code>emerg</code></strong> / <strong><code>panic</code></strong></td><td>0</td><td>Emergency: system is unusable. The system is in a catastrophic state and is likely to crash.</td></tr></tbody></table>

So `mail.* -/var/log/mail.log` logs all mail events to the `/var/log/mail.log` file (the leading `-` tells rsyslog it may buffer writes to that file instead of syncing after every message).
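To see how the selectors above actually resolve, here is an added example (not code from the page) that parses the active rules from the excerpt and reports which actions a given facility/priority pair lands in. It models only the legacy `facility.priority action` syntax, including `;`-joined selectors, comma-separated facilities, `*` and `none`.

```python
"""Resolve which actions a classic rsyslog ruleset routes a message to (added example)."""
import re

# Priorities as syslog numbers them: a lower value is more severe.
PRIORITIES = {"debug": 7, "info": 6, "notice": 5, "warning": 4, "warn": 4,
              "err": 3, "error": 3, "crit": 2, "alert": 1, "emerg": 0, "panic": 0}

# The active rules from the page's rsyslog.conf excerpt.
RULES = """
auth,authpriv.*            /var/log/auth.log
*.*;auth,authpriv.none     -/var/log/syslog
kern.*                     -/var/log/kern.log
mail.*                     -/var/log/mail.log
mail.err                   /var/log/mail.err
"""

def parse_rules(text):
    """Turn each non-comment line into ([(facilities, priority_spec), ...], action)."""
    rules = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        selector, action = re.split(r"\s+", line, maxsplit=1)
        parts = []
        for sel in selector.split(";"):
            facilities, spec = sel.rsplit(".", 1)
            parts.append((facilities.split(","), spec))
        rules.append((parts, action))
    return rules

def priority_selected(spec, priority):
    """'none' excludes the facility, '*' takes every priority, a name takes it and anything more severe."""
    if spec == "none":
        return False
    if spec == "*":
        return True
    return PRIORITIES[priority] <= PRIORITIES[spec]

def route(facility, priority, text=RULES):
    """Return the actions a message hits; within one rule, later ';' selectors override earlier ones."""
    actions = []
    for parts, action in parse_rules(text):
        selected = False
        for facilities, spec in parts:
            if "*" in facilities or facility in facilities:
                selected = priority_selected(spec, priority)
        if selected:
            actions.append(action)  # a leading '-' means rsyslog may buffer writes to that file
    return actions
```

For instance, an `auth` message goes only to `/var/log/auth.log`, because the second rule's `auth,authpriv.none` overrides its `*.*`.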

## Cleaning logs with logrotate

Use `logrotate` to rotate and clean up the log files.

You can edit `/etc/logrotate.conf` with a text editor to change the defaults:

```bash
$ cat /etc/logrotate.conf
# see "man logrotate" for details

# global options do not affect preceding include directives

# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# use date as a suffix of the rotated file
#dateext

# uncomment this if you want your log files compressed
#compress

# packages drop log rotation information into this directory
include /etc/logrotate.d

# system-specific logs may also be configured here.
```

## Stealth as we must

### shred it

Besides `rm` there is another interesting tool, `shred` (similar to `cipher` on Windows).

`rm` deletes the reference; `shred` destroys the data. `shred` overwrites the file's actual contents multiple times with random patterns.

`shred` is ideal for securely deleting sensitive files, such as the log files here.

```bash
$ shred <secret.log>          # by default it overwrites the file 3 times
$ shred -f -n 10 <secret.log> # -f changes permissions to allow writing if necessary; -n N overwrites N times
```

### Disable logging

When attackers take over the whole system they disable logging to stay stealthy, but as I said, controlling the whole system means this requires root privileges.

Syntax and example:

```bash
$ service servicename start|stop|restart

$ service rsyslog stop # yes, it is that easy
```
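Stopping the daemon this way sends it SIGTERM, which rsyslogd records in the log before exiting, and afterwards nothing is written at all. The following added example (not from the page) shows the defender's side: it parses a constructed syslog excerpt and flags both the recorded rsyslogd exit and any long stretch with no lines whatsoever. The hostname, PIDs and timestamps are made up, and the year is supplied by the caller because the classic format carries none.

```python
"""Flag rsyslogd shutdowns and silent gaps in a syslog stream (added example, not from the page)."""
from datetime import datetime, timedelta

# Constructed sample lines (hostname, PIDs and times are made up).
# An orderly `service rsyslog stop` sends SIGTERM, which rsyslogd logs before it exits.
SAMPLE_SYSLOG = """\
Mar  3 10:00:01 host rsyslogd: [origin software="rsyslogd" swVersion="8.x" x-pid="812"] start
Mar  3 10:05:12 host sshd[1432]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Mar  3 10:06:40 host rsyslogd: [origin software="rsyslogd" swVersion="8.x" x-pid="812"] exiting on signal 15.
Mar  3 12:30:02 host rsyslogd: [origin software="rsyslogd" swVersion="8.x" x-pid="2210"] start
Mar  3 12:31:15 host CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)
"""

def parse_line(line, year=2024):
    """Split a classic 'Mon dd hh:mm:ss host prog[pid]: msg' line into (timestamp, prog, msg)."""
    stamp = line[:15]                      # the classic format has no year, so the caller supplies one
    _host, rest = line[16:].split(" ", 1)
    prog, msg = rest.split(": ", 1)
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, prog.split("[")[0], msg     # drop the [pid] suffix from the program name

def find_logging_gaps(text, max_gap=timedelta(minutes=30)):
    """Return ('rsyslogd_exit', ts) for each recorded shutdown and
    ('silent_gap', start, end) for any stretch longer than max_gap with no lines at all."""
    findings = []
    prev = None
    for line in text.splitlines():
        ts, prog, msg = parse_line(line)
        if prog == "rsyslogd" and "exiting on signal" in msg:
            findings.append(("rsyslogd_exit", ts))
        if prev is not None and ts - prev > max_gap:
            findings.append(("silent_gap", prev, ts))
        prev = ts
    return findings

if __name__ == "__main__":
    for finding in find_logging_gaps(SAMPLE_SYSLOG):
        print(*finding)
```

The gap check also catches the case where the daemon was killed without getting the chance to log its own exit, which the exit-message check alone would miss.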

