KVM | Security Onion Log Management
Basic of Syslog Standard
When logs are collected with syslog mechanism, three important things must be taken into consideration:
- Facility level:what type of processes to monitor
- Severity (priority) level:what type of log messages to collect
- Destination:where to send or record log messages
Let's take a look at how the configuration is defined in more detail.
The facility levels define a way to categorize internal system processes. Some of the common standard facilities in Linux are:
- auth: messages related to authentication (login)
- cron:messages related to scheduled processes or applications
- daemon: messages related to daemons (internal servers)
- kernel: messages related to the kernel
- mail: messages related to internal mail servers
- syslog: messages related to the syslog daemon itself
- lpr: messages related to print servers
- local0 - local7:messages defined by user (local7 is usually used by Cisco and Windows servers)
The severity (priority) levels are standardized, and defined by using standard abbreviation and an assigned number with number 7 being the highest level of all. These levels are:
- emerg: Emergency - 0
- alert: Alerts - 1
- crit:Critical - 2
- err: Errors - 3
- warn: Warnings - 4
- notice: Notification - 5
- info: Information - 6
- debug: Debugging - 7
Finally, the destination statement enforces a syslog client to perform one of three following tasks: (1) save log messages on a local file, (2) route them to a remote syslog server over TCP/UDP, or (3) send them to stdout such as a console. |
Source/Quellen:
- https://securityonion.net/
- https://github.com/Security-Onion-Solutions/security-onion/wiki/IntroductionToSecurityOnion
- https://github.com/Security-Onion-Solutions/security-onion/wiki/Tools
- https://www.youtube.com/channel/UCEt-VQX8pxvDPuB7fip5b0g
-
-