Log files form the lifeline of any system administrator. They help pinpoint any discrepancies in the day-to-day functioning of the OS.
Why you should monitor log files
Monitoring log files will help detect the following:
- Equipment problems such as hard disk crashes or power outages.
- User problems such as repeated login failures.
- Security breaches from outside the system.
Most common log files
These are the most important log files you should keep track of on your system.
/var/log/messages - Logs most system messages.
/var/log/secure - Authentication messages, xinetd service messages, etc. are logged here.
/var/log/cron - Cron job activities are logged to this file.
/var/log/maillog - Mail transactions.
These log files contain detailed information about the respective functions they track.
For example, the information contained in /var/log/messages includes the following:
- Date and time the message was written.
- Name of the utility, program or daemon that caused the message.
- Action that occurred.
- Executing program's hostname.
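The fields listed above are what a monitoring script has to pull apart before it can do anything useful. The following is an added example, not code from the original page: it parses the traditional syslog line layout (date and time, hostname, program with optional PID, action) and then applies it to the "repeated login failures" case mentioned earlier by counting failed SSH logins per source address. The sample lines are constructed for the example and are not from any real system; the hostnames, addresses and threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the layout described above:
#   <date/time> <hostname> <program>[<pid>]: <action>
# They are not from a real system; addresses are documentation ranges.
SAMPLE_LINES = [
    "Mar  3 09:12:01 web01 sshd[2210]: Accepted publickey for ravi from 192.0.2.10 port 51022 ssh2",
    "Mar  3 09:12:44 web01 sshd[2231]: Failed password for root from 198.51.100.7 port 40412 ssh2",
    "Mar  3 09:12:47 web01 sshd[2231]: Failed password for root from 198.51.100.7 port 40412 ssh2",
    "Mar  3 09:12:51 web01 sshd[2231]: Failed password for root from 198.51.100.7 port 40412 ssh2",
    "Mar  3 09:13:05 web01 crond[2290]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar  3 09:13:30 web01 sshd[2305]: Failed password for invalid user admin from 203.0.113.9 port 3344 ssh2",
    "Mar  3 09:14:02 web01 kernel: sd 0:0:0:0: [sda] Unrecovered read error",
]

# Timestamp, host, program (PID optional: the kernel logs without one), action.
LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\[\]:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<action>.*)$"
)

# Shape of an sshd failed-login message (assumed, based on the sample lines).
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_line(line):
    """Split one syslog line into its fields; return None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


def failed_logins_by_source(lines):
    """Count sshd 'Failed password' messages per source address."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["program"] != "sshd":
            continue
        m = FAILED_RE.search(rec["action"])
        if m:
            counts[m.group("src")] += 1
    return counts


def repeated_failures(lines, threshold=3):
    """Sources with at least `threshold` failed logins (the threshold is an assumption)."""
    counts = failed_logins_by_source(lines)
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
    print("repeated failures from:", repeated_failures(SAMPLE_LINES))
```

Authentication messages on a Red Hat system land in /var/log/secure rather than /var/log/messages, but both files use the same line layout, so the same parser applies; only the file you read changes.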
Many applications also create their own log files which may also need to be monitored.
Syslog is the software that manages all the logging in Linux.
Fedora, Red Hat, and Debian have migrated to Rsyslog, which is superior to Syslog, but the Syslog syntax is still supported.
The Syslog software consists of two daemons, syslogd and klogd.
In RedHat/Fedora, you start Syslog as a service as shown below.
# service syslog start
This will start both syslogd and klogd daemons.
You can learn more about starting and stopping services in Linux by reading the tutorial "Enabling and disabling services in Linux".
Syslog daemons read the configuration file /etc/syslog.conf and start logging messages accordingly.
Functions of Syslog
syslogd - Receives messages from other applications.
klogd - Logs kernel messages.
Syslogd and Klogd configuration
These two daemons are configured using the /etc/syslog.conf file. The format of the file is quite simple, as shown below:
# Format used in syslog.conf file
facility.priority log_location
... where facility can be any of the following:
authpriv - security / authorization messages
cron - clock daemons (atd and crond)
daemon - other daemons
kern - kernel messages
local[0-7] - reserved for local use
lpr - printing system
news - news system
syslog - internal syslog messages
user - generic user level messages
... and the priorities are as follows:
debug - debugging information
info - general informative messages
notice - normal, but significant, condition
warning - warning messages
err - error condition
crit - critical condition
alert - immediate action required
emerg - system no longer available
Each time you make changes to the /etc/syslog.conf file, you have to restart syslog to bring those changes into effect.
Examples of Syslog configuration
The following examples show entries in a typical /etc/syslog.conf file and their meaning.
The above rule will direct all kernel informational messages to the first console.
For example, after entering this rule, and restarting syslogd and klogd, try restarting a service. You will find the message on your /dev/tty0 console.
This will send all critical mail messages to the console logged in by the users - root and ravi.
Everybody gets emergency messages from all facilities.
Log all kernel messages except those with priority info, and all mail messages other than debug, to the file my_special_messages.
Do not log private authentication messages.
Special operators used in the /etc/syslog.conf file
As shown in the examples above, logging can be further specified with certain operators. They are as follows:
= - Log only this exact priority.
! - Exclude this facility or priority.
* - Log all facilities / priorities.
Specify a comma-separated list of users who will be notified.
You can also log to a named pipe (|/name/of/pipe) for use with external logging programs. The pipe has to exist before syslogd starts.
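Because a selector is built up left to right ("facility.priority" means that priority and higher, "=" narrows it to one priority, "!" subtracts, "none" clears a facility, and "*" means everything), it is easy to misjudge which file a given message ends up in. The following is an added example, not code from the original page or from the syslog project: a small model of how syslogd evaluates /etc/syslog.conf rules, modelled on the sysklogd syslog.conf(5) semantics ("!pri" excludes pri and higher, "!=pri" excludes exactly pri). The rule lines embedded in it are constructed to match the worded descriptions in the two sections above (first console, critical mail to root and ravi, emergencies to everybody, the my_special_messages file, no private authentication messages, a named pipe); they are not the page's own example entries. The "mail" facility is added because the examples refer to it; the file and pipe paths are assumptions.

```python
# Priority names in the page's order, lowest to highest severity.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
# Facility names from the page, plus "mail", which the examples refer to.
FACILITIES = (["authpriv", "cron", "daemon", "kern", "lpr", "mail", "news",
               "syslog", "user"] + [f"local{i}" for i in range(8)])

# Constructed syslog.conf rules matching the descriptions above (added example,
# not the page's own file); paths are assumptions.
CONF = """
kern.info                                  /dev/tty0
mail.crit                                  root,ravi
*.emerg                                    *
kern.*;kern.!=info;mail.*;mail.!=debug     /var/log/my_special_messages
*.info;authpriv.none                       /var/log/messages
authpriv.*                                 /var/log/secure
local0.alert                               |/var/run/alert.pipe
"""


def _priority_set(spec):
    """Priorities selected by one spec: 'info' is info and higher, '=info' exactly info."""
    exact = spec.startswith("=")
    name = spec[1:] if exact else spec
    if name == "*":
        return set(range(len(PRIORITIES)))
    idx = PRIORITIES.index(name)  # an unknown priority name raises ValueError
    return {idx} if exact else set(range(idx, len(PRIORITIES)))


def parse_rule(line):
    """Parse 'selector[;selector...]  action' into ({facility: {priority idx}}, action)."""
    selectors, action = line.split(None, 1)
    wanted = {}
    for sel in selectors.split(";"):
        facs, _, pri = sel.rpartition(".")
        fac_list = FACILITIES if facs == "*" else facs.split(",")
        for fac in fac_list:
            if fac not in FACILITIES:
                raise ValueError(f"unknown facility {fac!r}")
            current = wanted.setdefault(fac, set())
            if pri == "none":          # clear everything for this facility
                wanted[fac] = set()
            elif pri.startswith("!"):  # '!' subtracts what the rest of the spec selects
                current -= _priority_set(pri[1:])
            else:                      # plain spec adds to the facility's set
                current |= _priority_set(pri)
    return wanted, action.strip()


def load_conf(text):
    """Parse every non-blank, non-comment line of a syslog.conf-style text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.append(parse_rule(line))
    return rules


def route(rules, facility, priority):
    """Actions, in file order, that receive a message logged as facility.priority."""
    idx = PRIORITIES.index(priority)
    return [action for wanted, action in rules if idx in wanted.get(facility, set())]


def describe_action(action):
    """Classify the action field using the forms listed above."""
    if action == "*":
        return ("all logged-in users", None)
    if action.startswith("|"):
        return ("named pipe", action[1:])
    if action.startswith("/"):
        return ("file or device", action)
    return ("users", action.split(","))


RULES = load_conf(CONF)

if __name__ == "__main__":
    for fac, pri in [("kern", "info"), ("mail", "debug"), ("authpriv", "notice")]:
        print(f"{fac}.{pri} ->", [describe_action(a) for a in route(RULES, fac, pri)])
```

Two results are worth checking against your own file: an authpriv notice reaches only /var/log/secure, because "authpriv.none" in the /var/log/messages rule clears that facility even though "*.info" selected it a moment earlier in the same line; and a mail debug message reaches nothing, since "mail.!=debug" removes the one priority that "mail.*" added and "*.info" never included debug in the first place.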
Linux has a very robust logging mechanism, and its strong point is that it lets you change the parameters by editing plain text files, /etc/syslog.conf in this case.
I hope you have enjoyed reading this short guide on how to configure logging in Linux.