System Logging explained in Linux

September 29, 2005
This short guide explains the concept of system logging in Linux.

Log files form the life line of any system administrator. They help pin point any discrepancies in the day to day functioning of the OS.

Why you should monitor log files

Monitoring log files will help detect the following:

  • Equipment problems such as hard disk crashes or power outages.
  • User problems such as repeated login failures.
  • Security breaches from outside the system.

Most common log files

These are the most important log files you should keep track in your system.

/var/log/messages - Logs most system messages

/var/log/secure - Authentication messages, xinetd services etc are logged here.

/var/log/cron - Cron job activities are logged to this file.

/var/log/maillog - Mail transactions.

These log files contain detailed information about the respective functions they track.

For example, the information contained in /var/log/messages include the following:

  • Date and time the message was written.
  • Name of the utility, program or daemon that caused the message.
  • Action that occurred.
  • Executing program's hostname.

Many applications also create their own log files which may also need to be monitored.


Syslog is the software that manages all the logging in Linux.

Fedora, Red Hat, and Debian have migrated to Rsyslog which is superior to Syslog. But Syslog syntax is still supported.

Syslog software consists of two daemons namely - syslogd and klogd.

In RedHat/Fedora, you start Syslog as a service as shown below.

# service syslog start

This will start both syslogd and klogd daemons.

You can learn more about starting and stopping services in Linux, by reading the tutorial -
Enabling and disabling services in Linux.

Syslog daemons read the configuration file /etc/syslog.conf and start logging messages accordingly.

Functions of Syslog

syslogd - Receives messages from other applications.

klogd - Logs kernel messages.

Syslogd and Klogd configuration

These two daemons are configured using the /etc/syslog.conf file. The format of the file is quite simple as shown below :

#Format used in syslog.conf file
facility.priority log_location

... where facility can be any of the following:

authpriv - security / authorization messages

cron - clock daemons (atd and crond)

daemon - other daemons

kern - kernel messages

local[0-7] - reserved for local use

lpr - printing system

mail - mail system

news - news system

syslog - internal syslog messages

user - generic user level messages

... and the priorities are as follows:

debug - debugging information

info - general informative messages

notice - normal, but significant, condition

warning - warning messages

err - error condition

crit - critical condition

alert - immediate action required

emerg - system no longer available

Each time you make changes to the /etc/syslog.conf file, you have to restart syslog to bring those changes into effect.

Examples of Syslog configuration

The following examples show entries in a typical /etc/syslog.conf file and their meaning. /dev/tty0

The above rule will direct all kernel informational messages to the first console.

For example, after entering this rule, and restarting syslogd and klogd, try restarting a service. You will find the message on your /dev/tty0 console.

mail.crit ravi,root

This will send all critical mail messages to the console logged in by the users - root and ravi.

*.emerg *

Everybody gets emergency messages from all facilities.

kern.=!info;mail.=!debug /var/log/my_special_messages

Log all kernel messages except with priority info and all mail messages other than debug to the file my_special_messages.

authpriv.none;cron.none /var/log/messages

Do not log private authentication messages.

Special operators used in the /etc/syslog.conf file

As shown in the examples above, logging can be further specified with certain operators. They are as follows -

= - Log on only this exact priority.

! - Exclude this facility or priority.

* - Log all facilities / priorities.

Specify a comma separated list of users who will be notified.

You can also use a named pipe (|) for use with external logging programs (|/name/of/pipe). The pipe has to exist before syslogd starts.

Linux has a very good robust logging mechanism. And its strong point is that it enables one to change the parameters by editing plain text files - /etc/syslog.conf in this case.

I hope you have enjoyed reading this short guide on how to configure logging in Linux.