108.2. System logging
Weight: 3
Description: Candidates should be able to configure the syslog daemon. This objective also includes configuring the logging daemon to send log output to a central log server or accept log output as a central log server. Use of the systemd journal subsystem is covered. Also, awareness of rsyslog and syslog-ng as alternative logging systems is included.
Key Knowledge Areas:
Configuration of the syslog daemon
Understanding of standard facilities, priorities and actions
Configuration of logrotate
Awareness of rsyslog and syslog-ng
Terms and Utilities:
syslog.conf
syslogd
klogd
/var/log/
logger
logrotate
/etc/logrotate.conf
/etc/logrotate.d/
journalctl
/etc/systemd/journald.conf
/var/log/journal/
Why Logging?
A Linux system has many subsystems and applications running. We use system logging to gather data about our running system from the moment it boots. Sometimes we just need to know that all is well. At other times we use this data for auditing, debugging, knowing when a disk or other resource is running out of capacity, and many other purposes.
syslog
Syslog is a standard for sending and receiving notification messages–in a particular format–from various network devices. The messages include time stamps, event messages, severity, host IP addresses, diagnostics and more.
syslogd
The syslog daemon is a server process that provides a message logging facility for application and system processes. Unfortunately, Linux logging is one of the aspects of Linux that is in a transition phase. The traditional syslog facility and its syslogd daemon have been supplemented by other logging facilities such as rsyslog, syslog-ng, and the systemd journal subsystem.
syslog.conf
The syslog.conf file is the main configuration file for the syslogd. Whenever syslogd receives a log message, it acts based on the message's type (or facility) and its priority (called selector fields).
Facilities are simply categories. Some facilities in Linux are: auth, user, kern, cron, daemon, mail, local1, local2, ...
auth
user : User-level messages
kern : Kernel messages
cron : Clock daemon
daemon : System daemons
mail : Mail system
local0 – local7 : Locally used facilities
Priorities: Unlike facilities, which have no relationship to each other, priorities are hierarchical. Possible priorities in Linux are: emerg/panic, alert, crit, err/error, warn/warning, notice, info, debug
emerg : System is unusable
alert : Action must be taken immediately
crit : Critical conditions
err : Error conditions
warning : Warning conditions
notice : Normal but significant conditions
info : Informational messages
debug : Debug-level messages
If we log a specific priority, all messages with a more important priority are logged too.
Action: Each line in this file specifies one or more facility/priority selectors followed by an action. In the action field we can have things like:
action | example | notes |
filename | /var/log/messages | Writes logs to specified file |
username | user2 | Will notify that person on the screen |
@ip | @192.168.10.42 | Will send logs to specified log server and that server decides how to treat logs based on its configs. |
In the following syslog.conf line, mail.notice is the selector and /var/log/mail is the action (i.e., “write messages to /var/log/mail”):
Within the selector, “mail” is the facility (message category) and “notice” is the level of priority. You can see part of syslog.conf (CentOS6):
* : wildcard, signifying “any facility” or “any priority”
dash - : means it can use memory cache (don't waste time constantly writing to the disk)
equal sign = : to log ONLY one specific level of priority.
facility.=priority action
There is also the /etc/rsyslog.d/ directory; it is better for software packages and admins to add their specific configs there instead of editing the main configuration file (see Ubuntu16).
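The matching rules above (hierarchical priorities, the * wildcard and the = prefix) can be modelled in a few lines of shell. This is an added example, not code from the original page or from syslogd itself; the function names prio_num and selector_matches are made up for illustration, and only a single facility.priority selector is handled.

```shell
#!/bin/sh
# prio_num: map a priority keyword to its severity number (0 = most severe).
prio_num() {
    case "$1" in
        emerg|panic)  echo 0 ;;
        alert)        echo 1 ;;
        crit)         echo 2 ;;
        err|error)    echo 3 ;;
        warning|warn) echo 4 ;;
        notice)       echo 5 ;;
        info)         echo 6 ;;
        debug)        echo 7 ;;
        *)            return 1 ;;
    esac
}

# selector_matches SELECTOR FACILITY PRIORITY
# Exit status 0 if a message with FACILITY and PRIORITY is selected by one
# "facility.priority" selector; 1 if not; 2 on an unknown priority keyword.
selector_matches() {
    sel_fac=${1%%.*}
    sel_pri=${1#*.}
    msg_num=$(prio_num "$3") || return 2

    # Facility must be the same name or the "*" wildcard.
    [ "$sel_fac" = "*" ] || [ "$sel_fac" = "$2" ] || return 1

    case "$sel_pri" in
        \*) return 0 ;;                          # any priority
        =*) sel_num=$(prio_num "${sel_pri#=}") || return 2
            [ "$msg_num" -eq "$sel_num" ] ;;     # exactly this priority
        *)  sel_num=$(prio_num "$sel_pri") || return 2
            [ "$msg_num" -le "$sel_num" ] ;;     # this priority or more severe
    esac
}

# Constructed sample messages checked against the page's mail.notice selector.
for msg in mail.err mail.notice mail.info cron.err; do
    if selector_matches mail.notice "${msg%%.*}" "${msg#*.}"; then
        echo "$msg -> logged"
    else
        echo "$msg -> ignored"
    fi
done
```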
klogd
How do boot-time kernel messages get logged before a file system is even mounted? The kernel stores messages in a ring buffer in memory. The klogd daemon processes these messages directly to a console, or a file such as /var/log/dmesg, or through the syslog facility.
/var/log
Almost all log files are located under the /var/log directory and its sub-directories on Linux (CentOS6).
You can use your favorite text editor or less or tail commands in conjunction with grep to read these log files.
creating rsyslog listener
We can create an rsyslog listener and catch other systems' log messages. That is pretty easy.
Finally, do not forget to restart the service: systemctl restart rsyslog.
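One way to set up such a listener, as an added example that is not from the original page: it assumes rsyslog v8 RainerScript syntax, TCP port 514, and the hypothetical names 10-remote-listener.conf, remote and PerHostFile.

```shell
#!/bin/sh
# write_listener_conf [DIR]: write a drop-in that accepts remote logs over TCP.
# File name, ruleset name and template name are assumptions for illustration.
write_listener_conf() {
    conf_dir=${1:-/etc/rsyslog.d}
    conf_file="$conf_dir/10-remote-listener.conf"
    cat > "$conf_file" <<'EOF'
# Plain TCP syslog is neither authenticated nor encrypted: allow port 514
# in the firewall only from the hosts that are expected to send logs.
module(load="imtcp")

# Bind the input to its own ruleset so remote messages never mix with
# this host's local logs.
input(type="imtcp" port="514" ruleset="remote")

# One file per sending IP. fromhost-ip comes from the connection, not from
# the hostname field inside the message, which the sender controls.
template(name="PerHostFile" type="string"
         string="/var/log/remote/%fromhost-ip%.log")

ruleset(name="remote") {
    action(type="omfile" dynaFile="PerHostFile")
}
EOF
    echo "$conf_file"
}

# client_forward_line SERVER: the line a sending host adds to its own config.
# "@@" forwards over TCP; a single "@" (as in the action table) uses UDP.
client_forward_line() {
    echo "*.* @@$1:514"
}

# Usage on the log server (as root), checking the syntax before the restart:
#   write_listener_conf && rsyslogd -N1 && systemctl restart rsyslog
```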
journalctl
Systemd also has its own journaling program called journald, which stores its data in binary files. We can't simply read text files (as we did with syslog/rsyslog), so we have to use a special tool called journalctl to access them (CentOS7):
As we mentioned earlier, Linux logging is one of the aspects of Linux that is undergoing change. Distributions with systemd have journald; besides that, some of them still keep rsyslog and others do not. Try to find out which logging system your Linux uses.
/etc/systemd/journald.conf
The journald config file is located at /etc/systemd/journald.conf (CentOS7).
logger
The Linux logger command provides an easy way to generate some logs (CentOS6),
and they will appear in /var/log/syslog (or /var/log/messages):
logrotate
With the amount of logging that is possible, we need to be able to control the size of log files. This is done using the logrotate utility, which is usually run as a cron job.
The important files to pay attention to are:
/usr/sbin/logrotate -- the logrotate command itself (the executable)
/etc/cron.daily/logrotate -- the shell script that runs logrotate on a daily basis (note that it might be /etc/cron.daily/logrotate.cron on some systems)
/etc/logrotate.conf -- the log rotation configuration file
Another important file is /etc/logrotate.d, included in the process through this line in the /etc/logrotate.conf file:
/etc/logrotate.conf
Use the /etc/logrotate.conf configuration file to specify how your log rotating and archiving should happen.
Each log file may be handled daily, weekly, monthly, or when it grows too large.
parameter | meaning |
missingok | don’t write an error message if the log file is missing |
daily, weekly, monthly | rotate logs daily, weekly, monthly |
rotate N | keep the latest N logs and delete the older ones |
compress | compress the log (creates gz files) |
create mode owner group | Immediately after rotation (before the postrotate script is run) the log file is created with this access mode and owner |
minsize N | Log files are rotated when they grow bigger than size bytes, but not before the additionally specified time interval (daily, ...) |
This file contains some default settings and sets up rotation for a few logs that are not owned by any system packages. It also uses an include statement to pull in configuration from any file in the /etc/logrotate.d directory (CentOS6).
/etc/logrotate.d
Any packages we install that need help with log rotation will place their logrotate configuration here.
These are the meanings of some of these parameters:
parameter | meaning |
missingok | don’t write an error message if the log file is missing |
notifempty | don’t rotate the log file if it is empty. |
sharedscripts | Run prerotate and postrotate scripts for every log file which is rotated |
delaycompress | Postpone compression of the previous log file to the next rotation cycle |
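A drop-in that combines the parameters from the tables above, as an added example rather than a file shipped by any package: the service name myapp, its log path, its pid file and the root/adm ownership are assumptions.

```shell
#!/bin/sh
# write_myapp_rotation [DIR]: write a logrotate drop-in for a hypothetical
# service "myapp" and print the path of the file that was written.
write_myapp_rotation() {
    conf_dir=${1:-/etc/logrotate.d}
    cat > "$conf_dir/myapp" <<'EOF'
/var/log/myapp/*.log {
    weekly
    rotate 8
    minsize 1M
    missingok
    notifempty
    compress
    delaycompress
    create 0640 root adm
    sharedscripts
    postrotate
        # Ask the daemon to reopen its log files (hypothetical pid file).
        [ -f /run/myapp.pid ] && kill -HUP "$(cat /run/myapp.pid)" || true
    endscript
}
EOF
    echo "$conf_dir/myapp"
}

# check_rotation FILE: dry run. -d prints what logrotate would do with this
# configuration without rotating or modifying any log file.
check_rotation() {
    if command -v logrotate >/dev/null 2>&1; then
        logrotate -d "$1"
    else
        echo "logrotate not installed; skipped dry run" >&2
    fi
}

# Usage (as root): check_rotation "$(write_myapp_rotation)"
```

The create 0640 line keeps the freshly created log unreadable for other users, which matters when application logs contain user names, addresses or tokens.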
That's all!