System Logs

Files

/etc/syslog.conf – configuration file for sysylogd in Red Hat
/etc/rsyslog.conf – configuration file for syslogs in Debian. Consists rules of the form: (facility) .(level ) (action)

rsyslog.conf contains:

# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
less 50   
...
...
...
/var/log/* # log files are found

syslog facility shows where the log messages come from:
authpriv — security/authorization messages (private)
cron — clock daemon (cron and at)
daemon — system daemons without separate facility
value
ftp — ftp daemon
kern — kernel messages
local0. . . local7 — reserved for local use
lpr — line printer subsystem
mail — mail subsystem
news — USENET news subsystem
syslog — messages generated internally by syslogd
user — generic user-level message
uucp — UUCP subsystem

security threshhold beyond which messages are logged in decreasing importance:
emerg — system is unusable
alert — action must be taken immediately
crit — critical conditions
err — error conditions
warning — warning conditions
notice — normal, but significant, condition
info — informational message
debug — debug-level message

syslog actions can be:
– filename (with full pathname), or
– a hostname preceded with ‘@’, or
– a comma-separated list of users, or
– an asterisk ‘*’ meaning all logged in users

logrotate

logrotate rotates, compresses, and mails system logs. Main configuration file is stored in /etc/logrotate.conf but most configuration belongs to the software packages, which put a file into directory /etc/logrotate.d/.

Examining Log Files

tail -f – watch log files in real time
e.g.:

sudo tail -f /var/log/messages
sudo less /var/log/messages

each syslog message contains:
date and time – machine’s local time
hostname – hostname of the ,achine that generated the message
program or user – that generates the message
message text