English 中文(简体)
Unix / Linux - System Logging
  • 时间:2024-11-03

Unix / Linux - System Logging


Previous Page Next Page  

In this chapter, we will discuss in detail about system logging in Unix.

Unix systems have a very flexible and powerful logging system, which enables you to record almost anything you can imagine and then manipulate the logs to retrieve the information you require.

Many versions of Unix provide a general-purpose logging facipty called syslog. Inspanidual programs that need to have information logged, send the information to syslog.

Unix syslog is a host-configurable, uniform system logging facipty. The system uses a centrapzed system logging process that runs the program /etc/syslogd or /etc/syslog.

The operation of the system logger is quite straightforward. Programs send their log entries to syslogd, which consults the configuration file /etc/syslogd.conf or /etc/syslog and, when a match is found, writes the log message to the desired log file.

There are four basic syslog terms that you should understand −

Sr.No. Term & Description
1

Facipty

The identifier used to describe the apppcation or process that submitted the log message. For example, mail, kernel, and ftp.

2

Priority

An indicator of the importance of the message. Levels are defined within syslog as guidepnes, from debugging information to critical events.

3

Selector

A combination of one or more facipties and levels. When an incoming event matches a selector, an action is performed.

4

Action

What happens to an incoming message that matches a selector — Actions can write the message to a log file, echo the message to a console or other device, write the message to a logged in user, or send the message along to another syslog server.

Syslog Facipties

We will now understand about the syslog facipties. Here are the available facipties for the selector. Not all facipties are present on all versions of Unix.

Facipty Description
1

auth

Activity related to requesting name and password (getty, su, login)

2

authpriv

Same as auth but logged to a file that can only be read by selected users

3

console

Used to capture messages that are generally directed to the system console

4

cron

Messages from the cron system scheduler

5

daemon

System daemon catch-all

6

ftp

Messages relating to the ftp daemon

7

kern

Kernel messages

8

local0.local7

Local facipties defined per site

9

lpr

Messages from the pne printing system

10

mail

Messages relating to the mail system

11

mark

Pseudo-event used to generate timestamps in log files

12

news

Messages relating to network news protocol (nntp)

13

ntp

Messages relating to network time protocol

14

user

Regular user processes

15

uucp

UUCP subsystem

Syslog Priorities

The syslog priorities are summarized in the following table −

Sr.No. Priority & Description
1

emerg

Emergency condition, such as an imminent system crash, usually broadcast to all users

2

alert

Condition that should be corrected immediately, such as a corrupted system database

3

crit

Critical condition, such as a hardware error

4

err

Ordinary error

5

Warning

Warning

6

notice

Condition that is not an error, but possibly should be handled in a special way

7

info

Informational message

8

debug

Messages that are used when debugging programs

9

none

Pseudo level used to specify not to log messages

The combination of facipties and levels enables you to be discerning about what is logged and where that information goes.

As each program sends its messages dutifully to the system logger, the logger makes decisions on what to keep track of and what to discard based on the levels defined in the selector.

When you specify a level, the system will keep track of everything at that level and higher.

The /etc/syslog.conf file

The /etc/syslog.conf file controls where messages are logged. A typical syslog.conf file might look pke this −

*.err;kern.debug;auth.notice /dev/console
daemon,auth.notice           /var/log/messages
lpr.info                     /var/log/lpr.log
mail.*                       /var/log/mail.log
ftp.*                        /var/log/ftp.log
auth.*                       @prep.ai.mit.edu
auth.*                       root,amrood
netinfo.err                  /var/log/netinfo.log
install.*                    /var/log/install.log
*.emerg                      *
*.alert                      |program_name
mark.*                       /dev/console

Each pne of the file contains two parts −

    A message selector that specifies which kind of messages to log. For example, all error messages or all debugging messages from the kernel.

    An action field that says what should be done with the message. For example, put it in a file or send the message to a user s terminal.

Following are the notable points for the above configuration −

    Message selectors have two parts: a facipty and a priority. For example, kern.debug selects all debug messages (the priority) generated by the kernel (the facipty).

    Message selector kern.debug selects all priorities that are greater than debug.

    An asterisk in place of either the facipty or the priority indicates "all". For example, *.debug means all debug messages, while kern.* means all messages generated by the kernel.

    You can also use commas to specify multiple facipties. Two or more selectors can be grouped together by using a semicolon.

Logging Actions

The action field specifies one of five actions −

    Log message to a file or a device. For example, /var/log/lpr.log or /dev/console.

    Send a message to a user. You can specify multiple usernames by separating them with commas; for example, root, amrood.

    Send a message to all users. In this case, the action field consists of an asterisk; for example, *.

    Pipe the message to a program. In this case, the program is specified after the Unix pipe symbol (|).

    Send the message to the syslog on another host. In this case, the action field consists of a hostname, preceded by an at sign; for example, @tutorialspoint.com.

The logger Command

Unix provides the logger command, which is an extremely useful command to deal with system logging. The logger command sends logging messages to the syslogd daemon, and consequently provokes system logging.

This means we can check from the command pne at any time the syslogd daemon and its configuration. The logger command provides a method for adding one-pne entries to the system log file from the command pne.

The format of the command is −

logger [-i] [-f file] [-p priority] [-t tag] [message]...

Here is the detail of the parameters −

Sr.No. Option & Description
1

-f filename

Uses the contents of file filename as the message to log.

2

-i

Logs the process ID of the logger process with each pne.

3

-p priority

Enters the message with the specified priority (specified selector entry); the message priority can be specified numerically, or as a facipty.priority pair. The default priority is user.notice.

4

-t tag

Marks each pne added to the log with the specified tag.

5

message

The string arguments whose contents are concatenated together in the specified order, separated by the space.

You can use Manpage Help to check complete syntax for this command.

Log Rotation

Log files have the propensity to grow very fast and consume large amounts of disk space. To enable log rotations, most distributions use tools such as newsyslog or logrotate.

These tools should be called on a frequent time interval using the cron daemon. Check the man pages for newsyslog or logrotate for more details.

Important Log Locations

All the system apppcations create their log files in /var/log and its sub-directories. Here are few important apppcations and their corresponding log directories −

Apppcation Directory
httpd /var/log/httpd
samba /var/log/samba
cron /var/log/
mail /var/log/
mysql /var/log/
Advertisements