Syslog is the general standard for logging system and program messages in the Linux environment. This service constitutes the system log daemon, where any program can do its logging (debug, security, normal operation) through in addition the Linux kernel messages.
In principle, the logs handled by syslog are available in the /var/log/ directory on Linux system:
# ls /var/log boot.log cloud-init-output.log firewalld maillog rhsm tallylog anaconda btmp cron gdm maillog-20151219 samba tuned audit btmp-20151219 cron-20151219 grubby messages secure wpa_supplicant.log auth.log choose_repo.log dmesg grubby_prune_debug messages-20151219 secure-20151219 wtmp yum.log chrony dmesg.old lastlog pm-powersave.log spooler xrdp.log
where some of the logs are dumped under a subdirectory like cups, samba, httpd. Among the logs under /var/log the /var/log/messages is the most common one as the kernel/core system logs are held there. The kernel modules generally dumps there too. So, for problem diagnosis / monitoring the /var/log/messages is the primary log file to examine.
The logs are rotated every week (renaming the existing log to filename.number order):
# ls -l /var/log/messages* -rw------- 1 root root 1973 Jun 10 15:07 /var/log/messages -rw------- 1 root root 10866 Jun 6 04:02 /var/log/messages.1 -rw------- 1 root root 19931 May 30 04:02 /var/log/messages.2 -rw------- 1 root root 238772 May 23 04:02 /var/log/messages.3 -rw------- 1 root root 171450 May 14 18:29 /var/log/messages.4
the weekly rotated log file is deleted after 4 weeks passed (total logs span a time of 5 weeks). This rotation mechanism is provided by crond and logrotate.
There is also rsyslogd provided by the rsyslog package which is a more reliable and extended version of syslogd. For more information install the rsyslog package and check man page of rsyslogd.
To start the syslog service use any one of the below commands:
# service syslog start # /etc/init.d/syslog start
To stop the syslog service use any one of the below commands:
# service syslog stop # /etc/init.d/syslog stop
To see runlevel and service availability run:
# chkconfig --list syslog syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
If the service is disabled you can enable the service by:
# chkconfig --list syslog syslog 0:off 1:off 2:off 3:off 4:off 5:off 6:off # chkconfig syslog on # chkconfig --list syslog syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
The configuration file for syslogd service is /etc/sysconfig/syslog. The default file is like below:
# Options to syslogd # -m 0 disables 'MARK' messages. # -r enables logging from remote machines # -x disables DNS lookups on messages recieved with -r # See syslogd(8) for more details SYSLOGD_OPTIONS="-m 0" # Options to klogd # -2 prints all kernel oops messages twice; once for klogd to decode, and # once for processing with 'ksymoops' # -x disables all klogd processing of oops messages entirely # See klogd(8) for more details KLOGD_OPTIONS="-x" # SYSLOG_UMASK=077 # set this to a umask value to use for all log files as in umask(1). # By default, all permissions are removed for "group" and "other".
There you see two different group of options for:
klogd – Kernel Log Daemon: This is the daemon that catches the messages from Linux kernel and logs them into files.
syslogd – System Log Daemon: Other message interception and logging.
The default configuration file lists some options where we can describe further:
- -m interval: Put a line with “MARK” every interval minutes. “-m 0” disables “MARK”‘ing entirely
- -r: Used to enable the facility to receive message from the network using an internet domain socket with the syslog service.
- -x: When logs arrive in from network (via -r option) the source addresses will be provided in the created logs. The addresses are to be looked up in DNS. If there are too frequent remote logging happening (and generally that is the case when there is a problem at the remote site), it is not preferred to spend time on DNS lookups. This option can be used to disable DNS lookups.
- -S: verbose logging
- -d: debug mode for syslogd
- -2: Print the lines once with raw text, and once more with addresses converted to symbols. This would be needed for ksymoops to do processing on original data.
- -x: Do not do EIP translation (for OOPS) not to read the System.map file (increased dump speed)
- -d: debug mode for klogd
- -c n: Default log level of console messages
umask: SYSLOG_UMASK controls the default access privileges / permissions for the generated log files.