Posted: 11/29/2011 | Language: English | Pages: 20
syslog and log files



Ameera Jaradat

• One integral part of any UNIX system is its logging facilities.

• The majority of logging in Linux is provided by two main programs, sysklogd and klogd: the first provides logging services to programs and applications, the second provides logging capability to the Linux kernel.

• Klogd actually sends most messages to the syslogd facility but will on occasion print messages directly at the console (e.g. kernel panics).

• Sysklogd handles the task of processing most messages and sending them to the appropriate file or device; this is configured in /etc/syslog.conf.

• By default most logging to files takes place in /var/log/.

Rotating log files

A common way to keep logging information for a fixed period is "rotation". You keep backup files that are one day old, two days old, and so on. Each day a script or utility program renames the files to push older data toward the end of the chain.

Example rotation policy, for a log file called logfile:

#!/bin/sh
# Keep three older generations of logfile; logfile.3 is overwritten each run
cd /var/log || exit 1
mv logfile.2 logfile.3
mv logfile.1 logfile.2
mv logfile logfile.1
# Recreate an empty logfile; a daemon that still has the old inode open
# keeps writing into logfile.1 until it reopens its log
cat /dev/null > logfile
chmod 600 logfile

With the chain extended to seven generations, each day logfile.7 is lost as logfile.6 overwrites it.
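The same rotation generalized to any number of generations, as an added Python example that is not part of the slides; the helper name rotate and its arguments (directory, file name, depth) are my own choice so it can be tried on a scratch directory.

```python
import os
import stat


def rotate(logdir, name, depth):
    """Rotate logdir/name through depth generations, as the shell script above
    does for three: name.(depth-1) -> name.depth (dropping the old name.depth),
    ..., name -> name.1, then a fresh empty name is created with mode 600.
    Returns the generation files that exist afterwards, newest first."""
    path = os.path.join(logdir, name)
    for i in range(depth, 1, -1):                 # depth, depth-1, ..., 2
        older = f"{path}.{i - 1}"
        if os.path.exists(older):
            os.replace(older, f"{path}.{i}")      # last step overwrites name.depth
    if os.path.exists(path):
        os.replace(path, f"{path}.1")
    # Like "cat /dev/null > logfile": a new, empty file. A daemon that still holds
    # the old inode open keeps writing into name.1 until it reopens its log
    # (e.g. on HUP), which is what a postrotate kill -HUP in logrotate is for.
    with open(path, "w"):
        pass
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)   # 0600, as in the script
    return [f"{name}.{i}" for i in range(1, depth + 1)
            if os.path.exists(f"{path}.{i}")]
```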

Linux log files

For the most part, Linux packages send their logging information to files in the /var/log directory. On some distributions logs are also stored in /var/adm.

Special log files

• /var/log/wtmp contains a record of users' logins and logouts, plus entries that indicate when the system was rebooted or shut down. It should be rotated.

• /var/log/lastlog records only the time of the last login for each user. It is a binary file, indexed by UID. It does not need to be rotated because its size stays constant unless new users log in.

• The checksecurity utility runs every day (from /etc/cron.daily/standard) to enumerate the system's complement of setuid programs (setuid.changes, setuid.today, setuid.yesterday).

Managing Your Log Files

One common problem is figuring out what to do with all of the log messages. If you do a lot of logging (particularly if everything is sent to a central server), you can fill up your filesystem faster than you think. The most obvious and direct solution is to remove them after a specific length of time or when they reach a particular size.

As its name implies, the goal of the logrotate program is to "rotate" log files. This could be as simple as moving a log file to a different name and replacing the original with an empty file.

Logrotate: managing log files

A logrotate configuration file consists of a series of specifications for groups of log files to be managed.

# Example log rotation policy
errors sa-book@admin.com
rotate 5
weekly

/var/log/messages {
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid`
    endscript
}

/var/log/samba/*.log {
    notifempty
    copytruncate
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid`
    endscript
}

syslog: the system event logger

syslog is a comprehensive logging system. It consists of three parts:

• syslogd, the logging daemon (along with its config file, /etc/syslog.conf)

• openlog, library routines that submit messages to syslogd

• logger, a user-level command that submits log entries from the shell

• syslogd is started at boot time and runs continuously.

• syslogd reads messages from /dev/log, consults its configuration file, and dispatches each message to the appropriate destinations.

• klogd is responsible for retrieving messages from the kernel's internal log buffer and forwarding them to syslogd.

• A hangup signal (HUP, signal 1) causes syslogd to close its log files, reread its configuration file, and start logging again.

• A TERM signal causes syslogd to exit.

• syslogd writes its process ID to the file /var/run/syslogd.pid.

Configuring syslogd

The configuration file /etc/syslog.conf controls syslogd's behavior. The basic format is:

selector        action
mail.info       /var/log/maillog

This causes messages from the email system to be saved in the file /var/log/maillog.

Within the selector, "mail" is the facility (message category) and "info" is the priority level. /var/log/maillog is the action.

Facilities

Facilities are simply categories. Supported facilities in Linux:

Syslog Facility   Associated Subsystem
authpriv          Login authentication
cron              cron subsystem
daemon            System server processes
kern              Linux kernel
lpr               Spooling subsystem
mail              Mail subsystem
news              News subsystem
localN            Locally-defined syslog facilities (N runs from 0 to 7)

Priorities

Unlike facilities, which have no relationship to each other, priorities are hierarchical. Possible priorities in Linux are (in increasing order of urgency): debug, info, notice, warning, err, crit, alert and emerg.

As with facilities, the wildcards * and none may be used.

A priority may be preceded by either or both of the modifiers = and !.

Severity Level   Keyword         Description
0                emergencies     System unusable
1                alerts          Immediate action required
2                critical        Critical condition
3                errors          Error conditions
4                warnings        Warning conditions
5                notifications   Normal but significant conditions
6                informational   Informational messages
7                debugging       Debugging messages

Example:

*.info;mail.none;authpriv.none;cron.none    /var/log/messages

In this case, all messages of severity "info" and above are logged, but none from the mail, cron or authentication facilities/subsystems.

Selector                     Meaning
mail.info                    Select mail-related messages of info priority and higher
mail.=info                   Select only messages at info priority
mail.info;mail.!err          Select only priorities info, notice and warning
mail.debug;mail.!=warning    Select all priorities except warning

Action

In practice, most log messages are written to files. If you list the full path to a filename as a line's action in syslog.conf, messages that match that line will be appended to that file. (If the file doesn't exist, syslog will create it.)

You can send messages other places too. An action can be a file, a named pipe, a device file, a remote host or a user's screen.

Action            Meaning
filename          Writes the message to a file on the local machine
@hostname         Forwards the message to syslogd on hostname
@ipaddress        Forwards the message to the host at IP address ipaddress
|fifoname         Writes the message to the named pipe fifoname
user1,user2,...   Writes the message to the named users' screens
*                 Writes the message to all users who are logged in

Config file examples

1. A stand-alone machine on a small network.

# small network syslog.conf file
# emergencies: tell everyone who is logged on
*.emerg                                 *
# important messages
*.warning;daemon,auth.info;user.none    /var/log/messages
# printer errors
lpr.debug                               /var/log/lpd-errs

2. A client machine on a larger network.

# emergencies: tell everyone who is logged on
*.emerg;user.none                       *
# forward important messages to the central logger
*.warning;lpr,local1.none               @netloghost
daemon,auth.info                        @netloghost
# send local stuff to the central logger too
local2.info;local0,local7.debug         @netloghost
# cardd logs through facility local1 - send to boulder
local1.debug                            @boulder.colorado.edu
# keep printer errors local
lpr.debug                               /var/log/lpd-errs
# sudo logs to local2 - keep a copy here too
local2.info                             /var/log/sudo.log
# keep kernel messages local
kern.info                               /var/log/kern.log
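The selector rules from the priorities table and the config examples above, worked through as an added Python example that is not part of the slides: selected_priorities computes which priorities one selector accepts for a facility (sysklogd-style, where each part adds to, removes from or clears the facility's set), and actions_for runs a whole syslog.conf against a facility/priority pair. The function names and the constructed CLIENT_CONF sample are my own.

```python
import re

# Priorities in increasing order of urgency, as listed on the slides
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
LEVEL = {p: i for i, p in enumerate(PRIORITIES)}


def _levels(pri):
    """'*' -> all levels, '=info' -> info only, 'info' -> info and more urgent."""
    if pri == "*":
        return set(range(len(PRIORITIES)))
    if pri.startswith("="):
        return {LEVEL[pri[1:]]}
    return set(range(LEVEL[pri], len(PRIORITIES)))


def selected_priorities(selector, facility):
    """Priority names SELECTOR accepts for FACILITY. Parts apply left to right:
    'fac.pri' adds levels, 'fac.!pri' removes them, 'fac.none' clears the set
    (sysklogd keeps one such bitmask per facility for every rule line)."""
    chosen = set()
    for part in selector.split(";"):
        facs, _, pri = part.rpartition(".")
        if facility not in facs.split(",") and "*" not in facs.split(","):
            continue
        if pri == "none":
            chosen.clear()
        elif pri.startswith("!"):
            chosen -= _levels(pri[1:])
        else:
            chosen |= _levels(pri)
    return {PRIORITIES[i] for i in chosen}


def parse_config(text):
    """(selector, action) pairs from the non-blank, non-comment lines."""
    lines = (ln.strip() for ln in text.splitlines())
    return [tuple(re.split(r"\s+", ln, maxsplit=1)) for ln in lines if ln and ln[0] != "#"]


def actions_for(config_text, facility, priority):
    """Every action a message tagged facility.priority is dispatched to."""
    return [action for selector, action in parse_config(config_text)
            if priority in selected_priorities(selector, facility)]


# Constructed sample: the client-machine configuration from the slides
CLIENT_CONF = """\
*.emerg;user.none            *
*.warning;lpr,local1.none    @netloghost
daemon,auth.info             @netloghost
lpr.debug                    /var/log/lpd-errs
"""
```

Note that a daemon emergency matches two forwarding lines, so netloghost receives it twice; that is what the rules say, not a bug in the matcher.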

Designing a logging scheme for your site

The syslog config file can be customized for each host.

Choose a stable machine as your logging server, one that is well secured and does not have many logins.

Some very large sites may want to add more levels to the logging hierarchy. Unfortunately syslog retains the name of the originating host for only one hop. If a host "client" sends some log entries to host "server", which sends them on to host "master", master will see the data coming from server, not from client.

Debugging syslog

The logger command is useful for submitting log entries from shell scripts.

If you have just added the line

local5.warning    /tmp/evi.log

to /etc/syslog.conf (and sent syslogd a HUP so that it rereads the file), verify that it is working by running

% logger -p local5.warning "test message"

The line containing "test message" should be written to /tmp/evi.log.

Using syslog from programs

The library routines openlog, syslog, and closelog allow programs to use the syslog system. The Perl interface is described here.

To import the definitions of the library routines, include this line at the beginning of your Perl script:

use Sys::Syslog;

The openlog routine initializes logging using the facility name:

openlog(ident, logopt, facility);
openlog("adminscript", "pid,cons", "local4");

The syslog routine sends a message to syslogd, which logs it at the specified priority:

syslog(priority, message, ...);
syslog("info", "Delivery to %s failed after %d attempts", $user, $nAttempts);

The closelog routine closes the logging channel:

closelog();

References:

• "Linux Administration Handbook", E. Nemeth, G. Snyder, T. R. Hein, Ch. 11

Links:

• http://www.linuxjournal.com/article.php?sid=5476
• http://www.linux-mag.com/1999-11/guru_04.html

