Kernel Talks


syslog configuration in Linux

Published: May 22, 2017 | Modified: June 24, 2020



Learn everything about Syslog in Linux: its configuration file format, how to restart the Syslog daemon, log rotation, and how to write a Syslog entry manually.

Linux Syslog configuration

One of the most important daemons on a Unix or Linux based system is syslogd! It logs many crucial system events by default. Logs written by syslogd are commonly referred to as Syslog. Syslog is the first place to look when you want to trace issues with your system. It is the lifeline of sysadmins 🙂

In this article, we will look at the configuration files for syslogd, the different configs and how to apply them. Before we begin, note the two files we will be using frequently throughout this article:

  1. /etc/syslog.conf : syslogd configuration file
  2. /var/log/messages : Syslog file

There are three projects for the Syslog daemon, spawned one after another, each enhancing the previous project’s functionality: syslog (1980), syslog-ng (1998) and rsyslog (2004). So depending on which project’s daemon is running on your server, the daemon name changes. The rest of the configuration remains pretty similar.

Syslog uses port TCP 514 for communication. The classic Syslog protocol sends over UDP on the same port 514; rsyslog and syslog-ng support both, and TCP is the transport to prefer when forwarding to a remote server, since UDP delivery is unacknowledged and lost messages are simply gone.

syslogd daemon

This daemon starts with the system and runs in the background all the time, capturing system events and logging them in Syslog. It can be started, stopped and restarted like any other service in Linux. You need to check which Syslog version (of the three projects stated above) is running (ps -ef |grep syslog) and use the matching daemon name.

# service rsyslog status
rsyslogd (pid  999) is running...

# service rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]

After making any changes in the configuration file you need to restart syslogd for the new changes to take effect.

syslog configuration file

As stated above, /etc/syslog.conf is the configuration file where you define when, where and which events are to be logged by the Syslog daemon. Its name changes as per your Syslog version:

  • /etc/syslog.conf for syslog
  • /etc/syslog-ng.conf for syslog-ng
  • /etc/rsyslog.conf for rsyslog

The typical config file looks like below :

*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

Here, the left column shows the services (facilities) for which you want logs written, along with their priority (appended after a . following the service name), and the right column shows the actions, normally the destinations where the daemon should write the logs. A - in front of a file name, as in -/var/log/maillog, tells the daemon not to sync the file after every write (faster, at the cost of possibly losing the last lines in a crash), and the action * means the message is written to the terminal of every logged-in user, which is why it is paired with *.emerg.

Service values (facilities) :

  • local7: boot messages
  • kern: kernel messages
  • auth: security events
  • authpriv: access control related messages
  • mail, cron: mail and cron related events

Service priorities :

  • debug
  • info
  • notice
  • warning
  • err
  • crit
  • alert
  • emerg
  • * means messages of all levels are to be logged
  • none means no messages are to be logged

All the above priorities are given in ascending level of urgency. A selector such as *.info matches messages of that priority and every higher one, so in the config above /var/log/messages receives everything except debug messages (minus the facilities excluded with none).

Actions/destinations :

These are mostly log files, or a remote Syslog server to which logs are sent. The remote server is specified by IP address or hostname preceded by an @ sign (in rsyslog, a single @ sends over UDP and @@ over TCP).
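To see how the selector rules above combine, here is an added example (not from this article or from the syslog projects themselves) that reads a syslog.conf-style rule set and prints which actions a message of a given facility and priority would hit. The sample config is embedded and mirrors the typical file shown above; the function name syslog_route is our own.

```shell
#!/bin/sh
# Added example, not from the KernelTalks article: work out which actions a
# syslog.conf-style rule set applies to a message of a given facility and
# priority. The sample config below is constructed to mirror the article's
# typical /etc/syslog.conf.

SAMPLE_CONF='*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log'

# syslog_route FACILITY PRIORITY [CONF]
# Prints the action of every rule whose selector matches, one per line.
# Classic syslogd selector rules implemented here:
#   fac.pri   matches messages of priority pri AND ABOVE for that facility
#   fac.none  excludes the facility again (used after a "*." selector)
#   *         stands for every facility or every priority
#   a;b;c     several selectors on one line; for a given facility the LAST
#             selector that names it (or "*") decides
#   a,b.pri   several facilities sharing one priority
# The "=" and "!" priority modifiers of sysklogd/rsyslog are not handled.
syslog_route() {
    fac=$1; pri=$2; conf=${3:-$SAMPLE_CONF}
    printf '%s\n' "$conf" | awk -v fac="$fac" -v pri="$pri" '
    BEGIN {
        # Priorities in ascending order of urgency, as in the article.
        n = split("debug info notice warning err crit alert emerg", lv, " ")
        for (i = 1; i <= n; i++) rank[lv[i]] = i
        if (!(pri in rank)) { print "unknown priority: " pri > "/dev/stderr"; exit 2 }
        want = rank[pri]
    }
    /^[[:space:]]*(#|$)/ { next }           # skip comments and blank lines
    {
        action = $2; matched = 0
        ns = split($1, sel, ";")
        for (i = 1; i <= ns; i++) {
            split(sel[i], fp, ".")          # "uucp,news.crit" -> facilities, priority
            nfac = split(fp[1], fl, ",")
            hit = 0
            for (j = 1; j <= nfac; j++) if (fl[j] == "*" || fl[j] == fac) hit = 1
            if (!hit) continue
            if (fp[2] == "none")            matched = 0
            else if (fp[2] == "*")          matched = 1
            else if (!(fp[2] in rank))      matched = 0   # unknown level: ignore rule
            else                            matched = (want >= rank[fp[2]])
        }
        if (matched) print action
    }'
}

# Stand-alone usage: where does an authpriv.info message (e.g. an sshd login) go?
syslog_route authpriv info
```

Run it with a facility and priority, e.g. syslog_route kern emerg, and it prints both /var/log/messages and * because the first and fifth rules match; syslog_route user debug prints nothing, since debug sits below the *.info threshold, which is a common surprise when a debug message never shows up in /var/log/messages.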

Syslog

All logs by syslogd are written to its Syslog file /var/log/messages. A typical Syslog file looks like :

May 22 02:00:29 server1 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="999" x-info="http://www.rsyslog.com"] exiting on signal 15.
May 22 02:00:29 server1 kernel: imklog 5.8.10, log source = /proc/kmsg started.
May 22 02:00:29 server1 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1698" x-info="http://www.rsyslog.com"] start
May 22 02:17:43 server1 dhclient[916]: DHCPREQUEST on eth0 to 172.31.0.1 port 67 (xid=0x445faedb)

The file can be read in the below parts from left to right :

  1. Date
  2. Time
  3. Hostname (this is important to identify which server’s log this is on a centralized Syslog server)
  4. The service name for which logs were written by the daemon
  5. Separator colon
  6. Actual message or log

The first 5 fields can be used for sorting and filtering logs in various tools, scripts, etc. Since Syslog logs all events on the system, it obviously grows in size pretty quickly. You can manually rotate Syslog over a specific period, or you can use the logrotate utility to do it automatically in the background.
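Here is an added example (not from this article) of the kind of sorting and filtering the first five fields allow: a small awk-based splitter that turns classic Syslog lines into the fields listed above, plus two helpers built on it. The sample lines are constructed for the demo (hostnames, PIDs and addresses are made up), and the function names syslog_fields, syslog_count_by_program and syslog_from_host are our own.

```shell
#!/bin/sh
# Added example, not from the KernelTalks article: split classic syslog lines
# into the fields the article lists (date, time, hostname, service tag,
# message) so they can be filtered and counted. The sample lines are
# constructed for this demo (hostnames, PIDs and addresses are made up).

SAMPLE_LOG='May 22 02:00:29 server1 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="999" x-info="http://www.rsyslog.com"] exiting on signal 15.
May 22 02:00:29 server1 kernel: imklog 5.8.10, log source = /proc/kmsg started.
May 22 02:17:43 server1 dhclient[916]: DHCPREQUEST on eth0 to 172.31.0.1 port 67 (xid=0x445faedb)
May 22 02:31:05 server1 root: Writing KERNELTALKS in syslog using logger. Testing...
May 22 02:32:10 server2 sshd[2201]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2
May 22 02:32:14 server2 sshd[2207]: Failed password for invalid user admin from 10.0.0.9 port 40110 ssh2'

# syslog_fields [LOG]
# One tab-separated line per entry: timestamp, host, program, pid (or -), message.
# The program and pid come from the tag before the colon, e.g. "sshd[2201]:".
syslog_fields() {
    printf '%s\n' "${1:-$SAMPLE_LOG}" | awk '
    NF < 5 { next }                         # not a syslog line we understand
    {
        stamp = $1 " " $2 " " $3; host = $4
        tag = $5; sub(/:$/, "", tag)        # "dhclient[916]:" -> "dhclient[916]"
        prog = tag; pid = "-"
        if (match(tag, /\[[0-9]+\]$/)) {    # optional [pid] suffix
            pid  = substr(tag, RSTART + 1, RLENGTH - 2)
            prog = substr(tag, 1, RSTART - 1)
        }
        msg = $0                            # message = everything after the 5th field
        for (i = 1; i <= 5; i++) sub(/^[^ ]+ +/, "", msg)
        printf "%s\t%s\t%s\t%s\t%s\n", stamp, host, prog, pid, msg
    }'
}

# syslog_count_by_program [LOG]  -> "program count" lines, sorted by program
syslog_count_by_program() {
    syslog_fields "$@" | cut -f3 | sort | uniq -c | awk '{ print $2, $1 }'
}

# syslog_from_host HOST [LOG]  -> "program: message" for entries from HOST only,
# which is what you want on a centralized syslog server receiving many hosts.
syslog_from_host() {
    h=$1; shift
    syslog_fields "$@" | awk -F'\t' -v h="$h" '$2 == h { print $3 ": " $5 }'
}

# Stand-alone usage
syslog_count_by_program
syslog_from_host server2
```

Feed a real file with syslog_fields "$(cat /var/log/messages)" or pipe through the same awk; splitting the tag into program and pid is what makes per-program counts meaningful, since otherwise every sshd[PID] would count as a different program.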

Testing Syslog logging

To test whether the daemon is logging messages in Syslog or not, you can use the logger command. With this command, you can specify numerous options like a priority, service, etc. But even without any options, you can supply a string to write to Syslog and it will do the job for you.

# logger Writing KERNELTALKS in syslog using logger. Testing...

# cat /var/log/messages |grep -i kerneltalks
May 22 02:31:05 server1 root: Writing KERNELTALKS in syslog using logger. Testing...

In the above example, you can see the entry written by the logger command is printed in the Syslog file. Since we used the logger command and didn’t specify any service, it logged the message with the user id root in the service field!

This work is licensed under a CC-BY-NC license · Privacy Policy
© Copyright 2016-2023 KernelTalks · All Rights Reserved.
The content is copyrighted to Shrikant Lavhate & can not be reproduced either online or offline without prior permission.