Learn everything about syslog in Linux: its configuration file format, how to restart syslog, log rotation and how to write a syslog entry manually.
One of the most important daemons on a Unix or Linux based system is syslogd. It logs many crucial system events by default. Logs written by syslogd are commonly referred to as syslogs, and they are the first logs to check when you want to trace an issue with your system. They are the lifeline of sysadmins 🙂
In this article we will look at the configuration files for syslogd, the different settings and how to apply them. Before we begin, go through the files below, which we will be using frequently throughout this article.
- /etc/syslog.conf : syslogd configuration file (/etc/rsyslog.conf on rsyslog systems)
- /var/log/messages : main syslog file on Red Hat-style systems (Debian and Ubuntu write to /var/log/syslog instead)
There are three syslog daemon projects, each started to extend the previous one: syslog (1980), syslog-ng (1998) and rsyslog (2004). Depending on which of them runs on your server, the daemon name changes. rsyslog accepts the classic syslog.conf selector syntax described in this article, while syslog-ng uses its own source/filter/destination syntax.
The daemon starts with the system and runs in the background all the time, capturing system events and writing them to the syslog. It can be started, stopped and restarted like any other Linux service. First check which syslog implementation is running (ps -ef | grep syslog) and use the matching daemon name. On SysV init systems use the service command, as below; on systemd systems the equivalent is systemctl status rsyslog and systemctl restart rsyslog.
# service rsyslog status
rsyslogd (pid 999) is running...
# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
After making any change to the configuration file you need to restart syslogd for the new configuration to take effect. With rsyslog, check the file for syntax errors first with rsyslogd -N1, so that a typo does not leave you with a logger that refuses to start and a gap in your logs.
syslog configuration file
As stated above, /etc/syslog.conf is the configuration file where you define which events get logged and where. Its name depends on your syslog version: /etc/syslog.conf for classic syslogd, /etc/rsyslog.conf for rsyslog, and /etc/syslog-ng/syslog-ng.conf (or /etc/syslog-ng.conf on older installs) for syslog-ng, which uses a different syntax. In the classic format each rule is one line with two columns separated by spaces or tabs. The left column is the selector, written as facility.priority: the facility is the service or subsystem the message comes from, followed by a dot and the priority; several selectors can be joined with ; and several facilities with , (for example *.info;mail.none or auth,authpriv.*). The right column is the action, normally the destination the daemon writes matching messages to.
Facility (service) values :
- kern : kernel messages
- user : messages from ordinary user processes (the default facility used by the logger command)
- auth : security and authorization events
- authpriv : security and authorization events that should stay private, such as login records (Red Hat-style systems send these to /var/log/secure)
- mail, cron : mail and cron related events
- local0 to local7 : reserved for local use; Red Hat-style systems log boot messages under local7
Priority values, in ascending order of urgency :
- debug, info, notice, warning, err, crit, alert, emerg
- * means messages of all levels are to be logged
- none means no messages from that facility are to be logged
A selector such as mail.err matches err and every more urgent level (crit, alert, emerg), not just err. Prefix the level with = to match only that level, or with ! to exclude that level and everything above it.
The actions are mostly log files, but an action can also be a remote syslog server to which the messages are forwarded. A remote server is given as an IP address or hostname preceded by an @ sign; in rsyslog a single @ forwards over UDP and @@ over TCP. UDP delivery is lossy and the sender address is trivially spoofable, so for logs you rely on during incident response forward over TCP, ideally with rsyslog's TLS support, and verify on the collector that every expected host is actually arriving.
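To make the selector semantics concrete, here is an added Python example (not code from the article or from the rsyslog project) that parses a small rsyslog.conf fragment written in the classic selector syntax and reports which actions a message with a given facility and priority would reach. The fragment, the file names and the host name logserver.example.com are constructed for illustration. The matching rules follow syslog.conf(5): a plain level matches that level and everything more urgent, =level only that level, !level excludes that level and above, none drops the facility, * matches all, and the parts of a selector are applied left to right. It also computes the numeric PRI value (facility*8 + severity) that the logger command sends in front of each message, which is how the daemon knows the facility and priority in the first place.

```python
"""Route messages through classic syslog.conf / rsyslog.conf selector rules.

Added example, not code from the article or the rsyslog project. The config
fragment, the file names and the host logserver.example.com are constructed.
Selector semantics follow syslog.conf(5): a plain level matches that level and
everything more urgent, '=level' only that level, '!level' excludes that level
and above, 'none' drops the facility, '*' matches all; parts are applied
left to right."""
import re

# Facility and severity numbers as used in the PRI field (facility*8 + severity).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
    "notice": 5, "info": 6, "debug": 7,
    "panic": 0, "error": 3, "warn": 4,  # aliases accepted by syslog.conf(5)
}
ALL_SEV = frozenset(range(8))

# Constructed rsyslog.conf fragment in the classic selector syntax.
EXAMPLE_CONF = """
kern.*                                      /dev/console
# everything at info or above, except the noisy or sensitive facilities
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
*.emerg                                     :omusrmsg:*
local7.*                                    /var/log/boot.log
# ship authentication events off-host over TCP (@@); a single @ would be UDP
auth,authpriv.*                             @@logserver.example.com:514
"""

def _priority(spec):
    """Map one priority spec ('info', '=info', '!err', 'none', '*') to
    (operation, set of severity numbers)."""
    if spec == "*":
        return "set", ALL_SEV
    if spec == "none":
        return "set", frozenset()
    op = "add"
    if spec.startswith("!"):
        op, spec = "remove", spec[1:]
    only = spec.startswith("=")
    level = SEVERITIES[spec.lstrip("=")]  # KeyError on an unknown level name
    sevs = frozenset({level}) if only else frozenset(range(level + 1))
    return op, sevs

def parse_selector(selector):
    """'*.info;mail.none' -> {facility_number: frozenset(severities)}."""
    mask = {}
    for part in selector.split(";"):
        facs, dot, pri_spec = part.rpartition(".")
        if not dot or not facs:
            raise ValueError(f"bad selector part: {part!r}")
        op, sevs = _priority(pri_spec)
        names = list(FACILITIES) if facs == "*" else facs.split(",")
        for name in names:
            fac = FACILITIES[name]
            cur = mask.get(fac, frozenset())
            if op == "set":
                mask[fac] = sevs
            elif op == "add":
                mask[fac] = cur | sevs
            else:
                mask[fac] = cur - sevs
    return mask

RULE_RE = re.compile(r"^(\S+)\s+(\S+)$")

def parse_config(text):
    """Return [(facility_mask, action), ...] in file order; blank lines,
    comments and rsyslog '$' directives are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule: {raw!r}")
        selector, action = m.groups()
        rules.append((parse_selector(selector), action))
    return rules

def route(rules, facility, severity):
    """Actions, in config order, that receive a facility.severity message."""
    fac, sev = FACILITIES[facility], SEVERITIES[severity]
    return [action for mask, action in rules if sev in mask.get(fac, ())]

def describe_action(action):
    """Classify an action as (kind, target); the legacy '-' (no fsync) prefix
    on a file name is dropped."""
    if action.startswith("@@"):
        return "tcp", action[2:]
    if action.startswith("@"):
        return "udp", action[1:]
    if action.startswith(":omusrmsg:"):
        return "users", action[len(":omusrmsg:"):]
    return "file", action.lstrip("-")

def pri(facility, severity):
    """Numeric PRI sent in front of the message; logger's default user.notice
    is 1*8 + 5 = 13."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]

if __name__ == "__main__":
    rules = parse_config(EXAMPLE_CONF)
    for fac, sev in [("user", "notice"), ("authpriv", "info"), ("kern", "debug"),
                     ("mail", "err"), ("local7", "emerg")]:
        targets = [describe_action(a) for a in route(rules, fac, sev)]
        print(f"{fac}.{sev} (PRI {pri(fac, sev)}) -> {targets}")
```

Running it shows the points that trip people up in practice: a user.notice message (what logger sends by default) lands only in /var/log/messages, an authpriv.info message is kept out of /var/log/messages by the authpriv.none part and goes to /var/log/secure and the remote collector instead, kern.debug is below the info threshold of the catch-all rule and only reaches the console, and an emergency from any facility hits every rule that covers it.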
Messages that match the catch-all selector are written to the main syslog file, /var/log/messages on Red Hat-style systems (Debian and Ubuntu use /var/log/syslog). A typical syslog file looks like :
May 22 02:00:29 server1 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="999" x-info="http://www.rsyslog.com"] exiting on signal 15.
May 22 02:00:29 server1 kernel: imklog 5.8.10, log source = /proc/kmsg started.
May 22 02:00:29 server1 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1698" x-info="http://www.rsyslog.com"] start
May 22 02:17:43 server1 dhclient: DHCPREQUEST on eth0 to 172.31.0.1 port 67 (xid=0x445faedb)
Each line can be read in the following parts from left to right :
- Date and time stamp (month, day and time of day; note that there is no year and no time zone, which matters when you correlate logs from several hosts or across a year boundary)
- Hostname (important to identify which server's log this is on a centralised syslog server)
- Service name, the tag of the process that wrote the message, optionally followed by its PID in square brackets
- Separator colon
- Actual message or log
The first 5 whitespace-separated fields (month, day, time, hostname, tag) can be used for sorting and filtering logs in various tools and scripts. Since syslog records every event on the system, the file obviously grows quickly. You can rotate the syslog manually over a specific period, or use the logrotate utility to do it automatically in the background.
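As an added example (not code from the article), the following Python parses lines in this format into their fields. Its inputs are the four lines quoted above, the line produced by the logger test in the testing section further down, and one constructed sshd line (host server2, PID 2417, client 203.0.113.7 from the documentation address range) that shows the optional [pid] after the tag and the space-padded day that appears for days 1 to 9. Because the timestamp carries neither year nor time zone, the caller has to supply the year.

```python
"""Parse lines in the classic /var/log/messages format into fields.

Added example, not code from the article. SAMPLE_LINES holds the lines
quoted in the article plus one constructed line (host server2, tag sshd,
PID 2417, client 203.0.113.7 from the documentation address range)."""
import re
from datetime import datetime

# "Mon DD HH:MM:SS host tag[pid]: message"; the day is space-padded
# ("Jun  3"), the [pid] part is optional and some lines carry no tag at all.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+"
    r"(?:(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s*)?"
    r"(?P<msg>.*)$"
)

SAMPLE_LINES = [
    # from the article
    'May 22 02:00:29 server1 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="999" x-info="http://www.rsyslog.com"] exiting on signal 15.',
    "May 22 02:00:29 server1 kernel: imklog 5.8.10, log source = /proc/kmsg started.",
    'May 22 02:00:29 server1 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1698" x-info="http://www.rsyslog.com"] start',
    "May 22 02:17:43 server1 dhclient: DHCPREQUEST on eth0 to 172.31.0.1 port 67 (xid=0x445faedb)",
    # the line written by the logger test in the article
    "May 22 02:31:05 server1 root: Writing KERNELTALKS in syslog using logger. Testing...",
    # constructed: space-padded day and a [pid] after the tag
    "Jun  3 09:14:02 server2 sshd[2417]: Failed password for invalid user admin from 203.0.113.7 port 4422 ssh2",
]

def parse_line(line, year=None):
    """Return a dict of fields for one line, or None if it is not in this
    format. The timestamp has no year and no time zone, so the caller
    supplies the year (default: the current one) and should treat the time
    as the sending host's local time."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    year = year or datetime.now().year
    rec["timestamp"] = datetime.strptime(
        f"{rec['mon']} {rec['day']} {rec['time']} {year}", "%b %d %H:%M:%S %Y")
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec

def parse_lines(lines, year=None):
    """Parse many lines, dropping the ones that do not match the format."""
    return [rec for rec in (parse_line(l, year) for l in lines) if rec]

def select(records, **wanted):
    """Filter on any parsed field, e.g. select(recs, host="server1", tag="sshd")."""
    return [r for r in records if all(r.get(k) == v for k, v in wanted.items())]

if __name__ == "__main__":
    # the year is an assumption; the lines themselves do not record it
    for rec in parse_lines(SAMPLE_LINES, year=2019):
        print(rec["timestamp"], rec["host"], rec["tag"], rec["pid"], rec["msg"][:40])
```

The tag is what appears before the colon, not the facility: the daemon does not write the facility or priority into this file at all, so a line like the root: one above tells you who wrote it but not which selector routed it. Filtering by host and tag, as select() does, is the same operation most log tools perform on the first fields.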
Testing syslog logging
To test whether the daemon is writing messages to the syslog, use the logger command. It accepts options such as -p facility.level to set the priority and -t to set the tag, but even without any option you can pass a string and it will be written to the syslog.
# logger Writing KERNELTALKS in syslog using logger. Testing...
# cat /var/log/messages |grep -i kerneltalks
May 22 02:31:05 server1 root: Writing KERNELTALKS in syslog using logger. Testing...
In the above example you can see the entry written by the logger command in the syslog file. Since we did not specify a tag, logger used the login name of the user who ran it, root, as the tag (the field before the colon), and since we did not specify a priority it used the default user.notice, which is why the message landed in /var/log/messages.