Learn everything about Syslog in Linux. Its configuration file format, how to restart Syslog, rotation, and how to log Syslog entry manually.
One of the most important daemons on Unix or Linux based system is
syslogd! It logs many crucial system events by default. Logs written by
syslogd are commonly referred to as Syslog. Syslogs are first logs when you want to trace issues with your system. They are the lifeline of sysadmins 🙂
In this article, we will see configuration files for
syslogd, different configs and how to apply them. Before we begin to go through the below files which we will be using throughout this article frequently.
/etc/syslog.conf: syslogd configuration file
/var/log/messages: Syslog file
There are three projects on Syslog daemon spawned one after another to enhance the previous project’s functionality. They are:
syslog (year 1980),
syslog-ng (year 1998) and
rsyslog (year 2004). So depending on which project’s fruit is running on your server, your daemon name changes. The rest of the configuration remains pretty close similar.
Syslog uses port TCP 514 for communication.
This daemon starts with systems and runs in the background all the time, capturing system events and logging them in Syslog. It can be started, stop, restart like other services operations in Linux. You need to check which Syslog version (three projects as stated above) is running (
ps -ef |grep syslog) and accordingly, use the daemon name.
# service rsyslog status rsyslogd (pid 999) is running... # service rsyslog restart Shutting down system logger: [ OK ] Starting system logger: [ OK ]
After making any changes in the configuration file you need to restart
syslogd in order to take these new changes in effect.
syslog configuration file
As stated above
/etc/syslog.conf is a configuration file where you can define when, where, which event to be logged by Syslog daemon. There name changes as per your Syslog version
The typical config file looks like below :
*.info;mail.none;authpriv.none;cron.none /var/log/messages authpriv.* /var/log/secure mail.* -/var/log/maillog cron.* /var/log/cron *.emerg * uucp,news.crit /var/log/spooler local7.* /var/log/boot.log
Here, on the left side column shows services for which you want logs to be logged along with their priority (succeeded by
. after service name) and on the right side are actions normally destinations where logs should be written by the daemon.
Services values and priorities :
- local7: boot messages
- kern: Kernel messages
- auth: Security events
- authpriv : Access control related messages
- mail, cron: mail and cron related events
Service priorities :
- * means all level of messages to be logged
- none means no messages to be logged
All the above priorities are given in ascending level of urgency.
Those mostly log files or remote Syslog server to which logs get sent. The remote server can be specified by IP or hostname preceded by @ sign.
All logs by syslogd are written its Syslog file
/var/log/messages. Typical Syslog file looks like :
May 22 02:00:29 server1 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="999" x-info="http://www.rsyslog.com"] exiting on signal 15. May 22 02:00:29 server1 kernel: imklog 5.8.10, log source = /proc/kmsg started. May 22 02:00:29 server1 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1698" x-info="http://www.rsyslog.com"] start May 22 02:17:43 server1 dhclient: DHCPREQUEST on eth0 to 172.31.0.1 port 67 (xid=0x445faedb)
Here file can be read in below parts from left to right :
- Hostname (This is important to identify which server’s log is this on centralized Syslog server)
- The service name for which logs were written by the daemon
- Separator colon
- Actual message or log
The first 5 fields can be used for sorting, filtering logs in various tools, scripts, etc. Since Syslog logs, all events on system, it’s obvious it grows in size pretty quickly. You can manually rotate Syslog over a specific period or you can even use
logrotate utility to do it automatically in the background.
Testing Syslog logging
To test if the daemon is logging messages in Syslog or not, you can use logger command. With this command, you can specify numerous options like a priority, service, etc. But even without any argument, you can supply a string to write in Syslog and it will do the job for you.
# logger Writing KERNELTALKS in syslog using logger. Testing... # cat /var/log/messages |grep -i kerneltalks May 22 02:31:05 server1 root: Writing KERNELTALKS in syslog using logger. Testing...
In the above example, you can see all entries after logger command are printed in the Syslog file. Since we used logger command and didn’t specify any service, it logged message with userid root in-service field!