May 23, 2021 UNIX Getting started
The UNIX system has a very flexible and powerful logging system that lets you record almost anything you can imagine and then manipulate the logs to extract the information you need.
Many versions of UNIX provide a common logging tool called syslog; individual programs that have something to record send their messages to syslog.
UNIX syslog is a host-configurable, unified system logging tool. The system uses a centralized log process, which runs as /etc/syslogd or /etc/syslog.
The operation of the system logger is fairly simple. A program sends its log entry to syslogd, which consults the configuration file /etc/syslogd.conf or /etc/syslog and, when a match is found, writes the message to the desired log file.
There are four basic log terms you should know about:
Term | Description |
---|---|
Facility | An identifier describing the application or process that submitted the log message, for example the mail system, the kernel, or FTP. |
Priority | An indicator of the importance of the message. syslog defines a set of levels, from debugging information up to critical events. |
Selector | A combination of one or more facilities and levels. When an incoming event matches a selector, an action is taken. |
Action | What happens when an incoming message matches the selector. An action can write the message to a log file, echo it to the console or another device, write it to a logged-in user, or send it to another log server. |
The facilities available for use in a selector are listed below. Not all facilities exist in every version of UNIX.
Facility | Description |
---|---|
auth | Activities that require a username and password (getty, su, login). |
authpriv | Authentication messages similar to auth, but the log file can only be read by authorized users. |
console | Used to capture messages that would normally be sent to the system console. |
cron | Messages from the cron scheduling system. |
daemon | Messages from all system daemons. |
ftp | Messages from the ftp daemon. |
kern | Kernel messages. |
local0 to local7 | Local facilities reserved for use by the administrator's own applications. |
lpr | Messages from the print service system. |
mail | Messages from the mail system. |
mark | Pseudo-events used to place timestamps in log files. |
news | Messages related to the Network News Transfer Protocol (nntp). |
ntp | Messages from the Network Time Protocol daemon. |
user | Messages generated by normal user processes. |
uucp | Messages generated by the UUCP subsystem. |
The syslog priorities are as follows:
Priority | Description |
---|---|
emerg | Emergencies, such as an impending system crash; usually broadcast to all users. |
alert | Conditions that require immediate correction, such as a corrupted system database. |
crit | Critical conditions, such as a hardware error. |
err | Ordinary errors. |
warning | Warning messages. |
notice | Not an error, but a condition that may need to be handled in a specific way. |
info | Informational messages. |
debug | Messages used to debug a program. |
none | No priority; used in a selector to specify that messages from that facility are not logged. |
Combining a facility with a level lets you specify what is recorded and where the log messages go.
Each program dutifully sends its messages to the system logger, which decides what to keep and what to discard based on the level defined in the selector.
When you specify a level, every message at that level and higher is recorded.
The file /etc/syslog.conf is used to configure where messages are recorded. A typical syslog.conf file looks something like this:
```
*.err;kern.debug;auth.notice /dev/console
daemon,auth.notice /var/log/messages
lpr.info /var/log/lpr.log
mail.* /var/log/mail.log
ftp.* /var/log/ftp.log
auth.* @prep.ai.mit.edu
auth.* root,amrood
netinfo.err /var/log/netinfo.log
install.* /var/log/install.log
*.emerg *
*.alert |program_name
mark.* /dev/console
```
Each line in the file consists of two parts: a selector (one or more facility.level pairs, separated by semicolons) and an action, separated by whitespace.
One consideration for the configuration above: a message is tested against every line, so a message that matches several selectors is delivered to each of their actions.
The action part specifies one of the following five targets, each of which appears in the example above:
- A log file, for example /var/log/lpr.log.
- A device, for example /dev/console.
- A comma-separated list of logged-in users (root,amrood), or * for every logged-in user.
- A remote log server, written as @ followed by the host name (@prep.ai.mit.edu).
- A pipe, written as | followed by a program name (|program_name); the exact semantics depend on the syslog implementation.
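As an added example that is not part of the original page, here is a small POSIX shell matcher that reproduces how syslogd evaluates selectors against a message: it takes the page's sample configuration (trimmed, plus one constructed line that uses `none`) and prints the actions a message with a given facility and level, the same facility.level pair that `logger -p` accepts, would be delivered to. It assumes sysklogd-style semantics, in which a later selector on a line that names the same facility overrides an earlier one; `/var/log/filtered.log` is a constructed name.

```shell
#!/bin/sh
# Added example (not from the original page): which syslog.conf actions fire for a message?
set -f   # selectors contain '*'; keep the shell from expanding it as a filename glob

# Priority name -> numeric code (emerg=0 ... debug=7). "*" matches everything, so it
# gets the lowest severity; "none" gets -1 so that no message can be <= it.
prio_num() {
  case "$1" in
    emerg|panic) echo 0 ;;  alert) echo 1 ;;  crit) echo 2 ;;  err|error) echo 3 ;;
    warning|warn) echo 4 ;; notice) echo 5 ;; info) echo 6 ;;  debug|'*') echo 7 ;;
    none) printf '%s\n' -1 ;;
    *) return 1 ;;
  esac
}

# Constructed configuration: the page's example, trimmed, plus a last line that
# uses "none" to keep mail messages out of a file that takes kern.crit and above.
CONF='*.err;kern.debug;auth.notice /dev/console
daemon,auth.notice /var/log/messages
lpr.info /var/log/lpr.log
mail.* /var/log/mail.log
auth.* @prep.ai.mit.edu
auth.* root,amrood
*.emerg *
mail.none;kern.crit /var/log/filtered.log'

# actions_for FACILITY LEVEL: print one matching action per line.
# Selectors on a line are evaluated left to right; the last one naming the message's
# facility (or "*") sets the threshold, and the message matches when its code is <= it.
actions_for() {
  fac=$1
  pri=$(prio_num "$2") || return 1
  printf '%s\n' "$CONF" | while read -r selector action; do
    [ -z "$selector" ] && continue
    threshold=""
    IFS=';'
    for sel in $selector; do
      level=${sel##*.}
      facs=${sel%.*}
      IFS=','
      for f in $facs; do
        [ "$f" = '*' ] || [ "$f" = "$fac" ] && threshold=$(prio_num "$level")
      done
      IFS=';'
    done
    unset IFS
    if [ -n "$threshold" ] && [ "$pri" -le "$threshold" ]; then
      echo "$action"
    fi
  done
}

actions_for kern err   # prints /dev/console
```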
UNIX provides the logger command, a very useful command for working with system logging. logger sends a log message to the syslogd daemon, which handles the system log.
This means you can always test the syslogd daemon and its configuration from the command line: logger gives you a way to add a single entry to the system log from the shell.
The format of the command is:
```
logger [-i] [-f file] [-p priority] [-t tag] [message]...
```
The parameters are as follows:
Option | Description |
---|---|
-f filename | The contents of filename are logged as the message. |
-i | Log the process ID of the logger process on each line. |
-p priority | Specify the priority of the message, either as a number or as a facility.level pair, matching the selector it should hit. The default is user.notice. |
-t tag | Mark every line in the log with the specified tag. |
message | String arguments, joined together in order and separated by spaces, that form the message. |
Log files grow quickly and consume a lot of disk space. Most UNIX distributions use a tool such as newsyslog or logrotate to rotate logs.
These tools are run by the cron daemon at regular intervals. You can find more details in the man pages for newsyslog or logrotate.
All system applications create their own log files in /var/log and its subdirectories.
Here are a few important applications with corresponding log directories:
Application | Directory |
---|---|
httpd | /var/log/httpd |
samba | /var/log/samba |
cron | /var/log/ |
mail | /var/log/ |
mysql | /var/log/ |