
UNIX system logs


May 23, 2021 UNIX Getting started




The system log

The UNIX system has a very flexible and powerful logging system that lets you record almost anything you can imagine and then work through the logs to extract the information you need.

Many versions of UNIX provide a general-purpose logging facility called syslog; individual programs that have something to record send their messages to syslog rather than writing log files of their own.

UNIX syslog is a host-configurable, unified system logging tool. The system uses a centralized logging process that runs as /etc/syslogd or /etc/syslog.

The operation of the system logger is fairly simple. A program sends a log entry to syslogd, which looks it up in the configuration file /etc/syslogd.conf or /etc/syslog and writes it to the desired log file.

There are four basic logging terms you should know:

  • Facility: An identifier that describes the application or process that submitted the log message, for example mail, kernel or FTP.
  • Priority: An indicator of the importance of the message. syslog defines a set of message levels as a guideline, ranging from debugging information to critical events.
  • Selector: A combination of one or more facilities and levels. When an incoming event matches a selector, an action is executed.
  • Action: What happens when an incoming message matches a selector. An action can write the message to a log file, echo it to the console or another device, write it to a logged-in user, or send it to another log server.

Syslog Facilities

The facilities available for use in a selector are listed below. Not all facilities exist in every version of UNIX.

  • auth: Activities that require a username and password (getty, su, login).
  • authpriv: Authentication messages like auth, but the resulting log files can only be read by authorized users.
  • console: Used to capture messages that would normally be sent to the system console.
  • cron: Messages from the cron scheduling system.
  • daemon: Messages from all system daemons.
  • ftp: Messages from the ftp daemon.
  • kern: Kernel messages.
  • local0 to local7: Local facilities reserved for site-specific use.
  • lpr: Messages from the line printer spooling system.
  • mail: Messages from the mail system.
  • mark: Pseudo-events used to generate timestamps in log files.
  • news: Messages from the Network News Transfer Protocol (nntp) system.
  • ntp: Messages from the network time protocol system.
  • user: Messages generated by ordinary user processes.
  • uucp: Messages generated by the UUCP subsystem.

Syslog priority

The syslog priorities, from most to least severe, are as follows:

  • emerg: Emergency conditions, such as an impending system crash, usually broadcast to all users.
  • alert: Conditions that require immediate correction, such as a corrupted system database.
  • crit: Critical conditions, such as a hardware error.
  • err: Ordinary errors.
  • warning: Warning conditions.
  • notice: Not an error, but a condition that may need to be handled in a specific way.
  • info: Informational messages.
  • debug: Messages used for debugging programs.
  • none: No priority level; typically used to specify that messages should not be logged.

The combination of facility and level lets you control what is recorded and where the log information goes.

Each program dutifully sends its messages to the system logger, which decides what to keep and what to discard based on the levels defined in the selectors.

When you specify a level, everything about that level and higher is recorded.

File /etc/syslog.conf

File /etc/syslog.conf is used to configure the location of the record message. A typical syslog.conf file should look something like this:

    *.err;kern.debug;auth.notice /dev/console
    daemon,auth.notice           /var/log/messages
    lpr.info                     /var/log/lpr.log
    mail.*                       /var/log/mail.log
    ftp.*                        /var/log/ftp.log
    auth.*                       @prep.ai.mit.edu
    auth.*                       root,amrood
    netinfo.err                  /var/log/netinfo.log
    install.*                    /var/log/install.log
    *.emerg                      *
    *.alert                      |program_name
    mark.*                       /dev/console

Each line in the file consists of two parts:

  • A message selector that specifies which messages to record, for example all error messages, or all debug messages from the kernel.
  • An action that indicates what to do with the messages received, for example write them to a file or send them to a user's terminal.

Here are the considerations for the above configuration:

  • A message selector has two parts: a facility and a priority. For example, kern.debug selects all debug messages (the priority) generated by the kernel (the facility).
  • The message selector kern.debug selects all kernel messages with a priority of debug or higher.
  • An asterisk in the facility or the priority position means "all". For example, *.debug selects debug messages from every facility, while kern.* selects every message from the kernel regardless of priority.
  • You can also specify more than one facility, separated by commas. Two or more selectors can be combined with a semicolon.

Logging Action

The action section specifies one of the following five actions:

  1. Record the message in a file or on a device, for example /var/log/lpr.log or /dev/console.
  2. Send the message to a user. You can specify several user names separated by commas (for example, root,amrood).
  3. Send the message to all users. In this case the action field contains an asterisk (for example, the *.emerg line above).
  4. Send the message to a program through a pipe. In this case the program is named after the UNIX pipe symbol (|).
  5. Send the message to syslog on another host. In this case the action field contains a host name preceded by the at sign (for example, @w3cschool.cn).
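To make the selector and action rules above concrete, here is an added Python example (not part of the original page and not code from any syslogd implementation) that parses syslog.conf lines, applies the "that level and higher" rule with the * and none special cases, and classifies the action field. It assumes the BSD syslogd/sysklogd convention that the last selector naming a message's facility decides, and the sample configuration is constructed from the lines shown above.

```python
import re

# Syslog priorities from least to most severe (this page's priority table).
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Constructed sample: lines taken from the syslog.conf shown on this page,
# plus one line using 'none' to exclude a facility.
SAMPLE_CONF = """\
*.err;kern.debug;auth.notice /dev/console
daemon,auth.notice           /var/log/messages
mail.*                       /var/log/mail.log
auth.*                       @prep.ai.mit.edu
*.emerg                      *
*.info;mail.none             /var/log/syslog
"""

def parse_line(line):
    """Split a syslog.conf line into ([(facility, priority), ...], action)."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None                                  # blank or comment line
    selector_part, action = re.split(r"\s+", line, maxsplit=1)
    selectors = []
    for sel in selector_part.split(";"):            # ';' joins selectors
        facilities, priority = sel.rsplit(".", 1)
        for fac in facilities.split(","):            # ',' joins facilities
            selectors.append((fac, priority))
    return selectors, action

def selector_matches(selectors, facility, priority):
    """A named priority selects that level and above; '*' selects every level;
    'none' selects nothing. The last selector naming the facility (or '*') decides."""
    threshold = None
    for fac, pri in selectors:
        if fac in (facility, "*"):
            threshold = pri
    if threshold in (None, "none"):
        return False
    return threshold == "*" or PRIORITIES.index(priority) >= PRIORITIES.index(threshold)

def action_kind(action):
    """Classify the action field into the five kinds listed on this page."""
    for prefix, kind in (("/", "file or device"), ("@", "remote host"),
                         ("|", "pipe"), ("*", "all users")):
        if action.startswith(prefix):
            return kind
    return "user list"

def route(conf_text, facility, priority):
    """Return every action a (facility, priority) message would trigger."""
    parsed = filter(None, map(parse_line, conf_text.splitlines()))
    return [act for sels, act in parsed if selector_matches(sels, facility, priority)]
```

Calling route(SAMPLE_CONF, "mail", "crit") shows the message reaching both /dev/console (via *.err) and /var/log/mail.log, while the final line drops it because of mail.none.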

Logger command

UNIX provides the logger command, a very useful tool for working with system logging. The logger command sends a log message to the syslogd daemon, which then logs it according to the configuration.

This means we can always test the syslogd daemon and its configuration from the command line. The logger command provides a way to add a single line to the system log from the command line.

The format of the command is:

    logger [-i] [-f file] [-p priority] [-t tag] [message]...

The parameters are as follows:

  • -f filename: Use the contents of filename as the message to log.
  • -i: Log the process ID of the logger process with each line.
  • -p priority: Log the message with the given priority (the selector it should match), specified either as a number or as a facility.level pair. The default is user.notice.
  • -t tag: Mark every line in the log with the specified tag.
  • message: String arguments whose contents are concatenated, in order, separated by spaces, to form the message.

Log rotation

Log files tend to grow quickly and consume a lot of disk space. Most UNIX distributions use tools such as newsyslog or logrotate to rotate logs.

These tools are called by the cron daemon at frequent intervals. You can get more details on the man pages of newsyslog or logrotate.

The location of the important log file

System applications create their log files in /var/log or one of its subdirectories. Here are a few important applications and their corresponding log directories:

  • httpd: /var/log/httpd
  • Samba: /var/log/samba
  • cron: /var/log/
  • mail: /var/log/
  • MySQL: /var/log/