Difference between revisions of "Linux Syslog"
Line 94: | Line 94: | ||
|} | |} | ||
{| | {| class="wikitable" | ||
| a | | a | ||
| - | | - |
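Review bot: the table that gains class="wikitable" at line 94 shows only the placeholder cells `| a` and `| -` in this hunk, so the revision styles a table that carries no content. Fill in the intended rows or remove the stub table in the same revision.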
Revision as of 17:51, 20 January 2022
Summary
Linux uses the syslog standard for message logging. This allows programs and applications to generate messages that can be captured, processed and stored by the system logger. It eliminates the need for every application to come up with and implement its own logging mechanism, and it also means that logging can be configured and controlled in a centralized location. The syslog file is one of the important log files. It contains almost all messages and is therefore well suited for the analysis of many problems.
Requirements
A syslog server accepts syslog messages and processes those messages based on a set of configurable rules.
Traditionally the syslogd daemon filled this role but many Linux distributions now ship with alternatives such as:
- rsyslog (rocket-fast system for log processing)
- syslog-ng (ng stands for next-generation)
How it works
The syslog standard uses facilities and severities to categorize messages.
- Facilities indicate what type of program or what part of the system a message originated from, e.g. messages that are labeled with the kernel facility originate from the Linux kernel.
- Severities, on the other hand, categorize messages based on their urgency. The severities are emergency, alert, critical, error, warning, notice, informational and debug.
Code | Facilities | Code | Severities |
---|---|---|---|
0 | kernel | 0 | emergency |
1 | user | 1 | alert |
2 |  | 2 | critical |
3 | auth | 3 | error |
4 | syslog | 4 | warning |
5 | cron | 5 | notice |
6 | line printer (lpr) | 6 | informational |
7 | network news (nntp) | 7 | debug |
8 | Unix-to-Unix Copy (UUCP) |  |  |
9 | clock |  |  |
10 | security/authorization |  |  |
11 | FTP |  |  |
12 | NTP |  |  |
13 | log audit |  |  |
14 | log alert |  |  |
15 | clock daemon (formerly cron in RFC 3164) |  |  |
16 | local use 0-7 (local0-local7) |  |  |
A syslog service uses configurable logging rules to determine what to do with a given message; these rules use combinations of facilities and severities. In most cases messages are simply written to a file somewhere in the /var/log directory, but you can also do more advanced things such as sending the messages over the network to a central location. If you want to generate your own log messages, for example when you're writing shell scripts, use the logger command-line utility. To automatically prune files and keep your disks from filling up with old messages, use the logrotate utility.
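A simplified Python model of how rules built from facility and severity pick an action, added here as an illustration (it is not code from this wiki and not the parser of rsyslog or syslog-ng). The rule set, the host name loghost.example.com and the function names are assumptions; the severity keywords follow the code order 0-7 of the severities listed above.

```python
# Severity keywords in code order 0-7 (emergency ... debug); lower = more urgent.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def selector_matches(selector, facility, severity):
    """Simplified syslog.conf-style selector check (illustrative subset).

    Supports 'fac.sev' (that severity or more urgent), 'fac.=sev' (exactly),
    'fac1,fac2.sev', '*' wildcards, 'fac.none', and ';'-joined parts that
    are applied left to right.
    """
    selected = set()  # severity codes selected so far for this facility
    for part in selector.split(";"):
        facs, _, prio = part.strip().rpartition(".")
        if facs != "*" and facility not in facs.split(","):
            continue  # this part says nothing about our facility
        if prio == "none":
            selected.clear()
        elif prio == "*":
            selected.update(range(len(SEVERITIES)))
        elif prio.startswith("="):
            selected.add(SEVERITIES.index(prio[1:]))
        else:
            selected.update(range(SEVERITIES.index(prio) + 1))
    return SEVERITIES.index(severity) in selected


# Constructed rule set: (selector, action). The host name is a placeholder.
RULES = [
    ("auth,authpriv.*", "/var/log/auth.log"),
    ("*.*;auth,authpriv.none", "/var/log/syslog"),
    ("kern.warning", "@loghost.example.com"),
    ("*.=debug", "/var/log/debug"),
]


def route(facility, severity):
    """Return every action whose selector matches the message."""
    return [action for sel, action in RULES
            if selector_matches(sel, facility, severity)]


if __name__ == "__main__":
    for fac, sev in [("auth", "info"), ("kern", "err"), ("cron", "debug")]:
        print(f"{fac}.{sev} ->", route(fac, sev))
```

The second rule shows why authentication messages stay out of the general file: `auth,authpriv.none` clears what `*.*` selected for those two facilities.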
The following example shows the entries in /var/log/syslog after starting an Ubuntu 20.04 system; further below are the entries that occur when connecting a USB stick:
```
Jan 4 06:10:20 bitsf kernel: [ 0.000000] Linux version 5.8.0-53-generic (buildd@lcy01-amd64-012) (gcc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #60~20.04.1-Ubuntu SMP Thu May 6 09:52:46 UTC 2021 (Ubuntu 5.8.0-53.60~20.04.1-generic 5.8.18)
Jan 4 06:10:20 bitsf kernel: [ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-5.8.0-53-generic root=UUID=5c80c0a8-2833-4cc9-be7f-6ca343989eb6 ro quiet splash
Jan 4 06:10:20 bitsf kernel: [ 0.000000] KERNEL supported cpus:
Jan 4 06:10:20 bitsf kernel: [ 0.000000] Intel GenuineIntel
Jan 4 06:10:20 bitsf kernel: [ 0.000000] AMD AuthenticAMD
Jan 4 06:10:20 bitsf kernel: [ 0.000000] Hygon HygonGenuine
Jan 4 06:10:20 bitsf kernel: [ 0.000000] Centaur CentaurHauls
Jan 4 06:10:20 bitsf kernel: [ 0.000000] zhaoxin Shanghai
Jan 4 06:10:20 bitsf kernel: [ 0.000000] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'
Jan 4 06:10:20 bitsf kernel: [ 0.000000] x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers'
Jan 4 06:10:20 bitsf kernel: [ 0.000000] x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers'
Jan 4 06:10:20 bitsf kernel: [ 0.000000] x86/fpu: xstate_offset[2]: 576, xstate_sizes[2]: 256
Jan 4 06:10:20 bitsf kernel: [ 0.000000] x86/fpu: Enabled xstate features 0x7, context size is 832 bytes, using 'compacted' format.
[...]
Jan 4 06:20:01 bitsf kernel: [ 585.917268] usb 1-1: new high-speed USB device number 2 using ehci-pci
Jan 4 06:20:01 bitsf kernel: [ 586.214302] usb 1-1: New USB device found, idVendor=0781, idProduct=5581, bcdDevice= 1.00
Jan 4 06:20:01 bitsf kernel: [ 586.214306] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Jan 4 06:20:01 bitsf kernel: [ 586.214309] usb 1-1: Product: Ultra
Jan 4 06:20:01 bitsf kernel: [ 586.214310] usb 1-1: Manufacturer: SanDisk
Jan 4 06:20:01 bitsf kernel: [ 586.214312] usb 1-1: SerialNumber: 4C530001140828116221
Jan 4 06:20:01 bitsf mtp-probe: checking bus 1, device 2: "/sys/devices/pci0000:00/0000:00:11.0/0000:02:03.0/usb1/1-1"
Jan 4 06:20:01 bitsf mtp-probe: bus: 1, device: 2 was not an MTP device
Jan 4 06:20:01 bitsf kernel: [ 586.247843] usb-storage 1-1:1.0: USB Mass Storage device detected
Jan 4 06:20:01 bitsf kernel: [ 586.249017] scsi host33: usb-storage 1-1:1.0
Jan 4 06:20:01 bitsf kernel: [ 586.249296] usbcore: registered new interface driver usb-storage
Jan 4 06:20:01 bitsf kernel: [ 586.255991] usbcore: registered new interface driver uas
Jan 4 06:20:01 bitsf mtp-probe: checking bus 1, device 2: "/sys/devices/pci0000:00/0000:00:11.0/0000:02:03.0/usb1/1-1"
Jan 4 06:20:01 bitsf mtp-probe: bus: 1, device: 2 was not an MTP device
Jan 4 06:20:01 bitsf dbus-daemon[735]: [system] Activating via systemd: service name='net.reactivated.Fprint' unit='fprintd.service' requested by ':1.81' (uid=1000 pid=1742>
Jan 4 06:20:01 bitsf systemd[1]: Starting Fingerprint Authentication Daemon...
Jan 4 06:20:01 bitsf dbus-daemon[735]: [system] Successfully activated service 'net.reactivated.Fprint'
Jan 4 06:20:01 bitsf systemd[1]: Started Fingerprint Authentication Daemon.
Jan 4 06:20:02 bitsf kernel: [ 587.271261] scsi 33:0:0:0: Direct-Access SanDisk Ultra 1.00 PQ: 0 ANSI: 6
Jan 4 06:20:02 bitsf kernel: [ 587.272204] sd 33:0:0:0: Attached scsi generic sg2 type 0
Jan 4 06:20:02 bitsf kernel: [ 587.278328] sd 33:0:0:0: [sdb] 120127488 512-byte logical blocks: (61.5 GB/57.3 GiB)
Jan 4 06:20:02 bitsf kernel: [ 587.286835] sd 33:0:0:0: [sdb] Write Protect is off
Jan 4 06:20:02 bitsf kernel: [ 587.286839] sd 33:0:0:0: [sdb] Mode Sense: 43 00 00 00
Jan 4 06:20:02 bitsf kernel: [ 587.294171] sd 33:0:0:0: [sdb] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
Jan 4 06:20:02 bitsf kernel: [ 587.356378] sdb: sdb1
Jan 4 06:20:02 bitsf kernel: [ 587.387213] sd 33:0:0:0: [sdb] Attached SCSI removable disk
```
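For analysis, the USB entries in the excerpt above can be reduced to one record per attached device. The following Python sketch is an added example, not part of the original wiki page; the function and field names are assumptions, and the sample lines are copied from the excerpt.

```python
import re

# Traditional syslog file line: "Mon D HH:MM:SS host tag[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Kernel message about one USB port: "[ 586.214310] usb 1-1: Manufacturer: SanDisk"
USB_RE = re.compile(r"^\[\s*[\d.]+\] usb (?P<port>[\d.-]+): (?P<text>.*)$")
FOUND_RE = re.compile(r"idVendor=(\w+), idProduct=(\w+)")
FIELD_RE = re.compile(r"^(Product|Manufacturer|SerialNumber): (.+)$")


def usb_attach_events(lines):
    """Group kernel 'usb <port>:' messages into one record per attached device."""
    events, current = [], {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["tag"] != "kernel":
            continue  # other daemons (mtp-probe, systemd, ...) or unparseable
        u = USB_RE.match(m["msg"])
        if not u:
            continue  # kernel line that is not about a USB port
        found = FOUND_RE.search(u["text"])
        field = FIELD_RE.match(u["text"])
        if found:  # "New USB device found" opens a new record
            current = {"time": m["ts"], "host": m["host"], "port": u["port"],
                       "vendor_id": found[1], "product_id": found[2]}
            events.append(current)
        elif field and current.get("port") == u["port"]:
            current[field[1]] = field[2]  # descriptor strings of that device
    return events


# Sample input: lines copied from the /var/log/syslog excerpt above.
SAMPLE = """\
Jan 4 06:20:01 bitsf kernel: [ 585.917268] usb 1-1: new high-speed USB device number 2 using ehci-pci
Jan 4 06:20:01 bitsf kernel: [ 586.214302] usb 1-1: New USB device found, idVendor=0781, idProduct=5581, bcdDevice= 1.00
Jan 4 06:20:01 bitsf kernel: [ 586.214306] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Jan 4 06:20:01 bitsf kernel: [ 586.214309] usb 1-1: Product: Ultra
Jan 4 06:20:01 bitsf kernel: [ 586.214310] usb 1-1: Manufacturer: SanDisk
Jan 4 06:20:01 bitsf kernel: [ 586.214312] usb 1-1: SerialNumber: 4C530001140828116221
Jan 4 06:20:01 bitsf mtp-probe: bus: 1, device: 2 was not an MTP device
Jan 4 06:20:01 bitsf kernel: [ 586.247843] usb-storage 1-1:1.0: USB Mass Storage device detected
""".splitlines()

if __name__ == "__main__":
    for event in usb_attach_events(SAMPLE):
        print(event)
```

The traditional timestamp carries no year or time zone, so records taken from several hosts or from rotated files need that context added before they are correlated.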