The most important activities that take place on your Linux system are recorded in log files, and there are many of them on a Linux system. One of the most important is syslog, the system event logger that many programs use to perform their logging. syslog supports message sorting, which allows a given message to be classified by its importance and its source and then sent to the appropriate destination. syslog consists of syslogd (the logging daemon), openlog, a set of library routines that submit messages to syslogd, and logger, a user-level command that submits log entries from the shell. syslogd is started at boot time; if you want to see it running on your system, use the ps command to display all the processes running on your system.

To specify the file in which specific log entries will be placed, use /etc/syslog.conf. Each line of this file has a selector field and an action field. Both fields have several sub-levels. For instance, the selector field can specify priorities that go from informational (info) all the way to emergencies (emerg). The action field can range from the file to which messages are written (a filename) to writing messages to the screens of all logged-in users (*), for an important message that everyone must see. The following is the /etc/syslog.conf file from our Integrity server:

    # Log all kernel messages to the console.
    # Logging much else clutters up the screen.
    #kern.*                                                 /dev/console

    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    *.info;mail.none;news.none;authpriv.none;cron.none      /var/log/messages

    # The authpriv file has restricted access.
    authpriv.*                                              /var/log/secure

    # Log all the mail messages in one place.
    mail.*                                                  /var/log/maillog

    # Log cron stuff
    cron.*                                                  /var/log/cron

    # Everybody gets emergency messages
    *.emerg                                                 *

    # Save news errors of level crit and higher in a special file.
    uucp,news.crit                                          /var/log/spooler

    # Save boot messages also to boot.log
    local7.*                                                /var/log/boot.log

    #
    # INN
    #
    news.=crit                                              /var/log/news/news.crit
    news.=err                                               /var/log/news/news.err
    news.notice                                             /var/log/news/news.notice

You can see from this file that kernel-related messages are sent to the console (that entry is commented out in this file), mail-related messages are sent to /var/log/maillog, cron-related messages are sent to /var/log/cron, and so on. The previous listing also shows that all the log files on the system are in /var/log, which is the most common location for log files. The following is a long listing of the /var/log directory of the Integrity server:

    # ls -l /var/log
    total 3664
    -rw-r-----    1 root     root         1425 Jan 28 20:08 acpid
    -rw-------    1 root     root         9222 Jan 28 20:09 boot.log
    -rw-------    1 root     root         8667 Jan 24 22:15 boot.log.1
    -rw-------    1 root     root        12593 Jan 24 16:58 boot.log.2
    -rw-------    1 root     root       750359 Jan 29 17:00 cron
    -rw-------    1 root     root       305847 Jan 26 04:02 cron.1
    -rw-------    1 root     root       207252 Jan 24 17:03 cron.2
    -rw-r--r--    1 root     root        12034 Jan 28 20:08 dmesg
    drwxr-xr-x    2 root     root         4096 Jun 24  2001 fax
    drwxr-xr-x    2 root     root         4096 Jan 16 16:41 gdm
    drwxr-xr-x    2 root     root         4096 Jun 24  2002 httpd
    drwx------    2 root     root         4096 Feb 22  2002 iptraf
    -rw-r--r--    1 root     root          442 Jan 28 20:08 iscsi.log
    drwxr--r--    2 junkbust junkbust     4096 Jul  7  2001 junkbuster
    -rw-r--r--    1 root     root        79506 Jan 28 20:08 ksyms.0
    -rw-r--r--    1 root     root        79506 Jan 28 19:41 ksyms.1
    -rw-r--r--    1 root     root        79506 Jan 28 19:20 ksyms.2
    -rw-r--r--    1 root     root        79506 Jan 28 19:06 ksyms.3
    -rw-r--r--    1 root     root        79506 Jan 24 22:15 ksyms.4
    -rw-r--r--    1 root     root        79506 Jan 24 20:07 ksyms.5
    -rw-r--r--    1 root     root        79506 Jan 24 18:38 ksyms.6
    -rw-r--r--    1 root     root     19398360 Jan 29 01:05 lastlog
    -rw-------    1 root     root         7665 Jan 29 16:08 maillog
    -rw-------    1 root     root         3104 Jan 26 04:02 maillog.1
    -rw-------    1 root     root         1716 Jan 24 16:58 maillog.2
    drwxrwsr-x    2 root     mailman      4096 Jan 26 04:02 mailman
    -rw-------    1 root     root       263224 Jan 29 04:03 messages
    -rw-------    1 root     root       123647 Jan 25 04:03 messages.1
    -rw-------    1 root     root       173869 Jan 24 16:58 messages.2
    -rw-r-----    1 mysql    mysql           0 Jan 26 04:02 mysqld.log
    -rw-r-----    1 mysql    mysql           0 Jan 24 17:03 mysqld.log.1
    -rw-r--r--    1 root     root            0 Jan 16 11:32 mysqld.log.2
    drwxr-xr-x    3 news     news         4096 Jan 16 10:54 news
    -rw-------    1 root     root       177984 Jan 29 17:00 pacct
    -rw-------    1 root     root        95922 Jan 29 04:02 pacct.1.gz
    -rw-------    1 root     root        29079 Jan 28 04:02 pacct.2.gz
    -rw-------    1 root     root        50909 Jan 27 04:02 pacct.3.gz
    -rw-------    1 root     root        29069 Jan 26 04:02 pacct.4.gz
    -rw-------    1 root     root        91306 Jan 25 04:02 pacct.5.gz
    -rw-------    1 root     root        50800 Jan 24 17:03 pacct.6.gz
    -rw-------    1 root     root        89431 Jan 17 04:02 pacct.7.gz
    -rwx------    1 postgres postgres        0 Jan 16 10:54 pgsql
    drwxrwxr-x    2 piranha  root         4096 Jan 16 11:26 piranha
    -rw-r--r--    1 root     root        28991 Jan 29 04:02 rpmpkgs
    -rw-r--r--    1 root     root        28991 Jan 25 04:02 rpmpkgs.1
    -rw-r--r--    1 root     root        28991 Jan 17 04:02 rpmpkgs.2
    drwxr-xr-x    2 root     root         4096 Jan 29 04:03 sa
    drwx------    2 root     root         4096 Sep 18  2001 samba
    -rw-------    1 root     root            0 Sep  6  2001 savacct
    -rw-------    1 root     root         1473 Jan 29 01:05 secure
    -rw-------    1 root     root         1857 Jan 24 22:15 secure.1
    -rw-------    1 root     root         1393 Jan 24 16:58 secure.2
    -rw-------    1 root     root            0 Jan 26 04:02 spooler
    -rw-------    1 root     root            0 Jan 24 17:03 spooler.1
    -rw-------    1 root     root            0 Jan 16 10:42 spooler.2
    drwxr-x---    2 squid    squid        4096 Jun 27  2002 squid
    -rw-------    1 root     root            0 Sep  6  2001 usracct
    drwxr-xr-x    2 uucp     uucp         4096 Jan 16 11:35 uucp
    drwxr-xr-x    2 root     root         4096 May 21  2002 vbox
    -rw-rw-r--    1 root     utmp       206400 Jan 29 01:05 wtmp
    -rw-------    1 root     root            0 Jan 26 04:02 xferlog
    -rw-------    1 root     root            0 Jan 24 17:03 xferlog.1
    -rw-------    1 root     root            0 Jan 16 10:54 xferlog.2
    -rw-r--r--    1 root     root       112525 Jan 28 21:34 XFree86.0.log
    drwxr-x---    2 root     root         4096 Aug  2 14:24 zebra
    #

Most of the log files in this directory are ASCII files that can be viewed or edited as text files.
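The way the selector field decides where a message goes can be checked mechanically rather than by eye. The following resolver is an added example (not code from the book or from syslogd itself) that applies the classic sysklogd selector rules to the syslog.conf shown above: facility.priority pairs, ;-separated selector lists in which a later selector overrides an earlier one for the same facility, comma-separated facility lists, none, = for an exact level, and * for everything. It assumes only the eight standard priority names are used (aliases such as warn or error are not handled).

```python
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Constructed input: the selector lines of the /etc/syslog.conf shown above.
SYSLOG_CONF = """
#kern.*                                               /dev/console
*.info;mail.none;news.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                            /var/log/secure
mail.*                                                /var/log/maillog
cron.*                                                /var/log/cron
*.emerg                                               *
uucp,news.crit                                        /var/log/spooler
local7.*                                              /var/log/boot.log
news.=crit                                            /var/log/news/news.crit
news.=err                                             /var/log/news/news.err
news.notice                                           /var/log/news/news.notice
"""

def parse_conf(text):
    """Return [(selectors, action)]; a selector is (facilities, exact, level)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # comments and blank lines are ignored
        if not line:
            continue
        sel_field, action = line.split(None, 1)
        selectors = []
        for sel in sel_field.split(";"):           # "*.info;mail.none" style lists
            facs, level = sel.rsplit(".", 1)       # "uucp,news.crit" -> facilities, level
            selectors.append((facs.split(","), level.startswith("="), level.lstrip("=")))
        rules.append((selectors, action.strip()))
    return rules

def selected(selectors, facility, priority):
    """Walk the selectors left to right; the last one naming the facility wins."""
    allowed = set()
    for facs, exact, level in selectors:
        if "*" not in facs and facility not in facs:
            continue
        if level == "none":                        # authpriv.none: drop that facility
            allowed = set()
        elif level == "*":                         # mail.*: every priority
            allowed = set(PRIORITIES)
        elif exact:                                # news.=crit: exactly that level
            allowed = {level}
        else:                                      # *.info: that level and above
            allowed = set(PRIORITIES[PRIORITIES.index(level):])
    return priority in allowed

def destinations(facility, priority, conf=SYSLOG_CONF):
    # Every action that receives a message with this facility and priority
    return [a for sels, a in parse_conf(conf) if selected(sels, facility, priority)]
```

Worth confirming on any system: authpriv messages land only in /var/log/secure (mode -rw------- in the listing above), whereas a program that logs under the plain auth facility ends up in /var/log/messages instead.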
Because wtmp contains a list of logins and logouts for users and is a binary file, you must use a command that can interpret it. In the following example, last -20 shows the last 20 entries in the file. As you can see, the last command decodes the information in this file:

    # last -20
    root     pts/0        pal2nai168208.ns Wed Jan 29 01:05   still logged in
    root     pts/1        atl2nai162053.ss Tue Jan 28 21:19 - 21:23  (00:04)
    root     pts/2        :0               Tue Jan 28 21:11 - 21:34  (00:23)
    root     pts/0        :0               Tue Jan 28 20:09 - 21:34  (01:24)
    root     :0                            Tue Jan 28 20:09 - 21:34  (01:25)
    root     :0                            Tue Jan 28 20:09 - 20:09  (00:00)
    reboot   system boot  2.4.18-e.12smp   Tue Jan 28 20:08          (20:54)
    root     pts/0        :0               Tue Jan 28 19:43 - down   (00:23)
    root     :0                            Tue Jan 28 19:42 - down   (00:23)
    reboot   system boot  2.4.18-e.12smp   Tue Jan 28 19:41          (00:24)
    root     pts/0        :0               Tue Jan 28 19:21 - down   (00:18)
    root     :0                            Tue Jan 28 19:21 - down   (00:18)
    reboot   system boot  2.4.18-e.12smp   Tue Jan 28 19:20          (00:19)
    root     pts/0        :0               Tue Jan 28 19:08 - down   (00:10)
    root     :0                            Tue Jan 28 19:07 - down   (00:10)
    reboot   system boot  2.4.18-e.12smp   Tue Jan 28 19:06          (00:11)
    root     pts/1        :0               Tue Jan 28 16:44 - 19:04  (02:20)
    root     pts/0        :0               Tue Jan 28 16:19 - 19:04  (02:44)
    root     :0                            Tue Jan 28 16:18 - down   (02:46)
    reboot   system boot  2.4.18-e.12smp   Fri Jan 24 22:15         (3+20:49)

    wtmp begins Thu Jan 16 16:40:37 2003
    #

This example shows the last 20 entries in wtmp, including reboots. Most of the files are automatically "rotated", meaning that the most recently rotated copy has the extension .1 and older copies have progressively higher numbers. Notice in the long listing of /var/log that there are subdirectories for some applications, such as samba.
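Since last already decodes wtmp, its text output can be parsed to answer the questions an administrator actually asks of it: which sessions came in from a remote host, and which are still open. This parser is an added example, not from the book, run over a constructed subset of the last -20 output above; it assumes the column layout shown there, where console (:0) sessions have no host column and reboot records carry the kernel version in its place.

```python
from collections import defaultdict

# Constructed sample: a subset of the `last -20` output shown above.
LAST_OUTPUT = """\
root     pts/0        pal2nai168208.ns Wed Jan 29 01:05   still logged in
root     pts/1        atl2nai162053.ss Tue Jan 28 21:19 - 21:23  (00:04)
root     pts/2        :0               Tue Jan 28 21:11 - 21:34  (00:23)
root     :0                            Tue Jan 28 20:09 - 21:34  (01:25)
reboot   system boot  2.4.18-e.12smp   Tue Jan 28 20:08          (20:54)
root     pts/0        :0               Tue Jan 28 19:43 - down   (00:23)

wtmp begins Thu Jan 16 16:40:37 2003
"""

DAYS = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}

def parse_last(text):
    """Turn `last` lines into dicts; the trailing 'wtmp begins' line is skipped."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "wtmp":
            continue
        if tok[0] == "reboot":            # "reboot system boot <kernel> <date> (<uptime>)"
            user, tty, host, rest = tok[0], "system boot", tok[3], tok[4:]
        elif tok[2] in DAYS:              # console login "root :0 Tue Jan 28 ...": no host
            user, tty, host, rest = tok[0], tok[1], "", tok[2:]
        else:                             # "user tty host <date> ..."
            user, tty, host, rest = tok[0], tok[1], tok[2], tok[3:]
        tail = " ".join(rest[4:])         # "still logged in", "- 21:23 (00:04)", "- down (00:23)"
        entries.append({"user": user, "tty": tty, "host": host,
                        "start": " ".join(rest[:4]),
                        "active": tail.startswith("still logged in"),
                        "remote": tty != "system boot" and host not in ("", ":0")})
    return entries

def remote_login_summary(text):
    """Sessions per (user, origin host) for non-console logins, plus sessions still open."""
    counts = defaultdict(int)
    still_open = []
    for e in parse_last(text):
        if e["remote"]:
            counts[(e["user"], e["host"])] += 1
        if e["active"]:
            still_open.append((e["user"], e["tty"], e["host"]))
    return dict(counts), still_open
```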
Many of the log files in the /var/log/samba directory on the IA-32 system are used in the Samba chapter, as shown in the following long listing:

    # ll /var/log/samba
    total 53
    -rw-r--r--    1 root     root            0 Jun 15 11:15 f4412bfg.log
    -rw-r--r--    1 root     root            0 Aug 17 04:03 f4457mxp.log
    -rw-r--r--    1 root     root          118 Aug 17 04:03 f4457mxp.log.1
    -rw-r--r--    1 root     root          235 Jul 22 04:03 f4457mxp.log.
    -rw-r--r--    1 root     root          664 Jun 23 04:03 f4457mxp.log.3
    -rw-r--r--    1 root     root            0 Jun 21 12:22 linuxdev.log
    -rw-r--r--    1 root     root        25738 Aug 17 04:03 log.nmbd
    -rw-r--r--    1 root     root         5069 Aug 16 08:36 log.smbd
    -rw-r--r--    1 root     root          411 Aug 15 17:40 nmbd.log
    -rw-r--r--    1 root     root          209 Aug 11 04:03 nmbd.log.1
    -rw-r--r--    1 root     root          460 Aug 10 10:30 nmbd.log.2
    -rw-r--r--    1 root     root          158 Jul 28 04:03 nmbd.log.3
    -rw-r--r--    1 root     root           79 Jul 21 04:03 nmbd.log.4
    -rw-r--r--    1 root     root          130 Aug 17 04:03 smbd.log
    -rw-r--r--    1 root     root           65 Aug 11 04:03 smbd.log.1
    -rw-r--r--    1 root     root          130 Aug 10 10:30 smbd.log.2
    -rw-r--r--    1 root     root          130 Jul 28 04:03 smbd.log.3
    -rw-r--r--    1 root     root           65 Jul 21 04:03 smbd.log.4
    -rw-r--r--    1 root     root            0 Aug 10 10:30 smbmount.log
    -rw-r--r--    1 root     root         1224 Aug 10 10:30 smbmount.log.1
    -rw-r--r--    1 root     root          135 Jul 29 04:03 smbmount.log.2
    -rw-r--r--    1 root     root          402 Jul 21 04:03 smbmount.log.3
    -rw-r--r--    1 root     root         3405 Jun 30 04:03 smbmount.log.4

If all these files were placed directly in the /var/log directory, it would become too crowded, so a subdirectory is created for samba. A large number of log files are in /var/log, and you may want to take a look at some of them. For example, the boot.log file contains a history of the significant commands that you've issued, and dmesg provides a dump of the kernel message buffer. Many others can give you insight into your system's operation. Sometimes log files can be very long; when they are, it is a good idea to search them (with grep) for what you need.
In the following example, you copy the output of dmesg to the screen (cat dmesg). This is a long file, so before it displays, you pipe it through grep to search for the three-letter string CPU in the output:

    # cat dmesg | grep CPU
    CPU 0: mapping PAL code [0x3ff40000-0x3ff80000) into [0xe00000003f000000-0xe000000040000000)
    CPU 0: 61 virtual and 50 physical address bits
    CPU 0 (0x0000) enabled (BSP)
    CPU 1 (0x0100) enabled
    2 CPUs available, 2 CPUs total
    CPU 0: base freq=200.000MHz, ITC ratio=10/2, ITC freq=1000.000MHz
    CPU 1: mapping PAL code [0x3ff40000-0x3ff80000) into [0xe00000003f000000-0xe000000040000000)
    CPU 1: 61 virtual and 50 physical address bits
    CPU 1: synchronized ITC with CPU 0 (last diff 0 cycles, maxerr 451 cycles)
    CPU 1: base freq=200.000MHz, ITC ratio=10/2, ITC freq=1000.000MHz
    CPU1: CPU has booted.
    #

The two CPUs and the information associated with them are shown in the output, including the 1 GHz frequency. Next, use grep to look for hpzx1 in the output:

    # cat dmesg | grep hpzx1
    booting generic kernel on platform hpzx1
    hpzx1: HWP0001 SBA at 0xfed00000; pci dev 00:1e.0
    hpzx1: HWP0001 IOC at 0xfed01000; pci dev 00:1d.0
    hpzx1: HWP0002 PCI LBA _BBN 0x00 at 0xfed20000; pci dev 00:1c.0
    hpzx1: HWP0002 PCI LBA _BBN 0x20 at 0xfed22000; pci dev 20:1e.0
    hpzx1: HWP0002 PCI LBA _BBN 0x40 at 0xfed24000; pci dev 40:1e.0
    hpzx1: HWP0002 PCI LBA _BBN 0x60 at 0xfed26000; pci dev 60:1e.0
    hpzx1: HWP0002 PCI LBA _BBN 0x80 at 0xfed28000; pci dev 80:1e.0
    hpzx1: HWP0002 PCI LBA _BBN 0xc0 at 0xfed2c000; pci dev c0:1e.0
    hpzx1: HWP0002 PCI LBA _BBN 0xe0 at 0xfed2e000; pci dev e0:1e.0
    #

This output shows information related to the hpzx1 chipset, which provides a high-bandwidth, low-latency solution for one- to four-way workstations and servers, such as the two-way rx2600 used in the example. I check log files on an as-needed basis, but many system administrators review the log files frequently to look for potential problems in an effort to be proactive.