syslog is the Linux system's default logging daemon. The default location for syslog's configuration file is /etc/syslog.conf. The syslog daemon is configurable and allows you to specify exactly where you want each type of system message to go. First, we will look at the format of a single line of syslog.conf, since all lines follow the same format. Then we will look at the whole syslog configuration file. A syslog configuration line looks like this:
mail.* /var/log/mail
This line consists of two parts. First there is a selector or selectors, which in this case is mail.*. The selector section is followed by some white space and then an activity section, which in this case is /var/log/mail.
The selector component itself is broken into two parts separated by a period. The first piece is a facility and the second is a priority.
The selector is really a category for the message type. This helps you separate the kinds of messages into different places. syslog's configuration supports more than one selector on a line as long as they are separated by a semicolon. In our example there is only the one selector, for the mail facility. In the next section, we show the whole syslog configuration, and there are several examples of lines with multiple selectors. Table 12-1 lists the facilities recognized in most flavors of the Linux operating system.
Facility | Description | Symbol in sys/syslog.h | syslog Number
---|---|---|---
kern | Kernel messages | LOG_KERN | 0
user | User processes | LOG_USER | 1
mail | Mail system | LOG_MAIL | 2
daemon | Background processes | LOG_DAEMON | 3
authpriv | Authorization | LOG_AUTH | 4
syslog | System logging | LOG_SYSLOG | 5
lpr | Printing messages | LOG_LPR | 6
news | Usenet news | LOG_NEWS | 7
uucp | Unix-to-Unix copy program | LOG_UUCP | 8
cron | Cron scheduled tasks | LOG_CRON | 9
local0-local7 | Local use | LOG_LOCALn | 16-23
* | Wildcard for any facility | |
Priorities are the second part of a selector. Priorities are urgency rankings for the message. The programmer of an application decides in advance what the level of urgency is for each application message, so you must live with the priority any given message has unless you want to start recompiling your system applications. Table 12-2 shows the possible priorities in increasing level of severity.
Priority | Meaning | Symbol in syslog.h | syslog Number
---|---|---|---
debug | Debug level (verbose) | LOG_DEBUG | 7
info | Informational messages | LOG_INFO | 6
none | Log none of the messages | Not Defined |
notice | Normal yet important messages | LOG_NOTICE | 5
warning | Warning messages | LOG_WARNING | 4
err | Error messages | LOG_ERR | 3
crit | Important messages | LOG_CRIT | 2
alert | Urgent messages | LOG_ALERT | 1
emerg | Emergency messages | LOG_EMERG | 0
Priorities are different from facilities because they lie on a continuum. When an unmodified priority is used in a selector, it really means that priority as a minimum threshold plus all more urgent message types. So, if the priority warning is used in a selector, it actually includes warning, err, crit, alert, and emerg.
syslog's configuration permits you to modify priorities through the use of three specifiers: the asterisk ( * ), the equal sign ( = ), and the exclamation mark ( ! ). If you understand regular expressions, these modifiers will be familiar and intuitive.
The asterisk ( * ) means that all messages for the facility are sent to the activity component. Just as when it's used in a regular expression, the asterisk means everything. In the example line mail.* this is exactly what is happening: all possible priorities are sent to the action. Using a specifier of * is exactly the same as using a specifier of debug, because a plain priority means that minimum plus everything more urgent.
The equal sign ( = ) restricts the selector to only the specified priority. You might use this to send only debug messages without also sending the more urgent ones, which is a decent approach with production applications. The equal sign is used to single out an individual message priority. As in its use in programming, the equal sign means equivalence.
The exclamation mark ( ! ) is another way to limit the priorities sent to the activity, by stating an exception. It is a form of negation. For instance, this syslog line
mail.*;mail.!info /var/adm/mail
would send all mail messages except the info ones to the logfile /var/adm/mail. This is because mail.* sends all the messages, but mail.!info blocks the info ones. As in its use in programming, the exclamation mark means not.
Logged information can be divided among multiple files, sent to named pipes, to programs, and even to other machines, as explained in the next section. The syslog configuration file is straightforward and easy to read and work with. The information in the comments is useful and you should be sure to read it. This next code listing shows the default syslog.conf from SUSE. The default syslog.conf from Red Hat is very similar and a little shorter. (Comment lines start with # .)

```
# /etc/syslog.conf - Configuration file for syslogd(8)
#
# For info about the format of this file, see "man syslog.conf".
#
# print most on tty10 and on the xconsole pipe
#
kern.warn;*.err;authpriv.none   /dev/tty10
kern.warn;*.err;authpriv.none   /dev/xconsole
*.emerg                         *

# enable this, if you want that root is informed
# immediately, e.g. of logins
#*.alert                        root
#
# all email-messages in one file
#
mail.*                          -/var/log/mail
#
# all news-messages
#
# these files are rotated and examined by "news.daily"
news.crit                       -/var/log/news/news.crit
news.err                        -/var/log/news/news.err
news.notice                     -/var/log/news/news.notice
# enable this, if you want to keep all news messages
# in one file
#news.*                         -/var/log/news.all
#
# Warnings in one file
#
*.=warn;*.=err                  -/var/log/warn
*.crit                          /var/log/warn
#
# save the rest in one file
#
*.*;mail.none;news.none         -/var/log/messages
#
# enable this, if you want to keep all messages
# in one file
#*.*                            -/var/log/allmessages
#
# Some foreign boot scripts require local7
#
local0,local1.*                 -/var/log/localmessages
local2,local3.*                 -/var/log/localmessages
local4,local5.*                 -/var/log/localmessages
local6,local7.*                 -/var/log/localmessages
```
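As an added example (not from the book), the following Python evaluator applies the selector rules described above to a constructed excerpt of the SUSE listing and reports where a message of a given facility.priority ends up, which is a quick way to check a configuration before deploying it. It follows the semantics documented in syslog.conf(5), under which !pri drops pri and every more urgent level while !=pri drops only that single priority; the facility and priority names are those of Tables 12-1 and 12-2, and the warn, error and panic aliases are assumed.

```python
# Added example (not from the book): evaluate syslog.conf selectors as sysklogd
# does. Per syslog.conf(5): "pri" = pri and more urgent, "=pri" = only pri,
# "!pri" drops pri and more urgent, "!=pri" drops only pri, "none" drops all.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "authpriv", "syslog",
              "lpr", "news", "uucp", "cron", "ftp"] + [f"local{n}" for n in range(8)]
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

def parse_line(line):
    """Return (mask, action) for one line; mask maps facility -> logged priorities."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None                                   # blank or comment line
    selectors, action = line.rsplit(None, 1)          # "selectors<ws>action"
    mask = {}
    for sel in selectors.split(";"):                  # applied left to right
        facs, pri = sel.rsplit(".", 1)
        negate, exact = pri.startswith("!"), "=" in pri
        base = ALIASES.get(pri.lstrip("!="), pri.lstrip("!="))
        if base == "none":                            # none == "drop every level"
            base, negate = "*", True
        start = 0 if base == "*" else PRIORITIES.index(base)
        levels = {base} if exact else set(PRIORITIES[start:])   # threshold rule
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            cur = mask.setdefault(fac, set())
            if negate:
                cur -= levels
            else:
                cur |= levels
    return mask, action

def route(config, facility, priority):
    """Actions (file, pipe, host, user, '*') that receive facility.priority."""
    priority = ALIASES.get(priority, priority)
    hits = []
    for line in config.splitlines():
        parsed = parse_line(line)
        if parsed and priority in parsed[0].get(facility, set()):
            hits.append(parsed[1])
    return hits

# Constructed excerpt in the style of the SUSE file, plus a line from syslog.conf(5).
SAMPLE_CONF = """\
kern.warn;*.err;authpriv.none   /dev/tty10
*.emerg                         *
mail.*                          -/var/log/mail
*.=warn;*.=err                  -/var/log/warn
*.*;mail.none;news.none         -/var/log/messages
kern.info;kern.!err             /var/adm/kernel-info
"""
```

Calling route(SAMPLE_CONF, "kern", "warning") returns all four destinations, whereas route(SAMPLE_CONF, "kern", "err") omits /var/adm/kernel-info because kern.!err removes err and everything above it.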
Heads Up: If the syslog daemon needs to write to a logfile, it can have performance implications. A hyphen ( - ) in front of a logfile name, as shown in the previous example, tells syslogd not to sync the file system for the messages written to that particular logfile. This will reduce the load on the server, but it reduces the integrity of the system logging. The downside of waiting to sync the logfiles is that if the system crashes, some log messages may be lost. When you want to know exactly what is going on at all times, you need everything to be written to the log as soon as it happens. Of course this depends on the amount of activity on your system and may not be practical if there are several activities per second or many thousand activities per day. You need to determine what is reasonable for yourself, since the way things are set up will alter how syncing affects your situation. The way to have immediate logging influence your server the least is to keep the logs on a partition serviced by a separate controller and hard drive from the controller and hard drive running the applications and operating system.