🌐 🇵🇱 Polski · 🇬🇧 EN

Experienced administrators quite often review system log files. They contain important clues that can point the way to resolving troublesome configuration-related issues. If a daemon fails to start or the same error keeps appearing during system boot, it is worth checking what is being recorded in the system logs. In Unix, there has long been an effort to use an integrated system known as syslog to ensure information is recorded in a single location, though these efforts have met with only partial success at best. While the syslogd daemon is still considered the king of system information monitoring, there are many applications, network daemons, startup scripts, and other supervisory programs that still write information to their own log files. This lack of standardization has resulted in the set of log files varying significantly across different distributions. Generally, syslog is a system service responsible for logging all events that have occurred in the operating system.
After installing the operating system, syslog is active immediately, which can be verified with the command:
# chkconfig rsyslog --list
rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
This service is configured in the /etc/rsyslog.conf configuration file.
By default, all logs are stored in the /var/log directory in specific files or subdirectories. You can define your own log storage location, which is done in the rsyslog.conf file.
The configuration file is divided into sections. The first one covers modules and specifies which syslog modules should be loaded. Syslog itself is a modular service, meaning we have the ability to enable or disable selected modules.
Syslog distinguishes the following message severity levels:
- emerg - system is unusable
- alert - action must be taken immediately
- crit - critical conditions
- err - error conditions
- warning - warning conditions
- notice - normal but significant condition
- info - informational messages
- debug - debug-level messages
- none
In most cases, a logged event is saved as a single line of text containing the date and time of occurrence, the type and severity level of the event, and any other relevant details. Depending on the specific file, individual message elements may be separated by spaces, tabs, or punctuation marks.
Log files are typically text files and can be viewed and searched using basic system tools such as cat, grep, tail, and Perl. In most modern systems, there are also log management tools that allow for rotation, compression, and monitoring of log files, which can be performed at set intervals.
LOGGING TO A REMOTE SYSTEM
To save host system logs on another host over the network, you must modify the main /etc/rsyslog.conf configuration file on both machines.
On the machine intended to receive the logs, we configure the following:
Uncomment the following lines by removing the # character:
# Provides UDP syslog reception
$ModLoad imudp.so
$UDPServerRun 514
Add the appropriate iptables rule:
iptables -I INPUT 23 -p udp -m udp --dport 514 -j ACCEPT
On the machine intended to send logs to a remote host, we modify the file: /etc/rsyslog.conf as follows:
#*.info;mail.none;authpriv.none;cron.none /var/log/messages
*.info;mail.none;authpriv.none;cron.none @192.168.56.101
# The authpriv file has restricted access.
#authpriv.* /var/log/secure
authpriv.* @192.168.56.101
# Log all the mail messages in one place.
#mail.* -/var/log/maillog
mail.* @192.168.56.101
Comments