syslog is a utility for tracking and logging all manner of system messages from the merely informational to the extremely critical. Each system message sent to the syslog server has two descriptive labels associated with it that make the message easier to handle.
- The first describes the function (facility) of the application that generated it. For example, applications such as mail and cron generate messages with easily identifiable facilities named mail and cron.
- The second describes the degree of severity of the message. There are eight in all and they are listed in Table 5-1:
You can configure syslog's /etc/rsyslog.conf configuration file to place messages of differing severities and facilities in different files. This procedure will be covered next.
Table 5-1 Syslog Facilities
Severity Level   Keyword         Description
0                emergencies     System unusable
1                alerts          Immediate action required
2                critical        Critical condition
3                errors          Error conditions
4                warnings        Warning conditions
5                notifications   Normal but significant conditions
6                informational   Informational messages
7                debugging       Debugging messages
The /etc/rsyslog.conf File
The files to which syslog writes each type of message received are set in the /etc/rsyslog.conf configuration file. In older versions of Fedora this file was named
This file consists of two columns. The first lists the facilities and severities of messages to expect and the second lists the files to which they should be logged. By default, RedHat/Fedora's /etc/rsyslog.conf file is configured to put most of the messages in the file /var/log/messages. Here is a sample:
In this case, all messages of severity "info" and above are logged, but none from the mail, cron or authentication facilities/subsystems. You can make this logging even more sensitive by replacing the line above with one that captures all messages from debug severity and above in the /var/log/messages file. This example may be more suitable for troubleshooting.
In this example, all debug severity messages, except those from auth, authpriv, news and mail, are logged to the /var/log/debug file in caching mode. Notice how you can spread the configuration syntax across several lines using the backslash (\) symbol at the end of each line.

*.=debug;\
    auth,authpriv.none;\
    news.none;mail.none     -/var/log/debug
Here we see the /var/log/messages file configured in caching mode to receive only info, notice and warning messages except for the auth, authpriv, news and mail facilities.

*.=info;*.=notice;*.=warn;\
    auth,authpriv.none;\
    cron,daemon.none;\
    mail,news.none          -/var/log/messages
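
To check what a selector line really captures before relying on it, the following added example (not part of the original page) evaluates the selector forms used on this page (plain severity, `=severity`, `none` and `*`) against the two rules shown above. The function names `parse_rules`, `matches` and `destinations` are assumptions made for illustration.

```python
import re

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

# The two rules shown on this page, written with backslash continuations.
PAGE_RULES = r"""
*.=debug;\
    auth,authpriv.none;\
    news.none;mail.none     -/var/log/debug
*.=info;*.=notice;*.=warn;\
    auth,authpriv.none;\
    cron,daemon.none;\
    mail,news.none          -/var/log/messages
"""

def parse_rules(text):
    """Join backslash-continued lines, then return [(selector list, file path)]."""
    rules = []
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        # A leading "-" changes how the file is written, not which messages match.
        rules.append(([s for s in selector.split(";") if s], action.lstrip("-")))
    return rules

def matches(selectors, facility, severity):
    """Apply selectors left to right; a later selector overrides an earlier one."""
    level, logged = SEVERITIES.index(severity), False
    for sel in selectors:
        facs, _, prio = sel.rpartition(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        if prio == "none":  # facility.none switches this facility off
            logged = False
            continue
        exact, prio = prio.startswith("="), prio.lstrip("=")
        want = 7 if prio == "*" else SEVERITIES.index(ALIASES.get(prio, prio))
        # "=sev" matches that severity only; plain "sev" means sev and more severe.
        if (level == want) if exact else (level <= want):
            logged = True
    return logged

def destinations(rules, facility, severity):
    return [path for sels, path in rules if matches(sels, facility, severity)]
```

With only these two rules loaded, messages of severity err and above, and everything from auth and authpriv, reach neither file, so they need rules of their own elsewhere in the configuration.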
You can even have certain types of messages sent to the screen of all logged-in users. In this example messages of severity emergency and above trigger this type of notification. The file definition is simply replaced by an asterisk to make this occur.
Certain applications will additionally log to their own application specific log files and directories independent of the syslog.conf file. Here are some common examples:
- /var/log/maillog : Mail
- /var/log/httpd/access_log : Apache web server page access logs
- /var/log
- /var/log/samba : Samba messages
- /var/log/mrtg : MRTG messages
- /var/log/httpd : Apache webserver messages
Note: In some older versions of Linux the /etc/rsyslog.conf file was very sensitive to spaces and would recognize only tabs. The use of spaces in the file would cause unpredictable results. Check the formatting of your /etc/rsyslog.conf file to be safe.