
Friday, October 17, 2008

Troubleshooting Linux with Syslog

syslog

syslog is a utility for tracking and logging all manner of system messages, from the merely informational to the extremely critical. Each system message sent to the syslog server has two descriptive labels associated with it that make the message easier to handle.

  • The first describes the function (facility) of the application that generated it. For example, applications such as mail and cron generate messages with easily identifiable facilities named mail and cron.
  • The second describes the degree of severity of the message. There are eight in all and they are listed in Table 5-1:

You can configure syslog's /etc/rsyslog.conf configuration file to place messages of differing severities and facilities in different files. This procedure will be covered next.

Table 5-1 Syslog Severity Levels

Severity Level   Keyword          Description
0                emergencies      System unusable
1                alerts           Immediate action required
2                critical         Critical condition
3                errors           Error conditions
4                warnings         Warning conditions
5                notifications    Normal but significant conditions
6                informational    Informational messages
7                debugging        Debugging messages

The /etc/rsyslog.conf File

The files to which syslog writes each type of message received are set in the /etc/rsyslog.conf configuration file. In older versions of Fedora this file was named /etc/syslog.conf.

This file consists of two columns. The first lists the facilities and severities of messages to expect and the second lists the files to which they should be logged. By default, RedHat/Fedora's /etc/rsyslog.conf file is configured to put most of the messages in the file /var/log/messages. Here is a sample:

*.info;mail.none;authpriv.none;cron.none           /var/log/messages

In this case, all messages of severity "info" and above are logged, but none from the mail, cron or authentication facilities/subsystems. You can make this logging even more sensitive by replacing the line above with one that captures all messages from debug severity and above in the /var/log/messages file. This example may be more suitable for troubleshooting.

*.debug                                          /var/log/messages

In this example, only messages of exactly debug severity (the = sign restricts the selector to that one level), except those from the auth, authpriv, news and mail facilities, are logged to the /var/log/debug file in caching mode (the leading - on the file name). Notice how you can spread the configuration syntax across several lines using the backslash (\) symbol at the end of each line.

*.=debug;\
        auth,authpriv.none;\
        news.none;mail.none     -/var/log/debug

Here we see the /var/log/messages file configured in caching mode to receive only info, notice and warning messages, except for those from the auth, authpriv, cron, daemon, mail and news facilities.

*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -/var/log/messages

You can even have certain types of messages sent to the screen of all logged in users. In this example, messages of emergency severity trigger this type of notification. The file definition is simply replaced by an asterisk to make this occur.

*.emerg                         *
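To see which destinations a given message actually reaches under rules like the ones above, here is a small selector evaluator. It is an added example, not code from the original post or from the rsyslog project, and it implements the classic sysklogd/rsyslog selector rules: facility.level matches that level and everything more severe, =level matches exactly one level, !level excludes that level and everything more severe, none drops the facility, selectors are joined with ; and facilities with ,, and a trailing backslash continues a rule on the next line. The keywords are the short forms rsyslog expects in the configuration file (emerg, alert, crit, err, warning, notice, info, debug), and SAMPLE_CONF is a constructed configuration modelled on the rules discussed in the post.

```python
#!/usr/bin/env python3
"""Evaluate classic rsyslog.conf selectors for a test message.

Added example (not the post's or rsyslog's own code).  It answers the
question "where does a message with facility X and severity Y end up?"
for a syslog.conf/rsyslog.conf-style rule set.
"""

# Severity keywords in rsyslog order; the list index is the numeric code
# (0 = emerg, the most severe, 7 = debug).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}

FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp",
] + [f"local{i}" for i in range(8)]

# Constructed sample configuration, modelled on the rules in the post.
SAMPLE_CONF = r"""
# constructed sample rules (not a real system's file)
*.info;mail.none;authpriv.none;cron.none        /var/log/messages
*.=debug;\
        auth,authpriv.none;\
        news.none;mail.none     -/var/log/debug
*.emerg                         *
mail.*                          -/var/log/maillog
"""


def join_continuations(text):
    """Collapse backslash-continued lines into single logical rules,
    skipping blank lines and comments."""
    rules, current = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            current += line[:-1]
            continue
        current += line
        if current.strip() and not current.lstrip().startswith("#"):
            rules.append(current)
        current = ""
    return rules


def parse_rule(rule):
    """Return (mask, action) for one rule.

    mask maps each facility to the set of severity indexes it accepts.
    action is the destination token as written: a file path, a path with a
    leading '-' (the post's "caching mode", i.e. no sync after each write),
    or '*' for every logged-in user.
    """
    parts = rule.split()
    action = parts[-1]
    selectors = "".join(parts[:-1])  # whitespace between continued selectors is noise
    mask = {fac: set() for fac in FACILITIES}
    everything = set(range(len(SEVERITIES)))
    for selector in selectors.split(";"):
        if not selector:
            continue
        fac_spec, _, pri_spec = selector.rpartition(".")
        facs = FACILITIES if fac_spec == "*" else fac_spec.split(",")
        negate = pri_spec.startswith("!")
        pri_spec = pri_spec.lstrip("!")
        exact = pri_spec.startswith("=")
        pri_spec = pri_spec.lstrip("=")
        if pri_spec == "none":
            levels, negate = everything, not negate   # 'none' clears; '!none' re-enables
        elif pri_spec == "*":
            levels = everything
        else:
            idx = SEVERITIES.index(ALIASES.get(pri_spec, pri_spec))
            # 'level' means that level and everything more severe (lower index)
            levels = {idx} if exact else set(range(idx + 1))
        for fac in facs:
            if negate:
                mask[fac] -= levels
            else:
                mask[fac] |= levels
    return mask, action


def route(conf_text, facility, severity):
    """List, in rule order, the actions a (facility, severity) message reaches."""
    sev = SEVERITIES.index(ALIASES.get(severity, severity))
    hits = []
    for rule in join_continuations(conf_text):
        mask, action = parse_rule(rule)
        if sev in mask.get(facility, set()):
            hits.append(action)
    return hits


if __name__ == "__main__":
    for fac, sev in [("daemon", "info"), ("daemon", "debug"), ("mail", "info"),
                     ("kern", "emerg"), ("auth", "debug"), ("cron", "warning")]:
        print(f"{fac}.{sev:<8} -> {route(SAMPLE_CONF, fac, sev) or 'dropped'}")
```

Running the script shows, for instance, that a daemon.debug message lands only in /var/log/debug (the *.info rule does not reach debug), that a mail.info message bypasses /var/log/messages because of mail.none and goes to /var/log/maillog, and that a cron.warning message is dropped by the sample rules entirely. Feed it your own /etc/rsyslog.conf text to check a rule before you rely on it while troubleshooting.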

Certain applications will additionally log to their own application specific log files and directories independent of the syslog.conf file. Here are some common examples:

Files:

/var/log/maillog             : Mail
/var/log/httpd/access_log    : Apache web server page access logs

Directories:

/var/log
/var/log/samba               : Samba messages
/var/log/mrtg                : MRTG messages
/var/log/httpd               : Apache webserver messages

Note: In some older versions of Linux the /etc/rsyslog.conf file was very sensitive to spaces and would recognize only tabs. The use of spaces in the file would cause unpredictable results. Check the formatting of your /etc/rsyslog.conf file to be safe.
