linux下的syslog和/var/log

Syslog is the general standard (IETF) for logging system and program messages in the Linux environment.
This service constitutes the system log daemon, where any program can do its logging (debug, security, normal operation) through in addition the Linux kernel messages.
--該服務由其daemon程式/sbin/syslogd維護，可透過如下命令啟動

1 service syslog start

2 /etc/init.d/syslog start

--配置檔案為/etc/sysconfig/syslog，大致結構如下；其中klogd負責捕獲kernel日誌資訊

# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
# once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"
#
SYSLOG_UMASK=077
# set this to a umask value to use for all log files as in umask(1).
# By default, all permissions are removed for "group" and "other".

In principle, the logs handled by syslog are available in the /var/log/ directory on Linux system:

# ls /var/log
acpid            cron.1     maillog.3         rpmpkgs.3         spooler.3
anaconda.log     cron.2     maillog.4         rpmpkgs.4         spooler.4
anaconda.syslog  cron.3     messages          sa                squid
anaconda.xlog    cron.4     messages.1        samba             tallylog
audit            cups       messages.2        scrollkeeper.log  vbox
boot.log         dmesg      messages.3        secure            wtmp
boot.log.1       faillog    messages.4        secure.1          Xorg.0.log
boot.log.2       gdm        oracle-validated  secure.2          Xorg.0.log.old
boot.log.3       httpd      pm                secure.3          YaST2
boot.log.4       lastlog    ppp               secure.4          yum.log
btmp             mail       prelink           setroubleshoot
conman           maillog    rpmpkgs           spooler
conman.old       maillog.1  rpmpkgs.1         spooler.1
cron             maillog.2  rpmpkgs.2         spooler.2

where some of the logs are dumped under a subdirectory like cups, samba, httpd. Among the logs under /var/log the /var/log/messages is the most common one as the kernel / core system logs are held there. The kernel modules generally dumps there too. So, for problem diagnosis / monitoring the /var/log/messages is the primary log file to examine.

--syslog產生的日誌位於/var/log目錄下，其中messages是最常用到的，記錄startup資訊等

The logs are rotated every week (renaming the existing log to filename.number order):

# ls -l /var/log/messages*
-rw------- 1 root root 1973 Jun 10 15:07 /var/log/messages
-rw------- 1 root root 10866 Jun 6 04:02 /var/log/messages.1
-rw------- 1 root root 19931 May 30 04:02 /var/log/messages.2
-rw------- 1 root root 238772 May 23 04:02 /var/log/messages.3
-rw------- 1 root root 171450 May 14 18:29 /var/log/messages.4

 

Rsyslogd可以看作是syslogd的改良版，可透過man 8 rsyslogd檢視詳細資訊。

 

以下是最常見的/var/log日誌介紹

1. /var/log/messages – Contains global system messages, including the messages that are logged during system startup. There are several things that are logged in /var/log/messages including mail, cron, daemon, kern, auth, etc.
2. /var/log/dmesg – Contains kernel ring buffer information. When the system boots up, it prints number of messages on the screen that displays information about the hardware devices that the kernel detects during boot process. These messages are available in kernel ring buffer and whenever the new message comes the old message gets overwritten. You can also view the content of this file using the .
3. /var/log/auth.log – Contains system authorization information, including user logins and authentication machinsm that were used.
4. /var/log/boot.log – Contains information that are logged when the system boots
5. /var/log/daemon.log – Contains information logged by the various background daemons that runs on the system
6. /var/log/dpkg.log – Contains information that are logged when a package is installed or removed using
7. /var/log/kern.log – Contains information logged by the kernel. Helpful for you to troubleshoot a custom-built kernel.
8. /var/log/lastlog – Displays the recent login information for all the users. This is not an ascii file. You should use lastlog command to view the content of this file.
9. /var/log/maillog /var/log/mail.log – Contains the log information from the mail server that is running on the system. For example, sendmail logs information about all the sent items to this file
10. /var/log/user.log – Contains information about all user level logs
11. /var/log/Xorg.x.log – Log messages from the X
12. /var/log/alternatives.log – Information by the update-alternatives are logged into this log file. On Ubuntu, update-alternatives maintains symbolic links determining default commands.
13. /var/log/btmp – This file contains information about failed login attemps. Use the last command to view the btmp file. For example, “last -f /var/log/btmp | more”
14. /var/log/cups – All printer and printing related log messages
15. /var/log/anaconda.log – When you install Linux, all installation related messages are stored in this log file
16. /var/log/yum.log – Contains information that are logged when a package is installed using yum
17. /var/log/cron – Whenever (or ) starts a cron job, it logs the information about the cron job in this file
18. /var/log/secure – Contains information related to authentication and authorization privileges. For example, sshd logs all the messages here, including unsuccessful login.
19. /var/log/wtmp or /var/log/utmp – Contains login records. Using wtmp you can find out who is logged into the system. who command uses this file to display the information.
20. /var/log/faillog – Contains user failed login attemps. Use faillog command to display the content of this file.