12-E.16: Linux Logging
- Page ID
- 43088
EXAM OBJECTIVES COVERED
3.4 Given a scenario, implement logging services.
Log Files
One of the things which makes GNU/Linux a great operating system is that virtually anything and everything happening on and to the system may be logged in some manner. This information is invaluable for using the system in an informed manner, and should be one of the first resources you use to trouble-shoot system and application issues. The logs can tell you almost anything you need to know, as long as you have an idea where to look first.
Your Ubuntu system provides vital information using various system log files. These log files are typically plain ASCII text in a standard log file format, and most of them sit in the traditional system log subdirectory /var/log. Many are generated by the system log daemon syslogd on behalf of the system and certain applications, while some applications generate their own logs by writing directly to files in /var/log.
Log File Location
| Location | Description |
|---|---|
| /var/log/messages | General message and system related stuff |
| /var/log/auth.log | Authentication logs |
| /var/log/kern.log | Kernel logs |
| /var/log/cron.log | Crond logs (cron job) |
| /var/log/maillog | Mail server logs |
| /var/log/qmail/ | Qmail log directory (more files inside this directory) |
| /var/log/httpd/ | Apache access and error logs directory |
| /var/log/lighttpd/ | Lighttpd access and error logs directory |
| /var/log/boot.log | System boot log |
| /var/log/mysqld.log | MySQL database server log file |
| /var/log/secure or /var/log/auth.log | Authentication log |
| /var/log/utmp or /var/log/wtmp | Login records file |
| /var/log/yum.log | Yum command log file |
The logrotate Command
The logrotate utility is designed to simplify the administration of log files on a system which generates a lot of log files. Logrotate allows for the automatic rotation compression, removal and mailing of log files. Logrotate can be set to handle a log file daily, weekly, monthly or when the log file gets to a certain size.
By default, logrotate's rotation consists of renaming existing log files with a numerical suffix, then recreating the original empty log file. For example, /var/log/syslog.log is renamed /var/log/syslog.log.1. If /var/log/syslog.log.1 already exists from a previous rotation, it is first renamed /var/log/syslog.log.2.
Configuration
The primary configuration file for logrotate which sets default parameters is /etc/logrotate.conf; additional application-specific configuration files are included from the /etc/logrotate.d directory. Values set in application-specific configuration files override those same parameters in the primary configuration file. See logrotate.conf(5) for configuration examples and a reference of available directives.
To verify if logrotate works correctly, run it in debug mode; in this mode it does nothing except producing debug output:
pbmac@pbmac-server $ logrotate --debug /etc/logrotate.conf
Usage
logrotate is usually run through the systemd service: logrotate.service.
To run logrotate manually:
pbmac@pbmac-server $ logrotate /etc/logrotate.conf
To rotate a single log file:
pbmac@pbmac-server $ logrotate /etc/logrotate.d/mylog
To simulate running your configuration file (dry run):
pbmac@pbmac-server $ logrotate --debug /etc/logrotate.d/mylog
To force running rotations even when conditions are not met, run:
pbmac@pbmac-server $ logrotate -vf /etc/logrotate.d/mylog
Linux rsyslogd
Rsyslogd is a system utility providing support for message logging. Support of both internet and Unix domain sockets enables this utility to support both local and remote logging.
Rsyslogd(8) is derived from the sysklogd package which in turn is derived from the stock BSD sources.
Rsyslogd provides a kind of logging that many modern programs use. Every logged message contains at least a time and a hostname field, normally a program name field, too, but that depends on how trusty the logging program is. The rsyslog package supports free definition of output formats via templates. It also supports precise timestamps and writing directly to databases. If the database option is used, tools like phpLogCon can be used to view the log data.
While the rsyslogd sources have been heavily modified, a couple of notes are in order. First of all there has been a systematic attempt to ensure that rsyslogd follows its default, standard BSD behavior. Of course, some configuration file changes are necessary in order to support the template system. However, rsyslogd should be able to use a standard syslog.conf and act like the original syslogd. However, an original syslogd will not work correctly with a rsyslog-enhanced configuration file. At best, it will generate funny looking file names. The second important concept to note is that this version of rsyslogd interacts transparently with the version of syslog found in the standard libraries. If a binary linked to the standard shared libraries fails to function correctly we would like an example of the anomalous behavior.
The main configuration file /etc/rsyslog.conf or an alternative file, given with the -f option, is read at startup. Any lines that begin with the hash mark (''#'') and empty lines are ignored. If an error occurs during parsing the error element is ignored. It tries to parse the rest of the line.
Third Party Logging Tools
There are other Linux logging tools available. Some of them are open source, and some of them are commercially licensed. They can be found by doing a simple web search. Some of these tools implement some different type of options. Make sure you understand how to install and configure these tools if you decide to use them.
Adapted From:
"Logrotate" by Multiple Contributors, Arch Linux Wiki is licensed under CC BY-SA 3.0
"RSyslog Documentation" by Multiple Contributors is in the Public Domain, CC0