

System Logs: /var/log and syslogd

Various system logs for tasks performed on your system are stored in the /var/log directory. Here you can find logs for mail, news, and all other system operations, such as web server logs. The /var/log/messages file is a log of all system tasks not covered by other logs. This usually includes startup tasks, such as loading drivers and mounting file systems. If a driver for a card failed to load at startup, you find an error message for it here. Logins are also logged in this file, showing you who attempted to log in to what account. The /var/log/maillog file logs mail message transmissions and news transfers.

redhat-logviewer

You can manage and view logs with the Red Hat Log Viewer, redhat-logviewer (System Tools | System Logs). The Red Hat Log Viewer displays a list of all current system logs in a left pane (see Figure 27-2). Clicking a log displays the contents of that log in the left pane. Use the Filter box to enter patterns you wish to look for, and click the Filter button to perform the match. Reset restores the complete listing. In the Preferences dialog, the Log Files panel lets you select a different location for a log file. The Alerts panel lets you create alert words. An alert icon is displayed next to any entry containing an alert word. Configuration settings, such as log file locations and alert words, are kept in the /etc/sysconfig/redhat-logviewer file.

Figure 27-2: Red Hat Log Viewer

syslogd and syslog.conf

The syslogd daemon manages all the logs on your system, as well as coordinating with any of the logging operations of other systems on your network. Configuration information for syslogd is held in the /etc/syslog.conf file, which contains the names and locations for your system log files. Here you find entries for /var/log/messages and /var/log/maillog, among others. Whenever you make changes to the syslog.conf file, you need to restart the syslogd daemon using the following command (or use redhat-config-services, Server Settings | Services):

service syslog restart

syslog.conf Entries

An entry in syslog.conf consists of two fields: a selector and an action. The selector is the kind of service to be logged, such as mail or news, and the action is the location where messages are to be placed. The action is usually a log file, but it can also be a remote host or a pipe to another program. The kind of service is referred to as a facility. syslogd has several terms it uses to specify certain kinds of service (see Table 27-9). A facility can be further qualified by a priority. A priority specifies the kind of message generated by the facility. syslogd uses several designated terms to indicate different priorities. A sector is constructed from both the facility and priority, separated by a period. For example, to save error messages generated by mail systems, you use a sector consisting of the mail facility and the err priority, as shown here:

mail.err

To save these messages to the /var/log/maillog file, you specify that file as the action, giving you the following entry:

mail.err /var/log/maillog

syslogd also supports the use of * as a matching character to match either all the facilities or priorities in a sector. cron.* would match on all cron messages no matter what the priority, *.err would match on error messages from all the facilities, and *.* would match on all messages. The following example saves all mail messages to the /var/log/maillog file and all critical messages to the /var/log/mycritical file:

mail.* /var/log/maillog
*.crit /var/log/mycritical

Priorities

When you specify a priority for a facility, all messages with a higher priority are also included. So the err priority also includes the crit, alert, and emerg priorities. If you want to select only the messages for a specific priority, you qualify the priority with the = operator. For example, mail.=err will select only error messages, not crit, alert, and emerg messages. You can also restrict priorities with the ! operator. This will eliminate messages with the specified priority and higher. For example, mail.!crit will exclude crit messages, as well as the higher alert and emerg messages. To specifically exclude all the messages for an entire facility, you use the none priority. mail.none excludes all mail messages. This is usually used when you're defining several sectors in the same entry.

You can list several priorities or facilities in a given sector by separating them with commas. You can also have several sectors in the same entry by separating them with semicolons. The first example saves to the /var/log/messages file all messages with info priority or higher, excluding all mail, news, and private authentication (authpriv) messages. The second saves all crit messages and higher for the uucp and news facilities to the /var/log/spooler file:

*.info;mail.none;news.none;authpriv.none /var/log/messages
uucp,news.crit /var/log/spooler

Actions and Users

In the action field, you can specify files, remote systems, users, or pipes. An action entry for a file must always begin with a / and specify its full path name, such as /var/log/messages. To log messages to a remote host, you simply specify the hostname preceded by an @ sign. The following example saves all kernel messages on rabbit.trek.com:

kern.* @rabbit.trek.com

To send messages to users, you list their login names. The following example will send critical news messages to the consoles for the users chris and aleina:

news.=crit chris,aleina

You can also output messages to a named pipe (FIFO). The pipe entry for the action field begins with a |. The following example pipes kernel debug messages to the named pipe /usr/adm/debug:

kern.=debug |/usr/adm/debug

Table 27-9: Syslogd Facilities, Priorities, and Operators

Facilities             Description
authpriv               Security/authorization messages (private)
cron                   Clock daemon (cron and at) messages
daemon                 Other system daemon messages
kern                   Kernel messages
lpr                    Line printer subsystem messages
mail                   Mail subsystem messages
mark                   Internal use only
news                   Usenet news subsystem messages
syslog                 Syslog internal messages
user                   Generic user-level messages
uucp                   UUCP subsystem messages
local0 through local7  Reserved for local use

Priorities             Description
debug                  7, Debugging messages, lowest priority
info                   6, Informational messages
notice                 5, Notifications, normal, but significant, condition
warning                4, Warnings
err                    3, Error messages
crit                   2, Critical conditions
alert                  1, Alerts, action must be taken immediately
emerg                  0, Emergency messages, system is unusable, highest priority

Operators              Description
*                      Matches all facilities or priorities in a sector
=                      Restrict to a specified priority
!                      Exclude specified priority and higher ones
/                      A file to save messages to
@                      A host to send messages to
|                      FIFO pipe to send messages to

/etc/syslog.conf Example

The default /etc/syslog.conf file for Red Hat systems is shown here. Messages are logged to various files in the /var/log directory.

/etc/syslog.conf

# Log all kernel messages to the console.
#kern.*                               /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;news.none;authpriv.none;cron.none     /var/log/messages

# The authpriv file has restricted access.
authpriv.*                       /var/log/secure
# Log all the mail messages in one place.
mail.*                              /var/log/maillog
# Log cron stuff.
cron.*                              /var/log/cron
# Everybody gets emergency messages
*.emerg                            *
# Save mail and news errors of level err and higher in a special file.
uucp,news.crit                /var/log/spooler
# Save boot messages also to boot.log
local7.*                           /var/log/boot.log
# INN
news.=crit                       /var/log/news/news.crit
news.=err                       /var/log/news/news.err
news.notice                    /var/log/news/news.notice
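The selector rules from the preceding sections (the * wildcard, the = and ! operators, the none priority, comma-separated facilities and semicolon-separated sectors, and the file, @host, |pipe and user-list actions) are easy to misread when several sectors share one entry, so here is an added example, not code from the book or from syslogd itself, that models them in Python and routes sample messages through the default configuration shown above. It assumes the left-to-right semantics of the classic sysklogd daemon, where each sector updates the per-facility set of priorities built up by the sectors before it; the DEFAULT_CONF string is a constructed subset of the default file above with its comments trimmed.

```python
"""Model classic syslogd selector and action rules from syslog.conf.

Added example (not from the book): implements the facility.priority
selector semantics described above and classifies the action field.
Assumes sysklogd's left-to-right handling of sectors within one entry.
"""
import re
from dataclasses import dataclass, field

# Numeric levels from Table 27-9: a lower number is a higher priority.
# warn/error/panic are the aliases sysklogd also accepts.
PRIORITIES = {"emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
              "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7}
ALL_LEVELS = frozenset(range(8))


def _apply(levels, spec):
    """Update one facility's set of levels in place for a priority spec."""
    remove = spec.startswith("!")
    spec = spec.lstrip("!")
    single = spec.startswith("=")
    spec = spec.lstrip("=")
    if spec == "none":          # 'none' drops the facility from this entry
        levels.clear()
        return
    if spec == "*":
        chosen = set(ALL_LEVELS)
    elif single:                # '=err' selects exactly err
        chosen = {PRIORITIES[spec]}
    else:                       # 'err' selects err and everything more severe
        chosen = {lvl for lvl in ALL_LEVELS if lvl <= PRIORITIES[spec]}
    if remove:                  # '!crit' drops crit and everything more severe
        levels -= chosen
    else:
        levels |= chosen


@dataclass
class Rule:
    """One syslog.conf entry: per-facility level sets plus a classified action."""
    named: dict = field(default_factory=dict)   # facility -> set of levels
    others: set = field(default_factory=set)    # levels for facilities not named
    action_kind: str = ""                       # file | remote | pipe | users | all_users
    target: str = ""

    def matches(self, facility, priority):
        return PRIORITIES[priority] in self.named.get(facility, self.others)


def parse_rule(line):
    """Parse 'selector action' into a Rule (sectors applied left to right)."""
    parts = re.split(r"\s+", line.strip(), maxsplit=1)
    if len(parts) != 2:
        raise ValueError(f"expected 'selector action': {line!r}")
    selectors, action = parts
    rule = Rule()
    for sector in selectors.split(";"):
        facilities, spec = sector.rsplit(".", 1)
        for fac in facilities.split(","):
            if fac == "*":       # applies to every facility, named or not
                _apply(rule.others, spec)
                for levels in rule.named.values():
                    _apply(levels, spec)
            else:                # a newly named facility starts from the '*' state
                _apply(rule.named.setdefault(fac, set(rule.others)), spec)
    if action.startswith("/"):
        rule.action_kind, rule.target = "file", action
    elif action.startswith("@"):
        rule.action_kind, rule.target = "remote", action[1:]
    elif action.startswith("|"):
        rule.action_kind, rule.target = "pipe", action[1:]
    elif action == "*":
        rule.action_kind, rule.target = "all_users", action
    else:
        rule.action_kind, rule.target = "users", action
    return rule


def parse_config(text):
    """Parse a whole syslog.conf, skipping blank lines and # comments."""
    lines = (ln.strip() for ln in text.splitlines())
    return [parse_rule(ln) for ln in lines if ln and not ln.startswith("#")]


def route(rules, facility, priority):
    """Return the action targets that receive a (facility, priority) message."""
    return [r.target for r in rules if r.matches(facility, priority)]


# Constructed subset of the default Red Hat /etc/syslog.conf shown above.
DEFAULT_CONF = """\
# Don't log private authentication messages!
*.info;mail.none;news.none;authpriv.none;cron.none     /var/log/messages
authpriv.*                       /var/log/secure
mail.*                              /var/log/maillog
cron.*                              /var/log/cron
*.emerg                            *
uucp,news.crit                /var/log/spooler
local7.*                           /var/log/boot.log
news.=crit                       /var/log/news/news.crit
news.=err                       /var/log/news/news.err
news.notice                    /var/log/news/news.notice
"""

if __name__ == "__main__":
    rules = parse_config(DEFAULT_CONF)
    for fac, pri in [("authpriv", "info"), ("kern", "emerg"), ("news", "err"),
                     ("mail", "debug"), ("daemon", "debug")]:
        print(f"{fac}.{pri:<7} -> {route(rules, fac, pri)}")
```

Running it shows the points the text makes: an authpriv login message lands only in the restricted /var/log/secure, a kernel emerg message goes both to /var/log/messages and to every logged-in user, and a news err message is split between news.err and news.notice while being kept out of /var/log/messages. Because sectors are applied left to right, "*.info;mail.none" and "mail.none;*.info" are not equivalent: the second form re-enables mail, which is worth checking whenever you reorder an entry.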
