Lecture
A syslog service (daemon) provides centralized event logging. Utilities, programs, and other services can report events to it; the daemon receives, processes, and stores them in log files under the /var/log/ directory. Log files are plain text. Most of them cannot be read by ordinary users, since they are the audit trail an intruder would most like to read or erase. Monitoring log files is the task of the system administrator.
syslog can also work in network mode: the syslog service on computer A transmits messages to the syslog service on computer B, and the syslog service of computer B records them in its own log files. This is how a central server collecting messages from the syslog services of other computers on the network is built.
The syslog service cannot record kernel messages emitted during the boot phase, because it is not running yet. To view all kernel messages, use the dmesg command. The klog daemon (klogd) exists to pass kernel messages to syslog, so that they are also included in the log files.
The main syslog configuration file is /etc/syslog.conf. Each line consists of two columns: the first contains a template (selector) describing which types of messages from which groups of programs syslog will process; the second indicates the action syslog performs when it receives a matching message. A backslash at the end of a line continues the entry on the next line.
All programs in Linux are divided into groups (the man page calls them facilities). More about the groups can be found in the SELECTORS section of man syslog.conf. Here we simply list their names:
auth, authpriv, cron, daemon, ftp, kern, lpr, mail, mark, news, security, syslog, user, uucp, local0-local7.
Messages are divided into types (levels, or priorities) according to their importance and criticality, from least to most severe:
debug, info, notice, warning (synonym: warn), err (synonym: error), crit, alert, emerg (synonym: panic).
A template consists of a program group and a message type, for example mail.info. Such a template selects messages from mail programs of type info and every more severe type, up to panic; so an error message from mail is also recorded. To name exactly one type, use the equals sign: mail.=info records only messages of type info. An exclamation mark excludes a type and everything more severe: mail.!info removes info and above from what the earlier selectors on the same line allowed, so mail.*;mail.!info leaves only debug. Accordingly, mail.!=info excludes only info. The keywords none and * are also allowed: mail.none disables all message types for mail, and mail.* selects all of them. Several templates can be listed separated by semicolons, mail.info;lpr.info, and several groups can be listed in one template separated by commas, mail,lpr.info.
Now the second field, which follows the first after a tab. To record messages in a log file, simply write the path to that file in the second field, for example /var/log/mail.info. A - sign in front of the path tells the syslog daemon not to call fsync() after every message, that is, not to force the message from the buffer to the log file immediately. On a system that registers many messages per second, the - sign reduces the load on the disk subsystem. At the same time, if the computer crashes or is powered off, the latest messages may be lost, since they were never written to disk. For this reason the - sign should not be used for especially critical messages, authentication records in particular, which are exactly the lines you will want after a break-in.
Several example entries:

    mail.info        -/var/log/mail.info
    mail.warning     -/var/log/mail.warn
    mail.err         /var/log/mail.err
Instead of a log file, the second field can contain a computer name or IP address prefixed with @. Messages are then sent to the syslog service of that computer (the receiving syslogd must be started with -r to accept them). Example:

    *.*    @mycomp
    *.*    @10.10.0.1

Classic syslog forwarding uses UDP port 514 without authentication or encryption, so anyone on the network path can read the messages or inject forged ones; a central log server should sit on a trusted network segment.
A named pipe can also act as the message receiver, written as |pipe_name, as can one of the virtual consoles, for example /dev/tty8. Example:

    daemon,mail.*;\
        news.=crit;news.=err;news.=notice;\
        *.=debug;*.=info;\
        *.=notice;*.=warning    /dev/tty8
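To see the selector rules and the action field work together, here is an added example (not code from the lecture) that evaluates syslog.conf lines the way a sysklogd-style daemon does: templates on one line are applied left to right, a plain or = template adds types, the ! forms remove them, none and * reset the group, backslash continuations are joined, and the second field is classified as file (with or without the - prefix), @host, |pipe or user list. The configuration inside is a constructed sample modelled on the entries above; facility names mark and security are left out, and user-list actions are classified but not delivered. These are assumptions of the example, not of the page.

```python
"""Classic syslog.conf selector evaluation (added example, not the lecture's code)."""

FACILITIES = ["auth", "authpriv", "cron", "daemon", "ftp", "kern", "lpr", "mail",
              "news", "syslog", "user", "uucp"] + ["local%d" % i for i in range(8)]
# Least to most severe, with the synonyms the lecture lists.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}


def canonical(prio):
    """Map a type name or synonym to its canonical name; unknown names are an error."""
    name = ALIASES.get(prio, prio)
    if name not in PRIORITIES:
        raise ValueError("unknown priority: %r" % prio)
    return name


def logical_lines(text):
    """Join backslash-continued lines as syslogd does: leading whitespace of every
    physical line is dropped, blank lines and # comments are skipped."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def parse_action(field):
    """Classify the second field of a rule."""
    if field.startswith("@"):
        return {"type": "remote", "target": field[1:]}
    if field.startswith("|"):
        return {"type": "pipe", "target": field[1:]}
    if field.startswith("-"):          # '-': no fsync() after each message
        return {"type": "file", "target": field[1:], "sync": False}
    if field.startswith("/"):          # plain file or a device such as /dev/tty8
        return {"type": "file", "target": field, "sync": True}
    return {"type": "users", "target": field}   # '*' or a user list (not modelled)


def parse_rule(line):
    """Return (mask, action); mask maps a group to the set of types the line selects.
    Selectors are applied left to right: 'fac.prio' and 'fac.=prio' add types,
    'fac.!prio' and 'fac.!=prio' remove them, 'none' and '*' reset the group."""
    selectors, action = line.split(None, 1)
    mask = {f: set() for f in FACILITIES}
    for sel in selectors.split(";"):
        facs, _, prio = sel.rpartition(".")
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            cur = mask.setdefault(fac, set())
            if prio == "none":
                mask[fac] = set()
            elif prio == "*":
                mask[fac] = set(PRIORITIES)
            elif prio.startswith("!="):
                cur.discard(canonical(prio[2:]))
            elif prio.startswith("!"):
                cur.difference_update(PRIORITIES[PRIORITIES.index(canonical(prio[1:])):])
            elif prio.startswith("="):
                cur.add(canonical(prio[1:]))
            else:
                cur.update(PRIORITIES[PRIORITIES.index(canonical(prio)):])
    return mask, parse_action(action)


def matching_actions(config_text, facility, priority):
    """Actions syslogd would take for one message of facility.priority, in file order."""
    priority = canonical(priority)
    return [action for mask, action in map(parse_rule, logical_lines(config_text))
            if priority in mask.get(facility, ())]


# Constructed sample configuration (not a real /etc/syslog.conf), tab-separated.
SAMPLE_CONF = """
mail.info\t\t-/var/log/mail.info
mail.warning\t\t-/var/log/mail.warn
mail.err\t\t/var/log/mail.err
auth,authpriv.*\t\t/var/log/auth.log
*.*;auth,authpriv.none\t\t-/var/log/syslog
mail.*;mail.!info\t\t/var/log/mail.debug
*.=crit\t\t@10.10.0.1
daemon,mail.*;\\
\tnews.=crit;news.=err;news.=notice;\\
\t*.=debug;*.=info;\\
\t*.=notice;*.=warning\t/dev/tty8
"""

if __name__ == "__main__":
    for fac, prio in [("mail", "err"), ("mail", "debug"), ("authpriv", "info"), ("kern", "crit")]:
        print("%s.%s ->" % (fac, prio), [a["target"] for a in matching_actions(SAMPLE_CONF, fac, prio)])
```

Running it shows, for instance, that a mail.err message lands in five places (three mail files, the general syslog file and the console), that authpriv.info is kept out of /var/log/syslog by the none selector but still reaches /dev/tty8 through *.=info, and that kern.crit is both written locally and forwarded to 10.10.0.1.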
The logger utility is useful for studying and testing the syslog daemon. It generates a message to the syslog daemon with the given parameters and is often used when debugging new templates. Let's execute the following command:

    logger -p mail.info -t TEST test message

The -p switch specifies the priority as group.type (here mail.info).
The -t switch sets the tag that prefixes the message.
test message is the message text.
As a result, the following line appears in /var/log/mail.info:

    Feb  3 14:58:21 adm-ubuntu TEST: test message

Note that any local user can run logger with any group, type and tag, so the tag on a log line is not by itself proof of which program wrote it.
However large the hard drives of a computer (server) are, unmonitored log files will eventually fill up the disk space. For this reason, on servers it is recommended to mount /var/log on a separate disk or partition, so that a runaway log cannot fill the root filesystem. To make managing log files easier, the logrotate program was created.
Consider the standard procedure for archiving a log file by hand (let it be messages). The first time, the log file is archived and the number 0 is appended to the archive name (messages.0.gz); the old messages file is deleted and a new, empty one is created in its place. A week later, messages.0.gz is renamed to messages.1.gz, a new messages.0.gz is made from messages, messages is again deleted and recreated, and so on. logrotate performs these actions automatically (by default it numbers archives from 1, as the listing below shows); you only need to configure the processing algorithm for each log file once.
The logrotate configuration files are /etc/logrotate.conf and the files in the /etc/logrotate.d/ directory. As an example, consider part of the configuration file /etc/logrotate.d/samba:
    1   /var/log/samba/log.smbd {
    2       weekly
    3       missingok
    4       rotate 7
    5       postrotate
    6           invoke-rc.d --quiet samba reload > /dev/null
    7       endscript
    8       compress
    9       notifempty
    10  }
Line 1 contains the name of the log file and the opening brace of the command block. The second line is the command weekly, which says the action is to be performed every week. missingok means that if the log file is not found, processing continues without an error message. rotate 7 keeps no more than seven archives. postrotate and endscript mark the beginning and end of a block in which a shell script can be written; in this example the script is a single line (line 6), executed after the log file has been rotated. Because logrotate is run by root's cron, this block runs with root privileges, so the configuration file must not be writable by anyone else. The compress keyword says that archive files are to be compressed with gzip, and notifempty means the log file is not rotated if it is empty.
As a result of this archiving scheme, the directory looks like this (note that the archives keep the mode of the rotated file, 0644 here, so whoever could read the live log can read its history too):

    igor@adm-ubuntu:~$ ls -l /var/log/samba/log.smbd*
    -rw-r--r-- 1 root root 2050 2010-02-02 17:25 /var/log/samba/log.smbd
    -rw-r--r-- 1 root root  225 2010-02-01 14:52 /var/log/samba/log.smbd.1.gz
    -rw-r--r-- 1 root root  373 2010-01-25 09:03 /var/log/samba/log.smbd.2.gz
    -rw-r--r-- 1 root root  350 2010-01-13 11:25 /var/log/samba/log.smbd.3.gz
    -rw-r--r-- 1 root root  353 2010-01-11 08:59 /var/log/samba/log.smbd.4.gz
    -rw-r--r-- 1 root root  324 2010-01-04 08:54 /var/log/samba/log.smbd.5.gz
    -rw-r--r-- 1 root root  341 2009-12-28 09:11 /var/log/samba/log.smbd.6.gz
    -rw-r--r-- 1 root root  404 2009-12-21 09:07 /var/log/samba/log.smbd.7.gz
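The rotation chain described above (shift the numbered archives up, drop the oldest, compress the live file into the newest archive, recreate the log, run the postrotate block) is short enough to write out. The following is an added example, not logrotate's own code: rotate_log() performs one rotation run for a single file with the options of the samba stanza (rotate 7, compress, notifempty, missingok, postrotate), and run_demo() simulates nine weekly runs on constructed sample log lines in a scratch directory. The weekly schedule itself is not modelled, the postrotate hook is a Python callable standing in for the invoke-rc.d line, and archives are numbered from 1 as in the listing above; those are this example's assumptions.

```python
"""Rotation scheme of the logrotate stanza above (added example, not logrotate's code)."""
import gzip
import os
import shutil
import stat
import tempfile


def archives(path):
    """Names of <log>.<n>[.gz] archives next to the log, newest (lowest n) first."""
    directory, base = os.path.split(path)
    names = [n for n in os.listdir(directory) if n.startswith(base + ".")]
    return sorted(names, key=lambda n: int(n[len(base) + 1:].split(".")[0]))


def read_archive(path):
    """Decompressed text of one .gz archive (helper for the demo)."""
    with gzip.open(path, "rt") as f:
        return f.read()


def rotate_log(path, rotate=7, compress=True, notifempty=True, missingok=True,
               postrotate=None):
    """One rotation run; returns the archive names present afterwards.

    For rotate=7: drop <log>.7.gz, rename <log>.k.gz to <log>.(k+1).gz for
    k = 6 down to 1, gzip the live file into <log>.1.gz, recreate an empty
    live file with the original permissions, then run the postrotate hook.
    """
    if not os.path.exists(path):
        if missingok:                    # missingok: skip silently
            return archives(path)
        raise FileNotFoundError(path)
    if notifempty and os.path.getsize(path) == 0:
        return archives(path)            # notifempty: leave an empty log alone
    suffix = ".gz" if compress else ""
    oldest = "%s.%d%s" % (path, rotate, suffix)
    if os.path.exists(oldest):
        os.remove(oldest)                # rotate N: never keep more than N archives
    for k in range(rotate - 1, 0, -1):
        src = "%s.%d%s" % (path, k, suffix)
        if os.path.exists(src):
            os.replace(src, "%s.%d%s" % (path, k + 1, suffix))
    mode = stat.S_IMODE(os.stat(path).st_mode)
    newest = "%s.1%s" % (path, suffix)
    if compress:                         # compress: gzip the rotated copy
        with open(path, "rb") as fin, gzip.open(newest, "wb") as fout:
            shutil.copyfileobj(fin, fout)
        os.remove(path)
    else:
        os.replace(path, newest)
    # Recreate the live log with the original permissions (logrotate's 'create').
    os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode))
    os.chmod(path, mode)
    if postrotate:                       # postrotate ... endscript
        postrotate()
    return archives(path)


def run_demo(weeks=9):
    """Simulate `weeks` weekly runs on constructed sample lines and report the outcome."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "log.smbd")
        reloads = []                     # stands in for 'invoke-rc.d samba reload'
        names = []
        for week in range(1, weeks + 1):
            with open(log, "a") as f:
                f.write("week %d smbd output\n" % week)
            names = rotate_log(log, rotate=7,
                               postrotate=lambda w=week: reloads.append(w))
        return {
            "archives": names,
            "reloads": reloads,
            "newest": read_archive(os.path.join(d, names[0])),
            "oldest": read_archive(os.path.join(d, names[-1])),
            "live_size": os.path.getsize(log),
            "empty_rerun": rotate_log(log),                    # notifempty case
            "missing": rotate_log(os.path.join(d, "absent")),  # missingok case
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

After nine runs only log.smbd.1.gz through log.smbd.7.gz remain, the oldest holding week 3 and the newest week 9, matching the seven-archive picture in the listing; a tenth run on the now-empty live file changes nothing, and a run on a file that does not exist is not an error.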
The logrotate command is normally started by the cron daemon (on Debian-based systems from /etc/cron.daily/logrotate).
Read more about the logrotate command in the logrotate man help.
LINUX operating system