You get a bonus - 1 coin for daily activity. Now you have 1 coin

27 - syslog service

Lecture



A syslog service (or daemon) is a service that provides centralized event logging. Utilities, programs, and other services — all of them can report any events to the syslog service, which receives, processes, and stores them in log files in the / var / log / directory. Log files are plain text files. Most of them are inaccessible for ordinary users, even for reading. Monitoring log files is the task of the system administrator.

syslog can work in network mode. That is , the syslog service on computer A can transmit messages to the syslog service on computer B, and the sysylog service of computer B will record messages in its log files. In this way, you can create a centralized server to collect messages from the syslog services of other computers on the network.

The syslog service cannot save messages from the kernel during the boot phase. To view all kernel messages, you must use the com *** at dmesg . In order for the log messages from the kernel to also be included in the log files, the klog service is intended .

Syslog setup

The main syslog service configuration file is located in /etc/syslog.conf . The file consists of two columns: the first contains templates that describe which types of messages and from which programs will process the syslog . The second column indicates the action that will be performed by syslog when receiving a message. The \ sign is just a line break.

Initially, all programs in Linux were divided into groups. More information about groups can be found in the man syslog.conf help file in the SELECTORS section. Here we simply list the names of the groups:
auth, authpriv, cron, daemon, ftp, kern, lpr, mail, mark, news, security, syslog, user, uucp, local0-local7 .

Messages were divided into types (levels) depending on the importance and criticality. There are the following types of messages:
debug, info, notice, warning, warn (warning), err, error (err), crit, alert, emerg, panic (emerg) .

A template consists of an application group and a message type. For example, mail.info . Such a template indicates that messages from mail programs will be recorded starting from the type info and ending with the type panic . That is, if there is an error message, it will also be recorded in the log. If you need to explicitly indicate which message types you need to fix, then the equal sign is used: mail. = Info . With such a record, only messages with the info type will be recorded. You can also use the exclamation mark: mail.! Info . Such a record indicates that all messages except the above and above will be logged. That is only - debug . Accordingly, the mail.! = Info template is the registration of all messages except info . The template can also use the keyword none and * . Record mail.none - prohibits the registration of all types of messages, recording mail. * Accordingly indicates to register all messages. It is also allowed to list templates separated by a semicolon: mail.info; lpr.info , as well as listing of groups of applications in a template separated by commas: mail, lpr.info .

Let's move to the second field in the line that is written through the tab . If it is necessary to register messages in a log file, then in the second field simply write the path to this file. For example: /var/log/mail.info . Before specifying the full path, you can put a - sign, which tells the syslog daemon that when you receive a new message, you should not immediately run the *** command in sync and write the message from the buffer to the log file. If a large number of messages per second is registered in your system, then setting the - sign will allow increasing the speed of the disk subsystem. At the same time, if the computer crashes with its shutdown or reboot, the latest messages may be lost (since they will not be written to disk). Therefore, it is recommended not to use the - sign for especially critical messages.
As an example, several entries:

one
2
3
mail.info - / var / log / mail.info
mail.warning - / var / log / mail.warn
mail.err /var/log/mail.err

In addition to the log file in the second field, you can specify the computer name or its IP address . In this case, messages will be sent to the syslog service of the specified computer. Example:

one
2
*. * @mycomp
*. * @ 10.10.0.1

Also, a named pipe can act as a message receiver - | pipe_name or one of the virtual consoles - / dev / tty8 . Example:

one
2
3
four
daemon, mail. *; \
news. = crit; news. = err; news. = notice; \
*. = debug; *. = info; \
*. = notice; *. = warning / dev / tty8

A utility logger will be useful for studying and testing the syslog daemon. This program allows you to generate messages to the syslog daemon with the specified parameters and is often used when debugging new templates. Let's execute the following com *** u:

one
logger -p mail.info -t TEST test message

The -p switch is used to specify a pattern.
The -t switch allows you to set a label for the string
test message is the message text

As a result, the following line will appear in the mail.info file:

one
Feb 3 14:58:21 adm-ubuntu TEST: test message

Com *** and logrotate

No matter what volumes the hard drives of the computer (server) would be, but if the log files are not monitored, they can at some time fill up the disk space. That is why the servers recommended directory / var / log / mounted on a separate hard disk. To facilitate the management of log files, a logrotate program was created.

Consider the standard procedure for manual archiving of a log file. For the first time, the log file (let it be messages ) is archived and the number 0 ( messages.0.gz ) is added to the archive name. The old messages file is deleted, a new one with the same name is created in its place. Then a week later, the messages.0.gz file is renamed to messages.1.gz , the messages.0.gz archive is created from messages , the messages are deleted and a new file is created, etc. logrotate - can perform these actions automatically. You only need to configure the algorithm for processing log files once.

The logrotate configuration files are /etc/logrotete.conf and files that are located in the /etc/logrotate.d/ directory. Consider as an example the part of the configuration file in /etc/logrotate.d/samba :

one
2
3
four
five
6
7
eight
9
ten
/var/log/samba/log.smbd {
weekly
missingok
rotate 7
postrotate
invoke-rc.d --quiet samba reload> / dev / null
endscript
compress
notifempty
}

Line 1 contains the name of the log file and the opening brace for the command block. The second line is a comma *** a weekly , which informs you that the action should be performed every week. The value of missongok indicates that if the log file is not detected, then the algorithm should continue without an error message. rotate 7 - create no more than seven archives. Postrotate endscript - sets the beginning and end of the block in which you can write a bash- script. In this example, the script is only one line (line 6). The script will be executed after the rotation of the log file. The compress keyword indicates that archive files need to be compressed with gzip . notifempty - do not rotate the log file if it is empty.

As a result of this archiving scheme, there will be such a picture:

one
2
3
four
five
6
7
eight
9
igor @ adm-ubuntu: ~ $ ls -l /var/log/samba/log.smbd*
-rw-rrr-- 1 root root 2050 2010-02-02 17:25 /var/log/samba/log.smbd
-rw-r - r-- 1 root root 225 2010-02-01 14:52 /var/log/samba/log.smbd.1.gz
-rw-r - r-- 1 root root 373 2010-01-25 09:03 /var/log/samba/log.smbd.2.gz
-rw-r - r-- 1 root root 350 2010-01-13 11:25 /var/log/samba/log.smbd.3.gz
-rw-r - r-- 1 root root 353 2010-01-11 08:59 /var/log/samba/log.smbd.4.gz
-rw-r - r-- 1 root root 324 2010-01-04 08:54 /var/log/samba/log.smbd.5.gz
-rw-r - r-- 1 root root 341 2009-12-28 09:11 /var/log/samba/log.smbd.6.gz
-rw-r - r-- 1 root root 404 2009-12-21 09:07 /var/log/samba/log.smbd.7.gz

Running the logrotate command is typically performed by the cron daemon .
Read more about the logrotate command in the logrotate man help.

created: 2014-09-13
updated: 2021-03-13
132500



Rating 9 of 10. count vote: 2
Are you satisfied?:



Comments


To leave a comment
If you have any suggestion, idea, thanks or comment, feel free to write. We really value feedback and are glad to hear your opinion.
To reply

LINUX operating system

Terms: LINUX operating system