Log System in Linux

Source: Internet
Author: User

The log system records status information about the running system as text. This lets us observe the normal state of the running system and quickly locate the source of an error when one occurs. The following describes the log functions in Linux.

Every operating system has its own powerful log function; Windows has one, and so does Linux. In the Linux operating system the log function is mainly implemented by the syslog service (syslog-ng is used after RedHat6.0). The syslog service has two processes, syslogd and klogd: one of them records system logs and the other records kernel logs. However, the operating system generates a great many logs while it runs. If we recorded all of this information, disk I/O would be very busy, which would seriously affect system performance and defeat our original purpose. Therefore, the logs generated during system operation are classified by the source that generated them and by the importance of the log information. The log information and level of detail recorded by syslogd and klogd differ:

klogd: records the information generated during system initialization and displayed on the physical terminal, and stores it in the "/var/log/dmesg" file. We can view it with "cat /var/log/dmesg" or with the dedicated command "dmesg".

syslogd: after system initialization is complete, control of the system is handed to init. Log information generated from then on is recorded by syslogd and stored in the "/var/log/messages" file. The stored information mainly includes "system standard error log information, non-kernel boot information, and information generated by the subsystems of various service programs". "# tail -f /var/log/messages" is generally used to watch new log information while the system is running.

However, the system generates a large amount of information, and even if only this information is recorded, the volume is still large. If we kept saving all the log information in a single messages file, it would be very difficult to manage. What should we do? This is where another technique comes in: "log rolling".

Log rolling: once the messages log file reaches a certain size or age, it is renamed messages.1 and a new messages file is created. From then on messages.1 no longer records new content and only stores the earlier content. When the new messages file reaches the threshold again, the original messages.1 is renamed messages.2 and the current messages file is renamed messages.1, and so on. This rolling could go on indefinitely, but log information from a long time ago is of little use for current management, so we can define how many log files are retained. Log information should therefore be rolled frequently, and multiple criteria are defined for doing so.
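The rolling scheme described above, as an added example (not part of the original article and not logrotate's own code). The function names rotate and demo and the "round N" file contents are assumptions made for illustration; keep must be at least 1.

```python
import os
import tempfile

def rotate(path, keep, mode=0o600):
    """Roll `path` once, keeping at most `keep` old versions (path.1 is the newest)."""
    oldest = f"{path}.{keep}"
    if os.path.exists(oldest):
        os.remove(oldest)                    # falls outside the retention limit
    for n in range(keep - 1, 0, -1):         # highest number first, so no file is overwritten
        src = f"{path}.{n}"
        if os.path.exists(src):
            os.rename(src, f"{path}.{n + 1}")
    if os.path.exists(path):
        os.rename(path, f"{path}.1")
    # Create the fresh, empty live log with explicit permissions.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    os.close(fd)

def demo(rounds=6, keep=4):
    """Write one constructed line per round, rotate after each, return what survives."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "messages")
        open(log, "w").close()
        for i in range(1, rounds + 1):
            with open(log, "a") as f:
                f.write(f"round {i}\n")
            rotate(log, keep)
        result = {}
        for name in sorted(os.listdir(d)):
            with open(os.path.join(d, name)) as f:
                result[name] = f.read().strip()
        return result

if __name__ == "__main__":
    for name, content in demo().items():
        print(name, "->", repr(content))
```

With six rounds and four retained versions, the entries from rounds 1 and 2 are gone: the retention count sets how far back the logs can be consulted during an investigation.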

Rolling logs means cutting the log file. On RedHat a dedicated command performs this operation: logrotate. A scheduled system task completes the log cutting: "/etc/cron.daily" has a script called logrotate. The configuration file of this command is "/etc/logrotate.conf" (it defines the system's log rolling mechanism).

The content format is:

weekly # global definition: roll once a week

rotate 4 # retain only four rolled versions

include /etc/logrotate.d # The rows above are the global attributes of the log system. The following are the specific attributes of each subsystem; where local attributes are defined, they are the ones used. The local log attributes can be defined by multiple

/var/log/wtmp { # define the log rolling mechanism for the file in which this subsystem stores its logs

monthly # how often to roll

minsize 1M # minimum log file size: 1M

create 0664 root utmp # create the new file with permission 0664, owner root, and group utmp

rotate 1 # retain only one rolled version

}

Script file for log rolling: # vim /etc/cron.daily/logrotate

If you do not define the attributes yourself, the global log rolling attributes are used, or you can define them in the "/etc/logrotate.d/cups" file:

Storage location of log information generated by some other subsystems:

/var/log/maillog # the log information generated by the mail system

/var/log/secure # security information generated each time a user logs on (when the user attempted to log on and from which host; this file is viewed frequently)

The syslog configuration file is /etc/syslog.conf.

The configuration file format is: each row defines which level of log records generated by a subsystem is sent to which location

facility.priority action

Facility: log source

auth # generated by the authentication subsystem

authpriv # generated by the permission authorization subsystem

cron # generated by the task scheduler subsystem

daemon # generated by the daemon subsystem

kern # generated by the kernel subsystem, which defines the records of klogd

lpr # generated by the print subsystem

mail # generated by the mail subsystem

mark # generated by the mark subsystem

news # generated by the news subsystem

security # generated by the security subsystem, similar to the auth source

syslog # defines the records of syslog itself

user # generated by the user subsystem

uucp #

local0 --> local7 # custom use

* # all sources

Priority: log level (the lower the level, the more detailed the record)

debug # program or system debugging information (such detailed records are generally used only when the system cannot start and errors are being tracked down)

info # general information

notice # information that does not affect normal system functions, but must be noted

warning/warn # important events that may affect system functions and need to be noticed; such information may cause some functions to run

err/error # error message; some functions of the system have already been affected; blue alarm

crit # serious information; orange alarm

alert # information that must be processed immediately; red alarm

emerg/panic # indicates that the system is unavailable. Generally, when this level appears, the system is about to go down.

* # all log levels, similar to debug

none # opposite of *; indicates that no level is recorded

Action:

Absolute path on the system # ordinary files, such as /var/log/***

| # send messages to other commands through a pipe

Terminal # display terminal (physical terminal, virtual terminal, pseudo terminal, etc.)

@HOST # remote host; the generated logs are sent to another host instead of being recorded locally. This is generally used with log servers to enhance the security of the current server; by default, a host records only its own log information

[If we want to make our server a log server, we only need to add the "-r" option in the SYSLOGD_OPTIONS="-r -m 0" line of the "/etc/sysconfig/syslog" file and restart the service to enable the log server function]

User # the generated log information is sent to a user, such as root

* # all users logged on to the system. Generally, emerg-level logs are defined this way.

Examples of syslog service attribute definitions:

mail.info /var/log/maillog # record mail-related information at the info level and above to the /var/log/maillog file.

auth.=info @10.0.0.1 # send auth-related info-level information to the 10.0.0.1 host, provided that the 10.0.0.1 host can receive logs from other hosts (only info-level logs are recorded in this case)

user.!=error # records user-related information, but does not record error-level information; all other levels are recorded

user.!error # opposite of user.error; only logs with a lower level than error are recorded.

*.info # record log information at or above the info level from every subsystem that may generate logs

mail.* # record all levels of log information generated by mail

*.* # record all log information

cron.info;mail.info # records cron-related log information at the info level and above, and mail-related log information at the info level and above. Multiple log sources are separated by semicolons (;).

cron,mail.info # same meaning as above. If two log sources have the same record level, they can be abbreviated by separating them with commas (,).

mail.*;mail.!=info # records all mail-related log information except info-level logs.

Definition of the default syslog configuration file:

# cat /etc/syslog.conf

*.info;mail.none;authpriv.none;cron.none /var/log/messages # all logs at the info level and above from every subsystem that may generate log information are stored in the messages file, except those of the mail, authpriv and cron subsystems

authpriv.* /var/log/secure # log information about authorization of all users is recorded in the secure file

mail.* -/var/log/maillog # all log information generated by the mail subsystem is saved to the maillog file asynchronously. "-" indicates asynchronous writing; other log information must be written synchronously.

cron.* /var/log/cron # the logs of all scheduled tasks are recorded in the cron file.

*.emerg * # no matter which program on the system generates emerg-level information, all users on the system are notified immediately that the system will go down soon.

uucp,news.crit /var/log/spooler # crit-level information from the uucp and news subsystems is stored in the spooler file

local7.* /var/log/boot.log # custom log records. By default this is defined for system boot information, which is stored in the boot.log file. However, the rule does not say who writes to local7, so this file is empty; log information must be directed to local7 elsewhere before it is written to the boot.log file

After this file is saved, the log system configuration does not take effect immediately. If we restart the log service with the "service syslog restart" command, log information that other subsystems are recording at that moment may not be recorded completely. Therefore, we generally use "service syslog reload" to re-read the configuration file and make it take effect, which is equivalent to sending signal No. 1.
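The default rules quoted above, evaluated in an added example (not part of the original article and not syslogd's own code) that reports which actions receive a given message. It assumes the classic syslogd behaviour in which the ";"-separated parts of a selector are applied left to right, each adding or removing levels for the facilities it names; the function names are hypothetical.

```python
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

# Constructed sample: the default rules from the article as (selector, action) pairs.
RULES = [
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("mail.*", "-/var/log/maillog"),
    ("cron.*", "/var/log/cron"),
    ("*.emerg", "*"),
    ("uucp,news.crit", "/var/log/spooler"),
    ("local7.*", "/var/log/boot.log"),
]

def rank(name):
    """Numeric severity: debug=0 (most detailed) up to emerg=7."""
    return LEVELS.index(ALIASES.get(name, name))

def selector_matches(selector, facility, level):
    """Apply each ';'-separated part in order; later parts override earlier ones."""
    selected = False
    for part in selector.split(";"):
        facs, spec = part.strip().rsplit(".", 1)
        if facs != "*" and facility not in facs.split(","):
            continue                          # this part does not name our facility
        if spec == "none":
            selected = False
            continue
        negate = spec.startswith("!")         # "!" removes levels instead of adding them
        exact = spec.lstrip("!").startswith("=")  # "=" means this level only
        spec = spec.lstrip("!=")
        if spec == "*":
            covered = True
        elif exact:
            covered = rank(level) == rank(spec)
        else:
            covered = rank(level) >= rank(spec)
        if covered:
            selected = not negate
    return selected

def destinations(facility, level, rules=RULES):
    """Return every action whose selector accepts the message."""
    return [action for sel, action in rules if selector_matches(sel, facility, level)]

if __name__ == "__main__":
    for fac, lvl in [("authpriv", "info"), ("daemon", "notice"), ("kern", "emerg")]:
        print(f"{fac}.{lvl} ->", destinations(fac, lvl))
```

Running a candidate configuration through such a check before reloading the service shows, for example, that authpriv messages reach only /var/log/secure and never /var/log/messages.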
