New school: Find out the ins and outs of Linux Log Processing

Source: Internet
Author: User
Tags dmesg

Every UNIX/Linux user knows how useful logs are. But do you know the ins and outs of Linux log processing?

There are two ways to view logged information in Linux:

1) The dmesg command ---- this command is in common use.

2) The files under /var/log/

Next we will start from these two ways and proceed step by step.

1) First, let's look at what is hidden behind the common dmesg command!

1) Let's start with the man page.

------------- man dmesg --------------------------

NAME

dmesg - print or control the kernel ring buffer

SYNOPSIS

dmesg [-c] [-n level] [-s bufsize]

DESCRIPTION

dmesg is used to examine or control the kernel ring buffer.

The program helps users to print out their bootup messages. Instead of copying the messages by hand, the user need only:

dmesg > boot.messages

and mail the boot.messages file to whoever can debug their problem.

OPTIONS

-c Clear the ring buffer contents after printing.

-s bufsize

Use a buffer of size bufsize to query the kernel ring buffer. This is 16392 by default. (The default kernel syslog buffer size was 4096 at first, 8192 since 1.3.54, 16384 since 2.1.113.) If you have set the kernel buffer to be larger than the default then this option can be used to view the entire buffer.

-n level

Set the level at which logging of messages is done to the console. For example, -n 1 prevents all messages, except panic messages, from appearing on the console. All levels of messages are still written to /proc/kmsg, so syslogd(8) can still be used to control exactly where kernel messages appear.

When the -n option is used, dmesg will not print or clear the kernel ring buffer.

When both options are used, only the last option on the command line will have an effect.

From the manual that ships with Linux, the most important point is that dmesg reads its information from the kernel's ring buffer.

2) What is ring buffer?

In Linux, all system information (including kernel information) is sent to the ring buffer, and the information generated by the kernel is printed with printk. The messages displayed while the system boots are printed to the screen by this function. The <0>, <2>, ... prefix indicates the importance of a message. Messages above a certain priority level are printed to the screen; the rest are only stored in the system buffer (the ring buffer).

As for how dmesg reads data from the ring buffer, see the source code in dmesg.c. It is very short and easy to understand.

2) You should now understand how dmesg works. As for the files under /var/log/, you are probably even more familiar with them!

1) Why are there so many files in /var/log?

In one sentence: the syslogd daemon records the logs generated by different services in different files, according to /etc/syslog.conf.

I will not elaborate on /etc/syslog.conf here. There is plenty of information about it (look it up).

2) Now that you know the files in /var/log/ are generated by the syslogd daemon, let's follow that thread.

After the Linux system boots, /etc/init.d/sysklogd starts the klogd and syslogd daemons one after the other.

klogd calls the syslog() system call or reads the proc file system to obtain the kernel's printk() messages from the system buffer (the ring buffer),

and syslogd reads the kernel information through klogd.

By now we should have a feel for how logs are generated, read, and otherwise handled.

Summary:

1) All system information is output to the ring buffer. The content displayed by dmesg is also read from the ring buffer.

2) In Linux, /etc/init.d/sysklogd starts two daemon processes: klogd and syslogd.

3) klogd is responsible for reading kernel information. There are two methods:

The syslog() system call (this function is heavily used; it is worth taking a look at)

Reading /proc/kmsg directly (/proc/kmsg is the place where kernel information is specifically output)

4) The output of klogd is sent to syslogd for processing. syslogd writes the log information to different files under /var/log according to the configuration in /etc/syslog.conf.
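The following C program is an added example, not code from the original article or from dmesg.c. It reads the ring buffer through klogctl(), the glibc wrapper for the syslog() system call, and uses the <N> priority prefix to count the records that a console at a given level would show. The function names parse_level and count_console and the sample records are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/klog.h>

/* Constructed sample records in the "<N>text" form that syslog() returns. */
static const char SAMPLE[] =
    "<0>Kernel panic - not syncing: constructed sample\n"
    "<3>constructed: disk I/O error\n"
    "<6>constructed: eth0 link up\n"
    "<30>constructed: record with a facility in the upper bits\n";

/* Return the severity (0-7) from a "<N>" prefix, or -1 if there is none. */
int parse_level(const char *p)
{
    int val = 0, digits = 0;
    if (*p++ != '<')
        return -1;
    while (isdigit((unsigned char)*p) && digits++ < 4)
        val = val * 10 + (*p++ - '0');
    if (digits == 0 || *p != '>')
        return -1;
    return val & 7;   /* low 3 bits: severity; upper bits: facility */
}

/* Count records shown on a console: only severities below console_level. */
int count_console(const char *buf, int console_level)
{
    int hits = 0;
    while (buf && *buf) {
        int lvl = parse_level(buf);
        hits += (lvl >= 0 && lvl < console_level);
        buf = strchr(buf, '\n');
        if (buf) buf++;
    }
    return hits;
}

int main(void)
{
    int size = klogctl(10, NULL, 0);            /* 10: ring buffer size */
    char *buf = size > 0 ? calloc(1, (size_t)size + 1) : NULL;
    int n = buf ? klogctl(3, buf, size) : -1;   /* 3: read all, keep contents */
    if (n < 0) perror("klogctl");               /* e.g. no permission to read */
    printf("%d record(s) at level 0-3\n", count_console(n < 0 ? SAMPLE : buf, 4));
    free(buf);
    return n < 0;
}
```

If the process is not allowed to read the kernel log, the program reports the error and falls back to the constructed sample.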
