Detailed description of Linux Log Management syslog

Source: Internet
Author: User

1. syslog Introduction
Syslog is an industry-standard protocol for recording device and application logs. On UNIX systems, routers, switches and other network devices, the system log records system events as they happen, and an administrator can read it to keep track of the state of the system. UNIX systems use the syslogd daemon to record kernel events, system startup and shutdown events, and events reported by applications. With proper configuration, machines running the syslog protocol can also send their logs to one another over the network; by analyzing these logs centrally, the state of the devices and of the network can be tracked.
2. syslog configuration file
The syslog service depends on two files: the syslogd daemon (usually /sbin/syslogd or /usr/sbin/syslogd) and its configuration file /etc/syslog.conf. Most syslog output is written to the messages.* files under /var/adm or /var/log. A typical syslog record carries a timestamp, the host name, the name of the program that generated it (the tag) and a text message; each message also has a facility (the "device" or subsystem it comes from) and a priority.
The syslog.conf file is where you configure where each kind of message is written and what goes with it. syslogd reads this file at startup (and again whenever it is restarted), so the file determines which messages the daemon records and where. The file consists of one rule per line, each for a program or message category. Each rule has a selector field and an action field, separated by tabs or spaces:
The selector field specifies the message type (facility) and the priority;
The action field specifies what syslogd does with a message that matches the selector.
The basic syntax of a syslog.conf line is therefore:
facility.priority<TAB>action
A selector consists of a facility and a priority. When a priority is given, syslogd records messages of that priority and of any higher (more urgent) priority. The main facilities Linux uses are listed in Table 1, and the priorities in Table 2:
Table 1 syslog message types (facilities)
  auth            security and authorization messages
  authpriv        security and authorization messages (private; normally logged to a file readable only by root)
  cron            the cron and at daemons
  daemon          other system daemons
  kern            kernel messages
  lpr             printer subsystem
  mail            mail subsystem
  news            USENET news subsystem
  syslog          messages generated internally by syslogd
  user            user-level (application) messages; the default
  uucp            UUCP subsystem
  ftp             FTP daemon
  local0-local7   reserved for local use

Table 2 common syslog priorities, from most to least urgent
  emerg (0)       system is unusable
  alert (1)       action must be taken immediately
  crit (2)        critical conditions
  err (3)         error conditions
  warning (4)     warning conditions
  notice (5)      normal but significant condition
  info (6)        informational messages
  debug (7)       debug-level messages

Each priority has a numeric code: emerg is 0 and debug is 7, so a larger number means a less urgent message. If a selector names a priority without any qualifier, it matches messages of that priority and of every more urgent one. For example, a selector with priority "warning" actually matches "warning", "err", "crit", "alert" and "emerg".
syslog.conf allows three qualifiers on the priority: the asterisk (*), the equal sign (=) and the exclamation point (!):
The asterisk (*) means that every message from that facility, at any priority, goes to the location named in the action; as in regular expressions, the asterisk means "everything". In the example below, "mail.*" sends mail messages of every priority to /var/log/maillog. Using "*" as the priority has exactly the same effect as using "debug": since debug is the least urgent priority, "mail.debug" also sends every mail message to the specified location.
The equal sign (=) means that only messages of exactly this priority are sent to the location named in the action. For example, "*.=debug" sends only debugging messages and not the more urgent ones, which keeps noisy debug output in a file of its own. Use the equal sign whenever you want a single priority.
The exclamation point (!) means that messages of this priority and of every more urgent priority are excluded; only the less urgent ones are sent. The qualifiers can be combined: "!=" excludes exactly one priority. Because "!" only removes priorities that an earlier selector on the same line has added, it is normally written after a broader selector, for example "mail.*;mail.!err" sends the mail messages below err (warning and down).
Based on the rules above, here are some examples:
(1) If "crit" is specified, all messages marked crit, alert and emerg are recorded. The action field of each line says where messages matching the selector are sent. For example, to record all mail messages in one file:
# Log all the mail messages in one place
mail.*                          /var/log/maillog
(2) Other facilities have logs of their own. The UUCP and news facilities can produce many messages; they are kept in a separate log (/var/log/spooler), limited to priority "crit" or higher. For example:
# Save news errors of level crit and higher in a special file.
uucp,news.crit                  /var/log/spooler
(3) When an emergency message arrives, every logged-in user probably wants to see it: an action of "*" writes the message to all users' terminals. You may also want to forward it to another machine that keeps its own copy: an action of the form "@hostname" sends the message to the syslogd on that remote host.
# Everybody gets emergency messages, plus log them on another machine
*.emerg                         *
*.emerg                         @
(4) Sometimes syslogd generates a great many messages. The kernel ("kern" facility), for example, can be very verbose and hard to read, so you may want to send kernel messages to /dev/console instead of the log files. In the following example the kernel rule is commented out, because logging everything to the console clutters the screen:
# Log all kernel messages to the console
# Logging much else clutters up the screen
#kern.*                         /dev/console
(5) All facilities can be handled on one line. In the following example, messages of priority info or higher from every facility are sent to /var/log/messages, except those from the mail and authpriv facilities. The priority "none" disables a facility within that rule; the individual selectors are separated by semicolons and applied in order:
# Log anything (except mail) of level info or higher
# Don't log private authentication messages!
*.info;mail.none;authpriv.none  /var/log/messages
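To make the selector rules above concrete, here is an added example (my own code, not part of the original article and not taken from syslogd) that implements the same selector semantics as a small C matcher. Each selector is compiled into a per-facility bitmask of accepted priorities, and the selectors of a semicolon-separated list are applied in order, so later ones such as mail.none or mail.!err override earlier ones. It assumes the facility and priority names and numeric codes of <syslog.h>; the rules and messages in main() are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NFAC 24      /* facility codes 0..23 as in <syslog.h> (LOG_FAC) */
#define NPRI 8       /* priority codes 0 (emerg) .. 7 (debug)          */
#define ALLPRI 0xFF

static const char *const fac_names[NFAC] = {
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", NULL, NULL, NULL, NULL,
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"
};
static const char *const pri_names[NPRI] = {
    "emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"
};

/* Find a name of length len in a table; -1 if absent. */
static int lookup(const char *const *tab, int n, const char *name, size_t len)
{
    for (int i = 0; i < n; i++)
        if (tab[i] && strlen(tab[i]) == len && strncmp(tab[i], name, len) == 0)
            return i;
    return -1;
}

/* Compile a selector field such as "*.info;mail.none;authpriv.none" into a
   per-facility bitmask (bit p set = priority p accepted). 0 on success,
   -1 on a syntax error (unknown facility/priority, missing '.'). */
int compile_selector(const char *sel, unsigned char mask[NFAC])
{
    memset(mask, 0, NFAC);
    const char *p = sel;
    while (*p) {
        const char *end = strchr(p, ';');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        const char *dot = memchr(p, '.', len);
        if (dot == NULL) return -1;

        /* Priority part: [!][=]name, "*" or "none" */
        const char *pp = dot + 1;
        size_t plen = (size_t)(p + len - pp);
        int ignore = 0, single = 0, none = 0;
        unsigned char bits = 0;
        if (plen > 0 && *pp == '!') { ignore = 1; pp++; plen--; }
        if (plen > 0 && *pp == '=') { single = 1; pp++; plen--; }
        if (plen == 1 && *pp == '*') {
            bits = ALLPRI;
        } else if (plen == 4 && strncmp(pp, "none", 4) == 0) {
            none = 1;
        } else {
            int pri = lookup(pri_names, NPRI, pp, plen);
            if (pri < 0) return -1;
            /* "=pri": exactly that priority; plain "pri": pri and every more urgent one */
            bits = single ? (unsigned char)(1u << pri)
                          : (unsigned char)((1u << (pri + 1)) - 1);
        }

        /* Facility part: comma-separated names, or "*" for all */
        const char *f = p;
        while (f < dot) {
            const char *comma = memchr(f, ',', (size_t)(dot - f));
            size_t flen = comma ? (size_t)(comma - f) : (size_t)(dot - f);
            int lo, hi;
            if (flen == 1 && *f == '*') { lo = 0; hi = NFAC - 1; }
            else { lo = hi = lookup(fac_names, NFAC, f, flen); if (lo < 0) return -1; }
            for (int i = lo; i <= hi; i++) {
                if (none)        mask[i] = 0;                      /* drop this facility entirely */
                else if (ignore) mask[i] &= (unsigned char)~bits;  /* "!": remove these priorities */
                else             mask[i] |= bits;                  /* add these priorities */
            }
            f = comma ? comma + 1 : dot;
        }
        p = end ? end + 1 : p + len;
    }
    return 0;
}

/* 1 if a message with numeric facility fac and priority pri passes the compiled rule. */
int rule_matches(const unsigned char mask[NFAC], int fac, int pri)
{
    if (fac < 0 || fac >= NFAC || pri < 0 || pri >= NPRI) return 0;
    return (mask[fac] >> pri) & 1;
}

/* Convenience wrapper on names: 1 = match, 0 = no match, -1 = bad selector or name. */
int selector_matches(const char *sel, const char *fac, const char *pri)
{
    unsigned char mask[NFAC];
    if (compile_selector(sel, mask) < 0) return -1;
    int f = lookup(fac_names, NFAC, fac, strlen(fac));
    int p = lookup(pri_names, NPRI, pri, strlen(pri));
    if (f < 0 || p < 0) return -1;
    return rule_matches(mask, f, p);
}

int main(void)
{
    /* Constructed rules and messages for illustration */
    const char *rules[] = { "mail.*", "*.info;mail.none;authpriv.none",
                            "mail.*;mail.!err", "*.=debug", "uucp,news.crit" };
    const char *msgs[][2] = { {"mail", "debug"}, {"kern", "info"}, {"mail", "warning"},
                              {"mail", "err"}, {"authpriv", "info"}, {"news", "err"} };
    for (size_t r = 0; r < sizeof rules / sizeof *rules; r++)
        for (size_t m = 0; m < sizeof msgs / sizeof *msgs; m++)
            printf("%-32s %s.%-8s -> %s\n", rules[r], msgs[m][0], msgs[m][1],
                   selector_matches(rules[r], msgs[m][0], msgs[m][1]) == 1 ? "match" : "skip");
    return 0;
}
```

The matcher only handles the selector field; the action field (file, user list, "@host") is a separate concern. The order-dependent mask update is the point to notice: "*.info;mail.none" and "mail.none;*.info" are not the same rule, because the second one re-adds mail priorities after dropping them.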
3. syslog Process
The syslogd daemon is started by the /etc/rc.d/init.d/syslog script (on Red Hat Linux, in runlevels 2 to 5). By default it is started without options, but two options are useful:
-r: if you want the machine to act as a log server, syslogd must be run as syslogd -r. By default syslogd does not accept messages from remote systems; with -r it listens for UDP datagrams on port 514. The protocol is plain UDP with no authentication, so once -r is on, any host that can reach the port can inject lines into the logs or flood the server; a log server should therefore be reachable on 514/udp only from the hosts that are meant to send to it.
-h: by default, syslogd does not forward messages it received from a remote system on to another host named in a "@host" action; the -h flag enables such forwarding. Use it with care, since two hosts forwarding to each other will loop messages indefinitely.
Because syslog.conf is read at startup, a change to it takes effect only after the syslog daemon is restarted. You only need to restart the daemon, not the whole system. On a Red Hat Linux machine, run one of the following two commands:
/etc/rc.d/init.d/syslog stop; /etc/rc.d/init.d/syslog start
/etc/rc.d/init.d/syslog restart
4. Using the syslog API from a program
In everyday use, syslog is driven through the configuration file and the resulting log files are read by hand. In many applications, however, the program itself needs to record information, that is, to write messages into a log. Normally the people running the program do not care about the log contents; only when a problem occurs do they read the log to confirm what went wrong. The following describes in detail how a program uses syslog through the API the syslog system provides.
1. Main Functions
In Linux, the C library provides four functions for the syslog system (they are library calls that talk to syslogd over the /dev/log socket, not system calls):
openlog: opens a connection to the logger, similar to open for a file;
syslog: writes a log message, similar to write for a file;
closelog: closes the connection, similar to close for a file;
vsyslog: like syslog, but takes a va_list instead of a variable argument list.
(1) openlog function
The declaration of this function is as follows:
void openlog(const char *ident, int option, int facility);
This function opens a connection to the system logger. Once it is open, syslog or vsyslog can be used to add messages to the system log, and closelog closes the connection. Calling openlog is optional: the first call to syslog opens the connection with default settings (the program name as ident and LOG_USER as facility).
The first argument, ident, is a tag: the string it points to is prepended to every log line to identify its source, and it is usually set to the name of the current program. Note that glibc stores the pointer rather than a copy of the string, so ident must stay valid (not a stack buffer that goes out of scope) for as long as the program logs. The second argument, option, is normally the bitwise OR ("|") of the following option flags, for example LOG_CONS | LOG_PID:
LOG_CONS: if the message cannot be sent to the system logger, write it directly to the system console;
LOG_NDELAY: open the connection immediately; by default it is opened only when the first message is written (this matters if the program later calls chroot or otherwise loses access to /dev/log);
LOG_PERROR: also write the message to stderr;
LOG_PID: include the process ID (PID) in every message.
The third argument, facility, says which kind of program is logging. The main facilities are:
LOG_AUTH: security/authorization messages
LOG_AUTHPRIV: security/authorization messages (private)
LOG_CRON: the clock daemons (cron and at)
LOG_DAEMON: other system daemons
LOG_KERN: kernel messages (cannot be generated from a user process)
LOG_LOCAL0 to LOG_LOCAL7: reserved for local use
LOG_LPR: printer subsystem
LOG_MAIL: mail subsystem
LOG_NEWS: USENET news subsystem
LOG_SYSLOG: messages generated internally by syslogd
LOG_USER (default): generic user-level messages
LOG_UUCP: UUCP subsystem
LOG_FTP: FTP daemon
(2) syslog function
The syslog function is declared as follows:
void syslog(int priority, const char *format, ...);
The first argument is the priority of the message, the second is the message as a printf-style format string, and the remaining arguments are the values for that format, exactly as with printf in C; the format details are not covered here. The format string must always be a fixed string under the program's control: passing untrusted input as the format (syslog(LOG_INFO, user_input)) is a format-string vulnerability, so write syslog(LOG_INFO, "%s", user_input) instead. syslog also understands the extra conversion "%m", which it replaces with the text of the current errno, as strerror would.
The priority argument is the bitwise OR of a facility and a severity level (if the facility is omitted, the one given to openlog is used). Facilities were described above; the severity levels, from most to least urgent, are:
LOG_EMERG: the system is unusable
LOG_ALERT: action must be taken immediately, for example a database has crashed
LOG_CRIT: critical conditions, for example a hardware failure
LOG_ERR: error conditions
LOG_WARNING: warning conditions
LOG_NOTICE: normal but significant conditions
LOG_INFO: informational messages
LOG_DEBUG: debug messages
In practice, if a program needs system logging, it only has to call openlog once when it starts to connect to syslogd, and can then call syslog at any point to write a message.
(3) closelog function
Compared with the two functions above, this one is very simple; its declaration is:
void closelog(void);
Calling it is optional, and syslog simply reopens the connection if it is called again afterwards. It is still good practice: the open connection is a file descriptor held by the process, and closing it when logging is finished, or before the process forks and executes another program, keeps that descriptor from being inherited or leaked. Forgetting it does not exhaust memory, since openlog holds a single connection per process and repeated openlog calls reuse it.
2. An actual program call example
The following is an example of using the above functions to write logs, for your reference:
#include <stdio.h>
#include <unistd.h>
#include <syslog.h>

int main(void)
{
    /* Open the log: tag every line "log_test", include the PID,
       and fall back to the console if syslogd cannot be reached */
    openlog("log_test", LOG_PID | LOG_CONS, LOG_USER);
    /* Write logs; the facility defaults to the one given to openlog */
    syslog(LOG_INFO, "PID information, pid=%d", (int)getpid());
    syslog(LOG_DEBUG, "debug message");
    /* Close the log */
    closelog();
    return 0;
}
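The following is an added example (mine, not the program from the article above) that uses the same three calls from a program handling data received from the network. It shows the two checks a practitioner wants around syslog(): the format string is fixed and the untrusted value is passed as an argument, and control characters are escaped before logging so a caller cannot forge extra log lines with an embedded newline or send terminal escape sequences to whoever tails the log. The tag "login_demo", the helper names and the attacker input are assumptions for illustration; the priority is composed by OR-ing facility and severity as described in the syslog function section.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* Copy `in` into `out` (capacity outsz), escaping bytes that enable log
   injection: LF/CR (forged extra log lines), ESC (terminal escapes shown by
   `tail -f` or `less -r`) and every other control byte become "\xNN".
   Returns the number of bytes written, excluding the terminating NUL; the
   output is truncated rather than overflowed and is always NUL-terminated. */
size_t sanitize_for_log(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0) return 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        char tmp[5];
        int len;
        if (*p < 0x20 || *p == 0x7f) {
            len = snprintf(tmp, sizeof tmp, "\\x%02x", *p);
        } else {
            tmp[0] = (char)*p;
            len = 1;
        }
        if (n + (size_t)len >= outsz) break;   /* keep room for the NUL */
        memcpy(out + n, tmp, (size_t)len);
        n += (size_t)len;
    }
    out[n] = '\0';
    return n;
}

/* Build the priority argument of syslog(3): facility bits OR severity bits. */
int make_priority(int facility, int severity)
{
    return (facility & LOG_FACMASK) | (severity & LOG_PRIMASK);
}

/* Log a failed login for a user name that came from the network.
   The vulnerable form is left here as a comment only:
       syslog(LOG_WARNING, user);            // attacker controls the format string
   Hardened form: fixed format string, sanitized argument. */
void log_failed_login(const char *user, const char *src_ip)
{
    char safe_user[256];
    sanitize_for_log(user, safe_user, sizeof safe_user);
    syslog(make_priority(LOG_AUTHPRIV, LOG_WARNING),
           "failed login for user '%s' from %s", safe_user, src_ip);
}

int main(void)
{
    /* LOG_NDELAY opens /dev/log now, so logging keeps working even if the
       process later calls chroot(); LOG_PERROR mirrors the line to stderr. */
    openlog("login_demo", LOG_PID | LOG_NDELAY | LOG_PERROR, LOG_AUTHPRIV);

    /* Constructed attacker input: a newline to forge a second log record and
       an ESC sequence aimed at the terminal of whoever reads the log. */
    const char *evil_user =
        "alice\nJan  1 00:00:00 host sshd[1]: Accepted password for root\x1b[2J";
    log_failed_login(evil_user, "203.0.113.5");

    closelog();
    return 0;
}
```

With the escaping in place the forged record arrives in /var/log/secure (or wherever authpriv.warning is routed) as one line containing "\x0a" and "\x1b" in plain text, so a later grep or SIEM rule sees exactly one failed login and no fake "Accepted password" event.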
