http://areyouok.iteye.com/blog/287980
Introduction
Different Linux distributions use different syslog programs to record system logs.
Debian 4.0 and Ubuntu 8.04 (desktop edition) use sysklogd by default; its configuration file is /etc/syslog.conf.
Fedora 9 uses rsyslogd by default; its configuration file is /etc/rsyslog.conf.
openSUSE 11 uses syslog-ng; its configuration file is /etc/syslog-ng/syslog-ng.conf.
Only Debian is used here to introduce the configuration of syslog.conf. The format of rsyslog.conf is essentially the same as that of syslog.conf. Run man syslog.conf to view the configuration help.
The configuration file consists of multiple rules; lines beginning with # are comments. Each rule has three parts: the facility, the severity (priority) and the action to take. Several facility/severity selectors can be combined in one rule.
Example
The following rule selects the mail facility: messages at severity err or higher are written to /var/log/mail.err, while messages below err are ignored by this rule:
mail.err                        /var/log/mail.err
Several facilities can be listed separated by commas, and wildcards can be used for the facility or severity:
auth,authpriv.*                 /var/log/auth.log
A rule can contain several facility/severity combinations separated by semicolons. A minus sign before the file name means that messages are not written to the file immediately but are buffered and written once certain conditions are met; this improves performance, but data may be lost if the machine goes down:
*.*;auth,authpriv.none          -/var/log/syslog
Syslog messages can be sent over UDP to port 514 of a syslog server:
*.err                           @192.168.0.1
When an error occurs, display it on the console:
*.err                           /dev/console
Log format
Syslog messages sent out by Debian 4.0 end with a newline \n and carry no host name or timestamp. For example:
<38>su[2257]: (pam_unix) session opened for user root by root(uid=0)
<30>dhclient: bound to 192.168.233.129 -- renewal in 878 seconds.
A sample from the local syslog log file (/var/log/auth.log); it has the host name and time but no facility or severity:
Oct  8 22:36:56 Debian sshd[2261]: (pam_unix) session opened for user root by root(uid=0)
Syslog messages forwarded by Fedora's rsyslogd do not end with a newline \n.
Finally, here is the default syslog.conf file of Debian 4.0:
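To make the selector rules and the <PRI> header concrete, here is an added example (written for this page, not code from the original post): it parses rules in the syslog.conf syntax shown above with sysklogd's matching semantics, decodes the <PRI> prefix of a raw message (PRI = facility * 8 + severity) and lists the actions that would receive it. The configuration text is a constructed sample that mixes the rules from the Example section; it is not a real file.

```python
import re
# Numeric codes from syslog.h: PRI = facility * 8 + severity.
PRIORITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4, "warn": 4,
              "notice": 5, "info": 6, "debug": 7}
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11}
# Constructed config in the syslog.conf syntax described above (not a real file).
SAMPLE_CONF = """\
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
mail.err                        /var/log/mail.err
*.err                           @192.168.0.1
*.=info;*.=notice;*.=warn;\\
    auth,authpriv.none;\\
    cron,daemon.none;\\
    mail,news.none              -/var/log/messages
"""

def parse_rules(text):
    """Return [(severity_bitmask_per_facility, action)] with sysklogd semantics:
    'prio' adds prio and all more severe levels, '=prio' adds one level, '*' adds
    all, 'none' clears the facility; later selectors in a rule override earlier."""
    text = re.sub(r"\\\n\s*", "", text)  # join backslash-continued lines
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        selector, action = re.split(r"\s+", line, maxsplit=1)
        masks = dict.fromkeys(FACILITIES.values(), 0)
        for sel in selector.split(";"):
            facs, prio = sel.rsplit(".", 1)
            codes = list(masks) if facs == "*" else [FACILITIES[f] for f in facs.split(",")]
            for code in codes:
                if prio == "none":
                    masks[code] = 0
                elif prio == "*":
                    masks[code] = 0xFF
                elif prio.startswith("="):
                    masks[code] |= 1 << PRIORITIES[prio[1:]]
                else:
                    masks[code] |= (1 << (PRIORITIES[prio] + 1)) - 1
        rules.append((masks, action))
    return rules

def actions_for(rules, message):
    """Actions, in config order, that would receive a raw '<PRI>...' datagram."""
    pri = int(re.match(r"<(\d{1,3})>", message).group(1))
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    return [act for masks, act in rules if masks.get(facility, 0) & (1 << severity)]
```

Feeding it the two Debian messages above shows why <38> (auth.info) lands only in /var/log/auth.log while <30> (daemon.info) lands only in /var/log/syslog: the auth,authpriv.none and cron,daemon.none selectors remove them from the other files. The '!' negation form of sysklogd is not modelled.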
#  /etc/syslog.conf     Configuration file for syslogd.
#
#                       For more information see syslog.conf(5)
#                       manpage.

#
# First some standard logfiles.  Log by facility.
#

auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
#cron.*                         /var/log/cron.log
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log
uucp.*                          /var/log/uucp.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err

# Logging for INN news system
#
news.crit                       /var/log/news.crit
news.err                        /var/log/news.err
news.notice                     -/var/log/news.notice

#
# Some 'catch-all' logfiles.
#
*.=debug;\
        auth,authpriv.none;\
        news.none;mail.none     -/var/log/debug
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg                         *

#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
#       news.=crit;news.=err;news.=notice;\
#       *.=debug;*.=info;\
#       *.=notice;*.=warn       /dev/tty8

# The named pipe /dev/xconsole is for the 'xconsole' utility.  To use it,
# you must invoke 'xconsole' with the '-file' option:
#
#    $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
#       busy site..
#
daemon.*;mail.*;\
        news.crit;news.err;news.notice;\
        *.=debug;*.=info;\
        *.=notice;*.=warn       |/dev/xconsole