Overview
The concept of a log file is well understood: it records when something happened, who did it, where, and what was done. A program called syslog (on Ubuntu, the extended rsyslog) collects the messages generated by the system and writes them to specific destinations according to rules, including files, consoles, printers, remote hosts, and so on. Because log files grow continuously, a program is needed to manage them; this is logrotate. Understanding these two programs is mainly a matter of understanding their configuration files. Most important, however, is being able to read the log messages themselves, which requires a comprehensive understanding of the system and its services, so that you know what a log file is actually telling you.
Syslog configuration
Grammar
Syntax: <service name>[operator]<information level>    <where information is logged>
Service Name
Service name: identifies which service's messages are to be recorded. The services recognized by syslog are mainly the following:
auth, authpriv: Authentication-related mechanisms; services that require authentication, such as telnet, login and SSH, use these;
cron: Messages produced by scheduled jobs such as cron/at;
daemon: Messages related to each daemon;
kern: Messages produced by the kernel;
lpr: Printing-related messages;
mail: Anything related to sending and receiving mail;
news: Messages related to a newsgroup server;
syslog: Messages generated by the syslogd program itself;
user, uucp, local0 ~ local7: Messages related to the Unix-like machine itself.
Operator
The operator limits the range of messages that are logged:
. : Records messages at the given level or higher (including that level). For example, mail.info means that messages from the mail service at level info or higher (including info) are recorded;
.= : Records only messages at exactly the level that follows;
.! : Means not equal to the level that follows.
Information level
Information levels are divided into the following categories:
info: Informational messages only;
notice: Attention! Messages that deserve more attention than info;
warning or warn: Warning messages. The three levels above still indicate no error; they deserve attention, but nothing has gone wrong yet;
err or error: An error has occurred! The cause of the problem should be investigated;
crit: The critical point! If you don't deal with it, you'll be in trouble;
alert: The error is being warned about repeatedly! You're going to be in serious trouble;
emerg or panic: The system has entered a chaotic state! It's really broken.
Special levels: for example debug (show more information) and none (do not record this service's messages), among others.
Record Log Location
Where to record information
Absolute path to a file: usually a file under /var/log. If the path is prefixed with "-", writes are asynchronous, which can improve performance.
Printer or other device: for example /dev/lp0 is a printer device, and /dev/console refers to the console.
User name: such as root; the message is displayed to that user. * tells all users.
Remote host: for example @test.adsldns.org
Configuration file Example
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog
# Log cron stuff
cron.*                                                  /var/log/cron
# Everybody gets emergency messages
*.emerg                                                 *
# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler
# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
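To see which destinations a given message reaches under these rules, the selector grammar can be evaluated mechanically. The following Python code is an added example, not part of the original article or of syslog itself: it models only the ".", ".=", "*" and none forms described above (the ".!" operator is left out), assumes selectors separated by ";" are applied left to right, and its function names are hypothetical.

```python
# Added example: simplified model of syslog selector matching (assumptions above).
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
FACILITIES = ("auth authpriv cron daemon kern lpr mail news syslog user uucp "
              + " ".join(f"local{i}" for i in range(8))).split()


def parse_rule(line):
    """Split 'selectors  destination' and build {facility: set(levels)}."""
    selectors, destination = line.split(None, 1)
    mask = {f: set() for f in FACILITIES}
    for selector in selectors.split(";"):          # processed left to right
        facs, _, level = selector.rpartition(".")
        exact = level.startswith("=")              # the ".=" operator
        level = ALIASES.get(level.lstrip("="), level.lstrip("="))
        targets = FACILITIES if facs == "*" else facs.split(",")
        for fac in targets:
            if fac not in mask:
                raise ValueError(f"unknown facility: {fac}")
            if level == "none":                    # record nothing for it
                mask[fac] = set()
            elif level == "*":                     # every level
                mask[fac] |= set(LEVELS)
            else:
                i = LEVELS.index(level)            # ValueError if unknown
                mask[fac] |= {level} if exact else set(LEVELS[i:])
    return mask, destination.strip()


def destinations(rules, facility, level):
    """Return the destinations that would receive a facility.level message."""
    level = ALIASES.get(level, level)
    return [dest for mask, dest in map(parse_rule, rules)
            if level in mask.get(facility, ())]


# Rules copied from the configuration example on this page.
RULES = [
    "*.info;mail.none;authpriv.none;cron.none  /var/log/messages",
    "authpriv.*  /var/log/secure",
    "mail.*  -/var/log/maillog",
    "cron.*  /var/log/cron",
    "*.emerg  *",
    "uucp,news.crit  /var/log/spooler",
]

if __name__ == "__main__":
    for fac, lvl in [("authpriv", "notice"), ("mail", "err"), ("kern", "emerg")]:
        print(f"{fac}.{lvl} ->", destinations(RULES, fac, lvl))
```

Note how authpriv messages never reach /var/log/messages: authpriv.none, applied after *.info, clears that facility again, so authentication records end up only in the restricted /var/log/secure file.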
Logrotate Configuration
/etc/logrotate.conf and /etc/logrotate.d/*
/etc/logrotate.conf is the default configuration: if a specific service has no settings of its own, these defaults are used.
# see "man logrotate" for details
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
#compress
# RPM packages drop log rotation information into this directory
# Configuration files for specific programs are in the directory below
include /etc/logrotate.d
# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    minsize 1M
    create 0664 root utmp
    rotate 1
}
# system-specific logs may also be configured here.