Linux Syslog notes

Source: Internet
Author: User
Tags openlog rsyslog

Original article address

Linux diary system is monitored by system logsProgramSyslogd is composed of the kernel log monitor klogd. The two monitoring programs are both daemon and registered as system services. In other words, we can find the corresponding execution programs under the/etc/init. d/directory, and start, close, and restart them using the service command. The/etc/syslog. conf file is the configuration file of the Linux diary system. The following is the content of my/etc/syslog. conf file (/Etc/rsyslog. conf in Ubuntu):



  1. # Log all kernel messages to the console. 
  2. # Logging much else clutters up the screen. 
  3. # Kern. */dev/console 
  5. # Log anything (could t mail) of level info or higher. 
  6. # Don't log private authentication messages!
  7. *. Info; mail. None; authpriv. None; cron. None/var/log/messages
  9. # The authpriv file has restricted access.
  10. Authpriv. */var/log/secure
  12. # Log all the mail messages in one place.
  13. Mail. *-/var/log/maillog
  16. # Log cron stuff
  17. Cron. */var/log/cron
  19. # Everybody gets emergency messages
  20. *. Emerg *
  22. # Save news errors of level crit and higher in a special file.
  23. Uucp, news. crit/var/log/Spooler
  25. # Save boot messages also to boot. Log
  26. Local7. */var/log/boot. Log


Before explaining this configuration file in detail, let's take a look at how to use syslogs in Linux C programming.

Syslog APIs

Linux C provides a set of system log writing interfaces, including three functions: openlog, syslog, and closelog.

Openlog is optional. If openlog is not called, openlog is automatically called when syslog is called for the first time. You can also choose to call closelog, which only disables the descriptor used for communicating with the Syslog daemon.

The following is the call format of the three functions:

  1. # Include <syslog. h>
  2. VoidOpenlog (Char* Ident,IntOption,IntFacility );
  3. VoidSyslog (IntPriority,Char* Format ,...);
  4. VoidCloselog ();


Both openlog and closelog are optional. However, by calling openlog, we can specify the ident parameter at In this way, the ident will be added to each diary record. IDENT is generally set to the program name, for example, "testsyslog" in the following example ":

  1. # Include <syslog. h>
  2. IntMain (IntArgc,Char* Argv [])
  3. {
  4. Openlog ("Testsyslog", Log_cons | log_pid, 0 );
  5. Syslog (log_user | log_info,"Syslog Test message generated in program % s \ n", Argv [0]);
  6. Closelog ();
  7. Return0;
  8. }


After an executable file is compiled and run every time, the program adds the following record to/var/log/messages:

    1. Apr 23 17:15:15 lirong-920181 testsyslog [27214]: syslog Test message generated in program./A. Out


The format is timestamp hostname ident [pid]: Log message. Ident indicates that we call openlog as the specified "testsyslog", and [27214] indicates that the option parameter of openlog specifies log_pid. The options, facility, and priority parameters in the syslog function are discussed in detail below.

According to the/usr/include/sys/syslog. h file, we can see that the options supported by syslog are as follows:

  1. /* 
  2. * Option flags for openlog. 
  3. * Log_odelay no longer does anything. 
  4. * Log_ndelay is the inverse of what it used to be. 
  5. */ 
  6. # Define log_pid 0x01/* log the PID with each message */ 
  7. # Define log_cons 0x02/* log on the console if errors in sending */ 
  8. # Define log_odelay 0x04/* Delay open until first syslog () (default )*/ 
  9. # Define log_ndelay 0x08/* Don't delay open */ 
  10. # Define log_nowait 0x10/* don't wait for console forks: deprecated */ 
  11. # Define log_perror 0x20/* log to stderr as well */
  12. We can combine these options with operations. Syslog supports the following faclility:

    1. /* Facility codes */ 
    2. # Define log_kern (0 <3)/* kernel messages */ 
    3. # Define log_user (1 <3)/* random user-level messages */ 
    4. # Define log_mail (2 <3)/* Mail System */ 
    5. # Define log_daemon (3 <3)/* system daemons */ 
    6. # Define log_auth (4 <3)/* Security/authorization messages */ 
    7. # Define log_syslog (5 <3)/* messages generated internally by syslogd */ 
    8. # Define log_lpr (6 <3)/* Line Printer subsystem */ 
    9. # Define log_news (7 <3)/* Network News subsystem */ 
    10. # Define log_uucp (8 <3)/* uucp subsystem */ 
    11. # Define log_cron (9 <3)/* Clock daemon */ 
    12. # Define log_authpriv (10 <3)/* Security/authorization messages (private )*/ 
    13. # Define log_ftp (11 <3)/* FTP daemon */

    The correspondence between the facility ID (the value above) and the name is as follows:

    1. {"Auth", Log_auth },
    2. {"Authpriv", Log_authpriv },
    3. {"Cron", Log_cron },
    4. {"Daemon", Log_daemon },
    5. {"Ftp", Log_ftp },
    6. {"Kern", Log_kern },
    7. {"LPR", Log_lpr },
    8. {"Mail", Log_mail },
    9. {"Mark", Internal_mark },/* Internal */
    10. {"News", Log_news },
    11. {"Security", Log_auth },/* Deprecated */
    12. {"Syslog", Log_syslog },
    13. {"User", Log_user },
    14. {"Uucp", Log_uucp },

    This ing maps the facility ID in the syslog System Call to the configuration options in the syslog. conf file. I will explain it in detail later. Facility indicates the type of the syslog application to be called. Syslog supports the following priority:

    1. # Define log_emerg 0/* system is unusable */ 
    2. # Define log_alert 1/* action must be taken immediately */ 
    3. # Define log_crit 2/* critical conditions */ 
    4. # Define log_err 3/* error conditions */ 
    5. # Define log_warning 4/* warning conditions */ 
    6. # Define log_notice 5/* normal but significant condition */ 
    7. # Define log_info 6/* informational */ 
    8. # Define log_debug 7/* debug-level messages */

    The correspondence between the priority ID (the value above) and the name is as follows:

    1. {"Alert", Log_alert },
    2. {"Crit", Log_crit },
    3. {"Debug", Log_debug },
    4. {"Emerg", Log_emerg },
    5. {"Err", Log_err },
    6. {"Error", Log_err },/* Deprecated */
    7. {"Info", Log_info },
    8. {"None", Internal_nopri },/* Internal */
    9. {"Notice", Log_notice },
    10. {"Panic", Log_emerg },/* Deprecated */
    11. {"Warn", Log_warning },/* Deprecated */
    12. {"Warning", Log_warning },

    This ing works in the same way as facility to match the configuration options in the syslog. conf file. Priority is used to indicate the priority of a log, or to indicate the severity of the log time. In actual use, the priority parameter in the syslog function is actually a combination of the facility and priority mentioned above.

    Return to the syslog. CONF file and testsyslog program. Based on the previous analysis, we will study why testsyslog writes the log to the file/var/log/messages, rather than other files.

    The basic syntax of the syslog. conf file line is as follows:

    [Message Type (rule)] [processing scheme (diary file)]

    Note that the two must be separated by one or more TAB characters. The message type is composed of a message source (facility) and a priority (priority. For example, news. crit in the preceding syslog. conf file indicates the "critical" status from news. Here, news indicates the message source, and crit indicates the critical situation. Wildcard * indicates all message sources, such as the first rule :*. info: Send all messages above the info level (Notice, warning, err, alert, emerg) (Priority table) to the/var/log/messages log file. In the testsyslog program, the priority specified when the syslog function is called is log_user | log_info. According to the relationship between the ID and name mentioned above, the corresponding message type rule is, contained in Rule *. info, so the log will be written to/var/log/messages.

    Modify the syslog. conf file

    In general, we want to be able to specify specific diary files for our applications. At this time, we need to modify the syslog. conf file. Suppose we want to write the debug log to the/var/log/debug file. The first step is to add the following message rules to the syslog. conf file as the first rule:

      1. User. debug/var/log/debug

    If the new rule takes effect, restart syslogd and klogd: Service syslog restart (/Etc/init. d/rsyslog restart in Ubuntu)

    To test whether the new rule takes effect, we can modify testsyslog as follows:

    1. # Include <syslog. h>
    2. IntMain (IntArgc,Char* Argv [])
    3. {
    4. Openlog ("Testsyslog", Log_cons | log_pid, 0 );
    5. Syslog (log_user | log_debug,"Syslog Test message generated in program % s \ n", Argv [0]);
    6. Closelog ();
    7. Return0;
    8. }

    After the execution file is compiled and generated, a new record is added to the/var/log/debug file every time it is run.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.