Linux syslog Server Setup Strategy

Source: Internet
Author: User
Tags: syslog, system log

At present, syslog (system log), a long-established logging system, still holds the most mainstream position. Because it originated on Unix-like platforms, syslog is the most readily available logging system in real-world application environments. At the same time there are many syslog-based extension products, and a large number of network hardware devices built on UNIX-based platforms, such as Cisco routers, support syslog.

First, configure the syslog daemon

syslogd is the default logging daemon on Linux systems, and its default configuration file is /etc/syslog.conf. The daemon is configurable, so you can specify exactly where each kind of system message is stored. Let us first look at the format of a configuration line in syslog.conf (every configuration line in this file has the same format), and then at a complete syslog configuration file. A syslog configuration line looks like this:

mail.* /var/log/mail
This line is made up of two parts. The first part is one or more selection criteria (selectors); the selection criterion in the example above is "mail". The selection criteria are followed by some whitespace and then by an action; the action in the example above is /var/log/mail.

1. Selection criteria

A selection criterion itself is divided into two fields separated by a period (.). The first field is the service (facility) and the second field is the priority. A selection criterion is really a classification of message types, which makes it easy to send different kinds of messages to different places. More than one selection criterion is allowed on the same syslog configuration line, but they must be separated by semicolons (;). In the example given above there is only one selection criterion, "mail". Configuration lines with several selection criteria can be seen in the complete syslog configuration file example given later. Table 1 lists the selection criteria that most Linux operating system variants recognize.

2. Priority level

The priority is the second field of the selection criterion and represents the urgency of the message. Which priority an application's messages carry is decided by the programmer who originally wrote it; the user of the application can only accept that arrangement, unless they intend to recompile the application. Table 2 lists all possible priorities in order of severity from low to high.

Different services have different priorities, and a higher priority covers the lower ones. If a selection criterion gives only a priority and no precedence qualifier is used, messages of that priority and all more urgent message types are included. For example, if the priority in a selection criterion is "warning", it actually includes "warning", "err", "crit", "alert" and "emerg".

3. Precedence qualifiers

syslog allows the priority to be decorated with three qualifiers: an asterisk (*), an equals sign (=) and an exclamation mark (!). Readers familiar with regular expressions will recognize all three. The asterisk (*) means "send all log messages generated by this service to the location specified in the action". Just as in regular expressions, the asterisk stands for "anything". In the example given earlier, "mail.*" sends messages of every priority to the /var/log/mail file specified in the action. Using the "*" qualifier is exactly the same as using the "debug" priority, which also sends all types of messages to the specified location.

The equals sign (=) means "send only the log messages of this priority generated by this service to the location specified in the action". For example, you can use the "=" qualifier to send only debug messages without sending the other, more urgent messages (this relieves the application of a lot of burden). Use the equals qualifier when you only need messages of one particular priority. Just as in programming, the equals sign means equal to and only equal to.

The exclamation mark (!) means "send all log messages generated by this service to the location specified by the action, but do not include messages of this priority". For example, this syslog configuration line sends all messages except those of info priority to the /var/log/mail file:

mail.*;mail.!info /var/log/mail

In this example, "mail.*" sends all the messages, while "mail.!info" excludes messages of info priority. Just as in programming, the exclamation mark means "not".
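To make the selector rules concrete, here is an added Python example (not code from the original article) that resolves which actions a message reaches under a small constructed syslog.conf, covering the facility.priority selectors, the three qualifiers and the "@loghost" remote action used in the client section later. It follows the rules documented in sysklogd's syslog.conf(5): selector fields are applied left to right, "!level" clears that level and everything more urgent (so "mail.*;mail.!info" leaves only mail.debug), "!=level" clears exactly one level, and "none" clears the whole facility.

```python
# Priorities in order of urgency, lowest first (the page's Table 2 order).
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "mark",
              "news", "syslog", "user", "uucp"] + ["local%d" % i for i in range(8)]

def selector_mask(selectors):
    """Turn 'fac.pri;fac.pri' into {facility: set of accepted priorities}.
    Fields apply left to right, each adding to or clearing the mask, so
    'mail.*;mail.!info' keeps only mail.debug, not "everything but info"."""
    mask = {f: set() for f in FACILITIES}
    for field in selectors.split(";"):
        facs, pri = field.rsplit(".", 1)
        negate = pri.startswith("!")              # '!' clears levels instead of adding
        exact = pri.lstrip("!").startswith("=")   # '=' means this single level only
        pri = pri.lstrip("!=").lower()
        if pri in ("*", "none"):
            levels = set(PRIORITIES)              # 'none' is '*' applied as a clear
            negate = negate or pri == "none"
        elif exact:
            levels = {pri}
        else:                                     # plain level: this one and all more urgent
            levels = set(PRIORITIES[PRIORITIES.index(pri):])
        for fac in FACILITIES if facs == "*" else facs.split(","):
            mask[fac] = (mask[fac] - levels) if negate else (mask[fac] | levels)
    return mask

def parse_conf(text):
    """Parse 'selectors <whitespace> action' lines, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            selectors, action = line.split(None, 1)
            rules.append((selector_mask(selectors), action))
    return rules

def route(rules, facility, priority):
    """Return every action (file, '@host', ...) a facility.priority message reaches."""
    return [action for mask, action in rules if priority in mask[facility]]

# Constructed sample syslog.conf, including the page's 'mail.*;mail.!info' line.
SAMPLE_CONF = """mail.*                 /var/log/mail
mail.*;mail.!info      /var/log/mail-noinfo
mail.=debug            /var/log/mail-debug
*.warning;mail.none    /var/log/messages
authpriv.*             @loghost"""
RULES = parse_conf(SAMPLE_CONF)
```

Under these rules route(RULES, "mail", "info") returns only /var/log/mail, while a mail.debug message also reaches /var/log/mail-noinfo and /var/log/mail-debug.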

4. Actions

Log messages can be written to several files, and can also be sent to named pipes, to other programs, or even to another machine. The syslog configuration file is not complex; it is easy to read and easy to use. The comments in this file are very useful and worth reading carefully.

Second, establish a central log server

1. Preparation before establishing a central log server

Well-configured network services (DNS and NTP) help improve the accuracy of logging. By default, when another machine sends it a log message, the central log server attempts to resolve that machine's FQDN (Fully Qualified Domain Name). (You can disable this with the "-x" option when configuring the central server.) If the syslog daemon fails to resolve the address it keeps trying, and this unnecessary extra burden significantly reduces the efficiency of logging. Similarly, if your systems are not synchronized in time, the timestamp the central log server assigns to an event may not agree with the timestamp on the machine that sent it, which is a big problem when you sort events. Synchronizing network time helps to ensure the time accuracy of log messages. To avoid this time synchronization trouble, first edit the /etc/ntp.conf file to point to a central time source, and then arrange for the ntpd daemon to start with the system.

2. Configuring a central log server

A central log server can be implemented with syslog and a little configuration. Any server running the syslog daemon can be configured to accept messages from other machines, but this option is disabled by default. Unless stated otherwise, the steps below apply to most Linux distributions, including SuSE and Red Hat. Let's look at how to make a syslog server accept incoming log messages:

1. Edit the /etc/sysconfig/syslog file.

Add the "-r" option to the "SYSLOGD_OPTIONS" line to allow incoming log messages to be accepted. You can also add the "-x" option if you do not want the central log server to resolve the FQDN of other machines, for example because the DNS records for those machines are incomplete. In addition, you may want to change the frequency of the default timestamp marker message (-- MARK --) to a more meaningful value, such as 240, which adds a timestamp message to the log file every 240 minutes (6 times a day). The "-- MARK --" message in the log file tells you that the syslog daemon on the central log server is alive and not idle. With the options described above, the configuration line should look like this:

SYSLOGD_OPTIONS="-r -x -m 240"

2. Restart the syslog daemon. The modifications will not take effect until the syslog daemon restarts. If you only want to restart the syslog daemon rather than the whole system, on a Red Hat machine execute one of the following two commands:



3. If the iptables firewall or tcpwrappers is running on this machine, make sure that it allows traffic on port 514 to pass, since that is the port (UDP) the syslog daemon uses.

4. Configuring each client machine for the central log server

It is not difficult to have a client send log messages to the central log server. Edit the /etc/syslog.conf file on the client and point the action part of a configuration line at the central log server with an "@" character, as follows:


Another option is to define a host named "loghost" in DNS and then make the following change to the client's syslog configuration file (the benefit is that when you replace the central log server with another machine, you do not have to modify the syslog configuration file on every client):

authpriv.* @loghost

Next, restart the syslog daemon on the client for the change to take effect. The client should keep logging locally while also sending messages to the central log server: at the very least, the client can then be debugged without logging in to the central log server, and local logs remain available for debugging when the central log server is in trouble.

Summary: the logging system plays the role of the sensory organs of the whole information infrastructure, and a well-functioning system requires log collection tools deployed in the right places. Later I will introduce syslog-ng, the enhanced version of syslog.

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.
