Linux Log Basics

Source: Internet
Author: User
Tags ranges syslog example


First, we describe the basics: what Linux logs are, where to find them, and how they are created. If you already know this, skip to the next section.


Linux system logs

Many valuable log files are created for you automatically by Linux. You can find them in the /var/log directory. The following figure shows that directory on a typical Ubuntu system:

Some of the most important Linux system logs include:

  • /var/log/syslog or /var/log/messages stores all global system activity data, including boot messages. Debian-based systems such as Ubuntu use /var/log/syslog, while RedHat-based systems such as RHEL or CentOS use /var/log/messages.
  • /var/log/auth.log or /var/log/secure stores logs from the Pluggable Authentication Modules (PAM), including successful logins, failed login attempts, and the authentication methods used. Ubuntu and Debian use /var/log/auth.log, while RedHat and CentOS use /var/log/secure.
  • /var/log/kern stores kernel errors and warnings, which is especially useful for troubleshooting problems with a custom kernel.
  • /var/log/cron stores information about cron jobs. Use this data to verify that your cron jobs are running successfully.

Digital Ocean has a complete tutorial on these files that describes how rsyslog creates them in common Release versions such as RedHat and CentOS.

Applications also write log files in this directory. For example, common server programs such as Apache, Nginx, and MySQL can write their log files there. Some of these log files are created by the application itself, while others are created by syslog (see below).


What is Syslog?

How are Linux system log files created? The answer is the syslog daemon, which listens for log messages on the syslog socket /dev/log and then writes them to the appropriate log file.

The word "syslog" has several meanings and usually refers to one of the following:

  1. Syslog daemon: a program that receives, processes, and sends syslog messages. It can forward syslog messages to a remote centralized server or write them to a local file. Common examples include rsyslogd and syslog-ng. This is the sense in which people say "send it to syslog".
  2. Syslog protocol: a transport protocol that specifies how logs are transmitted over the network, together with a data format definition for syslog messages (see below). It is formally defined in RFC 5424. The standard port is 514 for plaintext logs and 6514 for encrypted logs. This is the sense in which people say "syslog transport".
  3. Syslog message: a log message or event in syslog format, which includes a header with several standard fields. This is the sense in which people say "send a syslog".
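The following is an added example, not code from the original article, showing the arrangement just described in miniature: a stand-in "daemon" binds a Unix datagram socket the way rsyslogd or syslog-ng bind /dev/log, and an application logs into it. The socket lives at a temporary path rather than the real /dev/log (an assumption made so the demo runs unprivileged and does not touch the system logger); Python's SysLogHandler emits the same <PRI>-prefixed datagram that the C library's syslog(3) call sends on a real system.

```python
import logging
import logging.handlers
import os
import socket
import tempfile


def parse_local(raw: bytes) -> dict:
    """Split a local syslog datagram "<PRI>text" into PRI, facility, severity, text.

    PRI = facility * 8 + severity, so divmod recovers both parts.
    """
    text = raw.decode("utf-8").rstrip("\x00")   # the handler appends a NUL terminator
    if not text.startswith("<") or ">" not in text:
        raise ValueError("not a syslog datagram")
    pri_str, _, body = text[1:].partition(">")
    pri = int(pri_str)
    facility, severity = divmod(pri, 8)
    return {"pri": pri, "facility": facility, "severity": severity, "text": body}


def run_demo(message="demo: failed login from constructed test",
             facility=logging.handlers.SysLogHandler.LOG_AUTH) -> dict:
    """Stand in for the daemon, let one application log to us, return the parsed datagram."""
    sock_dir = tempfile.mkdtemp()
    sock_path = os.path.join(sock_dir, "log")   # would be /dev/log on a real system (assumption)
    server = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    server.bind(sock_path)
    server.settimeout(2)
    try:
        # The "application" side: SysLogHandler connects to the Unix socket and
        # sends "<PRI>message", with PRI computed from facility and log level.
        logger = logging.getLogger("syslog-demo")
        logger.setLevel(logging.DEBUG)
        logger.propagate = False
        handler = logging.handlers.SysLogHandler(address=sock_path, facility=facility)
        logger.addHandler(handler)
        logger.warning(message)          # WARNING maps to syslog severity 4
        logger.removeHandler(handler)
        handler.close()
        raw = server.recv(4096)          # what the daemon sees on the socket
    finally:
        server.close()
        os.unlink(sock_path)
        os.rmdir(sock_dir)
    return parse_local(raw)


if __name__ == "__main__":
    print(run_demo())   # facility auth (4) and severity warning (4) give PRI 36
```

A real daemon would now route the event by its facility and severity (for example, facility 4, auth, to /var/log/auth.log) and add the timestamp and hostname, which is why those fields appear in the stored line but not in the datagram shown here.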

Syslog messages or events include a header with several standard fields, which makes them easier to parse and route. The fields include a timestamp, the application name, the category or location of the source within the system, and the priority of the event.

The following is a log message that carries a syslog header. It comes from the sshd daemon, which controls remote logins to the system, and describes a failed login attempt:

<34>1 2003-10-11T22:14:15.003Z server1.com sshd - - pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2


Syslog Format and Field

Each syslog message contains a header with fields. These fields are structured data, which makes events easier to parse and route. The following is the format used to generate the syslog example above; you can match each value to the name of its field.

<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% %msg%n

Below, you will see some syslog fields that are most commonly used in searching or troubleshooting:


Timestamp

The timestamp (2003-10-11T22:14:15.003Z in the preceding example) indicates the date and time at which the message was generated on the sending system. This may differ from the time at which another system receives it. The timestamp in the example breaks down as follows:

  • 2003-10-11 is the year, month, and day.
  • T is a required element of the timestamp that separates the date from the time.
  • 22:14:15.003 is the 24-hour time, including the milliseconds elapsed into the next second (003).
  • Z is an optional element meaning UTC time. Instead of Z, the example could carry an offset such as -08:00, meaning the time is shifted 8 hours from UTC, i.e. PST.


Host Name

The Host Name field (server1.com in the preceding example) is the name of the system that sent the message.


Application name

The Application name field (sshd:auth in the preceding example) is the name of the program that sent the message.


Priority

The priority field, abbreviated pri (<34> in the preceding example), tells us how urgent or severe the event is. It consists of two numeric fields: the facility and the severity. The severity ranges from 0 for an emergency to 7 for a debug event. The facility describes which part of the system created the event; it ranges from 0 for kernel messages to 23 for local application use.

Pri can be output in two ways. The first is a single number, calculated by multiplying the facility value by 8 and adding the severity value: (facility) x 8 + (severity). The second is pri text, output as a string of the form "facility.severity". The latter format is easier to read and search, but takes more storage space.
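To tie the format template, the timestamp rules and the pri arithmetic together, here is an added example (not from the original article or from rsyslog) that parses the failed-login message above into the fields named in the template, converts the RFC 3339 timestamp to UTC whether it ends in Z or carries an offset, and turns pri into both its number and its "facility.severity" text. The facility and severity names are the RFC 5424 tables; the sample line is a constructed copy of the article's example, and the parser follows the page's template, which has no STRUCTURED-DATA element (an assumption).

```python
import re
from datetime import datetime, timezone

# Constructed copy of the article's failed-login event, laid out per the rsyslog
# template above: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID MSG.
SAMPLE = ("<34>1 2003-10-11T22:14:15.003Z server1.com sshd - - "
          "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 "
          "tty=ssh ruser= rhost=10.0.2.2")

# Facility (0-23) and severity (0-7) names from the RFC 5424 tables.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# One regex per header field of the template; everything after MSGID is the message.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+)(?: (?P<msg>.*))?$",
    re.DOTALL,
)


def encode_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity, the single-number output form."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def decode_pri(pri: int) -> tuple:
    """Inverse of encode_pri: (facility, severity) from the number inside <...>."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI must be 0-191")
    return divmod(pri, 8)


def pri_text(pri: int) -> str:
    """The 'facility.severity' text form, e.g. 34 -> 'auth.crit'."""
    facility, severity = decode_pri(pri)
    return f"{FACILITIES[facility]}.{SEVERITIES[severity]}"


def parse_timestamp(ts: str) -> datetime:
    """RFC 3339 timestamp to a UTC datetime; both 'Z' and numeric offsets are accepted."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"   # older Pythons' fromisoformat does not accept 'Z'
    return datetime.fromisoformat(ts).astimezone(timezone.utc)


def parse_syslog(line: str) -> dict:
    """Split one line in the template's format into its header fields plus decoded pri."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if m is None:
        raise ValueError("line does not carry an RFC 5424 header")
    fields = m.groupdict()
    pri = int(fields["pri"])
    facility, severity = decode_pri(pri)
    fields.update(
        pri=pri,
        facility=facility,
        severity=severity,
        pri_text=pri_text(pri),
        timestamp=parse_timestamp(fields["timestamp"]),
        msg=fields["msg"] or "",
    )
    return fields


if __name__ == "__main__":
    for key, value in parse_syslog(SAMPLE).items():
        print(f"{key:>10}: {value}")
```

For the sample line this yields pri 34, which decodes to facility 4 (auth) and severity 2 (crit), i.e. "auth.crit"; a PST timestamp such as 2003-10-11T14:14:15.003-08:00 parses to the same UTC instant as the Z form in the example, which is the comparison you want when correlating events from hosts in different time zones.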

Via: Linux Logging Basics

Authors: Jason Skowronski, Amy Echeverri, Sadequl Hussain. Translator: FSSlc. Proofreader: wxy

This article was originally translated by LCTT and first published by Linux China.

Permanent link to this article:
