On the syslog daemon under Linux

Source: Internet
Author: User
Tags openlog syslog system log fully qualified domain name rsyslog dmesg

Syslog is the default log daemon under Linux. Any program that wants to generate log information can do so through a syslog interface.

In addition, almost all network devices can use the syslog protocol to send their log messages to a remote server over UDP. The remote log server must have syslogd listening on UDP port 514, and it processes incoming messages according to its syslog.conf configuration file. The configuration file /etc/rsyslog.conf specifies how syslogd reports messages based on their facility (device) and severity level.

That is the general idea; the details follow.

About configuration files:

In earlier versions of CentOS the configuration file was "/etc/syslog.conf". Exactly which version made the change is unclear, but as of CentOS 6.5 the configuration file is named "/etc/rsyslog.conf".

Syslog supports classifying log output into specific files, but it has several limitations:

1. syslog classifies its output, but it does not support having each process write to its own file (because syslog is not meant to be a complete logging library);

2. The location of syslog output files is not arbitrary: by default it is restricted to the "/var/log/" directory, and a file assigned to another location has no effect;

Leaving aside the comments, which make up most of this file, the main content basically has the following format:


From left to right, the fields are:

"service.priority <tab> action".

The "service.priority" part is collectively called the selector. Selectors classify messages by service, which makes it easier for syslog to manage log output. Multiple selectors are allowed on the same configuration line, separated by ";".


Service (facility), which specifies the syslog function that produced the message. The main ones are:

kern: kernel messages, first passed through klogd;
user: user processes;
mail: mail messages;
daemon: background processes;
authpriv: authorization information;
syslog: system log;
lpr: printing information;
news: newsgroup information;
uucp: information generated by UUCP;
cron: scheduled job and task information;
mark: internal syslog function for generating timestamps;
local0 to local7: used by custom programs, such as SSH with local5;
*: wildcard that represents all facilities except mark.

Priority (level), which specifies the priority of the message, from highest to lowest:

emerg or panic: the system is unusable (most urgent messages);
alert: a condition that must be corrected immediately (urgent messages);
crit: error conditions that prevent some tools or subsystems from working (important messages);
err: conditions that prevent part of a tool or subsystem from working (error messages);
warning: warning information (warning messages);
notice: ordinary conditions of some importance (common but important messages);
info: informational messages;
debug: additional information that is not about a functional condition or problem (debug level, the most information);
none: no priority level, usually used for troubleshooting (no log messages are logged);
*: all levels except none.
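How a selector is applied to one message, as an added example that is not code from the original article or from syslogd. The names lookup and selector_matches are hypothetical. It relies on the facilitynames[] and prioritynames[] tables that glibc's <syslog.h> defines when SYSLOG_NAMES is set, follows the standard syslog.conf rule that a named priority selects that level and everything more severe, and handles only "facility.priority" clauses with "*" and "none" (not the "=", "!" or comma forms).

```c
#define SYSLOG_NAMES   /* makes <syslog.h> define facilitynames[] and prioritynames[] */
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Look a name up in one of the <syslog.h> name tables; -1 if unknown. */
static int lookup(const CODE *tab, const char *name)
{
    for (; tab->c_name != NULL; tab++)
        if (strcmp(tab->c_name, name) == 0)
            return tab->c_val;
    return -1;
}

/* Hypothetical helper: returns 1 if selected, 0 if not, -1 on a syntax error. */
int selector_matches(const char *selector, int fac, int pri)
{
    int selected = 0;
    while (*selector != '\0') {
        char clause[64], *level;
        size_t n = strcspn(selector, ";");
        if (n == 0 || n >= sizeof clause)
            return -1;
        memcpy(clause, selector, n);
        clause[n] = '\0';
        selector += n + (selector[n] == ';');   /* step past the clause and its ';' */
        if ((level = strchr(clause, '.')) == NULL)
            return -1;
        *level++ = '\0';
        int f = strcmp(clause, "*") == 0 ? fac : lookup(facilitynames, clause);
        int p = strcmp(level, "*") == 0 ? LOG_DEBUG : lookup(prioritynames, level);
        if (f < 0 || p < 0)
            return -1;
        if (f != fac)
            continue;                 /* clause names a different facility */
        if (p == INTERNAL_NOPRI)
            selected = 0;             /* "none": exclude this facility again */
        else if (pri <= p)
            selected = 1;             /* smaller number = more severe */
    }
    return selected;
}

int main(void)
{
    const char *sel = "*.info;mail.none;authpriv.none";   /* constructed sample */
    printf("daemon.warning -> %d\n", selector_matches(sel, LOG_DAEMON, LOG_WARNING));
    printf("mail.err       -> %d\n", selector_matches(sel, LOG_MAIL, LOG_ERR));
    return 0;
}
```

Clauses are evaluated left to right, so a later "facility.none" removes messages that an earlier wildcard clause had selected.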


1. /var/log/lastlog: Records the most recent login time of each user. When a user logs in, the time of their last login is displayed; if that is not the time you last logged in, your account may have been compromised. This file can be read with the /usr/bin/lastlog command.

2. /var/run/utmp: Records the login time of each user on the system; who, users, finger and similar commands read this file.

3. /var/log/wtmp: Records each user's login and logout times; the last command reads this file. It also records shutdown and reboot events.

4. /var/log/secure: Login-related system information.

5. /var/log/maillog: Records information from sendmail, pop and related services.

6. /var/log/cron: Records information about crontab and scheduled jobs.

7. /var/log/dmesg: /bin/dmesg displays this file; it holds the messages shown on screen at boot.

8. /var/log/xferlog: Records which addresses connected over FTP and which files they fetched.

9. /var/log/messages: Most system messages are recorded here, including logins, password checks, failed logins, FTP, su, and so on.

Starting the syslog daemon:

Syslog is also a daemon, more precisely rsyslog. Its startup script is /etc/rc.d/init.d/rsyslog. After modifying the configuration file, we need to restart the service with the "service rsyslog restart" command for the changes to take effect.

Syslog is not only used to log messages on the local machine; more often it serves as a log server that receives messages from remote systems. There are two common options for starting the service:

-r: Use the current host as the log server, listen for UDP packets coming in on port 514, and receive messages from remote systems. Without this option, messages from remote systems will not be received.

-h: Enables the current log server to transmit log information,

How to configure a central log server:

1. Edit /etc/sysconfig/rsyslog (before CentOS 6.5 the file was called syslog). This file declares the options that are passed to the service when it starts.

-r: as mentioned above, allows log messages from other hosts to be received;

-m **: changes the frequency of the default timestamp (mark) messages to the value you specify, e.g. "-m 240" adds a timestamp message to the log file every 240 minutes;

-x: tells the central log server not to resolve the FQDN of other machines (fully qualified domain name, that is, hostname plus full domain path);

SYSLOGD_OPTIONS="-r -x -m 240 -c 5"

2. Restart the rsyslog service

service rsyslog restart

3. Turn off the firewall (iptables), or allow connections on port 514 to pass;

4. Configure syslog on the client

Method one: in the client's syslog configuration file, use the "@" character in the action field of a configuration line to point to the central log server instead of a local file under /var/log/...

# Log all the mail messages in one place.

mail.* @

Method two: define a machine in DNS under any name, "loghost" for example, and then change the client's configuration file to the following form. This avoids having to modify the syslog configuration file on every client if the log server is replaced.

# Log all the mail messages in one place.

mail.* @loghost

After the client has been configured, a restart is required.
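What the central server receives from a client configured with "@", as an added example that is not part of the original article: each UDP datagram starts with a priority header "<N>" where N = facility number * 8 + level (the traditional syslog format of RFC 3164). UDP syslog is unauthenticated, so the receiver should treat the header as untrusted input and validate it. The function name parse_pri and the sample datagram are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Constructed sample datagram: <22> = facility 2 (mail) * 8 + level 6 (info). */
static const char SAMPLE[] = "<22>Apr  7 23:13:12 www postfix[4063]: constructed sample";

/*
 * Hypothetical helper: parse the "<N>" header of a received datagram.
 * Stores the facility number (0..23) and level (0..7) and returns the offset
 * of the first byte after '>', or -1 if the header is malformed.
 */
int parse_pri(const char *dgram, size_t len, int *facility, int *level)
{
    size_t i = 1;
    int value = 0;

    if (len < 3 || dgram[0] != '<')
        return -1;
    while (i < len && i <= 3 && dgram[i] >= '0' && dgram[i] <= '9')
        value = value * 10 + (dgram[i++] - '0');
    if (i == 1 || i >= len || dgram[i] != '>')
        return -1;                    /* no digits, more than three, or no '>' */
    if (value >= (LOG_NFACILITIES << 3))
        return -1;                    /* facility number out of range */
    *facility = LOG_FAC(value);
    *level = LOG_PRI(value);
    return (int)(i + 1);
}

int main(void)
{
    int fac, lvl;
    int off = parse_pri(SAMPLE, strlen(SAMPLE), &fac, &lvl);
    if (off < 0)
        return 1;
    printf("facility=%d level=%d text=\"%s\"\n", fac, lvl, SAMPLE + off);
    return 0;
}
```

The timestamp, hostname and tag that follow the header are also written by the sender, so the server cannot rely on them to identify the source of a message.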

function interface for


    #include <syslog.h>

    void openlog(const char *ident, int option, int facility);
        /* ident: identifies which process is logging; usually the process name */
        /* common option values:
               LOG_CONS:
               LOG_PID: each log message printed contains the PID of the current process */
        /* common facility values:
               LOG_USER: each log message is recorded as user-level information */

    void syslog(int priority, const char *format, ...);
        /* format: the log message to output, followed by its argument list; used like printf */

    void closelog(void);

Test Case:

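    #include <stdio.h>
    #include <syslog.h>

    int main(int argc, char *argv[])
    {
        /* Tag every message with the program name and its PID. */
        openlog(argv[0], LOG_CONS | LOG_PID, LOG_USER);

        int count = 0;
        while (count < 5) {
            /* Logged as user.info, so a "user.*" selector picks it up. */
            syslog(LOG_INFO, "%d, log info test ...", count);
            count++;
        }

        closelog();
        return 0;
    }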

To test the configuration file at the same time, add the following lines to the syslog configuration file:

    # This file is only valid under /var/log by default; it has no effect in other directories
    user.*    /var/log/0.log

Restart the rsyslog service;

Run the program above. The file 0.log now appears in /var/log/; open it and the content is as follows:

    # cat /var/log/0.log
    Apr  7 23:13:12 www ./test_log[4063]: 0, log info test ...
    Apr  7 23:13:12 www ./test_log[4063]: 1, log info test ...
    Apr  7 23:13:12 www ./test_log[4063]: 2, log info test ...
    Apr  7 23:13:12 www ./test_log[4063]: 3, log info test ...
    Apr  7 23:13:12 www ./test_log[4063]: 4, log info test ...

This simple example is enough for now. I see a lot of people on the Internet discussing how to use syslog to write a particular process's log to its own file, but there is no good solution. Although the configuration file provides the custom facilities local0~local7, they are not a panacea, and in many cases they do not really achieve our purpose.

What I want to say here is that syslog under Linux is not intended to provide per-process log output for users. It is a general mechanism for service management, aimed at classes of services and at log servers, for maintaining logs across the whole system and network (maintaining the logs is in effect maintaining the whole group of machines). Also, real projects do not use syslog as a complete log management tool; Linux already offers many complete logging libraries, such as log4cplus, zlog and so on.

------Muhuizz Finishing

This article is from the "Twilight Back" blog, make sure to keep this source http://muhuizz.blog.51cto.com/11321490/1914017
