Operating system logs, including Linux’s, provide a wide range of diagnostic data about your machine. Log files include messages about the system, such as the kernel, services, and programs that are operating on it. Linux logs everything, from kernel events to user operations, so you can view practically every activity taken on your servers. We’ll describe Linux logs in this part, including what they are, where to locate them, and how to read them.
System logging and syslog
There is a service called syslog that sends this information to the system logger. Syslog actually consists of a number of components, one of which is the syslogd daemon (newer Linux distributions use rsyslogd), which waits for event messages to occur and filters out the ones it wants to know about before sending them to a file, your console, or doing nothing, depending on what it is expected to do with them. another thing is aside from syslog, every program maintains its own logging file.
All of the logging files are stored in the
/var/log/ directory. If you look at the directory, you may see something like this.
Various files continue to record information on various things. For instance, all security-related events are logged in the auth.log. But each log must include a timestamp and information about the event.
This is a snapshot of the syslog file. You can see that each log has a timestamp and details info as we discussed. Syslog maintains and sends the logs to the system logger. Most linux distributions use Rsyslog which is an advanced version of syslog. You check what kinds of files are maintained by the system logger by running the command below.
$ tail -5 /etc/rsyslog.d/50-default.conf
You can manually create your own log by using the logger tool. Let’s do some logging.
$ logger -s Enablegeek is great
If you now see inside the syslog file, you can see the logging info like this.
At the time of booting the system, to prevent the action occurred linux logs everything which is known as the ring buffer. You may not need it any time but if you are facing trouble with the boot process, you need to see through the log file. This buffer keeps all messages created by the printk() function in the kernel code, including boot messages. You can view these messages which are located in the
/var/log/boot.log file. Let’s view some messages.
$ tail -5 /var/log/boot.log
The previously described buffer is a cyclic data structure with a defined size that is hard-coded into the kernel. When the ring buffer is full, fresh data replaces old.
There is another file where kernel logs can be located which is /var/log/kern.log. It keeps the information about events and kernel commands. For instance, these messages could be helpful while troubleshooting a new or specially created kernel. It also logs the output of the dmesg.
Depending on the distribution, linux stores the information about logging in
/var/log/secure. The first one is for debian-based distribution and the last one is for Redhat distribution. It logs all the logging attempts including failed and successful logging. thus, providing useful details when logging face issues with logging. A snapshot of the file is provided below.
Managing Log File
Log files must be preserved efficiently on the hard disk and we must be able to obtain the most up-to-date information. To do this, we must handle the log file in accordance with our requirements. Logrotate is a fantastic tool for this on Linux. The
/etc/logrotate.d/ file contains all configuration information for the log file.
Let’s look into the bootlog file.
The default setup is shown below. You may use logrotate to specify how many log files to preserve and which logs to discard.