Linux: The Ultimate Guide To Logging

Table of Contents

Related Tutorials

Operating system logs, including Linux’s, provide a wide range of diagnostic data about your machine. Log files include messages about the system, such as the kernel, services, and programs that are operating on it. Linux logs everything, from kernel events to user operations, so you can view practically every activity taken on your servers. We’ll describe Linux logs in this part, including what they are, where to locate them, and how to read them.

System logging and syslog

There is a service called syslog that sends this information to the system logger. Syslog actually consists of a number of components, one of which is the syslogd daemon (newer Linux distributions use rsyslogd), which waits for event messages to occur and filters out the ones it wants to know about before sending them to a file, your console, or doing nothing, depending on what it is expected to do with them. another thing is aside from syslog, every program maintains its own logging file. 
All of the logging files are stored in the /var/log/ directory. If you look at the directory, you may see something like this.

HueuEqbKDQSrXmYOxhLKlv5CkqXAMSBCIyinvOutyi3OgUaqgWDdKkftVW07DKtMB VoW5tuvRU3fTS4sLsKWSmo0m8YTeA57PRpCgPoaKGQ8l0yFWs4h9UMpknurLcOTSJ g Sdaz4 nuD30u7U4Ch6gbqwlvMQVAXFYNo 3St7L6T6T80zo6zTRQ - Linux: The Ultimate Guide To Logging

Various files continue to record information on various things. For instance, all security-related events are logged in the auth.log. But each log must include a timestamp and information about the event.

5qX1qCvTaoylPneJXND4gQpB3Xitv1YMXALwOY7er gubVqUXP ny9c56cLLPlA25NtyYHLOhEQVId wdjYnZBs CsumupTTXLL49aIoSwU5yoxZZamSC1mIdd9xTCaxaUSIWD5tv8DrDJRersoB9gFqczw5T7fi4VXK LaQ - Linux: The Ultimate Guide To Logging

This is a snapshot of the syslog file. You can see that each log has a timestamp and details info as we discussed.  Syslog maintains and sends the logs to the system logger. Most linux distributions use Rsyslog which is an advanced version of syslog. You check what kinds of files are maintained by the system logger by running the command below. 

$ tail -5 /etc/rsyslog.d/50-default.conf

ULIhGgCq2uuNndK xTa2k3wCKYq QkeESy2lFQg8p4 b374EPAOeR65YVZq 0FGrt5Y3Y8dsVQpa2666tduNqffnMMsYoBh3CRCVMV8C3Gt7S4lPbD B8N6JK6mLwhyXj66e VhwS Z9VviRjquZy5EXfIwqtfbd32TTneRH1CfN16VlJrzTbqBemw - Linux: The Ultimate Guide To Logging

You can manually create your own log by using the logger tool. Let’s do some logging.

$ logger -s Enablegeek is great

If you now see inside the syslog file, you can see the logging info like this.

HP2UPoP7m987iOHBdxpyLvjmXk2eC 9ZxTgyHkeLaUxZzvbd4DxUw5VeVFnUk0 WsbiAAvus0c0YV8oku LdJYcFZLtml90 aknf832HIA5gDIyg4VGaz4Ao0iKDd2r5djfjxAjsK9m jQNH1RErwspp eMegqPwFbGGNX5gOPr3 Qw2zrdopBybuQ - Linux: The Ultimate Guide To Logging

Kernel Logging

At the time of booting the system, to prevent the action occurred linux logs everything which is known as the ring buffer. You may not need it any time but if you are facing trouble with the boot process, you need to see through the log file. This buffer keeps all messages created by the printk() function in the kernel code, including boot messages.  You can view these messages which are located in the /var/log/dmesg or /var/log/boot.log file. Let’s view some messages.

$ tail -5 /var/log/boot.log

I0OiZvMl3BBSeUlEjrND8AyGt1anWdc xn46Z9eMcFyCz7kOd2DZF1czZiKiw CKa6zmxX p8D2 RHDlpCOYDWF4P0Lvk kBdMqU4UxVuGUKkYuSO49ZzcARwB 5StESHFkbVw4brZZ5RDH94 - Linux: The Ultimate Guide To Logging

The previously described buffer is a cyclic data structure with a defined size that is hard-coded into the kernel. When the ring buffer is full, fresh data replaces old.

There is another file where kernel logs can be located which is /var/log/kern.log. It keeps the information about events and kernel commands. For instance, these messages could be helpful while troubleshooting a new or specially created kernel. It also logs the output of the dmesg.

Authentication Logging

Depending on the distribution, linux stores the information about logging in /var/log/auth.log or /var/log/secure. The first one is for debian-based distribution and the last one is for Redhat distribution. It logs all the logging attempts including failed and successful logging. thus, providing useful details when logging face issues with logging.  A snapshot of the file is provided below.

2gU0VZU0cZv84IeYMOMslmzV90ASy9bJ 6WzegGirhO7VuPcgVyG v4 fwqNKN5TfIE53McYmS DG4DDqKZ6Fs7fyZOUBNO2xHyeWUXEWfkaki3LLct1st9hI - Linux: The Ultimate Guide To Logging

Managing Log File

Log files must be preserved efficiently on the hard disk and we must be able to obtain the most up-to-date information. To do this, we must handle the log file in accordance with our requirements. Logrotate is a fantastic tool for this on Linux. The /etc/logrotate.d/ file contains all configuration information for the log file.

4Z9VxeJlkAInH6wtNJ tgEM36aq5LzplxsJovbmahXNikaiA6yb 6VjcwuMb9IHsiL0S9RcfHqC6yxsSJTXSQV6nOx4d7YZVHkL89k899ieKvBBwCO - Linux: The Ultimate Guide To Logging

Let’s look into the bootlog file. 

p7rr5uscck6b4R0LZM5LhVErWrBTKRcQzfbC1bhjiV6hW5U3IGqXuBV7tv1Kp 41cPzuR1XxGBJh0GChluVRTRbixsa14rlxXVumALgt3UX0gThWL UslBgd7wkv9jGrfFiqEycEGD5D04M8rAJ Z7sV1GQAUSle6DAwU192efQ6XRrfOtDop Bf - Linux: The Ultimate Guide To Logging

The default setup is shown below. You may use logrotate to specify how many log files to preserve and which logs to discard.

Share The Tutorial With Your Friends