Viewing and Managing Log Files
indexterm:[log files,System Log]indexterm:[log files,description] _Log files_ are files that contain messages about the system, including the kernel, services, and applications running on it. There are different log files for different information. For example, there is a default system log file, a log file just for security messages, and a log file for cron tasks.
Log files can be very useful when trying to troubleshoot a problem with the system, such as trying to load a kernel driver, or when looking for unauthorized login attempts to the system. This chapter discusses where to find log files, how to view log files, and what to look for in log files.

indexterm:[log files,rsyslogd daemon]indexterm:[rsyslog] Some log files are controlled by a daemon called `rsyslogd`. The `rsyslogd` daemon is an enhanced replacement for [application]*sysklogd*, and provides extended filtering, encryption-protected relaying of messages, various configuration options, input and output modules, and support for transport via the `TCP` or `UDP` protocols. Note that [application]*rsyslog* is compatible with [application]*sysklogd*.
Log files can also be managed by the `journald` daemon, a component of `systemd`. The `journald` daemon captures Syslog messages, kernel log messages, initial RAM disk and early boot messages, as well as messages written to standard output and standard error output of all services, indexes them, and makes them available to the user. The native journal file format, which is a structured and indexed binary file, improves searching and provides faster operation, and it also stores metadata such as time stamps or user IDs. Log files produced by `journald` are by default not persistent: they are stored only in memory or in a small ring buffer in the `/run/log/journal/` directory. The amount of logged data depends on free memory; when you reach the capacity limit, the oldest entries are deleted. However, this setting can be altered, see xref:Viewing_and_Managing_Log_Files.adoc#s2-Enabling_Persistent_Storage[Enabling Persistent Storage]. For more information on Journal see xref:Viewing_and_Managing_Log_Files.adoc#s1-Using_the_Journal[Using the Journal].
By default, only `journald` is installed on your system. You have to install [application]*rsyslog* yourself. Remember to enable and start it after installation, before continuing with the rest of this guide. The `journald` daemon is the primary tool for troubleshooting. It also provides additional data necessary for creating structured log messages. Data acquired by `journald` is forwarded into the `/run/systemd/journal/syslog` socket that may be used by `rsyslogd` to process the data further. However, [application]*rsyslog* does the actual integration by default via the `imjournal` input module, thus avoiding the aforementioned socket. You can also transfer data in the opposite direction, from `rsyslogd` to `journald`, with the `omjournal` module. See xref:Viewing_and_Managing_Log_Files.adoc#s1-interaction_of_rsyslog_and_journal[Interaction of Rsyslog and Journal] for further information.

The integration enables maintaining text-based logs in a consistent format to ensure compatibility with possible applications or configurations dependent on `rsyslogd`. Also, you can maintain rsyslog messages in a structured format (see xref:Viewing_and_Managing_Log_Files.adoc#s1-structured_logging_with_rsyslog[Structured Logging with Rsyslog]).
Locating Log Files
indexterm:[log files,locating] A list of log files maintained by `rsyslogd` can be found in the `/etc/rsyslog.conf` configuration file. Most log files are located in the `/var/log/` directory. Some applications such as [command]#httpd# and [command]#samba# have a directory within `/var/log/` for their log files.

indexterm:[log files,rotating]indexterm:[logrotate] You may notice multiple files in the `/var/log/` directory with numbers after them (for example, `cron-20100906`). These numbers represent a time stamp that has been added to a rotated log file. Log files are rotated so their file sizes do not become too large. The `logrotate` package contains a cron task that automatically rotates log files according to the `/etc/logrotate.conf` configuration file and the configuration files in the `/etc/logrotate.d/` directory.
Basic Configuration of Rsyslog
indexterm:[rsyslog,configuration] The main configuration file for [application]*rsyslog* is `/etc/rsyslog.conf`. Here, you can specify _global directives_, _modules_, and _rules_ that consist of _filter_ and _action_ parts. Also, you can add comments in the form of text following a hash sign (`#`).
indexterm:[rsyslog,filters] A rule is specified by a *filter* part, which selects a subset of syslog messages, and an *action* part, which specifies what to do with the selected messages. To define a rule in your `/etc/rsyslog.conf` configuration file, define both a filter and an action on one line and separate them with one or more spaces or tabs.
[application]*rsyslog* offers various ways to filter syslog messages according to selected properties. The available filtering methods can be divided into *Facility/Priority-based*, *Property-based*, and *Expression-based* filters.
Facility/Priority-based filters
The most used and well-known way to filter syslog messages is to use the facility/priority-based filters which filter syslog messages based on two conditions: _facility_ and _priority_ separated by a dot. To create a selector, use the following syntax:
_FACILITY_ specifies the subsystem that produces a specific syslog message. For example, the [command]#mail# subsystem handles all mail-related syslog messages. _FACILITY_ can be represented by one of the following keywords (or by a numerical code): [command]#kern# (0), [command]#user# (1), [command]#mail# (2), [command]#daemon# (3), [command]#auth# (4), [command]#syslog# (5), [command]#lpr# (6), [command]#news# (7), [command]#uucp# (8), [command]#cron# (9), [command]#authpriv# (10), [command]#ftp# (11), [command]#ntp# (12), [command]#logaudit# (13), [command]#logalert# (14), [command]#clock# (15), and [command]#local0# through [command]#local7# (16 - 23).
_PRIORITY_ specifies a priority of a syslog message. _PRIORITY_ can be represented by one of the following keywords (or by a number): [command]#debug# (7), [command]#info# (6), [command]#notice# (5), [command]#warning# (4), [command]#err# (3), [command]#crit# (2), [command]#alert# (1), and [command]#emerg# (0).
The aforementioned syntax selects syslog messages with the defined or *higher* priority. By preceding any priority keyword with an equal sign (`=`), you specify that only syslog messages with the specified priority will be selected. All other priorities will be ignored. Conversely, preceding a priority keyword with an exclamation mark (`!`) selects all syslog messages except those with the defined priority.
In addition to the keywords specified above, you may also use an asterisk (`*`) to define all facilities or priorities (depending on where you place the asterisk, before or after the dot). Specifying the priority keyword `none` serves for facilities with no given priorities. Both facility and priority conditions are case-insensitive.
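An added example, not part of the original guide: a Python evaluator for the selectors described above, useful for checking which rule would catch a given message (for instance `authpriv` login messages). It goes beyond this section by accepting several selectors joined with `;` (priorities accumulate per facility and `none` clears them) and by decoding the `<PRI>` number that syslog messages carry (facility × 8 + priority); the `!` form is not handled, `none` is assumed to select nothing for its facility, and the rules and file paths are constructed samples.

```python
# Added example: evaluate rsyslog facility/priority selectors for one message.
# The keyword order follows the numerical codes listed in the text above.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert",
              "clock"] + [f"local{i}" for i in range(8)]
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def decode_pri(pri):
    """Split the <PRI> number of a syslog message (facility * 8 + priority)."""
    facility, priority = divmod(pri, 8)
    return FACILITIES[facility], PRIORITIES[priority]

def selected_priorities(selector_list, facility):
    """Return the priority keywords a selector list selects for one facility."""
    selected = set()
    for selector in selector_list.lower().split(";"):
        fac, prio = selector.strip().split(".", 1)
        if fac not in ("*", facility):
            continue                          # selector is for another facility
        if prio.startswith("!"):
            raise ValueError("'!' negation is outside this example")
        if prio == "none":
            selected.clear()                  # nothing from this facility
        elif prio == "*":
            selected.update(PRIORITIES)       # every priority
        elif prio.startswith("="):
            selected.add(prio[1:])            # exactly this priority
        else:                                 # this priority or higher (lower number)
            selected.update(PRIORITIES[:PRIORITIES.index(prio) + 1])
    return selected

def destinations(rules, pri):
    """List the targets of every rule whose selector list matches the message."""
    facility, priority = decode_pri(pri)
    return [target for selectors, target in rules
            if priority in selected_priorities(selectors, facility)]

# Constructed sample rules (selector list, target file); not taken from the page.
SAMPLE_RULES = [
    ("*.info;authpriv.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("kern.=crit", "/var/log/kern-crit"),
]

if __name__ == "__main__":
    for pri in (86, 2, 38, 15):   # authpriv.info, kern.crit, auth.info, user.debug
        print(pri, decode_pri(pri), destinations(SAMPLE_RULES, pri))
```

With these sample rules, an `authpriv.info` message (`<86>`) reaches only the second target, which is the behaviour to confirm when login records must stay out of a widely readable log.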