Part 5. Linux logging
Working with logs
This content is part # of # in the series: Windows-to-Linux roadmap
This content is part of the series:Windows-to-Linux roadmap
Stay tuned for additional content in this series.
One of the keys to success in managing any system is to know what is happening on the system. Linux offers exceptional logging, and the detail in the logs is configurable.
Linux logs are in plain text, so you can search and read them without having to use special tools. You can also write scripts that scan through logs and perform automatic functions based on the contents.
Linux logs are contained in the /var/log directory. There are several log files that are maintained by the system, but other services and programs may put their log files here too. Most logs are only readable by root, but that can be changed by simply changing the access rights to the file.
The messages log is the core system log file. It contains the boot messages when the system came up as well as other status messages as the system runs. Errors with IO, networking, and other general system errors are reported in this file. Other information, such as when someone becomes root, is listed here as well. If services are running, such as DHCP servers, you can watch the action in the messages file. /var/log/messages is generally your first place to look when you are troubleshooting.
This log shows the results of the last execution of the Xfree86 Xwindows server. If you are having problems getting the graphical mode to come up, this file will usually provide answers as to what is failing.
There will be other log files in the /var/log directory depending on your distribution of Linux and the services and applications that you are running. For example, there may be logs associated with running a mail server, resource sharing, automatic tasks, and others.
You will see some files in the /var/log directory that end with a number.
These are rotated archives. Log files can get rather large and cumbersome.
Linux provides a command to rotate these logs so that you don't have
current log information mixed with older irrelevant data. Generally
logrotate runs automatically on a timed basis, but it can also be run
manually. When executed, logrotate will take the current version of the
log files and add a ".1" to the end of the filename. Then any other
previously rotated files are sequenced with ".2," ".3," etc. The larger
the number after a filename, the older the log is.
You can configure the automatic behavior for
logrotate by editing the
/etc/logrotate.conf file. Learn the full details about
Any text tool can be used to work with log files. Here are some tools that are particularly helpful.
To get a quick view of the boot log for the last system boot, use the command
dmesg. It generally puts out a lot of
text, so you will generally want to pipe it through a viewer.
dmesg | more
The command above will show the boot messages one screen page at a time.
Sometimes you want to keep an eye on a log file as activity is occurring.
Tail is designed to show the last few lines of a text file. By adding the
tail will continue to show
new output as it occurs.
tail -f /var/log/messages
The command above will show the last ten lines of /var/log/messages, then
continue to monitor the file and output any new activity. To stop the
tail -f command, use Ctrl + C to break the
More works the same as the DOS version. You can point it to a file, or
pipe output through it to see the information one screen page at a time. For example, to show the contents of the Xfree86 startup log file one screen page at a time:
Use "q" or [Ctrl]-C to stop looking at a file.
Less is another text viewer, but it allows you to scroll through a file and search for information.
The command above will display the contents of the /var/log/messages
file. Use "q" to quit viewing the file. Use "h" to
get help on using
You may want to put your own messages into the log file. You could just append the log message to the correct text file, but you would have to duplicate the log information style. Also, you would have to change your code if the logging system had been customized. The
logger command lets you send your own messages to the
logging facility. Use it in scripts to provide messages about execution
There are two services, or daemons, that control logging,
klogd only deals with kernel messages.
syslogd deals with other system messages, such as
applications. You can configure the behavior of both by editing the files
/etc/syslog.conf and /etc/sysconfig/syslog. Full custom logging is beyond
the scope of this article, but full details can be found in the Related topics listed at the end of this article. You can
also learn much by looking at the man page for /etc/sylogd.conf.
Essentially, each message generated by software provides some information to identify where the message came from and what message it is. The /etc/syslog.conf file allows you to specify what you want done with that kind of message. You can dump it to the messages file. You can dump it to a custom file. You can have it sent to a remote host where that host will process it according to its own syslogd configuration. Remote logging is an excellent security feature. By placing your logs on a remote system, you can prevent a security breach from easily covering its tracks by altering the log files.
Here is an example of customized logging taken from the
man /etc/syslog.conf page:
# Kernel messages are first, stored in the kernel # file, critical messages and higher ones also go # to another host and to the console # kern.* /var/adm/kernel kern.crit @finlandia kern.crit /dev/console kern.info;kern.!err /var/adm/kernel-info
The first rule directs any message that has the kernel facility to the file /var/adm/kernel.
The second statement directs all kernel messages of the priority crit and higher to the remote host finlandia. This is useful, because if the host crashes and the disks get irreparable errors, you might not be able to read the stored messages. If they're on a remote host, too, you still can try to find out the reason for the crash.
The third rule directs these messages to the actual console, so the person who works on the machine will get them, too.
The fourth line tells the syslogd to save all kernel messages that come with priorities from info up to warning in the file /var/adm/kernel- info. Everything from err and higher is excluded.
The ability to customize logging like this provides a great deal of flexibility and control over the Linux environment.
Log configuration in Webmin
Webmin has a module for working with log files.
Figure 1. Webmin system log view
All configured log files are shown. Click on a log file to edit its configuration.
Figure 2. Webmin log edit screen
Or you can click the View to see the contents of a log file.
The Webmin module interacts with the /etc/syslog.conf file, so anything you do in one is reflected in the other.
Logging in your life
Log files in Linux are critical to troubleshooting and maintaining your system. Linux logging is done to text files, so no proprietary tools are required to view the files. Text files are also easy to use with custom scripts and programs.
Logs are rotated to keep them from getting too large and to separate the current information from much older data. Log rotation is configurable.
Logging is highly configurable, and logs can even be stored on a separate system for security or backup purposes. You can generate system log messages out of your own scripts and programs that will be recognized and processed by the syslogd daemon.
- Check out the other parts in the Windows-to-Linux roadmap series (developerWorks, November 2003).
The syslog.conf man page contains an excellent description of how to
configure logging. To access it, type
The syslogd man page has a good overall description of how syslogd works,
including security issues. Type
- The developerWorks tutorial "LPI exam 101 prep: GNU and UNIX commands" (November 2005) covers basic text processing from the command line.
- Logging and working with the system logging daemon is covered in the developerWorks tutorial "LPI exam 201 prep: System maintenance" (September 2005).
- "LPI exam 202 prep: System security" (developerWorks, June 2006) covers Linux security in more detail.
- You'll find more information on .config files in "Understanding Linux configuration files" (developerWorks, December 2001).
- With IBM trial software, available for download directly from developerWorks, build your next development project on Linux.