Linux Logs
Created: October 07, 2019
rsyslog
- rsyslog (partially) controls where services write their logs.
- /etc/rsyslog.conf controls where services output their messages.
- Messages are categorized by type. For example, error, warning, etc.
- rsyslog can forward logs to other servers and receive logs from other servers
Log Files
| Description | File |
|---|---|
| RHEL: generic system activity logs. | /var/log/messages |
| Debian: generic system activity logs. | /var/log/syslog |
| Debian: authentication logs. | /var/log/auth.log |
| RHEL: authentication logs. | /var/log/secure |
| Kernel messages. | /var/log/kernel |
| systemd boot messages. | /var/log/boot.log |
logrotate
- /etc/logrotate.conf is the config file for logrotate.
- There is an import by default for all files in /etc/logrotate.d/.
- Settings can be applied per log file. Syntax:
```
/var/log/yum.log {
    missingok               # it's okay for the file to be missing
    notifempty              # don't rotate if the file is empty
    maxsize 30k             # rotate once the file grows past this size, even before the time period is up
    yearly                  # time period for rotation
    create 0600 root root   # mode, owner and group of the new log file
}
```
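The `create` directive above decides who can read a log after rotation, so it is worth checking for every stanza. The following is an added example, not part of the original notes: `audit_logrotate`, `sample_conf`, the verdict labels and the sample stanzas are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the `create` mode of every logrotate stanza.
# audit_logrotate, sample_conf and the verdict labels are made up for this example.

audit_logrotate() {
    # Reads logrotate config from the files given as arguments, or from stdin.
    # Assumes each stanza header ends with "{" on the same line as its paths.
    awk '
        { sub(/[ \t]*#.*/, "") }                 # strip comments
        !inblock && /[{][ \t]*$/ {               # header: one or more paths, then "{"
            sub(/[ \t]*[{][ \t]*$/, "")
            paths = $0; mode = ""; inblock = 1
            next
        }
        # Only a create directive that carries an octal mode sets the mode.
        inblock && $1 == "create" && $2 ~ /^[0-7][0-7][0-7][0-7]?$/ { mode = $2 "" }
        inblock && $1 == "}" {
            other = substr(mode, length(mode), 1)
            group = substr(mode, length(mode) - 1, 1)
            if (mode == "")        { mode = "-"; verdict = "INHERIT" }  # no mode set in this stanza
            else if (other != "0") verdict = "WORLD"    # others have access
            else if (group != "0") verdict = "GROUP"    # group has access
            else                   verdict = "OWNER"    # owner only, e.g. 0600
            n = split(paths, p, /[ \t]+/)
            for (i = 1; i <= n; i++) if (p[i] != "") print p[i], mode, verdict
            inblock = 0
        }
    ' "$@"
}

# Constructed sample input, not taken from a real host.
sample_conf() {
cat <<'EOF'
/var/log/yum.log {
    missingok
    create 0600 root root
}
/var/log/app/a.log /var/log/app/b.log {
    weekly
    create 0644 app app   # world-readable
}
/var/log/legacy.log {
    monthly
}
EOF
}

sample_conf | audit_logrotate
```

On a real host, pass the files directly, for example `audit_logrotate /etc/logrotate.conf /etc/logrotate.d/*`. An `INHERIT` result means the stanza sets no mode of its own, so a global `create` or the old file's mode applies.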
systemd-journald
- journald is not persistent by default.
- The journal is binary rather than text.
Make the journal persistent
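```
mkdir /var/log/journal                        # journald stores the journal here when it exists
chgrp systemd-journal /var/log/journal        # group allowed to read the journal
chmod 2775 /var/log/journal                   # setgid so new files keep the group
systemctl restart systemd-journald.service    # restart journald to pick up the directory
```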
Commands
| Description | Command |
|---|---|
| View all messages. | journalctl |
| Get every error for every service. | journalctl -p err |
| Get every error for every service since yesterday. | journalctl -p err --since yesterday |
| View messages associated with a specific UID. | journalctl _UID=UID |
| View messages associated with a specific PID. | journalctl _PID=PID |
| View messages associated with a specific service. | journalctl -u SERVICE.service |