Lesson 3.7: Locate and interpret system log files and journals
Checking the status of the rsyslog log service
[root@sanjeeb ~]# rpm -q rsyslog
rsyslog-8.2310.0-3.el9.aarch64
[root@sanjeeb ~]# systemctl status rsyslog
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; preset: enabled)
Active: active (running) since Thu 2024-09-26 11:23:46 +0545; 1 day 4h ago
Docs: man:rsyslogd(8)
https://www.rsyslog.com/doc/
Main PID: 1137 (rsyslogd)
Tasks: 3 (limit: 22585)
Memory: 6.6M
CPU: 5.481s
CGroup: /system.slice/rsyslog.service
└─1137 /usr/sbin/rsyslogd -n
Sep 26 11:23:46 sanjeeb systemd[1]: Starting System Logging Service...
Sep 26 11:23:46 sanjeeb rsyslogd[1137]: [origin software="rsyslogd" swVersion="8.2310.0-3.el9" x-pid="113>
Sep 26 11:23:46 sanjeeb systemd[1]: Started System Logging Service.
Sep 26 11:23:46 sanjeeb rsyslogd[1137]: imjournal: journal files changed, reloading... [v8.2310.0-3.el9 >
Sep 27 06:30:06 sanjeeb rsyslogd[1137]: imjournal: journal files changed, reloading... [v8.2310.0-3.el9 >
Default location of log files: /var/log
[root@sanjeeb ~]# ls /var/log
anaconda dnf.log messages-20240920 vmware-network.1.log
audit dnf.rpm.log messages-20240922 vmware-network.2.log
boot.log firewalld private vmware-network.3.log
boot.log-20240920 gdm qemu-ga vmware-network.4.log
boot.log-20240921 hawkey.log README vmware-network.5.log
boot.log-20240923 hawkey.log-20240405 samba vmware-network.6.log
boot.log-20240924 hawkey.log-20240407 secure vmware-network.7.log
boot.log-20240925 hawkey.log-20240920 secure-20240405 vmware-network.8.log
boot.log-20240926 hawkey.log-20240922 secure-20240407 vmware-network.9.log
boot.log-20240927 httpd secure-20240920 vmware-network.log
btmp kdump.log secure-20240922 vmware-vgauthsvc.log.0
btmp-20240920 lastlog speech-dispatcher vmware-vmsvc-root.log
chrony maillog spooler vmware-vmtoolsd-boss.log
cron maillog-20240405 spooler-20240405 vmware-vmtoolsd-root.log
cron-20240405 maillog-20240407 spooler-20240407 vmware-vmtoolsd-sanjeeb.log
cron-20240407 maillog-20240920 spooler-20240920 vmware-vmusr-boss.log
cron-20240920 maillog-20240922 spooler-20240922 vmware-vmusr-root.log
cron-20240922 messages sssd vmware-vmusr-sanjeeb.log
cups messages-20240405 tallylog wtmp
dnf.librepo.log messages-20240407 tuned
- /var/log/boot.log : It contains the boot-time log.
- /var/log/secure : It contains the logs of SSH, Telnet and login services.
- /var/log/maillog : It contains the mail logs.
- /var/log/xferlog : It contains the FTP logs.
- /var/log/messages : It contains general system messages, including those of DNS, DHCP, NFS and LDAP.
- /var/log/httpd/*.log : It contains the logs of the Apache web service.
- /var/log/samba/*.log : It contains the logs of the Samba service.
- /var/log/cron : It contains the cron logs.
Typical method to view a log file
# Displays the last lines of the log file
[root@sanjeeb ~]# tail -2 /var/log/secure
Sep 27 16:23:04 sanjeeb su[13770]: pam_unix(su-l:session): session closed for user bharat
Sep 27 16:23:04 sanjeeb su[13611]: pam_unix(su-l:session): session closed for user boss
Format of Log Files
Sep 27 16:23:04 sanjeeb su[13611]: pam_unix(su-l:session): session closed for user boss
- Date & Time
- Hostname
- Process[PID]
- Message
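The line format above can be parsed field by field, and that makes it possible to summarise what a log file records instead of only tailing it. The following is an added example, not code from these notes; the SAMPLE lines are constructed to mirror the /var/log/secure output shown above.

```python
"""Parse traditional syslog lines (date & time, hostname, process[PID], message)
and summarise su session events per user.  Added example for these notes, not
code from the notes; SAMPLE is constructed to mirror the /var/log/secure lines."""
import re
from collections import Counter

# "Mon DD HH:MM:SS host prog[pid]: message"; the [pid] part is optional
# because some programs log without one.
LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<process>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)
SESSION_RE = re.compile(
    r"pam_unix\([^)]+:session\): session (?P<event>opened|closed) for user (?P<user>[^\s(]+)"
)

def parse_line(line):
    """Split one log line into its fields; return None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["pid"] = int(fields["pid"]) if fields["pid"] else None
    return fields

def session_summary(lines):
    """Count (user, opened/closed) session events; unparsable lines are
    counted under 'unparsed' so that nothing is dropped silently."""
    counts = Counter()
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            counts["unparsed"] += 1
            continue
        s = SESSION_RE.search(fields["message"])
        if s:
            counts[(s["user"], s["event"])] += 1
    return counts

# Constructed sample in the format of the notes' /var/log/secure output.
SAMPLE = """\
Sep 27 16:20:01 sanjeeb su[13611]: pam_unix(su-l:session): session opened for user boss(uid=1001) by sanjeeb(uid=1000)
Sep 27 16:21:12 sanjeeb su[13770]: pam_unix(su-l:session): session opened for user bharat(uid=1002) by boss(uid=1001)
Sep 27 16:23:04 sanjeeb su[13770]: pam_unix(su-l:session): session closed for user bharat
Sep 27 16:23:04 sanjeeb su[13611]: pam_unix(su-l:session): session closed for user boss
Sep 27 16:25:00 sanjeeb systemd-logind[913]: Session 12 logged out. Waiting for processes to exit.
this line is not in syslog format
""".splitlines()
```

Running session_summary(SAMPLE) gives one opened and one closed event each for boss and bharat, and one unparsed line; a real file can be fed in with open("/var/log/secure").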
Main log configuration file
/etc/rsyslog.conf
Format of /etc/rsyslog.conf file
<facility> [operator] <priority> <log file>
- Facility : It represents the service that generates the logs
- Priority : It represents the severity level of the log messages
- [operator]
  - . : It logs messages of the given priority and higher
  - .= : It logs messages of the given priority only
  - .! : It logs messages of all the priorities
Example
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
####### Customization #######
# This logs messages of priority crit and higher (crit, alert, emerg, panic)
mail.crit /var/log/critmail
mail.alert /var/log/alertmail
# This logs only the given priority
mail.=crit /var/log/critmail
# This logs the mail messages except those of priority crit
mail.!=crit /var/log/critmail
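To check which file a message actually reaches under a set of rules, here is an added example (not code from these notes) that implements the selector semantics documented in rsyslog.conf(5): parts separated by ";" apply left to right, and the "!" forms subtract from what the earlier parts on the same line matched, so "mail.!=crit" on its own matches nothing while "mail.*;mail.!=crit" logs everything except crit. The facility list is the standard syslog set, and the rules and file names in CONFIG are constructed to mirror the ones above.

```python
"""Evaluate rsyslog.conf selectors (<facility>.<priority> with '.', '.=', '.!')
and see which actions a message reaches.  Added example implementing the
rsyslog.conf(5) selector semantics; not code from the notes."""
# Syslog severities: a lower number is more severe ("higher priority").
PRIORITIES = {"emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
              "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7}
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]

def selector_table(selector):
    """{facility: set of numeric priorities} matched by one selector field.
    ';' parts apply left to right; '!' forms only subtract what earlier parts added."""
    table = {f: set() for f in FACILITIES}
    for part in selector.split(";"):
        facs, pri = part.strip().rsplit(".", 1)
        facs = FACILITIES if facs == "*" else [f.strip() for f in facs.split(",")]
        negate, pri = pri.startswith("!"), pri.lstrip("!")
        exact, pri = pri.startswith("="), pri.lstrip("=")
        if pri == "none":                        # drop the facility entirely
            matched, negate = set(range(8)), True
        elif pri == "*":                         # every priority
            matched = set(range(8))
        elif exact:                              # '=': the given priority only
            matched = {PRIORITIES[pri]}
        else:                                    # '.': the given priority and higher
            matched = {p for p in range(8) if p <= PRIORITIES[pri]}
        for f in facs:
            table[f] = table[f] - matched if negate else table[f] | matched
    return table

def matches(selector, facility, priority):
    return PRIORITIES[priority] in selector_table(selector)[facility]

def route(config_text, facility, priority):
    """Actions (files etc.) reached by a message, given rules in the notes' format."""
    actions = []
    for line in config_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            selector, action = line.split(None, 1)
            if matches(selector, facility, priority):
                actions.append(action.lstrip("-"))   # leading '-' only means async write
    return actions

# Constructed excerpt in the style of the rules above.
CONFIG = """*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
mail.crit /var/log/critmail
mail.*;mail.!=crit /var/log/nocritmail
"""
```

route(CONFIG, "mail", "crit") returns the maillog and critmail files only, which is the quickest way to confirm that a rule such as the "mail.!=crit" line really excludes what it is meant to exclude.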
Logrotate
Configuration File : /etc/logrotate.conf
[root@sanjeeb ~]# vim /etc/logrotate.conf
# see "man logrotate" for details
# global options do not affect preceding include directives
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# use date as a suffix of the rotated file
dateext
# uncomment this if you want your log files compressed
#compress
# packages drop log rotation information into this directory
include /etc/logrotate.d
# system-specific logs may also be configured here.
# Rotated log files are named in this format: <logname>-<date>
[root@sanjeeb log]# ls /var/log | grep secure-
secure-20240101
secure-20240107
secure-20240114
secure-20240124
...
[root@sanjeeb ~]# ls /var/log | grep maillog
maillog-20240405
maillog-20240407
maillog-20240920
maillog-20240922
...
# To keep the logs of the last 100 days: rotate daily and keep 100 rotated files
[root@sanjeeb ~]# vim /etc/logrotate.conf
# rotate log files daily
daily
# keep 100 days worth of backlogs
rotate 100
# For size-based rotation, define a size threshold instead
[root@sanjeeb ~]# vim /etc/logrotate.conf
size 10k
Manually rotate
[root@sanjeeb ~]# logrotate /etc/logrotate.conf