Lesson 3.7: Locate and interpret system log files and journals
Checking the status of log service rsyslog
[root@sanjeeb ~]# rpm -q rsyslog rsyslog-8.2310.0-3.el9.aarch64 [root@sanjeeb ~]# systemctl status rsyslog ● rsyslog.service - System Logging Service Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; preset: enabled) Active: active (running) since Thu 2024-09-26 11:23:46 +0545; 1 day 4h ago Docs: man:rsyslogd(8) https://www.rsyslog.com/doc/ Main PID: 1137 (rsyslogd) Tasks: 3 (limit: 22585) Memory: 6.6M CPU: 5.481s CGroup: /system.slice/rsyslog.service └─1137 /usr/sbin/rsyslogd -n Sep 26 11:23:46 sanjeeb systemd[1]: Starting System Logging Service... Sep 26 11:23:46 sanjeeb rsyslogd[1137]: [origin software="rsyslogd" swVersion="8.2310.0-3.el9" x-pid="113> Sep 26 11:23:46 sanjeeb systemd[1]: Started System Logging Service. Sep 26 11:23:46 sanjeeb rsyslogd[1137]: imjournal: journal files changed, reloading... [v8.2310.0-3.el9 > Sep 27 06:30:06 sanjeeb rsyslogd[1137]: imjournal: journal files changed, reloading... [v8.2310.0-3.el9 > lines 1-17/17 (END)
Default location of log file /var/log
[root@sanjeeb ~]# ls /var/log anaconda dnf.log messages-20240920 vmware-network.1.log audit dnf.rpm.log messages-20240922 vmware-network.2.log boot.log firewalld private vmware-network.3.log boot.log-20240920 gdm qemu-ga vmware-network.4.log boot.log-20240921 hawkey.log README vmware-network.5.log boot.log-20240923 hawkey.log-20240405 samba vmware-network.6.log boot.log-20240924 hawkey.log-20240407 secure vmware-network.7.log boot.log-20240925 hawkey.log-20240920 secure-20240405 vmware-network.8.log boot.log-20240926 hawkey.log-20240922 secure-20240407 vmware-network.9.log boot.log-20240927 httpd secure-20240920 vmware-network.log btmp kdump.log secure-20240922 vmware-vgauthsvc.log.0 btmp-20240920 lastlog speech-dispatcher vmware-vmsvc-root.log chrony maillog spooler vmware-vmtoolsd-boss.log cron maillog-20240405 spooler-20240405 vmware-vmtoolsd-root.log cron-20240405 maillog-20240407 spooler-20240407 vmware-vmtoolsd-sanjeeb.log cron-20240407 maillog-20240920 spooler-20240920 vmware-vmusr-boss.log cron-20240920 maillog-20240922 spooler-20240922 vmware-vmusr-root.log cron-20240922 messages sssd vmware-vmusr-sanjeeb.log cups messages-20240405 tallylog wtmp dnf.librepo.log messages-20240407 tuned
- /var/log/boot.log : It contains boot-time log.
- /var/log/secure : It contains of logs of SSH, Telnet, Login Services
- /var/log/maillog : It contains logs of mail
- /var/log/xferlog : It contains logs of FTP
- /var/log/messages : It contains logs of DNS, DHCP, NFS, LDAP
- /var/log/httpd/*.log : It contains logs of Apache Web Service
- /var/log/samba/*.log : It contains logs of Samba Service Logs
- /var/log/cron : It contains logs of cron
Typical Method to View a log file
# Displays the bottom of the log file [root@sanjeeb ~]# tail -2 /var/log/secure Sep 27 16:23:04 sanjeeb su[13770]: pam_unix(su-l:session): session closed for user bharat Sep 27 16:23:04 sanjeeb su[13611]: pam_unix(su-l:session): session closed for user boss
Format of Log Files
Sep 27 16:23:04 sanjeeb su[13611]: pam_unix(su-l:session): session closed for user boss
- Date & Time
- Hostname
- Process[PID]
Log Main Configuration file
/etc/rsyslog.conf
Format of /etc/rsyslog.conf file
<facility> [operator] <priority> <log file>
- Facility : It represents the service that generates logs
- Priority : It represents severity level of the log messages
- [operator]
-
.: It logs messages of the given and higher priority
-
.=: It logs messages of the given priority only
-
.!: It logs messages of all the priority
Example
*.info;mail.none;authpriv.none;cron.none /var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure # Log all the mail messages in one place. mail.* -/var/log/maillog # Log cron stuff cron.* /var/log/cron # Everybody gets emergency messages *.emerg :omusrmsg:* # Save news errors of level crit and higher in a special file. uucp,news.crit /var/log/spooler # Save boot messages also to boot.log local7.* /var/log/boot.log ####### Customization ####### # This will log the priorities higher than and equal to crit (crit, alert, emerg, panic) mail.crit /var/log/critmail mail.alert /var/log/alertmail # This will log only the defined one mail.=crit /var/log/critmail # This will log the messages which are except crit mail.!=crit /var/log/critmail
Logrotate
Configuration File : /etc/logrotate.conf
[root@sanjeeb ~]# vim /etc/logrotate.conf # see "man logrotate" for details # global options do not affect preceding include directives # rotate log files weekly weekly # keep 4 weeks worth of backlogs rotate 4 # create new (empty) log files after rotating old ones create # use date as a suffix of the rotated file dateext # uncomment this if you want your log files compressed #compress # packages drop log rotation information into this directory include /etc/logrotate.d # system-specific logs may be also be configured here. # Log Rotate files are in this format <logname-date> [root@sanjeeb log]# ls /var/log | grep secure- secure-20240101 secure-20240107 secure-20240114 secure-20240124 ... [root@sanjeeb ~]# ls /var/log | grep maillog maillog-20240405 maillog-20240407 maillog-20240920 maillog-20240922 ... # TO keep the log of the last 100 days, generates log daily for 100 days, and then rotates [root@sanjeeb ~]# vim /etc/logrotate.conf # rotate log files weekly daily # keep 4 weeks worth of backlogs rotate 100 # If you want to define size based rotation [root@sanjeeb ~]# vim /etc/logrotate.conf size 10k
Manually rotate
[root@sanjeeb ~]# logrotate /etc/logrotate.conf