Lesson 3.7: Locate and interpret system log files and journals


Checking the status of the log service rsyslog

On RHEL 9 rsyslog's imjournal module reads messages from the systemd journal (the "journal files changed, reloading" lines in the status output below come from it) and writes them to the files under /var/log, so the same events can be read with journalctl and with the files described in this lesson.

[root@sanjeeb ~]# rpm -q rsyslog
rsyslog-8.2310.0-3.el9.aarch64
 
[root@sanjeeb ~]# systemctl status rsyslog 
 rsyslog.service - System Logging Service
     Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; preset: enabled)
     Active: active (running) since Thu 2024-09-26 11:23:46 +0545; 1 day 4h ago
       Docs: man:rsyslogd(8)
             https://www.rsyslog.com/doc/
   Main PID: 1137 (rsyslogd)
      Tasks: 3 (limit: 22585)
     Memory: 6.6M
        CPU: 5.481s
     CGroup: /system.slice/rsyslog.service
             └─1137 /usr/sbin/rsyslogd -n
 
Sep 26 11:23:46 sanjeeb systemd[1]: Starting System Logging Service...
Sep 26 11:23:46 sanjeeb rsyslogd[1137]: [origin software="rsyslogd" swVersion="8.2310.0-3.el9" x-pid="113>
Sep 26 11:23:46 sanjeeb systemd[1]: Started System Logging Service.
Sep 26 11:23:46 sanjeeb rsyslogd[1137]: imjournal: journal files changed, reloading...  [v8.2310.0-3.el9 >
Sep 27 06:30:06 sanjeeb rsyslogd[1137]: imjournal: journal files changed, reloading...  [v8.2310.0-3.el9 >

Default location of log files: /var/log

[root@sanjeeb ~]# ls /var/log
anaconda           dnf.log              messages-20240920  vmware-network.1.log
audit              dnf.rpm.log          messages-20240922  vmware-network.2.log
boot.log           firewalld            private            vmware-network.3.log
boot.log-20240920  gdm                  qemu-ga            vmware-network.4.log
boot.log-20240921  hawkey.log           README             vmware-network.5.log
boot.log-20240923  hawkey.log-20240405  samba              vmware-network.6.log
boot.log-20240924  hawkey.log-20240407  secure             vmware-network.7.log
boot.log-20240925  hawkey.log-20240920  secure-20240405    vmware-network.8.log
boot.log-20240926  hawkey.log-20240922  secure-20240407    vmware-network.9.log
boot.log-20240927  httpd                secure-20240920    vmware-network.log
btmp               kdump.log            secure-20240922    vmware-vgauthsvc.log.0
btmp-20240920      lastlog              speech-dispatcher  vmware-vmsvc-root.log
chrony             maillog              spooler            vmware-vmtoolsd-boss.log
cron               maillog-20240405     spooler-20240405   vmware-vmtoolsd-root.log
cron-20240405      maillog-20240407     spooler-20240407   vmware-vmtoolsd-sanjeeb.log
cron-20240407      maillog-20240920     spooler-20240920   vmware-vmusr-boss.log
cron-20240920      maillog-20240922     spooler-20240922   vmware-vmusr-root.log
cron-20240922      messages             sssd               vmware-vmusr-sanjeeb.log
cups               messages-20240405    tallylog           wtmp
dnf.librepo.log    messages-20240407    tuned
  • /var/log/boot.log : boot-time messages (local7.*)
  • /var/log/secure : authentication and authorization messages (authpriv.*): sshd, login, su, sudo and the PAM modules behind them
  • /var/log/maillog : mail subsystem messages (mail.*)
  • /var/log/xferlog : FTP transfer log (not present in the listing above on this host)
  • /var/log/messages : general messages of priority info and above from every facility except mail, authpriv and cron (*.info); this is where DNS, DHCP, NFS, LDAP and kernel messages end up
  • /var/log/httpd/*.log : Apache access and error logs (written by httpd itself, not through rsyslog)
  • /var/log/samba/*.log : Samba service logs
  • /var/log/cron : cron and anacron job messages (cron.*)
  • /var/log/audit/audit.log : the audit trail written by auditd, also outside rsyslog
  • /var/log/btmp, wtmp, lastlog : binary login records (failed logins, sessions, last login per user); read them with lastb, last and lastlog rather than cat

Typical Method to View a log file

# Displays the last two lines of the log file (tail -f follows the file as new lines arrive)
[root@sanjeeb ~]# tail -2 /var/log/secure
Sep 27 16:23:04 sanjeeb su[13770]: pam_unix(su-l:session): session closed for user bharat
Sep 27 16:23:04 sanjeeb su[13611]: pam_unix(su-l:session): session closed for user boss

Format of Log Files

Sep 27 16:23:04 sanjeeb su[13611]: pam_unix(su-l:session): session closed for user boss

  • Date & Time : month, day and time only; rsyslog's traditional file format records no year and no time zone, so the year has to come from the file's rotation date
  • Hostname : the host that produced the message (sanjeeb)
  • Process[PID] : the program name and its process ID (su[13611]), followed by a colon
  • Message : the free-form text the program logged; here PAM reports a closed su session
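Because every line rsyslog writes with its default template has these same fields, the files can be parsed and searched mechanically. As an added example (not code from the original page), the POSIX shell script below splits such lines into their parts and then uses them for a small detection over /var/log/secure-style input: failed SSH password attempts counted per source address. The function names, the sample lines in SAMPLE_SECURE and the addresses (RFC 5737 documentation ranges) are all constructed here.

```shell
#!/bin/sh
# Added example, not from the original page: parse lines in rsyslog's
# traditional file format (as in /var/log/secure) and build a small
# detection on top: failed SSH logins grouped by source address.
# The lines in SAMPLE_SECURE are constructed for this example.

SAMPLE_SECURE='Sep 27 16:21:01 sanjeeb sshd[13550]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Sep 27 16:21:03 sanjeeb sshd[13552]: Failed password for root from 203.0.113.7 port 51236 ssh2
Sep 27 16:21:04 sanjeeb sshd[13554]: Failed password for root from 203.0.113.7 port 51238 ssh2
Sep 27 16:21:09 sanjeeb sshd[13560]: Accepted publickey for bharat from 192.0.2.10 port 40022 ssh2
Sep 27 16:22:40 sanjeeb sshd[13590]: Failed password for bharat from 198.51.100.5 port 40100 ssh2
Sep 27 16:23:04 sanjeeb su[13611]: pam_unix(su-l:session): session closed for user boss'

# parse_syslog_line LINE
# Prints the five parts of a traditional syslog line, tab-separated:
#   timestamp  host  program  pid  message
# The timestamp carries no year and no zone (that is the format, not a
# parsing choice); a single-digit day is padded with a second space, which
# awk's default field splitting absorbs.
parse_syslog_line() {
  printf '%s\n' "$1" | awk '{
    ts = $1 " " $2 " " $3
    host = $4
    tag = $5; sub(/:$/, "", tag)                 # "sshd[13550]:" -> "sshd[13550]"
    prog = tag; pid = ""
    if (match(tag, /\[[0-9]+\]$/)) {             # split "prog[pid]"
      prog = substr(tag, 1, RSTART - 1)
      pid  = substr(tag, RSTART + 1, RLENGTH - 2)
    }
    msg = $0
    for (i = 1; i <= 5; i++) sub(/^[^ ]+ +/, "", msg)   # drop the first five fields
    print ts "\t" host "\t" prog "\t" pid "\t" msg
  }'
}

# failed_ssh_by_ip  (reads log lines on stdin)
# Counts sshd "Failed password" events per source address, highest first.
# Only lines tagged sshd[...] are considered, so text logged by another
# program cannot inflate the count.
failed_ssh_by_ip() {
  awk '$5 ~ /^sshd\[/ && /: Failed password for/ {
         for (i = 6; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
       }
       END { for (ip in n) print n[ip], ip }' | sort -rn
}

# flag_bruteforce THRESHOLD  (reads log lines on stdin)
# Prints each source address with at least THRESHOLD failures (default 5).
flag_bruteforce() {
  failed_ssh_by_ip | awk -v t="${1:-5}" '$1 + 0 >= t + 0 { print $2 }'
}

# Walk the sample line by line, the way tail -f output would be consumed.
printf '%s\n' "$SAMPLE_SECURE" | while IFS= read -r line; do
  parse_syslog_line "$line"
done
echo '--- failed SSH logins per source ---'
printf '%s\n' "$SAMPLE_SECURE" | failed_ssh_by_ip
echo '--- sources with 3 or more failures ---'
printf '%s\n' "$SAMPLE_SECURE" | flag_bruteforce 3
```

Against real data, replace the printf of SAMPLE_SECURE with `cat /var/log/secure /var/log/secure-*`; the rotated copies matter because the live file only holds the current week.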

Log Main Configuration file

/etc/rsyslog.conf

Format of /etc/rsyslog.conf file (traditional selector lines)

<facility>.[operator]<priority>                         <action>

  • Facility : the subsystem that produced the message: kern, user, mail, daemon, auth, authpriv, syslog, lpr, news, uucp, cron, local0 to local7; * means every facility, and several can be listed with commas (uucp,news)
  • Priority : the severity, from most to least severe: emerg (also called panic), alert, crit, err, warning, notice, info, debug; * means every priority
  • Action : normally a file path; a leading - (as in -/var/log/maillog) means the file is not synced after every message, and :omusrmsg:* writes to every logged-in user's terminal
  • [operator]
    • . : logs messages of the given priority and higher (more severe)
    • .= : logs messages of the given priority only
    • .! : removes the given priority and higher from what an earlier selector on the same line matched (on its own it selects nothing)
    • .!= : removes the given priority only, in the same way
    • .none : excludes the facility entirely (mail.none and authpriv.none in the first example below keep those out of /var/log/messages)
  • Several selectors for one action are separated by ; and evaluated left to right

Example

*.info;mail.none;authpriv.none;cron.none                /var/log/messages
 
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
 
# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog
 
# Log cron stuff
cron.*                                                  /var/log/cron
 
# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*
 
# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler
 
# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
 
####### Customization #######
# Given priority and higher (more severe): crit, alert and emerg (panic is another name for emerg)
mail.crit                                               /var/log/critmail
# alert and emerg only
mail.alert                                              /var/log/alertmail
# Exactly the given priority
mail.=crit                                              /var/log/critmail
# Everything from mail except crit. The ! forms only subtract from what an
# earlier selector on the same line matched, so mail.!=crit on its own
# would match nothing.
mail.*;mail.!=crit                                      /var/log/critmail
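To check an understanding of the selector operators before editing a live rsyslog.conf, the following added example (not from the page and not rsyslog's own code) models the traditional selector evaluation in POSIX shell: each rule in a ;-separated list either switches a message on or off for the facilities it names, and the state after the last rule is the answer. The function names and the messages fed in are assumptions made here; rsyslog's property-based and RainerScript filters are out of scope. It also shows why a lone mail.!=crit selects nothing.

```shell
#!/bin/sh
# Added example, not from the original page or from rsyslog: a small model of
# how rsyslog decides whether one message matches a traditional selector such
# as "*.info;mail.none;authpriv.none;cron.none".

# pri_num NAME: syslog priority as a number, emerg=0 ... debug=7.
# "NAME or higher" therefore means a number less than or equal to NAME's.
pri_num() {
  case "$1" in
    emerg|panic)  echo 0 ;;
    alert)        echo 1 ;;
    crit)         echo 2 ;;
    err|error)    echo 3 ;;
    warning|warn) echo 4 ;;
    notice)       echo 5 ;;
    info)         echo 6 ;;
    debug|'*')    echo 7 ;;   # '*' behaves like "debug and higher", i.e. everything
    *) echo "unknown priority: $1" >&2; return 1 ;;
  esac
}

# rule_applies FACLIST FACILITY: true if the comma-separated FACLIST names
# FACILITY or is '*'.  Splitting with parameter expansion avoids unquoted
# word splitting, so a literal '*' is never expanded as a glob.
rule_applies() {
  facrest="$1,"
  while [ -n "$facrest" ]; do
    fname=${facrest%%,*}; facrest=${facrest#*,}
    if [ "$fname" = '*' ] || [ "$fname" = "$2" ]; then return 0; fi
  done
  return 1
}

# selector_matches SELECTOR FACILITY PRIORITY
# Applies the ';'-separated rules left to right. Positive rules switch the
# message on; 'none' and the '!' forms switch it off again. Exit status
# 0 means the message would be written to the selector's action, 1 not.
selector_matches() {
  selector=$1; fac=$2
  msg_pri=$(pri_num "$3") || return 2
  matched=0
  rest="$selector;"
  while [ -n "$rest" ]; do
    rule=${rest%%;*}; rest=${rest#*;}
    [ -n "$rule" ] || continue
    faclist=${rule%.*}; prispec=${rule##*.}      # split at the last '.'
    rule_applies "$faclist" "$fac" || continue
    case "$prispec" in
      none)  matched=0 ;;
      '!='*) rule_pri=$(pri_num "${prispec#!=}") || return 2
             [ "$msg_pri" -eq "$rule_pri" ] && matched=0 ;;
      '!'*)  rule_pri=$(pri_num "${prispec#!}") || return 2
             [ "$msg_pri" -le "$rule_pri" ] && matched=0 ;;
      '='*)  rule_pri=$(pri_num "${prispec#=}") || return 2
             [ "$msg_pri" -eq "$rule_pri" ] && matched=1 ;;
      *)     rule_pri=$(pri_num "$prispec") || return 2
             [ "$msg_pri" -le "$rule_pri" ] && matched=1 ;;
    esac
  done
  [ "$matched" -eq 1 ]
}

# Demo: what each selector does with a few constructed messages.
for sel in '*.info;mail.none;authpriv.none;cron.none' 'mail.crit' 'mail.=crit' 'mail.*;mail.!=crit' 'mail.!=crit'; do
  for msg in 'kern info' 'kern debug' 'mail err' 'mail crit' 'mail alert' 'authpriv info'; do
    set -- $msg
    if selector_matches "$sel" "$1" "$2"; then v=written; else v=dropped; fi
    printf '%-42s %-9s %-6s %s\n' "$sel" "$1" "$2" "$v"
  done
done
```

The demo's last selector, mail.!=crit by itself, drops every message: the subtraction has nothing to subtract from until a positive selector such as mail.* precedes it.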

Logrotate

Configuration File : /etc/logrotate.conf

[root@sanjeeb ~]# vim /etc/logrotate.conf 
 
# see "man logrotate" for details
# global options do not affect preceding include directives
 
# rotate log files weekly
weekly
 
# keep 4 weeks worth of backlogs
rotate 4
 
# create new (empty) log files after rotating old ones
create
 
# use date as a suffix of the rotated file
dateext
 
# uncomment this if you want your log files compressed
#compress
 
# packages drop log rotation information into this directory
include /etc/logrotate.d
 
# system-specific logs may be also be configured here.
 
 
# With dateext, rotated files are named <logname>-<YYYYMMDD>
[root@sanjeeb log]# ls /var/log | grep secure- 
secure-20240101
secure-20240107
secure-20240114
secure-20240124
...
[root@sanjeeb ~]# ls /var/log | grep maillog
maillog-20240405
maillog-20240407
maillog-20240920
maillog-20240922
...
 
# To rotate daily and keep the last 100 days, change both the interval and
# the count in /etc/logrotate.conf (and fix the comments so they do not
# contradict the settings)
[root@sanjeeb ~]# vim /etc/logrotate.conf 
# rotate log files daily
daily
# keep 100 days worth of backlogs
rotate 100
 
# Size-based rotation: rotate once the file is larger than 10 kB. Whichever
# of daily/weekly/monthly/size appears last in a stanza is the criterion
# that applies; use minsize or maxsize to combine a size with an interval.
[root@sanjeeb ~]# vim /etc/logrotate.conf 
size 10k
 

Manually rotate

Run logrotate -d /etc/logrotate.conf first: it prints what would be rotated and changes nothing. Without options the command only rotates files that are due according to the state file (/var/lib/logrotate/logrotate.status on RHEL); -f forces a rotation regardless of interval or size.

[root@sanjeeb ~]# logrotate /etc/logrotate.conf
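Packages add their own stanzas under /etc/logrotate.d, and a custom one can be tested the same way without touching /var/log by pointing logrotate at a private config and state file. The added example below (not from the page) writes such a stanza for a hypothetical application log, dry-runs it, then forces one rotation in a throw-away directory; the application name "app", the paths under $WORK and the single log line are constructed here. The security-relevant settings are create 0600, so the recreated log is not world-readable, and compressed, date-stamped copies kept for 30 days.

```shell
#!/bin/sh
# Added example, not from the original page: a per-application logrotate
# policy of the kind dropped into /etc/logrotate.d/, exercised against a
# temporary directory with its own state file so it can be dry-run and
# forced without touching /var/log.  "app", the paths under $WORK and the
# log line are constructed for the example.

# write_policy LOGFILE CONFIGFILE
# Keeps 30 daily rotations, compressed and date-suffixed, and recreates the
# live log with mode 0600.  missingok/notifempty avoid errors when the log
# is absent or empty.
write_policy() {
  cat >"$2" <<EOF
$1 {
    daily
    rotate 30
    missingok
    notifempty
    compress
    dateext
    create 0600
}
EOF
  chmod 0644 "$2"   # logrotate run as root ignores configs writable by group/others
}

# dry_run CONFIGFILE STATEFILE: report what would happen, change nothing
dry_run() {
  logrotate -d -s "$2" "$1"
}

# force_rotate CONFIGFILE STATEFILE: rotate now, whatever the interval says
force_rotate() {
  logrotate -f -s "$2" "$1"
}

# rotated_count LOGFILE: number of rotated, compressed copies beside LOGFILE
rotated_count() {
  ls "$1"-*.gz 2>/dev/null | wc -l | tr -d ' '
}

WORK=$(mktemp -d)
LOG="$WORK/app.log"
CFG="$WORK/app.conf"
STATE="$WORK/logrotate.state"
printf 'Sep 27 16:23:04 sanjeeb app[100]: constructed sample line\n' >"$LOG"
write_policy "$LOG" "$CFG"

if command -v logrotate >/dev/null 2>&1; then
  dry_run "$CFG" "$STATE"
  force_rotate "$CFG" "$STATE"
  printf 'rotated copies: %s\n' "$(rotated_count "$LOG")"
  ls -l "$WORK"
else
  echo "logrotate is not installed here; the policy was written to $CFG"
fi
```

For a real deployment the same stanza goes into /etc/logrotate.d/app with the real path, and the -d run is repeated against /etc/logrotate.conf, which includes that directory.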
 

© 2025 2023 Sanjeeb KC. All rights reserved.