Linux system logger “syslogd” - part 2
December 6, 2010. Posted by Tournas Dimitrios in Linux.
The first part of this article introduced Linux logging. This second part is optional; it is aimed at users with administration needs. Let's recap the basic concepts of the first part:
- System logging is managed through the syslog service.
- The syslog service is implemented by the syslogd daemon, which is managed using the syslog service script.
- The klogd daemon serves as a proxy that turns kernel messages into syslog messages, and is also managed by the syslog service script.
- Every syslog message is characterized by a facility and a priority, which are used to determine the destination of the message.
- Syslog message destinations are defined by the /etc/syslog.conf configuration file.
- The logger command can be used to generate syslog messages.
Syslog is both a set of programs and libraries, including syslogd (the syslog daemon), and a communication protocol. The most important component is syslogd, which starts at boot and listens for messages from important parts of the operating system and from applications. It is important to note that the syslogd daemon is a passive tool: it waits for input from devices or programs (local or remote); it does not go out and actively gather messages. Another component of syslog is klogd, which acts as a proxy between kernel messages and syslogd. The next major piece of the syslog puzzle is the syslog communication protocol. With this protocol (UDP) it is possible to send your log data across a network to a remote system where another syslog daemon can collect and centralize your logs. It is important to note that it is a connectionless protocol and guarantees neither security nor arrival at the destination. Another program, syslog-ng, steps into the foreground to fill this security gap.
Logging syslog Messages to a Remote Linux Server :
especially if you restrict the user access to the logging server. By default syslog doesn't expect to receive messages from remote clients. Here's how to configure your Linux server to start listening for these messages.
Syslog checks its /etc/rsyslog.conf file to determine the expected names and locations of the log files it should create. It also checks the file /etc/sysconfig/syslog to determine the various modes in which it should operate. Syslog will not listen for remote messages unless the SYSLOGD_OPTIONS variable in this file has a -r included in it. The second step is to configure the clients to send the logging messages to the server; this is done by:
- editing the /etc/hosts file on the Linux client: add an entry in the /etc/hosts file in the format:
IP-address fully-qualified-domain-name hostname “loghost”
192.168.1.99 it_dep.someDomain.com logserver stelthboy
Now your /etc/hosts file has the nickname “stelthboy” for the server logserver.
- editing your /etc/rsyslog.conf file so that the syslog messages get sent to your new loghost nickname.
You have now configured all messages to be logged both to the server logserver (“stelthboy”) and to the local file /var/log/messages. Remember to restart syslog to get the remote logging started.
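The three steps above (hosts entry on the client, forwarding rule on the client, -r on the server) as shell helpers you can rehearse on copies of the files; this is an added example, not code from the original post. It assumes the standard syslog.conf action "*.* @host" for forwarding over UDP (the post does not show the line itself) and a double-quoted SYSLOGD_OPTIONS line as in a RHEL-style /etc/sysconfig/syslog.

```shell
# Added example (not from the post): each helper takes the file path it edits,
# so the change can be tried on a copy before the real /etc file is touched.

# Client step 1: add the loghost entry to an /etc/hosts-style file, only once.
add_loghost_entry() {   # $1=hosts file  $2=IP  $3=FQDN  $4=hostname  $5=nickname
  grep -q "^$2[[:space:]]" "$1" 2>/dev/null && return 0   # entry already present
  printf '%s %s %s %s\n' "$2" "$3" "$4" "$5" >> "$1"
}

# Client step 2: forward every facility/priority to the nickname. Appending
# keeps the existing local destinations (such as /var/log/messages) intact.
# Assumed syntax: "*.* @host" is the classic syslog.conf remote action (UDP).
add_remote_target() {   # $1=syslog.conf-style file  $2=loghost nickname
  grep -q "^\*\.\*[[:space:]]*@$2\$" "$1" 2>/dev/null && return 0
  printf '*.*\t@%s\n' "$2" >> "$1"
}

# Defender's check: does this server configuration accept remote messages?
# Exit status 0 means yes. The transport is plain UDP with no authentication,
# so a server that answers yes should only be reachable by its intended clients.
server_accepts_remote() {   # $1=sysconfig-style file
  grep -q '^SYSLOGD_OPTIONS=.*-r' "$1" 2>/dev/null
}

# Server step: make sure SYSLOGD_OPTIONS carries -r so syslogd accepts remote
# messages; existing options (for example -m 0) are preserved.
# Assumption: the line is double-quoted, e.g. SYSLOGD_OPTIONS="-m 0".
enable_remote_reception() {   # $1=sysconfig-style file
  server_accepts_remote "$1" && return 0
  if grep -q '^SYSLOGD_OPTIONS=' "$1" 2>/dev/null; then
    sed 's/^SYSLOGD_OPTIONS="\(.*\)"$/SYSLOGD_OPTIONS="\1 -r"/' "$1" > "$1.tmp" \
      && mv "$1.tmp" "$1"
  else
    printf 'SYSLOGD_OPTIONS="-r"\n' >> "$1"
  fi
}
# After editing the real files, restart syslog on both sides: service syslog restart
```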
Syslog Configuration and Network Devices :
Syslog reserves the facilities “local0” through “local7” for log messages received from remote servers and network devices. Routers, switches, firewalls and load balancers, each logging with a different facility, can each have their own log files for easy troubleshooting. Just configure these devices to send their log messages to the central log server.
The Linux utility logrotate renames and reuses system error log files on a periodic basis so that they don’t occupy excessive disk space. The general configuration file for this utility is /etc/logrotate.conf , in which you can specify the frequency with which the files are reused.
- You can specify either a weekly or a daily rotation parameter by commenting out the unneeded option with a #.
- The rotate parameter specifies the number of copies of log files logrotate will maintain. In the case below the 4-copy option is commented out with a #, while 7 copies are allowed.
- The create parameter creates a new log file after each rotation.
Therefore, our sample configuration file will create weekly archives of all the logfiles and store them for one month.
The /etc/logrotate.d/ Directory :
Most Linux applications that use syslog will put an additional configuration file in this directory to specify the names of the log files to be rotated. It is good practice to verify that all new applications that you want to use syslog have configuration files in this directory.
Changes made to the files inside logrotate.d or to the /etc/logrotate.conf file will not take effect until you issue the following command: “logrotate -f”.
Compressing your log files : On busy Web sites the size of your log files can become quite large. Compression can be activated by editing the logrotate.conf file and adding the “compress” option.
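An added example, not from the original post, covering both the rotation options described above (weekly/daily and rotate 4/rotate 7 selected by commenting out with #) and the compress option: a POSIX shell/awk checker that reads a logrotate.conf-style file and reports which settings are actually in effect. The sample configuration it writes is constructed here to match the post's description, not the post's own file.

```shell
# Added example (not from the post). Prints one line for a logrotate.conf-style
# file: "<frequency> <rotate count> <compress yes|no> <create yes|no>".
# Lines commented out with '#' are ignored, exactly as logrotate ignores them.
effective_logrotate_settings() {   # $1=config file
  awk '
    /^[[:space:]]*#/ { next }                                  # commented out
    $1 == "daily" || $1 == "weekly" || $1 == "monthly" { freq = $1 }
    $1 == "rotate"   { keep = $2 }
    $1 == "compress" { comp = "yes" }
    $1 == "create"   { create = "yes" }
    END { printf "%s %s %s %s\n", freq, keep, comp ? comp : "no", create ? create : "no" }
  ' "$1"
}

# Constructed sample mirroring the post's description: weekly active, daily and
# "rotate 4" commented out, "rotate 7" and "create" active, compress off.
write_sample_logrotate_conf() {   # $1=destination path
  cat > "$1" <<'EOF'
# rotate log files weekly
weekly
#daily
# keep 4 weeks worth of backlogs
#rotate 4
rotate 7
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
#compress
EOF
}

# Turn compression on the way the post describes: add the "compress" option
# (only once; a commented "#compress" line does not count as active).
enable_compression() {   # $1=config file
  grep -q '^[[:space:]]*compress[[:space:]]*$' "$1" 2>/dev/null && return 0
  printf 'compress\n' >> "$1"
}
```

Run the checker again after editing to confirm the intended option survived, then apply the change with the logrotate -f command mentioned above.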