syslog and /var/log on Linux

[Date: 2012-07-05]

Source: Linux社区

Author: myownstars


Syslog is the general standard (IETF) for logging system and program messages in the Linux environment.

This service is the system log daemon, through which any program can do its logging (debug, security, normal operation), in addition to the Linux kernel messages.

-- The service is maintained by its daemon process /sbin/syslogd and can be started with either of the following commands

service syslog start

/etc/init.d/syslog start

-- The configuration file is /etc/sysconfig/syslog, with roughly the structure shown below; klogd is responsible for capturing kernel log messages

# Options to syslogd

# -m 0 disables 'MARK' messages.

# -r enables logging from remote machines

# -x disables DNS lookups on messages recieved with -r

# See syslogd(8) for more details

SYSLOGD_OPTIONS="-m 0"

# Options to klogd

# -2 prints all kernel oops messages twice; once for klogd to decode, and

# once for processing with 'ksymoops'

# -x disables all klogd processing of oops messages entirely

# See klogd(8) for more details

KLOGD_OPTIONS="-x"

#

SYSLOG_UMASK=077

# set this to a umask value to use for all log files as in umask(1).

# By default, all permissions are removed for "group" and "other".
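The following is an added example, not part of the original article: it reads SYSLOG_UMASK from a sysconfig-style file and lists log files whose mode keeps any bit that the umask should have cleared. The function names and the temporary sample files are constructed for illustration, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit log file modes against SYSLOG_UMASK.
# Assumes GNU stat (stat -c); function names are illustrative.

# Print the SYSLOG_UMASK value from a sysconfig-style file (last assignment wins).
read_syslog_umask() {
    sed -n 's/^SYSLOG_UMASK=\([0-7][0-7]*\)[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# List regular files under DIR whose mode has any bit set that MASK removes.
# MASK defaults to 077, the default described in the config comments.
# Output: "<octal mode> <path>", one per line.
find_loose_logs() {
    dir=$1 mask=${2:-077}
    find "$dir" -type f | sort | while IFS= read -r f; do
        mode=$(stat -c '%a' "$f") || continue
        # The leading 0 makes the shell read both numbers as octal.
        if [ $(( 0$mode & 0$mask )) -ne 0 ]; then
            printf '%s %s\n' "$mode" "$f"
        fi
    done
}

# Constructed demo: a temporary directory stands in for /var/log.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'SYSLOG_UMASK=077\n' > "$tmp/syslog.conf"
    mkdir "$tmp/log"
    : > "$tmp/log/messages"; chmod 600 "$tmp/log/messages"
    : > "$tmp/log/secure";   chmod 644 "$tmp/log/secure"
    find_loose_logs "$tmp/log" "$(read_syslog_umask "$tmp/syslog.conf")"
    rm -rf "$tmp"
}

demo
```

Files under /var/log that are not written by syslogd can legitimately carry other modes, so treat the output as a review list.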

In principle, the logs handled by syslog are available in the /var/log/ directory on a Linux system:

# ls /var/log

acpid            cron.1     maillog.3         rpmpkgs.3         spooler.3

anaconda.log     cron.2     maillog.4         rpmpkgs.4         spooler.4

anaconda.syslog  cron.3     messages          sa                squid

anaconda.xlog    cron.4     messages.1        samba             tallylog

audit            cups       messages.2        scrollkeeper.log  vbox

boot.log         dmesg      messages.3        secure            wtmp

boot.log.1       faillog    messages.4        secure.1          Xorg.0.log

boot.log.2       gdm        Oracle-validated  secure.2          Xorg.0.log.old

boot.log.3       httpd      pm                secure.3          YaST2

boot.log.4       lastlog    ppp               secure.4          yum.log

btmp             mail       prelink           setroubleshoot

conman           maillog    rpmpkgs           spooler

conman.old       maillog.1  rpmpkgs.1         spooler.1

cron             maillog.2  rpmpkgs.2         spooler.2

Some of the logs are written under a subdirectory, such as cups, samba or httpd. Among the logs under /var/log, /var/log/messages is the most common one, as the kernel and core system logs are held there. Kernel modules generally log there too. So, for problem diagnosis and monitoring, /var/log/messages is the primary log file to examine.

-- Logs produced by syslog are located under /var/log; messages is the most commonly used and records startup information, among other things

The logs are rotated every week (the existing log is renamed to filename.number):

# ls -l /var/log/messages*

-rw------- 1 root root 1973 Jun 10 15:07 /var/log/messages

-rw------- 1 root root 10866 Jun 6 04:02 /var/log/messages.1

-rw------- 1 root root 19931 May 30 04:02 /var/log/messages.2

-rw------- 1 root root 238772 May 23 04:02 /var/log/messages.3

-rw------- 1 root root 171450 May 14 18:29 /var/log/messages.4

rsyslogd can be regarded as an improved version of syslogd; see man 8 rsyslogd for details.

The most common /var/log logs are described below

/var/log/messages – Contains global system messages, including the messages that are logged during system startup. There are several things that are logged in /var/log/messages including mail, cron, daemon, kern, auth, etc.

/var/log/dmesg – Contains kernel ring buffer information. When the system boots up, it prints a number of messages on the screen that display information about the hardware devices the kernel detects during the boot process. These messages are available in the kernel ring buffer, and whenever a new message comes in, the old message gets overwritten. You can also view the content of this file using the dmesg command.

/var/log/auth.log – Contains system authorization information, including user logins and the authentication mechanisms that were used.

/var/log/boot.log – Contains information that is logged when the system boots

/var/log/daemon.log – Contains information logged by the various background daemons that run on the system

/var/log/dpkg.log – Contains information that is logged when a package is installed or removed using the dpkg command

/var/log/kern.log – Contains information logged by the kernel. Helpful for you to troubleshoot a custom-built kernel.

/var/log/lastlog – Displays the recent login information for all the users. This is not an ASCII file. You should use the lastlog command to view the content of this file.

/var/log/maillog /var/log/mail.log – Contains the log information from the mail server that is running on the system. For example, sendmail logs information about all the sent items to this file

/var/log/user.log – Contains information about all user level logs

/var/log/Xorg.x.log – Log messages from the X server

/var/log/alternatives.log – Information from update-alternatives is logged into this file. On Ubuntu, update-alternatives maintains symbolic links determining default commands.

/var/log/btmp – This file contains information about failed login attempts. Use the last command to view the btmp file. For example, "last -f /var/log/btmp | more"

/var/log/cups – All printer and printing related log messages

/var/log/anaconda.log – When you install Linux, all installation related messages are stored in this log file

/var/log/yum.log – Contains information that is logged when a package is installed using yum

/var/log/cron – Whenever cron daemon (or anacron) starts a cron job, it logs the information about the cron job in this file

/var/log/secure – Contains information related to authentication and authorization privileges. For example, sshd logs all its messages here, including unsuccessful logins.

/var/log/wtmp or /var/log/utmp – Contains login records. Using wtmp you can find out who is logged into the system. The who command uses this file to display the information.

/var/log/faillog – Contains users' failed login attempts. Use the faillog command to display the content of this file.
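The following is an added example, not part of the original article: it summarizes the unsuccessful sshd logins recorded in /var/log/secure by source address. The function names are illustrative and the sample log lines are constructed in the sshd syslog format, using documentation addresses.

```shell
#!/bin/sh
# Added example: count failed sshd password attempts per source address
# from /var/log/secure-style lines on stdin. Sample lines are constructed.

# Usage: failed_ssh_by_source [MIN_FAILURES] < logfile
# Prints "<count> <source>" for sources with at least MIN_FAILURES (default 1).
failed_ssh_by_source() {
    awk -v min="${1:-1}" '
    / sshd\[[0-9]+\]: Failed password for / {
        # The user name is supplied by the client and may contain spaces or
        # the word "from", so locate the address relative to the line end:
        #   ... from <addr> port <n> ssh2
        if (NF >= 5 && $(NF - 4) == "from" && $(NF - 2) == "port")
            count[$(NF - 3)]++
    }
    END { for (s in count) if (count[s] >= min) print count[s], s }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample input (not taken from a real host).
sample_secure_log() {
    cat <<'EOF'
Jun 10 15:01:12 host1 sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Jun 10 15:01:15 host1 sshd[2101]: Failed password for invalid user test from 192.0.2.10 port 40122 ssh2
Jun 10 15:01:19 host1 sshd[2103]: Failed password for root from 192.0.2.10 port 40130 ssh2
Jun 10 15:02:40 host1 sshd[2110]: Failed password for invalid user x from 203.0.113.5 from 198.51.100.7 port 51514 ssh2
Jun 10 15:03:02 host1 sshd[2115]: Accepted password for oracle from 198.51.100.20 port 52200 ssh2
Jun 10 15:04:00 host1 crond[2120]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

sample_secure_log | failed_ssh_by_source 1
```

Because the logs are rotated to filename.number, a review covering more than the current week has to feed the rotated files to the function as well, for example by concatenating /var/log/secure.1 and /var/log/secure on its input.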
