Using syslogd and logrotate to manage the server's log files
First note that on our machines the newer syslogd-ng is used as a more powerful replacement for the traditional syslogd.
Facilities and severity levels
syslogd uses selectors to identify the program (called the facility) that is sending a log message and the message's severity level (called the level). So a selector has the general form selector.level. Both facility names and levels must be chosen from a short list of predefined values. No, you cannot invent your own facilities or levels.
Facilities are defined for the kernel, for common groups of utilities, and for locally written programs. Everything else is classified under the generic facility user. The following facilities exist as defined in /usr/include/sys/syslog.h:
/* facility codes */ #define LOG_KERN (0<<3) /* kernel messages */ #define LOG_USER (1<<3) /* random user-level messages */ #define LOG_MAIL (2<<3) /* mail system */ #define LOG_DAEMON (3<<3) /* system daemons */ #define LOG_AUTH (4<<3) /* security/authorization messages */ #define LOG_SYSLOG (5<<3) /* messages generated internally by syslogd */ #define LOG_LPR (6<<3) /* line printer subsystem */ #define LOG_NEWS (7<<3) /* network news subsystem */ #define LOG_UUCP (8<<3) /* UUCP subsystem */ #define LOG_CRON (9<<3) /* clock daemon */ #define LOG_AUTHPRIV (10<<3) /* security/authorization messages (private) */ #define LOG_FTP (11<<3) /* ftp daemon */ #define LOG_LOCAL0 (16<<3) /* reserved for local use */ #define LOG_LOCAL1 (17<<3) /* reserved for local use */ #define LOG_LOCAL2 (18<<3) /* reserved for local use */ #define LOG_LOCAL3 (19<<3) /* reserved for local use */ #define LOG_LOCAL4 (20<<3) /* reserved for local use */ #define LOG_LOCAL5 (21<<3) /* reserved for local use */ #define LOG_LOCAL6 (22<<3) /* reserved for local use */ #define LOG_LOCAL7 (23<<3) /* reserved for local use */
(So the names of the facilities are kern, user, and so on.)
The following severity levels exist, in descending ordered of severity:
#define LOG_EMERG 0 /* system is unusable */ #define LOG_ALERT 1 /* action must be taken immediately */ #define LOG_CRIT 2 /* critical conditions */ #define LOG_ERR 3 /* error conditions */ #define LOG_WARNING 4 /* warning conditions */ #define LOG_NOTICE 5 /* normal but significant condition */ #define LOG_INFO 6 /* informational */ #define LOG_DEBUG 7 /* debug-level messages */
(So the names of the levels are emerg, alert, and so on.)
The severity level of a message specifies its importance. In the syslog-ng.conf file, levels indicate the minimum importance that a message must have in order to be logged upon a call to the syslog() function. For example, if syslog-ng.conf specifies that mail.info messages be logged to a file, then mail.warning messages will go there also unless there is a separate rule for these higher level messages.
Configuring syslogd-ng
The file to edit is /etc/sylog-ng/syslog-ng.conf.
destination myserverlog { file("/var/log/myserverlog"
owner("root")
group("adm")
perm(0644)); };
# TODO: made the log file readable for everyone
# should be: perm(0640);
filter f_myserver { facility(local0); }; # all priorities match!
log { source(src); filter(f_myserver); destination(myserverlog); };# This is the default behavior of sysklogd package
# Logs may come from unix stream, but not from another machine.
#
source src { unix-stream("/dev/log"); internal(); file("/proc/kmsg" log_prefix("kernel: ")); };# kill -HUP `/bin/cat /var/run/syslog-ng.pid`
$ logger -p local0.info "This is a test line"
$ tail -f /var/log/myserverlog Nov 18 20:00:55 mpino1301 logger: This is a test line
#include <syslog.h>
int main(int argc, char**argv)
{
openlog(argv[0], /* string constant prepended to every message */
LOG_PID, /* option: include PID with each message */
LOG_LOCAL0 /* facility to log */);
syslog(LOG_WARNING, "Just logged %s", "this warning.");
syslog(LOG_ERR, "There were %d floating point errors.", 4711);
closelog();
}