Table of contents

  1. Introduction
  2. What is logging?
  3. What is the purpose of log files?
  4. What is logging in to Linux?
  5. Where to find these Linux system logs?
  6. Important Linux Logs
  7. Syslog
     7.1. Syslog Configuration
     7.2. Syslog Facilities
     7.3. Syslog Priorities
     7.4. Selector
     7.5. Syslog Actions
  8. Frequently Asked Questions
     8.1. How do you open Linux system logs?
     8.2. Cannot find the syslog file in the log folder. How to get the Linux system log?
     8.3. How is Linux System Logging useful?
     8.4. How to analyze log files?
  9. Conclusion
Last Updated: Mar 27, 2024

Linux System Logging

Introduction

Keeping track of what happens inside any software is essential, especially for programmers. In a Linux-based environment, Linux System Logging is a great tool for monitoring the system.

This article discusses how useful Linux system logging is and how it helps its users (especially programmers) by letting them record almost everything they want and then process the logs to extract the desired information.

What is logging?

Logging is keeping track of what is happening on the system; the word comes from "log", as in keeping a log. A log file is a document that records the events occurring on the system, including operating system messages and messages from the different software running on it. Every entry is timestamped, and the file is produced automatically.

What is the purpose of log files?

By monitoring Linux log files, one gains deep insight into server performance, security, error messages, and underlying issues, which is very valuable when troubleshooting the problems encountered.

Log files become very important in helping to detect the following:

  • If there is any security breach in the system from outside
     
  • Common problems which users face, like the repeated log-in failures
     
  • Issues with the equipment, like hard-disk crashes or power failures
     

In short, log files help the user predict or anticipate upcoming issues before they occur.

What is logging in to Linux?

Logging is a facility in Linux which enables the user to log information related to their computer. Logs contain much of the diagnostic information the user needs to troubleshoot any problem they face. Linux logs everything from kernel events to user actions, so the user can find information about any activity performed on the system. Linux stores most of the logs automatically, and all of them carry timestamps.

Where to find these Linux system logs?

The root directory of a Linux system contains a var directory, and the var directory contains a log sub-directory. Typically, all logs are stored in this log sub-directory (/var/log). Among them is a file named syslog, which holds the Linux system logging details. The user can run the cat command on the file to see its entire contents, or the tail command to see just the end.

Important Linux Logs

Some of the most essential and useful Linux logs can be grouped into four categories: 

  • System Logs
     
  • Service Logs
     
  • Event Logs
     
  • Application Logs
     

The most widely used Linux log files are:

  • /var/log/syslog: It stores all the messages and system-related information.
     
  • /var/log/auth.log: It stores all messages related to authentication, including both successful and unsuccessful ones.
     
  • /var/log/boot.log: It stores all messages logged related to the startup and booting up of the device.
     
  • /var/log/mail.log: It stores all logs related to the mailing service and servers.
     
  • /var/log/kern: It stores all kernel logs, thus helping troubleshoot kernel issues.
     
  • /var/log/dmesg: It stores all messages related to device drivers. 
     
  • /var/log/faillog: It stores all messages related to failed login attempts.
     
  • /var/log/cron: It stores all logs related to the cron jobs, their successes, and failures.
     
  • /var/log/yum.log: It stores all installation-related information when we use the yum command to install a package.
     
  • /var/log/httpd/: It is a directory that contains error_log and access_log files. The error_log files contain all errors encountered, and the access_log files contain all request records.
     
  • /var/log/mysql.log: It logs all success, failure, and debug messages of MySQL.

Syslog

Syslog is the standard system logging protocol. It is the standardized way of creating and sending event information or logs from the operating system, programs, and devices to a centralized message collector or the syslog server. 

[Image: the command used to display the syslog file]

Running the command shown above prints the contents of syslog. An example:

[Image: syslog content]

There are four basic terms in syslog: 

  • Facility: Facility is the identifier used to describe the process or the application that generated the log message. Some examples are the kernel, mail, ftp, etc.
     
  • Priority: Priority indicates the importance of a message. Syslog defines a fixed set of levels, ranging from critical events down to debugging information.
     
  • Selector: Selector is a combination of one or more levels and facilities. An action gets performed only when an incoming event matches a selector.
     
  • Action: When an incoming message matches a selector, that message through actions can be written in the log file, sent to the logged-in user, echoed to the console, or sent to another syslog server.

Syslog Configuration

syslog.conf is the file that stores the syslog configuration. It controls where each message is logged. An example syslog.conf file:

[Image: example syslog.conf file]

Syslog Facilities

Following is the list of facilities available for the Syslog selector.

  • Auth: Facility for activities related to requesting a name and password. Some examples are getty, su, and login.
     
  • Authpriv: The same as auth, except that the messages are written to a file that only selected users can read.
     
  • Console: Facility used to get messages that are generally directed to the system console.
     
  • Cron: Facility used to capture messages from the cron system scheduler.
     
  • Daemon: Facility for the system daemon catch-all.
     
  • Ftp: Facility for the messages related to ftp daemon.
     
  • Kern: Facility to get the kernel messages.
     
  • local0 through local7: Local facilities defined per site.
     
  • lpr: Messages from the line printing system.
     
  • Mail: Messages relating to the mail system.
     
  • Mark: Pseudo-event used to generate timestamps in log files.
     
  • News: Messages relating to network news protocol (NNTP).
     
  • ntp: Messages relating to the network time protocol.
     
  • User: Regular user processes.
     
  • uucp: UUCP subsystem.
     

These facilities are not universally present on all Linux-based Operating Systems.

Syslog Priorities

Following is the list of syslog priorities. One with the greatest importance is at the top and the least at the bottom.

  • Emerg: Emergency conditions, such as an imminent system crash, are usually broadcast to all users.
     
  • Alert: A condition that should be looked into immediately, for example, a corrupted system database.
     
  • Crit: A critical condition, for example, a hardware error.
     
  • Err: Ordinary error
     
  • Warning: Warning
     
  • Notice: This condition is not an error, but it should be handled in some special way
     
  • Info: Informational message
     
  • Debug: Messages that are used when debugging programs
     
  • None: This level is used to specify not to log any message. It is a pseudo-level.
     

Whenever a priority level is specified, the system logs everything at that level and at all higher (more severe) levels. A combination of facility and priority level decides what is logged and where that information goes.

Selector

Where the messages are logged is controlled by the syslog.conf file, and each line of this file contains two parts:

  1. Message Selector: It specifies the kind of messages to log.
    A message selector has two parts, a facility and a priority, separated by a dot. The priority part selects its own priority and all priorities higher than itself. An asterisk can be used in place of either the facility or the priority to select all. Commas separate multiple facilities. A semicolon groups two or more selectors together.
     
  2. Action Field: The action field decides the fate of the message, for example, send the message to a terminal, store it in a file, etc.

Syslog Actions

There are five actions, and the action field specifies one of them:

  1. Log message to a device or a file.
     
  2. Send a message to a user. Messages can be sent to multiple users using multiple usernames and separating them with commas.
     
  3. Send a message to all the users. We use an asterisk (*) to specify this condition.
     
  4. Pipe the message to a program. We use a pipe symbol (|) to specify this case.
     
  5. Send a message to the syslog of another host. For this, the action field consists of an at sign (@) followed by the hostname. 
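To make the selector and action rules above concrete, here is a small POSIX sh model of how a syslog.conf rule set is evaluated. It is an added example, not code from the original article or from any syslog implementation: the rule set, the file names, the host name "loghost" and the program "/usr/local/bin/cron-alert" are all constructed for illustration. Given a facility and a priority, it prints the action of every rule whose selector matches, including the "priority and higher" rule, the "*" wildcard, comma-separated facilities, semicolon-grouped selectors and the "none" pseudo-level.

```shell
#!/bin/sh
# Added example (not from the original article): a minimal POSIX sh model of
# how syslog.conf selectors pick messages and which action fires.
# The rule set, file names, host "loghost" and program "/usr/local/bin/cron-alert"
# are constructed assumptions for illustration only.
set -f   # disable globbing so a literal "*" in a selector is never expanded

# Constructed rules in classic syslog.conf form: "selector action", one per line.
RULES='auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none /var/log/syslog
kern.* /var/log/kern.log
mail.err /var/log/mail.err
*.emerg *
cron.info |/usr/local/bin/cron-alert
*.crit @loghost'

# prio_rank NAME: numeric rank of a priority, 0 = emerg (most severe) .. 7 = debug
prio_rank() {
  case "$1" in
    emerg|panic)  echo 0 ;;
    alert)        echo 1 ;;
    crit)         echo 2 ;;
    err|error)    echo 3 ;;
    warning|warn) echo 4 ;;
    notice)       echo 5 ;;
    info)         echo 6 ;;
    debug)        echo 7 ;;
    *)            echo -1 ;;   # unknown priority never matches
  esac
}

# selector_matches SELECTOR FACILITY PRIORITY: succeed when a message with that
# facility and priority is selected. Selectors separated by ";" are evaluated
# left to right and a later one overrides an earlier one for the same facility,
# which is how "*.*;auth,authpriv.none" excludes the auth facilities.
selector_matches() {
  s_sel=$1; s_fac=$2; s_pri=$3
  s_hit=1                      # shell false until a selector accepts the message
  s_msg_rank=$(prio_rank "$s_pri")
  [ "$s_msg_rank" -ge 0 ] || return 1
  s_old_ifs=$IFS
  IFS=';'
  for s_part in $s_sel; do
    IFS=$s_old_ifs
    s_facs=${s_part%.*}        # everything before the last "."
    s_level=${s_part##*.}      # everything after the last "."
    IFS=','
    for s_f in $s_facs; do
      IFS=$s_old_ifs
      [ "$s_f" = "*" ] || [ "$s_f" = "$s_fac" ] || continue
      if [ "$s_level" = "none" ]; then
        s_hit=1
      elif [ "$s_level" = "*" ]; then
        s_hit=0
      elif [ "$(prio_rank "$s_level")" -ge "$s_msg_rank" ]; then
        s_hit=0                # the selector's level or any more severe level
      else
        s_hit=1
      fi
    done
    IFS=$s_old_ifs
  done
  return $s_hit
}

# describe_action ACTION: explain the action field in its five forms
describe_action() {
  case "$1" in
    '*')  echo "write to all logged-in users" ;;
    '|'*) echo "pipe to program ${1#|}" ;;
    '@'*) echo "forward to syslog on host ${1#@}" ;;
    /*)   echo "append to file $1" ;;          # a file or a device such as /dev/console
    *)    echo "write to user(s) $1" ;;
  esac
}

# route FACILITY PRIORITY: print the action each matching rule would take
route() {
  printf '%s\n' "$RULES" | while read -r r_sel r_act; do
    [ -n "$r_sel" ] || continue
    case "$r_sel" in '#'*) continue ;; esac    # skip comment lines
    if selector_matches "$r_sel" "$1" "$2"; then
      describe_action "$r_act"
    fi
  done
}

# Usage: run directly to see where a few constructed messages would go
route kern err
route authpriv info
route mail emerg
```

With this rule set, a kern.err message goes to /var/log/syslog and /var/log/kern.log, an authpriv.info message goes only to /var/log/auth.log because the "none" selector removes it from the catch-all rule, and a mail.emerg message matches four rules at once, which is what the cumulative "priority and higher" behaviour means in practice.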

Frequently Asked Questions

How do you open Linux system logs?

Linux logs are stored in the log sub-directory inside the var directory, which lives in the root directory. So to open the system log, the user can run the command cat /var/log/syslog in the terminal.

Cannot find the syslog file in the log folder. How to get the Linux system log?

If the user cannot find the syslog file in the log folder inside var, the syslog service has not started yet. To check, run the command "service rsyslog status"; if the output is "rsyslogd is not running", run the command "service rsyslog start" to solve the problem. This problem generally occurs with Windows' Ubuntu bash or WSL (Windows Subsystem for Linux).

How is Linux System Logging useful?

Linux System Logging is helpful because it stores messages of every severity (from emergency to none), which lets the user track system performance and, when a problem occurs, find its root cause and fix it.

How to analyze log files?

The easiest way to analyze log files is a simple text search with grep, since the files are generally long. grep is a command-line tool for searching text. To see just the end of a file, you can use the tail command.
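The grep-based analysis suggested here, and the "repeated log-in failures" the article lists earlier as something logs help detect, can be put together in a few shell functions. This is an added example, not part of the original article: the auth.log-style lines are constructed for it, the addresses come from documentation ranges, the host name "host" is a placeholder, and the failure threshold of 3 is an arbitrary assumption an operator would tune.

```shell
#!/bin/sh
# Added example (not from the original article): analysing auth.log-style
# lines with grep, sed, sort, uniq and awk. The log lines below are constructed
# for this example; the addresses are documentation ranges and "host" is a
# placeholder host name.
SAMPLE_AUTH_LOG='Mar 27 10:01:02 host sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar 27 10:01:05 host sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar 27 10:01:09 host sshd[1203]: Failed password for root from 198.51.100.23 port 51030 ssh2
Mar 27 10:02:41 host sshd[1210]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
Mar 27 10:03:00 host sshd[1215]: Failed password for bob from 203.0.113.7 port 33110 ssh2
Mar 27 10:05:12 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail /var/log/syslog'

# failed_logins_by_source: read log text on stdin and print "address count"
# for every source with a "Failed password" line, most frequent first.
failed_logins_by_source() {
  grep 'Failed password' \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $2, $1 }'
}

# top_failed_source: the single address with the most failed logins
top_failed_source() {
  printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_source | head -n 1
}

# flag_repeated_failures N: addresses with at least N failures. N is a
# threshold the operator chooses; 3 is used below as an assumption.
flag_repeated_failures() {
  printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_source \
    | awk -v n="$1" '$2 >= n { print $1 }'
}

# successful_logins: "user from address" for each accepted login, so the
# failures can be compared with who actually got in
successful_logins() {
  printf '%s\n' "$SAMPLE_AUTH_LOG" | grep 'Accepted' | awk '{ print $9, "from", $11 }'
}

# Usage: the last two lines of the sample as tail would show them, then the summary
printf '%s\n' "$SAMPLE_AUTH_LOG" | tail -n 2
top_failed_source
flag_repeated_failures 3
successful_logins
```

On a real system the same functions would read from /var/log/auth.log instead of the embedded sample; the pipeline does not change, only its input.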

Conclusion

This article discussed Linux system logging in depth: its utility, the syslog facilities and priorities, and selectors and actions. It showed where the logs are stored and how to access and use them efficiently.