Tutorial for SYSLOG with Examples in Red Hat Linux

I have written another article with step-by-step instructions to redirect specific messages from /var/log/messages to a different log file, so that your messages file is not filled up with unwanted events.
Syslog is one of the most important standards used in Linux: it is the key facility that lets you determine the different levels of logs that are generated and stored every second while you are working on your Linux box. Syslog can be read as "System Log".
The main configuration file for syslog is:
For RHEL 5 and older

/etc/syslog.conf

For RHEL 6 and 7

/etc/rsyslog.conf

Benefits of syslog

  • Helps analyze the root cause of any trouble or problem
  • Reduces overall downtime, since all the logs are at hand to troubleshoot issues faster
  • Improves incident management through active detection of issues
  • Allows incidents to be identified on their own and, where possible, resolved automatically
  • Simplified architecture with different levels of severity such as error, info, warning, etc.

The syslog.conf file is the main configuration file for syslogd, which logs system messages on *nix systems.  This file specifies rules for logging. Every rule consists of two fields, a selector field and an action field.  These two fields are separated by one or more spaces or tabs.  The selector field specifies a pattern of facilities and priorities belonging to the specified action.

Selectors

The selector field itself again consists of two parts, a facility and a priority, separated by a period ('.').  Both parts are case insensitive.
For example:

kern.none, mail.info, etc.

Here:
kern = facility
none = severity (priority)

Facility

The facility is one of the following keywords: auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, security (same as auth), syslog, user, uucp and local0 through local7.  The keyword security should not be used anymore, and mark is only for internal use and therefore should not be used in applications.
You may still want to select and redirect these messages here.  The facility specifies the subsystem that produced the message, e.g. all mail programs log with the mail facility (LOG_MAIL) if they log using syslog.

Facility Numbers

Number  Keyword   Description
0       kern      kernel messages
1       user      user-level messages
2       mail      mail system
3       daemon    system daemons
4       auth      security/authorization messages
5       syslog    messages generated internally by syslogd
6       lpr       line printer subsystem
7       news      network news subsystem
8       uucp      UUCP subsystem
9       -         clock daemon
10      authpriv  security/authorization messages
11      ftp       FTP daemon
12      -         NTP subsystem
13      -         log audit
14      -         log alert
15      cron      clock daemon
16      local0    local use 0 (local0)
17      local1    local use 1 (local1)
18      local2    local use 2 (local2)
19      local3    local use 3 (local3)
20      local4    local use 4 (local4)
21      local5    local use 5 (local5)
22      local6    local use 6 (local6)
23      local7    local use 7 (local7)

Severity Levels

The priority is one of the following keywords, in ascending order: debug, info, notice, warning, warn (same as warning), err, error (same as err), crit, alert, emerg, panic (same as emerg).  The keywords error, warn and panic are deprecated and should not be used anymore. The priority defines the severity of the message.

Integer  Severity
0        Emergency: system is unusable
1        Alert: action must be taken immediately
2        Critical: critical conditions
3        Error: error conditions
4        Warning: warning conditions
5        Notice: normal but significant conditions
6        Informational: informational messages
7        Debug: debug-level messages

You can specify multiple facilities with the same priority pattern in one statement using the comma (',') operator.  You may specify as many facilities as you want. Multiple selectors may be specified for a single action using the semicolon (';') separator.  Remember that each selector in the selector field can override the preceding ones.  Using this behavior you can exclude some priorities from the pattern.
Examples
Log messages of priority crit only (the = prefix selects exactly that priority, rather than crit and above) on your Linux machine in a separate log file, /var/log/critical.log.
Append this line to /etc/syslog.conf:

*.=crit            /var/log/critical.log

Log all kernel-related messages (netfilter firewall logging on Linux is emitted by the kernel, hence the file name) in a separate log file, /var/log/firewall.log:

# Add a new line
kern.*       /var/log/firewall.log
# Then add kern.none at the end of the existing /var/log/messages rule
# so that kernel messages are no longer duplicated there:
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
# Don't log kernel related events and messages.
*.info;mail.none;authpriv.none;cron.none;kern.none                /var/log/messages

Write all messages of priority err or higher to the terminals of the users root and deepak while they are logged in:

# Messages of priority err and higher are written to the
# terminals of root and deepak, if they are logged in
#
*.err                      root,deepak

Log all kernel (firewall) messages of priority warning or higher in /var/log/firewall-warning.log:

kern.warn                                           /var/log/firewall-warning.log
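The selector rules above (comma, semicolon, "none", "=" and later selectors overriding earlier ones), as an added example that is not part of the original article: a small Python model of syslog.conf selector matching, run against the rules this article adds, so you can check which files or users a given facility.priority message ends up at. The rule lines and the message samples are constructed from the examples above.

```python
# Added example (not the article's own code): model of syslog.conf selector matching.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}  # deprecated spellings

def parse_rule(line):
    """Split one syslog.conf rule into its selector list and its action."""
    selector, action = line.split(None, 1)
    return selector.split(";"), action.strip()

def selector_verdict(selector, facility, priority):
    """Evaluate one 'facility[,facility].priority' selector for a message.
    True = log, False = do not log, None = selector is silent on this facility."""
    facs, _, prio = selector.lower().rpartition(".")
    facs = facs.split(",")
    if "*" not in facs and facility not in facs:
        return None
    if prio == "none":
        return False
    if prio == "*":
        return True
    if prio.startswith("="):  # '=crit' means exactly this priority, not crit and above
        return PRIORITIES.index(ALIASES.get(prio[1:], prio[1:])) == PRIORITIES.index(priority)
    return PRIORITIES.index(priority) >= PRIORITIES.index(ALIASES.get(prio, prio))

def rule_matches(line, facility, priority):
    """The last selector that mentions the facility decides: this is the
    'each selector can override the preceding ones' behaviour."""
    facility = "auth" if facility.lower() == "security" else facility.lower()
    priority = ALIASES.get(priority.lower(), priority.lower())
    decision = False
    for sel in parse_rule(line)[0]:
        verdict = selector_verdict(sel, facility, priority)
        if verdict is not None:
            decision = verdict
    return decision

def route(config_lines, facility, priority):
    """Return the actions (files, user lists, @hosts) a message would reach."""
    rules = [l for l in config_lines if l.strip() and not l.lstrip().startswith("#")]
    return [parse_rule(l)[1] for l in rules if rule_matches(l, facility, priority)]

# The rules from the examples above, in the order the article adds them (constructed input).
ARTICLE_RULES = [
    "*.=crit                                             /var/log/critical.log",
    "kern.*                                              /var/log/firewall.log",
    "*.info;mail.none;authpriv.none;cron.none;kern.none  /var/log/messages",
    "*.err                                               root,deepak",
    "kern.warn                                           /var/log/firewall-warning.log",
]
```

Calling `route(ARTICLE_RULES, "kern", "warning")` shows the message landing only in the two firewall files, because the kern.none at the end of the /var/log/messages rule overrides the *.info before it.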

Support for Remote Logging

syslogd provides network support.  Network support means that messages can be forwarded from one node running syslogd to another node running syslogd, where they will actually be logged to a disk file.
The strategy is to have syslogd listen on a Unix domain socket for locally generated log messages.  This behavior allows syslogd to inter-operate with the syslog found in the standard C library.  At the same time syslogd listens on the standard syslog port for messages forwarded from other hosts.  For this to work correctly the /etc/services file must have the following entry:

syslog 514/udp

If this entry is missing, syslogd can neither receive remote messages nor send them, because the UDP port can't be opened.  Instead syslogd will die immediately, printing an error message.
For example, to forward ALL messages to a remote host, use the following syslog.conf entry:

# Sample syslogd configuration to forward all
# messages to a remote host.
*.*            @hostname

To forward all kernel messages to a remote host, the configuration file would be as follows:

# Sample configuration to forward all kernel
# messages to a remote host.
kern.*         @hostname
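What a forwarding rule such as `kern.*  @hostname` actually puts on the wire, as an added example that is not code from the article: the sender packs the facility and severity numbers from the tables above into the `<PRI>` prefix (facility × 8 + severity) of a BSD-style datagram, and the receiver unpacks it. Both ends are played on the loopback address with an ephemeral port standing in for 514/udp (an assumption made so it runs without root and without a real remote host); the timestamp, host and message text are constructed.

```python
# Added example (not the article's own code): the <PRI> encoding used when syslogd
# forwards a message to @hostname, with a loopback receiver playing the remote syslogd.
import socket

# Facility codes as glibc defines them (LOG_KERN = 0 ... LOG_LOCAL7 = 23). cron = 9 follows
# LOG_CRON; the table above lists cron against 15, RFC 3164's second clock-daemon code.
FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
            "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11}
FACILITY.update({f"local{i}": 16 + i for i in range(8)})
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
            "notice": 5, "info": 6, "debug": 7}

def encode(facility, severity, host, tag, msg):
    """Build the datagram syslogd forwards: <PRI>TIMESTAMP HOST TAG: MSG,
    where PRI = facility * 8 + severity."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    return f"<{pri}>Oct 11 22:14:15 {host} {tag}: {msg}".encode()  # constructed timestamp

def decode_pri(datagram):
    """Recover (facility keyword, severity keyword) from a received datagram.
    A datagram with no valid PRI is treated as user.notice (<13>), as relays do."""
    text = datagram.decode(errors="replace")
    end = text.find(">", 1, 6)  # PRI is at most 3 digits, so '>' sits within the first 5 bytes
    if not text.startswith("<") or end == -1 or not text[1:end].isdigit():
        return "user", "notice"
    pri = int(text[1:end])
    facility = {v: k for k, v in FACILITY.items()}.get(pri // 8, f"facility{pri // 8}")
    severity = {v: k for k, v in SEVERITY.items()}[pri % 8]
    return facility, severity

def forward_over_loopback(facility, severity, msg):
    """Play both ends of 'kern.*  @hostname': a receiver bound to an ephemeral
    loopback port stands in for the remote syslogd listening on 514/udp."""
    receiver = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    receiver.bind(("127.0.0.1", 0))  # port 0 = ephemeral; real syslogd binds 514
    receiver.settimeout(2)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(encode(facility, severity, "node1", "kernel", msg),
                      receiver.getsockname())
        data, _ = receiver.recvfrom(2048)
    finally:
        sender.close()
        receiver.close()
    return decode_pri(data), data.decode()

if __name__ == "__main__":
    print(forward_over_loopback("kern", "warning", "constructed firewall message"))
```

Plain UDP forwarding gives no delivery guarantee, sender authentication or integrity protection, so a receiving syslogd should only accept datagrams from the hosts it expects, and anything that needs to be tamper-evident belongs on a transport that provides it.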
