Home » Understanding Linux Logging
System logs are essential to understand the timeline of events for any working system, and when issues arise, logs are an invaluable troubleshooting tool.
Linux is a popular operating system that is widely used on servers, desktops, and other devices. One of the key features of Linux is its system of logging. linux logging allows administrators to keep track of important events and messages, baselining, system audits, ascertaining SLA adherence, monitoring, and troubleshooting.
In this article, we will explain how Linux logging works, and how it can be used to manage and troubleshoot a Linux system.
Syslog was the first logging project that was available in 1980’s at that time it was very simple, Syslog-ng later extended syslog with additional features and capabilities. In 2004 Rsyslog enhanced syslog with more capabilities, Rsyslog is mostly used today and it provides a system of logging that records the events that happen on the operating system.
The system logs are by default stored in the /var/log directory, further, each application or system service is supposed to have its own log file. For example, the HTTPD web server will have a log file called /var/log/httpd/access.log that contains a record of all incoming requests to the web server.
In addition to the system logs, rsyslog also provides a way for applications to generate their own logs using the syslog system calls. This allows applications to record important events and messages, and send them to the syslog service for storage and processing.
we can check the status of the rsyslog service by running the command systemctl status rsyslog.service
Jan 13 17:49:01 midas.upspiroffice.com systemd[1]: Starting System Logging Service…
Jan 13 17:49:02 midas.upspiroffice.com rsyslogd[727]: $WorkDirectory: /var/lib/rsyslog can not be accessed, probably does>
Jan 13 17:49:02 midas.upspiroffice.com rsyslogd[727]: [origin software=”rsyslogd” swVersion=”8.2102.0-105.el9″ x-pid=”727>
Jan 13 17:49:02 midas.upspiroffice.com systemd[1]: Started System Logging Service.
If not installed, you can install rsyslog using yum, and start and enable the service
The rsyslog service is configurable, and administrators can specify the types of events that should be logged, as well as where and how the logs should be stored. Rsyslog can be configured to run as a client and server at the same time.
/etc/rsyslog.conf is the default configuration for the rsyslog
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don’t log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* –/var/log/maillog
Analyzing logfiles System Admins use different Linux commands like grep, tail, head, more, less, and cat to search and filter the various logfiles, depending on what they are looking for.
You can edit the rsyslog.conf to have your custom configuration., but direct edit the file is not recommended
Recommended Method
To add any user configuration rsyslog.d directory is available, and it is added in the default configuration to load all config files from this directory
# Include all config files in /etc/rsyslog.d/
include(file=”/etc/rsyslog.d/*.conf” mode=”optional”)
So the user can create their custom config files and put in this directory, which will be automatically read by the service, without changing the default settings.
Rsyslog not only supports most of the programming languages
It also supports the CLI command to log messages. Let’s test whether our rsyslog is up and running.
journalctl is a command-line utility that can be used to view and manage the logs collected by the systemd system and service manager in Linux. It allows system admins to view these logs as well as filter and searrch specific logs for specific services, and also provides ability to only log messages for a specific time period.
To use journalctl, administrators can simply run the journalctl command with no options, which will display all of the logs collected by systemd.
[root@midas ~]# journalctl
Jan 13 23:18:52 localhost kernel: microcode: microcode updated early to revision 0x28, date = 2019-11-12
Jan 13 23:18:52 localhost kernel: Linux version 5.14.0-160.el9.x86_64 (mockbuild@x86-05.stream.rdu2.redhat.com) (gcc (GCC>
Jan 13 23:18:52 localhost kernel: The list of certified hardware and cloud instances for Red Hat Enterprise Linux 9 can b>
Jan 13 23:18:52 localhost kernel: Command line: BOOT_IMAGE=(hd0,gpt2)/vmlinuz-5.14.0-160.el9.x86_64 root=UUID=2db362f1-e8>
Jan 13 23:18:52 localhost kernel: x86/fpu: Supporting XSAVE feature 0x001: ‘x87 floating point registers’
Jan 13 23:18:52 localhost kernel: x86/fpu: Supporting XSAVE feature 0x002: ‘SSE registers’
Jan 13 23:18:52 localhost kernel: x86/fpu: Supporting XSAVE feature 0x004: ‘AVX registers’
Jan 13 23:18:52 localhost kernel: x86/fpu: xstate_offset[2]: 576, xstate_sizes[2]: 256
Jan 13 23:18:52 localhost kernel: x86/fpu: Enabled xstate features 0x7, context size is 832 bytes, using ‘standard’ forma>
Jan 13 23:18:52 localhost kernel: signal: max sigframe size: 1776
Jan 13 23:18:52 localhost kernel: BIOS-provided physical RAM map:
met, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.
Using Journalctl, As journalctl does not kepp different logfiles as in the case of Syslog, system administrators can use various options and flags to search, filter, and extract relevant information.
For example,
journalctl -u httpd, will show all of the logs for httpd service
Systemd journal stores the logs in structured and indexed library file called journal
From RHEL8, the journal is stored in /run/log by default and its contents by default are cleared after reboot, we have to configure journalctl to store the logs from older sessions.
journalctl will show full system logs when run by root user starting from oldest log entry,
It highlights important log messages, and warning as bold text while errors in red color.
#Defaults can be restored by simply deleting this file and all drop-ins.
# Use ‘systemd-analyze cat-config systemd/journald.conf’ to display the full config.
# See journald.conf(5) for details.
[Journal]#Storage=autodmesg is a command-line utility in Linux that allows administrators to view the kernel’s log buffer.
This allows system admins to view messages about the system hardware and software including the hardware initialization messages, system errors, and warnings at the time of system booting up.
To use dmesg, administrators can simply run the dmesg command with no options, which will display the entire contents of the kernel’s log buffer.
dmesg logs are extremely useful to identify issues that may have cropped up during booting and these errors are not reflected in syslogs, though analyzing dmesg logs may need special skills and experience.
Here is an example of using dmesg to view the kernel’s log buffer:
Understanding the above logs and the ability to analyze them is an essential skill for anyone providing support on Linux be it system administrators, application support engineers, or even application developers, The proficiency in analyzing the logs helps to identify and isolate the issues, predict system behavior and prevent any negative event.
..
..
Author
Nikhil Kumar Ahluwalia
Founder Upspir
Nikhil has over 16years of experience in the industry, before starting UPSPIR he was heading the support, services, and delivery function at Ameyo/Exotel as vice-president, and he has vast experience in managing and leading technical support and delivery teams, With Upspir he aims to take his passion of developing and mentoring people to next level by sharing his experiences and learning with those who want to build their career in the tech support domain.