System Log Files
This article explains how to identify system log files on Linux, with specific reference to the information needed for the RHCSA EX200 and RHCE EX300 certification exams.
Remember, the exams are hands-on, so it doesn’t matter which method you use to achieve the result, so long as the end product is correct.
Location of System logs
The “/etc/rsyslog.conf” file defines the location of most of the system log files. Most of the file is commented out, but the rules section defines the relevant locations.
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
As you can see, the majority of logging is done to the “/var/log” directory, so this is likely to be the first place you will look in the event of a problem. Probably the most common location is the “/var/log/messages” file.
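The following Python code is an added illustration, not part of the original article or of rsyslog. It evaluates the selectors in the RULES excerpt above to show where a message of a given facility and severity ends up, for instance that authpriv messages reach only “/var/log/secure”. It handles only the selector forms that appear in that excerpt (no “=” or “!” modifiers), and the function names are hypothetical.

```python
# Added example: resolve which destinations a message reaches under the
# RULES section quoted above. Handles only the selector forms used there.
SEVERITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Rules copied from the article's /etc/rsyslog.conf excerpt (comments dropped).
RULES = """\
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
"""

def selector_matches(selector, facility, severity):
    """Evaluate one 'a.x;b.y' selector list, left to right."""
    matched = False
    for part in selector.split(";"):
        facilities, _, priority = part.partition(".")
        if facilities != "*" and facility not in facilities.split(","):
            continue  # this part says nothing about our facility
        if priority == "none":
            matched = False  # 'none' removes the facility from this rule
        elif priority == "*":
            matched = True
        else:  # a plain priority means "this severity or higher"
            wanted = SEVERITIES.index(priority)
            matched = matched or SEVERITIES.index(severity) >= wanted
    return matched

def destinations(facility, severity, rules=RULES):
    """Return every action whose selector accepts the message."""
    hits = []
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        if selector_matches(selector, facility, severity):
            hits.append(action.lstrip("-"))  # leading '-' only disables sync
    return hits

if __name__ == "__main__":
    for fac, sev in [("authpriv", "info"), ("daemon", "debug"), ("kern", "emerg")]:
        print(f"{fac}.{sev} ->", destinations(fac, sev) or "not logged")
```

An empty result means no rule in the excerpt stores the message, which is the case for anything below the info level outside the dedicated mail, cron, authpriv and local7 rules.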
A number of application services log to different locations. For example, the HTTPD service will log errors to the “/etc/httpd/logs/error_log” file by default. In addition, each virtual host defined in the “/etc/httpd/conf/httpd.conf” file can specify its own logging destination.
Log Rotation
A build-up of log data can become a problem, since eventually you would run out of disk space to hold it. To prevent this, Linux automatically performs weekly log rotation under the control of the “/etc/logrotate.conf” file. Each service (or group of services) that requires log rotation has an entry under the “/etc/logrotate.d” directory. These files define how the specific logs should be managed.
# ls -al /etc/logrotate.d
total 64
drwxr-xr-x. 2 root root 4096 Mar 22 10:14 .
drwxr-xr-x. 119 root root 12288 Mar 22 10:08 ..
-rw-r--r--. 1 root root 71 Dec 7 07:19 cups
-rw-r--r--. 1 root root 103 Dec 7 23:33 dracut
-rw-r--r--. 1 root root 185 Dec 7 20:31 httpd
-rw-r--r--. 1 root root 173 Dec 7 22:32 iscsiuiolog
-rw-r--r--. 1 root root 136 Jul 7 2010 ppp
-rw-r--r--. 1 root root 329 Jul 7 2010 psacct
-rw-r--r--. 1 root root 219 Dec 8 01:52 sssd
-rw-r--r--. 1 root root 210 Dec 8 01:11 syslog
-rw-r--r--. 1 root root 32 Apr 8 2010 up2date
-rw-r--r--. 1 root root 95 Mar 9 2011 vsftpd
-rw-r--r--. 1 root root 100 Dec 8 02:03 wpa_supplicant
-rw-r--r--. 1 root root 100 Oct 14 21:37 yum
#
The “syslog” file contains the log rotation instructions for the major system logs.
# cat /etc/logrotate.d/syslog
/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}
#
Analyzing Logs
Analyzing log files will typically start with identifying the relevant log file for your issue. If you don’t know which log file to check, go to the “/var/log” directory and look at the files available. If nothing jumps out at you as looking relevant, check the “/var/log/messages” file as a starting point.
Once you have found a file to analyze, you can read it using an editor (like vi), or perform file processing operations on it to pull out relevant text.
# cat /var/log/messages | grep -i error
The “tail -f” command is useful for watching continuous writes to log files over a period of time.
# tail -f /var/log/messages
For ideas about processing files, check out this article.