Red Hat [Electronic resources] : The Complete Reference Enterprise Linux Fedora Edition; The Complete Reference (text version)


Richard L. Petersen



System Logs: /var/log and syslogd


Various system logs for tasks performed on your system are stored in the /var/log directory. Here you can find logs for mail, news, and all other system operations, such as web server logs. The /var/log/messages file is a log of all system tasks not covered by other logs. This usually includes startup tasks, such as loading drivers and mounting file systems. If a driver for a card failed to load at startup, you find an error message for it here. Logins are also logged in this file, showing you who attempted to log in to what account. The /var/log/maillog file logs mail message transmissions and news transfers.


redhat-logviewer


You can manage and view logs with the Red Hat Log Viewer, redhat-logviewer (System Tools | System Logs). The Red Hat Log Viewer displays a list of all current system logs in a left pane (see Figure 27-2). Clicking a log displays the contents of that log in the left pane. Use the Filter box to enter patterns you wish to look for, and click the Filter button to perform the match. Reset restores the complete listing. In the Preferences dialog, the Log Files panel lets you select a different location for a log file. The Alerts panel lets you create alert words. An alert icon is displayed next to any entry containing an alert word. Configuration settings, such as log file locations and alert words, are kept in the /etc/sysconfig/redhat-logviewer file.


Figure 27-2: Red Hat Log Viewer


syslogd and syslog.conf


The syslogd daemon manages all the logs on your system, as well as coordinating with any of the logging operations of other systems on your network. Configuration information for syslogd is held in the /etc/syslog.conf file, which contains the names and locations for your system log files. Here you find entries for /var/log/messages and /var/log/maillog, among others. Whenever you make changes to the syslog.conf file, you need to restart the syslogd daemon using the following command (or use redhat-config-services, Server Settings | Services):

service syslog restart


syslog.conf Entries


An entry in syslog.conf consists of two fields: a selector and an action. The selector is the kind of service to be logged, such as mail or news, and the action is the location where messages are to be placed. The action is usually a log file, but it can also be a remote host or a pipe to another program. The kind of service is referred to as a facility. syslogd has several terms it uses to specify certain kinds of service (see Table 27-9). A facility can be further qualified by a priority. A priority specifies the kind of message generated by the facility. syslogd uses several designated terms to indicate different priorities. A selector is constructed from both the facility and priority, separated by a period. For example, to save error messages generated by mail systems, you use a selector consisting of the mail facility and the err priority, as shown here:

mail.err

To save these messages to the /var/log/maillog file, you specify that file as the action, giving you the following entry:

mail.err /var/log/maillog

syslogd also supports the use of * as a matching character to match either all the facilities or all the priorities in a selector. cron.* would match on all cron messages no matter what the priority, *.err would match on error messages from all the facilities, and *.* would match on all messages. The following example saves all mail messages to the /var/log/maillog file and all critical messages to the /var/log/mycritical file:

mail.* /var/log/maillog
*.crit /var/log/mycritical


Priorities


When you specify a priority for a facility, all messages with a higher priority are also included. So the err priority also includes the crit, alert, and emerg priorities. If you just want to select the messages for a specific priority, you qualify the priority with the = operator. For example, mail.=err will select only error messages, not crit, alert, and emerg messages. You can also restrict priorities with the ! operator. This will eliminate messages with the specified priority and higher. For example, mail.!crit will exclude crit messages, and the higher alert and emerg messages. To specifically exclude all the messages for an entire facility, you use the none priority. mail.none excludes all mail messages. This is usually used when you're defining several selectors in the same entry.

You can list several priorities or facilities in a given selector by separating them with commas. You can also have several selectors in the same entry by separating them with semicolons. The first example saves to the /var/log/messages file all messages with info priority, excluding all mail and authentication messages (authpriv). The second saves all crit messages and higher for the uucp and news facilities to the /var/log/spooler file:

*.info;mail.none;news.none;authpriv.none /var/log/messages
uucp,news.crit /var/log/spooler


Actions and Users


In the action field, you can specify files, remote systems, users, or pipes. An action entry for a file must always begin with a / and specify its full path name, such as /var/log/messages. To log messages to a remote host, you simply specify the hostname preceded by an @ sign. The following example saves all kernel messages on rabbit.trek.com:

kern.* @rabbit.trek.com

To send messages to users, you list their login names. The following example will send critical news messages to the consoles for the users chris and aleina:

news.=crit chris,aleina

You can also output messages to a named pipe (FIFO). The pipe entry for the action field begins with a |. The following example pipes kernel debug messages to the named pipe /usr/adm/debug:

kern.=debug |/usr/adm/debug

Table 27-9: Syslogd Facilities, Priorities, and Operators

Facilities               Description
authpriv                 Security/authorization messages (private)
cron                     Clock daemon (cron and at) messages
daemon                   Other system daemon messages
kern                     Kernel messages
lpr                      Line printer subsystem messages
mail                     Mail subsystem messages
mark                     Internal use only
news                     Usenet news subsystem messages
syslog                   Syslog internal messages
user                     Generic user-level messages
uucp                     UUCP subsystem messages
local0 through local7    Reserved for local use

Priorities               Description
debug                    7, Debugging messages, lowest priority
info                     6, Informational messages
notice                   5, Notifications, normal, but significant, condition
warning                  4, Warnings
err                      3, Error messages
crit                     2, Critical conditions
alert                    1, Alerts, action must be taken immediately
emerg                    0, Emergency messages, system is unusable, highest priority

Operators                Description
*                        Matches all facilities or priorities in a selector
=                        Restrict to a specified priority
!                        Exclude specified priority and higher ones
/                        A file to save messages to
@                        A host to send messages to
|                        FIFO pipe to send messages to


/etc/syslog.conf Example


The default /etc/syslog.conf file for Red Hat systems is shown here. Messages are logged to various files in the /var/log directory.

/etc/syslog.conf

# Log all kernel messages to the console.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;news.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff.
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save mail and news errors of level err and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# INN
news.=crit /var/log/news/news.crit
news.=err /var/log/news/news.err
news.notice /var/log/news/news.notice
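
The selector rules described in the Priorities section can be checked mechanically against the default file listed above, for instance to confirm that authpriv messages reach only /var/log/secure. The following is an added example, not code from the book or from syslogd: a simplified Python model of selector matching in which the names selector_mask and destinations are hypothetical, and which assumes that the selectors of one entry are applied left to right and that only facilities are comma-separated.

```python
# Added example: a simplified model of syslog.conf selector matching (not syslogd's code).
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]  # 0..7
FACILITIES = ["authpriv", "cron", "daemon", "kern", "lpr", "mail", "news",
              "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]

# The default Red Hat rules from the listing above, with comment lines left out.
DEFAULT_CONF = """\
*.info;mail.none;news.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* /var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
news.=crit /var/log/news/news.crit
news.=err /var/log/news/news.err
news.notice /var/log/news/news.notice
"""

def selector_mask(selectors):
    """Return {facility: set of priority numbers} for one selector field."""
    mask = {f: set() for f in FACILITIES}
    for sel in selectors.split(";"):          # assumption: applied left to right
        facs, pri = sel.rsplit(".", 1)
        negate, pri = pri.startswith("!"), pri.lstrip("!")
        exact, pri = pri.startswith("="), pri.lstrip("=")
        if pri == "none":
            chosen, negate = set(range(8)), True   # none clears the whole facility
        elif pri == "*":
            chosen = set(range(8))
        else:
            n = PRIORITIES.index(pri)
            chosen = {n} if exact else set(range(n + 1))  # pri and higher (lower numbers)
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            mask[fac] = mask[fac] - chosen if negate else mask[fac] | chosen
    return mask

def destinations(facility, priority, conf=DEFAULT_CONF):
    """List the actions whose selector matches a facility/priority pair."""
    n = PRIORITIES.index(priority)
    hits = []
    for line in conf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                           # skip blank and comment lines
        selectors, action = line.split(None, 1)
        if n in selector_mask(selectors)[facility]:
            hits.append(action.strip())
    return hits
```
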










