If problems arise on your server, it is important for you to be able to fi nd out what hap-pened and why. To help with that, you need to set up logging on your server. On Red Hat Enterprise Linux, the Rsyslog service is used for this purpose. In this section, you’ll learn how to set up Rsyslog, you’ll become familiar with the most commonly used log fi les, and you’ll learn how to set up logrotate to make sure that your server doesn’t get fl ooded with log messages.
c03.indd 91
c03.indd 91 1/8/2013 10:43:14 AM1/8/2013 10:43:14 AM
Download from Wow! eBook <www.wowebook.com>
Even if you don’t do anything to set it up, your server will log automatically. On every Red Hat server, the rsyslogd process is started automatically to log all important events to log fi les and other log destinations, most of which exist in the /var/log directory.
Rsyslogd uses its main confi guration fi le, /etc/rsyslog.conf, to determine what it has to do. To be able to change the default logging behavior on your server, you need to under-stand how this fi le is used. In Listing 3.4 you see part of the default rsyslog.conf fi le as it is created while installing Red Hat Enterprise Linux.
Listing 3.4: Part of rsyslog.conf
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure authpriv.* root
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg * 30 fewer lines
In the /etc/rsyslog.conf fi le, you’ll set up how to handle the logging of different events. To set this up properly, you need to be able to identify the different components that occur in every log. The fi rst part of the lines of code in rsyslog.conf defi ne the facil-ity. In Linux, you work with a fi xed set of predefi ned facilities, which are summarized in Table 3.4.
c03.indd 92
c03.indd 92 1/8/2013 10:43:14 AM1/8/2013 10:43:14 AM
Facility Description
auth and authpriv This is the facility that relates to authentication. auth has been deprecated. Use authpriv instead.
cron Logs messages related to the cron scheduler.
daemon A generic facility that can be used by different processes.
kern A facility used for kernel-related messages.
lpr Printer-related messages.
mail Everything that relates to the handling of email messages.
mark A generic facility that can be used to place markers in syslog.
news Messages that are related to the NNTP news system.
syslog Messages that are generated by Rsyslog itself.
user A generic facility that can be used to log user-related mes-sages.
uucp An old facility that is used to refer to the legacy UUCP protocol.
local0-local7 Eight different local facilities, which can be used by pro-cesses and daemons that don’t have a dedicated facility.
Most daemons and processes used on your system will be confi gured to use one of the facilities listed in Table 3.4 by default. Sometimes, the confi guration fi le of the daemon will allow you to specify which facility the daemon is going to use.
The second part of the lines of code in rsyslog.conf specifi es the priority that should be used for this facility. Priorities are used to defi ne the severity of the message. In ascending order, the following priorities can be used:
1. debug 2. info 3. notice 4. warning 5. err
c03.indd 93
c03.indd 93 1/8/2013 10:43:15 AM1/8/2013 10:43:15 AM
7. alert 8. emerg
If any of these priorities is used, the default behavior is such that anything that matches that priority and higher will be logged. To log only a specifi c priority, the name of the pri-ority should be preceded by an = sign.
Instead of using the specifi c name of a facility or a priority, you can also use * for all or none. It is also possible to specify multiple facilities and/or priorities by separating them with a semicolon. For instance, the following line ensures that, for all facilities, every-thing that is logged with a priority of info and higher is written to /var/log/messages. However, for the mail, authpriv, and cron facilities, nothing is written to this fi le.
*.info;mail.none;authpriv.none;cron.none /var/log/messages
The preceding example brings me to the last part of the lines of code in rsyslog.conf, which contain the destination. In most cases, the messages are written to a fi le in the /var/log directory. However, it is possible to write to a logged-in user, a specifi c device, or just everywhere. The following three lines show you how all messages related to the kern facility are written to /dev/console, the console of your server. Next you can see how all authentication-related messages are sent to root, and fi nally, you can see how all facilities that generate a message with an emerg status or higher send that message to all destinations.
kern.* /dev/console authpriv.* root
*.emerg *