Original: http://www.linuxpapers.org/show_article.html? Log_files
Translation: brimmer
"In order to ensure the normal operation of the system, in order to solve the various problems that may encounter every day, serious reading log files is a very important task for system administrators. In this article, I will explain What is a log file, where can I find a log file and how to handle them, "- Gianluca Insolvibile
Even if you only use Linux at home, you will have some strange problems later soon, as: PPP can't be used, X startup, and so on. At this time, you can only go to the log file to find some spider marts to solve the problem. Even now, everything is working properly, as a system administrator, you must also understand the log. Otherwise, maybe which day ...
System log file
Like other complex operating systems, Linux is composed of many different subsystems, each of which performs a specific task. For example, some programs called daemons run permanently in the background (that is, "silently", without interacting with the user), handling tasks such as printing, sending mail, establishing Internet connections, and so on. You cannot see a daemon because it has no window or user interface. However, these programs sometimes need to deliver information to the user, and a special mechanism is needed to achieve this.
The Linux kernel itself also consists of many subsystems, including networking, file access, memory management, and more. These subsystems also need to pass messages to the user, together with the source and importance of each message.
The solution must be common to the kernel and to other programs: all subsystems send their messages to a common message area that can be maintained. Hence there is a program called syslogd, which receives the messages and distributes them to the right place. Typically, all messages are copied (the term is "logged") to a specific file (called the "log file" or simply the "log"), and particularly important messages are also displayed in the user's terminal window (see Figure 1). syslogd is a good example of a daemon: it runs in the background and transfers messages from the log area to the log files. Like most daemons, its name ends with the letter "d".
Log files are usually stored in the "/var/log" directory. Under the standard configuration of Slackware 4.0, the log files are named messages, debug and syslog. Note that the Slackware distribution has several paths, such as "/var/adm" and "/usr/adm", which are symbolic links to "/var/log". On a Red Hat 6.0 system you will find a number of different log files, namely "/var/log/messages", "/var/log/secure", "/var/log/spooler", and more. The configuration files of the various Linux distributions also differ slightly. The following uses Slackware as an example; for other distributions you may need to make some changes.
Figure 1
Viewing log files
A log file is actually a plain text file, and each line is one message. Any tool that handles plain text under Linux can be used to view log files. Simply using the cat command displays the messages of the "/var/log/messages" file on the screen, but since the file is not shown one page at a time, you will not see most of its contents as they scroll past. Log files are always large, because messages accumulate in them from the first time Linux was started. Later I will explain how to limit the size of log files, but note that it is best not to open a log file with a text editor: on the one hand it takes a lot of memory, and on the other hand the contents of the log file must not be altered. A better way to view a log file is with a pager such as more or less, or to use grep to find a specific message. Let's display "/var/log/messages" with less first. Figure 2 shows some messages taken from the log file. Each line represents one message, and it consists of four fields in a fixed format:
- Timestamp, indicating the date and time of the message.
- Hostname (in our example, escher), indicating the name of the computer that generated the message. If there is only one computer, the hostname may not seem necessary. However, if you use syslog in a network environment, you may have to send the messages of different hosts to one server.
- The name of the subsystem that generated the message. It can be "kernel", meaning the message comes from the kernel, or the name of the process that issued the message, followed by the PID of the process in square brackets.
- Message: the remaining part of the line is the content of the message.
Sep 12 10:23:44 escher sendmail[85]: starting daemon (8.9.3): SMTP+queueing@00:15:00
...
Sep 12 11:06:11 escher passwd[337]: password for `progs' changed by `root'
...
Sep 12 11:08:30 escher kernel: disc changed.
...
Sep 12 16:06:01 escher login[101]: ROOT LOGIN on `tty2'
...
Sep 18 10:53:26 escher identd[251]: Connection from betelgeuse.branzo.it
Sep 18 10:53:26 escher identd[251]: from: 192.168.9.4 (betelgeuse.branzo.it) for: 1024, 21
...
Sep 18 10:54:26 escher su[262]: ttyp0 branzo-progs
...
Sep 18 11:17:12 escher -- MARK --
Sep 18 11:37:12 escher -- MARK --
Figure 2: Some lines extracted from /var/log/messages
In our example, the first line is a message from sendmail, the daemon responsible for managing incoming and outgoing mail. This line reports that the daemon started normally. The second line is a message from passwd reminding us that the password of user "progs" was changed by "root". The other messages report on the operation of our system. In fact, the messages in the "/var/log/messages" file are not particularly important or urgent. One interesting message is the "MARK" message, which is generated every 20 minutes by default and indicates that the system is still running. The "MARK" message is much like a "heartbeat": a "heartbeat signal" is often used, for example, to confirm that a remote host is still running. Another use of the "MARK" message is in post-mortem analysis, where it can help the system administrator determine when the system crashed. The other two standard log files are "/var/log/debug" and "/var/log/syslog", which contain debug messages and important messages such as error reports. Figure 3 is an example of the debug log. The first lines were generated when the CD-ROM in a SCSI device (which the kernel identifies as sr(11,1)) was changed, and the disc was recognised as ISO 9660 format with the Joliet extension (that is, the disc was probably created by a Windows program). Note that each line includes the name of the kernel subsystem that generated the message (VFS, ISO 9660 Extensions, ISOFS). The last two lines come from the sound subsystem, indicating that it has been initialised.
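As an added example (not part of the original article), here is a small Python parser for the four-field line format described above, run over constructed sample lines modelled on Figure 2. It also shows the post-mortem use of the "-- MARK --" lines: any gap between consecutive MARK lines that is much longer than the 20-minute interval marks a period in which syslogd was not running. The hostname, the year 1999 (the classic timestamp carries none) and the sample messages are this example's assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the lines in Figure 2 (not real log output).
SAMPLE_LOG = """\
Sep 18 10:53:26 escher identd[251]: Connection from betelgeuse.branzo.it
Sep 18 10:54:26 escher su[262]: ttyp0 branzo-progs
Sep 18 11:17:12 escher -- MARK --
Sep 18 11:37:12 escher -- MARK --
Sep 18 11:57:12 escher -- MARK --
Sep 18 13:40:03 escher kernel: Sound initialization started
Sep 18 13:40:03 escher kernel: Sound initialization complete
Sep 18 13:57:12 escher -- MARK --
"""

# Four fields: timestamp, hostname, originating subsystem (with optional [pid]), message.
# MARK lines are special: syslogd writes them with no subsystem name in front.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?:(?P<mark>-- MARK --)|(?P<tag>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*))$"
)

def parse_line(line, year=1999):
    """Split one line into its fields; return None if the line is not in syslog format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    # The classic timestamp has no year, so the caller has to supply it (assumed 1999 here).
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    if m["mark"]:
        # MARK lines carry no tag; attribute them to syslogd, which emits them.
        return {"time": when, "host": m["host"], "tag": "syslogd", "pid": None, "msg": "-- MARK --"}
    return {"time": when, "host": m["host"], "tag": m["tag"],
            "pid": int(m["pid"]) if m["pid"] else None, "msg": m["msg"]}

def count_by_tag(lines, year=1999):
    """How many messages each subsystem produced: a quick overview before grepping."""
    counts = {}
    for rec in (parse_line(l, year) for l in lines):
        if rec is not None:
            counts[rec["tag"]] = counts.get(rec["tag"], 0) + 1
    return counts

def mark_gaps(lines, interval=timedelta(minutes=20), year=1999):
    """Return (last_mark, next_mark) pairs where consecutive MARK lines are further apart
    than the configured interval: the machine (or at least syslogd) was down in between."""
    marks = [rec["time"] for rec in (parse_line(l, year) for l in lines)
             if rec is not None and rec["msg"] == "-- MARK --"]
    tolerance = timedelta(seconds=5)   # allow for scheduling jitter
    return [(a, b) for a, b in zip(marks, marks[1:]) if b - a > interval + tolerance]

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(count_by_tag(lines))
    for a, b in mark_gaps(lines):
        print(f"no MARK between {a:%b %d %H:%M:%S} and {b:%b %d %H:%M:%S}: possible crash or reboot")
```

On the constructed sample the parser attributes four lines to syslogd (the MARK lines), two to the kernel and one each to identd and su, and reports the two-hour hole between the MARK lines at 11:57 and 13:57, which is exactly the kind of evidence the article mentions for dating a crash.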
Sep 12 11:26:41 escher kernel: VFS: Disk change detected on device sr(11,1)
Sep 12 11:26:42 escher kernel: ISO 9660 Extensions: Microsoft Joliet Level 3
Sep 12 11:26:42 escher kernel: ISOFS: changing to secondary root
...
Sep 18 10:37:13 escher kernel: Sound initialization started
Sep 18 10:37:13 escher kernel: Sound initialization complete
Figure 3: Some lines extracted from /var/log/debug
There is no particular reason why a message should be classified as "debug", "error" or "normal". The subsystem that generates the message assigns it a category, and syslogd then distributes it to the corresponding file according to its instructions. So although the initialisation message of the sound subsystem would seem to belong to another type, it ends up in the debug log because its author chose to make it a debug message. Later we will see how to classify the different categories of messages precisely and associate them with the corresponding files.
Before going further with log files, note that you must have "root" permissions to view their contents: because the information in the log files is important for the whole system, only the superuser is allowed to access them.
Log files keep growing
New messages are added at the end of the log file, so the latest messages always appear at the end of the file. A convenient way to display the end of a long file is the tail command with the "-n" parameter. For example, to display the last 25 lines of the messages log file, use "tail -n 25 /var/log/messages" or "tail -25 /var/log/messages". Another convenient way is to use less with the "G" command, which jumps to the end of the file: run "less /var/log/messages" and press "G" before leaving the program. The biggest advantage of less is that you can quickly scroll up and down and search for a specific string. To wait for a specific message from a program, you may have to check the log file again and again. Re-running the tail command until the message appears is tedious; a very convenient alternative on Linux is the "tail -f /var/log/messages" command. This tail command displays the last few lines of the log file but does not exit immediately: it keeps waiting until another program appends a line to the log file, and displays the new lines right away. The less command can do the same thing with one parameter: running "less +F /var/log/messages" makes less behave like "tail -f". Moreover, less is easier to interact with, because you can press "Ctrl-C" at any time to stop waiting for messages and return to the normal mode of less, then scroll through the file and search for strings.
Let's use an example. Suppose you want to see the messages generated when a new CD-ROM is mounted, and that these messages are sent to the "/var/log/debug" file. Put the disc in the drive, open a terminal window, and enter the "tail -f /var/log/debug" command (note that you must have "root" permissions). Then, in another terminal window, mount the disc with "mount /cdrom" or "mount /dev/cdrom" and watch the messages appear. It's that easy! Note that this method does not work on Red Hat 6.0, because debug messages are not logged in Red Hat's standard configuration. However, if you read on, you will learn how to change the configuration file.
Configuring the log
Let's look more carefully at how the syslogd daemon works. We have said that this program runs in the background, receives new messages from the system and sends them to the right place. Let's see which types of messages syslogd can handle. Remember that every subsystem that issues a log message also classifies it. More precisely, the classification of a message has two parts: the "facility" and the "priority". The facility identifies the subsystem that issued the message, and the priority indicates the importance of the message, ranging from 7 (least important) to 0 (most important). Figures 4 and 5 are taken from the "/usr/include/sys/syslog.h" file; in them you can see all the priorities and facilities defined in kernel 2.2.6.
Definition     Value   Comment
LOG_EMERG      0       /* system is unusable */
LOG_ALERT      1       /* action must be taken immediately */
LOG_CRIT       2       /* critical conditions */
LOG_ERR        3       /* error conditions */
LOG_WARNING    4       /* warning conditions */
LOG_NOTICE     5       /* normal but significant condition */
LOG_INFO       6       /* informational */
LOG_DEBUG      7       /* debug-level messages */
Figure 4: Message priorities
Definition     Syslog name      Comment
LOG_KERN       kern             /* kernel messages */
LOG_USER       user             /* random user-level messages */
LOG_MAIL       mail             /* mail system */
LOG_DAEMON     daemon           /* system daemons */
LOG_AUTH       auth, security   /* security/authorization messages */
LOG_SYSLOG     syslog           /* messages generated internally by syslogd */
LOG_LPR        lpr              /* line printer subsystem */
LOG_NEWS       news             /* network news subsystem */
LOG_UUCP       uucp             /* UUCP subsystem */
LOG_CRON       cron             /* clock daemon */
LOG_AUTHPRIV   authpriv         /* security/authorization messages (private) */
Figure 5: Message facilities
The second thing you have to know is how to configure syslogd. The basic configuration is very simple, but some advanced features require some experience. We will now look at the basic configuration, which decides, based on facility and priority, which file should receive each message. This is customised by editing the configuration file, usually "/etc/syslog.conf". Before you start, take a look at the "/etc/syslog.conf" file with the less command. Figure 6 shows the result of that command on Slackware 4.0. Lines starting with "#" are comments. The other lines are also easy to understand: they consist of two fields, the "selector" and the "action". The selector uses a facility and a priority (or "*" for any of them) to indicate the type of message. The action says what to do once a new message matches the selector. If the action is just a file name (as is usual on a freshly installed system), the message is appended to that file.
# /etc/syslog.conf
# For info see "man syslog.conf" (the BSD man page), and
# /usr/doc/sysklogd/README.linux
*.=info;*.=notice          /usr/adm/messages
*.=debug                   /usr/adm/debug
*.err                      /usr/adm/syslog
Figure 6: contents of /etc/syslog.conf
If you look at Figure 6, you will find that messages whose priority equals "info" or "notice", whatever their facility, are all sent to the "/usr/adm/messages" file, because the selector uses the "*" wildcard. In the same way, messages with priority "debug" are sent to the "/usr/adm/debug" file, and messages with priority "err" to the "/usr/adm/syslog" file. A freshly installed Red Hat system has no line that handles "debug" messages; you can add such a line to "syslog.conf" so that you can use the example described above. After editing the "/etc/syslog.conf" file, you must also run "killall -HUP syslogd" for the changes to take effect. This command sends a "HUP" signal to the syslog daemon, telling it to re-read its configuration file.
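To make the selector semantics concrete, here is an added Python model of the routing decision syslogd makes (example code written for this article, not the sysklogd source). It reads the rules of Figure 6 (reproduced as a constructed string), uses the numbers from Figures 4 and 5, and answers the question "which file does a message with this facility and priority end up in?". Two things worth checking with it: "*.err" means err and every more important priority, whereas "*.=info" matches only info; and with exactly the three rules shown, a "warning" message matches no rule and is written nowhere. Only the selector forms on this page plus the common "facility.*" form are handled; "none" selectors and "@host" actions are not.

```python
# Priority and facility names and numbers as defined in /usr/include/sys/syslog.h
# (the values listed in Figures 4 and 5).
PRIORITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "security": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10}

# Constructed copy of the Slackware 4.0 rules shown in Figure 6.
SLACKWARE_CONF = """\
# /etc/syslog.conf
*.=info;*.=notice          /usr/adm/messages
*.=debug                   /usr/adm/debug
*.err                      /usr/adm/syslog
"""

def parse_conf(text):
    """Return a list of (selectors, action). A selector is (facilities, exact, level):
    facilities is a set of facility numbers or None for "*"; exact is True when the
    priority was written as "=prio", otherwise the selector also matches every more
    important (numerically lower) priority, which is the classic BSD meaning."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        selector_field, action = line.split(None, 1)
        selectors = []
        for sel in selector_field.split(";"):
            fac_part, _, pri_part = sel.rpartition(".")
            exact = pri_part.startswith("=")
            # "facility.*" means every priority, i.e. debug and above.
            level = 7 if pri_part == "*" else PRIORITIES[pri_part.lstrip("=")]
            facs = None if fac_part == "*" else {FACILITIES[f] for f in fac_part.split(",")}
            selectors.append((facs, exact, level))
        rules.append((selectors, action.strip()))
    return rules

def route(rules, facility, priority):
    """Files to which a message with the given facility/priority names would be appended."""
    fac_n, pri_n = FACILITIES[facility], PRIORITIES[priority]
    targets = []
    for selectors, action in rules:
        for facs, exact, level in selectors:
            fac_ok = facs is None or fac_n in facs
            pri_ok = (pri_n == level) if exact else (pri_n <= level)
            if fac_ok and pri_ok:
                targets.append(action)
                break            # one matching selector per line is enough
    return targets

def unlogged_priorities(rules, facility):
    """Priorities of the given facility that no rule catches at all."""
    return [p for p in PRIORITIES if not route(rules, facility, p)]

if __name__ == "__main__":
    rules = parse_conf(SLACKWARE_CONF)
    for spec in ("user.debug", "user.info", "kern.emerg", "daemon.warning"):
        fac, pri = spec.split(".")
        print(f"{spec:15} -> {route(rules, fac, pri) or 'nowhere'}")
    print("never logged for daemon:", unlogged_priorities(rules, "daemon"))
```

Appending a line such as "*.=debug /var/log/debug" to the constructed configuration is the Red Hat fix the text describes, and running the model again shows debug messages gaining a destination; the unlogged_priorities check is the one to run after any edit, because a priority that no selector catches is silently lost.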
Sending messages to syslogd
The programs that can send messages to syslogd are not limited to system programs (e.g. daemons) and the kernel: any program can send messages to syslogd using the C library function syslog(). This article does not cover the syslog function; if you need it, use the "man 3 syslog" command. If you just want to try sending some messages to syslogd, you can use the logger command. If you are running the "tail -f /var/log/debug" command in one terminal window, try running logger -p user.debug "Hello, world!" in another terminal window: the message will soon appear in the first window. Note that the "-p" parameter specifies the facility and priority of the message. Red Hat users must use "tail -f /var/log/messages" and logger -p user.info "Hello, world!" instead.
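As an added illustration (not from the article), the same thing done from Python with the standard syslog module, which wraps the C syslog(3) function mentioned above. The helper turns the "facility.priority" notation used by logger -p into the single integer syslog() takes, so that the equivalent of logger -p user.debug "Hello, world!" can be sent from a script. The ident "example" and the handling of "security" as an alias of "auth" are this example's assumptions.

```python
import syslog

# "security" is accepted by syslog.conf and logger as a synonym for "auth" (Figure 5),
# but the Python module only defines LOG_AUTH (assumed alias handling for this example).
ALIASES = {"security": "auth"}

def priority_for(spec):
    """Turn a 'facility.priority' spec such as 'user.debug', as given to logger -p,
    into the integer that syslog(3) expects: the facility code shifted left by 3,
    OR-ed with the priority number from Figure 4."""
    facility, _, level = spec.partition(".")
    facility = ALIASES.get(facility, facility)
    fac = getattr(syslog, "LOG_" + facility.upper())   # e.g. LOG_USER  == 1 << 3
    pri = getattr(syslog, "LOG_" + level.upper())      # e.g. LOG_DEBUG == 7
    return fac | pri

def send(spec, message, ident="example"):
    """Python equivalent of: logger -t ident -p spec "message".
    Returns the priority value that was handed to syslog()."""
    pri = priority_for(spec)
    syslog.openlog(ident=ident, logoption=syslog.LOG_PID)   # LOG_PID adds "[pid]" to the tag
    syslog.syslog(pri, message)
    syslog.closelog()
    return pri

if __name__ == "__main__":
    # With the Slackware rules of Figure 6 this lands in /var/log/debug; watch it with tail -f.
    send("user.debug", "Hello, world!")
```

Because the facility occupies the bits above the priority, "user.debug" becomes 8 | 7 = 15 and "kern.emerg" becomes 0; syslogd splits the number back into the two parts before consulting syslog.conf.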
Summary
After reading this simple introduction to the system log, you may want further information; the best way to get it is to read the man pages. Use "man 8 sysklogd" for the syslogd daemon; "man 5 syslog.conf" for the format of the configuration file; "man 8 klogd" if you want to know how kernel messages are handled; "man 3 syslog" for the C library function; and finally "man 1 logger" for the logger command.