In-depth discussion Linux system log management

zhaozj, 2021-02-16


Source: CCID NETRETT

To keep a Linux system running normally, reading the log files carefully is one of the most important tasks of the system administrator. This article explains briefly what a log file is, where you can find the log files, and how to handle them.

The Linux kernel consists of many subsystems, including networking, file access and memory management. These subsystems need to pass messages to the user, including the source of each message and its importance. All subsystems send their messages to a common message area that can be maintained, and the program that looks after it is called syslog. The system kernel and many system programs generate error messages, warnings and other information. This information is important, so it should be written to a file. The program that performs this job is syslog, and it can be configured to sort the information into different files according to the program that produced it or according to its importance. For example, because kernel messages are more important and must be read regularly to find out where a problem lies, the kernel messages are separated from the other messages and written to a file of their own.

Log files are usually stored in the "/var/log" directory. To view the contents of a log file you must have "root" permission. The information in the log files is very important, and only the superuser can access these files.

Viewing the log files

A log file is actually a plain text file, with one message per line. Any Linux tool that handles plain text can be used to view a log file. Log files are always very large, because messages have accumulated in them since the first time Linux was started. A better way to view a log file is to page through it with more or less, or to find a specific message with grep. Let us first display "/var/log/messages"; you can see some messages taken from the log file.
Each line represents one message and consists of four fields in a fixed format:

* Timestamp, giving the date and time of the message.
* Hostname, the name of the computer that generated the message. If there is only one computer the hostname may not be necessary; but if you use syslog in a network environment, you may want to send messages from different hosts to one server. In our example the host is named LCBJ.
* The name of the subsystem that generated the message. This can be "kernel", indicating that the message came from the kernel, or the name of a process, i.e. the name of the program that produced the message; the PID of the process follows in square brackets.
* The message itself.

In Figure 1, the first line is a message issued by sendmail, the daemon responsible for managing incoming and outgoing mail; this line reports that the daemon started normally. The second line is a message from passwd, recording that the password of user "progs" was changed by "root". The later messages report the operation of the system to the user. In fact, the messages in the "/var/log/messages" file are not particularly important or urgent. One very interesting message is the "MARK" message, which the system generates every 20 minutes by default to say that it is still running. The "MARK" message is very similar to the "heartbeat" that is often used to confirm whether a remote host is still running. Another use of "MARK" is post-mortem analysis: it can help the system administrator determine when the system crashed.

Configuring the log

Let us look carefully at how the syslog daemon works. The program runs in the background, receives new messages from the system, and sends each message to the appropriate place. When a subsystem issues a log message, it specifies a type. The type has two parts: "device" and "priority". The "device" is the subsystem that issued the message; the "priority" is the importance of the message, ranging from 0 (most important) to 7 (least important). Please see Figure 2. The basic configuration of syslog is very simple, although some of the advanced features require some experience. We now look at the basic configuration, which decides which file should receive a message based on its "device" and "priority". This is done by editing the configuration file (usually "/etc/syslog.conf"). Lines starting with "#" are comments. The other lines are also easy to understand: they consist of two fields, the "selector" and the "action". The selector uses a "device" and a "priority" (either may be "*", meaning any) to describe the type of message. The "action" says what to do once a new message arrives that matches the "selector".
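As an added example (not code from the original article), the following Python script parses lines in the four-field format described above and uses the periodic "-- MARK --" heartbeat, which sysklogd writes with no subsystem name, to find windows in which the host was probably down, the post-mortem use of MARK mentioned above. The sample log lines, the hostname LCBJ, the process names and PIDs, and the year supplied for the year-less timestamp are all constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Layout of one /var/log/messages line, as described in the article:
#   timestamp  hostname  subsystem[pid]:  message
# sysklogd writes its periodic heartbeat as a bare "-- MARK --" message
# with no subsystem name, so the subsystem part is optional here.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?:(?P<prog>[^\[\]:\s]+)(?:\[(?P<pid>\d+)\])?: )?"
    r"(?P<msg>.*)$"
)

# Assumption: the classic syslog timestamp carries no year, so we supply one.
ASSUMED_YEAR = 1999
MARK_TEXT = "-- MARK --"


def parse_line(line):
    """Split one syslog line into its four fields; return None if it is malformed."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    stamp = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "time": stamp,
        "host": m["host"],
        "prog": m["prog"],                       # None for "-- MARK --" lines
        "pid": int(m["pid"]) if m["pid"] else None,
        "msg": m["msg"],
        "is_mark": m["msg"] == MARK_TEXT,
    }


def parse_log(text):
    """Parse every non-empty line, skipping lines that do not fit the layout."""
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = parse_line(line)
            if rec:
                records.append(rec)
    return records


def mark_gaps(records, interval_minutes=20, tolerance=2.0):
    """Return (last_seen, next_seen) pairs where the MARK heartbeat was silent
    for longer than tolerance * interval: the window in which the host was
    probably down (or syslogd was not running)."""
    limit = timedelta(minutes=interval_minutes * tolerance)
    marks = [r["time"] for r in records if r["is_mark"]]
    return [(a, b) for a, b in zip(marks, marks[1:]) if b - a > limit]


def count_by_program(records):
    """How many messages each subsystem produced (MARK lines counted as 'mark')."""
    return Counter(r["prog"] or "mark" for r in records)


# Constructed sample log in the format the article describes (not real data).
SAMPLE_LOG = """\
Mar  5 10:00:01 LCBJ sendmail[213]: starting daemon (8.9.3): SMTP+queueing@01:00:00
Mar  5 10:03:17 LCBJ passwd[401]: password for progs changed by root
Mar  5 10:20:00 LCBJ -- MARK --
Mar  5 10:40:00 LCBJ -- MARK --
Mar  5 10:41:05 LCBJ kernel: eth0: link up
Mar  5 12:20:00 LCBJ -- MARK --
Mar  5 12:40:00 LCBJ -- MARK --
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(f"{r['time']:%b %d %H:%M:%S} {r['host']:5} {r['prog'] or '-':9} {r['msg']}")
    print("messages per subsystem:", dict(count_by_program(recs)))
    for last, nxt in mark_gaps(recs):
        print(f"MARK silent from {last:%H:%M} to {nxt:%H:%M}: "
              f"the host was probably down in between")
```

Run against a real file with `parse_log(open("/var/log/messages").read())` as root; the gap between the 10:40 and 12:20 MARK lines in the sample is what a crash or power loss leaves behind in the log.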

In Figure 3, you can see that messages whose "priority" is "info" or "notice" are sent to the "/usr/adm/messages" file whatever their "device", because a wildcard is used in the "selector". Likewise, messages of "priority" "debug" and "err" are sent to the "/usr/adm/debug" file. After editing the "/etc/syslog.conf" file you must also run "killall -HUP syslogd" for the changes to take effect. This command sends a "HUP" signal to the syslog daemon, telling it to re-read its configuration file. Log files are important to the administrator. By managing the log files, the system can be better maintained and the normal operation of the various applications ensured.
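As an added example (not the article's own material), the Python script below evaluates a syslog.conf fragment the way the selector/action mechanism described above works and answers the question "which file will a message with this device and priority end up in?". It implements a subset of sysklogd's selector syntax: the facility wildcard "*", comma-separated facilities, a bare priority (which in syslogd means that level and every more important one, so "*.info" also catches notice, warning, err and so on), "=priority" for exactly one level, "none" to exclude a facility, and ";" to chain selectors. The configuration text, which mirrors the files named in the article's Figure 3, is constructed for the example; the "-" and "!" action and selector variants of real syslog.conf are not handled.

```python
# Priority names in traditional syslog order: 0 (most important, emerg) to 7
# (least important, debug), matching the article's numbering.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRIO_INDEX = {name: i for i, name in enumerate(PRIORITIES)}

# Facilities are what the article calls "devices".
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]


def _level(name):
    """Validate a priority name and return it."""
    if name not in PRIO_INDEX:
        raise ValueError(f"unknown priority {name!r}")
    return name


def parse_selectors(sel_part):
    """Turn 'fac1,fac2.prio;fac3.=prio;fac4.none' into a per-facility set of
    priorities the rule accepts. Selectors apply left to right, so a later
    'mail.none' removes what an earlier '*.info' added."""
    mask = {fac: set() for fac in FACILITIES}
    for sel in sel_part.split(";"):
        fac_part, dot, prio = sel.partition(".")
        if not dot:
            raise ValueError(f"selector {sel!r} has no '.'")
        facs = FACILITIES if fac_part == "*" else fac_part.split(",")
        for fac in facs:
            if fac not in mask:
                raise ValueError(f"unknown facility {fac!r}")
            if prio == "none":
                mask[fac].clear()
            elif prio == "*":
                mask[fac].update(PRIORITIES)
            elif prio.startswith("="):           # exactly this level
                mask[fac].add(_level(prio[1:]))
            else:                                # this level and more important
                mask[fac].update(PRIORITIES[:PRIO_INDEX[_level(prio)] + 1])
    return mask


def parse_config(text):
    """Parse syslog.conf text into (mask, action) rules; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)              # selector and action are separated by whitespace
        if len(parts) != 2:
            raise ValueError(f"rule without action: {line!r}")
        rules.append((parse_selectors(parts[0]), parts[1].strip()))
    return rules


def route(rules, facility, priority):
    """Return the actions (here file names) a message with this facility and
    priority would be written to, in configuration order."""
    _level(priority)
    if facility not in FACILITIES:
        raise ValueError(f"unknown facility {facility!r}")
    return [action for mask, action in rules if priority in mask[facility]]


# Constructed configuration modelled on the files named in the article's Figure 3.
SAMPLE_CONF = """\
# Everything of priority info or more important, except mail chatter
*.info;mail.none            /usr/adm/messages
# Exactly debug-level and exactly err-level messages to a separate file
*.=debug;*.=err             /usr/adm/debug
# Kernel messages of every priority get their own file
kern.*                      /var/log/kernel
# Authentication messages
authpriv.*                  /var/log/secure
"""

if __name__ == "__main__":
    rules = parse_config(SAMPLE_CONF)
    for fac, prio in [("kern", "info"), ("kern", "debug"), ("mail", "info"),
                      ("daemon", "err"), ("daemon", "debug"), ("authpriv", "notice")]:
        print(f"{fac}.{prio:8} -> {route(rules, fac, prio) or 'dropped'}")
```

After changing the real file the daemon still has to be told with `killall -HUP syslogd`; the routing table above is only a way to check beforehand that a message of a given kind lands where you expect, and that nothing important is silently dropped (the "mail.info" case here).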

