
Chapter 18. Viewing and Managing Log Files

18.1. Locating Log Files
18.2. Basic Configuration of Rsyslog
18.2.1. Filters
18.2.2. Actions
18.2.3. Templates
18.2.4. Global Directives
18.2.5. Log Rotation
18.3. Using the New Configuration Format
18.3.1. Rulesets
18.3.2. Compatibility with syslogd
18.4. Working with Queues in Rsyslog
18.4.1. Defining Queues
18.4.2. Managing Queues
18.5. Configuring rsyslog on a Logging Server
18.5.1. Using The New Template Syntax on a Logging Server
18.6. Using Rsyslog Modules
18.6.1. Importing Text Files
18.6.2. Exporting Messages to a Database
18.6.3. Enabling Encrypted Transport
18.6.4. Using RELP
18.7. Interaction of Rsyslog and Journal
18.8. Structured Logging with Rsyslog
18.8.1. Importing Data from Journal
18.8.2. Filtering Structured Messages
18.8.3. Parsing JSON
18.8.4. Storing Messages in the MongoDB
18.9. Debugging Rsyslog
18.10. Troubleshooting Logging to a Server
18.11. Using the Journal
18.11.1. Viewing Log Files
18.11.2. Access Control
18.11.3. Using The Live View
18.11.4. Filtering Messages
18.11.5. Enabling Persistent Storage
18.12. Managing Log Files in a Graphical Environment
18.12.1. Viewing Log Files
18.12.2. Adding a Log File
18.12.3. Monitoring Log Files
18.13. Additional Resources

Log files are files that contain messages about the system, including the kernel, services, and applications running on it. There are different log files for different information. For example, there is a default system log file, a log file just for security messages, and a log file for cron tasks.
Log files can be very useful when trying to troubleshoot a problem with the system such as trying to load a kernel driver or when looking for unauthorized login attempts to the system. This chapter discusses where to find log files, how to view log files, and what to look for in log files.
Some log files are controlled by a daemon called rsyslogd. The rsyslogd daemon is an enhanced replacement for sysklogd, and provides extended filtering, encryption-protected relaying of messages, various configuration options, input and output modules, and support for transport over the TCP or UDP protocols. Note that rsyslog is compatible with sysklogd.
Log files can also be managed by the journald daemon – a component of systemd. The journald daemon captures Syslog messages, kernel log messages, initial RAM disk and early boot messages, as well as messages written to the standard output and standard error output of all services; it indexes them and makes them available to the user. The native journal file format, which is a structured and indexed binary file, improves searching and provides faster operation, and it also stores metadata such as time stamps or user IDs. Log files produced by journald are not persistent by default; they are stored only in memory or in a small ring buffer in the /run/log/journal/ directory. The amount of logged data depends on free memory; when the capacity limit is reached, the oldest entries are deleted. However, this setting can be altered – see Section 18.11.5, “Enabling Persistent Storage”. For more information on Journal, see Section 18.11, “Using the Journal”.
By default, these two logging tools coexist on your system. The journald daemon is the primary tool for troubleshooting. It also provides additional data necessary for creating structured log messages. Data acquired by journald is forwarded into the /run/systemd/journal/syslog socket, which may be used by rsyslogd to process the data further. However, by default rsyslog does the actual integration via the imjournal input module, thus avoiding the aforementioned socket. You can also transfer data in the opposite direction, from rsyslogd to journald, with the omjournal module. See Section 18.7, “Interaction of Rsyslog and Journal” for further information. The integration enables maintaining text-based logs in a consistent format to ensure compatibility with applications or configurations that depend on rsyslogd. You can also maintain rsyslog messages in a structured format (see Section 18.8, “Structured Logging with Rsyslog”).

18.1. Locating Log Files

A list of log files maintained by rsyslogd can be found in the /etc/rsyslog.conf configuration file. Most log files are located in the /var/log/ directory. Some applications such as httpd and samba have a directory within /var/log/ for their log files.
You may notice multiple files in the /var/log/ directory with numbers after them (for example, cron-20100906). These numbers represent a time stamp that has been added to a rotated log file. Log files are rotated so their file sizes do not become too large. The logrotate package contains a cron task that automatically rotates log files according to the /etc/logrotate.conf configuration file and the configuration files in the /etc/logrotate.d/ directory.
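The two paragraphs above tell you where rsyslogd's destinations are declared (/etc/rsyslog.conf) and where rotation is configured (/etc/logrotate.conf and /etc/logrotate.d/). A practical check when auditing a host is that every file rsyslogd writes to is actually covered by a logrotate stanza, since an unrotated log can fill the filesystem and silently stop logging. The script below is an added example, not part of this guide or of the rsyslog or logrotate projects: it parses legacy-format rsyslog rules ("selector  /path") and logrotate stanzas ("/path { ... }") from constructed sample text embedded in the script and reports destinations with no rotation rule. The sample configurations, the /var/log/app/custom.log destination, and the function names are all constructed for the demonstration; to run it against a real host, read the real files into the two string arguments instead.

```python
"""Cross-check rsyslog file destinations against logrotate coverage.

Added example (not from the RHEL guide, rsyslog, or logrotate).
Handles the legacy rsyslog rule syntax only; action(type="omfile" ...)
statements from the new configuration format are not parsed here.
"""
from fnmatch import fnmatchcase

# Constructed sample of a legacy /etc/rsyslog.conf rule section.
SAMPLE_RSYSLOG_CONF = """\
# Log all kernel messages to the console.
#kern.*                                                 /dev/console
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
local3.*                                                /var/log/app/custom.log;RSYSLOG_TraditionalFileFormat
"""

# Constructed sample combining /etc/logrotate.conf and /etc/logrotate.d/*.
SAMPLE_LOGROTATE_CONF = """\
weekly
rotate 4
create
dateext
/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
    missingok
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
/var/log/boot.log {
    missingok
    daily
    copytruncate
    rotate 7
}
"""


def rsyslog_file_targets(conf_text):
    """Return the file paths that legacy-format rsyslog rules write to.

    Skips comments, blank lines and $-directives, strips the leading '-'
    that marks an asynchronously written file and any ';template' suffix,
    and ignores non-file actions (:omusrmsg:, @host forwarders, /dev nodes).
    """
    targets = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "$")):
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        action = parts[-1].lstrip("-").split(";")[0]
        if action.startswith("/") and not action.startswith("/dev/"):
            targets.append(action)
    return targets


def logrotate_patterns(conf_text):
    """Return the path patterns covered by logrotate stanzas.

    A stanza is one or more path lines (globs allowed) followed by a
    '{ ... }' block; several paths may share one block, as in the default
    syslog stanza.  Global directives such as 'weekly' or 'include ...'
    are ignored, as is everything inside a block (postrotate scripts).
    """
    patterns, pending, in_block = [], [], False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if in_block:
            if line == "}":
                in_block = False
            continue
        if not line.startswith(("/", "{", "}")):
            continue  # global directive, not a stanza path
        for tok in line.split():
            if tok == "{":
                patterns.extend(pending)
                pending, in_block = [], True
            elif tok == "}":
                in_block = False
            elif tok.startswith("/"):
                pending.append(tok)
    return patterns


def uncovered_targets(rsyslog_conf, logrotate_conf):
    """Return rsyslog file destinations with no matching logrotate pattern."""
    patterns = logrotate_patterns(logrotate_conf)
    return [path for path in rsyslog_file_targets(rsyslog_conf)
            if not any(fnmatchcase(path, pat) for pat in patterns)]


if __name__ == "__main__":
    for path in uncovered_targets(SAMPLE_RSYSLOG_CONF, SAMPLE_LOGROTATE_CONF):
        print("no logrotate rule covers", path)
```

With the constructed samples the only report is /var/log/app/custom.log, the destination that has an rsyslog rule but no stanza. The `fnmatchcase` comparison lets a stanza written as a glob (for example /var/log/app/*.log) satisfy the check the way logrotate itself would expand it.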