How to create Linux logs?


Linux logs are created either by users or automatically by the system. They record the state of the system and important parameters of programs. This article explains how Linux logs are created.

Linux system log

Many valuable log files are created automatically by Linux for you. You can find them in the /var/log directory. On a typical Ubuntu system the directory contains files such as the ones listed below.

Some of the most important Linux system logs include:

1. /var/log/syslog or /var/log/messages: stores all global system activity data, including boot information. Debian-based systems such as Ubuntu store it in /var/log/syslog, while RedHat-based systems such as RHEL or CentOS store it in /var/log/messages.

2. /var/log/auth.log or /var/log/secure: stores logs from the Pluggable Authentication Modules (PAM), including successful logins, failed login attempts, and the authentication methods used. Ubuntu and Debian store authentication information in /var/log/auth.log, while RedHat and CentOS store it in /var/log/secure.

3. /var/log/kern: stores kernel errors and warnings, which is especially useful for troubleshooting faults associated with custom kernels.

4. /var/log/cron: stores information about cron jobs. Use this data to make sure your cron jobs are running successfully.
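The authentication log is the one a defender reads most often, so here is an added example (not code from the article) that parses a few constructed /var/log/auth.log lines in the traditional line format rsyslog writes on Ubuntu and Debian, counts PAM authentication failures per source host, lists accepted logins, and flags sources that exceed a threshold. The sample lines, host names and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines (traditional syslog line format);
# not taken from the article.
SAMPLE_AUTH_LOG = """\
Oct 11 22:14:15 server1 sshd[2211]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2 user=root
Oct 11 22:14:18 server1 sshd[2211]: Failed password for root from 10.0.2.2 port 51122 ssh2
Oct 11 22:14:25 server1 sshd[2213]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2 user=root
Oct 11 22:15:01 server1 CRON[2220]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 11 22:16:40 server1 sshd[2231]: Accepted publickey for alice from 192.168.1.20 port 40022 ssh2
Oct 11 22:17:02 server1 sshd[2240]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9 user=admin
"""

# "Mon DD HH:MM:SS host program[pid]: message" -- the PID part is optional.
LINE_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
RHOST_RE = re.compile(r"\brhost=(\S+)")


def parse_line(line):
    """Split one traditional syslog line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


def summarize_auth_log(text):
    """Count sshd PAM authentication failures per remote host and collect accepted logins."""
    failures = Counter()
    accepted = []
    unparsed = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["prog"] != "sshd":
            continue  # cron sessions and other PAM users are not login attempts
        msg = rec["msg"]
        if "authentication failure" in msg:
            m = RHOST_RE.search(msg)
            failures[m.group(1) if m else "unknown"] += 1
        elif msg.startswith("Accepted "):
            # "Accepted <method> for <user> from <addr> ..." -> the user name
            accepted.append(msg.split()[3])
    return {"failures_by_rhost": dict(failures), "accepted_users": accepted, "unparsed": unparsed}


def noisy_sources(summary, threshold=2):
    """Remote hosts whose failure count reached the threshold, most failures first."""
    hits = [(h, n) for h, n in summary["failures_by_rhost"].items() if n >= threshold]
    return sorted(hits, key=lambda hn: (-hn[1], hn[0]))


if __name__ == "__main__":
    s = summarize_auth_log(SAMPLE_AUTH_LOG)
    print(s)
    print("sources at or above threshold:", noisy_sources(s))
```

The threshold is deliberately a parameter: on a real host you would tune it against the normal failure rate in your own auth.log before alerting on it, and the `unparsed` counter tells you when a line format you did not expect (for example a different timestamp template) is silently slipping past the regex.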

Digital Ocean has a complete tutorial on these files that explains how rsyslog creates them in common distributions such as RedHat and CentOS.

Applications also write log files to this directory. For example, common server programs such as Apache, Nginx and MySQL write their log files here. Some of these log files are created by the application itself, others are created by syslog (see below).

What is Syslog?

How are the Linux system log files created? The answer is the syslog daemon, which listens for log messages on the syslog socket /dev/log and writes them to the appropriate log file.

The word "syslog" has several meanings and is commonly used to refer to one of the following:

1. Syslog daemon: a program that receives, processes and sends syslog messages. It can forward syslog messages to a remote centralized server or write them to a local file. Common examples are rsyslogd and syslog-ng. In this sense, people often say "send to syslog".

2. Syslog protocol: a transport protocol that specifies how logs are transmitted over the network, together with a definition of the data format of syslog messages (see below). It is formally defined in RFC 5424. For plain-text logs the standard port is 514, and for encrypted logs the port is 6514. In this sense, people often say "send via syslog".

3. Syslog message: a log message or event in syslog format, which includes a header with several standard fields. In this sense, people often say "send syslog".

Syslog messages or events include a header with several standard fields that make parsing and routing easier. They include the timestamp, the name of the application, the classification or location of the source of the message within the system, and the priority of the event.

Shown below is a log message with a syslog header from the sshd daemon, which controls remote logins to the system. This message describes a failed login attempt:

<34>1 2003-10-11T22:14:15.003Z server1.com sshd - - pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2
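To show what the header above actually carries, here is an added example (not code from the article) that decodes an RFC 5424 message: the PRI value in angle brackets is facility * 8 + severity, so <34> is facility 4 (auth) at severity 2 (critical), followed by version, timestamp, hostname, application name, process id, message id and structured data. One caveat a practitioner should know: the article's example omits the structured-data field (a lone "-" would normally sit between the second "-" and the pam_unix text), so the parser below is lenient and treats a non-conforming trailer as the message body. The same block builds a conforming message and hands it to the local daemon over /dev/log; the facility and severity name tables are from RFC 5424, and the assumption that the local daemon accepts RFC 5424 format on the socket (rsyslogd does by default) is mine.

```python
import re
import socket
from datetime import datetime, timezone

# Facility (0-23) and severity (0-7) names as numbered in RFC 5424, section 6.2.1.
FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed copy of the article's sshd message with the PRI brackets restored.
EXAMPLE = ("<34>1 2003-10-11T22:14:15.003Z server1.com sshd - - "
           "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 "
           "tty=ssh ruser= rhost=10.0.2.2")

# PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID [SP rest]
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+)(?: (?P<rest>.*))?$"
)


def decode_pri(pri):
    """Split a PRI value into (facility, severity) names; PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITY_NAMES[pri // 8], SEVERITY_NAMES[pri % 8]


def _split_sd(rest):
    """Separate leading [...] structured-data elements (with \\] escapes) from the MSG."""
    i = 0
    while i < len(rest) and rest[i] == "[":
        j = i + 1
        while j < len(rest) and rest[j] != "]":
            if rest[j] == "\\":
                j += 1  # skip the escaped character
            j += 1
        i = j + 1
    return rest[:i], (rest[i + 1:] if i < len(rest) else "")


def parse_rfc5424(line):
    """Parse one RFC 5424 message into its header fields, structured data and message."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message")
    fields = m.groupdict()
    facility, severity = decode_pri(int(fields.pop("pri")))
    rest = fields.pop("rest") or ""
    if rest == "-":
        sd, msg = "-", ""
    elif rest.startswith("- "):
        sd, msg = "-", rest[2:]
    elif rest.startswith("["):
        sd, msg = _split_sd(rest)
    else:
        sd, msg = None, rest  # non-conforming: structured-data field missing, as in the article
    return {**fields, "facility": facility, "severity": severity,
            "structured_data": sd, "msg": msg}


def format_rfc5424(facility, severity, hostname, app, msg,
                   procid="-", msgid="-", timestamp=None):
    """Build a conforming RFC 5424 message with no structured data."""
    pri = FACILITY_NAMES.index(facility) * 8 + SEVERITY_NAMES.index(severity)
    ts = (timestamp or datetime.now(timezone.utc)).isoformat(timespec="milliseconds")
    return f"<{pri}>1 {ts.replace('+00:00', 'Z')} {hostname} {app} {procid} {msgid} - {msg}"


def send_to_local_syslog(message, path="/dev/log"):
    """Hand a message to the local syslog daemon over its Unix datagram socket."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.connect(path)
        s.send(message.encode("utf-8"))


if __name__ == "__main__":
    print(parse_rfc5424(EXAMPLE))
    print(format_rfc5424("auth", "crit", socket.gethostname(), "demo", "example message"))
```

Decoding the PRI is what lets a daemon route the article's message to /var/log/auth.log rather than /var/log/syslog: rsyslog and syslog-ng filter on exactly this facility and severity pair, so a message whose PRI was mis-set by the sender will land in the wrong file no matter what its text says.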
