Logging with syslog

The traditional Linux logging facility is syslogd. Current versions of SLES and openSUSE offer both syslogd and syslog-ng (ng for "new generation''). syslog-ng is now the default in openSUSE and SLES. The basic concepts of logging facilities and log levels apply to both methods; syslog-ng (discussed later in the chapter) is essentially an extension of syslogd that has more flexibility and is easier to use as a central log host in a large networked environment.

Here we look first at syslogd and then move on to the more modern syslog-ng. Most of the basic concepts are similar.

The syslogd daemon intercepts messages logged to the system logging facility and then processes those messages based on the configuration specified in /etc/syslog.conf. The other side of syslogd is the klogd process, the kernel logging process that processes kernel-specific messages such as kernel crashes or a failure in a component of the kernel (for example, a kernel module).

j r - - r Not all processes use the syslogd method of logging. You will see in this chapter

H* ,t .-.5 . that syslogd has some limitations. To get around these, many applications provide their own logging facilities and use their own logging mechanisms. The way that such applications handle logging is therefore application-specific, and does not use the syslogd process.

The configuration file for syslogd is relatively simple to read, and you will see why it is limited in its use in modern systems based on this.

When a process asks the kernel to log information, it passes a logging facility to the kernel system call. This logging facility tells the kernel and the user what type of log entry it is. In the case of e-mail, the logging facility is MAIL. For FTP logging, it would be FTP. A total of 20 logging facilities are available to the system, 12 of which are used for specific purposes (see Table 7-1) and 8 for local use only. (When we talk about local use, we mean that you can tell your application to use one of the local logging facilities to customize how those log entries are saved and interpreted.)


Logging Facilities and Their Uses

Logging Facility



Deprecated. Replaced by AUTHPRIV.


Authentication logging.


Logging for the CRON and AT daemons.


General logging for daemons that do not have their own facility (BIND, OpenLDAP, and so on).


Logging for FTP daemons.


Kernel logging.


Custom logging facilities for local use.


Printing system logging facility.


Mail Transfer Agent (MTA) logging.


Network News Transfer Protocol (NNTP) logging facilities.


Internal syslog logging facility. Used for syslog to log messages it generates itself.


Generic user messages.


Logging for Unix-to-Unix Copy Protocol (UUCP) services.

Information for this table was taken from the syslog(3) man page.

Information for this table was taken from the syslog(3) man page.

Predefined logging facilities can cover the main services a Linux server is used for, but if you are hosting a large number of services on a server, you will find that you will run out of logging facilities to use. For general use, syslog serves the purpose well. But for larger systems, or a central logging server, it may prove very difficult to separate logs in a coherent fashion.

Each logging facility also has a log level that can be associated with the severity of the message (see Table 7-2). A world of difference exists between the MAIL facility's logging that mail has been received and that there is a critical configuration problem that has stopped the mail system from running. To distinguish between these scenarios, you can specify in the syslog.conf file how to handle those different situations. Of course, it is up to the mail system to specify the severity of the messages, not syslogd.


Log Levels

Log Level



Dire emergency. The system in question may not be capable of continuing.


Action must be taken immediately.


A critical error has occurred.


Standard error.


General notification level. This is something that someone should see and perhaps act upon if the need arises.


General information.


General information.

WARNING Warnings.

DEBUG Debugging information. Usually very high traffic.

Information for this table was taken from the syslog(3) man page.

As an example, we will work with an entry for the mail subsystem (see Listing 7-2) and examine how the logging via syslog is configured.

Was this article helpful?

0 0

Post a comment