On the right side of each entry in /etc/syslog.conf is a destination for the messages. The destination may be:
An absolute pathname
Messages are placed in the specified file. The pathname may also point to a named pipe, providing a method for passing messages to another program, or to a device such as a terminal (such as /dev/tty3) or a printer (/dev/lp0). Adding a hyphen in front of a pathname prevents syslogd from flushing the buffers to disk after each write. Flushing after every write eats performance, but it increases the chance that a message describing the cause of a crash will make it onto the disk.
@host
Messages are forwarded to syslogd on the remote host.
user,user,user,...
Messages are written to the terminals of any of these users who are currently logged in.
*
Messages are written to the terminals of all logged-in users.
The order of the lines in the configuration file does not matter; every line is checked against each incoming message, so messages may be sent to multiple destinations.
The default configuration file routes messages according to Table 8-5; as you can see, /var/log/messages is the prime source of information about the state of the system.
Table 8-5. Message routing as configured in the default syslog configuration file
| Type of message | Destination |
|---|---|
| Everything except mail, authentication, and cron messages, with a priority of info or higher | /var/log/messages |
| Authentication messages (which may contain private information) | /var/log/secure |
| Mail | /var/log/maillog |
| Cron | /var/log/cron |
| All messages of emerg level or higher | The terminals of all logged-in users |
| UUCP and news messages of crit level or higher | /var/log/spooler |
| Boot messages | /var/log/boot.log |
8.7.1.1. Interpreting /var/log/messages
The /var/log/messages logfile contains entries similar to this:
May 31 10:40:58 laptop3 dhclient: DHCPREQUEST on eth0 to 172.16.97.254 port 67
May 31 10:40:58 laptop3 dhclient: DHCPACK from 172.16.97.254
May 31 10:40:58 laptop3 dhclient: bound to 172.16.97.100 -- renewal in 34387 seconds.
May 31 20:14:05 laptop3 dhclient: DHCPREQUEST on eth0 to 172.16.97.254 port 67
May 31 20:14:05 laptop3 dhclient: DHCPACK from 172.16.97.254
May 31 20:14:05 laptop3 dhclient: bound to 172.16.97.100 -- renewal in 41631 seconds.
Each entry consists of a date, time, hostname (laptop3 in this example), program name or other prefix (dhclient), and a text message. Note that the facility and priority are not recorded in the logfile.
Since the /var/log/messages file can be very large, it's worthwhile using a tool such as grep to search for specific records. For example, you can view all of the kernel messages with the command:
$ grep kernel /var/log/messages
May 30 04:23:08 bluesky kernel: SELinux: initialized (dev hdd, type iso9660), uses genfs_contexts
May 31 20:48:40 bluesky kernel: atkbd.c: Unknown key pressed (translated set 2, code 0x85 on isa0060/serio0).
May 31 20:48:40 bluesky kernel: atkbd.c: Use 'setkeycodes e005 <keycode>' to make it known.
May 31 21:14:54 bluesky kernel: cdrom: This disc doesn't have any tracks I recognize!
8.7.1.2. Creating your own logfile entries
You can generate syslog messages using the logger command-line tool. Simply provide your text as arguments:
$ logger Added host lightning to /etc/hosts
The message recorded in /var/log/messages contains the username as the prefix:
Jun 1 02:32:59 darkday chris: Added host lightning to /etc/hosts
It's convenient to log information about changes you have made on the system in this way, entering them as you work. Your notes will be interleaved with system-generated log messages, making it easy to see the relationship between the changes that you have made and any messages that start or stop appearing in the log as a result.
By default, logger uses the facility user and the priority notice. You can override this using the -p option, and you can override the insertion of the username by supplying an alternate tag with the -t option:
$ logger -p local1.crit -t cooling Stopped water pump
Which would result in this message being logged:
Jun 1 09:54:49 darkday cooling: Stopped water pump
An alias can be used to simplify logging from the command line:
$ alias note='logger -p local4.notice '
$ note Ran yum update
If you are logging a message that contains metacharacters, surround the message with quotation marks.
By adding a custom rule to /etc/syslog.conf, the messages sent to the local1 facility can be placed in their own file (in addition to being logged in /var/log/messages):
local1.* /var/log/cooling
The security context of any new logfiles must be set to the same context as /var/log/messages :
# touch /var/log/cooling
# ls -Z /var/log/messages /var/log/cooling
-rw-r--r-- root root user_u:object_r:var_log_t /var/log/cooling
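The following added example (not part of the original text, and not syslogd's own code) simulates how every rule is checked against a message, showing why a local1.crit message lands in both /var/log/messages and /var/log/cooling while authentication messages stay out of /var/log/messages. The rule text is constructed from Table 8-5 plus the local1 rule above; the facility names authpriv and local7 for the authentication and boot rows are assumptions, and the = and ! selector modifiers and priority aliases such as warn are not handled.

```python
# Added example: simulates syslog.conf selector matching (not syslogd's own code).
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Constructed sample: the routing of Table 8-5 written as rules, plus the local1 rule.
SAMPLE_CONF = """\
# selector                                  destination
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
*.emerg                                     *
uucp,news.crit                              /var/log/spooler
local7.*                                    /var/log/boot.log
local1.*                                    /var/log/cooling
"""

def parse_rules(text):
    """Return (selector, destination) pairs, skipping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            selector, destination = line.split(None, 1)
            rules.append((selector, destination))
    return rules

def selector_matches(selector, facility, priority):
    """Evaluate ';'-separated parts left to right; 'none' cancels an earlier match."""
    level = PRIORITIES.index(priority)
    matched = False
    for part in selector.split(";"):
        facilities, _, wanted = part.rpartition(".")
        names = facilities.split(",")
        if "*" not in names and facility not in names:
            continue
        if wanted == "none":
            matched = False
        elif wanted == "*" or level >= PRIORITIES.index(wanted):
            matched = True  # a priority name means that level or higher
    return matched

def destinations(rules, facility, priority):
    """Every rule is checked, so one message can reach several destinations."""
    return [dest for sel, dest in rules if selector_matches(sel, facility, priority)]

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONF)
    for fac, pri in [("local1", "crit"), ("authpriv", "info"), ("kern", "emerg")]:
        print(f"{fac}.{pri}: {destinations(rules, fac, pri)}")
```

Running the same check against a copy of your own /etc/syslog.conf is a quick way to confirm that messages which may contain private information are written only to the files you expect.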