First, we will describe what Linux logs are, where to find them, and the basics of how they are created. If you already know this, feel free to skip to the next section.
Linux system logs
Linux automatically creates many valuable log files for you. You can find them in the /var/log directory. Here is what the directory looks like on a typical Ubuntu system:
Some of the most important Linux system logs include:
/var/log/syslog or /var/log/messages stores all global system activity data, including boot messages. Debian-based systems such as Ubuntu store it in /var/log/syslog, whereas RedHat-based systems such as RHEL or CentOS store it in /var/log/messages.
/var/log/auth.log or /var/log/secure stores logs from the Pluggable Authentication Modules (PAM), including successful logins, failed login attempts, and the authentication methods used. Ubuntu and Debian store authentication information in /var/log/auth.log, while RedHat and CentOS store it in /var/log/secure.
/var/log/kern stores kernel error and warning data, which is especially useful for troubleshooting faults related to custom kernels.
/var/log/cron stores information about cron jobs. Use this data to verify that your cron jobs are running successfully.
Digital Ocean has a complete tutorial on these files, describing how rsyslog creates them on common distributions such as RedHat and CentOS.
Applications also write log files to this directory. For example, common server programs such as Apache, Nginx and MySQL write their log files here. Some of these log files are created by the application itself, others by syslog (see below).
What is Syslog?
How are Linux system log files created? The answer is the syslog daemon, which listens for log messages on the syslog socket /dev/log and then writes them to the appropriate log file.
The word "syslog" stands for several things, and is usually an abbreviation for one of the following:
Syslog daemon - a program that receives, processes and sends syslog messages. It can send them to a remote, centralized syslog server or write them to a local file. Common examples include rsyslogd and syslog-ng. Used in this sense, people say a message "is sent to syslog".
Syslog protocol - a transport protocol that specifies how logs are transmitted over a network, and that defines the data format of a syslog message (see below). It is formally defined in RFC 5424. For plaintext logs the standard port is 514; for encrypted logs the port is 6514. Used in this sense, the phrase is "transmitted via syslog".
Syslog message - a log message or event in syslog format, which includes a header with several standard fields. Used in this sense, the phrase is "sending a syslog".
Syslog messages or events include a header with several standard fields that make them easier to parse and route. These include the timestamp, the application name, the category or location of the message's source on the system, and the priority of the event.
The following shows a log message with a syslog header. It comes from the sshd daemon, which controls remote logins to the system, and describes a failed login attempt:
<34>1 2003-10-11T22:14:15.003Z server1.com sshd - - pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2
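The pam_unix message above is what ends up in /var/log/auth.log (or /var/log/secure) when someone fails to authenticate over SSH, and it is the line a defender most often wants to count per source address. The following script, which is an added example and not code from the original page, parses constructed auth.log lines in the traditional format rsyslog writes locally (the hostname, PIDs and addresses are made up), extracts the rhost field from each pam_unix authentication failure, and reports sources that exceed a threshold. Lines that are not pam_unix auth failures (cron sessions, accepted logins) are ignored.

```python
import re
from collections import Counter

# Constructed sample lines in the format rsyslog writes to /var/log/auth.log.
# Hostname, PIDs and addresses are invented for this example.
SAMPLE_AUTH_LOG = """\
Oct 11 22:14:15 server1 sshd[2042]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2
Oct 11 22:14:17 server1 sshd[2042]: Failed password for invalid user admin from 10.0.2.2 port 51812 ssh2
Oct 11 22:14:20 server1 sshd[2042]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2
Oct 11 22:15:01 server1 CRON[2050]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 11 22:15:30 server1 sshd[2061]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.7
Oct 11 22:16:02 server1 sshd[2064]: Accepted publickey for alice from 10.0.2.9 port 50022 ssh2
"""

# Traditional syslog header ("Mon DD HH:MM:SS host app[pid]: ") followed by the
# pam_unix authentication-failure message shown on this page. rhost may be empty.
PAM_AUTH_FAILURE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[^\[\s]+)\[(?P<pid>\d+)\]: "
    r"pam_unix\((?P<service>[^:]+):auth\): authentication failure;"
    r".*?rhost=(?P<rhost>\S*)"
)


def parse_auth_failures(log_text):
    """Return one dict per pam_unix authentication failure in log_text."""
    failures = []
    for line in log_text.splitlines():
        m = PAM_AUTH_FAILURE.match(line)
        if not m:
            continue  # not a PAM auth failure (session lines, accepted logins, ...)
        entry = m.groupdict()
        entry["rhost"] = entry["rhost"] or "unknown"  # local or unlogged source
        failures.append(entry)
    return failures


def failures_by_rhost(log_text):
    """Count authentication failures per remote host."""
    return dict(Counter(f["rhost"] for f in parse_auth_failures(log_text)))


def sources_over_threshold(log_text, threshold=2):
    """Remote hosts with at least `threshold` failures, most frequent first."""
    counts = failures_by_rhost(log_text)
    return sorted(
        ((host, n) for host, n in counts.items() if n >= threshold),
        key=lambda item: (-item[1], item[0]),
    )


if __name__ == "__main__":
    for host, n in sources_over_threshold(SAMPLE_AUTH_LOG):
        print(f"{host}: {n} PAM authentication failures")
```

Pointing `parse_auth_failures` at the real file (`open("/var/log/auth.log").read()`) is enough to run it on a Debian or Ubuntu host; on RedHat-family systems read /var/log/secure instead. The threshold is deliberately a parameter, because the right value depends on how noisy a given host's legitimate logins are.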
Syslog format and fields
Each syslog message contains a header with fields. These fields are structured data, which makes events easier to parse and route. Here is the format we used to generate the syslog example above; you can match each value to the name of a particular field.
<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% %msg%\n
Below are some of the fields you will commonly use when searching or troubleshooting syslog:
Timestamp (2003-10-11T22:14:15.003Z in the example above) indicates the time and date at which the message was generated on the sending system. This may differ from the time on the system that receives the message. The timestamp in the example above can be broken down as follows:
2003-10-11 is the year, month and day.
T is a required element of the timestamp, separating the date from the time.
22:14:15.003 is the 24-hour time, including the number of milliseconds (003) into the next second.
Z is an optional element indicating UTC time. Instead of Z, this example could also include an offset, for example -08:00, meaning the time is offset 8 hours from UTC, i.e. PST.
The hostname field (server1.com in the example above) is the name of the host or system that sent the message.
The application name field (sshd:auth in the example above) is the name of the program that sent the message.
The priority field, abbreviated pri (<34> in the example above), tells us how urgent or severe the event is. It consists of two numeric fields: the facility field and the severity field. The severity field is a number from 0 to 7 representing the event's severity, from emergency (0) to debug (7). The facility field describes the process that created the event, and ranges from 0 for kernel messages to 23 for local applications.
Pri can be output in two ways. The first is a single number, calculated by multiplying the facility field by 8 and adding the severity field: (facility) * 8 + (severity). The second is text pri, output as a string in the format "facility.severity". The latter format is easier to read and search, but takes up more storage space.
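To tie the template fields and the pri arithmetic together, here is an added example (not code from the original page or from rsyslog) that parses the RFC 5424 header of the sshd message shown above, decodes the single-number pri into its facility and severity, and renders the text form. The facility and severity names are the conventional short names (the RFC itself only defines the numbers), and the "-" nil value used for procid and msgid in the example is mapped to None. The timestamp handling covers both the Z suffix and a numeric offset such as -08:00.

```python
import re
from datetime import datetime

# The sshd message from this page, in RFC 5424 format.
EXAMPLE = ("<34>1 2003-10-11T22:14:15.003Z server1.com sshd - - "
           "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 "
           "tty=ssh ruser= rhost=10.0.2.2")

# Conventional short names for the 24 facilities (0..23) and 8 severities (0..7).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def encode_pri(facility, severity):
    """Single-number pri as described above: facility * 8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


def decode_pri(pri):
    """Inverse of encode_pri: returns (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"pri out of range: {pri}")
    return divmod(pri, 8)  # (pri // 8, pri % 8)


def pri_text(pri):
    """Text pri in the 'facility.severity' format, e.g. 'auth.crit'."""
    facility, severity = decode_pri(pri)
    return f"{FACILITIES[facility]}.{SEVERITIES[severity]}"


# Field order follows the template on this page:
# <pri>version timestamp hostname app-name procid msgid msg
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<app_name>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<msg>.*)$",
    re.DOTALL,
)


def parse_timestamp(value):
    """RFC 3339 timestamp to an aware datetime; '-' means no timestamp."""
    if value == "-":
        return None
    if value.endswith("Z"):            # Z is UTC; spell it as an explicit offset
        value = value[:-1] + "+00:00"  # so older Pythons' fromisoformat accept it
    return datetime.fromisoformat(value)


def parse_syslog(line):
    """Split an RFC 5424 line into its header fields plus decoded pri."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 header: " + line[:40])
    f = m.groupdict()
    pri = int(f["pri"])
    facility, severity = decode_pri(pri)
    nil = lambda v: None if v == "-" else v  # "-" is the RFC 5424 nil value
    return {
        "pri": pri,
        "facility": facility,
        "severity": severity,
        "pri_text": pri_text(pri),
        "version": int(f["version"]),
        "timestamp": parse_timestamp(f["timestamp"]),
        "hostname": f["hostname"],
        "app_name": f["app_name"],
        "procid": nil(f["procid"]),
        "msgid": nil(f["msgid"]),
        "msg": f["msg"],
    }


if __name__ == "__main__":
    parsed = parse_syslog(EXAMPLE)
    for key, value in parsed.items():
        print(f"{key:10} {value}")
```

Running it on the example shows that <34> decodes to facility 4 (auth) and severity 2 (crit), i.e. 4 * 8 + 2 = 34, which is exactly the "auth.crit" that a text-pri template would have emitted instead.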