Logging

From wiki.soltec.se
  • rsyslogd - writes persistent logs and is syslogd compatible
  • journald - is part of systemd; these logs don't survive a reboot as they are written to RAM.

N.B! To make journald logs persistent, see "Configure journald logs to be persistent" below.


Display & Configuration

Display the rsyslog configuration file with line numbering enabled.

   $ less -N /etc/rsyslog.conf

The following line logs anything of level info or higher, except mail, private authentication, and cron messages.

   *.info;mail.none;authpriv.none;cron.none   /var/log/messages

  • In the first selector, the facility is an asterisk wildcard matching everything, and the priority level is info.

Following this are three more selectors for mail, authpriv, and cron.

  • The priority in all of these is none, meaning it will ignore the messages.
  • The action is to write the log messages to /var/log/messages.

To summarise, we have a rule that logs anything of level info or higher except for mail, authentication, and cron messages.
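
The selector logic above, as an added example that is not part of the original wiki page: a small Python evaluator for the subset of selector syntax used here (`*`, comma-separated facilities, `none`, `=priority`). The function names and the sample messages are constructed for illustration.

```python
# Added example, not from the wiki page: evaluates a syslog selector list.
# Lower number = more severe; "info or higher" means severity number <= 6.
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

RULE = "*.info;mail.none;authpriv.none;cron.none   /var/log/messages"


def parse_rule(line):
    """Return (selectors, action); each selector is (facility list, priority)."""
    selector_field, action = line.split(None, 1)
    selectors = []
    for selector in selector_field.split(";"):
        facilities, priority = selector.rsplit(".", 1)
        selectors.append((facilities.split(","), priority))
    return selectors, action.strip()


def is_logged(selectors, facility, severity):
    """Apply selectors left to right; a later 'none' cancels an earlier match."""
    level = SEVERITY[severity]
    selected = False
    for facilities, priority in selectors:
        if "*" not in facilities and facility not in facilities:
            continue  # this selector says nothing about the facility
        if priority == "none":
            selected = False
        elif priority == "*":
            selected = True
        elif priority.startswith("="):
            # "=prio" selects exactly that severity
            selected = selected or level == SEVERITY[priority[1:]]
        else:
            # plain "prio" selects that severity and anything more severe
            selected = selected or level <= SEVERITY[priority]
    return selected


if __name__ == "__main__":
    selectors, action = parse_rule(RULE)
    # Constructed sample messages: (facility, severity)
    samples = [("daemon", "info"), ("daemon", "debug"), ("kern", "emerg"),
               ("authpriv", "err"), ("mail", "crit"), ("cron", "info")]
    for facility, severity in samples:
        hit = is_logged(selectors, facility, severity)
        print(f"{facility}.{severity:<8} -> {action if hit else 'not written by this rule'}")
```
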


Searching in log files

To search in the messages file

   $ grep -v 'systemd' /var/log/messages
   -v for invert      --> so ignore all systemd messages

Ignore multiple expressions using egrep

   $ egrep -v 'systemd|NetworkManager' /var/log/messages

Use the logger command to write entries manually to log files

   $ logger "your message"    --> will write to messages file.


Journalctl

   $ journalctl                     --> display all journald logs
   $ journalctl -k                  --> display all kernel entries
   $ journalctl -f                  --> this is the same as "tail -f" on syslog files
   $ journalctl <path-to-cmd>       --> display entries for the specified command
   $ journalctl -u <systemd-unit>   --> display systemd info for a unit, e.g. crond, httpd, ...

Configure journald logs to be persistent

   $ mkdir /var/log/journal
   $ systemctl restart systemd-journald
   N.B! Don't forget to check the logrotate configuration

Searching in journald logs

Display journald logs from the most recent boot.
   $ journalctl -b      --> no offset (or -b 0) means the current boot; -b 1 selects the oldest boot in the journal
Display journald logs within the time specified.
   $ journalctl --since "2021-01-01 17:00:00"
   $ journalctl --since "2021-01-01" --until "2021-05-01"
   $ journalctl --since yesterday
   $ journalctl --since 08:00 --until "1 hour ago"