Logging
From wiki.soltec.se
- rsyslogd - writes persistent plain-text logs (e.g. /var/log/messages) and is syslogd compatible.
- journald - is part of systemd. With the default Storage=auto and no /var/log/journal directory it writes to /run/log/journal in RAM, so these logs do not survive a reboot.
N.B! To make journald logs persistent, see "Configure journald logs to be persistent" below.
Display & Configuration
Display the rsyslog configuration with line numbering enabled (the main file is /etc/rsyslog.conf; it normally includes /etc/rsyslog.d/*.conf as well).
$ less -N /etc/rsyslog.conf
The following line logs everything of level info or higher to /var/log/messages, except mail, private authentication and cron messages.
*.info;mail.none;authpriv.none;cron.none /var/log/messages
- In the first selector the facility is an asterisk wildcard matching every facility, and the priority is info. A priority in a selector means "that level or more severe", so info also covers notice, warning, err, crit, alert and emerg; only debug is left out.
- Following this are three more selectors for mail, authpriv and cron.
- The priority in all of these is none, meaning messages from those facilities are ignored. Selectors are applied left to right and a later selector overrides an earlier one for the same facility, which is why the none entries must come after *.info.
- The action is to write the matching log messages to /var/log/messages.
To summarise, we have a rule that logs anything of level info or higher except for mail, private authentication and cron messages. Note that authpriv.none only excludes the authpriv facility; messages sent to the plain auth facility are still written here. On RHEL/CentOS-style configurations a separate rule (authpriv.* /var/log/secure) routes the private authentication messages to a file with tighter permissions instead.
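To see which messages the rule above actually accepts, the following added example (written for this page, not the wiki's or rsyslog's own code) evaluates classic selector syntax against the PRI value that prefixes every syslog message (PRI = facility * 8 + severity). It handles the cases the wiki describes (wildcard facility, priority-or-higher, none) plus the `=priority` exact-match form and comma-separated facility lists; property-based filters and RainerScript are not modelled. The sample log lines are constructed for the example.

```python
"""Evaluate classic rsyslog/syslogd selectors against syslog PRI values.

Added example, not code from the wiki page or from rsyslog. Supported
selector syntax: 'facility.priority' (that level or more severe),
'facility.=priority' (exactly that level), 'facility.none', '*' as a
facility wildcard, and 'fac1,fac2.priority' lists. Nothing else.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Facility codes from RFC 5424 / syslog(3). 12-15 are rarely used and omitted.
FACILITIES: Dict[str, int] = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{n}": 16 + n for n in range(8)},
}
FACILITY_NAMES = {code: name for name, code in FACILITIES.items()}

# Severity codes: a lower number is MORE severe, so "info or higher" means <= 6.
SEVERITY_NAMES = {0: "emerg", 1: "alert", 2: "crit", 3: "err",
                  4: "warning", 5: "notice", 6: "info", 7: "debug"}
SEVERITIES: Dict[str, int] = {name: code for code, name in SEVERITY_NAMES.items()}
SEVERITIES.update({"panic": 0, "error": 3, "warn": 4})  # aliases rsyslog accepts

# Per-facility decision: None means dropped ('none'); otherwise (severity, exact).
Threshold = Optional[Tuple[int, bool]]


@dataclass
class Rule:
    thresholds: Dict[int, Threshold]
    action: str


def parse_rule(line: str) -> Rule:
    """Parse one 'selector[;selector...]  action' line.

    Selectors are applied left to right; a later selector overrides an
    earlier one for the same facility. That ordering is what makes
    '*.info;mail.none' log everything except mail.
    """
    selectors, action = line.split(None, 1)
    thresholds: Dict[int, Threshold] = {}
    for selector in selectors.split(";"):
        facilities, priority = selector.rsplit(".", 1)
        if facilities == "*":
            targets = list(FACILITIES.values())
        else:
            targets = [FACILITIES[f] for f in facilities.split(",")]
        exact = priority.startswith("=")
        priority = priority.lstrip("=")
        if priority == "none":
            value: Threshold = None
        elif priority == "*":
            value = (SEVERITIES["debug"], False)  # every severity
        else:
            value = (SEVERITIES[priority], exact)
        for facility in targets:
            thresholds[facility] = value
    return Rule(thresholds, action.strip())


def decode_pri(pri: int) -> Tuple[str, str]:
    """Split the <NN> PRI prefix back into (facility, severity) names."""
    facility, severity = divmod(pri, 8)
    return FACILITY_NAMES.get(facility, f"facility{facility}"), SEVERITY_NAMES[severity]


def matches(rule: Rule, pri: int) -> bool:
    """True if a message with this PRI would be written to rule.action."""
    facility, severity = divmod(pri, 8)
    threshold = rule.thresholds.get(facility)
    if threshold is None:          # facility excluded with 'none' or never selected
        return False
    level, exact = threshold
    return severity == level if exact else severity <= level


def filter_lines(rule: Rule, raw_lines: List[str]) -> List[str]:
    """Keep the raw '<PRI>...' lines the rule would write to its action."""
    kept = []
    for raw in raw_lines:
        if not raw.startswith("<") or ">" not in raw:
            continue
        if matches(rule, int(raw[1:raw.index(">")])):
            kept.append(raw)
    return kept


# Constructed sample lines (invented for this example), PRI prefixes included.
SAMPLE_LINES = [
    "<86>Jan  5 10:00:01 host sshd[1234]: Accepted publickey for admin from 10.0.0.5",  # authpriv.info
    "<22>Jan  5 10:00:02 host postfix/smtpd[2345]: connect from unknown",               # mail.info
    "<77>Jan  5 10:00:03 host CROND[3456]: (root) CMD (run-parts /etc/cron.hourly)",    # cron.notice
    "<4>Jan  5 10:00:04 host kernel: Out of memory: Killed process 4567 (java)",        # kern.warning
    "<15>Jan  5 10:00:05 host myapp[5678]: debug trace",                               # user.debug
    "<38>Jan  5 10:00:06 host su[6789]: pam_unix(su:session): session opened for root", # auth.info
]
MESSAGES_RULE = parse_rule("*.info;mail.none;authpriv.none;cron.none   /var/log/messages")

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        facility, severity = decode_pri(int(raw[1:raw.index(">")]))
        verdict = "logged " if filter_lines(MESSAGES_RULE, [raw]) else "dropped"
        print(f"{facility}.{severity:<8} {verdict} {raw}")
```

Running it shows only the kernel warning and the su line (auth, not authpriv) reaching /var/log/messages; the sshd line goes nowhere under this single rule, which is why a real configuration pairs it with an authpriv.* rule pointing at a separate file.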
Searching in log files
To search in the messages file:
$ grep -v 'systemd' /var/log/messages      --> -v inverts the match, so all systemd messages are ignored
Ignore multiple expressions with an extended regular expression (egrep is a deprecated alias for grep -E):
$ grep -Ev 'systemd|NetworkManager' /var/log/messages
Use the logger command to write entries manually to the log files:
$ logger "your message"                    --> written as user.notice, so it ends up in the messages file
$ logger -p authpriv.info -t myapp "your message"   --> -p chooses facility.priority, -t sets the tag
Note that the tag and facility are chosen by the sending process, so any local user can write a line that looks like it came from another program; do not treat them as proof of origin.
Journalctl
$ journalctl                    | display all journald logs
$ journalctl -k                 | display all kernel entries (matches _TRANSPORT=kernel)
$ journalctl -f                 | follow new entries; this is the same as "tail -f" on syslog files
$ journalctl <path-to-cmd>      | display entries logged by the specified executable (matches _EXE=)
$ journalctl -u <systemd-unit>  | display entries for a systemd unit, e.g. crond, httpd ... (matches _SYSTEMD_UNIT=)
Configure journald logs to be persistent
$ mkdir /var/log/journal
$ systemd-tmpfiles --create --prefix /var/log/journal    --> sets the expected owner root:systemd-journal and mode 2755
$ systemctl restart systemd-journald                     --> or "journalctl --flush" to move the RAM journal into /var/log/journal
Alternatively set Storage=persistent in /etc/systemd/journald.conf and restart systemd-journald; that creates the directory itself.
N.B! journald does not use logrotate (that only applies to rsyslog's text files). Its size and retention are set in journald.conf with SystemMaxUse=, SystemMaxFileSize= and MaxRetentionSec=, and old files can be pruned with journalctl --vacuum-size= or --vacuum-time=. Check "journalctl --disk-usage" after enabling persistence, and remember that a persistent journal is what you will need when investigating an incident after the host has been rebooted.
Searching in journald logs
Display journald logs from the current boot (-b with no argument or -b 0; -b -1 is the previous boot, and "journalctl --list-boots" lists the boots the journal still holds):
$ journalctl -b
$ journalctl -b -1
Display journald logs within the specified time (--since and --until accept absolute timestamps as well as relative systemd.time expressions):
$ journalctl --since "2021-01-01 17:00:00"
$ journalctl --since "2021-01-01" --until "2021-05-01"
$ journalctl --since yesterday
$ journalctl --since 08:00 --until "1 hour ago"
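The journalctl options above are all field matches underneath: -k matches _TRANSPORT=kernel, -u matches _SYSTEMD_UNIT=, a path argument matches _EXE=, and --since/--until compare against __REALTIME_TIMESTAMP (microseconds since the epoch). The following added example (written for this page, not part of the wiki or of systemd) reproduces those matches over constructed records in the shape of "journalctl -o json" output. It only models the primary match for each option; the real -u also pulls in systemd's own messages about the unit. Timestamps are treated as UTC here, whereas journalctl interprets --since in local time.

```python
"""Model of journalctl's -k, -u, <path> and --since/--until field matches.

Added example, not code from the wiki page or from systemd. Records are
constructed to look like `journalctl -o json` output (one JSON object per
line, numeric fields rendered as strings). Fields starting with '_' are
trusted journal fields set by journald from the sender's credentials;
SYSLOG_IDENTIFIER is supplied by the sender and can say anything.
"""
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

Entry = Dict[str, str]


def _ts_us(when: str) -> str:
    """'YYYY-MM-DD HH:MM:SS' -> microseconds since epoch as a string (UTC assumed)."""
    dt = datetime.fromisoformat(when).replace(tzinfo=timezone.utc)
    return str(int(dt.timestamp() * 1_000_000))


# Constructed sample journal (invented for this example). The last record is a
# user-session process that set its identifier to "sshd"; the trusted fields
# still show it ran /usr/bin/python3 inside user@1000.service.
SAMPLE_JSON = "\n".join(json.dumps(r) for r in [
    {"__REALTIME_TIMESTAMP": _ts_us("2021-01-01 16:30:00"), "_TRANSPORT": "kernel",
     "SYSLOG_IDENTIFIER": "kernel", "MESSAGE": "usb 1-1: new high-speed USB device number 3"},
    {"__REALTIME_TIMESTAMP": _ts_us("2021-01-01 17:05:00"), "_TRANSPORT": "syslog",
     "_SYSTEMD_UNIT": "crond.service", "_EXE": "/usr/sbin/crond",
     "SYSLOG_IDENTIFIER": "CROND", "MESSAGE": "(root) CMD (run-parts /etc/cron.hourly)"},
    {"__REALTIME_TIMESTAMP": _ts_us("2021-01-01 17:10:00"), "_TRANSPORT": "stdout",
     "_SYSTEMD_UNIT": "httpd.service", "_EXE": "/usr/sbin/httpd",
     "SYSLOG_IDENTIFIER": "httpd", "MESSAGE": "AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'"},
    {"__REALTIME_TIMESTAMP": _ts_us("2021-01-01 17:20:00"), "_TRANSPORT": "syslog",
     "_SYSTEMD_UNIT": "user@1000.service", "_EXE": "/usr/bin/python3",
     "SYSLOG_IDENTIFIER": "sshd", "MESSAGE": "Accepted password for root from 203.0.113.7 port 4242"},
])


def parse_journal(text: str) -> List[Entry]:
    """One JSON object per line, as journalctl -o json prints them."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def kernel_entries(entries: List[Entry]) -> List[Entry]:
    """journalctl -k"""
    return [e for e in entries if e.get("_TRANSPORT") == "kernel"]


def unit_entries(entries: List[Entry], unit: str) -> List[Entry]:
    """journalctl -u UNIT (a bare name gets '.service' appended, as journalctl does)."""
    if "." not in unit:
        unit += ".service"
    return [e for e in entries if e.get("_SYSTEMD_UNIT") == unit]


def exe_entries(entries: List[Entry], path: str) -> List[Entry]:
    """journalctl /path/to/executable"""
    return [e for e in entries if e.get("_EXE") == path]


def identifier_entries(entries: List[Entry], ident: str) -> List[Entry]:
    """The untrusted counterpart: match on the sender-chosen SYSLOG_IDENTIFIER."""
    return [e for e in entries if e.get("SYSLOG_IDENTIFIER") == ident]


def between(entries: List[Entry], since: Optional[str] = None,
            until: Optional[str] = None) -> List[Entry]:
    """journalctl --since/--until with absolute 'YYYY-MM-DD HH:MM:SS' timestamps."""
    lo = int(_ts_us(since)) if since else 0
    hi = int(_ts_us(until)) if until else 2 ** 63
    return [e for e in entries if lo <= int(e["__REALTIME_TIMESTAMP"]) <= hi]


if __name__ == "__main__":
    entries = parse_journal(SAMPLE_JSON)
    print("journalctl -u sshd       ->", len(unit_entries(entries, "sshd")), "entries")
    for e in identifier_entries(entries, "sshd"):
        print("identifier 'sshd' but _EXE =", e["_EXE"], "in", e["_SYSTEMD_UNIT"])
```

The point for investigations: grepping journal output for "sshd" finds the forged line, while "journalctl -u sshd" does not, because the unit and executable fields come from the kernel-reported credentials of the logging process rather than from the message itself. Prefer the underscore-prefixed fields (or explicit matches such as journalctl _UID=0) when the question is who really wrote an entry.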
