rsyslog


The rsyslogd daemon is responsible for collecting service messages coming from applications and the kernel, then dispatching them into log files (usually stored in the /var/log/ directory). The main configuration file is /etc/rsyslog.conf and each log message is associated with an application subsystem (called “facility” in the documentation).


The available facilities are:
• auth and authpriv: for authentication;
• cron: comes from task scheduling services, cron and atd;
• daemon: affects a daemon without any special classification (DNS, NTP, etc.);
• ftp: concerns the FTP server;
• kern: message coming from the kernel;
• lpr: comes from the printing subsystem;
• mail: comes from the e-mail subsystem;
• news: Usenet subsystem message (especially from an NNTP — Network News Transfer Protocol — server that manages newsgroups);
• syslog: messages from the syslogd server, itself;
• user: user messages (generic);
• uucp: messages from the UUCP server (Unix to Unix Copy Program, an old protocol notably used to distribute e-mail messages);
• local0 to local7: reserved for local use.

Each message is also associated with a priority level. This is the list of priorities in decreasing order:
• emerg: “Help!” There is an emergency, the system is probably unusable;
• alert: hurry up, any delay can be dangerous, action must be taken immediately;
• crit: conditions are critical;
• err: error;
• warn: warning (potential error);
• notice: conditions are normal, but the message is important;
• info: informative message;
• debug: debugging message.


Example lines from rsyslog.conf:
*.*;auth,authpriv.none          -/var/log/syslog
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log

mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err



Selector and Action

The overall principle is to write “selector” and “action” pairs. The selector defines all relevant messages, and the action describes how to deal with them. In the example above, the first column is the selector and the second column is the action (in all of these cases, the messages are written to log files).

Syntax of the Selector
The selector is a semicolon-separated list of subsystem.priority pairs (example: auth.notice;mail.info). An asterisk may represent all subsystems or all priorities (examples: *.alert or mail.*). Several subsystems can be grouped, by separating them with a comma (example: auth,mail.info). The priority indicated also covers messages of equal or higher priority; thus auth.alert indicates the auth subsystem messages of alert or emerg priority. Prefixed with an exclamation point (!), it indicates the opposite, in other words the strictly lower priorities; auth.!notice, thus, indicates messages issued from auth, with info or debug priority. Prefixed with an equal sign (=), it corresponds to precisely and only the priority indicated (auth.=notice only concerns messages from auth with notice priority).

Each element in the selector list overrides the previous elements. It is thus possible to restrict a set or to exclude certain elements from it. For example, kern.info;kern.!err means messages from the kernel with priority between info and warn. The none priority indicates the empty set (no priorities), and may serve to exclude a subsystem from a set of messages. Thus, *.crit;kern.none indicates all the messages of priority equal to or higher than crit not coming from the kernel.


The various possible actions are:
• add the message to a file (example: /var/log/messages);
• send the message to a remote syslog server (example: @log.falcot.com);
• send the message to an existing named pipe (example: |/dev/xconsole);
• send the message to one or more users, if they are logged in (example: root,rhertzog);
• send the message to all logged in users (example: *);
• write the message in a text console (example: /dev/tty8).
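To make the selector rules and the action column concrete, here is an added example (not rsyslog's own code, and not from the original post) that reimplements the classic selector semantics described above and classifies the action part of a rsyslog.conf line. The treatment of a standalone "!" (restricting the full priority set, so that auth.!notice yields info and debug as the text says) is an assumption made for this example; the config lines it parses are the ones shown earlier on this page.

```python
"""Classic rsyslog/sysklogd selector semantics, reimplemented for illustration.

Added example, not rsyslog's own code: it follows the rules described above
(a priority selects itself and everything more severe, '=' selects exactly one,
'!' keeps only strictly lower priorities, 'none' empties a facility, and later
elements modify what earlier ones selected) so the examples can be checked.
"""
import re

# Priorities in decreasing order of severity: index 0 is the most severe.
PRIORITIES = ["emerg", "alert", "crit", "err", "warn", "notice", "info", "debug"]
RANK = {p: i for i, p in enumerate(PRIORITIES)}
RANK.update({"warning": RANK["warn"], "error": RANK["err"], "panic": RANK["emerg"]})

FACILITIES = ["auth", "authpriv", "cron", "daemon", "ftp", "kern", "lpr", "mail",
              "news", "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]


def _rank(name):
    if name not in RANK:
        raise ValueError(f"unknown priority: {name!r}")
    return RANK[name]


def _apply_priority(current, spec):
    """Return a facility's priority set after applying one priority spec."""
    if spec == "none":
        return set()
    if spec == "*":
        return set(PRIORITIES)
    if spec.startswith("="):                 # exactly this priority
        return current | {PRIORITIES[_rank(spec[1:])]}
    if spec.startswith("!"):                 # only priorities strictly lower than this one
        # A '!' with nothing selected yet restricts the full set, which is how the
        # text above reads 'auth.!notice' (assumption made for this example).
        base = current or set(PRIORITIES)
        return {p for p in base if RANK[p] > _rank(spec[1:])}
    return current | {p for p in PRIORITIES if RANK[p] <= _rank(spec)}


def parse_selector(selector):
    """Map every facility to the priorities that a selector such as
    '*.crit;kern.none' delivers; elements are applied from left to right."""
    table = {f: set() for f in FACILITIES}
    for element in selector.split(";"):
        facs, dot, pri = element.strip().rpartition(".")
        if not dot:
            raise ValueError(f"malformed selector element: {element!r}")
        targets = FACILITIES if facs.strip() == "*" else [f.strip() for f in facs.split(",")]
        for fac in targets:
            if fac not in table:
                raise ValueError(f"unknown facility: {fac!r}")
            table[fac] = _apply_priority(table[fac], pri.strip())
    return table


def matches(table, facility, priority):
    """True if a message with this facility and priority is selected."""
    return PRIORITIES[_rank(priority)] in table[facility]


def classify_action(action):
    """Name the kind of action in the right-hand column of a rsyslog.conf line."""
    action = action.strip()
    if action == "*":
        return "all-users"
    if action.startswith("@"):
        return "remote"
    if action.startswith("|"):
        return "pipe"
    if action.startswith("-"):
        return "file-nosync"   # leading '-': file written without a sync after each message
    if action.startswith("/dev/"):
        return "console"
    if action.startswith("/"):
        return "file"
    return "users"             # comma-separated login names


def parse_line(line):
    """Split one 'selector   action' line into (priority table, action kind, action)."""
    parts = re.split(r"\s+", line.strip(), maxsplit=1)
    if len(parts) != 2:
        raise ValueError(f"expected 'selector action': {line!r}")
    selector, action = parts
    return parse_selector(selector), classify_action(action), action


if __name__ == "__main__":
    table, kind, action = parse_line("*.*;auth,authpriv.none          -/var/log/syslog")
    print(kind, action, "daemon/warning selected:", matches(table, "daemon", "warning"),
          "auth/emerg selected:", matches(table, "auth", "emerg"))
```

Running it on the first line of the example configuration shows why auth and authpriv messages never reach /var/log/syslog: the trailing none element empties those two facilities after *.* selected everything, which is the override behaviour the text describes.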


=================================

minus sign in front of the log file:
You may prefix each entry with the minus ``-'' sign to omit syncing the file after every logging. Note that you might lose information if the system crashes right after a write attempt. Nevertheless this might give you back some performance, especially if you run programs that use logging in a very verbose manner.

The above applies to earlier versions; the prefix is still accepted for compatibility reasons. The current documentation says: "In rsyslog v3, syncing has been turned off by default."


=================================

logrotate

Log files can grow fast, and it is necessary to archive them. The most common scheme is a rotating archive: the log file is regularly archived, and only the latest X archives are retained.

logrotate is the program responsible for these rotations. Configuration of logrotate can happen in 2 places:

1. in /etc/logrotate.conf

can look like this:
# no packages own wtmp, or btmp -- we'll rotate them here
/var/log/wtmp {
    missingok
    monthly
    create 0664 root utmp
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0660 root utmp
    rotate 1
}


2. in the files under /etc/logrotate.d/

can look like this:
/var/log/apt/term.log {
  rotate 12
  monthly
  compress
  missingok
  notifempty
}

/var/log/apt/history.log {
  rotate 12
  monthly
  compress
  missingok
  notifempty
}

Normally, logrotate is run as a daily cron job. It will not modify a log more than once in one day unless the criterion for that log is based on the log's size and logrotate is being run more than once each day.
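To see what a logrotate stanza decides about retention and about the permissions of the freshly created log, here is an added example (not part of logrotate, and not from the original post) that parses stanzas in the format shown above and audits each create mode. The SAMPLE text is constructed from the stanzas on this page; the directive parsing is deliberately minimal and does not handle postrotate script blocks.

```python
"""Parse logrotate stanzas and audit the permissions they create.

Added example, not part of logrotate. It reads the '/path { directive ... }'
format shown above and reports, per log file, how many archives are kept and
whether the 'create' mode grants access beyond the owner.
"""
import re

# Constructed sample in the format of /etc/logrotate.conf and /etc/logrotate.d/.
SAMPLE = """
# no packages own wtmp, or btmp -- we'll rotate them here
/var/log/wtmp {
    missingok
    monthly
    create 0664 root utmp
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0660 root utmp
    rotate 1
}

/var/log/apt/term.log {
  rotate 12
  monthly
  compress
  missingok
  notifempty
}
"""

# One stanza: a line of path(s) ending in '{', a body, and a line holding only '}'.
STANZA = re.compile(
    r"^[ \t]*(?P<paths>[^\s{#][^{\n]*?)[ \t]*\{[ \t]*$\n(?P<body>.*?)^[ \t]*\}[ \t]*$",
    re.M | re.S,
)


def parse_logrotate(text):
    """Return {log path: {directive: argument string}} for every stanza in text.
    Comment and blank lines are ignored; a stanza may name several paths."""
    configs = {}
    for m in STANZA.finditer(text):
        directives = {}
        for raw in m.group("body").splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            name, _, args = line.partition(" ")
            directives[name] = args.strip()
        for path in m.group("paths").split():
            configs[path] = directives
    return configs


def audit(configs):
    """Per log file: archives kept ('rotate N'), the 'create' mode if any, and
    the permission bits in that mode that extend access beyond the owner."""
    report = {}
    for path, d in configs.items():
        keep = int(d.get("rotate", "0"))
        mode = d["create"].split()[0] if d.get("create") else None
        issues = []
        if mode is not None:
            bits = int(mode, 8)
            if bits & 0o004:
                issues.append("world-readable")
            if bits & 0o020:
                issues.append("group-writable")
            if bits & 0o002:
                issues.append("world-writable")
        report[path] = {"keep": keep, "mode": mode, "issues": issues}
    return report


if __name__ == "__main__":
    for path, entry in audit(parse_logrotate(SAMPLE)).items():
        print(f"{path}: keep={entry['keep']} mode={entry['mode']} {entry['issues']}")
```

The two findings for wtmp are expected (last and who read it, and the utmp group writes it), while btmp, which records failed login attempts, is created 0660 and so is not readable by other users; a stanza that created btmp world-readable is the kind of drift this check is meant to catch. Files rotated without a create directive, such as the apt logs here, keep whatever mode the writing program gives the new file.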

=================================
