lk/basics/logs.md

# Syslog Management Protocols

Let's look at the programs filling in things on our /var/log/ directory.

* rsyslog (common)

* syslog (old)

* syslog-ng (lots of content-based filtering)

* klogd (kernel-focussed)

# `rsyslog`

The config rests in /etc/rsyslog.conf, which then references /etc/rsyslog.d/.

# Systemd
This thing makes its own logs with journald, and the journal's own logging system writes to /var/log/journal/ directory, which is then filled with nonsense.

You can obtain nonsense in systemd's own format by entering:

journalctl -e

This thing generates so much nonsense it can crash your system, but can at least be checked with:

> journalctl --disk-usage

... in case you can't remember the `du` command.

You can limit the nonsense by editing the /etc/systemd/journald.conf file, and finding `#SystemMaxFileSize=`

# Logger

You can log things at any time with the logger:

> logger Server is being a dick!

Put things into a specific log with `-p`.  They can enter into, e.g., lpr (printer) log file with a priority of "critical", with:

> logger -p lpr.crit Help!

Logfiles rotate around and eventually get deleted.  Rotation means they get compressed.

Edit the config in /etc/logrotate.conf.

A few apps have their own special log rotation rules, kept in /etc/logrotate.d/.

The major variables to change are `weekly`, which compresses log files weekly, and `rotate 4`, which keeps 4 weeks worth of backlogs before deletion.

# Force Log Rotation

> sudo systemctl kill --kill-who=main --signal=SIGUSR2 systemd-journald.service

or just

> sudo systemctl restart systemd-journald.service
initial commit 2020-01-02 00:04:35 +00:00			`# Syslog Management Protocols`

			`Let's look at the programs filling in things on our /var/log/ directory.`

			`* rsyslog (common)`

			`* syslog (old)`

			`* syslog-ng (lots of content-based filtering)`

			`* klogd (kernel-focussed)`

			# `rsyslog`

			`The config rests in /etc/rsyslog.conf, which then references /etc/rsyslog.d/.`

			`# Systemd`
			`This thing makes its own logs with journald, and the journal's own logging system writes to /var/log/journal/ directory, which is then filled with nonsense.`

			`You can obtain nonsense in systemd's own format by entering:`

			`journalctl -e`

			`This thing generates so much nonsense it can crash your system, but can at least be checked with:`

			`> journalctl --disk-usage`

			... in case you can't remember the `du` command.

			You can limit the nonsense by editing the /etc/systemd/journald.conf file, and finding `#SystemMaxFileSize=`

			`# Logger`

			`You can log things at any time with the logger:`

			`> logger Server is being a dick!`

			Put things into a specific log with `-p`. They can enter into, e.g., lpr (printer) log file with a priority of "critical", with:

			`> logger -p lpr.crit Help!`

			`Logfiles rotate around and eventually get deleted. Rotation means they get compressed.`

			`Edit the config in /etc/logrotate.conf.`

			`A few apps have their own special log rotation rules, kept in /etc/logrotate.d/.`

			The major variables to change are `weekly`, which compresses log files weekly, and `rotate 4`, which keeps 4 weeks worth of backlogs before deletion.

			`# Force Log Rotation`

			`> sudo systemctl kill --kill-who=main --signal=SIGUSR2 systemd-journald.service`

			`or just`

			`> sudo systemctl restart systemd-journald.service`