lk/fundamentals/logs.md
2020-01-02 01:04:35 +01:00

1.6 KiB

Syslog Management Protocols

Let's look at the programs filling in things on our /var/log/ directory.

  • rsyslog (common)

  • syslog (old)

  • syslog-ng (lots of content-based filtering)

  • klogd (kernel-focussed)

rsyslog

The config rests in /etc/rsyslog.conf, which then references /etc/rsyslog.d/.

Systemd

This thing makes its own logs with journald, and the journal's own logging system writes to /var/log/journal/ directory, which is then filled with nonsense.

You can obtain nonsense in systemd's own format by entering:

journalctl -e

This thing generates so much nonsense it can crash your system, but can at least be checked with:

journalctl --disk-usage

... in case you can't remember the du command.

You can limit the nonsense by editing the /etc/systemd/journald.conf file, and finding #SystemMaxFileSize=

Logger

You can log things at any time with the logger:

logger Server is being a dick!

Put things into a specific log with -p. They can enter into, e.g., lpr (printer) log file with a priority of "critical", with:

logger -p lpr.crit Help!

Logfiles rotate around and eventually get deleted. Rotation means they get compressed.

Edit the config in /etc/logrotate.conf.

A few apps have their own special log rotation rules, kept in /etc/logrotate.d/.

The major variables to change are weekly, which compresses log files weekly, and rotate 4, which keeps 4 weeks worth of backlogs before deletion.

Force Log Rotation

sudo systemctl kill --kill-who=main --signal=SIGUSR2 systemd-journald.service

or just

sudo systemctl restart systemd-journald.service