Last updated
Most services used on a Linux server write information to log files. This information can be written to different destinations, and there are multiple solutions to find the relevant information in system logs. Services can use many different approaches to write log information; the most common are:
-> Direct writing, e.g. logger -p kern.err "hello"
-> rsyslogd: rsyslogd is the enhancement of syslogd, a service that takes care of managing centralized log files. Syslogd has been around for a long time.
-> journald: with the introduction of systemd, the journald log service (systemd-journald) was introduced as well. This service is tightly integrated with systemd, which allows administrators to read detailed information from the journal while monitoring service status with the systemctl status command.
You can find all global system activity within /var/log/syslog, while security-related events are stored in /var/log/audit.log, etc. Here is a list of activities and where to find their logs.
As mentioned above, here are some useful journalctl commands:
-> journalctl -u <service-name> : see logs about a specific service.
-> journalctl -f : follow the journal until you stop it.
-> journalctl -f --no-pager -p info --since yesterday -o verbose _SYSTEMD_UNIT=sshd.service : follow messages of priority info and above from the sshd unit since yesterday, in verbose output and without a pager.
Usually the journal is not persistent. To make it persistent, modify /etc/systemd/journald.conf to set the storage permanently; follow these steps:
-> vim /etc/systemd/journald.conf
-> add the line Storage=persistent, then save and quit
-> systemctl restart systemd-journald
NOTE : Storage=persistent will create /var/log/journal, while Storage=auto will store the logs only if /var/log/journal exists, so make sure to create that directory if you've set Storage=auto. Consult man journald.conf for more info.
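The following script is an added example, not code from the original article: it wraps the two changes described in the steps above (setting Storage= in journald.conf and making sure the journal directory exists) in functions that take the paths as arguments, so they can be tried on a scratch copy before being pointed at /etc/systemd/journald.conf and /var/log/journal. The function names set_journald_storage, journald_storage and ensure_journal_dir are this example's own. systemd's configuration keys are case-sensitive, so the key is written as Storage= under the [Journal] section.

```shell
#!/bin/sh
# Added example, not from the original article: set Storage= in a journald.conf
# copy and create the journal directory, the two things the steps above need.
# Paths are arguments so the functions can be tried on a scratch copy first.

# set_journald_storage CONF MODE   (MODE: persistent, auto, volatile or none)
# Replaces the first Storage= line, commented out or not; otherwise inserts one
# right after the [Journal] header; otherwise appends a [Journal] section.
set_journald_storage() {
    conf=$1; mode=$2
    case "$mode" in
        persistent|auto|volatile|none) ;;
        *) echo "unknown Storage mode: $mode" >&2; return 1 ;;
    esac
    [ -f "$conf" ] || : > "$conf"
    tmp=$(mktemp) || return 1
    if grep -q '^[#[:space:]]*Storage[[:space:]]*=' "$conf"; then
        awk -v m="$mode" '
            /^[# \t]*Storage[ \t]*=/ && !done { print "Storage=" m; done = 1; next }
            { print }' "$conf" > "$tmp"
    elif grep -q '^\[Journal\]' "$conf"; then
        awk -v m="$mode" '
            { print }
            /^\[Journal\]/ && !done { print "Storage=" m; done = 1 }' "$conf" > "$tmp"
    else
        { cat "$conf"; printf '[Journal]\nStorage=%s\n' "$mode"; } > "$tmp"
    fi
    # write back through the existing file so its ownership and mode are kept
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# journald_storage CONF -> the effective Storage value: the last active
# (uncommented) key wins, and the default is "auto" as in journald.conf(5)
journald_storage() {
    v=$(sed -n 's/^[[:space:]]*Storage[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    echo "${v:-auto}"
}

# ensure_journal_dir DIR -> create the directory that Storage=auto requires.
# On a real host, run "systemd-tmpfiles --create --prefix /var/log/journal"
# afterwards so ownership and mode match what journald expects.
ensure_journal_dir() {
    mkdir -p "$1"
}

# Demonstration on a constructed scratch copy laid out like the stock file.
demo=$(mktemp -d)
printf '[Journal]\n#Storage=auto\n#Compress=yes\n' > "$demo/journald.conf"
set_journald_storage "$demo/journald.conf" persistent
ensure_journal_dir "$demo/journal"
echo "effective Storage: $(journald_storage "$demo/journald.conf")"
cat "$demo/journald.conf"
# Real-host equivalent of the article's steps:
#   set_journald_storage /etc/systemd/journald.conf persistent
#   systemctl restart systemd-journald
```

The stock journald.conf ships every key commented out, which is why the function also matches a leading "#": replacing the commented default in place keeps the file readable instead of leaving a stale "#Storage=auto" next to the new line.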
As we've said before, rsyslog is the service that takes care of managing centralized log files. To make sure that the information you need is logged in a location where you want to find it, you can configure the rsyslog service through the /etc/rsyslog.conf file. There are different sections inside this file that allow you to specify where and how information should be written.
##Modules##
-> rsyslog is modular; modules are included to enhance the supported features.
##Global DIRECTIVES##
-> used to specify global parameters, such as the location where auxiliary files are written or the default timestamp format.
##RULES##
-> the most important part, used to specify what information should be logged to which destination. The rsyslog service uses a facility, a priority and a log destination: the facility is the category of the message, the priority is its severity level (a rule matches the given priority and anything more severe), and the log destination defines where matching messages are written. Here is a quick example:
local1.error /var/log/httpd-error.log
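The following shell script is an added example, not code from the article or from rsyslog: it models how a rule selector such as local1.error is matched against a message's facility and priority, and how the "-p kern.err" given to logger in the first section becomes the numeric PRI value (facility * 8 + severity) in the syslog header. The function names facility_num, severity_num, syslog_pri and selector_matches are this example's own, and it handles one "facility.priority" selector per call rather than rsyslog's full "," and ";" selector lists.

```shell
#!/bin/sh
# Added example, not from the original article: rsyslog selector matching and
# syslog PRI calculation. Facility and severity numbers are the standard
# syslog(3)/RFC 5424 ones. Simplification: one facility.priority selector per
# call, no "," or ";" selector lists.

facility_num() {
    case "$1" in
        kern) echo 0 ;;   user) echo 1 ;;   mail) echo 2 ;;   daemon) echo 3 ;;
        auth|security) echo 4 ;; syslog) echo 5 ;; lpr) echo 6 ;; news) echo 7 ;;
        uucp) echo 8 ;;   cron) echo 9 ;;   authpriv) echo 10 ;; ftp) echo 11 ;;
        local[0-7]) echo $(( 16 + ${1#local} )) ;;
        *) echo "unknown facility: $1" >&2; return 1 ;;
    esac
}

severity_num() {
    case "$1" in
        emerg|panic) echo 0 ;; alert) echo 1 ;; crit) echo 2 ;; err|error) echo 3 ;;
        warning|warn) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
        *) echo "unknown priority: $1" >&2; return 1 ;;
    esac
}

# syslog_pri FACILITY.SEVERITY -> numeric PRI (kern.err -> 3, local1.error -> 139)
syslog_pri() {
    fac=$(facility_num "${1%%.*}") || return 1
    sev=$(severity_num "${1#*.}") || return 1
    echo $(( fac * 8 + sev ))
}

# selector_matches SELECTOR FACILITY.SEVERITY -> true when a message with that
# facility and severity is written by a rule whose selector is SELECTOR.
# rsyslog semantics: the named priority and everything more severe match,
# "*" matches any facility or priority, "none" excludes the facility,
# "=crit" matches exactly that priority.
selector_matches() {
    sel_fac=${1%%.*}; sel_pri=${1#*.}
    msg_fac=${2%%.*}; msg_sev=${2#*.}
    [ "$sel_fac" = "*" ] || [ "$sel_fac" = "$msg_fac" ] || return 1
    msg_n=$(severity_num "$msg_sev") || return 1
    case "$sel_pri" in
        '*')  return 0 ;;
        none) return 1 ;;
        =*)   [ "$msg_n" -eq "$(severity_num "${sel_pri#=}")" ] ;;
        *)    [ "$msg_n" -le "$(severity_num "$sel_pri")" ] ;;
    esac
}

# Demonstration with the article's rule:  local1.error /var/log/httpd-error.log
for msg in local1.crit local1.err local1.warning daemon.err; do
    if selector_matches local1.error "$msg"; then
        echo "$msg (PRI $(syslog_pri "$msg")) -> /var/log/httpd-error.log"
    else
        echo "$msg (PRI $(syslog_pri "$msg")) -> not written by this rule"
    fi
done
```

Running it shows why the rule in the text catches local1.crit as well as local1.err but not local1.warning: severities are numbered with 0 as the most urgent, so "error" means "3 or lower". The PRI numbers are what you would see in the angle brackets of a raw syslog message forwarded over the network.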
Log rotation is used to prevent syslog messages from filling your system. logrotate allows you to rotate or delete log files once they reach a configured condition. You can find the logrotate configuration file at /etc/logrotate.conf.
Consult man logrotate for more help.
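The following script is an added example, not code from the article or from logrotate itself: it is a small model of what a logrotate rule does (rotate when a condition is met, keep a fixed number of archives, drop the oldest), so the logic can be tried on scratch files. The rule fragment in the comment, the /var/log/httpd-error.log path reused from the rsyslog example, and the function names write_lines, rotate_log and archived_count are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: a model of a logrotate rule
# run on scratch files. The constructed fragment it models, as it would go in
# /etc/logrotate.d/, is:
#
#   /var/log/httpd-error.log {
#       size 1M          # rotate once the file reaches this size
#       rotate 4         # keep four archives, delete the oldest
#       missingok        # no error if the log is absent
#       notifempty       # do not rotate an empty file
#       create           # recreate the log after rotating it
#   }

# file_size FILE -> size in bytes (wc -c is portable where stat flags are not)
file_size() { wc -c < "$1" | tr -d ' '; }

# write_lines FILE COUNT -> fill FILE with COUNT constructed error lines
write_lines() {
    n=0
    while [ "$n" -lt "$2" ]; do
        echo "Jan 01 00:00:00 host httpd[1]: constructed error line $n"
        n=$((n + 1))
    done > "$1"
}

# rotate_log LOG MAXBYTES KEEP
# Rotates LOG when it holds at least MAXBYTES bytes: LOG.KEEP is removed,
# LOG.n becomes LOG.n+1 for the rest, LOG becomes LOG.1, and an empty LOG is
# recreated so the writing service keeps a valid file ("create").
# A missing LOG is tolerated ("missingok"); prints "rotated" or "skipped".
rotate_log() {
    log=$1; max=$2; keep=$3
    [ -f "$log" ] || { echo skipped; return 0; }
    [ "$(file_size "$log")" -ge "$max" ] || { echo skipped; return 0; }
    rm -f "$log.$keep"
    n=$keep
    while [ "$n" -gt 1 ]; do
        prev=$((n - 1))
        [ ! -f "$log.$prev" ] || mv "$log.$prev" "$log.$n"
        n=$prev
    done
    mv "$log" "$log.1"
    : > "$log"
    echo rotated
}

# archived_count LOG -> number of LOG.n archives currently kept
archived_count() { ls "$1".[0-9]* 2>/dev/null | wc -l | tr -d ' '; }

# Demonstration on constructed files: ~2.7 KiB of lines, 1 KiB threshold, keep 2
demo=$(mktemp -d)
log=$demo/httpd-error.log
for round in 1 2 3; do
    write_lines "$log" 50
    result=$(rotate_log "$log" 1024 2)
    echo "round $round: $result, archives kept: $(archived_count "$log")"
done
ls "$demo"
```

The third round shows the "rotate N" effect: the oldest archive is deleted rather than renamed, so disk use stays bounded no matter how long the service keeps logging. Real logrotate also handles compression, date-stamped names and postrotate scripts that tell rsyslog to reopen its files; those are left out here.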
Learn how logging in Linux is done and how you can manage logs in Linux.