Linux Logging Concepts: Difference between revisions
No edit summary |
|||
(15 intermediate revisions by the same user not shown) | |||
Line 5: | Line 5: | ||
=Overview= | =Overview= | ||
Linux system logging is managed by two systems: [[#rsyslogd|rsyslogd]] and [[#journald|journald]], which is a component of [[Systemd_Concepts#journald|systemd]]. | Linux system logging is managed by two systems: [[#rsyslogd|rsyslogd]] and [[#journald|journald]], which is a component of [[Systemd_Concepts#journald|systemd]]. The logging systems coexist. [[#journald|journald]] is the primary tool for troubleshooting. | ||
=rsyslogd= | =rsyslogd= | ||
rsyslogd comes configured by default to write logging information into files like /var/log/messages, and it can be configured to provide additional filtering, encryption and log information relaying to external systems. | rsyslogd comes configured by default to write logging information into files like /var/log/messages, and it can be configured to provide additional filtering, encryption and log information relaying to external systems. | ||
The main rsyslogd configuration file is /etc/rsyslog.conf, which, among other things, lists all log files maintained by rsyslogd (/var/log/messages, /var/log/secure, /var/log/cron, /var/log/boot.log, etc.). For more details about rsyslogd configuration, see: {{Internal|Linux Logging Configuration#rsyslogd|rsyslogd Configuration}} | |||
rsyslogd-managed log files can be automatically rotated. The logrotate package contains a cron task that rotates log files based on the configuration found in /etc/logrotate.conf and /etc/logrotate.d/. For more details on how to configure log rotation see: {{Internal|Linux Logging Configuration#rsyslogd_Log_Rotation_Configuration|rsyslogd Log Rotation Configuration}} | |||
=journald= | =journald= | ||
journald daemon is a component of [[Systemd_Concepts#journald|systemd]]. It handles syslog, kernel, and early boot messages, as well as messages written to standard output and standard error by all services. | journald daemon is a component of [[Systemd_Concepts#journald|systemd]]. | ||
It handles syslog, kernel, and early boot messages, as well as messages written to standard output and standard error by all services. journald writes logging information, along with metadata such as timestamps and user IDs, into a structured and index binary file. The default location of the journal storage is /run/log/journal/ directory. | |||
The amount of data stored on disk is relatively small: journald uses a ring buffer and old entries are discarded continuously. The size of the log window is configured in /etc/systemd/journald.conf with SystemMaxUse: | |||
... | |||
SystemMaxUse=1024M | |||
... | |||
If configured as such, once journald crosses the size boundary, old data entries are discarded. | |||
The configuration changes require a journald restart: | |||
sudo systemctl restart systemd-journald | |||
The primary command-line interface for interaction with journald is [[Journalctl|journalctl]]. | |||
For more details about journald configuration, see: {{Internal|Linux_Logging_Configuration#journald_Configuration|journald Configuration}} | |||
=logrotate= | |||
{{Internal|Linux logrotate|logrotate}} |
Latest revision as of 17:42, 12 February 2018
Internal
Overview
Linux system logging is managed by two systems: rsyslogd and journald, which is a component of systemd. The logging systems coexist. journald is the primary tool for troubleshooting.
rsyslogd
rsyslogd comes configured by default to write logging information into files like /var/log/messages, and it can be configured to provide additional filtering, encryption and log information relaying to external systems.
The main rsyslogd configuration file is /etc/rsyslog.conf, which, among other things, lists all log files maintained by rsyslogd (/var/log/messages, /var/log/secure, /var/log/cron, /var/log/boot.log, etc.). For more details about rsyslogd configuration, see:
rsyslogd-managed log files can be automatically rotated. The logrotate package contains a cron task that rotates log files based on the configuration found in /etc/logrotate.conf and /etc/logrotate.d/. For more details on how to configure log rotation see:
journald
journald daemon is a component of systemd.
It handles syslog, kernel, and early boot messages, as well as messages written to standard output and standard error by all services. journald writes logging information, along with metadata such as timestamps and user IDs, into a structured and index binary file. The default location of the journal storage is /run/log/journal/ directory.
The amount of data stored on disk is relatively small: journald uses a ring buffer and old entries are discarded continuously. The size of the log window is configured in /etc/systemd/journald.conf with SystemMaxUse:
... SystemMaxUse=1024M ...
If configured as such, once journald crosses the size boundary, old data entries are discarded.
The configuration changes require a journald restart:
sudo systemctl restart systemd-journald
The primary command-line interface for interaction with journald is journalctl.
For more details about journald configuration, see: