Syslogd, rsyslogd, and syslog-ng are the syslog daemon, or system log daemon. syslogd is the legacy syslog daemon, and rsyslog and syslog-ng are newer syslog daemon that have enhancements over syslogd. The journal is used on some Linux distributions instead of syslog to handle the logging of events.
When a service has an event or message it would like to log to a log file, the service needs to have a way of knowing what file the message should be written to. Syslog is used to determine the file a message should be written to. The format of the /etc/syslog.conf or /etc/rsyslog.conf file is facility.priority action. For example, you may have a line in the syslog.conf file mail.* /var/log/maillog. Mail is the facility, * is the priority, and /var/log/maillog is the action.
Following is a typical syslog.conf file. When two or more facilities are used, the facilities are separated by a comma. When two or more priorities are used, the priorities are separated by a semi-colon.
Also in this example, any type of event at level emergency will be display on every TTY and PTS virtual console.
*.info;mail.none;authpriv.none;cron.none /var/log/messages *.emerg * kern.* /dev/console authpriv.* /var/log/secure mail.* /var/log/maillog cron.* /var/log/cron local7.* /var/log/boot.log uucp,news.crit /var/log/spooler
- Line 1 log anything level info or higher to /var/log/messages, except mail, authpriv, and cron events.
- Line 2 sends everyone emergency events
- Line 3 logs kernel events for any priority to /dev/console
- Line 4 logs security and authorization events for any priority to /var/log/secure
- Line 5 logs mail events for any priority to /var/log/maillog
- Line 6 logs cron events for any priority to /var/log/cron
- Line 7 logs boot events for any priority to /var/log/boot.log
- Line 8 logs Unix to Unix copy program (uucp) events and news errors level critical or higher to /var/log/spooler
Following are common facilities:
- authpriv: security and authorization messages
- cron: cron daemon messages
- daemon: various system daemon messages, typically used for services that do not have a facility, such as DHCP, DNS, and NTP, just to name a few
- kern: kernel messages
- lpr: printing messages
- mail: mail system messages
- news: news daemon messages
- syslog: syslog messages
- user: user level messages
- uucp: Unix to Unix copy program daemon messages
- local0 through local7: locally defined application messages
- *: every facility
Following are common priorities.
- debug: debugging information (lowest priority)
- info: information
- notice: noteworthy, but not necessary implicit of a problem
- warning: imply a possible problem
- err: error message
- crit: critical problem
- alert: very critical problem (high priority than crit)
- emerg: emergency message (highest priority)
- *: every priority
Typically, the action will be the absolute path to a file. However, the action can also be the * character. The * character will send a text message to the terminal of all users logged into the machine. The * character is typically only used for emergency messages.
When a service has an event or message it would like to log to a log file, the service will give the message one of the priorities. Syslog uses at or above. For example, uucp and news messages crit and above will be written to /var/log/spooler. This means that uucp and news messages err and below will not be written to /var/log/spooler. Instead, uucp and news messages err and below will be written to /var/log/messages.
If an equal sign is used, only messages at the priority will be written to the specified log file. For example, you could log critical mail messages to /var/log/maillog_critical.
An exclamation point reverses at or above to below. For example, you could write cron messages below err to /var/log/cron_low_priority.
The @ character can be used to write log events to a remote machine. For example, you could write cron messages to a machine with DNS name log.example.com.
If you make a change to the syslog or rsyslog configuration file, you will have to restart the daemon for the change to take effect.
systemctl restart syslog