syslogd, rsyslogd, and syslog-ng are syslog daemons, or system log daemons. syslogd is the legacy syslog daemon; rsyslog and syslog-ng are newer syslog daemons with enhancements over syslogd (reliable TCP and TLS transport, filtering, and structured output, among others). On distributions that run systemd, the journal (journald) also collects events, either instead of or alongside a syslog daemon; on many of those systems journald forwards messages to rsyslog, which is what writes the familiar files under /var/log.
Which daemon is being used
The ps command can be used to determine if your system is using syslogd, rsyslogd or syslog-ng. In this example, rsyslogd is being used.
~]# ps -ef | grep -i syslog
root 1287 1 0 Aug17 ? 00:13:30 /usr/sbin/rsyslogd -n
conf file location
The find command can be used to determine the location of the conf file. Note that rsyslog typically reads more than one file: the main /etc/rsyslog.conf usually includes /etc/rsyslog.d/*.conf, so a rule that affects a message may live in either place.
~]# find /etc/ | grep -i rsyslog.conf
/etc/rsyslog.conf
When a service has an event or message it would like to log, the daemon needs a way of knowing where the message should be written. The syslog configuration determines that. Each rule in /etc/syslog.conf or /etc/rsyslog.conf has the format facility.priority action, where the selector (facility.priority) is separated from the action by whitespace. For example, you may have the line mail.* /var/log/maillog in the syslog.conf file. mail is the facility, * is the priority (meaning every priority), and /var/log/maillog is the action.
mail.* /var/log/maillog
Following is a typical syslog.conf file. When two or more facilities share a priority, the facilities are separated by a comma (uucp,news.crit). When two or more selectors share an action, the selectors are separated by a semi-colon (*.info;mail.none;...); the selectors on a line are evaluated left to right, so a later selector such as mail.none overrides what *.info selected for the mail facility.
In this example, kern (kernel) events at any priority are sent to /dev/console. If the kernel's console is /dev/tty1, then all kernel events will appear on /dev/tty1.
Also in this example, any type of event at level emerg will be displayed on the terminal of every logged-in user, on both TTY and PTS virtual consoles.
*.info;mail.none;authpriv.none;cron.none /var/log/messages
*.emerg *
kern.* /dev/console
authpriv.* /var/log/secure
mail.* /var/log/maillog
cron.* /var/log/cron
local7.* /var/log/boot.log
uucp,news.crit /var/log/spooler
Following are the standard facilities: kern (kernel), user, mail, daemon, auth, syslog, lpr, news, uucp, cron, authpriv, ftp, and local0 through local7. The local0 to local7 facilities are reserved for site-specific use, which is why local7 carries boot messages above.
Following are the priorities, listed from most severe to least severe: emerg, alert, crit, err, warning, notice, info, debug. The order matters because a selector matches its priority and everything more severe than it.
Typically, the action will be the absolute path to a file. However, the action can also be the * character. The * character will send a text message to the terminal of all users logged into the machine. The * character is typically only used for emergency messages.
*.emerg *
When a service has an event or message it would like to log, the service gives the message one of the priorities. A plain priority in a selector means at or above, that is, the named priority and every priority more severe than it. For example, uucp and news messages at crit and above (crit, alert, emerg) will be written to /var/log/spooler. uucp and news messages at err and below will not be written to /var/log/spooler; those from err down to info still match the *.info line and go to /var/log/messages, while debug messages match nothing in this file and are dropped. Note that rules are not exclusive: a message is written to every action whose selector matches it, so a uucp crit message lands in both /var/log/spooler and /var/log/messages. To stop processing after a match, rsyslog requires an explicit stop (the & stop or ~ syntax).
uucp,news.crit /var/log/spooler
If an equal sign is used, only messages at the priority will be written to the specified log file. For example, you could log critical mail messages to /var/log/maillog_critical.
mail.=crit /var/log/maillog_critical
An exclamation point reverses the sense of a priority: !err removes err and everything more severe. In sysklogd and rsyslog it works by subtracting from what the earlier selectors on the same line already selected, so it is combined with a positive selector. For example, you could write cron messages below err (warning, notice, info, and debug) to /var/log/cron_low_priority.
cron.*;cron.!err /var/log/cron_low_priority
The @ character can be used to write log events to a remote machine. For example, you could write cron messages to a machine with DNS name log.example.com. A single @ sends the messages over UDP to port 514 by default, which is neither reliable nor encrypted; in rsyslog, @@ sends over TCP instead, and a port can be appended (@@log.example.com:6514). For log data that matters, use the TCP form with TLS configured, and keep in mind that an attacker who controls the network path can drop or forge UDP syslog.
cron.* @log.example.com
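The following is an added example, not code from the original page or from any syslog project. It simulates how the legacy facility.priority selector syntax decides where a message goes, covering the at-or-above rule, the = and ! forms, none, comma-joined facilities, semicolon-joined selectors, and the fact that rules are not exclusive. The priority masks are built the way the sysklogd/rsyslog legacy parser builds them: a plain priority adds itself and every more severe priority, = adds a single priority, ! removes, and * or none replace the mask outright. The configuration text and the messages routed through it are constructed for the example; the rule for cron_low_priority uses the combined cron.*;cron.!err form.

```python
"""Simulate legacy syslog.conf selector matching (added example)."""

# Standard facility and priority names; a lower priority index is more severe.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_NUM = {name: n for n, name in enumerate(PRIORITIES)}
ALL_PRI = frozenset(PRIORITIES)

# Constructed config mirroring the rules discussed in the text.
SAMPLE_CONF = """
*.info;mail.none;authpriv.none;cron.none /var/log/messages
*.emerg *
kern.* /dev/console
authpriv.* /var/log/secure
mail.* /var/log/maillog
cron.* /var/log/cron
local7.* /var/log/boot.log
uucp,news.crit /var/log/spooler
mail.=crit /var/log/maillog_critical
cron.*;cron.!err /var/log/cron_low_priority
cron.* @log.example.com
"""


def priority_set(spec):
    """Return (assign, negate, priorities) for one priority spec.

    assign=True means the spec replaces the facility's mask ('*' and 'none');
    otherwise it adds to it (plain name or '=name') or, with a '!' prefix,
    removes from it. A plain name expands to itself and everything more severe.
    """
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if spec == "none":
        return True, negate, frozenset()
    if spec == "*":
        return True, negate, ALL_PRI
    single = spec.startswith("=")
    name = spec[1:] if single else spec
    if name not in PRI_NUM:
        raise ValueError(f"unknown priority: {spec}")
    prios = frozenset([name]) if single else frozenset(PRIORITIES[: PRI_NUM[name] + 1])
    return False, negate, prios


def parse_rule(line):
    """Parse 'selector action' into ({facility: set(priorities)}, action).

    Selectors are applied left to right, so 'mail.none' after '*.info'
    clears the mail mask. Because '!' only subtracts, a lone 'cron.!err'
    leaves the cron mask empty under these semantics.
    """
    selector, action = line.split(None, 1)
    masks = {fac: set() for fac in FACILITIES}
    for item in selector.split(";"):
        fac_list, spec = item.rsplit(".", 1)
        assign, negate, prios = priority_set(spec)
        facs = FACILITIES if fac_list == "*" else fac_list.split(",")
        for fac in facs:
            if fac not in masks:
                raise ValueError(f"unknown facility: {fac}")
            if assign:
                masks[fac] = set(ALL_PRI - prios) if negate else set(prios)
            elif negate:
                masks[fac] -= prios
            else:
                masks[fac] |= prios
    return masks, action.strip()


def parse_conf(text):
    """Parse a whole config, skipping blank lines and comments."""
    return [parse_rule(l.strip()) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def route(rules, facility, priority):
    """Return every action, in config order, that receives facility.priority."""
    return [action for masks, action in rules if priority in masks[facility]]


if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    for fac, pri in [("uucp", "crit"), ("uucp", "err"), ("uucp", "debug"),
                     ("mail", "crit"), ("cron", "warning"), ("cron", "err"),
                     ("kern", "emerg")]:
        print(f"{fac}.{pri:<8}-> {route(rules, fac, pri)}")
```

Running it shows, for instance, that a uucp crit message is written to both /var/log/spooler and /var/log/messages, that a uucp debug message goes nowhere because *.info stops at info, and that a cron warning reaches /var/log/cron, /var/log/cron_low_priority and the remote host while a cron err skips the low-priority file.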
If you make a change to the syslog or rsyslog configuration file, you will have to restart the daemon for the change to take effect. With rsyslog, check the configuration for syntax errors first (rsyslogd -N1 parses the configuration and reports problems without starting the daemon), because a daemon that fails to start after a restart leaves you without logs. The ps command can be used to determine if your system is using init or systemd. If PID 1 is init, then you will use the service command. If PID 1 is systemd, then you will use the systemctl command.
If your system is using systemd, use the systemctl command to restart syslog. On systems running rsyslog the unit is rsyslog.service, which provides a syslog alias, so either name works.
systemctl restart syslog
If your system is using init, use the service command to restart syslog.
service syslog restart