24.7 About System Logging

24.7.1 Configuring Logwatch

The log files contain messages about the system, kernel, services, and applications. For those files that are controlled by the system logging daemon rsyslogd, the main configuration file is /etc/rsyslog.conf, which contains global directives, module directives, and rules.

Global directives specify configuration options that apply to the rsyslogd daemon. All configuration directives must start with a dollar sign ($) and only one directive can be specified on each line. The following example specifies the maximum size of the rsyslog message queue:

$MainMsgQueueSize 50000

The available configuration directives are described in the file /usr/share/doc/rsyslog-version-number/rsyslog_conf_global.html.

The design of rsyslog allows its functionality to be dynamically loaded from modules, which provide configuration directives. To load a module, specify the following directive:

$ModLoad MODULE_name

Modules have the following main categories:

Input modules receive messages, which pass them to one or more parser modules. A parser module creates a representation of a message in memory, possibly modifying the message, and passes the internal representation to output modules, which can also modify the content before outputting the message.

A description of the available modules can be found at http://www.rsyslog.com/doc/rsyslog_conf_modules.html.

An rsyslog rule consists of a filter part, which selects a subset of messages, and an action part, which specifies what to do with the selected messages. To define a rule in the /etc/rsyslog.conf configuration file, specify a filter and an action on a single line, separated by one or more tabs or spaces.

You can configure rsyslog to filter messages according to various properties. The most commonly used filters are:

The following table lists the available facility keywords for facility/priority-based filters:

Facility Keyword


auth, authpriv

Security, authentication, or authorization messages.


crond messages.


Messages from system daemons other than crond and rsyslogd.


Kernel messages.


Line printer subsystem.


Mail system.


Network news subsystem.


Messages generated internally by rsyslogd.


User-level messages.


UUCP subsystem.

local0 - local7

Local use.

The following table lists the available priority keywords for facility/priority-based filters, in ascending order of importance:

Priority Keyword



Debug-level messages.


Informational messages.


Normal but significant condition.


Warning conditions.


Error conditions.


Critical conditions.


Immediate action required.


System is unstable.

All messages of the specified priority and higher are logged according to the specified action. An asterisk (*) wildcard specifies all facilities or priorities. Separate the names of multiple facilities and priorities on a line with commas (,). Separate multiple filters on one line with semicolons (;). Precede a priority with an exclamation mark (!) to select all messages except those with that priority.

The following are examples of facility/priority-based filters.

Select all kernel messages with any priority.


Select all mail messages with crit or higher priority.


Select all daemon and kern messages with warning or err priority.


Select all cron messages except those with info or debug priority.


By default, /etc/rsyslog.conf includes the following rules:

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

You can send the logs to a central log server over TCP by adding the following entry to the forwarding rules section of /etc/rsyslog.conf on each log client:

*.*        @@logsvr:port

where logsvr is the domain name or IP address of the log server and port is the port number (usually, 514).

On the log server, add the following entry to the MODULES section of /etc/rsyslog.conf:

$ModLoad imtcp
$InputTCPServerRun port

where port corresponds to the port number that you set on the log clients.

To manage the rotation and archival of the correct logs, edit /etc/logrotate.d/syslog so that it references each of the log files that are defined in the RULES section of /etc/rsyslog.conf. You can configure how often the logs are rotated and how many past copies of the logs are archived by editing /etc/logrotate.conf.

It is recommended that you configure Logwatch on your log server to monitor the logs for suspicious messages, and disable Logwatch on log clients. However, if you do use Logwatch, disable high precision timestamps by adding the following entry to the GLOBAL DIRECTIVES section of /etc/rsyslog.conf on each system:

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

For more information, see the logrotate(8), logwatch(8), rsyslogd(8) and rsyslog.conf(5) manual pages, the HTML documentation in the /usr/share/doc/rsyslog-5.8.10 directory, and the documentation at http://www.rsyslog.com/doc/manual.html.

24.7.1 Configuring Logwatch

Logwatch is a monitoring system that you can configure to report on areas of interest in the system logs. After you install the logwatch package, the /etc/cron.daily/0logwatch script runs every night and sends an email report to root. You can set local configuration options in /etc/logwatch/conf/logwatch.conf that override the main configuration file /usr/share/logwatch/default.conf/logwatch.conf, including:

  • Log files to monitor, including log files that are stored for other hosts.

  • Names of services to monitor, or to be excluded from monitoring.

  • Level of detail to report.

  • User to be sent an emailed report.

You can also run logwatch directly from the command line.

For more information, see the logwatch(8) manual page.