SYSLOG
Summary: All about syslog.
Date: Around 2011
Refactor: 29 April 2025: Checked links and formatting.
Syslog Facility Levels
RFC 5424 defines eight severity levels:
Code | Severity | Keyword | Description | General Description |
---|---|---|---|---|
0 | Emergency | emerg (panic) | System is unusable. | A “panic” condition usually affecting multiple apps/servers/sites. At this level it would usually notify all tech staff on call. |
1 | Alert | alert | Action must be taken immediately. | Should be corrected immediately, therefore notify staff who can fix the problem. An example would be the loss of a primary ISP connection. |
2 | Critical | crit | Critical conditions. | Should be corrected immediately, but indicates failure in a secondary system, an example is a loss of a backup ISP connection. |
3 | Error | err (error) | Error conditions. | Non-urgent failures, these should be relayed to developers or admins; each item must be resolved within a given time. |
4 | Warning | warning (warn) | Warning conditions. | Warning messages, not an error, but indication that an error will occur if action is not taken, e.g. file system 85% full - each item must be resolved within a given time. |
5 | Notice | notice | Normal but significant condition. | Events that are unusual but not error conditions - might be summarized in an email to developers or admins to spot potential problems - no immediate action required. |
6 | Informational | info | Informational messages. | Normal operational messages - may be harvested for reporting, measuring throughput, etc. - no action required. |
7 | Debug | debug | Debug-level messages. | Info useful to developers for debugging the application, not useful during operations. |
SLES 10 syslog ng
To enable syslogging to a different log host edit this file:
OES:~ # vi /etc/syslog-ng/syslog-ng.conf.in
And add these lines to the bottom of the file:
destination loghost_udp { udp("10.10.10.11" port(514)); };
log { source(src); destination(loghost_udp); };
Afterwards run these commands to activate the logging:
OES:~ # SuSEconfig --module syslog-ng
Starting SuSEconfig, the SuSE Configuration Tool...
Running module syslog-ng only
Reading /etc/sysconfig and updating the system...
Executing /sbin/conf.d/SuSEconfig.syslog-ng...
Checking //etc/syslog-ng/syslog-ng.conf.SuSEconfig file: ok
Finished.
OES:~ # /etc/init.d/syslog restart
Shutting down syslog services done
Starting syslog services done
STATS
Do you also get a lot of these messages?:
Syslog Syslog Notice OES syslog-ng[2435]: STATS: dropped 0 14:19:30 May 19 2009
Syslog Syslog Notice OES syslog-ng[2435]: STATS: dropped 0 13:19:29 May 19 2009
Syslog Syslog Notice OES syslog-ng[2435]: STATS: dropped 0 12:19:29 May 19 2009
Syslog Syslog Notice OES syslog-ng[2435]: STATS: dropped 0 11:19:29 May 19 2009
They mean that syslog hasn't dropped any messages! Well, ain't that cool! But I don't wanna know each hour. Once a day is good enough:
OES:~ # vi /etc/syslog-ng/syslog-ng.conf.in
And edit this line:
options { long_hostnames(off); sync(0); perm(0640); stats(86400); };
I changed the stats value to 86400, which means once a day. It was 3600, which means once every hour.
Test message
To test syslogging you can use the logger command:
logger "Testmessage oesbox"
SLES 11
In SLES 11, the SuSEconfig script and its syslog-ng.conf.in configuration template aren't used any more. You can enter the changes above directly in the /etc/syslog-ng/syslog-ng.conf file.
AIX syslog
To enable syslogging on an AIX box and to forward all information to a particular syslog server edit the /etc/syslog.conf file and restart the syslog daemon:
vi /etc/syslog.conf
In this file you configure the logging in this format:
facility.priority destination
<facility> is:
  * - all (except mark)
  mark - time marks
  kern,user,mail,daemon, auth,... (see syslogd(AIX Commands Reference))
<priority> is one of (from high to low):
  emerg/panic,alert,crit,err(or),warn(ing),notice,info,debug
  (meaning all messages of this priority or higher)
<destination> is:
  /filename - log to this file
  username[,username2...] - write to user(s)
  @hostname - send to syslogd on this machine
  * - send to all logged in users
Example:
#user.info /var/adm/log.log rotate size 10m files 2 compress
#user.debug /var/adm/log.dbg rotate size 20m files 8 compress
Because I want to send all messages to a syslogd server, this is the line I need:
*.debug @syslogsrv.company.local
bash-3.2# refresh -s syslogd
0513-095 The request for subsystem refresh was completed successfully.
Solaris Syslog
The theory and file buildup is the same for Solaris and AIX. There is a difference though, to restart the syslog service you'll have to issue this command:
sudo svcadm restart system-log
Note: Do not use spaces (not even one!) between the selector and action columns. Always use tabs, or syslog will not read the configuration file correctly, resulting in errors like this:
syslogd: line xx: unknown priority name "debug @loghost"
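A way to catch the tab problem from the note above before restarting the service, so that forwarding to the log host does not silently stop. This is an added example, not part of the original page: the function name lint_syslog_conf and the sample file are hypothetical, and it assumes plain selector/action lines without m4 ifdef() macros.

```shell
#!/bin/sh
# Added example: lint a syslog.conf for the tab rule and the priority keywords.
# Assumes plain "selector<TAB>action" lines with no m4 ifdef() macros.
lint_syslog_conf() {
    awk '
    BEGIN {
        # Keywords from the severity table, plus "none", which Solaris
        # syslogd also accepts (it is not listed on this page).
        n = split("emerg panic alert crit err error warning warn notice info debug none", k, " ")
        for (i = 1; i <= n; i++) prio[k[i]] = 1
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
    {
        tab = index($0, "\t")
        sel = (tab > 0) ? substr($0, 1, tab - 1) : $0
        if (index(sel, " ") > 0) {
            # The case behind: unknown priority name "debug @loghost"
            printf "line %d: space between selector and action, use tabs\n", NR
            bad = 1; next
        }
        if (tab == 0) {
            printf "line %d: no action after selector\n", NR
            bad = 1; next
        }
        m = split(sel, part, ";")        # one selector may hold several pairs
        for (i = 1; i <= m; i++) {
            dot = index(part[i], ".")
            p = substr(part[i], dot + 1)
            if (dot == 0 || !(p in prio)) {
                printf "line %d: unknown priority in \"%s\"\n", NR, part[i]
                bad = 1
            }
        }
    }
    END { exit bad + 0 }                 # 0 = clean, 1 = findings
    ' "$1"
}

# Constructed sample: line 2 is valid, line 3 uses a space, line 4 a bad keyword.
sample=$(mktemp)
printf '# forward everything\n*.debug\t@syslogsrv.company.local\n*.debug @syslogsrv.company.local\nuser.bogus\t/var/adm/log.log\n' > "$sample"
lint_syslog_conf "$sample" || echo "fix the lines above before restarting system-log"
rm -f "$sample"
```

The function returns 0 for a clean file and 1 when it prints findings, so it can gate the restart command in a deployment script.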