Recently, I found myself investigating the root cause of a boot failure in an embedded device. To diagnose the problem, I relied on syslogs, which proved invaluable. Syslogs, or system logs, are a core element of Linux systems: they capture and retain data about events and actions across the machine. In this article, we look at why syslogs matter in Linux and examine the facilities and levels used to classify and prioritize log messages.
Understanding Facilities
Facilities categorize log messages by their source or purpose, so that the components of a Linux system can be told apart and routed or filtered separately. RFC 5424 defines 24 facilities, numbered 0 to 23: 0 is kernel messages, 1 user-level messages (the facility an ordinary application uses), 2 the mail system, 3 system daemons, 4 and 10 security/authorization messages, 9 and 15 the clock daemon, and 16 to 23 local0 through local7 for site-specific use. The facility number is not sent on its own: it is multiplied by 8 and added to the severity to form the PRI value that starts every syslog message.
Facility code table from RFC 5424 (Table 1), shown as an image in the original.
Understanding Levels
Syslog levels (RFC 5424 calls them severities) indicate how serious a message is and let you prioritize and filter entries accordingly. There are eight, numbered 0 to 7, with lower numbers being more severe: 0 Emergency, 1 Alert, 2 Critical, 3 Error, 4 Warning, 5 Notice, 6 Informational and 7 Debug. In <syslog.h> they appear as LOG_EMERG through LOG_DEBUG.
Severity code table from RFC 5424 (Table 2), shown as an image in the original.
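To see how a facility and a level travel together on the wire, here is an added example (not code from the original article) that decodes the PRI field at the start of a syslog message into its facility and severity names. The two name tables are taken from RFC 5424, Tables 1 and 2; the sample message in main() is constructed for the example and the parser rejects the malformed PRI forms the RFC forbids (leading zeros, more than three digits, values above 191).

```cpp
// Decode the PRI field of a syslog message into facility and severity,
// using the code tables from RFC 5424 (Tables 1 and 2).
#include <cstddef>
#include <cstdio>
#include <cstring>

// RFC 5424 Table 1: facility codes 0..23 (array index = numerical code).
static const char* const kFacilityNames[24] = {
    "kernel messages",                           // 0
    "user-level messages",                       // 1
    "mail system",                               // 2
    "system daemons",                            // 3
    "security/authorization messages",           // 4
    "messages generated internally by syslogd",  // 5
    "line printer subsystem",                    // 6
    "network news subsystem",                    // 7
    "UUCP subsystem",                            // 8
    "clock daemon",                              // 9
    "security/authorization messages",           // 10
    "FTP daemon",                                // 11
    "NTP subsystem",                             // 12
    "log audit",                                 // 13
    "log alert",                                 // 14
    "clock daemon",                              // 15
    "local use 0 (local0)", "local use 1 (local1)", "local use 2 (local2)",
    "local use 3 (local3)", "local use 4 (local4)", "local use 5 (local5)",
    "local use 6 (local6)", "local use 7 (local7)"  // 16..23
};

// RFC 5424 Table 2: severity codes 0..7.
static const char* const kSeverityNames[8] = {
    "Emergency", "Alert", "Critical", "Error",
    "Warning", "Notice", "Informational", "Debug"
};

struct Priority {
    bool valid;                 // false when the PRI field is malformed
    int facility;               // 0..23
    int severity;               // 0..7
    const char* facility_name;  // name from RFC 5424 Table 1
    const char* severity_name;  // name from RFC 5424 Table 2
};

// Parses the leading "<PRI>" of a syslog message (RFC 5424 section 6.2.1):
// one to three digits, no leading zero except "0" itself, value at most 191
// (facility 23, severity 7). Anything else is reported as invalid.
Priority parse_pri(const char* msg) {
    Priority bad = {false, -1, -1, "", ""};
    if (msg == nullptr || msg[0] != '<') return bad;
    const char* close = std::strchr(msg, '>');
    if (close == nullptr) return bad;
    std::size_t digits = static_cast<std::size_t>(close - msg) - 1;
    if (digits < 1 || digits > 3) return bad;
    if (digits > 1 && msg[1] == '0') return bad;  // rejects "<07>" style values
    int value = 0;
    for (std::size_t i = 1; i <= digits; ++i) {
        if (msg[i] < '0' || msg[i] > '9') return bad;
        value = value * 10 + (msg[i] - '0');
    }
    if (value > 191) return bad;
    // PRI = facility * 8 + severity, so the split is a division and a remainder.
    int facility = value / 8;
    int severity = value % 8;
    return Priority{true, facility, severity,
                    kFacilityNames[facility], kSeverityNames[severity]};
}

int main() {
    // Constructed RFC 5424 message: PRI 14 = facility 1 (user) * 8 + severity 6 (info).
    const char* sample =
        "<14>1 2023-06-01T12:00:00Z embedded-dev SyslogSampleApp 1234 - - Application started";
    Priority p = parse_pri(sample);
    if (p.valid)
        std::printf("facility %d (%s), severity %d (%s)\n",
                    p.facility, p.facility_name, p.severity, p.severity_name);
    else
        std::printf("malformed PRI field\n");
    return 0;
}
```

The same arithmetic runs in reverse when an application logs: syslog(3) combines the facility passed to openlog() with the level passed to syslog() to produce exactly this PRI number.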
An Example
For easier debugging, you can clear the syslog before running the application under investigation, so that only the lines from that run remain. To clear it, either truncate the file or delete it.
Remember that clearing the syslog destroys log history, so make sure you do not need it for troubleshooting, analysis or compliance before you do so; on anything other than a development box, prefer logrotate to manual deletion, since deleted logs are also a lost audit trail. Clearing the logs requires administrative privileges, so prefix the commands with sudo or run them as root.
After clearing the syslog, restart rsyslog. Deleting the file is what makes this necessary: rsyslog keeps the old, now unlinked inode open and continues writing to it, so nothing reaches the new /var/log/syslog until the service is restarted and your application's user-level messages seem to vanish. A truncated file keeps its inode, but restarting after either operation is harmless. On Ubuntu this means truncating or removing /var/log/syslog and then restarting the rsyslog service (for example with systemctl).
The program described below is a simple C++ example that generates a single informational log message under the user facility.
In this example, we include the <syslog.h> header file, which provides the functions and constants for syslog logging. The openlog() function opens a connection to the syslog service, specifying a custom identifier ("SyslogSampleApp") for our application, the logging options (LOG_PID to include the process ID in every entry), and the facility (LOG_USER for user-level messages).
We then use the syslog() function to generate log messages at different levels. In this case, we create a user-level message with LOG_INFO. You can adjust the level to match each event; the first argument to syslog() is the level, and the second is a printf-style format string, so pass message text through "%s" rather than as the format itself.
Finally, we close the syslog connection with closelog() to release the resources associated with the syslog service.
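The following is an added example (not the article's own code) that follows the openlog()/syslog()/closelog() sequence described above and goes one step further: it uses setlogmask(3) to show how a level threshold decides which messages leave the process at all. The identifier "SyslogSampleApp" and the facility LOG_USER are the ones from the text; the three messages are constructed for the example.

```cpp
// Send user-facility messages through syslog(3) and show how setlogmask(3)
// filters them by level before they ever reach rsyslog.
#include <cstdio>
#include <syslog.h>

// The PRI value syslog(3) puts on the wire: in <syslog.h> the facility is
// already shifted left by 3 (LOG_USER == 1 << 3), so it is OR-ed with the
// level (LOG_INFO == 6), giving 14, i.e. facility 1, severity 6.
int user_info_priority() { return LOG_USER | LOG_INFO; }

// True when `level` passes `mask`; this is the check syslog(3) applies
// internally against the mask installed by setlogmask().
bool level_passes(int mask, int level) { return (mask & LOG_MASK(level)) != 0; }

struct Message {
    int level;
    const char* text;
};

// Constructed messages for the example: two routine events and one real failure.
static const Message kMessages[] = {
    {LOG_INFO,  "application started"},
    {LOG_DEBUG, "configuration parsed"},
    {LOG_ERR,   "boot stage 2 failed: device not ready"},
};

// Opens the log as "SyslogSampleApp" under LOG_USER, installs a mask that
// lets through every level up to `max_level` (a lower number is more severe,
// so LOG_UPTO(LOG_INFO) admits everything except LOG_DEBUG), emits the
// messages, and returns how many of them passed the mask.
int log_startup_messages(int max_level) {
    openlog("SyslogSampleApp", LOG_PID, LOG_USER);
    int previous_mask = setlogmask(LOG_UPTO(max_level));
    int emitted = 0;
    for (const Message& m : kMessages) {
        // Message text goes through "%s", never as the format string itself:
        // attacker-influenced text used as a format string is a classic bug.
        syslog(m.level, "%s", m.text);
        if (level_passes(LOG_UPTO(max_level), m.level)) ++emitted;
    }
    setlogmask(previous_mask);  // restore whatever the caller had configured
    closelog();
    return emitted;
}

int main() {
    int count = log_startup_messages(LOG_INFO);
    std::printf("PRI for user.info = %d, %d of %d messages passed the mask\n",
                user_info_priority(), count,
                static_cast<int>(sizeof(kMessages) / sizeof(kMessages[0])));
    return 0;
}
```

With LOG_UPTO(LOG_INFO) the debug line is discarded inside the process and never appears in /var/log/syslog, while the LOG_ERR line still does; raising the threshold to LOG_DEBUG during an investigation turns the debug output back on without touching the code that produces it.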
Where you view the syslog depends on the Linux distribution: /var/log/syslog is used on Debian and Ubuntu, while /var/log/messages is used on Red Hat and CentOS. On systemd-based systems the same messages are also available through the journal with journalctl, which is useful when rsyslog is not installed.
Conclusion
Syslogs are an integral part of Linux systems and the foundation for monitoring, troubleshooting and analysis. By organizing messages across facilities and levels, they give insight into system behavior, speed up issue resolution, and contribute to the overall health and security of the system. It is essential to use the level that matches the event: routine progress belongs at LOG_INFO or LOG_DEBUG and real failures at LOG_ERR, so that filtering by severity surfaces the problems that matter and the syslog is not cluttered with misleading error entries or buried under debug noise.