Master Linux Syslog: Configure, Manage, and Rotate Logs Like a Pro
This guide explains how Linux syslog collects system messages, details common log files and their purposes, describes syslogd, klogd, and logrotate services, shows log formats, configuration syntax, and provides step‑by‑step examples for setting up both log receivers and senders.
Linux kernels and many applications generate error, warning, and informational messages that are crucial for administrators; syslog captures these messages and stores them in log files based on category and priority.
Common Linux Log Files and Their Purpose
/var/log/cron – records crontab scheduled tasks and related errors.
/var/log/btmp – binary file of failed login attempts (view with lastb).
/var/run/utmp – currently logged-in users (view with w, who, users).
/var/log/dmesg – kernel messages during boot.
/var/log/lastlog – last login information for all accounts (view with lastlog).
/var/log/mail* – mail server logs (e.g., postfix).
/var/log/messages – general system messages and errors.
/var/log/secure – authentication‑related events.
/var/log/wtmp and /var/log/faillog – successful and failed login records.
Log files are usually readable only by root because they contain sensitive information.
The generation of log files occurs in two ways: applications may write their own logs, or the Linux distribution provides a logging service (syslogd) that categorizes and stores messages. The kernel also uses klogd for kernel‑generated logs.
Because log volume can grow quickly, logrotate is used to rotate and compress logs automatically.
Syslog Log Format
Each syslog entry typically includes:
• Date and time of the event
• Hostname where the event occurred
• Service or program name that generated the event
• The actual message content
Example from /var/log/secure:
```
[root@localhost ~]# cat /var/log/secure | head -n 5
Oct 13 12:39:27 localhost polkitd[733]: Loading rules from directory /etc/polkit-1/rules.d
Oct 13 12:39:27 localhost polkitd[733]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Oct 13 12:39:33 localhost sshd[1082]: Server listening on 0.0.0.0 port 22.
Nov 28 09:36:41 localhost sshd[1364]: Accepted password for root from 192.168.1.20 port 63704 ssh2
Nov 28 05:36:41 localhost sshd[1364]: pam_unix(sshd:session): session opened for user root by (uid=0)
```
The last two lines show a successful password login by root and the session being opened for it, each recording the time, host, and service.
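To make these fields concrete, here is an added Python example (not code from the original article) that parses lines in the format shown above and summarises sshd login events, the kind of check an administrator runs over /var/log/secure. The sample lines are constructed for the example: the first three copy the article's output, the rest (the failed attempts from 192.168.1.77, alice's key login, a sudo line without a PID) are invented.

```python
import re
from collections import Counter

# One line of /var/log/secure as rsyslog writes it (traditional format):
#   MMM DD HH:MM:SS HOST PROGRAM[PID]: MESSAGE     (the [PID] part is optional)
LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# sshd authentication outcomes worth counting
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
FAILED_RE = re.compile(
    r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")


def parse_line(line):
    """Split a syslog line into its fields; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


def login_summary(lines):
    """Count sshd logins: accepted per (user, source IP) and failed per source IP."""
    accepted, failed = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["prog"] != "sshd":
            continue
        hit = ACCEPTED_RE.match(rec["msg"])
        if hit:
            accepted[(hit["user"], hit["ip"])] += 1
            continue
        hit = FAILED_RE.match(rec["msg"])
        if hit:
            failed[hit["ip"]] += 1
    return {"accepted": accepted, "failed": failed}


def root_login_sources(lines):
    """Source IPs that obtained a root session over ssh: the lines to review first."""
    return sorted({ip for (user, ip) in login_summary(lines)["accepted"] if user == "root"})


# Constructed sample: the first three lines copy the article's output, the rest are invented.
SAMPLE = [
    "Oct 13 12:39:33 localhost sshd[1082]: Server listening on 0.0.0.0 port 22.",
    "Nov 28 09:36:41 localhost sshd[1364]: Accepted password for root from 192.168.1.20 port 63704 ssh2",
    "Nov 28 09:36:41 localhost sshd[1364]: pam_unix(sshd:session): session opened for user root by (uid=0)",
    "Nov 28 09:40:02 localhost sshd[1401]: Failed password for invalid user admin from 192.168.1.77 port 50122 ssh2",
    "Nov 28 09:40:05 localhost sshd[1401]: Failed password for invalid user admin from 192.168.1.77 port 50122 ssh2",
    "Nov 28 09:41:10 localhost sshd[1410]: Accepted publickey for alice from 192.168.1.30 port 51000 ssh2: ED25519 SHA256:constructed",
    "Nov 28 09:41:11 localhost sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/journalctl",
]

if __name__ == "__main__":
    summary = login_summary(SAMPLE)
    for (user, ip), n in summary["accepted"].items():
        print(f"accepted {user} from {ip}: {n}")
    for ip, n in summary["failed"].items():
        print(f"failed from {ip}: {n}")
    print("root logins from:", root_login_sources(SAMPLE))
```

Feed it the real file with `login_summary(open("/var/log/secure"))`; because the parser returns None for anything that does not fit the format, a stray continuation line does not abort the run.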
Syslog Configuration File
The main configuration file is /etc/rsyslog.conf. Each rule maps a service (facility) and priority to a destination; an optional = before the priority selects exactly that level and ! excludes it, and a leading - on a file path lets rsyslog buffer writes instead of flushing after every message. For example:
```
[service].[=|!][priority]   [destination]
authpriv.*                  /var/log/secure
mail.info                   -/var/log/maillog
cron.*                      /var/log/cron
```
Service Types
auth (authpriv) – authentication mechanisms such as login, ssh, su.
cron – scheduled jobs (cron/at).
daemon – generic daemon messages.
kern – kernel messages.
lpr – printing subsystem.
mail – mail server activity.
news – news‑group server.
syslog – messages generated by the syslog daemon itself.
user, uucp, local0‑local7 – miscellaneous user‑level messages.
Log Levels
debug – debugging information.
info – basic informational messages.
notice – normal but significant events.
warning (warn) – warnings that do not affect operation.
err (error) – error conditions that may affect services.
crit – critical conditions.
alert – alerts more severe than critical.
emerg (panic) – system is unusable.
* – all levels.
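The selector rules above are easy to misread: a plain priority means that level and every more severe one, = is exact, ! subtracts, none clears a facility, and every rule is evaluated on its own so one message can land in several files. The following added Python example, not part of the article, models these semantics and the PRI number (facility × 8 + severity) that carries them between hosts. The RULES list is constructed: the three lines from the page plus a catch-all *.info line in the style of a stock rsyslog.conf.

```python
# Facility and severity numbers from the syslog protocol (RFC 3164/5424); the names are
# the ones accepted in rsyslog selectors, including the aliases the article lists.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              **{f"local{n}": 16 + n for n in range(8)}}
SEVERITIES = {"emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
              "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7}


def pri(facility, severity):
    """The PRI number a forwarded message carries: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def compile_selector(selector):
    """Expand 'facility[,facility].priority[;...]' into {facility: set of severity numbers}.

    sysklogd/rsyslog rules, applied left to right:
      prio   -> that severity and every more severe one (lower number)
      =prio  -> exactly that severity
      !...   -> remove those severities instead of adding them
      none   -> drop everything for the facility
      *      -> all facilities / all severities
    """
    allowed = {f: set() for f in FACILITIES}
    for part in selector.replace(" ", "").split(";"):
        if not part:
            continue
        facs, prio = part.split(".", 1)
        targets = list(FACILITIES) if facs == "*" else facs.split(",")
        if prio == "none":
            for f in targets:
                allowed[f] = set()
            continue
        negate = prio.startswith("!")
        if negate:
            prio = prio[1:]
        exact = prio.startswith("=")
        if exact:
            prio = prio[1:]
        if prio == "*":
            levels = set(range(8))
        else:
            level = SEVERITIES[prio]
            levels = {level} if exact else set(range(level + 1))
        for f in targets:
            if negate:
                allowed[f] -= levels
            else:
                allowed[f] |= levels
    return allowed


def matches(selector, facility, severity):
    """Would a message with this facility/severity be accepted by the selector?"""
    return SEVERITIES[severity] in compile_selector(selector)[facility]


def route(rules, facility, severity):
    """Every rule is evaluated independently, so a message can land in several files.
    A leading '-' on a path (buffered writes) is not part of the file name."""
    return [dest.lstrip("-") for sel, dest in (line.split() for line in rules)
            if matches(sel, facility, severity)]


# Constructed rule set: the three lines from the article plus a catch-all line in the
# style of a stock rsyslog.conf (the 'none' parts keep those facilities out of messages).
RULES = [
    "authpriv.*                                  /var/log/secure",
    "mail.info                                   -/var/log/maillog",
    "cron.*                                      /var/log/cron",
    "*.info;mail.none;authpriv.none;cron.none    /var/log/messages",
]

if __name__ == "__main__":
    for fac, sev in [("authpriv", "info"), ("mail", "warning"), ("cron", "debug"), ("daemon", "notice")]:
        print(f"{fac}.{sev} (PRI {pri(fac, sev)}) -> {route(RULES, fac, sev)}")
```

Note that mail.info drops mail.debug entirely, and that without the mail.none, authpriv.none and cron.none parts the catch-all line would duplicate those messages into /var/log/messages.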
Syslog Server Configuration
Receiver Configuration
Edit /etc/rsyslog.conf to enable UDP (or TCP) reception and restart the service:
```
# vim /etc/rsyslog.conf
# Provides UDP syslog reception
# load the UDP input module and listen on port 514
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
```
```
# systemctl restart rsyslog
# systemctl status rsyslog
```
After this, the host can receive logs from other machines (firewall rules for port 514 may be required).
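Before pointing clients at such a receiver, it helps to see what actually arrives on port 514 and how the receiver recovers facility and priority from it. The added Python example below (not the article's code, and independent of rsyslog) builds a datagram the way rsyslog's traditional forwarding format does, sends it to itself over loopback UDP on a free unprivileged port instead of 514, and decodes the PRI prefix back into the facility and severity that the receiver's rules route on. The hostname "client1", the PID and the timestamp are constructed; the message text is the sshd line from the article.

```python
import socket
from datetime import datetime

# Numbering from RFC 3164/5424: PRI = facility * 8 + severity
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                  "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
                  "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]


def build_message(facility, severity, host, tag, pid, text, when):
    """Sender side: encode one message as rsyslog's traditional forwarding format does,
    <PRI>MMM DD HH:MM:SS HOST TAG[PID]: MESSAGE  (day space-padded, as in the log files)."""
    pri = FACILITY_NAMES.index(facility) * 8 + SEVERITY_NAMES.index(severity)
    stamp = f"{when.strftime('%b')} {when.day:2d} {when.strftime('%H:%M:%S')}"
    return f"<{pri}>{stamp} {host} {tag}[{pid}]: {text}".encode()


def parse_wire(datagram):
    """Receiver side: pull PRI apart into facility and severity; the remainder is the
    line that rules such as 'authpriv.* /var/log/secure' would file."""
    text = datagram.decode("utf-8", errors="replace")
    if not text.startswith("<") or ">" not in text:
        raise ValueError("datagram lacks a <PRI> prefix")
    end = text.index(">")
    pri = int(text[1:end])
    if not 0 <= pri <= 191:          # 24 facilities x 8 severities
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return {"pri": pri, "facility": FACILITY_NAMES[facility],
            "severity": SEVERITY_NAMES[severity], "body": text[end + 1:]}


def exchange_on_loopback(datagram):
    """Play both roles: a receiver bound like $UDPServerRun (on a free unprivileged port
    instead of 514) and a sender doing what '*.* @127.0.0.1' does, for one datagram."""
    receiver = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        receiver.bind(("127.0.0.1", 0))
        receiver.settimeout(2)
        sender.sendto(datagram, receiver.getsockname())
        data, _ = receiver.recvfrom(65535)
    finally:
        sender.close()
        receiver.close()
    return parse_wire(data)


# Constructed sample: the sshd line from the article as host "client1" would forward it.
EXAMPLE_TIME = datetime(2023, 11, 28, 9, 36, 41)


def example_datagram():
    return build_message("authpriv", "info", "client1", "sshd", 1364,
                         "Accepted password for root from 192.168.1.20 port 63704 ssh2",
                         EXAMPLE_TIME)


if __name__ == "__main__":
    wire = example_datagram()
    print("sent:", wire)
    print("receiver decoded:", exchange_on_loopback(wire))
```

Two things the exchange makes visible: the datagram is plain text with no sender authentication, so anything that can reach port 514 can inject lines into the receiver's files, and the hostname in the body is whatever the sender wrote, which is why a collector should record the source address as well.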
Sender Configuration
On client machines, add a forwarding rule to /etc/rsyslog.conf (a single @ forwards over UDP, @@ over TCP) and restart the service:
```
#*.* @@remote-host:514
# use @ for UDP, @@ for TCP
*.* @192.168.1.10
```
```
# systemctl restart rsyslog
# systemctl status rsyslog
```
Logrotate Functionality
Logrotate runs from a daily cron job and rotates logs based on the configuration in /etc/logrotate.conf and the files under /etc/logrotate.d/. A typical /etc/logrotate.conf contains:
```
weekly
rotate 4
create
dateext
#compress
include /etc/logrotate.d
/var/log/wtmp {
    monthly
    create 0664 root utmp
    minsize 1M
    rotate 1
}
/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
}
```
Common logrotate options include daily, weekly, monthly, rotate (number of rotated files to keep), compress, missingok, notifempty, size, and dateext.
Running logrotate -vf /etc/logrotate.conf forces an immediate rotation (-f rotates even when the schedule says it is not due, -v prints each step).
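To see what these options do to the files on disk, here is an added Python example (not part of the article, and not logrotate's own code) that simulates one rotation pass for a single log file under the rotate, dateext, compress, create and missingok options, working in temporary directories so it can be run anywhere. The file names, contents and dates are constructed; the 0600 mode mirrors the btmp block above.

```python
import gzip
import os
import shutil
import stat
import tempfile
from datetime import date


def _archive(src, dst, compress):
    """Move src to dst, gzip-compressing it when 'compress' is set."""
    if compress:
        with open(src, "rb") as fin, gzip.open(dst + ".gz", "wb") as fout:
            shutil.copyfileobj(fin, fout)
        os.remove(src)
    else:
        os.rename(src, dst)


def rotate(path, keep, dateext=False, compress=False, create_mode=None,
           missingok=False, today=None):
    """Simulate one logrotate pass for one file and return the directory listing."""
    dirname, base = os.path.split(path)
    if not os.path.exists(path):
        if missingok:                      # 'missingok': silently skip an absent log
            return sorted(os.listdir(dirname))
        raise FileNotFoundError(path)      # without it logrotate reports an error
    ext = ".gz" if compress else ""
    if dateext:
        # 'dateext': archives are named base-YYYYMMDD; keep only the newest 'keep'
        stamp = (today or date.today()).strftime("%Y%m%d")
        _archive(path, os.path.join(dirname, f"{base}-{stamp}"), compress)
        archives = sorted(f for f in os.listdir(dirname) if f.startswith(base + "-"))
        for old in (archives[:-keep] if keep else archives):
            os.remove(os.path.join(dirname, old))
    else:
        # numeric scheme: base.N -> base.N+1, the copy beyond 'keep' is dropped
        for n in range(keep, 0, -1):
            src = os.path.join(dirname, f"{base}.{n}{ext}")
            if os.path.exists(src):
                if n == keep:
                    os.remove(src)
                else:
                    os.rename(src, os.path.join(dirname, f"{base}.{n + 1}{ext}"))
        if keep:
            _archive(path, os.path.join(dirname, f"{base}.1"), compress)
        else:
            os.remove(path)
    if create_mode is not None:
        # 'create 0600 root utmp': a fresh empty file with the given mode (owner/group
        # changes need root, so they are left out of this simulation)
        os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, create_mode))
        os.chmod(path, create_mode)        # os.open applies the umask; set the mode explicitly
    return sorted(os.listdir(dirname))


def run_demo():
    """Exercise both naming schemes in scratch directories and report what is left behind."""
    out = {}
    d1 = tempfile.mkdtemp()
    p1 = os.path.join(d1, "messages")
    for i in range(4):                     # four passes, numeric names, rotate 2
        with open(p1, "a") as fh:
            fh.write(f"line {i}\n")
        out["numeric"] = rotate(p1, keep=2, create_mode=0o600)
    out["numeric_mode"] = stat.S_IMODE(os.stat(p1).st_mode)
    with open(os.path.join(d1, "messages.1")) as fh:
        out["numeric_newest"] = fh.read()

    d2 = tempfile.mkdtemp()
    p2 = os.path.join(d2, "secure")
    for day in (1, 2, 3):                  # three passes, dateext + compress, rotate 2
        with open(p2, "w") as fh:
            fh.write(f"day {day}\n")
        out["dateext"] = rotate(p2, keep=2, dateext=True, compress=True,
                                create_mode=0o600, today=date(2024, 1, day))
    with gzip.open(os.path.join(d2, "secure-20240103.gz")) as fh:
        out["dateext_newest"] = fh.read()
    out["missingok"] = rotate(os.path.join(d2, "absent"), keep=1, missingok=True)
    shutil.rmtree(d1)
    shutil.rmtree(d2)
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The numeric scheme renames every archive on each pass, so a collector that tails messages.1 by name sees a different file after each rotation; dateext names are stable, which is one reason it is the default in the configuration above.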
Raymond Ops
Linux ops automation, cloud-native, Kubernetes, SRE, DevOps, Python, Golang and related tech discussions.