Linux Log System

Sharp tools make good work.

Preface

A professional log system is indispensable for debugging and maintaining a server.

1, Log system architecture

Linux provides a daemon, syslogd, to process system logs; on modern systems this is its successor, rsyslogd.
The rsyslogd daemon receives both logs output by user processes and kernel logs.
A user process generates a system log entry through the syslog function, which writes it to the UNIX domain socket file /dev/log; rsyslogd listens on that socket to obtain the user process's output.

The kernel log used to be managed by another daemon, klogd; rsyslogd uses additional modules to provide the same function. The kernel prints its log into a ring buffer through functions such as printk. The contents of the ring buffer are mapped directly to the file /proc/kmsg, and rsyslogd obtains the kernel log by reading that file.

After receiving logs from user processes or the kernel, rsyslogd writes them to specific log files. By default, debugging information is saved to /var/log/debug, general information to /var/log/messages, and kernel messages to /var/log/kern.log. The actual distribution of log messages is set in the rsyslogd configuration. Its main configuration file is /etc/rsyslog.conf, and the main items it configures include the kernel log input path, whether to receive UDP logs and on which port (514 by default, see /etc/services), whether to receive TCP logs and on which port, the permissions of the log files, and which sub-configuration files are included. Figure 7-1 summarizes the Linux system log system.

sudo systemctl status syslog.service // View syslog service status
● rsyslog.service - System Logging Service
     Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabl>
     Active: active (running) since Sat 2021-10-02 01:50:08 PDT; 3 days ago
TriggeredBy: ● syslog.socket
       Docs: man:rsyslogd(8)
             https://www.rsyslog.com/doc/
   Main PID: 732 (rsyslogd)
      Tasks: 4 (limit: 2273)
     Memory: 3.4M
     CGroup: /system.slice/rsyslog.service
             └─732 /usr/sbin/rsyslogd -n -iNONE

sudo systemctl status rsyslog.service // View rsyslog service status
● rsyslog.service - System Logging Service
     Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabl>
     Active: active (running) since Sat 2021-10-02 01:50:08 PDT; 3 days ago
TriggeredBy: ● syslog.socket
       Docs: man:rsyslogd(8)
             https://www.rsyslog.com/doc/
   Main PID: 732 (rsyslogd)
      Tasks: 4 (limit: 2273)
     Memory: 3.4M
     CGroup: /system.slice/rsyslog.service
             └─732 /usr/sbin/rsyslogd -n -iNONE

2, Log-related functions

#include <syslog.h>

void syslog(int priority, const char *format, ...);

syslog is a variadic function that formats its output in the printf style. The priority parameter is the bitwise OR of the so-called facility value and the log level. The default facility is LOG_USER, and the log levels are as follows:

#include <syslog.h>
#define LOG_EMERG   0 /* system is unusable */
#define LOG_ALERT   1 /* alert, action must be taken immediately */
#define LOG_CRIT    2 /* critical condition */
#define LOG_ERR     3 /* error */
#define LOG_WARNING 4 /* warning */
#define LOG_NOTICE  5 /* notice */
#define LOG_INFO    6 /* informational */
#define LOG_DEBUG   7 /* debug */

The following function changes the default output format of syslog, giving the log more structure:

#include <syslog.h>

void openlog(const char *ident, int option, int facility);

The string given by the ident parameter is added after the date and time of each log message, and is usually set to the name of the program. The option parameter configures the behaviour of subsequent syslog calls and can be the bitwise OR of the following values:

#define LOG_PID    0x01 /* include the pid of the program in each message */
#define LOG_CONS   0x02 /* if the message cannot be written to the log, print it to the console */
#define LOG_ODELAY 0x04 /* delay opening the log connection until syslog is first called */
#define LOG_NDELAY 0x08 /* open the log connection immediately, without delay */

Log filtering is also important. The following function sets the log mask: log messages whose log level is greater than the log mask are ignored by the system.

#include <syslog.h>

int setlogmask(int mask);

The mask parameter is the new mask value. This function always succeeds and returns the value of the previous mask.

Finally, the following function closes the log connection:

#include <syslog.h>

void closelog(void);
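A complete use of these four calls, written here as an added example rather than code from the original post; the ident string "logdemo" and the message texts are constructed. It installs a mask that drops LOG_DEBUG so verbose output never reaches the log files, and checks each message against the current mask before handing it to syslog.

```c
#include <stdio.h>
#include <syslog.h>

/* Combine a facility and a level into the priority value syslog() expects. */
int make_priority(int facility, int level)
{
    return facility | level;
}

/* Non-zero if a message at `level` passes `mask` (the value setlogmask() holds). */
int level_allowed(int mask, int level)
{
    return (mask & LOG_MASK(level)) != 0;
}

/* Keep LOG_INFO and more severe messages, drop LOG_DEBUG noise.
 * Returns the previous mask, exactly as setlogmask() does. */
int install_info_mask(void)
{
    return setlogmask(LOG_UPTO(LOG_INFO));
}

/* Log `msg` at `level` under the LOG_USER facility.
 * Returns 1 if the message was handed to syslog, 0 if the mask filtered it.
 * setlogmask(0) leaves the mask unchanged and only reports the current value. */
int log_event(int level, const char *msg)
{
    int current = setlogmask(0);
    if (!level_allowed(current, level))
        return 0;
    syslog(make_priority(LOG_USER, level), "%s", msg);
    return 1;
}

int main(void)
{
    /* "logdemo" is a constructed ident; LOG_PID adds the pid to every line,
     * LOG_CONS falls back to the console if /dev/log cannot be reached. */
    openlog("logdemo", LOG_PID | LOG_CONS, LOG_USER);
    int previous = install_info_mask();
    printf("previous mask 0x%x, new mask 0x%x\n", previous, setlogmask(0));

    printf("error sent: %d\n", log_event(LOG_ERR, "failed to bind listening socket"));
    printf("debug sent: %d\n", log_event(LOG_DEBUG, "verbose state dump"));

    closelog();
    return 0;
}
```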


Posted on Wed, 06 Oct 2021 23:43:15 -0400 by RadiationHazard