Posted by: Mangesh_Linux_Administrator | July 22, 2010

Management of Logs


For each application: its default log location(s), followed by the configuration location that controls its logging.

Apache httpd
  Default log location:
  • /usr/local/apache/logs/access_log
  • /usr/local/apache/logs/error_log
  • /usr/local/apache/logs/suexec_log
  • /usr/local/apache/domlogs/example.com
  Configuration location:
  • /usr/local/apache/conf/httpd.conf (read this first)
BIND
  Default log location:
  • /var/log/messages (via syslog)
  • /var/named/data/named.run
  Configuration location:
  • /etc/named.conf (logging)
Courier (POP, IMAP)
  Default log location:
  • /var/log/maillog (via syslog)
  Configuration location:
  • /usr/lib/courier-imap/etc/* (LOGGEROPTS)
cPanel
  Default log location:
  • /usr/local/cpanel/logs/access_log
  • /usr/local/cpanel/logs/error_log
  • /usr/local/cpanel/logs/login_log
  • /usr/local/cpanel/logs/cpdavd_error_log
  • /usr/local/cpanel/logs/cphulkd_errors.log
  • /usr/local/cpanel/logs/cpbackup/$localtime.log
  • /var/cpanel/updatelogs
  • /var/cpanel/accounting.log
  • /var/log/secure (cpwrap)
  • /var/log/chkservd.log
  Configuration location:
  • not configurable
Exim
  Default log location:
  • /var/log/exim_mainlog
  • /var/log/exim_rejectlog
  • /var/log/exim_paniclog
  Configuration location:
  • /etc/exim.conf (log_selector)
MySQL
  Default log location:
  • /var/lib/mysql/`hostname`.err
  Configuration location:
  • /etc/my.cnf
OpenSSH server
  Default log location:
  • /var/log/secure (via syslog)
  Configuration location:
  • /etc/ssh/sshd_config
Pure-FTPd
  Default log location:
  • /var/log/messages (via syslog)
  • /usr/local/apache/domlogs/ftpxferlog
  Configuration location:
  • /etc/pure-ftpd.conf
suPHP
  Default log location:
  • /usr/local/apache/logs/suphp_log
  Configuration location:
  • /opt/suphp/etc/suphp.conf
Vixie cron
  Default log location:
  • /var/log/cron (via syslog)
  Configuration location:
  • /etc/syslog.conf
yum
  Default log location:
  • /var/log/yum.log
  Configuration location:
  • /etc/yum.conf



Additional MySQL logging

Add a “log=/path/to/log” line to the [mysqld] section of /etc/my.cnf to enable the general query log, which records every statement the server receives (including any credentials that appear in statement text, which is why the file is created with mode 600 below). Newer MySQL releases replaced the log option with general_log and general_log_file. For example:

[root@host ~]# touch /var/log/mysql.log
[root@host ~]# chown mysql.mysql /var/log/mysql.log
[root@host ~]# chmod 600 /var/log/mysql.log
[root@host ~]# # vi /etc/my.cnf and add this to the [mysqld] section: log=/var/log/mysql.log
[root@host ~]# service mysql restart
[root@host ~]# tail -f /var/log/mysql.log

To log slow queries, add “log-slow-queries=/var/log/mysql-slow-queries.log” to the [mysqld] section of /etc/my.cnf:

[root@host ~]# touch /var/log/mysql-slow-queries.log
[root@host ~]# chown mysql.mysql /var/log/mysql-slow-queries.log
[root@host ~]# chmod 600 /var/log/mysql-slow-queries.log
[root@host ~]# # vi /etc/my.cnf and add this to the [mysqld] section: log-slow-queries=/var/log/mysql-slow-queries.log
[root@host ~]# service mysql restart
[root@host ~]# tail -f /var/log/mysql-slow-queries.log

What constitutes a “slow query”? According to the current documentation, the default is any query that takes longer than 10 seconds to execute. This can be adjusted by adding “set-variable=long_query_time=1” (or simply “long_query_time=1”) to the [mysqld] section of /etc/my.cnf and restarting MySQL, where 1 is the threshold in seconds and can be changed as needed.

syslog information

You can use the fuser command to learn about which processes are using which log files:

[root@host /var/log]# fuser -v messages
                     USER        PID ACCESS COMMAND
/var/log/messages:   root      23974 F.... syslogd

What other files does the syslog daemon have open? We can see this by checking its file descriptors:

[root@host /var/log]# ls -al /proc/23974/fd/
total 0
dr-x------ 2 root root  0 Sep  8 09:46 ./
dr-xr-xr-x 4 root root  0 Sep  8 08:10 ../
lrwx------ 1 root root 64 Sep  8 09:46 0 -> socket:[279167292]
l-wx------ 1 root root 64 Sep  8 09:46 1 -> /var/log/messages
l-wx------ 1 root root 64 Sep  8 09:46 2 -> /var/log/secure
l-wx------ 1 root root 64 Sep  8 09:46 3 -> /var/log/maillog
l-wx------ 1 root root 64 Sep  8 09:46 4 -> /var/log/cron
l-wx------ 1 root root 64 Sep  8 09:46 5 -> /var/log/spooler
l-wx------ 1 root root 64 Sep  8 09:46 6 -> /var/log/boot.log

What socket is syslogd using?

[root@host ~]# lsof | head -1 ; lsof | grep 279167292
COMMAND     PID      USER   FD   TYPE             DEVICE     SIZE       NODE NAME
syslogd   23974      root    0u  unix 0xffff810334bc2080           279167292 /dev/log
[root@host ~]# fuser -v /dev/log
                     USER        PID ACCESS COMMAND
/dev/log:            root      23974 F.... syslogd

More information can be found in the syslog.conf man page:

[user@host ~]$ man syslog.conf

If you edit one of your logs with vi, syslogd will no longer have a handle open on it: vi saves by writing a new file and putting it in place of the old one, so the path gets a new inode while syslogd keeps writing to the old, unlinked one. Nothing new appears in the file until the logger is restarted:

[root@host /var/log]# fuser -v messages
                     USER        PID ACCESS COMMAND
messages:            root       3441 F.... syslogd
[root@host /var/log]# ls -i messages
61603905 messages
[root@host /var/log]# vi messages
# make a change to messages and save the file
[root@host /var/log]# ls -i messages
61603929 messages
[root@host /var/log]# fuser -v messages
[root@host /var/log]#
[root@host /var/log]# service syslog restart
Shutting down kernel logger:                               [PASSED]
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
Starting kernel logger:                                    [PASSED]
[root@host /var/log]# fuser -v messages
                     USER        PID ACCESS COMMAND
messages:            root       7343 F.... syslogd
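A check for exactly this condition, added here as an example and not part of the original post: it compares the inode behind each descriptor in /proc/PID/fd with the inode currently at the log's path, so a logger left writing to a replaced or deleted file is reported before anyone relies on that log. It assumes a Linux /proc and GNU stat; the PID (from fuser, as above) and an optional path prefix are arguments.

```shell
#!/bin/sh
# Added example, not from the original post. Detects a logger that has lost
# its file: after "vi messages" the path has a new inode, but syslogd keeps
# writing to the old one and the visible log silently stops growing.
# Assumes a Linux /proc and GNU stat (for -c %i and -L).

# log_handle_check PID PATH
# Returns 0 if PID has the file currently at PATH open, 1 if not, 2 on error.
log_handle_check() {
    pid=$1
    path=$2
    want=$(stat -c %i -- "$path" 2>/dev/null) || return 2
    for fd in /proc/"$pid"/fd/*; do
        # stat -L follows the descriptor link to the open file itself, so it
        # still resolves when that file has been unlinked or replaced on disk
        have=$(stat -L -c %i -- "$fd" 2>/dev/null) || continue
        [ "$have" = "$want" ] && return 0
    done
    return 1
}

# stale_log_handles PID [PREFIX]
# For every descriptor of PID that points under PREFIX (default /var/log/),
# report whether the file on disk is still the one the process writes to.
stale_log_handles() {
    pid=$1
    prefix=${2:-/var/log/}
    for fd in /proc/"$pid"/fd/*; do
        target=$(readlink -- "$fd") || continue
        case $target in
            "$prefix"*) ;;          # a log file; sockets, pipes etc. skipped
            *) continue ;;
        esac
        # readlink appends " (deleted)" once the inode is unlinked; strip it
        # so the check is made against the path a fresh file would be at
        target=${target%' (deleted)'}
        if log_handle_check "$pid" "$target"; then
            printf 'ok     %s\n' "$target"
        else
            printf 'STALE  %s (restart the logger)\n' "$target"
        fi
    done
}

# Stand-alone use: ./check.sh <pid of syslogd>, e.g. from "fuser -v messages"
if [ -n "$1" ]; then
    stale_log_handles "$1"
fi
```

A STALE line after logrotate points at a rotation that did not signal the daemon (no postrotate reload or copytruncate); after a manual edit it means the same restart the session above shows.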

Extracting information from your logs

When searching for something in a log, it’s unnecessary to cat the file first:

[root@host ~]# cat /var/log/somefile | grep string

Instead, just grep the string:

[root@host ~]# grep string /var/log/somefile

If you want to grep for 2 or more strings at once, use egrep (or grep -E):

[root@host ~]# egrep 'string1|string2' /var/log/somefile

An easier way to use grep when searching for 1 string at a time:

[root@host ~]# < /var/log/somefile grep string1
[root@host ~]# < /var/log/somefile grep string2
[root@host ~]# < /var/log/somefile grep string3

If you have a list of strings to search for and want the search results to get sent to their own files:

[root@host ~]# cat > list << EOF
string1
string2
string3
EOF
[root@host ~]# while read -r x ; do grep -- "$x" /var/log/somefile > "log.$x" ; done < list
[root@host ~]# ls log.*
log.string1  log.string2  log.string3
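As an added example for this section (not from the original post), here is how the grep approach above turns into a summary when what you want from /var/log/secure is not the matching lines themselves but how many times each address failed to log in over SSH. The sshd lines are constructed for the example; pass a real file as the first argument.

```shell
#!/bin/sh
# Added example, not from the original post: count failed SSH logins per
# source address from /var/log/secure-style lines, so a brute force attempt
# stands out instead of being read line by line with grep.

# Constructed sample of sshd entries as syslog writes them to /var/log/secure
SAMPLE_SECURE='Sep  8 09:46:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Sep  8 09:46:03 host sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Sep  8 09:46:05 host sshd[2105]: Accepted publickey for deploy from 192.0.2.10 port 40100 ssh2
Sep  8 09:46:09 host sshd[2107]: Failed password for root from 203.0.113.7 port 51041 ssh2
Sep  8 09:47:12 host sshd[2110]: Failed password for invalid user test from 198.51.100.4 port 60012 ssh2
Sep  8 09:47:30 host sshd[2112]: Accepted password for mangesh from 192.0.2.10 port 40122 ssh2'

# failed_by_ip FILE : one "count ip" line per source address, busiest first.
# Only sshd "Failed password" lines are taken, so other daemons logging to
# the same file (cpwrap, as the table above notes) do not skew the count.
failed_by_ip() {
    grep -e 'sshd\[[0-9]*\]: Failed password' -- "$1" |
    awk '{ for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++ }
         END { for (ip in c) print c[ip], ip }' |
    sort -rn
}

# report FILE THRESHOLD : addresses with at least THRESHOLD failures
report() {
    failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 " " $1 " failed logins" }'
}

# Stand-alone use over a real log: ./failed.sh /var/log/secure
if [ -n "$1" ]; then
    report "$1" 3
fi
```

The same pipeline over /var/log/exim_rejectlog or ftpxferlog only needs a different grep pattern and field name in the awk line.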

Log rotation

What prevents your log files from growing endlessly? logrotate:

[user@host ~]$ whereis logrotate
logrotate: /usr/sbin/logrotate /etc/logrotate.d /etc/logrotate.conf /usr/share/man/man8/logrotate.8.gz

[user@host ~]$ ls -al /etc/logrotate.d/
total 44
drwxr-xr-x  2 root root   4096 Aug 25 23:04 ./
drwxr-xr-x 75 root root  12288 Sep  8 10:37 ../
-rw-r--r--  1 root root    405 Mar 16 15:47 exim
-rw-r--r--  1 root root    789 Jul 29 21:52 mysql
-rw-r-----  1 root named   163 Jul 29 20:56 named
-rw-r--r--  1 root root     61 Jan 21  2009 rpm
-rw-r--r--  1 root root    154 Aug 18 07:10 snmpd
-rw-r--r--  1 root root    319 Aug 25 23:04 syslog
-rw-r--r--  1 root root    100 Jan 22  2009 yum

Check the man page for more information on how logrotate works:

[user@host ~]$ man logrotate