BSD DevCenter

FreeBSD Basics

Where the Log Files Live

11/08/2000

In today's article, I'd like to tie together some of the concepts we've learned so far from the previous articles in the series. Let's apply our newfound skills to see what we can find out about FreeBSD and system logs.

You know there are logs on your FreeBSD system somewhere; you've probably also heard that it is a good thing to read these logs on a regular basis. You may have even heard horror stories about logs filling up a user's hard drive. So how do we go about finding these mysterious logs? Let's start by taking a look at the layout of our FreeBSD system using the trusty old command:

man hier

Need some help viewing manpages?

• Read The Friendly Manpage! -- A Tutorial

• Read The Friendly Manpage! -- Part Two

We'll then search for the word "log" within this manpage by typing:

/log

Our first hit shows that the multi-purpose logs live in /var:

/var/ multi-purpose log, temporary, transient, and spool files

If you repeat the search by pressing the "n" key twice, you'll see that there are two subdirectories of /var that contain logs: cron and log.

cron/
  log     cron log files; see cron(8)
log/      misc. system log files

If you repeat the search one more time by pressing the "n" key, you'll get a "Pattern not found" message, so it looks like we've found all the logs that came with our directory structure.

We're interested in the system log files, so let's take a look at the contents of /var/log:

ls /var/log
cron            messages        setuid.today
dmesg.today     ppp.log         setuid.yesterday
dmesg.yesterday security        slip.log
lpd-errs        sendmail.st     wtmp
maillog         sendmail.st.0

For more on permissions, see:

• An Introduction to Unix Permissions

• An Introduction to Unix Permissions -- Part Two

Your output may vary slightly depending upon your version of FreeBSD, which ports you have installed on your FreeBSD system, and how long it's been since you've been in this directory. Being the curious type, you'll probably want to have a peek at each log to see what it contains. But before you start looking at files you didn't create, you'll want to first check that you have permission to view their contents by typing:

ls -l
total 324
drwxr-xr-x  3 root  wheel  1024 Nov  5 00:00 ./
drwxr-xr-x 18 root  wheel   512 Sep 26 10:53 ../
-rw-------  1 root  wheel 81964 Nov  5 09:15 cron
-rw-r-----  1 root  wheel  3435 Nov  3 02:06 dmesg.today
-rw-r-----  1 root  wheel  3382 Nov  2 02:06 dmesg.yesterday
-rw-rw-r--  1 root  wheel     0 Jul 28 09:10 lpd-errs
-rw-rw-r--  1 root  wheel 16821 Nov  5 08:41 maillog
-rw-rw-r--  1 root  wheel 78888 Nov  5 08:40 messages
-rw-------  1 root  wheel 80332 Oct 30 14:17 ppp.log
-rw-------  1 root  wheel     0 Jul 28 09:10 security
-rw-rw-r--  1 root  wheel   616 Nov  5 08:41 sendmail.st
-rw-rw-r--  1 root  wheel   616 Nov  4 19:33 sendmail.st.0
-rw-r-----  1 root  wheel  7791 Nov  3 02:06 setuid.today
-rw-r-----  1 root  wheel  6587 Nov  2 02:06 setuid.yesterday
-rw-------  1 root  wheel     0 Jul 28 09:10 slip.log
-rw-r--r--  1 root  wheel  2684 Nov  2 21:12 wtmp

It looks like a regular user only has permission to view about half of the log files. If that user lives in the wheel group, they can view a few more, but only the superuser can view all of the system log files.

One last thing before looking at these files: You did not make these files, so you don't know what type of data they contain. Remember, you never open up an unknown file without first testing it with the file utility. Let's check the whole directory at once:

file *
cron:             ASCII text
dmesg.today:      English text
dmesg.yesterday:  English text
lpd-errs:         empty
maillog:          ASCII text
messages:         English text
ppp.log:          mail text
security:         empty
sendmail.st:      data
sendmail.st.0:    data
setuid.today:     ASCII text
setuid.yesterday: ASCII text
slip.log:         empty
wtmp:             data

Any file that has a type called data is usually non-printable. This means that you shouldn't try to send the sendmail* or wtmp files to your terminal using the more or cat commands or your favorite editor. It looks like the lpd-errs, security and slip.log files are empty. The other files contain text, so they can be viewed by any user who has "r" permission to that file. Some of these files are quite large; if you are only concerned with the last bit, that is, the most recent part of the log, use the tail command like so:

tail maillog

This will display the last 10 lines of the maillog file; you'll note that maillog has very long lines that will wrap around your screen.
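The two checks above (the permission bits from ls -l and the types reported by file) can be combined to answer "which logs can each kind of user both read and safely page through?" The script below is an added example, not part of the original article; it works on the article's own two listings embedded as sample data, and the function names readable_by and viewable are made up for the illustration.

```sh
# Added example: LISTING and TYPES are copied from the article's own
# `ls -l` and `file *` output; the function names are illustrative.
LISTING='-rw-------  1 root  wheel 81964 Nov  5 09:15 cron
-rw-r-----  1 root  wheel  3435 Nov  3 02:06 dmesg.today
-rw-r-----  1 root  wheel  3382 Nov  2 02:06 dmesg.yesterday
-rw-rw-r--  1 root  wheel     0 Jul 28 09:10 lpd-errs
-rw-rw-r--  1 root  wheel 16821 Nov  5 08:41 maillog
-rw-rw-r--  1 root  wheel 78888 Nov  5 08:40 messages
-rw-------  1 root  wheel 80332 Oct 30 14:17 ppp.log
-rw-------  1 root  wheel     0 Jul 28 09:10 security
-rw-rw-r--  1 root  wheel   616 Nov  5 08:41 sendmail.st
-rw-rw-r--  1 root  wheel   616 Nov  4 19:33 sendmail.st.0
-rw-r-----  1 root  wheel  7791 Nov  3 02:06 setuid.today
-rw-r-----  1 root  wheel  6587 Nov  2 02:06 setuid.yesterday
-rw-------  1 root  wheel     0 Jul 28 09:10 slip.log
-rw-r--r--  1 root  wheel  2684 Nov  2 21:12 wtmp'
TYPES='cron:             ASCII text
dmesg.today:      English text
dmesg.yesterday:  English text
lpd-errs:         empty
maillog:          ASCII text
messages:         English text
ppp.log:          mail text
security:         empty
sendmail.st:      data
sendmail.st.0:    data
setuid.today:     ASCII text
setuid.yesterday: ASCII text
slip.log:         empty
wtmp:             data'

# readable_by CLASS: regular files whose mode grants read to the
# owner (root), the group (wheel) or other (any regular user).
readable_by() {
    printf '%s\n' "$LISTING" | awk -v class="$1" '
        BEGIN { pos["owner"] = 2; pos["group"] = 5; pos["other"] = 8 }
        /^-/ && substr($1, pos[class], 1) == "r" { print $NF }'
}

# viewable CLASS: readable files that file(1) also reports as text.
viewable() {
    readable_by "$1" | while read -r name; do
        printf '%s\n' "$TYPES" | awk -F': *' -v n="$name" '$1 == n && $2 ~ /text/ { print $1 }'
    done
}

for class in other group owner; do
    printf '%-6s %s\n' "$class:" "$(viewable "$class" | tr '\n' ' ')"
done
```

For a regular user the list shrinks to maillog and messages: the other world-readable files are either empty or of type data.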

Now you know which log files you can safely look at and satisfy your curiosity regarding their contents. But who put that information into those log files, and how can you specify what type of information you'd like to see in your log files? Sounds like we need to use the apropos command to see which manpages will shed some light on this subject. If you type:

apropos system log

you'll receive a couple of screens full of possible manpages. Let's narrow our search a bit by adding some quotation marks:

apropos "system log"

The quotation marks tell apropos that you only want manpages that contain both words together, as the phrase "system log"; the original search told apropos to return manpages that contained either word. This last search yielded far fewer results:

logger(1) - make entries in the system log
newsyslog(8) - maintain system log files to manageable sizes
syslog(3), vsyslog(3), openlog(3), closelog(3), setlogmask(3) - control system log

We seem to be getting closer; it appears that FreeBSD uses the word "syslog" instead of system logs. Let's try:

apropos syslog
newsyslog(8) - maintain system log files to manageable sizes
syslog(3), vsyslog(3), openlog(3), closelog(3), setlogmask(3) - control system log
syslog.conf(5) - syslogd(8) configuration file
syslogd(8) - log systems messages
Sys::Syslog(3), openlog(3), closelog(3), setlogmask(3), syslog(3) - Perl interface to the UNIX syslog(3) calls

And we've hit paydirt; syslogd is the daemon responsible for logging system messages, and syslog.conf is its configuration file.
