SUMMARY: syslog questions

From: Dave Wreski (dave@nic.com)
Date: Wed Jan 07 1998 - 22:34:07 CST


Hi all. I found some interesting information regarding my syslog problem.

Original question:

Hi all. I'm having some problems with syslog that I hoped someone could
help me with. For some reason it suddenly stops logging, and I can't
figure out why.

I've stopped and restarted syslogd, and 'cat /dev/null > /var/adm/messages'
to start from the beginning, then restarted syslogd, via the init.d
script. It is running.

Something like 'logger -p kern.err test-kern' doesn't get logged to
/var/adm/messages, or the console.

Is it true that syslogd fulfills all criteria that match according to
/etc/syslog.conf?

Shouldn't I be able to simply have '*.*<tab><tab>/var/ad/messages' as my
/etc/syslog.conf, and then be able to use logger to test syslog? I've
also tried with '*<tab><tab>/var/adm/messages' to no avail.

If I run 'syslogd -d', subsequent attempts at using logger get printed to
the console, but not to /var/adm/messages. Incidentally, I noticed
syslogd triggers an alarm every few minutes when running in debug mode.
What does it use this alarm for?

This is using the stock 2.5.1 /etc/syslog.conf and syslogd, with no
patches. Perhaps there's one I need to apply? As a result, all three of
my 2.5.1 minimally, and recently, installed sparcs have the same problem.
These machines are also listed as their own loghosts.

Does someone have a /etc/syslog.conf that they find most useful? I'd like
to have a /var/adm/mail.log, /var/adm/cron.log, /var/adm/messages, etc,
but not sure how to configure it.

Here are the two relevant lines from /etc/syslog.conf:

*.err;kern.notice;auth.notice;user.none /dev/console
*.err;*.info;kern.debug;daemon.notice;mail.crit;user.none /var/adm/messages

-----------------------

In summary, I forgot that syslogd caches some of its information, until there
is a different message. (so it can write 'last message occurred 10 times').

Also, the stock 2.5.1 syslogd seems to be really badly broken once I started
using some of the other features not found in the stock syslogd.conf.

There is also a good reference to some sample syslogd.conf files that follow.

And the messages:

1. You cannot have a wildcard character for a priority, only for a facility.
Use something like : *.err;user.none<tab><tab>/var/adm/messages

2. Known-working syslogd.conf:

*.err;kern.notice;auth.notice		/dev/console
*.err;kern.debug;mail.crit		/var/adm/messages

*.alert;kern.err;daemon.err		operator
*.alert					root

*.emerg					*

mail.debug				/var/log/syslog
user.debug				/var/log/syslog
daemon.debug				/var/log/syslog
auth.debug				/var/log/syslog

3. Michael Hill <Michael_Hill@csgsystems.com> wrote:

I wrote an article about syslog in SysAdmin magazine in the December 1996
issue. I think you would find it useful.

>Does someone have a /etc/syslog.conf that they find most useful? I'd like
>to have a /var/adm/mail.log, /var/adm/cron.log, /var/adm/messages, etc,
>but not sure how to configure it.

Included with my article were: a sample syslog.conf file that I found
useful (it was an actual working copy I used on my systems at the time)
and a program that would examine your syslog.conf file and tell you
how every kind of message was being logged. You can get a compressed
tar file from http://www.samag.com/code/ (click on December 1996).
You may want to obtain a back issue of the magazine for the article,
because they don't keep articles online. :^(

4. Richard Roberto <robertr@nwmarkets.co.jp>

> If I run 'syslogd -d', subsequent attempts at using logger get printed to
> the console, but not to /var/adm/messages. Incidentally, I noticed
> syslogd triggers an alarm every few minutes when running in debug mode.
> What does it use this alarm for?

Debug mode doesn't write to files, so if there is a problem in the
delimiting, it may not show up in debug mode. Make sure that the
only delimiters between fields (i.e. facility.level and filename) are
tabs.

He also pointed out that sunsolve.sun.com, and docs.sun.com, as well as the
answerbook are excellent resources that one should always make use of.

Thanks all,
Dave
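
The two checks from replies 1 and 4 (no wildcard priority, tabs only between selector and action), as an added Python example that is not part of the original message and is not Michael Hill's program: it lints a syslog.conf and reports where a given facility.level would be written. It assumes a simplified selector model (a later selector overrides an earlier one for the same facility, and a flagged line routes nothing); parse, lint, destinations and SAMPLE are names introduced here.

```python
import re
# Severity order, most severe first; a selector level means "this level and above".
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "lpr", "news", "uucp",
              "cron"] + [f"local{i}" for i in range(8)]

def parse(conf):
    """Yield (lineno, table, action, problems); table maps facility -> level index or None."""
    for n, line in enumerate(conf.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        problems = []
        if "\t" in line:
            selector, action = re.split(r"\t+", line, maxsplit=1)
        else:
            problems.append("selector and action not separated by tabs")
            selector, _, action = line.partition(" ")
        table = {}
        for sel in selector.split(";"):
            facs, _, level = sel.rpartition(".")
            names = FACILITIES if facs == "*" else facs.split(",")
            if level == "*":
                problems.append(f"wildcard priority in '{sel}'")
            elif level not in LEVELS + ["none"] or set(names) - set(FACILITIES):
                problems.append(f"unknown facility or level in '{sel}'")
            else:
                # Assumption: a later selector overrides an earlier one for the same facility.
                for fac in names:
                    table[fac] = None if level == "none" else LEVELS.index(level)
        yield n, table, action.strip(), problems

def lint(conf):
    """Return (line number, problem) pairs for every rule line that looks malformed."""
    return [(n, p) for n, _, _, probs in parse(conf) for p in probs]

def destinations(conf, facility, level):
    """Actions that would receive facility.level; lines with problems route nothing."""
    return [action for _, table, action, probs in parse(conf)
            if not probs and table.get(facility) is not None
            and LEVELS.index(level) <= table[facility]]

# Constructed sample: two lines quoted in the post (tabs restored) plus two faulty ones.
SAMPLE = (
    "*.err;kern.notice;auth.notice;user.none\t/dev/console\n"
    "*.err;*.info;kern.debug;daemon.notice;mail.crit;user.none\t/var/adm/messages\n"
    "*.*\t\t/var/ad/messages\n"
    "mail.debug /var/log/syslog\n"
)
print(lint(SAMPLE), destinations(SAMPLE, "kern", "err"))
```

Under this model a message sent as user.notice matches neither of the two quoted lines, because both carry user.none.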


