这两天,因为项目的需要研究了一把如何利用Linux syslog写日记,这里简单整理一下。本人使用的系统是RHEL 5.5。
System Logging
[c-sharp] view plain copy print ?
- # Log all kernel messages to the console.
- # Logging much else clutters up the screen.
- #kern.* /dev/console
- # Log anything (except mail) of level info or higher.
- # Don't log private authentication messages!
- *.info;mail.none;authpriv.none;cron.none /var/log/messages
- # The authpriv file has restricted access.
- authpriv.* /var/log/secure
- # Log all the mail messages in one place.
- mail.* -/var/log/maillog
- # Log cron stuff
- cron.* /var/log/cron
- # Everybody gets emergency messages
- *.emerg *
- # Save news errors of level crit and higher in a special file.
- uucp,news.crit /var/log/spooler
- # Save boot messages also to boot.log
- local7.* /var/log/boot.log
# Log all kernel messages to the console. # Logging much else clutters up the screen. #kern.* /dev/console # Log anything (except mail) of level info or higher. # Don't log private authentication messages! *.info;mail.none;authpriv.none;cron.none /var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure # Log all the mail messages in one place. mail.* -/var/log/maillog # Log cron stuff cron.* /var/log/cron # Everybody gets emergency messages *.emerg * # Save news errors of level crit and higher in a special file. uucp,news.crit /var/log/spooler # Save boot messages also to boot.log local7.* /var/log/boot.log
在对这个配置文件进行详细的解释之前,我们先看一下在Linux C编程中如何利用syslog进行日记。
syslog APIs
Linux C中提供一套系统日记写入接口,包括三个函数:openlog,syslog和closelog。下面是这三个函数的调用格式:
[cpp:collapse:firstline[1]] + expand source view plain copy print ?
- #include <syslog.h>
- void openlog(char *ident, int option, int facility);
- void syslog(int priority, char *format, ...);
- void closelog();
#include <syslog.h> void openlog(char *ident, int option, int facility); void syslog(int priority, char *format, ...); void closelog();
[cpp:firstline[1]] view plain copy print ?
- #include <syslog.h>
- int main(int argc, char *argv[])
- {
- openlog("testsyslog", LOG_CONS | LOG_PID, 0);
- syslog(LOG_USER | LOG_INFO, "syslog test message generated in program %s /n", argv[0]);
- closelog();
- return 0;
- }
#include <syslog.h> int main(int argc, char *argv[]) { openlog("testsyslog", LOG_CONS | LOG_PID, 0); syslog(LOG_USER | LOG_INFO, "syslog test message generated in program %s /n", argv[0]); closelog(); return 0; }
[cpp] view plain copy print ?
- Apr 23 17:15:15 lirong-920181 testsyslog[27214]: syslog test message generated in program ./a.out
Apr 23 17:15:15 lirong-920181 testsyslog[27214]: syslog test message generated in program ./a.out
格式基本是:timestamp hostname ident[pid]:log message。其中ident就是我们调用openlog是指定的"testsyslog",而之所以会打印出[27214]是openlog的option参数中指定了LOG_PID。下面我们详细讨论openlog函数中的option,facility和syslog函数中的priority参数。
[c-sharp] view plain copy print ?
- #define LOG_PID 0x01 /* log the pid with each message */
- #define LOG_CONS 0x02 /* log on the console if errors in sending */
- #define LOG_ODELAY 0x04 /* delay open until first syslog() (default) */
- #define LOG_NDELAY 0x08 /* don't delay open */
- #define LOG_NOWAIT 0x10 /* don't wait for console forks: DEPRECATED */
- #define LOG_PERROR 0x20 /* log to stderr as well */
/* * Option flags for openlog. * * LOG_ODELAY no longer does anything. * LOG_NDELAY is the inverse of what it used to be. */ #define LOG_PID 0x01 /* log the pid with each message */ #define LOG_CONS 0x02 /* log on the console if errors in sending */ #define LOG_ODELAY 0x04 /* delay open until first syslog() (default) */ #define LOG_NDELAY 0x08 /* don't delay open */ #define LOG_NOWAIT 0x10 /* don't wait for console forks: DEPRECATED */ #define LOG_PERROR 0x20 /* log to stderr as well */
[c-sharp] view plain copy print ?
- #define LOG_KERN (0<<3) /* kernel messages */
- #define LOG_USER (1<<3) /* random user-level messages */
- #define LOG_MAIL (2<<3) /* mail system */
- #define LOG_DAEMON (3<<3) /* system daemons */
- #define LOG_AUTH (4<<3) /* security/authorization messages */
- #define LOG_SYSLOG (5<<3) /* messages generated internally by syslogd */
- #define LOG_LPR (6<<3) /* line printer subsystem */
- #define LOG_NEWS (7<<3) /* network news subsystem */
- #define LOG_UUCP (8<<3) /* UUCP subsystem */
- #define LOG_CRON (9<<3) /* clock daemon */
- #define LOG_AUTHPRIV (10<<3) /* security/authorization messages (private) */
- #define LOG_FTP (11<<3) /* ftp daemon */
/* facility codes */ #define LOG_KERN (0<<3) /* kernel messages */ #define LOG_USER (1<<3) /* random user-level messages */ #define LOG_MAIL (2<<3) /* mail system */ #define LOG_DAEMON (3<<3) /* system daemons */ #define LOG_AUTH (4<<3) /* security/authorization messages */ #define LOG_SYSLOG (5<<3) /* messages generated internally by syslogd */ #define LOG_LPR (6<<3) /* line printer subsystem */ #define LOG_NEWS (7<<3) /* network news subsystem */ #define LOG_UUCP (8<<3) /* UUCP subsystem */ #define LOG_CRON (9<<3) /* clock daemon */ #define LOG_AUTHPRIV (10<<3) /* security/authorization messages (private) */ #define LOG_FTP (11<<3) /* ftp daemon */
[c-sharp] view plain copy print ?
- { "auth", LOG_AUTH },
- { "authpriv", LOG_AUTHPRIV },
- { "cron", LOG_CRON },
- { "daemon", LOG_DAEMON },
- { "ftp", LOG_FTP },
- { "kern", LOG_KERN },
- { "lpr", LOG_LPR },
- { "mail", LOG_MAIL },
- { "mark", INTERNAL_MARK },
- { "news", LOG_NEWS },
- { "security", LOG_AUTH },
- { "syslog", LOG_SYSLOG },
- { "user", LOG_USER },
- { "uucp", LOG_UUCP },
{ "auth", LOG_AUTH }, { "authpriv", LOG_AUTHPRIV }, { "cron", LOG_CRON }, { "daemon", LOG_DAEMON }, { "ftp", LOG_FTP }, { "kern", LOG_KERN }, { "lpr", LOG_LPR }, { "mail", LOG_MAIL }, { "mark", INTERNAL_MARK }, /* INTERNAL */ { "news", LOG_NEWS }, { "security", LOG_AUTH }, /* DEPRECATED */ { "syslog", LOG_SYSLOG }, { "user", LOG_USER }, { "uucp", LOG_UUCP },
这个对应关系作用是是将syslog系统调用中facility ID和syslog.conf文件中的配置选项对应起来。后面将详细讲解。facility的作用是指明调用syslog应用的类型。syslog支持的priority如下:
[c-sharp] view plain copy print ?
- #define LOG_EMERG 0 /* system is unusable */
- #define LOG_ALERT 1 /* action must be taken immediately */
- #define LOG_CRIT 2 /* critical conditions */
- #define LOG_ERR 3 /* error conditions */
- #define LOG_WARNING 4 /* warning conditions */
- #define LOG_NOTICE 5 /* normal but significant condition */
- #define LOG_INFO 6 /* informational */
- #define LOG_DEBUG 7 /* debug-level messages */
#define LOG_EMERG 0 /* system is unusable */ #define LOG_ALERT 1 /* action must be taken immediately */ #define LOG_CRIT 2 /* critical conditions */ #define LOG_ERR 3 /* error conditions */ #define LOG_WARNING 4 /* warning conditions */ #define LOG_NOTICE 5 /* normal but significant condition */ #define LOG_INFO 6 /* informational */ #define LOG_DEBUG 7 /* debug-level messages */
[c-sharp] view plain copy print ?
- { "alert", LOG_ALERT },
- { "crit", LOG_CRIT },
- { "debug", LOG_DEBUG },
- { "emerg", LOG_EMERG },
- { "err", LOG_ERR },
- { "error", LOG_ERR },
- { "info", LOG_INFO },
- { "none", INTERNAL_NOPRI },
- { "notice", LOG_NOTICE },
- { "panic", LOG_EMERG },
- { "warn", LOG_WARNING },
- { "warning", LOG_WARNING },
{ "alert", LOG_ALERT }, { "crit", LOG_CRIT }, { "debug", LOG_DEBUG }, { "emerg", LOG_EMERG }, { "err", LOG_ERR }, { "error", LOG_ERR }, /* DEPRECATED */ { "info", LOG_INFO }, { "none", INTERNAL_NOPRI }, /* INTERNAL */ { "notice", LOG_NOTICE }, { "panic", LOG_EMERG }, /* DEPRECATED */ { "warn", LOG_WARNING }, /* DEPRECATED */ { "warning", LOG_WARNING },
[消息类型(规则)] [处理方案(日记文件)]
这里需要注意的是,两者之间必须用一个或者多个Tab字符分开。消息类型是由”消息来源“(facility)和”紧急程度“(priority)构成,中间点号连接。如前面syslog.conf文件中的news.crit表示来自news的”关键“状况。这里,news表示消息来源,crit表示关键状况。通配符*表示一切消息来源,如第一条规则:*.info,将info级以上(notice,warning, err, alert, emerg)(priority表)的所有消息发送到日记文件/var/log/messages。而testsyslog程序中,调用syslog函数时指定的priority是LOG_USER | LOG_INFO,根据上面提到的ID和名字对应的关系,对应的消息类型规则是user.info,包含在规则*.info中,所以日记记录会写到/var/log/messages。
[c-sharp] view plain copy print ?
- user.debug /var/log/debug
user.debug /var/log/debug
要是添加的新规则生效,第二步我们需要重启syslogd和klogd:service syslog restart
[cpp:firstline[1]] view plain copy print ?
- #include <syslog.h>
- int main(int argc, char *argv[])
- {
- openlog("testsyslog", LOG_CONS | LOG_PID, 0);
- syslog(LOG_USER | LOG_DEBUG, "syslog test message generated in program %s /n", argv[0]);
- closelog();
- return 0;
- }
#include <syslog.h> int main(int argc, char *argv[]) { openlog("testsyslog", LOG_CONS | LOG_PID, 0); syslog(LOG_USER | LOG_DEBUG, "syslog test message generated in program %s /n", argv[0]); closelog(); return 0; }