In this video, I would like to explain rsyslog. Rsyslog is a service that works with facility, priority and destination. The facility is what rsyslogd should be logging for. The priority indicates the severity of the log event, and the destination defines where the message should be written to. And the facility, priority, and destination are used in the rsyslog configuration file. Let's go check out this configuration file and try to understand what it is doing.

So I'm still in a root shell and, in fact, it's convenient, because in order to configure a log, we need root access. Rsyslog.conf is the main configuration file. And there's a lot going on. It's not my intention to tell you everything that's going on, but I do want to tell you a little bit about the rules.

So this is a nice one to start with to understand how it is organized. We see uucp,news. uucp and news are the facilities. Facilities are strictly defined in rsyslog, and that at the same time is the problem in rsyslog, because these facilities were defined in the 1980s and, because of backward compatibility, it was not possible to add something to it. So there is a facility for uucp, which is the Unix-to-Unix Copy Protocol, which nobody's using anymore. But there's no facility for HTTP, for instance. But that doesn't really matter. You have to deal with it if you are working with rsyslog.

Now, we get a dot, and behind the dot we get the priority. And here we have the priority crit for critical. Here you can see a priority emerg for emergency. But it's also possible to just log everything by specifying a star, or info for informational, or none to exclude something from being logged, like here: cron.none. The third part is the destination, /var/log/messages in this case. /var/log/messages is the default log file on Red Hat family Linux. If you're on Ubuntu, /var/log/syslog is the default log file. And that is where you should be looking on syslog-based systems.

So if you go to the /var/log directory, ls -lrt is always a convenient command. It will show you the files in order of last modification, so the last modified file is shown last. Messages, as you can see, is a pretty big file, and it has been modified just a minute ago. And if you use less on messages, then you can see the rsyslog configuration file.

And in case you are wondering what exactly the difference with the journal is: well, the fun fact is that rsyslog is adding functionality, functionality like the option to build a centralized log server, functionality like the option to write your logs to a database server. That's stuff that you can do in rsyslog, not in the systemd journal. The systemd journal, by default, is configured to forward all messages to rsyslog. So what is the difference? There isn't really any. Rsyslog is adding functionality, but at the Linux fundamentals level you don't care about that too much.

What you do care about is that rsyslog is creating a couple of configuration files in the /var/log directory by default. And you can browse these configuration files to figure out. And the last thing: logger HELLO. Logger is a convenient command if you want to write something to your system log. And because rsyslog and the journal are connected, you will see it in /var/log/messages in this case, but also in the systemd journal. And that is how you work with rsyslog.