105

For the purposes of kernel logging, why do I have three different, non-inclusive levels of logging amongst /var/log/messages, /var/log/syslog, and /var/log/kern.log?

2 Answers

82

Syslog is a standard logging facility. It collects messages of various programs and services including the kernel, and stores them, depending on setup, in a bunch of log files typically under /var/log. In some datacenter setups there are hundreds of devices each with its own log; syslog comes in handy here too. One just sets up a dedicated syslog server which collects all the individual device logs over the network. Syslog can also save logs to databases, and other clients.

According to my /etc/syslog.conf, default /var/log/kern.log captures only the kernel's messages of any loglevel; i.e. the output of dmesg.

/var/log/messages instead aims at storing valuable, non-debug and non-critical messages. This log should be considered the "general system activity" log.

/var/log/syslog in turn logs everything, except auth related messages.

Other interesting standard logs managed by syslog are /var/log/auth.log and /var/log/mail.log.


2020 update

You may still stumble upon syslog; but the defaults have changed.

journald has replaced syslog in quite a big portion of systems, including Ubuntu.

This is relevant because you won't be finding /var/log/messages that often anymore. journald doesn't write plaintext logs — it uses its own, compressed and partially authenticated format.

Search online for e.g. journalctl cheatsheet, or just study man 8 systemd-journald, man 1 journalctl yourself.

Syslog and journald are, to a degree, cross-compatible; you can transport logs between them in either direction. However, you won't get plaintext logs à la /var/log/messages with journald; and you won't get structured (journalctl -o json-pretty) and authenticated logging with syslog.

ulidtko
  • 5,782
  • 1
    Any references to your claims please? – Goaler444 May 29 '13 at 19:14
  • 9
    @Goaler444, man syslog.conf. – ulidtko May 31 '13 at 10:32
  • 2
    Note that entries in the kernel ring buffer (what dmesg reads) won't make it into any /var/log file by default if they were written by a user space process. You need to set $KLogPermitNonKernelFacility on in rsyslogd's config if you want to see those messages in /var/log. See my answer at http://askubuntu.com/a/490900/297973 for more details. – Vanessa Phipps Jul 02 '14 at 17:54
  • 9
    Also worth noting that Ubuntu (since natty) no longer uses /var/log/messages, and stores everything on /var/log/syslog – jackbravo Jan 23 '15 at 17:29
  • 2
    in Ubuntu 16.04 /var/log/syslog is indeed a clean superset of /var/log/kern.log with the caveat that one has to account for different rotation strategies. E.g. in my system (default config unchanged) today's and yesterday's messages are kept in a single file in /var/log/kern.log whereas most of yesterday's messages for syslog are in /var/log/syslog.1. – Marcus Junius Brutus Nov 12 '16 at 18:25
  • 1
    Now see: man rsyslog.conf – Elliptical view Feb 01 '18 at 02:04
  • 1
    On at least some systems /var/log/messages is where dmesg logs to FWIW... (Red Hat) – rogerdpack Dec 14 '21 at 18:57
15
  • syslog contains all the messages except those of type auth.
  • messages contains only generic non-critical messages. The categories are info, notice and warn.
  • For complete log look at /var/log/syslog and /var/log/auth.log
  • AFAIK /var/log/kern.log contains kernel messages.
  • log files are just a convention spelled out in /etc/syslog.conf
  • read syslog(3) for more information

Check this page about differences between messages and syslog

it says /var/log/messages /var/log/syslog

Manish Sinha
  • 11,565
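
The routing both answers describe can be reproduced with a small evaluator for classic syslog.conf selectors. This is an added example, not code from either answer: the rule set is constructed here, modelled on Debian-style defaults, and the function names `selector_matches` and `destinations` are hypothetical.

```python
# Added example: evaluates classic syslog.conf selectors for one message.
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
            "warn": 4, "notice": 5, "info": 6, "debug": 7}

# Constructed sample rules, modelled on Debian-style defaults; not copied from the page.
RULES = [
    ("auth,authpriv.*", "/var/log/auth.log"),
    ("*.*;auth,authpriv.none", "/var/log/syslog"),
    ("kern.*", "/var/log/kern.log"),
    ("mail.*", "/var/log/mail.log"),
    ("*.=info;*.=notice;*.=warn;auth,authpriv.none;cron,daemon.none;mail,news.none",
     "/var/log/messages"),
]

def selector_matches(selector, facility, severity):
    """Return True if a 'fac.prio;fac.prio...' selector accepts the message."""
    matched = False
    for part in selector.split(";"):
        facs, prio = part.rsplit(".", 1)
        if facs != "*" and facility not in facs.split(","):
            continue
        if prio == "none":          # 'none' removes this facility entirely
            matched = False
            continue
        negate = prio.startswith("!")
        prio = prio.lstrip("!")
        if prio == "*":
            hit = True
        elif prio.startswith("="):  # '=' means exactly this severity
            hit = SEVERITY[severity] == SEVERITY[prio[1:]]
        else:                       # bare name means this severity or worse
            hit = SEVERITY[severity] <= SEVERITY[prio]
        if hit:
            matched = not negate
    return matched

def destinations(facility, severity, rules=RULES):
    """List every log file that would receive the message."""
    return [path for sel, path in rules if selector_matches(sel, facility, severity)]

if __name__ == "__main__":
    for msg in [("kern", "debug"), ("kern", "warning"), ("kern", "err"),
                ("auth", "info"), ("daemon", "info"), ("user", "notice")]:
        print("%s.%s -> %s" % (*msg, ", ".join(destinations(*msg))))
```

With these rules a kernel error reaches kern.log and syslog but not messages, and an auth message reaches only auth.log, so a complete review has to read syslog and auth.log together.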