
Master Linux Syslog: Configure, Manage, and Rotate Logs Efficiently

This guide explains Linux syslog fundamentals, common log file locations, their purposes, the roles of syslogd and klogd, how to configure rsyslog, set up log rotation with logrotate, and deploy a centralized log server for multiple hosts.

MaGe Linux Operations

SYSlog Log File Format

Linux kernels and many programs generate error, warning, and informational messages that are valuable for administrators; syslog writes these messages to log files, categorizing them by facility and priority.

● /var/log/cron – records cron job information, such as misconfigurations and modifications.
● /var/log/btmp – binary file of failed login attempts; view with lastb.
● /var/run/utmp – current login users; view with w, who, users.
● /var/log/dmesg – kernel detection messages during boot.
● /var/log/lastlog – most recent login info for all accounts; view with lastlog.
● /var/log/maillog or /var/log/mail/* – mail server activity (e.g., Postfix).
● /var/log/messages – general system messages, errors, and important events.
● /var/log/secure – authentication‑related events (login, sudo, etc.).
● /var/log/wtmp or /var/log/faillog – records successful and failed login attempts.

Log files are usually readable only by root because they contain sensitive system details.

The two main services that generate log files are syslogd (system and network services) and klogd (kernel messages). Log volume can be high, so logrotate is used to rotate and compress logs automatically.

● syslogd – logs system and network service messages
● klogd – logs kernel messages
● logrotate – handles log rotation

SYSlog Log Entry Structure

Each syslog entry typically contains:

● Date and time
● Hostname
● Service or program name
● Message content

Example using /var/log/secure:

[root@localhost ~]# cat /var/log/secure | head -n 5
Oct 13 12:39:27 localhost polkitd[733]: Loading rules from directory /etc/polkit-1/rules.d
Oct 13 12:39:27 localhost polkitd[733]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Oct 13 12:39:33 localhost sshd[1082]: Server listening on 0.0.0.0 port 22.
Nov 28 09:36:41 localhost sshd[1364]: Accepted password for root from 192.168.1.20 port 63704 ssh2
Nov 28 05:36:41 localhost sshd[1364]: pam_unix(sshd:session): session opened for user root by (uid=0)

The last line shows a session opened for root by UID 0 at 5:36 PM on November 28.
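As an added example (not part of the original article), the following POSIX shell/awk script parses entries in the format shown above into the four parts just described, then pulls out what a reviewer of /var/log/secure looks for: successful SSH logins with their source address, and failed password attempts counted per source. The sample lines and function names are constructed for this example; 203.0.113.7 is a documentation-range address.

```shell
#!/bin/sh
# Constructed sample in the /var/log/secure format shown above (extra lines
# added for the example; 203.0.113.7 is a documentation-range address).
SAMPLE='Oct 13 12:39:33 localhost sshd[1082]: Server listening on 0.0.0.0 port 22.
Nov 28 09:36:41 localhost sshd[1364]: Accepted password for root from 192.168.1.20 port 63704 ssh2
Nov 28 09:36:41 localhost sshd[1364]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 28 09:40:02 localhost sshd[1402]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Nov 28 09:40:05 localhost sshd[1402]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Nov 28 09:41:10 localhost sshd[1410]: Accepted publickey for deploy from 192.168.1.30 port 40112 ssh2
Nov 28 09:42:00 localhost sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart rsyslog'

# Split each entry into the parts described above and emit them as
# tab-separated fields: timestamp, host, program, pid (may be empty), message.
parse_syslog() {
    awk '{
        ts = $1 " " $2 " " $3; host = $4
        prog = $5; sub(/:$/, "", prog)                  # "sshd[1364]:" -> "sshd[1364]"
        pid = ""
        if (match(prog, /\[[0-9]+\]$/)) {               # peel "[1364]" off the program name
            pid = substr(prog, RSTART + 1, RLENGTH - 2)
            prog = substr(prog, 1, RSTART - 1)
        }
        msg = $0                                        # drop the first five whitespace-separated tokens
        sub(/^[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ +/, "", msg)
        printf "%s\t%s\t%s\t%s\t%s\n", ts, host, prog, pid, msg
    }'
}

# Successful SSH logins as "user<TAB>source<TAB>method" (password/publickey).
ssh_logins() {
    parse_syslog | awk -F'\t' '$3 == "sshd" && $5 ~ /^Accepted / {
        split($5, w, " "); printf "%s\t%s\t%s\n", w[4], w[6], w[2] }'
}

# Failed password attempts counted per source address, as "source<TAB>count".
failed_by_ip() {
    parse_syslog | awk -F'\t' '$3 == "sshd" && $5 ~ /^Failed password/ {
        n = split($5, w, " ")
        for (i = 1; i < n; i++) if (w[i] == "from") c[w[i + 1]]++ }
        END { for (ip in c) printf "%s\t%d\n", ip, c[ip] }'
}

echo "== accepted SSH logins (user, source, method)"; printf '%s\n' "$SAMPLE" | ssh_logins
echo "== failed password attempts per source";         printf '%s\n' "$SAMPLE" | failed_by_ip
```

On a real host, replace the sample with `cat /var/log/secure | parse_syslog` (root is needed to read the file, as noted above).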

SYSlog Configuration File

The main configuration file is /etc/rsyslog.conf. It maps facilities and priorities to destinations.

[facility].[priority]            [destination]
authpriv.*                       /var/log/secure
mail.info                        -/var/log/maillog
cron.*                           /var/log/cron

Key sections:

Service name (facility) – auth, authpriv, cron, daemon, kern, mail, and so on.

Priority – levels from debug (least important) to emerg (system unusable).

Facility and priority are separated by a dot (e.g., kern.debug); a plain dot selects that priority and every more severe one, .= selects exactly that priority, and .! excludes that priority and the more severe ones. An asterisk (*) matches all facilities or all priorities. Multiple facilities can be comma‑separated; multiple selectors are semicolon‑separated.

Actions include writing to a file, sending to a user, piping to a program, or forwarding to a remote syslog server (prefixed with @ for UDP or @@ for TCP). A leading dash before a file path (as in -/var/log/maillog above) is the sysklogd convention for not syncing the file after every write, which rsyslog still accepts.
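To make the selector rules concrete, here is an added POSIX shell example (not from the original article) that evaluates a facility.priority selector against a message and then routes a few messages through the three rules quoted above. The function names are hypothetical; the priority order is the standard syslog one.

```shell
#!/bin/sh
# Syslog priorities from most severe (rank 0) to least severe (rank 7).
PRIORITIES="emerg alert crit err warning notice info debug"

# Print the numeric rank of a priority name; return 1 if the name is unknown.
prio_rank() {
    n=0
    for name in $PRIORITIES; do
        if [ "$name" = "$1" ]; then echo "$n"; return 0; fi
        n=$((n + 1))
    done
    return 1
}

# Does selector $1 (e.g. "mail.info", "authpriv.*", "kern.=err", "cron.!warning",
# "auth,authpriv.none") select a message with facility $2 and priority $3?
selector_matches() {
    sel=$1 fac=$2 prio=$3
    fac_part=${sel%.*}            # text before the last dot
    prio_part=${sel##*.}          # text after the last dot
    case ",$fac_part," in         # "*" or a comma-separated list containing $fac
        *,\*,*|*,"$fac",*) ;;
        *) return 1 ;;
    esac
    want=$(prio_rank "$prio") || return 1
    case $prio_part in
        \*)   return 0 ;;                                 # every priority
        none) return 1 ;;                                 # nothing from this facility
        =*)   have=$(prio_rank "${prio_part#=}") || return 1
              [ "$want" -eq "$have" ] ;;                  # exactly this priority
        !*)   have=$(prio_rank "${prio_part#!}") || return 1
              [ "$want" -gt "$have" ] ;;                  # only levels less severe than it
        *)    have=$(prio_rank "$prio_part") || return 1
              [ "$want" -le "$have" ] ;;                  # this priority and more severe
    esac
}

# Apply the three rules quoted above and print the destination(s) a message hits.
route() {
    rf=$1 rp=$2
    for rule in "authpriv.* /var/log/secure" "mail.info -/var/log/maillog" "cron.* /var/log/cron"; do
        rsel=${rule%% *} rdest=${rule#* }
        if selector_matches "$rsel" "$rf" "$rp"; then echo "$rdest"; fi
    done
    return 0
}

for m in "authpriv info" "mail err" "mail debug" "kern err"; do
    printf '%-14s -> %s\n' "$m" "$(route $m)"
done
```

Note that kern.err reaches no destination under these three rules alone; a stock rsyslog.conf also carries a catch-all such as *.info for /var/log/messages.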

Receiving Side Configuration

Edit /etc/rsyslog.conf to enable UDP reception:

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception (optional)
#$ModLoad imtcp
#$InputTCPServerRun 514

Restart the service:

# systemctl restart rsyslog
# systemctl status rsyslog

Sending Side Configuration

Add a forwarding rule to the client’s /etc/rsyslog.conf:

# use @ for UDP, @@ for TCP
*.* @192.168.1.10

Then restart rsyslog on the client.
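A common failure of this setup is that the receiver listens only on UDP (the TCP lines above are commented out) while a client forwards with @@, so messages vanish without an error on either side. The following added POSIX shell example (not from the original article) cross-checks a receiver fragment against a client fragment; both fragments and the function names are constructed for the example.

```shell
#!/bin/sh
# Constructed fragments mirroring the procedure above: the receiver enables
# only UDP (TCP lines left commented), while one client rule forwards over TCP.
RECEIVER='# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception (optional)
#$ModLoad imtcp
#$InputTCPServerRun 514'

CLIENT='authpriv.* @@192.168.1.10:514
*.* @192.168.1.10'

# Print the transports a receiver config actually listens on ("udp", "tcp"),
# ignoring commented-out lines.
receiver_transports() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | awk '
        /^\$ModLoad[[:space:]]+imudp/ { udp = 1 }
        /^\$ModLoad[[:space:]]+imtcp/ { tcp = 1 }
        END { if (udp) print "udp"; if (tcp) print "tcp" }'
}

# For each forwarding action in a client config print "<transport> <target>":
# a single @ means UDP, @@ means TCP.
client_forwards() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | awk '
        $2 ~ /^@@/    { print "tcp " substr($2, 3) }
        $2 ~ /^@[^@]/ { print "udp " substr($2, 2) }'
}

# Cross-check the pair: a forward the receiver cannot accept is silently lost,
# and UDP forwards can drop messages without any error on either side.
check_pair() {
    accepted=" $(receiver_transports "$1" | tr '\n' ' ')"
    client_forwards "$2" | while read -r transport target; do
        case "$accepted" in
            *" $transport "*) ;;
            *) echo "MISMATCH: $transport forward to $target, receiver only accepts:$accepted" ;;
        esac
        if [ "$transport" = udp ]; then echo "WARN: UDP forward to $target has no delivery guarantee"; fi
    done
}

check_pair "$RECEIVER" "$CLIENT"
```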

SYSlog Log Rotation

Log rotation is handled by logrotate, typically invoked daily via a cron job. Main configuration files are /etc/logrotate.conf and files under /etc/logrotate.d/.

weekly
rotate 4
create
dateext
include /etc/logrotate.d

/var/log/wtmp {
    monthly
    create 0664 root utmp
    minsize 1M
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
}

Common directives:

daily / weekly / monthly – rotation frequency.

rotate N – keep N old logs.

compress – compress old logs.

missingok – ignore missing files.

notifempty – skip empty logs.

size / minsize – rotate based on file size.

dateext – add date suffix to rotated files.

To force rotation manually:

logrotate -vf /etc/logrotate.conf

By configuring rsyslog and logrotate, administrators can centralize log collection, control log retention, and ensure system health monitoring across many Linux hosts.

Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
