Master Linux Syslog: Essential Log Files, Configuration, and Log Rotation

This guide explains the purpose of common Linux log files, how syslog and klogd collect system and kernel messages, the structure of syslog entries, configuration of /etc/rsyslog.conf for both receiving and forwarding logs, and how to manage log rotation with logrotate.

Liangxu Linux

Why Syslog Matters

Linux kernels and many applications generate error, warning, and informational messages that are crucial for administrators to monitor system health; syslog captures these messages and stores them in log files based on category and priority.

Common Linux Log Files

/var/log/cron – records cron job configuration errors and modifications.

/var/log/btmp – binary file of failed login attempts; view with lastb.

/var/run/utmp – current logged‑in users; view with w, who, or users.

/var/log/dmesg – kernel messages generated during boot.

/var/log/lastlog – last login information for all accounts; displayed by lastlog.

/var/log/maillog (or /var/log/mail/*) – mail server activity, typically Postfix.

/var/log/messages – catches most system errors and important events.

/var/log/secure – records all authentication attempts, successful or not.

/var/log/wtmp and /var/log/faillog – successful and failed login records; read with last.

Log Services and Processes

Two main services manage log creation:

syslogd – handles system and network service logs.

klogd – records kernel‑generated messages.

Because log volume can grow quickly, logrotate is used to rotate, compress, and purge old logs.

Syslog Log Entry Format

Date and time of the event.

Hostname where the event occurred.

Service or program name that generated the event.

The actual message content.

Example Log Entry

[root@localhost ~]# cat /var/log/secure | head -n 5
Oct 13 12:39:27 localhost polkitd[733]: Loading rules from directory /etc/polkit-1/rules.d
Oct 13 12:39:27 localhost polkitd[733]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Oct 13 12:39:33 localhost sshd[1082]: Server listening on 0.0.0.0 port 22.
Nov 28 09:36:41 localhost sshd[1364]: Accepted password for root from 192.168.1.20 port 63704 ssh2
Nov 28 05:36:41 localhost sshd[1364]: pam_unix(sshd:session): session opened for user root by (uid=0)

The last line shows a successful root login at 5:36 PM on November 28, recorded by the sshd service and the pam_unix module.
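The four-field entry format above can be parsed and checked for SSH password logins as follows. This is an added example, not code from the original article; the sample lines are constructed, and the names `parse_entry` and `review_ssh_logins` and the `year` parameter are assumptions introduced here.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the /var/log/secure format shown above (not real logs).
SAMPLE = """\
Nov 28 09:36:01 localhost sshd[1360]: Failed password for root from 192.168.1.20 port 63701 ssh2
Nov 28 09:36:05 localhost sshd[1360]: Failed password for invalid user admin from 192.168.1.20 port 63702 ssh2
Nov 28 09:36:41 localhost sshd[1364]: Accepted password for root from 192.168.1.20 port 63704 ssh2
Nov 28 09:36:41 localhost sshd[1364]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 28 09:40:12 localhost polkitd[733]: Loading rules from directory /etc/polkit-1/rules.d
"""

# Fields: timestamp, hostname, program[pid] (pid is optional), message.
ENTRY = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([^\s\[:]+)(?:\[(\d+)\])?: (.*)$")
AUTH = re.compile(r"^(Accepted|Failed) password for (?:invalid user )?(\S+) from (\S+) port \d+")

def parse_entry(line, year):
    """Split one entry into its fields; return None if the line does not match.
    The classic timestamp has no year or time zone, so the caller supplies the year."""
    m = ENTRY.match(line)
    if not m:
        return None
    stamp, host, program, pid, message = m.groups()
    when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return {"time": when, "host": host, "program": program,
            "pid": int(pid) if pid else None, "message": message}

def review_ssh_logins(text, year):
    """Return (failed password attempts per source IP, accepted root password logins)."""
    failed, root_logins = Counter(), []
    for line in text.splitlines():
        entry = parse_entry(line, year)
        if entry is None or entry["program"] != "sshd":
            continue
        m = AUTH.match(entry["message"])
        if not m:
            continue
        outcome, user, source = m.groups()
        if outcome == "Failed":
            failed[source] += 1
        elif user == "root":
            root_logins.append((entry["time"], source))
    return failed, root_logins

if __name__ == "__main__":
    failed, root_logins = review_ssh_logins(SAMPLE, year=2024)
    print(dict(failed), root_logins)
```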

Syslog Configuration File (/etc/rsyslog.conf)

Each rule in the file maps a selector, written as a service name and a priority separated by a dot, to a destination path.

authpriv.*               /var/log/secure
mail.info                -/var/log/maillog
cron.*                   /var/log/cron

Service Names

Syslog defines many service selectors (e.g., authpriv, mail, cron) that can be combined with priorities to filter messages.

Log Levels

Seven severity levels, from least to most critical: debug, info, notice, warn, err, crit, emerg. A dot separates service and level (e.g., kern.debug).
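To see which file a given message ends up in, the selector matching can be modelled as below. This is an added example, not rsyslog's own code: it goes beyond the three rules above by also handling `;`, `=` and `none`, it uses the severity keywords from syslog(3) (which include alert between crit and emerg), and the function names and the catch-all rule are assumptions added for illustration.

```python
# Severity keywords from syslog(3), least to most severe.
SEVERITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

def allowed_severities(selector, facility):
    """Set of severity names that `selector` accepts for `facility`.
    Parts separated by ';' apply left to right, so a later 'mail.none'
    removes mail from an earlier '*.info'."""
    allowed = set()
    for part in selector.split(";"):
        facilities, _, level = part.strip().rpartition(".")
        names = facilities.split(",")
        if "*" not in names and facility not in names:
            continue
        if level == "none":
            allowed.clear()
        elif level == "*":
            allowed.update(SEVERITIES)
        elif level.startswith("="):      # '=' means exactly this severity
            allowed.add(ALIASES.get(level[1:], level[1:]))
        else:                            # bare level means this severity or worse
            name = ALIASES.get(level, level)
            allowed.update(SEVERITIES[SEVERITIES.index(name):])
    return allowed

def destinations(rules, facility, severity):
    """Return every destination whose selector matches facility.severity."""
    severity = ALIASES.get(severity, severity)
    return [dest for sel, dest in rules
            if severity in allowed_severities(sel, facility)]

# The three rules shown above, plus a catch-all rule added for illustration.
RULES = [
    ("authpriv.*", "/var/log/secure"),
    ("mail.info", "-/var/log/maillog"),
    ("cron.*", "/var/log/cron"),
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
]

if __name__ == "__main__":
    for fac, sev in [("authpriv", "info"), ("mail", "debug"), ("kern", "err")]:
        print(f"{fac}.{sev} ->", destinations(RULES, fac, sev))
```

With these rules, authentication messages land only in /var/log/secure and never in the catch-all file, which is the property to confirm when reviewing a host's configuration.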

Setting Up a Central Syslog Server

Receiver Configuration

# vim /etc/rsyslog.conf
$ModLoad imudp            # enable UDP reception
$UDPServerRun 514
# $ModLoad imtcp          # enable TCP reception (optional)
# $InputTCPServerRun 514

Restart the service to apply changes:

# systemctl restart rsyslog
# systemctl status rsyslog

Sender Configuration

Add a forwarding rule to the client’s /etc/rsyslog.conf:

*.* @192.168.1.10

Use a single @ for UDP or double @@ for TCP. Restart rsyslog after editing.

# systemctl restart rsyslog
# systemctl status rsyslog

Log Rotation with logrotate

logrotate runs daily via a script in /etc/cron.daily. It reads /etc/logrotate.conf and files under /etc/logrotate.d/ to determine rotation policies.

# cat /etc/logrotate.conf
weekly
rotate 4
create
dateext
include /etc/logrotate.d

/var/log/wtmp {
    monthly
    create 0664 root utmp
    minsize 1M
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
}

The daily cron job checks each rule and rotates files that meet size or time criteria.

Custom rules can be added to /etc/logrotate.d/ for application‑specific logs.

Force a rotation with logrotate -vf /etc/logrotate.conf.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
